# Note: xml file cannot be loaded correctly
print("Files:", 12068)
print("Packages:", 1)
print("relationships:", 12068)
Files: 12068
Packages: 1
relationships: 12068
On this page, we analyze the SBOM generated by the bom tool for the PyTorch GitHub repository. The overall analysis for bom is available here.
The SPDX SBOM was generated in JSON format and converted to RDF/XML using pyspdxtools. It is a valid SPDX file and can be validated using the SPDX online validator.
Individual elements | Status |
---|---|
All component names provided? | True |
All component versions provided? | True |
All component identifiers provided? | True |
All component suppliers provided? | False |
SBOM author name provided? | True |
SBOM creation timestamp provided? | True |
Dependency relationships provided? | True |
Components missing a supplier: pytorch
Source: ntia_checker
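As an added illustration (not the page's own code and not the ntia_checker implementation), the minimum elements reported above can be computed directly from an SPDX 2.3 JSON document. The sample document is constructed to mirror the shape of the bom output described on this page (one package, no supplier, file-level CONTAINS relationships); its version and tool strings are placeholders.

```python
import json

# Constructed sample SPDX 2.3 JSON document; version and creator are placeholders.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "pytorch",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: bom-PLACEHOLDER"]},
    "packages": [{"name": "pytorch", "SPDXID": "SPDXRef-Package-pytorch",
                  "versionInfo": "0.0.0-placeholder",
                  "downloadLocation": "NOASSERTION"}],   # no "supplier" key
    "files": [{"fileName": "./setup.py", "SPDXID": "SPDXRef-File-setup"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-pytorch"},
        {"spdxElementId": "SPDXRef-Package-pytorch", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-setup"},
    ],
})

# SPDX allows NOASSERTION/NONE as values; neither counts as "provided".
def _present(value) -> bool:
    return bool(value) and value not in ("NOASSERTION", "NONE")

def ntia_check(spdx_json: str) -> dict:
    """Evaluate the NTIA minimum elements over one SPDX JSON document.
    Returns one boolean per element plus the names of packages lacking a supplier."""
    doc = json.loads(spdx_json)
    pkgs = doc.get("packages", [])
    creation = doc.get("creationInfo", {})
    missing_supplier = [p.get("name", "<unnamed>") for p in pkgs
                        if not _present(p.get("supplier"))]
    return {
        "component_names": all(_present(p.get("name")) for p in pkgs),
        "component_versions": all(_present(p.get("versionInfo")) for p in pkgs),
        "component_identifiers": all(_present(p.get("SPDXID")) for p in pkgs),
        "component_suppliers": not missing_supplier,
        "author_name": bool(creation.get("creators")),
        "creation_timestamp": _present(creation.get("created")),
        # Dependency relationships: anything beyond the DESCRIBES link from the document.
        "dependency_relationships": any(
            r.get("relationshipType") in ("DEPENDS_ON", "CONTAINS", "DEPENDENCY_OF")
            for r in doc.get("relationships", [])),
        "missing_supplier": missing_supplier,
    }
```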
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
#display_qscores_with_descriptions(feature_qscores, tool_list=['sbom4python'])
display_qscores_with_descriptions(feature_qscores, tool_list=['bom'])
index | feature | score | description | tool
---|---|---|---|---
0 | sbom_spec | 10.0 | provided sbom is in a supported sbom format of... | bom
1 | sbom_spec_version | 10.0 | provided sbom should be in supported spec vers... | bom
2 | sbom_spec_file_format | 10.0 | provided sbom should be in supported file form... | bom
3 | sbom_parsable | 10.0 | provided sbom is parsable | bom
4 | comp_with_supplier | 0.0 | 0/1 have supplier names | bom
5 | comp_with_name | 10.0 | 1/1 have names | bom
6 | comp_with_version | 0.0 | 0/1 have versions | bom
7 | comp_with_uniq_ids | 10.0 | 1/1 have unique ID's | bom
8 | sbom_dependencies | 10.0 | doc has 12068 relationships | bom
9 | sbom_authors | 10.0 | doc has 1 authors | bom
10 | sbom_creation_timestamp | 10.0 | doc has creation timestamp | bom
11 | sbom_required_fields | 10.0 | Doc Fields:true Pkg Fields:true | bom
12 | comp_with_licenses | 10.0 | 1/1 have licenses | bom
13 | comp_with_checksums | 0.0 | 0/1 have checksums | bom
14 | comp_valid_licenses | 10.0 | 1/1 components with valid license | bom
15 | comp_with_primary_purpose | 0.0 | 0/1 components have primary purpose specified | bom
16 | comp_with_deprecated_licenses | 10.0 | 0/1 components have deprecated licenses | bom
17 | comp_with_restrictive_licenses | 10.0 | 0/1 components have restricted licenses | bom
18 | comp_with_any_vuln_lookup_id | 0.0 | 0/1 components have any lookup id | bom
19 | comp_with_multi_vuln_lookup_id | 0.0 | 0/1 components have multiple lookup id | bom
20 | sbom_with_creator_and_version | 10.0 | 1/1 tools have creator and version | bom
21 | sbom_sharable | 10.0 | doc has a sharable license free 1 :: of 1 | bom
The relationship graph cannot be viewed because the RDF/XML file cannot be loaded correctly.
The SBOM file contains only one package, the pytorch package itself, and that package contains all 12068 detected files.