On this page, we will analyze the SBOM generated by the Fossa tool for the PyTorch GitHub Repository. The overall analysis for Fossa is available here.
The SPDX SBOM was generated in the JSON format and converted to RDF/XML using pyspdxtools. It is a valid spdx file and can be validated using the spdx online validator.
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-fossa-spdx23.rdf.xml", format="xml")
print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))Files: 0
Packages: 106
relationships: 211| Individual elements | Status |
|---|---|
| All component names provided? | True |
| All component versions provided? | False |
| All component identifiers provided? | True |
| All component suppliers provided? | False |
| SBOM author name provided? | True |
| SBOM creation timestamp provided? | True |
| Dependency relationships provided? | True |
Components missing a version: click, filelock, fsspec, jinja2, networkx, numpy, psutil, PyGithub, pytest, pytest-xdist, PyYAML, requests, setuptools, tqdm, typing-extensions
Components missing an supplier: git@github.com:pytorch/pytorch.git, astunparse, boto3, breathe, bs4, certifi, charset-normalizer, click, cmake, coremltools, docutils, enum34, exhale, expecttest, expecttest, fastlane, filelock, filelock, flake8, flake8-bugbear, flake8-comprehensions, flake8-executable, flake8-logging-format, flake8-pyi, flatbuffers, fsspec, future, ghstack, hypothesis, hypothesis, hypothesis, idna, ipython, jinja2, jinja2, jinja2, junitparser, libopenblas, librosa, lintrunner, matplotlib, mccabe, mpmath, mypy, myst-nb, myst-parser, networkx, networkx, networkx, ninja, ninja, numba, numba, numba, numba, numba, numpy, numpy, nvidia-ml-py, opt-einsum, protobuf, psutil, psutil, pycodestyle, pyflakes, PyGithub, Pygments, pytest, pytest, pytest-cpp, pytest-flakefinder, pytest-rerunfailures, pytest-shard, pytest-xdist, pytest-xdist, python-etcd, PyYAML, PyYAML, requests, requests, rich, rockset, scikit-image, scikit-image, scipy, scipy, scipy, scipy, setuptools, setuptools, six, Sphinx, sphinxcontrib-katex, sphinx-copybutton, sphinx-panels, sympy, sympy, tb-nightly, tensorboard, tqdm, types-dataclasses, typing-extensions, typing-extensions, unittest-xml-reporting, urllib3, xdoctest
Source: ntia_checker
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['FOSSA v0.12.0'])| feature | score | description | tool | |
|---|---|---|---|---|
| 0 | sbom_spec | 10.0 | provided sbom is in a supported sbom format of... | FOSSA v0.12.0 |
| 1 | sbom_spec_version | 10.0 | provided sbom should be in supported spec vers... | FOSSA v0.12.0 |
| 2 | sbom_spec_file_format | 10.0 | provided sbom should be in supported file form... | FOSSA v0.12.0 |
| 3 | sbom_parsable | 10.0 | provided sbom is parsable | FOSSA v0.12.0 |
| feature | score | description | tool | |
|---|---|---|---|---|
| 4 | comp_with_supplier | 10.00 | 212/212 have supplier names | FOSSA v0.12.0 |
| 5 | comp_with_name | 10.00 | 212/212 have names | FOSSA v0.12.0 |
| 6 | comp_with_version | 9.29 | 197/212 have versions | FOSSA v0.12.0 |
| 7 | comp_with_uniq_ids | 5.00 | 106/212 have unique ID's | FOSSA v0.12.0 |
| 8 | sbom_dependencies | 10.00 | doc has 211 relationships | FOSSA v0.12.0 |
| 9 | sbom_authors | 10.00 | doc has 2 authors | FOSSA v0.12.0 |
| 10 | sbom_creation_timestamp | 10.00 | doc has creation timestamp | FOSSA v0.12.0 |
| feature | score | description | tool | |
|---|---|---|---|---|
| 11 | sbom_required_fields | 7.50 | Doc Fields:true Pkg Fields:false | FOSSA v0.12.0 |
| 12 | comp_with_licenses | 4.62 | 98/212 have licenses | FOSSA v0.12.0 |
| 13 | comp_with_checksums | 5.00 | 106/212 have checksums | FOSSA v0.12.0 |
| feature | score | description | tool | |
|---|---|---|---|---|
| 14 | comp_valid_licenses | 4.54 | 97/212 components with valid license | FOSSA v0.12.0 |
| 15 | comp_with_primary_purpose | 0.00 | 0/212 components have primary purpose specified | FOSSA v0.12.0 |
| 16 | comp_with_deprecated_licenses | 10.00 | 0/212 components have deprecated licenses | FOSSA v0.12.0 |
| 17 | comp_with_restrictive_licenses | 9.86 | 3/212 components have restricted licenses | FOSSA v0.12.0 |
| 18 | comp_with_any_vuln_lookup_id | 4.81 | 102/212 components have any lookup id | FOSSA v0.12.0 |
| 19 | comp_with_multi_vuln_lookup_id | 0.00 | 0/212 components have multiple lookup id | FOSSA v0.12.0 |
| 20 | sbom_with_creator_and_version | 0.00 | 0/1 tools have creator and version | FOSSA v0.12.0 |
| feature | score | description | tool | |
|---|---|---|---|---|
| 21 | sbom_sharable | 10.0 | doc has a sharable license free 1 :: of 1 | FOSSA v0.12.0 |
# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)
# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')
# show graph
graph.show("../../figs/cs1-fossa.relationship_full.html")../../figs/cs1-fossa.relationship_full.htmlnote_1:
The graph has twice as many edges. This occurs because the main repository has two SPDX IDs, and since every package is related to the main repository, there are two edges for each relationship.
note_2:
The sbom file contains packages with duplicate SPDX IDs, for example:
SPDXID : SPDXRef-custom-38450-git-github.com-pytorch-pytorch.git-fbbde8df69577fa52a6e354b930a2fe4e921ae92
name : git@github.com:pytorch/pytorch.git
versionInfo : fbbde8df69577fa52a6e354b930a2fe4e921ae92
filesAnalyzed : true
downloadLocation : NOASSERTION
originator : Organization: Custom (provided build)
licenseDeclared : NONE
copyrightText : NONE
licenseConcluded : NOASSERTION
SPDXID : SPDXRef-custom-38450-git-github.com-pytorch-pytorch.git-fbbde8df69577fa52a6e354b930a2fe4e921ae92
name : 38450/git@github.com:pytorch/pytorch.git
versionInfo : fbbde8df69577fa52a6e354b930a2fe4e921ae92
downloadLocation : NOASSERTION
comment : Incomplete dependency
supplier : Organization: Custom (provided build)
filesAnalyzed : falsenote_3:
Between the same two nodes, there are dependencies in two directions (dependsOn and dependsOf), for example:
spdxElementId : SPDXRef-custom-38450-git-github.com-pytorch-pytorch.git-fbbde8df69577fa52a6e354b930a2fe4e921ae92
relationshipType : DEPENDS_ON
relatedSpdxElement : SPDXRef-pip-astunparse-1.6.3
spdxElementId : SPDXRef-pip-astunparse-1.6.3
relationshipType : DEPENDENCY_OF
relatedSpdxElement : SPDXRef-custom-38450-git-github.com-pytorch-pytorch.git-fbbde8df69577fa52a6e354b930a2fe4e921ae92