gh-sbom

On this page, we will analyze the SBOM generated by the gh-sbom tool for the PyTorch GitHub Repository. The overall analysis for gh-sbom is available here.

The SPDX SBOM was generated in the JSON format and converted to RDF/XML using pyspdxtools. It is a valid spdx file and can be validated using the spdx online validator.

SBOM size

kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-gh-sbom-spdx23.rdf.xml", format="xml")


print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))
Files: 0
Packages: 231
relationships: 1

Is this SBOM NTIA minimum element conformant? False

Individual elements Status
All component names provided? True
All component versions provided? False
All component identifiers provided? True
All component suppliers provided? False
SBOM author name provided? True
SBOM creation timestamp provided? True
Dependency relationships provided? False

Source: ntia_checker

Quality Score

dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['GitHub.com-Dependency-Graph'])

Tool: GitHub.com-Dependency-Graph (avg score: 6.83)

Category: Structural (avg score: 10.00)

feature score description tool
0 sbom_spec 10.0 provided sbom is in a supported sbom format of... GitHub.com-Dependency-Graph
1 sbom_spec_version 10.0 provided sbom should be in supported spec vers... GitHub.com-Dependency-Graph
2 sbom_spec_file_format 10.0 provided sbom should be in supported file form... GitHub.com-Dependency-Graph
3 sbom_parsable 10.0 provided sbom is parsable GitHub.com-Dependency-Graph

Category: NTIA-minimum-elements (avg score: 6.99)

feature score description tool
4 comp_with_supplier 0.00 0/231 have supplier names GitHub.com-Dependency-Graph
5 comp_with_name 10.00 231/231 have names GitHub.com-Dependency-Graph
6 comp_with_version 8.92 206/231 have versions GitHub.com-Dependency-Graph
7 comp_with_uniq_ids 10.00 231/231 have unique ID's GitHub.com-Dependency-Graph
8 sbom_dependencies 0.00 doc has 0 relationships GitHub.com-Dependency-Graph
9 sbom_authors 10.00 doc has 1 authors GitHub.com-Dependency-Graph
10 sbom_creation_timestamp 10.00 doc has creation timestamp GitHub.com-Dependency-Graph

Category: Semantic (avg score: 5.44)

feature score description tool
11 sbom_required_fields 10.00 Doc Fields:true Pkg Fields:true GitHub.com-Dependency-Graph
12 comp_with_licenses 6.32 146/231 have licenses GitHub.com-Dependency-Graph
13 comp_with_checksums 0.00 0/231 have checksums GitHub.com-Dependency-Graph

Category: Quality (avg score: 5.00)

feature score description tool
14 comp_valid_licenses 6.32 146/231 components with valid license GitHub.com-Dependency-Graph
15 comp_with_primary_purpose 0.00 0/231 components have primary purpose specified GitHub.com-Dependency-Graph
16 comp_with_deprecated_licenses 10.00 0/231 components have deprecated licenses GitHub.com-Dependency-Graph
17 comp_with_restrictive_licenses 10.00 0/231 components have restricted licenses GitHub.com-Dependency-Graph
18 comp_with_any_vuln_lookup_id 8.70 201/231 components have any lookup id GitHub.com-Dependency-Graph
19 comp_with_multi_vuln_lookup_id 0.00 0/231 components have multiple lookup id GitHub.com-Dependency-Graph
20 sbom_with_creator_and_version 0.00 0/1 tools have creator and version GitHub.com-Dependency-Graph

Category: Sharing (avg score: 10.00)

feature score description tool
21 sbom_sharable 10.0 doc has a sharable license free 1 :: of 1 GitHub.com-Dependency-Graph

Dependencies

# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)

# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')

# show graph
graph.show("../../figs/cs1-gh-sbom.relationship_full.html")
../../figs/cs1-gh-sbom.relationship_full.html

Note: There is only one relationship between spdx:Document and the main package. There are no relationships between the detected packages.