On this page, we analyze the SBOM generated by the sbom4python tool for the PyTorch GitHub repository. The overall analysis for sbom4python is available here.

The SPDX SBOM was generated in JSON format and converted to RDF/XML using pyspdxtools. The result is a valid SPDX file and can be checked with the SPDX online validator.

SBOM size

import kglab

# Load the RDF/XML form of the SBOM into a knowledge graph
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-sbom4python-spdx23.rdf.xml", format="xml")

# get_files_data, get_package_data and get_relationship_data are the helper
# functions used throughout this analysis; they are defined outside this cell.
print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))
Files: 0
Packages: 0
relationships: 0

Is this SBOM NTIA minimum element conformant? False

Individual elements Status
All component names provided? False
All component versions provided? False
All component identifiers provided? False
All component suppliers provided? False
SBOM author name provided? True
SBOM creation timestamp provided? True
Dependency relationships provided? False

Source: ntia_checker
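The checker output above shows a pattern worth being able to reproduce: document-level elements (author, timestamp) pass while every component-level element fails because there are no components. The following is an added example, not code from this page or from the ntia_checker tool, that evaluates the same seven elements directly on SPDX 2.3 JSON. The two embedded documents, the tool name, the namespaces and the `examplelib` package are all constructed for illustration, and the rule that a component identifier needs a purl or CPE external reference in addition to its SPDXID is this example's own choice.

```python
import json
from datetime import datetime

# Constructed SPDX 2.3 JSON documents for illustration; they are not the
# PyTorch SBOM analysed on this page. Names, namespaces, the tool name and
# the package are all hypothetical.
EMPTY_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "empty-example",
    "documentNamespace": "https://example.invalid/spdx/empty-example",
    "creationInfo": {
        "created": "2024-01-01T00:00:00Z",
        "creators": ["Tool: example-generator-0.1"],
    },
    "packages": [],
    "files": [],
    "relationships": [],
})

FULL_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "full-example",
    "documentNamespace": "https://example.invalid/spdx/full-example",
    "creationInfo": {
        "created": "2024-01-01T00:00:00Z",
        "creators": ["Tool: example-generator-0.1", "Person: Example Author"],
    },
    "packages": [{
        "SPDXID": "SPDXRef-Package-examplelib",
        "name": "examplelib",
        "versionInfo": "1.2.3",
        "supplier": "Organization: Example Org",
        "downloadLocation": "NOASSERTION",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:pypi/examplelib@1.2.3",
        }],
    }],
    "files": [],
    "relationships": [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": "SPDXRef-Package-examplelib",
    }],
})

IDENTIFIER_REF_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def load_sbom(text):
    """Parse an SPDX JSON document into a dict."""
    return json.loads(text)


def count_elements(doc):
    """The same three counts printed above, taken straight from the JSON."""
    return {
        "files": len(doc.get("files", [])),
        "packages": len(doc.get("packages", [])),
        "relationships": len(doc.get("relationships", [])),
    }


def _all_components(packages, predicate):
    # Python's all() over an empty list is True, which would report a
    # component-free SBOM as fully conformant. Treat "no components" as a
    # failure, matching the False results in the report above.
    return bool(packages) and all(predicate(p) for p in packages)


def _has_identifier(pkg):
    # Assumption of this example: an SPDXID alone cannot be looked up in any
    # vulnerability database, so require a purl or CPE external reference too.
    refs = pkg.get("externalRefs", [])
    return bool(pkg.get("SPDXID")) and any(
        r.get("referenceType") in IDENTIFIER_REF_TYPES for r in refs)


def _valid_timestamp(created):
    # SPDX 2.x mandates the form YYYY-MM-DDThh:mm:ssZ.
    try:
        datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except (TypeError, ValueError):
        return False


def ntia_check(doc):
    """Evaluate the NTIA minimum elements in the order of the report above."""
    pkgs = doc.get("packages", [])
    info = doc.get("creationInfo", {})
    results = {
        "names": _all_components(pkgs, lambda p: bool(p.get("name"))),
        "versions": _all_components(pkgs, lambda p: bool(p.get("versionInfo"))),
        "identifiers": _all_components(pkgs, _has_identifier),
        "suppliers": _all_components(pkgs, lambda p: bool(p.get("supplier"))),
        "author": bool(info.get("creators")),
        "timestamp": _valid_timestamp(info.get("created")),
        # Any relationship counts here, as in the sbomqs sbom_dependencies row.
        "dependencies": bool(doc.get("relationships")),
    }
    results["conformant"] = all(results.values())
    return results


if __name__ == "__main__":
    for label, text in (("empty", EMPTY_SBOM_JSON), ("full", FULL_SBOM_JSON)):
        doc = load_sbom(text)
        print(label, count_elements(doc))
        for key, value in ntia_check(doc).items():
            print(f"  {key}: {value}")
```

Running the block prints the empty document with author and timestamp True and everything else False, which is exactly the shape of the report above; the constructed full document passes all seven. The `_all_components` guard is the part to keep in mind when writing your own checks: a vacuous `all()` would silently turn an empty inventory into a conformant SBOM.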

Quality Score

# sbomqs_scores and display_qscores_with_descriptions are the helper
# functions used throughout this analysis; they are defined outside this cell.
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['sbom4python'])

Tool: sbom4python (avg score: 3.86)

Category: Structural (avg score: 10.00)

feature score description tool
0 sbom_spec 10.0 provided sbom is in a supported sbom format of... sbom4python
1 sbom_spec_version 10.0 provided sbom should be in supported spec vers... sbom4python
2 sbom_spec_file_format 10.0 provided sbom should be in supported file form... sbom4python
3 sbom_parsable 10.0 provided sbom is parsable sbom4python

Category: NTIA-minimum-elements (avg score: 2.86)

feature score description tool
4 comp_with_supplier 0.0 N/A (no components) sbom4python
5 comp_with_name 0.0 N/A (no components) sbom4python
6 comp_with_version 0.0 N/A (no components) sbom4python
7 comp_with_uniq_ids 0.0 N/A (no components) sbom4python
8 sbom_dependencies 0.0 doc has 0 relationships sbom4python
9 sbom_authors 10.0 doc has 1 authors sbom4python
10 sbom_creation_timestamp 10.0 doc has creation timestamp sbom4python

Category: Semantic (avg score: 1.67)

feature score description tool
11 sbom_required_fields 5.0 Doc Fields:true Pkg Fields:false sbom4python
12 comp_with_licenses 0.0 N/A (no components) sbom4python
13 comp_with_checksums 0.0 N/A (no components) sbom4python

Category: Quality (avg score: 1.43)

feature score description tool
14 comp_valid_licenses 0.0 N/A (no components) sbom4python
15 comp_with_primary_purpose 0.0 N/A (no components) sbom4python
16 comp_with_deprecated_licenses 0.0 N/A (no components) sbom4python
17 comp_with_restrictive_licenses 0.0 N/A (no components) sbom4python
18 comp_with_any_vuln_lookup_id 0.0 N/A (no components) sbom4python
19 comp_with_multi_vuln_lookup_id 0.0 N/A (no components) sbom4python
20 sbom_with_creator_and_version 10.0 1/1 tools have creator and version sbom4python

Category: Sharing (avg score: 10.00)

feature score description tool
21 sbom_sharable 10.0 doc has a sharable license free 1 :: of 1 sbom4python

Dependencies

The SBOM contains no components at all, so there is no dependency graph to examine. This is the case to watch for: the file still validates, the Structural and Sharing categories both score 10.00, and the document-level checks (author, creation timestamp) pass, yet every component-level check fails because there is nothing to check. A well-formed, shareable SBOM with an empty inventory gives no basis for vulnerability lookup, license review or dependency analysis, so a passing validator result on its own says nothing about coverage.