On this page, we will analyze the SBOM generated by the Syft tool for the PyTorch GitHub Repository. The overall analysis for Syft is available here.
The SPDX SBOM was generated in the JSON format and converted to RDF/XML using pyspdxtools. It is a valid spdx file and can be validated using the spdx online validator.
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-syft-spdx23.rdf.xml", format="xml")
print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))Files: 12
Packages: 201
relationships: 202| Individual elements | Status |
|---|---|
| All component names provided? | True |
| All component versions provided? | True |
| All component identifiers provided? | True |
| All component suppliers provided? | False |
| SBOM author name provided? | True |
| SBOM creation timestamp provided? | True |
| Dependency relationships provided? | True |
Components missing an supplier: CFPropertyList, IPython, IPython, Jinja2, addressable, artifactory, atomos, aws-eventstream, aws-partitions, aws-sdk-core, aws-sdk-kms, aws-sdk-s3, aws-sigv4, babosa, boto3, boto3, boto3, breathe, breathe, bs4, certifi, charset-normalizer, claide, colored, colored2, commander, coremltools, coremltools, declarative, digest-crc, docutils, docutils, docutils, domain_name, dotenv, emoji_regex, excon, exhale, exhale, expecttest, expecttest, faraday, faraday-cookie_jar, faraday-em_http, faraday-em_synchrony, faraday-excon, faraday-httpclient, faraday-multipart, faraday-net_http, faraday-net_http_persistent, faraday-patron, faraday-rack, faraday-retry, faraday_middleware, fastimage, fastlane, filelock, flake8, flake8-bugbear, flake8-comprehensions, flake8-executable, flake8-logging-format, flake8-pyi, flatbuffers, future, gh_inspector, ghstack, google-apis-androidpublisher_v3, google-apis-core, google-apis-iamcredentials_v1, google-apis-playcustomapp_v1, google-apis-storage_v1, google-cloud-core, google-cloud-env, google-cloud-errors, google-cloud-storage, googleauth, gradle-wrapper, highline, http-cookie, httpclient, hypothesis, hypothesis, idna, jinja2, jinja2, jmespath, json, junitparser, jwt, lintrunner, lintrunner, matplotlib, matplotlib, mccabe, memoist, mini_magick, mini_mime, mpmath, mpmath, multi_json, multipart-post, mypy, myst-nb, myst-nb, myst-parser, myst-parser, nanaimo, naturally, networkx, networkx, ninja, numba, numba, numba, numba, numpy, nvidia-ml-py, nvidia-ml-py, opt-einsum, optparse, os, plist, protobuf, protobuf, psutil, public_suffix, pycodestyle, pyflakes, pygments, pygments, pytest, pytest-cpp, pytest-cpp, pytest-flakefinder, pytest-flakefinder, pytest-rerunfailures, pytest-shard, pytest-xdist, python-etcd, python-etcd, pyyaml, pyyaml, rake, representable, requests, requests, retriable, rexml, rich, rockset, rockset, rouge, ruby2_keywords, rubyzip, scikit-image, scikit-image, scipy, scipy, scipy, scipy, security, setuptools, signet, simctl, six, sphinx, sphinx, sphinx, sphinx, sphinx-copybutton, sphinx-copybutton, sphinx-panels, sphinx-panels, sphinxcontrib.katex, sphinxcontrib.katex, sphinxcontrib.katex, sympy, sympy, tb-nightly, tensorboard, tensorboard, terminal-notifier, terminal-table, trailblazer-option, tty-cursor, tty-screen, tty-spinner, typing-extensions, uber, unf, unf_ext, unicode-display_width, urllib3, webrick, word_wrap, xcodeproj, xcpretty, xcpretty-travis-formatter, xdoctest, xdoctest
Source: ntia_checker
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['syft'])| feature | score | description | tool | |
|---|---|---|---|---|
| 0 | sbom_spec | 10.0 | provided sbom is in a supported sbom format of... | syft |
| 1 | sbom_spec_version | 10.0 | provided sbom should be in supported spec vers... | syft |
| 2 | sbom_spec_file_format | 10.0 | provided sbom should be in supported file form... | syft |
| 3 | sbom_parsable | 10.0 | provided sbom is parsable | syft |
| feature | score | description | tool | |
|---|---|---|---|---|
| 4 | comp_with_supplier | 0.0 | 0/201 have supplier names | syft |
| 5 | comp_with_name | 10.0 | 201/201 have names | syft |
| 6 | comp_with_version | 10.0 | 201/201 have versions | syft |
| 7 | comp_with_uniq_ids | 10.0 | 201/201 have unique ID's | syft |
| 8 | sbom_dependencies | 10.0 | doc has 1 relationships | syft |
| 9 | sbom_authors | 10.0 | doc has 2 authors | syft |
| 10 | sbom_creation_timestamp | 10.0 | doc has creation timestamp | syft |
| feature | score | description | tool | |
|---|---|---|---|---|
| 11 | sbom_required_fields | 10.00 | Doc Fields:true Pkg Fields:true | syft |
| 12 | comp_with_licenses | 0.00 | 0/201 have licenses | syft |
| 13 | comp_with_checksums | 0.05 | 1/201 have checksums | syft |
| feature | score | description | tool | |
|---|---|---|---|---|
| 14 | comp_valid_licenses | 0.0 | 0/201 components with valid license | syft |
| 15 | comp_with_primary_purpose | 0.0 | 0/201 components have primary purpose specified | syft |
| 16 | comp_with_deprecated_licenses | 0.0 | no licenses found | syft |
| 17 | comp_with_restrictive_licenses | 0.0 | no licenses found | syft |
| 18 | comp_with_any_vuln_lookup_id | 10.0 | 201/201 components have any lookup id | syft |
| 19 | comp_with_multi_vuln_lookup_id | 10.0 | 201/201 components have multiple lookup id | syft |
| 20 | sbom_with_creator_and_version | 10.0 | 1/1 tools have creator and version | syft |
| feature | score | description | tool | |
|---|---|---|---|---|
| 21 | sbom_sharable | 10.0 | doc has a sharable license free 1 :: of 1 | syft |
# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)
# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')
# show graph
graph.show("../../figs/cs1-syft.relationship_full.html")../../figs/cs1-syft.relationship_full.htmlNote: The tool localized 12 metadata files and then for each one it acquired info of packages. The metadata files founded:
0 ios/TestApp/Gemfile.lock
1 requirements-flake8.txt
2 .ci/docker/requirements-docs.txt
3 .github/requirements-gha-cache.txt
4 .ci/docker/requirements-ci.txt
5 docs/requirements.txt
6 .github/requirements/pip-requirements-macOS.txt
7 functorch/docs/requirements.txt
8 tools/build/bazel/requirements.txt
9 docs/cpp/requirements.txt
10 android/gradle/wrapper/gradle-wrapper.jar
11 .github/requirements/pip-requirements-iOS.txt
Name: fileName, dtype: objectNote: The tool was unable to assign the correct relationship type for the dependencies and instead assigns the name other between all packages and files.