On this page, we analyze the SBOM that the Tern tool generated for the PyTorch GitHub repository. The overall analysis of Tern is available here.

The SPDX SBOM was generated in JSON format and converted to RDF/XML with pyspdxtools. It is a valid SPDX file and passes the SPDX online validator.

SBOM size

import kglab

# get_files_data, get_package_data and get_relationship_data are the notebook's
# own helper functions (not shown on this page); each returns the SPDX files,
# packages or relationships found in the loaded graph.
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/di-pytorch-tern-spdx22.xml", format="xml")

print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))
Files: 0
Packages: 181
relationships: 224

Is this SBOM NTIA minimum element conformant? False

The ntia_checker could not verify the file: it raised an error while attempting to check it, so the False above records a tool failure rather than a completed check.

The sbomqs NTIA-minimum-elements category gives a more useful picture: the file satisfies every element except the supplier field, which is missing on 74 of the 181 components:

Individual element                      Status
All component names provided?           True
All component versions provided?        True
All component identifiers provided?     True
All component suppliers provided?       False
SBOM author name provided?              True
SBOM creation timestamp provided?       True
Dependency relationships provided?      True

Quality Score

dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['tern'])

Tool: tern (avg score: 7.38)

Category: Structural (avg score: 10.00)

feature score description tool
0 sbom_spec 10.0 provided sbom is in a supported sbom format of... tern
1 sbom_spec_version 10.0 provided sbom should be in supported spec vers... tern
2 sbom_spec_file_format 10.0 provided sbom should be in supported file form... tern
3 sbom_parsable 10.0 provided sbom is parsable tern

Category: NTIA-minimum-elements (avg score: 9.42)

feature score description tool
4 comp_with_supplier 5.91 107/181 have supplier names tern
5 comp_with_name 10.00 181/181 have names tern
6 comp_with_version 10.00 181/181 have versions tern
7 comp_with_uniq_ids 10.00 181/181 have unique ID's tern
8 sbom_dependencies 10.00 doc has 117 relationships tern
9 sbom_authors 10.00 doc has 1 authors tern
10 sbom_creation_timestamp 10.00 doc has creation timestamp tern

Category: Semantic (avg score: 4.99)

feature score description tool
11 sbom_required_fields 10.00 Doc Fields:true Pkg Fields:true tern
12 comp_with_licenses 4.70 85/181 have licenses tern
13 comp_with_checksums 0.28 5/181 have checksums tern

Category: Quality (avg score: 4.50)

feature score description tool
14 comp_valid_licenses 1.78 65/181 components with valid license tern
15 comp_with_primary_purpose 0.00 0/181 components have primary purpose specified tern
16 comp_with_deprecated_licenses 7.73 41/181 components have deprecated licenses tern
17 comp_with_restrictive_licenses 6.08 71/181 components have restricted licenses tern
18 comp_with_any_vuln_lookup_id 5.91 107/181 components have any lookup id tern
19 comp_with_multi_vuln_lookup_id 0.00 0/181 components have multiple lookup id tern
20 sbom_with_creator_and_version 10.00 1/1 tools have creator and version tern

Category: Sharing (avg score: 10.00)

feature score description tool
21 sbom_sharable 10.0 doc has a sharable license free 1 :: of 1 tern

Dependencies

# build the relationship graph to be visualized; visualize_relationship_graph is
# a notebook helper (not shown on this page) that returns a pyvis Network
graph = visualize_relationship_graph(kg)

# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')

# write the interactive graph to an HTML file and show it
graph.show("../../figs/cs1-tern.relationship_full.html")
../../figs/cs1-tern.relationship_full.html

Note: The component 99803d4b97f3db529ae9ca4174b0951afac6b309e7deaa8ec3214c584e02b3a8 contains most of the other components, which appear to be the operating-system packages, in this case Ubuntu. Its name is a 64-hex-digit string, the format of a SHA-256 digest, which is consistent with Tern representing each container image layer as a package named by the layer's digest; this element is therefore the base-image layer rather than a software package.

Note: Many components have names consisting only of digits, which gives a downstream consumer nothing to match against a package index or a vulnerability database.

Note: In addition to contains and describes, two further relationship types appear, generatedFrom and hasPrerequisite (CONTAINS, DESCRIBES, GENERATED_FROM and HAS_PREREQUISITE in the SPDX tag/value and JSON forms). The RDF graph holds 224 relationships across these four types, whereas sbomqs reports 117 in its sbom_dependencies check; the two tools evidently count different subsets, so the two figures are not directly comparable.
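The NTIA tally above and the three notes on the relationship graph are checks that can be run directly on the SPDX JSON, without the notebook's helpers or the RDF conversion. The following Python is an added example, not code from this page or from the Tern project. It builds a small constructed SPDX 2.2 document that mirrors Tern's layout (a DESCRIBES edge to the image, layer elements named by 64-hex-digit digests that CONTAIN the packages found in them, a HAS_PREREQUISITE edge between layers, and one package with a digits-only name and no supplier), tallies the NTIA minimum elements the way sbomqs reports them (treating NOASSERTION as missing), histograms the relationship types, finds the element with the most CONTAINS edges, and lists digits-only names. All package names, versions, purls and the creator string are made up.

```python
import json
import re
from collections import Counter

# Constructed SPDX 2.2 document (test data, not the PyTorch SBOM analyzed above).
# Layer names are 64 hex digits, like the container element noted above.
LAYER0 = "a" * 64
LAYER1 = "b" * 64


def _pkg(spdxid, name, version, supplier="NOASSERTION", purl=None):
    """Build one SPDX package; a purl becomes an externalRef (vuln lookup id)."""
    p = {"SPDXID": spdxid, "name": name, "versionInfo": version,
         "supplier": supplier, "downloadLocation": "NOASSERTION"}
    if purl:
        p["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]
    return p


def _rel(src, rtype, dst):
    return {"spdxElementId": src, "relationshipType": rtype, "relatedSpdxElement": dst}


SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample-image",
    "creationInfo": {"created": "2023-01-01T00:00:00Z",
                     "creators": ["Tool: tern-2.12.0"]},  # made-up creator string
    "packages": [
        _pkg("SPDXRef-image", "sample-image", "1.0", "Organization: Example Corp"),
        _pkg("SPDXRef-layer0", LAYER0, "NOASSERTION"),  # layers carry no version
        _pkg("SPDXRef-layer1", LAYER1, "NOASSERTION"),
        _pkg("SPDXRef-libc6", "libc6", "2.35-0ubuntu3", "Organization: Ubuntu",
             "pkg:deb/ubuntu/libc6@2.35-0ubuntu3"),
        _pkg("SPDXRef-bash", "bash", "5.1-6ubuntu1", "Organization: Ubuntu",
             "pkg:deb/ubuntu/bash@5.1-6ubuntu1"),
        _pkg("SPDXRef-20230101", "20230101", "1"),  # digits-only name, no supplier
    ],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-image"),
        _rel("SPDXRef-image", "CONTAINS", "SPDXRef-layer0"),
        _rel("SPDXRef-image", "CONTAINS", "SPDXRef-layer1"),
        _rel("SPDXRef-layer1", "HAS_PREREQUISITE", "SPDXRef-layer0"),
        _rel("SPDXRef-layer1", "CONTAINS", "SPDXRef-libc6"),
        _rel("SPDXRef-layer1", "CONTAINS", "SPDXRef-bash"),
        _rel("SPDXRef-layer1", "CONTAINS", "SPDXRef-20230101"),
    ],
})

VULN_LOOKUP_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def _present(value):
    """SPDX allows NOASSERTION/NONE as placeholders; count them as missing."""
    return bool(value) and value not in ("NOASSERTION", "NONE")


def ntia_report(spdx_json):
    """Tally each NTIA minimum element across the packages, sbomqs-style."""
    doc = json.loads(spdx_json)
    pkgs = doc.get("packages", [])
    info = doc.get("creationInfo", {})
    return {
        "components": len(pkgs),
        "with_name": sum(_present(p.get("name")) for p in pkgs),
        "with_version": sum(_present(p.get("versionInfo")) for p in pkgs),
        "with_unique_id": sum(_present(p.get("SPDXID")) for p in pkgs),
        "with_supplier": sum(_present(p.get("supplier")) for p in pkgs),
        "with_vuln_lookup_id": sum(
            any(r.get("referenceType") in VULN_LOOKUP_TYPES
                for r in p.get("externalRefs", [])) for p in pkgs),
        "author": bool(info.get("creators")),
        "timestamp": _present(info.get("created")),
        "relationships": len(doc.get("relationships", [])),
    }


def ntia_conformant(report):
    """Conformant only if every component carries every per-component element."""
    n = report["components"]
    per_component = ("with_name", "with_version", "with_unique_id", "with_supplier")
    return (n > 0 and all(report[k] == n for k in per_component)
            and report["author"] and report["timestamp"]
            and report["relationships"] > 0)


def relationship_type_counts(spdx_json):
    """Histogram of relationshipType values (CONTAINS, DESCRIBES, ...)."""
    doc = json.loads(spdx_json)
    return Counter(r["relationshipType"] for r in doc.get("relationships", []))


def largest_container(spdx_json):
    """Name of the element with the most outgoing CONTAINS edges, and the count."""
    doc = json.loads(spdx_json)
    names = {p["SPDXID"]: p["name"] for p in doc.get("packages", [])}
    counts = Counter(r["spdxElementId"] for r in doc.get("relationships", [])
                     if r["relationshipType"] == "CONTAINS")
    if not counts:
        return None
    elem, count = counts.most_common(1)[0]
    return names.get(elem, elem), count


def numeric_only_names(spdx_json):
    """Package names made up solely of digits, which nothing downstream can match."""
    doc = json.loads(spdx_json)
    return [p["name"] for p in doc.get("packages", [])
            if re.fullmatch(r"\d+", p.get("name", ""))]


if __name__ == "__main__":
    rep = ntia_report(SAMPLE_SPDX_JSON)
    print(rep, "NTIA conformant:", ntia_conformant(rep))
    print(relationship_type_counts(SAMPLE_SPDX_JSON))
    print(largest_container(SAMPLE_SPDX_JSON), numeric_only_names(SAMPLE_SPDX_JSON))
```

On the constructed document the supplier and version tallies fall short of the component count, so the report is non-conformant for the same reason sbomqs flags the Tern SBOM; the CONTAINS histogram and the digits-only list reproduce the two graph observations above in a form that can be scripted over many SBOMs.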