On this page, we will analyze the SBOM generated by the Trivy tool for the PyTorch GitHub Repository. The overall analysis for Trivy is available here.
The SPDX SBOM was generated in the JSON format and converted to RDF/XML using pyspdxtools. It is a valid spdx file and can be validated using the spdx online validator.
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-trivy-spdx23.rdf.xml", format="xml")
print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))Files: 0
Packages: 124
relationships: 126| Individual elements | Status |
|---|---|
| All component names provided? | True |
| All component versions provided? | False |
| All component identifiers provided? | True |
| All component suppliers provided? | False |
| SBOM author name provided? | True |
| SBOM creation timestamp provided? | True |
| Dependency relationships provided? | True |
Components missing a version: pytorch, pip, pip, pip, bundler, pip
Components missing an supplier: pytorch, pip, myst-nb, IPython, sphinxcontrib.katex, docutils, sphinx, pip, sphinx-copybutton, tensorboard, myst-parser, sphinx-panels, matplotlib, python-etcd, sphinx, pip, breathe, exhale, sphinx, Jinja2, bundler, signet, faraday-em_http, unf, google-apis-playcustomapp_v1, terminal-notifier, rexml, representable, artifactory, faraday-net_http_persistent, atomos, faraday-patron, google-cloud-core, http-cookie, aws-eventstream, googleauth, multi_json, declarative, tty-screen, public_suffix, rake, google-cloud-storage, ruby2_keywords, uber, simctl, mini_magick, babosa, gh_inspector, fastimage, unf_ext, faraday-excon, nanaimo, tty-cursor, faraday-multipart, tty-spinner, digest-crc, colored2, xcodeproj, dotenv, colored, jmespath, rouge, faraday, retriable, faraday-httpclient, trailblazer-option, naturally, webrick, emoji_regex, optparse, httpclient, xcpretty-travis-formatter, plist, faraday_middleware, faraday-cookie_jar, os, jwt, google-apis-core, fastlane, highline, mini_mime, commander, excon, addressable, multipart-post, faraday-net_http, faraday-rack, aws-partitions, domain_name, memoist, json, google-cloud-env, CFPropertyList, aws-sdk-s3, claide, google-cloud-errors, aws-sdk-kms, security, unicode-display_width, rubyzip, faraday-em_synchrony, google-apis-iamcredentials_v1, google-apis-androidpublisher_v3, aws-sdk-core, xcpretty, aws-sigv4, word_wrap, google-apis-storage_v1, terminal-table, faraday-retry, pip, typing-extensions, idna, sympy, urllib3, certifi, future, charset-normalizer, setuptools, numpy, six, requests, pyyaml, mpmath
Source: ntia_checker
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['trivy'])| feature | score | description | tool | |
|---|---|---|---|---|
| 0 | sbom_spec | 10.0 | provided sbom is in a supported sbom format of... | trivy |
| 1 | sbom_spec_version | 10.0 | provided sbom should be in supported spec vers... | trivy |
| 2 | sbom_spec_file_format | 10.0 | provided sbom should be in supported file form... | trivy |
| 3 | sbom_parsable | 10.0 | provided sbom is parsable | trivy |
| feature | score | description | tool | |
|---|---|---|---|---|
| 4 | comp_with_supplier | 0.00 | 0/124 have supplier names | trivy |
| 5 | comp_with_name | 10.00 | 124/124 have names | trivy |
| 6 | comp_with_version | 9.52 | 118/124 have versions | trivy |
| 7 | comp_with_uniq_ids | 10.00 | 124/124 have unique ID's | trivy |
| 8 | sbom_dependencies | 10.00 | doc has 126 relationships | trivy |
| 9 | sbom_authors | 10.00 | doc has 2 authors | trivy |
| 10 | sbom_creation_timestamp | 10.00 | doc has creation timestamp | trivy |
| feature | score | description | tool | |
|---|---|---|---|---|
| 11 | sbom_required_fields | 10.0 | Doc Fields:true Pkg Fields:true | trivy |
| 12 | comp_with_licenses | 0.0 | 0/124 have licenses | trivy |
| 13 | comp_with_checksums | 0.0 | 0/124 have checksums | trivy |
| feature | score | description | tool | |
|---|---|---|---|---|
| 14 | comp_valid_licenses | 0.00 | 0/124 components with valid license | trivy |
| 15 | comp_with_primary_purpose | 10.00 | 124/124 components have primary purpose specified | trivy |
| 16 | comp_with_deprecated_licenses | 0.00 | no licenses found | trivy |
| 17 | comp_with_restrictive_licenses | 0.00 | no licenses found | trivy |
| 18 | comp_with_any_vuln_lookup_id | 9.52 | 118/124 components have any lookup id | trivy |
| 19 | comp_with_multi_vuln_lookup_id | 0.00 | 0/124 components have multiple lookup id | trivy |
| 20 | sbom_with_creator_and_version | 10.00 | 1/1 tools have creator and version | trivy |
| feature | score | description | tool | |
|---|---|---|---|---|
| 21 | sbom_sharable | 10.0 | doc has a sharable license free 1 :: of 1 | trivy |
# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)
# optional: set the physics layout of the network
graph.force_atlas_2based()
#graph.set_edge_smooth('dynamic')
# show graph
graph.show("../../figs/cs1-trivy.relationship_full.html")../../figs/cs1-trivy.relationship_full.htmlNote: The tool discovered 5 metadata files, but did not classify them as spdx:File. Instead, it generated an spdx package for each file and connected the dependent packages in the file to it.
The metadata files:
spdx:Packages created for each metadata file:
"name": "bundler",
"SPDXID": "SPDXRef-Application-78693afa971b5448",
"sourceInfo": "ios/TestApp/Gemfile.lock",
"primaryPackagePurpose": "APPLICATION"
"name": "pip",
"SPDXID": "SPDXRef-Application-530d40f8e0d7c5c3",
"sourceInfo": "docs/cpp/requirements.txt",
"primaryPackagePurpose": "APPLICATION"
"name": "pip",
"SPDXID": "SPDXRef-Application-547f4b32b4b380e9",
"sourceInfo": "docs/requirements.txt",
"primaryPackagePurpose": "APPLICATION"
"name": "pip",
"SPDXID": "SPDXRef-Application-61422b121c43e6c3",
"sourceInfo": "tools/build/bazel/requirements.txt",
"copyrightText": "",
"primaryPackagePurpose": "APPLICATION"
"name": "pip",
"SPDXID": "SPDXRef-Application-b800f9d75ff7358c",
"sourceInfo": "functorch/docs/requirements.txt",
"primaryPackagePurpose": "APPLICATION"