This page describes each SBOM Quality check in detail, including scoring criteria, remediation steps, and an explanation of the potential impact associated with a low score. The checks are continually changing, and we welcome community feedback.
If you have ideas for additions or new detection techniques, please contribute!
- A
Quality Check
is a test that can be performed on SBOM to return a binary result (e.g., A check for specification) - A
Quality Check Category
is a logical grouping of Quality Checks (e.g., "NTIA-Minimum-Elements" Checks) - A
Quality Check Set
is a collection of Quality Checks (e.g., "Default Check Set", "IoT Quality Set")
- Each Quality Check has an equal weight and a score range of 0.0 - 10.0. (Coming soon: Customization of weight per Quality Check)
- A Quality Check applied over a list of items (e.g., licenses) averages its score from the Check applied to each element.
- Quality Check Set Score is an average of scores over all Quality Checks in that Set.
Any Check Set, including the default Check Set, may change over time as new Checks are added, existing ones are removed and meaning of an existing one changes.
Such a breaking change is marked by incrementing scoring_engine_version
in the output of sbomqs
.
Therefore comparing Quality Scores across scoring_engine_version
is not recommended.
This check determines whether the SBOM is in one of the specifications (CycloneDX, SPDX, SWID) recommended by the CISA reference document .
CISA recommends limiting the document to three commonly used formats to facilitate widespread adoption.
Remediation
- Re-create the document in CycloneDX, SPDX, or SWID.
This check determines whether the given SBOM is in the specification version that can support fields necessary for typical SBOM operations. The current check tests for:
- CycloneDX Versions: 1.0, 1.1, 1.2, 1.3, 1.4
- SPDX Versions: 2.1, 2.2, 2.3
While the earlier versions of specifications may exist, a document in an earlier version will not be able to carry all of the required fields.
Remediation
- Re-create the document in one of the versions listed above.
This check determines whether the given SBOM can be easily consumed by testing for the most common file formats associated with the specification.
- CycloneDX: XML, JSON
- SPDX: JSON, YAML, RDF, tag/value
Building and sharing SBOM in the most commonly used file format enables the use of SBOM in various conditions.
Remediation steps
- Re-create the document in one of the file formats listed above.
This check determines whether the given SBOM meets all the requirements of the underlying specification and file format to be parsed.
A syntactic error in the SBOM will prevent it from being usable.
Remediation
- Check the SBOM generator tool's known issues and get the most recent version of the tool.
- Check options/setup of the environment variables required to use the tool.
- Build SBOM with a different tool.
This check determines whether each component in the SBOM includes a name.
Components must have a name to be used meaningfully to assess compliance or security risk.
Remediation Identify the component with a missing name and check its product page to get its name.
- CycloneDX field: components:name
- SPDX field: PackageName
This check determines whether each component in the SBOM includes a supplier name. Supplier name is not a well defined term especially in the context of Open Source projects and we will update the recommendation here once a consensus emerges.
Remediation
Identify the component with a missing supplier name and check its product page to get its supplier name.
- CycloneDX field: components:supplier
- SPDX field: PackageSupplierName
This check determines whether each component in the SBOM includes a unique identifier.
Unique component identifiers are essential to ensure the document can uniquely describe properties associated with the component.
Remediation
Identify the component with a missing/duplicate identifier.
- CycloneDX field: components:bom-ref
- SPDX field: SPDXID
This check determines whether each component in the SBOM includes a version.
Components without a version can not be checked for vulnerabilities.
Remediation Identify the component with the missing version and populate the version field below.
- CycloneDX field: components:version
- SPDX field: PackageVersion
This check determines whether the document includes the name of the author.
The person, organization, or the tool that created the SBOM must be specified as the Author.
Remediation Check and populate the following fields with the name of the person, organization, or tool creating the SBOM.
- CycloneDX field: metadata:authors
- SPDX field: Creator
This check determines if the document includes the timestamp of its creation.
The timestamp can be used to determine when the SBOM was created relative to the software itself.
Remediation steps
- Check and populate the following fields with the timestamp of the SBOM document.
- CycloneDX field: metadata:timestamp
- SPDX field: Created
This check determines if the document describes the relationship among included components.
The dependency relationship can be critical in determining the order of inclusion and updates.
Remediation
- Check and populate the following fields with the relationship of components in the SBOM.
- CycloneDX field: dependencies
- SPDX field: Relationship
This check determines whether each component in the SBOM includes a valid checksum.
A valid checksum can be used to independently identify the contents of the package among variations of the package.
Remediation
- Check and populate the following fields with the relationship of components in the SBOM.
- CycloneDX field: dependencies
- SPDX fields: PackageChecksum, (Coming Soon) FileChecksum
This check determines whether each component in the SBOM includes a valid license.
A declared valid SPDX license is the key to evaluating any compliance risks.
Remediation steps
Check and populate the following fields with the relationship of components in the SBOM.
- CycloneDX field: component:licenses
- SPDX fields: PackageLicenseConcluded, (Coming Soon) LicenseConcluded
This check determines whether several fields required by the underlying specification are present in the document.
With the required fields, the SBOM processing becomes consistent by different tools.
Remediation
Check and populate the following required fields:
- CycloneDX Fields: bomFormat, SpecVersion, Version, component:type,component:name
- SPDX Fields: CreationInfo, Creator, Created, SPDXVersion, DataLicense, SPDXIdentifier, DocumentName, DocumentNamespace, PackageName, PackageSPDXIdentifier, PackageDowloadLocation, PackageVerificationCode (if applicable)
This check determines whether at least one vulnerability lookup identifier (CPE/PURL) is present for each component.
A vulnerability lookup identifier is critical in mapping SBOM components to known vulnerability databases (e.g., NVD).
Remediation
- Check and populate the following fields:
- CycloneDX field: components:cpe OR components:purl
- SPDX fields: ExternalRef with CPE or PURL
This check determines whether multiple vulnerability lookup identifiers are present for each component.
Including more than one vulnerability lookup identifier can enable vulnerability lookup from multiple sources, reducing the risk of missing any vulnerability.
Remediation
Check and populate the following fields:
- CycloneDX field: components:cpe AND components:purl
- SPDX fields: ExternalRef with CPE AND PURL
This check determines whether all included licenses are valid SPDX licenses or license expressions.
Any license expression not found on the SPDX list is a commercial license and must be evaluated independently for compliance risks.
Remediation
- Check the following fields to confirm none of the licenses belong to the SPDX license list:
- CycloneDX field: component:licenses
- SPDX fields: PackageLicenseConcluded, (Coming Soon) LicenseConcluded
This check determines whether any of the included licenses have been declared deprecated.
A deprecated license declaration can be considered a compliance risk.
Remediation
- Check the following fields to confirm none of the licenses belong to the deprecated licenses:
- CycloneDX field: component:licenses
- SPDX fields: PackageLicenseConcluded, (Coming Soon) LicenseConcluded
This check determines whether any included licenses have been declared restricted for use.
A restricted license declaration can be considered a compliance risk.
Remediation
- Check the following fields to confirm none of the licenses belong to the restricted license list:
- CycloneDX field: component:licenses
- SPDX fields: PackageLicenseConcluded, (Coming Soon) LicenseConcluded
This check determines whether the SBOM component includes the Primary Purpose field.
The primary purpose (or type) indicates the use of the component inside the application.
Remediation steps
Check the following fields to confirm none of the licenses belong to the restricted license list:
- CycloneDX field: component:type
- SPDX fields: PrimaryPackagePurpose
An sbom is expected to describe a primary component. This check determines if the sbom has a primary component or not.
Remediation steps
- CycloneDX: ensure the metadata section has the primary component defined
- SPDX: Should have a DESCRIBES relationship which points to a package, or have a documentDescribes field present.
This check determines whether the SBOM can be shared easily because it includes an unencumbered license: CC0, Unlicense, 0BSD
Check the following fields to see if the license includes one of the above licenses:
- CycloneDX field: metadata:licenses
- SPDX fields: DataLicense