Releases: SoftwareDesignLab/SBOM-Plugfest
v1.2.1b
Release Notes
New deployment methods and some UI changes. The full changelog can be found here.
Added
- Added the following startup commands for running the frontend either as a web app or as a standalone application:
  - web-start: Runs an Angular instance of the application for development purposes
  - web-build: Generates an index.html and build folder for the Angular application for web deployment
  - electron-start: Launches an Electron instance of the application
  - windows-build: Generates a standalone application (.exe) file and directory for deployment, with the backend built and included
  - backend-build: Builds the backend with no tests; used by the Windows build script
  - copy-jar: Copies the latest backend jar built from the backend to the build directory; used by the Windows build script
- DiffReport now tracks similarity and difference count for metadata and components
- Download button added to compare and metrics
- Header on metrics to display passed/total tests as well as which tests are currently displayed
Changed
- package.json: updated app name to plugfest
Fixed
- If "select all" was pressed first on compare, then all SBOMs were always compared, even if one was unchecked
What's Changed
- Mac Support by @jwj7297 in #225
- Fixed Mac for Gradle Build by @jwj7297 in #226
- Dev revise readme by @amandanitta in #230
- Scoring System by @jwj7297 in #229
- Scoring Changelog by @jwj7297 in #231
- Fixed selection issue for compare by @jwj7297 in #232
- Plugfest-in-a-box 1.2.1 Pre-Release by @dlg1206 in #224
New Contributors
- @amandanitta made their first contribution in #230
Full Changelog: v1.0.0b...v1.2.1b
Plugfest-in-a-Box v1-beta
Supported SBOM Formats
- CycloneDX 1.4 JSON
- CycloneDX 1.4 XML
- SPDX 2.3 Tag-Value
Comparison
Allows comparison across schemas and file formats
SBOM Conflicts
- Supplier: Suppliers of the code are not the same (publisher)
- Author: SBOMs have different authors
- Timestamp: SBOMs have different timestamps
- Origin Format: SBOMs have different origin formats
- Schema Version: SBOMs have different schema versions (CycloneDX 1.4, SPDX 2.3, etc)
- SBOM Version: SBOMs have different versions
- Serial Number: SBOMs have different serial numbers
Component Conflicts
- Missing: Component only found in one SBOM
- Version: Component found in both SBOMs, but has different versions
- License: Component found in both SBOMs, but has different licenses
- Publisher: Component found in both SBOMs, but has different publishers
- CPE: Component found in both SBOMs, but has different CPEs
- PURL: Component found in both SBOMs, but has different PURLs
- Hash: Component found in both SBOMs, but has different hashes
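The component-conflict categories above, worked through on two constructed CycloneDX 1.4 JSON SBOMs. This is an added example, not SBOM-Plugfest code; matching components by name, and the specific field names read from each component, are this example's assumptions.

```python
"""Detect component-level conflicts between two CycloneDX 1.4 JSON SBOMs (added example)."""
import json

# Constructed sample SBOMs: libfoo appears in both with changed version, license,
# PURL and hash; libbar is only in A, libbaz only in B.
SBOM_A = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "libfoo", "version": "1.2.0", "publisher": "Foo Inc",
     "purl": "pkg:maven/org.foo/libfoo@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
    {"name": "libbar", "version": "2.0.0"},
]})
SBOM_B = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "libfoo", "version": "1.3.0", "publisher": "Foo Inc",
     "purl": "pkg:maven/org.foo/libfoo@1.3.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
    {"name": "libbaz", "version": "0.1.0"},
]})

def _fields(comp):
    """Flatten the fields compared per component; lists are sorted so order is irrelevant."""
    return {
        "Version": comp.get("version"),
        "License": sorted(l.get("license", {}).get("id", "") for l in comp.get("licenses", [])),
        "Publisher": comp.get("publisher"),
        "CPE": comp.get("cpe"),
        "PURL": comp.get("purl"),
        "Hash": sorted((h["alg"], h["content"]) for h in comp.get("hashes", [])),
    }

def component_conflicts(sbom_a_json, sbom_b_json):
    """Return (conflict_type, component_name, value_in_a, value_in_b) tuples.

    For 'Missing' the two values are booleans saying which SBOM contains the component.
    """
    a = {c["name"]: c for c in json.loads(sbom_a_json).get("components", [])}
    b = {c["name"]: c for c in json.loads(sbom_b_json).get("components", [])}
    conflicts = [("Missing", n, n in a, n in b) for n in sorted(a.keys() ^ b.keys())]
    for name in sorted(a.keys() & b.keys()):
        fa, fb = _fields(a[name]), _fields(b[name])
        conflicts += [(k, name, fa[k], fb[k]) for k in fa if fa[k] != fb[k]]
    return conflicts

if __name__ == "__main__":
    for conflict in component_conflicts(SBOM_A, SBOM_B):
        print(conflict)
```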
Metrics
A series of metrics to assess the quality of the SBOM.
Completeness
Assesses how complete the content of the SBOM is.
- Minimum Elements Test: Checks that the Minimum Elements for an SBOM are present, as recommended by the NTIA:
  - Supplier Name: The name of an entity that creates, defines, and identifies components.
  - Component Name: Designation assigned to a unit of software defined by the original supplier.
  - Version of the Component: Identifier used by the supplier to specify a change in software from a previously identified version.
  - Other Unique Identifiers: Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases. Plugfest uses CPE and PURL.
  - Author of SBOM Data: The name of the entity that creates the SBOM data for this component.
  - Timestamp: Record of the date and time of the SBOM data assembly.
- Valid PURL Test: Test to see if the PURL is correctly formatted
- Valid CPE Test: Test to see if the CPE is correctly formatted
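The Minimum Elements Test and the Valid PURL Test, worked through on a constructed CycloneDX 1.4 JSON SBOM. This is an added example, not SBOM-Plugfest code; mapping "Supplier Name" to the component's supplier.name or publisher, and "Author of SBOM Data" to metadata.authors, are this example's assumptions, and the PURL check is purely syntactic.

```python
"""NTIA minimum-elements and PURL format checks over a CycloneDX 1.4 JSON SBOM (added example)."""
import json
import re

# pkg:type/namespace/name@version?qualifiers#subpath per the PURL spec:
# type starts with a letter, the name is mandatory, everything after it is optional.
PURL_RE = re.compile(
    r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/(?:[^/@?#]+/)*[^/@?#]+(?:@[^?#]+)?(?:\?[^#]+)?(?:#.*)?$")

# Constructed sample: libbar lacks a supplier and has a malformed PURL, libbaz lacks a version.
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2023-05-09T12:00:00Z", "authors": [{"name": "Plugfest Demo"}]},
    "components": [
        {"name": "libfoo", "version": "1.2.0", "supplier": {"name": "Foo Inc"},
         "purl": "pkg:maven/org.foo/libfoo@1.2.0"},
        {"name": "libbar", "version": "2.0.0", "purl": "maven/libbar@2.0.0"},
        {"name": "libbaz", "publisher": "Baz LLC", "cpe": "cpe:2.3:a:baz:libbaz:*:*:*:*:*:*:*:*"},
    ]})

def valid_purl(purl):
    """Valid PURL Test: is the string correctly formatted? (No registry lookup.)"""
    return isinstance(purl, str) and PURL_RE.match(purl) is not None

def minimum_elements(sbom_json):
    """Minimum Elements Test: list the missing NTIA elements, empty when the SBOM is complete."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    missing = []
    if not meta.get("authors"):
        missing.append("Author of SBOM Data")
    if not meta.get("timestamp"):
        missing.append("Timestamp")
    for comp in bom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            missing.append(f"{label}: Component Name")
        if not comp.get("version"):
            missing.append(f"{label}: Version of the Component")
        if not (comp.get("supplier", {}).get("name") or comp.get("publisher")):
            missing.append(f"{label}: Supplier Name")
        if not (comp.get("purl") or comp.get("cpe")):
            missing.append(f"{label}: Other Unique Identifiers")
    return missing

def invalid_purls(sbom_json):
    """Names of components whose PURL is present but fails the Valid PURL Test."""
    return [c["name"] for c in json.loads(sbom_json).get("components", [])
            if "purl" in c and not valid_purl(c["purl"])]
```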
Uniqueness
Assesses the quality of the unique identifiers and ensures they match the stored SBOM data.
- Has Hash Data Test: Test to see if hashes are stored
- Valid Hash Data Test: Test to see the stored hashes match the reported hash algorithm
- Accurate PURL Test: Test to see if the data stored in the PURL matches what is reported in the SBOM
- Accurate CPE Test: Test to see if the data stored in the CPE matches what is reported in the SBOM
Registered
Assesses whether the component is stored in a default repository.
- Is Registered Test: Uses PURLs to verify if the component exists in the default PURL repository
Licensing
Assesses whether the SBOM has valid license data.
- Has License Data Test: Test to see if Licenses are stored
- Valid SPDX License Test: Test to see if the license is in the SPDX License List and whether it is deprecated
SPDX
Assesses features that are required specifically for SPDX SBOMs.
- Has Data License SPDX Test: Test to see if the SBOM's DataLicense field contains the CC0-1.0 license
- Has SPDX ID Test: Test to see if each component has a valid SPDXID
- Has Document Namespace Test: Test to see if the SBOM contains a valid document namespace
- Has Download Location Test: Test to see if each component has a download location
- Has Creation Info Test: Test to see if the SBOM contains creation information
- Has Verification Code Test: Test to see if each component has a package verification code (when FilesAnalyzed is true) or omits it (when FilesAnalyzed is false)
- Has Extracted Licenses Test: Test to see if there are any extracted licenses not on the SPDX license list in the SBOM
- Extracted License Minimum Element Test: Test to see if the extracted licenses contain the required fields LicenseName, LicenseID, and LicenseCrossReference
CycloneDX
Assesses features that are required specifically for CycloneDX SBOMs.
- Has Bom-Ref Test: Test to see if a component has a unique bom-ref to reference inside the SBOM
- Has Bom Version Test: Test to see if the SBOM has a version number declared
v3.2.0a
v3.2.0 -- 5/9/23
API
- Fixed another bug preventing non-ASCII characters from being processed
Comparison
- Allow marking of components as appearing in target SBOM
Metrics
- Fix bug causing formatting issues with the data verification test
GUI
- Added individual loading spinners for each uploaded SBOM
v3.1.0a
v3.1.0 -- 5/2/23
API
- Fixed bug that prevented non-ASCII characters from being processed
Comparison
- Fix bug that showed duplicate UIDs in the comparison report
Metrics
- Added support for non-ASCII characters when pulling from package manager databases
- Remove all empty tests to prevent duplicated component lists
GUI
- Display which SBOM an identifier or quality came from