A Software Bill of Materials (SBOM) enables organizations to identify vulnerabilities, track open-source usage, and meet their compliance obligations.
However, each industry, with its own software production and consumption habits, can have industry-specific SBOM requirements.
The telecom industry recognized this, and the OpenChain Telco workgroup was created in May 2021 to address the industry's unique SBOM requirements.
Powered by participation from industry giants including Ericsson, Nokia, Huawei, KDDI Corporation, Fujitsu, Toshiba, Sony and Bosch, the working group set out to recommend a specific SBOM data format, identify the key fields within that format, and define criteria for distributing SBOMs.
The working group has released the OpenChain Telco SBOM Guide Version 1.0, aimed at creating consensus on what a quality Software Bill of Materials (SBOM) looks like. The guide groups its requirements as follows:
- Document creation information
- SBOM Build Information
  - The Creator field must contain an Organization value
  - The Creator field must contain a Tool name and its version
  - The CreatorComment field must contain SBOM type information as defined by CISA
- Package information
- Scope information
- Relationships information
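The three Creator and CreatorComment requirements above, implemented as a stand-alone check over an SPDX 2.3 JSON document. This is an added example written for this page, not code from sbomqs or from the OpenChain guide. The two embedded SBOMs are constructed; the choice to accept only the guide's "SBOM Type: <type>" spelling in the comment, and to read the token after the last hyphen of a Tool creator as its version, are this example's own assumptions.

```python
"""Check the OpenChain Telco 'SBOM Build Information' fields of an SPDX 2.3 JSON SBOM.

Added example for this page; not code from sbomqs or from the OpenChain guide.
"""
import json
import re

# SBOM types from CISA's "Types of Software Bill of Material (SBOM) Documents".
CISA_SBOM_TYPES = ("design", "source", "build", "analyzed", "deployed", "runtime")

# The guide's example spelling for the comment is "SBOM Type: Build"; accepting
# only that form (case-insensitively) is an assumption of this example.
SBOM_TYPE_RE = re.compile(r"SBOM\s*Type\s*:\s*(\w+)", re.IGNORECASE)

# SPDX 2.x writes a tool creator as "Tool: <name>-<version>". Treating the token
# after the last hyphen as the version, and requiring it to contain a digit, is
# this example's assumption.
TOOL_VERSION_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^\s-]*\d[^\s-]*)$")

# Constructed sample SBOMs (not real syft output). The first one fails two checks:
# the Tool creator carries no version and the comment names no SBOM type.
SAMPLE_BAD = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx-image",
    "creationInfo": {
        "created": "2024-07-03T18:58:39Z",
        "creators": ["Organization: Example Corp", "Tool: syft"],
        "comment": "generated in CI",
    },
})
SAMPLE_GOOD = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx-image",
    "creationInfo": {
        "created": "2024-07-03T18:58:39Z",
        "creators": ["Organization: Example Corp", "Tool: syft-0.105.1"],
        "comment": "SBOM Type: Build",
    },
})


def parse_creators(doc):
    """Map creator kind ('Organization', 'Tool', 'Person') to the list of its values."""
    creators = {}
    for entry in doc.get("creationInfo", {}).get("creators", []):
        kind, _, value = entry.partition(":")
        creators.setdefault(kind.strip(), []).append(value.strip())
    return creators


def check_build_info(doc):
    """Return {check_id: (passed, detail)} for the three SBOM Build Information checks."""
    creators = parse_creators(doc)
    results = {}

    orgs = [v for v in creators.get("Organization", []) if v]
    results["creator_organization"] = (bool(orgs), ", ".join(orgs) or "no Organization creator")

    tools = creators.get("Tool", [])
    versioned = [t for t in tools if TOOL_VERSION_RE.match(t)]
    if versioned:
        detail = ", ".join(versioned)
    elif tools:
        detail = ", ".join(tools) + " (no version)"
    else:
        detail = "no Tool creator"
    results["creator_tool_version"] = (bool(versioned), detail)

    comment = doc.get("creationInfo", {}).get("comment", "")
    match = SBOM_TYPE_RE.search(comment)
    sbom_type = match.group(1).lower() if match else None
    results["creator_comment_sbom_type"] = (
        sbom_type in CISA_SBOM_TYPES,
        sbom_type or "no 'SBOM Type:' in CreatorComment",
    )
    return results


def check_json(text):
    """Parse an SPDX JSON document and run the build-information checks on it."""
    return check_build_info(json.loads(text))


def score(results):
    """Fraction of checks passed, scaled to a sbomqs-style 0-10 and rounded to one decimal."""
    passed = sum(1 for ok, _ in results.values() if ok)
    return round(10.0 * passed / len(results), 1)


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        results = check_json(text)
        print(f"{label}: score {score(results)}")
        for check_id, (ok, detail) in results.items():
            print(f"  {'PASS' if ok else 'FAIL'} {check_id}: {detail}")
```

Run it against a real syft SPDX JSON by replacing the sample text with the file contents; a Tool creator that lacks a version or a CreatorComment without an SBOM type shows up as a FAIL with the offending value, which is the same information the sbomqs table report surfaces in its ELEMENT RESULT column.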
Interlynk maintains sbomqs, an open-source, multi-spec utility widely used to score SBOM quality and check conformity against the NTIA Minimum Elements and BSI TR-03183-2.
We have extended it to report on OpenChain Telco compliance as well.
sbomqs can now produce a basic or detailed report in table or JSON format. A basic table report for a syft-generated SPDX SBOM:
sbomqs compliance -t -b ~/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
OpenChain Telco Report
Score:4.0 RequiredScore:4.0 OptionalScore:0.0 for /Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
The detailed table report for the same file:
OpenChain Telco Report
Compliance score by Interlynk Score:4.0 RequiredScore:4.0 OptionalScore:0.0 for /Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
* indicates optional fields
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
| ELEMENTID | SECTION | DATAFIELD | ELEMENT RESULT | SCORE |
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
| SBOM Format | 3.1 | SBOM data format | spdx | 10.0 |
+--------------------------------------------------------+---------+------------------------------+---------------------------------------------------------------------------+-------+
| SPDX Elements | 3.2 | Spec version | SPDX-2.3 | 10.0 |
+ +---------+------------------------------+---------------------------------------------------------------------------+-------+
| | 3.2 | Spec spdxid | DOCUMENT | 10.0 |
+ +---------+------------------------------+---------------------------------------------------------------------------+-------+
| | 3.2 | SBOM creator comment | | 0.0 |
The same report in JSON format:
sbomqs compliance -t -j ~/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json
{
"report_name": "Open Chain Telco Report",
"subtitle": "Part 2: Software Bill of Materials (SBOM)",
"revision": "",
"run": {
"id": "0822860e-c4e3-4833-9dc1-7c367339e5c9",
"generated_at": "2024-07-03T18:58:39Z",
"file_name": "/Users/interlynk/Downloads/syft-0.105.1_nginx-stable-bullseye-perl.spdx.json",
"compliance_engine_version": "1"
},
....