# NTIA Conformance Checker
[](https://github.com/spdx/ntia-conformance-checker/actions)
[](https://badge.fury.io/py/ntia-conformance-checker)
[](https://badge.fury.io/py/ntia-conformance-checker)
[](https://scorecard.dev/viewer/?uri=github.com/spdx/ntia-conformance-checker)
This tool determines whether a [SPDX](https://spdx.dev/) software bill of
materials (SBOM) document contains informational items as required by a
certain specification.
## Conformance
Currently, the only supported specification is the
2021 National Telecommunications and Information Administration (NTIA)
["minimum elements."][ntia]
The mapping of the NTIA elements required data fields to the SPDX 2.3
specification can be found [here][ntia-spdx23].
The minimum elements include:
- Supplier Name
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp
As defined by the NTIA, the minimum elements are
"the essential pieces that support basic SBOM functionality and will serve as
the foundation for an evolving approach to software transparency."
Checking the conformance with 2024 Framing Software Component Transparency
(FSCT3) ["Baseline Attributes"][fsct3] is *experimental and under development*.
The mapping of FSCT3 Baseline Attributes to ISO/IEC 5962:2021 (SPDX 2.2.1) and
SPDX 3.0 can be found at Section 2.5 of the FSCT3 document.
In addition to information similar to NTIA minimum elements,
FSCT3 also requires these Baseline Attributes:
- License
- Copyright Holder
More comparison of SBOM requirements and their mapping to SPDX can be found in
[this slide][sbom-reqs] from Takashi Ninjouji of OpenChain Japan SBOM Sub-WG,
presented at SPDX General Meeting 2024-12-05.
[sbom-reqs]: https://drive.google.com/file/d/14HZGYD7pSSWEmtaHZzWrzPhxCXaCnloJ/view
## Installation
*Installation Method #1*:
Install from the [Python Package Index (PyPI)][pypi] with `pip`.
`pip install ntia-conformance-checker`
*Installation Method #2*: Install locally.
Clone the repo and install dependencies using the following commands:
```bash
git clone https://github.com/spdx/ntia-conformance-checker.git
cd ntia-conformance-checker
pip install .
```
The tool requires Python 3 (3.8+).
It is recommended to use a virtual python environment especially
if you are using different versions of python.
`virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single
environment, or have different environments set up for testing using different
versions of Python.
## CLI Usage
```text
Usage: sbomcheck [OPTIONS]
Options:
--file TEXT The file to be parsed
--comply [fsct3-min|ntia]
Specify which compliance standard to check against
- fsct3-min: FSCT3 Baseline Attributes-Minimum Expected
- ntia: NTIA minimum elements
[default: ntia]
--output [html|json|print|quiet]
Output format [default: print]
--output_path TEXT Filepath for optionally storing output.
--skip-validation Specify whether to skip validation
-v, --verbose Use verbose printing
--version Display version of ntia-conformance-checker
-h, --help Show this message and exit.
```
The user can then analyze a particular file:
```bash
sbomcheck --file sbom.json
```
To generate the output in machine-readable JSON, run:
```bash
sbomcheck --file sbom.spdx --output json
```
## Usage as a Library
`ntia-conformance-checker` can also be imported as a library. For example:
```python
from ntia_conformance_checker import SbomChecker
sbom_checker = SbomChecker("SBOM_filepath")
print(sbom_checker.compliant)
```
Additional properties and methods can be found in `BaseChecker` class
at [`base_checker.py`](ntia_conformance_checker/base_checker.py).
Specific properties and methods for a particular specification can be found
at the checker for that specification. For example, `NTIAChecker` class
at [`ntia_checker.py`](ntia_conformance_checker/ntia_checker.py).
## History
This is the result of an initial
[Google Summer of Code (GSoC)](https://summerofcode.withgoogle.com/)
contribution in 2022 by
[@linynjosh](https://github.com/linynjosh) and is maintained
by a community of SPDX adopters and enthusiasts.
## License
[Apache-2.0](./LICENSE)
## Dependencies
- [spdx-tools](https://pypi.org/project/spdx-tools/) used for parsing the
SPDX SBOM.
## Support
- Submit issues, questions or feedback at
<https://github.com/spdx/ntia-conformance-checker/issues>
- Join the discussion on <https://lists.spdx.org/g/spdx-tech> and
<https://spdx.dev/participate/tech/>
## Contributing
Contributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md)
for instructions on how to contribute to the codebase.
## Further help
Check out the [frequently asked questions](./FAQ.md) document.
[ntia]: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom
[ntia-spdx23]: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields
[fsct3]: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024
[pypi]: https://pypi.org/project/ntia-conformance-checker/
Raw data
{
"_id": null,
"home_page": null,
"name": "ntia-conformance-checker",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "John Speed Meyers <johnmeyersster@gmail.com>, Gary O'Neall <gary@sourceauditor.com>, Josh Lin <linynjosh@gmail.com>, SPDX group at the Linux Foundation and others <spdx-implementers+owner@lists.spdx.org>",
"keywords": "spdx, sbom, ntia, cisa, minimum elements, baseline attributes, software bill of materials, bill of materials, common SBOM, software package data exchange, software component transparency",
"author": null,
"author_email": "Josh Lin <linynjosh@gmail.com>, John Speed Meyers <johnmeyersster@gmail.com>, Arthit Suriyawongkul <arthit@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/d7/06/a7baa9457173ef2a989bb3d8866ce834b02822677572f54e281dcd898d30/ntia_conformance_checker-3.1.0.tar.gz",
"platform": null,
"description": "# NTIA Conformance Checker\n\n[](https://github.com/spdx/ntia-conformance-checker/actions)\n\n[](https://badge.fury.io/py/ntia-conformance-checker)\n[](https://badge.fury.io/py/ntia-conformance-checker)\n[](https://scorecard.dev/viewer/?uri=github.com/spdx/ntia-conformance-checker)\n\nThis tool determines whether a [SPDX](https://spdx.dev/) software bill of\nmaterials (SBOM) document contains informational items as required by a\ncertain specification.\n\n## Conformance\n\nCurrently, the only supported specification is the\n2021 National Telecommunications and Information Administration (NTIA)\n[\"minimum elements.\"][ntia]\nThe mapping of the NTIA elements required data fields to the SPDX 2.3\nspecification can be found [here][ntia-spdx23].\n\nThe minimum elements include:\n\n- Supplier Name\n- Component Name\n- Version of the Component\n- Other Unique Identifiers\n- Dependency Relationship\n- Author of SBOM Data\n- Timestamp\n\nAs defined by the NTIA, the minimum elements are\n\"the essential pieces that support basic SBOM functionality and will serve as\nthe foundation for an evolving approach to software transparency.\"\n\nChecking the conformance with 2024 Framing Software Component Transparency\n(FSCT3) [\"Baseline Attributes\"][fsct3] is *experimental and under development*.\nThe mapping of FSCT3 Baseline Attributes to ISO/IEC 5962:2021 (SPDX 2.2.1) and\nSPDX 3.0 can be found at Section 2.5 of the FSCT3 document.\n\nIn addition to information similar to NTIA minimum elements,\nFSCT3 also requires these Baseline Attributes:\n\n- License\n- Copyright Holder\n\nMore comparison of SBOM requirements and their mapping to SPDX can be found in\n[this slide][sbom-reqs] from Takashi Ninjouji of OpenChain Japan SBOM Sub-WG,\npresented at SPDX General Meeting 2024-12-05.\n\n[sbom-reqs]: https://drive.google.com/file/d/14HZGYD7pSSWEmtaHZzWrzPhxCXaCnloJ/view \n\n## Installation\n\n*Installation Method #1*:\nInstall from the [Python Package Index (PyPI)][pypi] with `pip`.\n\n`pip install ntia-conformance-checker`\n\n*Installation Method #2*: Install locally.\nClone the repo and install dependencies using the following commands:\n\n```bash\ngit clone https://github.com/spdx/ntia-conformance-checker.git\ncd ntia-conformance-checker\npip install .\n```\n\nThe tool requires Python 3 (3.8+).\nIt is recommended to use a virtual python environment especially\nif you are using different versions of python.\n`virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single\nenvironment, or have different environments set up for testing using different\nversions of Python.\n\n## CLI Usage\n\n```text\nUsage: sbomcheck [OPTIONS]\n\nOptions:\n --file TEXT The file to be parsed\n --comply [fsct3-min|ntia]\n Specify which compliance standard to check against\n - fsct3-min: FSCT3 Baseline Attributes-Minimum Expected\n - ntia: NTIA minimum elements\n [default: ntia]\n --output [html|json|print|quiet]\n Output format [default: print]\n --output_path TEXT Filepath for optionally storing output.\n --skip-validation Specify whether to skip validation\n -v, --verbose Use verbose printing\n --version Display version of ntia-conformance-checker\n -h, --help Show this message and exit.\n```\n\nThe user can then analyze a particular file:\n\n```bash\nsbomcheck --file sbom.json\n```\n\nTo generate the output in machine-readable JSON, run:\n\n```bash\nsbomcheck --file sbom.spdx --output json\n```\n\n## Usage as a Library\n\n`ntia-conformance-checker` can also be imported as a library. For example:\n\n```python\nfrom ntia_conformance_checker import SbomChecker\n\nsbom_checker = SbomChecker(\"SBOM_filepath\")\n\nprint(sbom_checker.compliant)\n```\n\nAdditional properties and methods can be found in `BaseChecker` class\nat [`base_checker.py`](ntia_conformance_checker/base_checker.py).\nSpecific properties and methods for a particular specification can be found\nat the checker for that specification. For example, `NTIAChecker` class\nat [`ntia_checker.py`](ntia_conformance_checker/ntia_checker.py).\n\n## History\n\nThis is the result of an initial\n[Google Summer of Code (GSoC)](https://summerofcode.withgoogle.com/)\ncontribution in 2022 by\n[@linynjosh](https://github.com/linynjosh) and is maintained\nby a community of SPDX adopters and enthusiasts.\n\n## License\n\n[Apache-2.0](./LICENSE)\n\n## Dependencies\n\n- [spdx-tools](https://pypi.org/project/spdx-tools/) used for parsing the\n SPDX SBOM.\n\n## Support\n\n- Submit issues, questions or feedback at\n <https://github.com/spdx/ntia-conformance-checker/issues>\n- Join the discussion on <https://lists.spdx.org/g/spdx-tech> and\n <https://spdx.dev/participate/tech/>\n\n## Contributing\n\nContributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md)\nfor instructions on how to contribute to the codebase.\n\n## Further help\n\nCheck out the [frequently asked questions](./FAQ.md) document.\n\n[ntia]: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom\n[ntia-spdx23]: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields\n[fsct3]: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024\n[pypi]: https://pypi.org/project/ntia-conformance-checker/\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "Check SPDX SBOM for NTIA minimum elements and common SBOM baseline attributes",
"version": "3.1.0",
"project_urls": {
"Homepage": "https://github.com/spdx/ntia-conformance-checker"
},
"split_keywords": [
"spdx",
" sbom",
" ntia",
" cisa",
" minimum elements",
" baseline attributes",
" software bill of materials",
" bill of materials",
" common sbom",
" software package data exchange",
" software component transparency"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "c64a39d2dfdbae160fc7cb881ed592a1e4d2f4c61311b0da938f80222b1acfe8",
"md5": "0910897d6d21782b86f6f412f49d4b07",
"sha256": "27cba6ef78b7a939c708a3bbccce5e2179c64b1d4f0c2b3926842bc90f6ad3c1"
},
"downloads": -1,
"filename": "ntia_conformance_checker-3.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "0910897d6d21782b86f6f412f49d4b07",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 18685,
"upload_time": "2024-12-31T21:53:59",
"upload_time_iso_8601": "2024-12-31T21:53:59.857052Z",
"url": "https://files.pythonhosted.org/packages/c6/4a/39d2dfdbae160fc7cb881ed592a1e4d2f4c61311b0da938f80222b1acfe8/ntia_conformance_checker-3.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "d706a7baa9457173ef2a989bb3d8866ce834b02822677572f54e281dcd898d30",
"md5": "9dfb90d45b830b02ee28b81afb5130bb",
"sha256": "d77c922cffbb8c327fcc0d62999647ed81e7c628958649438d9d5b691d17bdaf"
},
"downloads": -1,
"filename": "ntia_conformance_checker-3.1.0.tar.gz",
"has_sig": false,
"md5_digest": "9dfb90d45b830b02ee28b81afb5130bb",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 3986001,
"upload_time": "2024-12-31T21:54:02",
"upload_time_iso_8601": "2024-12-31T21:54:02.584256Z",
"url": "https://files.pythonhosted.org/packages/d7/06/a7baa9457173ef2a989bb3d8866ce834b02822677572f54e281dcd898d30/ntia_conformance_checker-3.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-12-31 21:54:02",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "spdx",
"github_project": "ntia-conformance-checker",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "ntia-conformance-checker"
}
JSON
