# NTIA Conformance Checker
[](https://github.com/spdx/ntia-conformance-checker/actions)
[](https://pypi.org/project/ntia-conformance-checker/)
[](https://github.com/spdx/ntia-conformance-checker)
[](https://scorecard.dev/viewer/?uri=github.com/spdx/ntia-conformance-checker)
This tool determines whether a [SPDX](https://spdx.dev/) software bill of
materials (SBOM) document contains informational items as required by a
certain specification.
## Conformance
Currently, the supported specifications are:
- 2021 National Telecommunications and Information Administration (NTIA)
["minimum elements."][ntia]
- 2024 CISA Framing Software Component Transparency (FSCT3)
["minimum expected."][fsct3]
The minimum elements include:
- Supplier Name
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp
As defined by the NTIA, the minimum elements are
"the essential pieces that support basic SBOM functionality and will serve as
the foundation for an evolving approach to software transparency."
In addition to information similar to NTIA minimum elements,
FSCT3 requires these Baseline Attributes as part of its "minimum expected":
- License
- Copyright Holder (inside Copyright Notice)
Mappings:
- The mapping of the NTIA elements required data fields to the SPDX 2.3
specification can be found [here][ntia-spdx23].
- The mapping of FSCT3 Baseline Attributes to ISO/IEC 5962:2021 (SPDX 2.2.1)
and SPDX 3.0 can be found at Section 2.5 of the FSCT3 document.
- More comparison of SBOM requirements and their mapping to SPDX can be found
in [this slide][sbom-reqs] from Takashi Ninjouji of OpenChain Japan SBOM
Sub-WG, presented at SPDX General Meeting 2024-12-05.
## Installation
This tool requires Python 3.9+.
Its dependencies may require a more recent version of Python.
*Installation Method #1*:
Install from the [Python Package Index (PyPI)][pypi] with `pip`.
```bash
pip install ntia-conformance-checker
```
*Installation Method #2*: Install from local source.
Clone the repo and install dependencies using the following commands:
```bash
git clone https://github.com/spdx/ntia-conformance-checker.git
cd ntia-conformance-checker
pip install .
```
It is recommended to use a virtual environment, especially
if you work with multiple Python versions.
`virtualenv` is a tool for creating isolated Python environments;
it lets you keep a project's dependencies in a single environment
or create separate environments for testing with different Python versions.
## CLI Usage
```text
usage: sbomcheck [OPTIONS] FILE
FILE Filepath for SBOM input
Options:
-h, --help show this help message and exit
-s, --sbom-spec {spdx2,spdx3}
SBOM specification of the input file; see below for details [default: spdx2]
-c, --comply {fsct3-min,ntia}
Compliance standards to check against; see below for details [default: ntia]
--skip-validation Skip validation
-r, --output {html,json,print,quiet}
Type of compliance report output; see below for details [default: print]
-o, --output-file PATH
Filepath for compliance report output; if omitted, prints to console
-v, --verbose Print more information (debug)
-V, --version Display version of sbomcheck
choices:
SBOM specifications (for --sbom-spec):
spdx2 Software Package Data Exchange (SPDX) 2.x
spdx3 System Package Data Exchange (SPDX) 3.x
Compliance standards (for --comply):
fsct3-min 2024 CISA Framing Software Component Transparency (minimum expectation)
ntia 2021 NTIA SBOM Minimum Elements
Report output types (for --output):
html Report in HTML format
json Report in JSON format
print Print report to console
quiet No output unless there are errors
Examples:
sbomcheck sbom.spdx
sbomcheck -s spdx3 -c fsct3-min -v sbom.json
sbomcheck sbom.yaml --output json --output-file report.json
```
The user can then analyze a particular file:
```bash
sbomcheck sbom.json
```
To generate the output in machine-readable JSON, run:
```bash
sbomcheck sbom.spdx --output json
```
To analyze an SPDX 3 JSON file, run:
```bash
sbomcheck sbom.spdx --sbom-spec spdx3
```
Use `-h` for help:
```bash
sbomcheck -h
```
## Usage as a Library
`ntia-conformance-checker` can also be imported as a library. For example:
```python
from ntia_conformance_checker import SbomChecker
sbom_checker = SbomChecker("SBOM_filepath")
print(sbom_checker.compliant)
```
See the API documentation at:
<https://spdx.github.io/ntia-conformance-checker/>
Additional properties and methods can be found in `BaseChecker` class
at [`base_checker.py`](ntia_conformance_checker/base_checker.py).
Specific properties and methods for a particular specification can be found
at the checker for that specification. For example, `NTIAChecker` class
at [`ntia_checker.py`](ntia_conformance_checker/ntia_checker.py).
## Online Usage
With the SPDX Online Tool, you can check the SBOM conformance without the need
to install the Python package.
Go to this page: <https://tools.spdx.org/app/ntia_checker/>.
## History
- The project is the result of an initial [Google Summer of Code (GSoC)][gsoc]
contribution in 2022 by [@linynjosh](https://github.com/linynjosh).
- SPDX 3 support and improved FSCT3 checker, available in [v4.0.0][],
are [GSoC 2025 contribution][gsoc2025] by [@bact](https://github.com/bact).
- The project is maintained by a community of SPDX adopters and enthusiasts.
- See SPDX's participation in Google Summer of Code (GSoC):
<https://github.com/spdx/GSoC>.
[v4.0.0]: https://github.com/spdx/ntia-conformance-checker/blob/main/CHANGELOG.md#400---2025-09-05
[gsoc]: https://summerofcode.withgoogle.com/
[gsoc2025]: https://docs.google.com/document/d/1emyt1AXJUPDoHIoFdWAwdpV6nRpnmeJiCVCAzFG3T-8/edit?usp=sharing
## License
[Apache-2.0](./LICENSE)
## Dependencies
- [spdx-tools](https://pypi.org/project/spdx-tools/)
used for parsing the SPDX 2 SBOM.
- [spdx-python-model](https://pypi.org/project/spdx-python-model/)
used for parsing the SPDX 3 SBOM.
## Support
- Submit issues, questions or feedback at
<https://github.com/spdx/ntia-conformance-checker/issues>
- Join the discussion on <https://lists.spdx.org/g/spdx-tech> and
<https://spdx.dev/participate/tech/>
## Contributing
Contributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md)
for instructions on how to contribute to the codebase.
## Further help
Check out the [frequently asked questions](./FAQ.md) document.
[ntia]: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom
[ntia-spdx23]: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields
[fsct3]: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024
[sbom-reqs]: https://drive.google.com/file/d/14HZGYD7pSSWEmtaHZzWrzPhxCXaCnloJ/view
[pypi]: https://pypi.org/project/ntia-conformance-checker/
Raw data
{
"_id": null,
"home_page": null,
"name": "ntia-conformance-checker",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": "John Speed Meyers <johnmeyersster@gmail.com>, Gary O'Neall <gary@sourceauditor.com>, Josh Lin <linynjosh@gmail.com>, Arthit Suriyawongkul <suriyawa@tcd.ie>, SPDX group at the Linux Foundation and others <spdx-implementers+owner@lists.spdx.org>",
"keywords": "spdx, sbom, ntia, cisa, minimum elements, baseline attributes, software bill of materials, bill of materials, common SBOM, software package data exchange, software component transparency, supply chain security",
"author": null,
"author_email": "Josh Lin <linynjosh@gmail.com>, John Speed Meyers <johnmeyersster@gmail.com>, Arthit Suriyawongkul <suriyawa@tcd.ie>",
"download_url": "https://files.pythonhosted.org/packages/13/2a/d166b25688e964ddbba2c919648ead7a7234cd514ef47f854037d70f3cdb/ntia_conformance_checker-4.0.0.tar.gz",
"platform": null,
"description": "# NTIA Conformance Checker\n\n[](https://github.com/spdx/ntia-conformance-checker/actions)\n\n[](https://pypi.org/project/ntia-conformance-checker/)\n[](https://github.com/spdx/ntia-conformance-checker)\n[](https://scorecard.dev/viewer/?uri=github.com/spdx/ntia-conformance-checker)\n\nThis tool determines whether a [SPDX](https://spdx.dev/) software bill of\nmaterials (SBOM) document contains informational items as required by a\ncertain specification.\n\n## Conformance\n\nCurrently, the supported specifications are:\n\n- 2021 National Telecommunications and Information Administration (NTIA)\n [\"minimum elements.\"][ntia]\n- 2024 CISA Framing Software Component Transparency (FSCT3)\n [\"minimum expected.\"][fsct3]\n\nThe minimum elements include:\n\n- Supplier Name\n- Component Name\n- Version of the Component\n- Other Unique Identifiers\n- Dependency Relationship\n- Author of SBOM Data\n- Timestamp\n\nAs defined by the NTIA, the minimum elements are\n\"the essential pieces that support basic SBOM functionality and will serve as\nthe foundation for an evolving approach to software transparency.\"\n\nIn addition to information similar to NTIA minimum elements,\nFSCT3 requires these Baseline Attributes as part of its \"minimum expected\":\n\n- License\n- Copyright Holder (inside Copyright Notice)\n\nMappings:\n\n- The mapping of the NTIA elements required data fields to the SPDX 2.3\n specification can be found [here][ntia-spdx23].\n- The mapping of FSCT3 Baseline Attributes to ISO/IEC 5962:2021 (SPDX 2.2.1)\n and SPDX 3.0 can be found at Section 2.5 of the FSCT3 document.\n- More comparison of SBOM requirements and their mapping to SPDX can be found\n in [this slide][sbom-reqs] from Takashi Ninjouji of OpenChain Japan SBOM\n Sub-WG, presented at SPDX General Meeting 2024-12-05.\n\n## Installation\n\nThis tool requires Python 3.9+.\nIts dependencies may require a more recent version of Python.\n\n*Installation Method #1*:\nInstall from the [Python Package Index (PyPI)][pypi] with `pip`.\n\n```bash\npip install ntia-conformance-checker\n```\n\n*Installation Method #2*: Install from local source.\nClone the repo and install dependencies using the following commands:\n\n```bash\ngit clone https://github.com/spdx/ntia-conformance-checker.git\ncd ntia-conformance-checker\npip install .\n```\n\nIt is recommended to use a virtual environment, especially\nif you work with multiple Python versions.\n`virtualenv` is a tool for creating isolated Python environments;\nit lets you keep a project's dependencies in a single environment\nor create separate environments for testing with different Python versions.\n\n## CLI Usage\n\n```text\nusage: sbomcheck [OPTIONS] FILE\n\n FILE Filepath for SBOM input\n\nOptions:\n -h, --help show this help message and exit\n -s, --sbom-spec {spdx2,spdx3}\n SBOM specification of the input file; see below for details [default: spdx2]\n -c, --comply {fsct3-min,ntia}\n Compliance standards to check against; see below for details [default: ntia]\n --skip-validation Skip validation\n -r, --output {html,json,print,quiet}\n Type of compliance report output; see below for details [default: print]\n -o, --output-file PATH\n Filepath for compliance report output; if omitted, prints to console\n -v, --verbose Print more information (debug)\n -V, --version Display version of sbomcheck\n\nchoices:\n SBOM specifications (for --sbom-spec):\n spdx2 Software Package Data Exchange (SPDX) 2.x\n spdx3 System Package Data Exchange (SPDX) 3.x\n\n Compliance standards (for --comply):\n fsct3-min 2024 CISA Framing Software Component Transparency (minimum expectation)\n ntia 2021 NTIA SBOM Minimum Elements\n\n Report output types (for --output):\n html Report in HTML format\n json Report in JSON format\n print Print report to console\n quiet No output unless there are errors\n\nExamples:\n sbomcheck sbom.spdx\n sbomcheck -s spdx3 -c fsct3-min -v sbom.json\n sbomcheck sbom.yaml --output json --output-file report.json\n```\n\nThe user can then analyze a particular file:\n\n```bash\nsbomcheck sbom.json\n```\n\nTo generate the output in machine-readable JSON, run:\n\n```bash\nsbomcheck sbom.spdx --output json\n```\n\nTo analyze an SPDX 3 JSON file, run:\n\n```bash\nsbomcheck sbom.spdx --sbom-spec spdx3\n```\n\nUse `-h` for help:\n\n```bash\nsbomcheck -h\n```\n\n## Usage as a Library\n\n`ntia-conformance-checker` can also be imported as a library. For example:\n\n```python\nfrom ntia_conformance_checker import SbomChecker\n\nsbom_checker = SbomChecker(\"SBOM_filepath\")\n\nprint(sbom_checker.compliant)\n```\n\nSee the API documentation at:\n<https://spdx.github.io/ntia-conformance-checker/>\n\nAdditional properties and methods can be found in `BaseChecker` class\nat [`base_checker.py`](ntia_conformance_checker/base_checker.py).\nSpecific properties and methods for a particular specification can be found\nat the checker for that specification. For example, `NTIAChecker` class\nat [`ntia_checker.py`](ntia_conformance_checker/ntia_checker.py).\n\n## Online Usage\n\nWith the SPDX Online Tool, you can check the SBOM conformance without the need\nto install the Python package.\n\nGo to this page: <https://tools.spdx.org/app/ntia_checker/>.\n\n## History\n\n- The project is the result of an initial [Google Summer of Code (GSoC)][gsoc]\n contribution in 2022 by [@linynjosh](https://github.com/linynjosh).\n- SPDX 3 support and improved FSCT3 checker, available in [v4.0.0][],\n are [GSoC 2025 contribution][gsoc2025] by [@bact](https://github.com/bact).\n- The project is maintained by a community of SPDX adopters and enthusiasts.\n- See SPDX's participation in Google Summer of Code (GSoC):\n <https://github.com/spdx/GSoC>.\n\n[v4.0.0]: https://github.com/spdx/ntia-conformance-checker/blob/main/CHANGELOG.md#400---2025-09-05\n[gsoc]: https://summerofcode.withgoogle.com/\n[gsoc2025]: https://docs.google.com/document/d/1emyt1AXJUPDoHIoFdWAwdpV6nRpnmeJiCVCAzFG3T-8/edit?usp=sharing\n\n## License\n\n[Apache-2.0](./LICENSE)\n\n## Dependencies\n\n- [spdx-tools](https://pypi.org/project/spdx-tools/)\n used for parsing the SPDX 2 SBOM.\n- [spdx-python-model](https://pypi.org/project/spdx-python-model/)\n used for parsing the SPDX 3 SBOM.\n\n## Support\n\n- Submit issues, questions or feedback at\n <https://github.com/spdx/ntia-conformance-checker/issues>\n- Join the discussion on <https://lists.spdx.org/g/spdx-tech> and\n <https://spdx.dev/participate/tech/>\n\n## Contributing\n\nContributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md)\nfor instructions on how to contribute to the codebase.\n\n## Further help\n\nCheck out the [frequently asked questions](./FAQ.md) document.\n\n[ntia]: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom\n[ntia-spdx23]: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields\n[fsct3]: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024\n[sbom-reqs]: https://drive.google.com/file/d/14HZGYD7pSSWEmtaHZzWrzPhxCXaCnloJ/view\n[pypi]: https://pypi.org/project/ntia-conformance-checker/\n",
"bugtrack_url": null,
"license": null,
"summary": "Check SPDX SBOM for NTIA minimum elements and CISA baseline attributes",
"version": "4.0.0",
"project_urls": {
"Homepage": "https://github.com/spdx/ntia-conformance-checker"
},
"split_keywords": [
"spdx",
" sbom",
" ntia",
" cisa",
" minimum elements",
" baseline attributes",
" software bill of materials",
" bill of materials",
" common sbom",
" software package data exchange",
" software component transparency",
" supply chain security"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "246e96e0e8195db51ed1827d2d62eef6b1db1a8dd5d1f5bf5538c6268ddd3ea3",
"md5": "ab669ddb04837d54940e959014f7d8a6",
"sha256": "46e3611ff4ea8608cd577df1763b1ac273662a7d34d75bf23d89191587743946"
},
"downloads": -1,
"filename": "ntia_conformance_checker-4.0.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "ab669ddb04837d54940e959014f7d8a6",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 28050,
"upload_time": "2025-09-05T21:05:59",
"upload_time_iso_8601": "2025-09-05T21:05:59.883658Z",
"url": "https://files.pythonhosted.org/packages/24/6e/96e0e8195db51ed1827d2d62eef6b1db1a8dd5d1f5bf5538c6268ddd3ea3/ntia_conformance_checker-4.0.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "132ad166b25688e964ddbba2c919648ead7a7234cd514ef47f854037d70f3cdb",
"md5": "07a7b00575ea5e84dce0421c49b5a5d0",
"sha256": "1937d97d5995394ddce03597f337fb62821c2f23cf7ca8524bb92713972fb663"
},
"downloads": -1,
"filename": "ntia_conformance_checker-4.0.0.tar.gz",
"has_sig": false,
"md5_digest": "07a7b00575ea5e84dce0421c49b5a5d0",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 4000782,
"upload_time": "2025-09-05T21:06:01",
"upload_time_iso_8601": "2025-09-05T21:06:01.382854Z",
"url": "https://files.pythonhosted.org/packages/13/2a/d166b25688e964ddbba2c919648ead7a7234cd514ef47f854037d70f3cdb/ntia_conformance_checker-4.0.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-09-05 21:06:01",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "spdx",
"github_project": "ntia-conformance-checker",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "ntia-conformance-checker"
}
JSON
