-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Tool] Add the OSS Review Toolkit (ORT) #11
Comments
Hi @sschuberth Thank you for reporting this. ORT SBOM has been added and analyzed for a few repositories and you can find the entries on
SBOMBenchmark uses the following checks of sbomqs to evaluate SBOMs. The current set of ORT SBOM limitations seems clustered to - license and unique (CPE/PURL) identifiers. |
Thanks @surendrapathak! I'll have a look as soon as I'm back from vacation. |
While I'm not certain what exactly you mean with this, please be aware that some of the SBOM fields, like licenses, are only filled by ORT if either a) the original package metadata does declare any licenses, or b) the
However, running |
A remark on the scoring: I realized that this shows 0.0 for
What else is expected by |
This increases the score with tools like sbomqs [1]. Also see [2]. [1]: https://github.com/interlynk-io/sbomqs [2]: interlynk-io/sbombenchmark.dev#11 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Hi @sschuberth I'll check out the scan report before the end of the week and will update you with my findings. For the Creator Tool name, the implementation relies on the SPDX Creator description from the SPDX value here that implies one word with the name of the tool and version separated by '-'. There is no official schema for SPDX yet; therefore, it needed to be clarified if the identifier name can or cannot have spaces. Interlynk's implementation for this rule is here: https://github.com/interlynk-io/sbomqs/blob/main/pkg/sbom/spdx.go#L219C10-L219C10 Given, the included SBOM is validated with pyspdxtools as well, we'll take up on loosening the space rule above to make sure it can accommodate strings like 'ORT Review Toolkit'. Here is the issue # for your reference: interlynk-io/sbomqs#180 I can re-run the ORT once I am able to get the results from |
This increases the score with tools like sbomqs [1]. Also see [2]. [1]: https://github.com/interlynk-io/sbomqs [2]: interlynk-io/sbombenchmark.dev#11 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
While the SPDX sepc is not clear about this, the example [1] suggests that tool names should follow the syntax `toolidentifier-version`, and some SPDX validation tool actually rely on this [2]. To be on the safe side, and as "ort" as a (short) tool name is already well known in the community, follow the example syntax and do not use spaces in the tool / version string. [1]: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field [2]: interlynk-io/sbombenchmark.dev#11 (comment) Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Great! You may want to ensure that these PRs in ORT are merged before that, and to use the latest ORT version then: |
While the SPDX sepc is not clear about this, the example [1] suggests that tool names should follow the syntax `toolidentifier-version`, and some SPDX validation tool actually rely on this [2]. To be on the safe side, and as "ort" as a (short) tool name is already well known in the community, follow the example syntax and do not use spaces in the tool / version string. [1]: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field [2]: interlynk-io/sbombenchmark.dev#11 (comment) Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
While the SPDX spec is not clear about this, the example [1] suggests that tool names should follow the syntax `toolidentifier-version`, and some SPDX validation tools actually rely on this [2]. To be on the safe side, and as "ort" as a (short) tool name is already well known in the community, follow the example syntax and do not use spaces in the tool / version string. [1]: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field [2]: interlynk-io/sbombenchmark.dev#11 (comment) Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
While the SPDX spec is not clear about this, the example [1] suggests that tool names should follow the syntax `toolidentifier-version`, and some SPDX validation tools actually rely on this [2]. To be on the safe side, and as "ort" as a (short) tool name is already well known in the community, follow the example syntax and do not use spaces in the tool / version string. [1]: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field [2]: interlynk-io/sbombenchmark.dev#11 (comment) Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Also note that scanning might take long time, as ORT scans the full source code of all transitive dependencies over and over again by default unless you set up a shared scan result storage. So maybe it's not a good idea to set up scanning after all, but then the scoring of license entries in SBOMs needs to be adjusted so that licenses are only expected if they're actually declared in the original package metadata. Otherwise we're running into a "garbage in, garbage out" problem 😉 |
While the SPDX spec is not clear about this, the example [1] suggests that tool names should follow the syntax `toolidentifier-version`, and some SPDX validation tools actually rely on this [2]. To be on the safe side, and as "ort" as a (short) tool name is already well known in the community, follow the example syntax and do not use spaces in the tool / version string. [1]: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field [2]: interlynk-io/sbombenchmark.dev#11 (comment) Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
This increases the score with tools like sbomqs [1]. Also see [2]. [1]: https://github.com/interlynk-io/sbomqs [2]: interlynk-io/sbombenchmark.dev#11 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
This increases the score with tools like sbomqs [1]. Also see [2]. [1]: https://github.com/interlynk-io/sbomqs [2]: interlynk-io/sbombenchmark.dev#11 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Hi @sschuberth, I am just checking if you know of any issues building the ORT image on Mac. I am getting |
I'm not on a Mac, and I haven't seen this before. @mbochtler have you maybe?
Indeed we didn't modify the |
Hi @mbochtler, Any feedback on this? If the image is available elsewhere (DockerHub / GHCR), I am happy to pull and directly re-run it to review the results. Let me know. Thanks. |
It's actually not yet... |
I am still blocked for the SBBM upgrade. However, I was able to confirm that Tools parsing is looking good with manually cli/build/install/ort/bin/ort --version I'll give it another try after the long weekend. |
Thanks for confirming!
You may want to try with Dockerfile-legacy instead for the time being... |
Hi @sschuberth , The magic of killing the entire repo and rebuilding from scratch helped the docker image succeed. I was able to find these additional improvement opportunities:
|
Thank you @surendrapathak for your feedback!
Thanks a lot for pointing this out. I believe that maps to this issue in ORT.
While it's trivial to write out the supplier field per se, as you're pointing out yourselves the difficulty lies in a common understanding about what the "supplier" of an Open Source package should be. I'll bring this up in the ORT community; might be that we'd require some small model changes to address this appropriately. |
@sschuberth Happy to help. Just FYI - In the last couple of months, CISA group working on the community side of SBOM recommendations did consider the Supplier question for the Open Source. Supplier Name
|
Thank again for your input, @surendrapathak! I've captured the supplier-topic on the ORT side at oss-review-toolkit/ort#7449. As ORT has been added as a tool to your service successfully, let's close this! Thanks again. |
Tool name and link (must be open source)
OSS Review Toolkit (ORT), https://github.com/oss-review-toolkit/ort
Supported specifications
Supported target
Environment setup (if any)
Depends on the package managers to analyze; see the output of
ort requirements
.Recommended command to see version
Run
ort--version
. The version currently is the short Git SHA1 of the source code from which ORT was built. We'll switch to Semver eventually.Recommended command(s) to build SBOM
Creating an SBOM is a two stage process: First the project source code is analyzed, and then the analyzer result is converted to an SBOM via the reporter tool.
We recommend to run ORT from a built Docker image like:
The resulting CycloneDX and SPDX SBOMs will reside in the
/project/ort/reporter
directory afterwards.Additional context
Only supports SPDX 2.x JSON / YAML. CycloneDX is currently limited to 1.4.
I'm the founder and maintainer of ORT. Please let me know if you need more details to get it running.
The text was updated successfully, but these errors were encountered: