ntia_conformance_checker package

Submodules

ntia_conformance_checker.base_checker module

Base checking functionality.

class ntia_conformance_checker.base_checker.BaseChecker(file: str, validate: bool = True, compliance: str = '', sbom_spec: str = 'spdx2')[source]

Bases: ABC

Base class for all compliance/conformance checkers.

This base class contains methods for common tasks like file parsing and information extractions from the SBOM.

Any class inheriting from BaseChecker must implement its abstract methods, such as check_compliance and output_json.

MIN_ELEMENTS: List[str] = []

check_author() → bool[source]: Check if the author of SBOM data exists.

abstractmethod check_compliance() → bool[source]: Abstract method to check compliance/conformance.

check_dependency_relationships() → bool[source]: Check if the SPDX document DESCRIBES at least one package.

check_doc_version() → bool[source]: Check if the document’s specification version exists.

check_timestamp() → bool[source]: Check if the SBOM creation timestamp exists.

compliance_standard: str = ''

compliant: bool = False

components_without_concluded_licenses: List[str] = []

components_without_copyright_texts: List[str] = []

components_without_identifiers: List[str] = []

components_without_names: List[str] = []

components_without_suppliers: List[str] = []

components_without_versions: List[str] = []

dependency_relationships: bool = False

doc: Document | spdx3.SHACLObjectSet | None = None

doc_author: bool = False

doc_timestamp: bool = False

doc_version: bool = False

file: str = ''

get_components_without_concluded_licenses(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without concluded licenses.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_copyright_texts(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without copyright texts.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_identifiers() → List[str][source]

Retrieve name of components without identifiers.

Note that SPDX 3 requires identifiers for all elements, so this should not happen in a valid SPDX 3 document. spdx-python-model JSON deserializer will raise a ValueError if any element is missing an identifier.

Returns:: A list of component names.
Return type:: List[str]

get_components_without_names() → List[str][source]

Retrieve SPDX ID of components without names.

Returns:: A list of component SPDX IDs.
Return type:: List[str]

get_components_without_suppliers(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without suppliers.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_versions(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve name and/or SPDX ID of components without versions.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_doc_spec_version() → str | None[source]: Retrieve the document’s specification version.

get_sbom_name() → str[source]: Retrieve the name of the SBOM.

get_total_number_components() → int[source]

Retrieve total number of components.

Returns:: The total number of components.
Return type:: int

ntia_minimum_elements_compliant: bool = False

output_html() → str[source]

Create element-by-element result table in HTML.

Returns:: The HTML representation of the results.
Return type:: str

output_json() → Dict[str, Any][source]

Create a JSON-serializable result dict.

Subclasses may override to provide custom fields.

parse_file() → Document | None[source]

Parse SPDX 2 SBOM document.

Returns:: An SPDX 2 SBOM document if successful, otherwise None.
Return type:: Optional[Document]

parse_spdx3_file() → SHACLObjectSet | None[source]

Parse SPDX 3 SBOM document.

Returns:: An SHACLObjectSet if successful, otherwise None.
Return type:: Optional[spdx3.SHACLObjectSet]

parsing_error: List[str] = []

print_components_missing_info() → None[source]

Print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard. Subclasses may override this method to provide custom behavior.

Returns:: None

print_table_output(verbose: bool = False) → None[source]

Print element-by-element result table.

Parameters:: verbose (bool) – If True, print detailed information.
Returns:: None

sbom_name: str = ''

sbom_spec: str = ''

validation_messages: List[ValidationMessage] = []

ntia_conformance_checker.cli_utils module

Utilities for CLI.

ntia_conformance_checker.cli_utils.get_parsed_args() → Namespace[source]: Parse command line arguments.

ntia_conformance_checker.cli_utils.get_sbom_spec(file: str, sbom_spec: str) → str[source]: Detect SBOM specification from file content.

ntia_conformance_checker.cli_utils.get_spdx_version(file: str, sbom_spec: str = 'spdx2') → Tuple[int, int] | None[source]

Detect the SPDX version of the SBOM file.

XLS file format is not supported.

Parameters:

file (str) – The name of the file to be checked.
sbom_spec (str) – The SBOM specification hint, the function will try to use the appropriate parser first.

Returns:

The SPDX major.minor version of the SBOM.: E.g. (2, 3) for version 2.3.

Return type:

Tuple[int, int]

ntia_conformance_checker.cli_utils.print_output(sbom: BaseChecker, *, output_type: str, output_file: str, verbose: bool) → None[source]: Print or save the output report.

ntia_conformance_checker.constants module

Constants.

ntia_conformance_checker.fsct_checker module

FSCT Common BOM checking functionality.

class ntia_conformance_checker.fsct_checker.FSCT3Checker(file: str, validate: bool = True, compliance: str = 'fsct3-min', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

FSCTv3 checker.

A set of Baseline Attributes is defined in Section 2.2 of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) Third Edition.

There are three maturity levels (Minimum Expected, Recommended Practice, and Aspirational Goal) for content provided in Attribute entries.

This checker currently only checks for Minimum Expected maturity level.

See:: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024

MIN_ELEMENTS: List[str] = ['name', 'version', 'identifier', 'supplier', 'concluded_license', 'copyright_text']

check_compliance() → bool[source]: Check overall compliance with FSCTv3 Minimum Expected

ntia_conformance_checker.main module

Entrypoint for CLI.

ntia_conformance_checker.main.main() → None[source]: Entrypoint for CLI application.

ntia_conformance_checker.ntia_checker module

NTIA Minimum Elements checking functionality.

class ntia_conformance_checker.ntia_checker.NTIAChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

NTIA Minimum Elements check.

See:: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom

MIN_ELEMENTS: List[str] = ['name', 'version', 'identifier', 'supplier']

check_compliance() → bool[source]: Check overall compliance with NTIA minimum elements.

check_ntia_minimum_elements_compliance() → bool[source]

Check overall compliance with NTIA minimum elements.

This method is kept for backward compatibility. Please consider using check_compliance() instead.

ntia_conformance_checker.report module

Report generation functionality.

Some of the code here was originally in the BaseChecker class.

class ntia_conformance_checker.report.ReportContext(sbom_spec: str = '', compliance_standard: str = '', compliant: bool = False, requirement_results: List[Tuple[str, bool]] | None = None, components_without_info: List[Tuple[str, List[str]]] | None = None, validation_messages: List[ValidationMessage] | None = None, parsing_error: List[str] | None = None)[source]

Bases: object

Context for generating conformance reports.

compliance_standard: str = ''

compliant: bool = False

components_without_info: List[Tuple[str, List[str]]] | None = None

parsing_error: List[str] | None = None

requirement_results: List[Tuple[str, bool]] | None = None

sbom_spec: str = ''

validation_messages: List[ValidationMessage] | None = None

ntia_conformance_checker.report.get_validation_messages_html(validation_messages: List[ValidationMessage], verbose: bool = False) → str[source]

Generates HTML for validation messages and context details.

Parameters:

validation_messages (List[ValidationMessage]) – List of validation messages.
verbose (bool) – If True, include detailed validation context.

Returns:

HTML representation of the validation messages.

Return type:

str

ntia_conformance_checker.report.get_validation_messages_json(validation_messages: List[ValidationMessage]) → List[Dict[str, str]][source]

Generates JSON-serializable list for validation messages and context details.

Parameters:: validation_messages (List[ValidationMessage]) – List of validation messages.
Returns:: JSON-serializable representation of the validation messages.
Return type:: List[Dict[str, str]]

ntia_conformance_checker.report.get_validation_messages_text(validation_messages: List[ValidationMessage], verbose: bool = False) → str[source]

Generates validation messages and optional context details.

Parameters:

validation_messages (List[ValidationMessage]) – List of validation messages.
verbose (bool) – If True, include detailed validation context.

Returns:

Plain-text representation of the validation messages.

Return type:

str

ntia_conformance_checker.report.print_validation_messages(validation_messages: List[ValidationMessage], verbose: bool = False) → None[source]

Prints validation messages and optional context details.

Parameters:

validation_messages (List[ValidationMessage]) – List of validation messages.
verbose (bool) – If True, include detailed validation context.

Returns:

None

ntia_conformance_checker.report.report_html(rc: ReportContext, verbose: bool = False) → str[source]

Generates element-by-element result table in HTML.

Parameters:

rc (ReportContext) – Information for generating the report.
verbose (bool) – If True, include detailed validation messages.

Returns:

HTML representation of the results.

Return type:

str

ntia_conformance_checker.report.report_text(rc: ReportContext, verbose: bool = False) → str[source]

Generates element-by-element result table in plain-text.

Parameters:

rc (ReportContext) – Information for generating the report.
verbose (bool) – If True, include detailed validation messages.

Returns:

Plain-text representation of the results.

Return type:

str

ntia_conformance_checker.sbom_checker module

Main checking functionality.

final class ntia_conformance_checker.sbom_checker.SbomChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

SBOM checker factory - do not subclass this class.

Subclass BaseChecker instead to implement a new compliance checker.

Post-v3.0.2, SbomChecker acts like a factory that returns a subclass of BaseChecker based on the given “compliance” argument during instantiation.

Currently there are two compliance standards available:

“ntia” (default), returns an instance of NTIAChecker - NTIAChecker has the same behavior as the original SbomChecker
“fsct3-min”, returns an instance of FSCT3Checker - FSCT3Checker is a checker for FSCT 3rd Edition Baseline Attributes

If “compliance” is not recognized, SbomChecker raises a ValueError.

check_compliance() → bool[source]: Abstract method to check compliance/conformance.

ntia_conformance_checker.spdx3_utils module

Helpers for SPDX 3.

ntia_conformance_checker.spdx3_utils.get_all_packages(object_set: SHACLObjectSet) → Set[software_Package][source]: Retrieve all /Software/Package objects from an SHACLObjectSet.

ntia_conformance_checker.spdx3_utils.get_boms_from_spdx_document(spdx_doc: SpdxDocument | None) → List[Bom] | None[source]

Retrieve the BOMs that are rootElements of an SPDX 3 SpdxDocument.

Parameters:: spdx_doc (spdx3.SpdxDocument) – The SPDX 3 SpdxDocument.
Returns:: The Boms if found, otherwise None.
Return type:: Optional[List[spdx3.Bom]]

ntia_conformance_checker.spdx3_utils.get_packages_from_bom(bom: Bom | None) → List[software_Package] | None[source]

Retrieve the /Software/Packages that are rootElements of an SPDX 3 BOM.

Parameters:: spdx_doc (spdx3.Bom) – The SPDX 3 Bom.
Returns:: The packages if found, otherwise None.
Return type:: Optional[List[spdx3.software_Package]]

ntia_conformance_checker.spdx3_utils.iter_objects_with_property(object_set: ~spdx_python_model.bindings.v3_0_1.SHACLObjectSet, typ: ~typing.Type[~spdx_python_model.bindings.v3_0_1.SHACLObject] = <class 'spdx_python_model.bindings.v3_0_1.Artifact'>, property_name: str = 'spdxId') → Iterator[Tuple[str, str, Any]][source]

Yield (name, spdxId, property) for each SPDX 3 object.

Parameters:

object_set (spdx3.SHACLObjectSet) – The SHACLObjectSet to iterate over.
typ (Type[spdx3.SHACLObject]) – The type of SPDX3 object
property_name (str) – The property name to retrieve.

Yields:

Iterator[Tuple[str, str, Any]] – A tuple containing the name, SPDX ID, and the specified property of the object.

ntia_conformance_checker.spdx3_utils.iter_relationships_by_type(object_set: SHACLObjectSet, rel_type: str) → Iterator[Tuple[str, str]][source]: Yield (from_id, to_id) for each relationship of the specified relationship type.

ntia_conformance_checker.spdx3_utils.validate_spdx3_data(object_set: SHACLObjectSet) → Tuple[SpdxDocument | None, List[ValidationMessage]][source]

Validate an SHACLObjectSet if it contains a valid SpdxDocument.

The SPDX 3.0 specification states that “Any instance of serialization of SPDX data MUST NOT contain more than one SpdxDocument element definition.”

See: https://spdx.github.io/spdx-spec/v3.0/model/Core/Classes/SpdxDocument/

For the purpose of BOM/SBOM application, it also requires that the SpdxDocument should have a Bom or Software/Sbom as its rootElement.

See: https://github.com/spdx/ntia-conformance-checker/issues/268

Parameters:: object_set (spdx3.SHACLObjectSet) – The SHACLObjectSet containing the SPDX 3 document.
Returns:: An SpdxDocument if found, otherwise None. List[ValidationMessage]: A list of validation messages. Empty if no errors.
Return type:: Optional[spdx3.SpdxDocument]

Module contents

Export functions for usage as library.

class ntia_conformance_checker.BaseChecker(file: str, validate: bool = True, compliance: str = '', sbom_spec: str = 'spdx2')[source]

Bases: ABC

Base class for all compliance/conformance checkers.

This base class contains methods for common tasks like file parsing and information extractions from the SBOM.

Any class inheriting from BaseChecker must implement its abstract methods, such as check_compliance and output_json.

MIN_ELEMENTS: List[str] = []

all_components_without_info: List[Tuple[str, List[str]]]

check_author() → bool[source]: Check if the author of SBOM data exists.

abstractmethod check_compliance() → bool[source]: Abstract method to check compliance/conformance.

check_dependency_relationships() → bool[source]: Check if the SPDX document DESCRIBES at least one package.

check_doc_version() → bool[source]: Check if the document’s specification version exists.

check_timestamp() → bool[source]: Check if the SBOM creation timestamp exists.

compliance_standard: str = ''

compliant: bool = False

components_without_concluded_licenses: List[str] = []

components_without_copyright_texts: List[str] = []

components_without_identifiers: List[str] = []

components_without_names: List[str] = []

components_without_suppliers: List[str] = []

components_without_versions: List[str] = []

dependency_relationships: bool = False

doc: Document | spdx3.SHACLObjectSet | None = None

doc_author: bool = False

doc_timestamp: bool = False

doc_version: bool = False

file: str = ''

get_components_without_concluded_licenses(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without concluded licenses.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_copyright_texts(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without copyright texts.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_identifiers() → List[str][source]

Retrieve name of components without identifiers.

Note that SPDX 3 requires identifiers for all elements, so this should not happen in a valid SPDX 3 document. spdx-python-model JSON deserializer will raise a ValueError if any element is missing an identifier.

Returns:: A list of component names.
Return type:: List[str]

get_components_without_names() → List[str][source]

Retrieve SPDX ID of components without names.

Returns:: A list of component SPDX IDs.
Return type:: List[str]

get_components_without_suppliers(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without suppliers.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_versions(return_tuples: bool = False) → List[str] | List[Tuple[str, str]][source]

Retrieve name and/or SPDX ID of components without versions.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_doc_spec_version() → str | None[source]: Retrieve the document’s specification version.

get_sbom_name() → str[source]: Retrieve the name of the SBOM.

get_total_number_components() → int[source]

Retrieve total number of components.

Returns:: The total number of components.
Return type:: int

ntia_minimum_elements_compliant: bool = False

output_html() → str[source]

Create element-by-element result table in HTML.

Returns:: The HTML representation of the results.
Return type:: str

output_json() → Dict[str, Any][source]

Create a JSON-serializable result dict.

Subclasses may override to provide custom fields.

parse_file() → Document | None[source]

Parse SPDX 2 SBOM document.

Returns:: An SPDX 2 SBOM document if successful, otherwise None.
Return type:: Optional[Document]

parse_spdx3_file() → SHACLObjectSet | None[source]

Parse SPDX 3 SBOM document.

Returns:: An SHACLObjectSet if successful, otherwise None.
Return type:: Optional[spdx3.SHACLObjectSet]

parsing_error: List[str] = []

print_components_missing_info() → None[source]

Print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard. Subclasses may override this method to provide custom behavior.

Returns:: None

print_table_output(verbose: bool = False) → None[source]

Print element-by-element result table.

Parameters:: verbose (bool) – If True, print detailed information.
Returns:: None

sbom_name: str = ''

sbom_spec: str = ''

table_elements: List[Tuple[str, bool]]

validation_messages: List[ValidationMessage] = []

class ntia_conformance_checker.FSCT3Checker(file: str, validate: bool = True, compliance: str = 'fsct3-min', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

FSCTv3 checker.

A set of Baseline Attributes is defined in Section 2.2 of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) Third Edition.

There are three maturity levels (Minimum Expected, Recommended Practice, and Aspirational Goal) for content provided in Attribute entries.

This checker currently only checks for Minimum Expected maturity level.

See:: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024

MIN_ELEMENTS: List[str] = ['name', 'version', 'identifier', 'supplier', 'concluded_license', 'copyright_text']

all_components_without_info: List[Tuple[str, List[str]]]

check_compliance() → bool[source]: Check overall compliance with FSCTv3 Minimum Expected

table_elements: List[Tuple[str, bool]]

class ntia_conformance_checker.NTIAChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

NTIA Minimum Elements check.

See:: https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom

MIN_ELEMENTS: List[str] = ['name', 'version', 'identifier', 'supplier']

all_components_without_info: List[Tuple[str, List[str]]]

check_compliance() → bool[source]: Check overall compliance with NTIA minimum elements.

check_ntia_minimum_elements_compliance() → bool[source]

Check overall compliance with NTIA minimum elements.

This method is kept for backward compatibility. Please consider using check_compliance() instead.

table_elements: List[Tuple[str, bool]]

class ntia_conformance_checker.SbomChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]

Bases: BaseChecker

SBOM checker factory - do not subclass this class.

Subclass BaseChecker instead to implement a new compliance checker.

Post-v3.0.2, SbomChecker acts like a factory that returns a subclass of BaseChecker based on the given “compliance” argument during instantiation.

Currently there are two compliance standards available:

“ntia” (default), returns an instance of NTIAChecker - NTIAChecker has the same behavior as the original SbomChecker
“fsct3-min”, returns an instance of FSCT3Checker - FSCT3Checker is a checker for FSCT 3rd Edition Baseline Attributes

If “compliance” is not recognized, SbomChecker raises a ValueError.

check_compliance() → bool[source]: Abstract method to check compliance/conformance.