ntia_conformance_checker package
Submodules
ntia_conformance_checker.base_checker module
Base checking functionality.
- class ntia_conformance_checker.base_checker.BaseChecker(file: str, validate: bool = True, compliance: str = '', sbom_spec: str = 'spdx2')[source]
Bases:
ABC
Base class for all compliance/conformance checkers.
This base class contains methods for common tasks such as file parsing and information extraction from the SBOM.
Any class inheriting from BaseChecker must implement its abstract methods, such as check_compliance and output_json.
- check_dependency_relationships() bool [source]
Check if the SPDX document DESCRIBES at least one package.
- compliance_standard: str = ''
- compliant: bool = False
- components_without_concluded_licenses: List[str] = []
- components_without_copyright_texts: List[str] = []
- components_without_identifiers: List[str] = []
- components_without_names: List[str] = []
- components_without_suppliers: List[str] = []
- components_without_versions: List[str] = []
- dependency_relationships: bool = False
- doc: Document | SHACLObjectSet | None = None
- doc_author: bool = False
- doc_timestamp: bool = False
- doc_version: bool = False
- file: str = ''
- get_components_without_concluded_licenses(return_tuples: bool = False) List[str] | List[Tuple[str, str]] [source]
Retrieve names and/or SPDX IDs of components without concluded licenses.
- Parameters:
return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
- Returns:
A list of component names or a list of tuples with component names and SPDX IDs.
- Return type:
Union[List[str], List[Tuple[str, str]]]
- get_components_without_copyright_texts(return_tuples: bool = False) List[str] | List[Tuple[str, str]] [source]
Retrieve names and/or SPDX IDs of components without copyright texts.
- Parameters:
return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
- Returns:
A list of component names or a list of tuples with component names and SPDX IDs.
- Return type:
Union[List[str], List[Tuple[str, str]]]
- get_components_without_identifiers() List[str] [source]
Retrieve names of components without identifiers.
Note that SPDX 3 requires identifiers for all elements, so this should not happen in a valid SPDX 3 document. The spdx-python-model JSON deserializer will raise a ValueError if any element is missing an identifier.
- Returns:
A list of component names.
- Return type:
List[str]
- get_components_without_names() List[str] [source]
Retrieve SPDX IDs of components without names.
- Returns:
A list of component SPDX IDs.
- Return type:
List[str]
- get_components_without_suppliers(return_tuples: bool = False) List[str] | List[Tuple[str, str]] [source]
Retrieve names and/or SPDX IDs of components without suppliers.
- Parameters:
return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
- Returns:
A list of component names or a list of tuples with component names and SPDX IDs.
- Return type:
Union[List[str], List[Tuple[str, str]]]
- get_components_without_versions(return_tuples: bool = False) List[str] | List[Tuple[str, str]] [source]
Retrieve names and/or SPDX IDs of components without versions.
- Parameters:
return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
- Returns:
A list of component names or a list of tuples with component names and SPDX IDs.
- Return type:
Union[List[str], List[Tuple[str, str]]]
- get_total_number_components() int [source]
Retrieve total number of components.
- Returns:
The total number of components.
- Return type:
int
- ntia_minimum_elements_compliant: bool = False
- output_html(table_elements: List[Tuple[str, bool]] | None = None) str [source]
Create element-by-element result table in HTML.
- Parameters:
table_elements (Optional[List[Tuple[str, bool]]]) – A list of tuples where each tuple contains a label and a boolean value indicating the status of that element.
- Returns:
The HTML representation of the results.
- Return type:
str
- output_json() Dict[str, Any] [source]
Create a JSON-serializable result dict.
Subclasses may override to provide custom fields.
- parse_file() Document | None [source]
Parse SPDX 2 SBOM document.
- Returns:
An SPDX 2 SBOM document if successful, otherwise None.
- Return type:
Optional[Document]
- parse_spdx3_file() SHACLObjectSet | None [source]
Parse SPDX 3 SBOM document.
- Returns:
An SHACLObjectSet if successful, otherwise None.
- Return type:
Optional[spdx3.SHACLObjectSet]
- parsing_error: List[str] = []
- print_components_missing_info(attributes: List[str] | None = None) None [source]
Print information about components that are missing required details.
What is considered “missing” is determined by a compliance standard. Subclasses may override this method to provide custom behavior.
- Parameters:
attributes (Optional[List[str]]) – A list of attributes to check for missing information. If not specified, all available attributes will be checked.
- Returns:
None
- print_table_output(verbose: bool = False, table_elements: List[Tuple[str, bool]] | None = None) None [source]
Print element-by-element result table.
- Parameters:
verbose (bool) – If True, print detailed information.
table_elements (Optional[List[Tuple[str, bool]]]) – A list of tuples where each tuple contains a label and a boolean value indicating the status of that element.
- Returns:
None
- sbom_name: str = ''
- sbom_spec: str = ''
- validation_messages: List[ValidationMessage] = []
ntia_conformance_checker.cli_utils module
Utilities for CLI.
- ntia_conformance_checker.cli_utils.get_parsed_args() Namespace [source]
Parse command line arguments.
- ntia_conformance_checker.cli_utils.get_sbom_spec(file: str, sbom_spec: str) str [source]
Detect SBOM specification from file content.
- ntia_conformance_checker.cli_utils.get_spdx_version(file: str, sbom_spec: str = 'spdx2') Tuple[int, int] | None [source]
Detect the SPDX version of the SBOM file.
The XLS file format is not supported.
- Parameters:
file (str) – The name of the file to be checked.
sbom_spec (str) – The SBOM specification hint; the function tries the parser for that specification first.
- Returns:
The SPDX (major, minor) version of the SBOM, e.g. (2, 3) for version 2.3.
- Return type:
Tuple[int, int]
- ntia_conformance_checker.cli_utils.print_output(sbom: BaseChecker, *, output_type: str, output_file: str, verbose: bool) None [source]
Print or save the output report.
ntia_conformance_checker.constants module
Constants.
ntia_conformance_checker.fsct_checker module
FSCT Common BOM checking functionality.
- class ntia_conformance_checker.fsct_checker.FSCT3Checker(file: str, validate: bool = True, compliance: str = 'fsct3-min', sbom_spec: str = 'spdx2')[source]
Bases:
BaseChecker
FSCTv3 checker.
A set of Baseline Attributes is defined in Section 2.2 of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) Third Edition.
There are three maturity levels (Minimum Expected, Recommended Practice, and Aspirational Goal) for content provided in Attribute entries.
This checker currently only checks for Minimum Expected maturity level.
ntia_conformance_checker.main module
Entrypoint for CLI.
ntia_conformance_checker.ntia_checker module
NTIA Minimum Elements checking functionality.
- class ntia_conformance_checker.ntia_checker.NTIAChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]
Bases:
BaseChecker
NTIA Minimum Elements check.
- check_ntia_minimum_elements_compliance() bool [source]
Check overall compliance with NTIA minimum elements.
This method is kept for backward compatibility. Please consider using check_compliance() instead.
ntia_conformance_checker.report module
Report generation functionality.
ntia_conformance_checker.sbom_checker module
Main checking functionality.
- final class ntia_conformance_checker.sbom_checker.SbomChecker(file: str, validate: bool = True, compliance: str = 'ntia', sbom_spec: str = 'spdx2')[source]
Bases:
BaseChecker
SBOM checker factory - do not subclass this class.
Subclass BaseChecker instead to implement a new compliance checker.
Post-v3.0.2, SbomChecker acts like a factory that returns a subclass of BaseChecker based on the given “compliance” argument during instantiation.
Currently there are two compliance standards available:
- “ntia” (default): returns an instance of NTIAChecker. NTIAChecker has the same behavior as the original SbomChecker.
- “fsct3-min”: returns an instance of FSCT3Checker. FSCT3Checker is a checker for FSCT 3rd Edition Baseline Attributes.
If “compliance” is not recognized, SbomChecker raises a ValueError.
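The NTIA Minimum Elements checks that NTIAChecker runs and that the BaseChecker attributes above record (document version, author and timestamp, the DESCRIBES relationship, and per-component name, identifier, version and supplier), as an added stand-alone example that re-implements them over a constructed SPDX 2.3 JSON document. This is not the project's own code (with the library installed the equivalent entry point is SbomChecker(file, compliance='ntia')); the sample SBOM, its package names and SPDX IDs are constructed, and treating any non-empty creators list as an author is this example's assumption, not the project's rule.

```python
import json
from typing import Any, Dict, List, Tuple


def sample_sbom(complete: bool) -> str:
    """Constructed SPDX 2.3 JSON SBOM (sample input, not a real product).
    With complete=False the second package lacks a supplier and a version."""
    libfoo = {"SPDXID": "SPDXRef-libfoo", "name": "libfoo"}
    if complete:
        libfoo.update({"versionInfo": "0.9.1", "supplier": "Organization: Foo Project"})
    return json.dumps({
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-app-sbom",
        "creationInfo": {"created": "2024-05-01T12:00:00Z",
                         "creators": ["Tool: example-generator-1.0", "Organization: Example Corp"]},
        "packages": [
            {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.2",
             "supplier": "Organization: Example Corp"},
            libfoo,
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-app"},
            {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": "SPDXRef-libfoo"},
        ],
    })


def _missing(packages: List[Dict[str, Any]], field: str) -> List[Tuple[str, str]]:
    """(name, SPDXID) of every package whose `field` is absent or empty."""
    return [(p.get("name", ""), p.get("SPDXID", "")) for p in packages if not p.get(field)]


def check_ntia_minimum_elements(sbom_json: str) -> Dict[str, Any]:
    """Populate the same findings BaseChecker exposes as attributes (stand-in logic)."""
    doc = json.loads(sbom_json)
    info = doc.get("creationInfo", {})
    packages = doc.get("packages", [])
    pkg_ids = {p.get("SPDXID") for p in packages}
    # check_dependency_relationships: the document must DESCRIBES a package it contains
    describes = any(r.get("relationshipType") == "DESCRIBES"
                    and r.get("spdxElementId") == doc.get("SPDXID")
                    and r.get("relatedSpdxElement") in pkg_ids
                    for r in doc.get("relationships", []))
    result: Dict[str, Any] = {
        "doc_version": bool(doc.get("spdxVersion")),
        "doc_author": bool(info.get("creators")),  # assumption: any creator counts as author
        "doc_timestamp": bool(info.get("created")),
        "dependency_relationships": describes,
        "components_without_names": [p.get("SPDXID", "") for p in packages if not p.get("name")],
        "components_without_identifiers": [p.get("name", "") for p in packages if not p.get("SPDXID")],
        "components_without_versions": _missing(packages, "versionInfo"),
        "components_without_suppliers": _missing(packages, "supplier"),
        "total_number_components": len(packages),
    }
    # Compliant only if every document-level element is present and no component has gaps.
    doc_ok = all(result[k] for k in ("doc_version", "doc_author", "doc_timestamp", "dependency_relationships"))
    gaps = [k for k in result if k.startswith("components_without_") and result[k]]
    result["compliant"] = doc_ok and not gaps
    return result
```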
ntia_conformance_checker.spdx3_utils module
Helpers for SPDX 3.
- ntia_conformance_checker.spdx3_utils.get_all_packages(object_set: SHACLObjectSet) Set[software_Package] [source]
Retrieve all /Software/Package objects from an SHACLObjectSet.
- ntia_conformance_checker.spdx3_utils.get_boms_from_spdx_document(spdx_doc: SpdxDocument | None) List[Bom] | None [source]
Retrieve the BOMs that are rootElements of an SPDX 3 SpdxDocument.
- Parameters:
spdx_doc (spdx3.SpdxDocument) – The SPDX 3 SpdxDocument.
- Returns:
The Boms if found, otherwise None.
- Return type:
Optional[List[spdx3.Bom]]
- ntia_conformance_checker.spdx3_utils.get_packages_from_bom(bom: Bom | None) List[software_Package] | None [source]
Retrieve the /Software/Packages that are rootElements of an SPDX 3 BOM.
- Parameters:
bom (spdx3.Bom) – The SPDX 3 Bom.
- Returns:
The packages if found, otherwise None.
- Return type:
Optional[List[spdx3.software_Package]]
- ntia_conformance_checker.spdx3_utils.iter_objects_with_property(object_set: SHACLObjectSet, typ: Type[SHACLObject] = Artifact, property_name: str = 'spdxId') Iterator[Tuple[str, str, Any]] [source]
Yield (name, spdxId, property) for each SPDX 3 object.
- Parameters:
object_set (spdx3.SHACLObjectSet) – The SHACLObjectSet to iterate over.
typ (Type[spdx3.SHACLObject]) – The type of SPDX 3 object to iterate over.
property_name (str) – The property name to retrieve.
- Yields:
Iterator[Tuple[str, str, Any]] – A tuple containing the name, SPDX ID, and the specified property of the object.
- ntia_conformance_checker.spdx3_utils.iter_relationships_by_type(object_set: SHACLObjectSet, rel_type: str) Iterator[Tuple[str, str]] [source]
Yield (from_id, to_id) for each relationship of the specified relationship type.
- ntia_conformance_checker.spdx3_utils.validate_spdx3_data(object_set: SHACLObjectSet) Tuple[SpdxDocument | None, List[ValidationMessage]] [source]
Validate that a SHACLObjectSet contains a valid SpdxDocument.
The SPDX 3.0 specification states that “Any instance of serialization of SPDX data MUST NOT contain more than one SpdxDocument element definition.”
See: https://spdx.github.io/spdx-spec/v3.0/model/Core/Classes/SpdxDocument/
For the purpose of BOM/SBOM application, it also requires that the SpdxDocument should have a Bom or Software/Sbom as its rootElement.
See: https://github.com/spdx/ntia-conformance-checker/issues/268
- Parameters:
object_set (spdx3.SHACLObjectSet) – The SHACLObjectSet containing the SPDX 3 document.
- Returns:
A tuple of the SpdxDocument if found (otherwise None) and a list of validation messages (empty if no errors).
- Return type:
Tuple[Optional[spdx3.SpdxDocument], List[ValidationMessage]]
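The two rules validate_spdx3_data enforces (exactly one SpdxDocument per serialization, and a Bom or Software/Sbom among its rootElements), together with the root-package lookup of get_packages_from_bom, as an added example run over a constructed SPDX 3 JSON-LD graph. This is stand-in logic written for this page, not the project's code: it works on the raw JSON-LD rather than a SHACLObjectSet, and the spdxId URIs under example.invalid are placeholders.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# rootElement types accepted for BOM/SBOM use (Core Bom and Software/Sbom)
BOM_TYPES = {"Bom", "software_Sbom"}


def sample_spdx3_graph(extra_document: bool = False, root_type: str = "software_Sbom") -> str:
    """Constructed SPDX 3.0.1 JSON-LD graph (sample input). extra_document=True adds a
    second SpdxDocument; root_type controls what the document's rootElement points to."""
    graph = [
        {"type": "SpdxDocument", "spdxId": "https://example.invalid/doc1", "name": "doc1",
         "rootElement": ["https://example.invalid/root1"]},
        {"type": root_type, "spdxId": "https://example.invalid/root1", "name": "root1",
         "rootElement": ["https://example.invalid/pkg1"]},
        {"type": "software_Package", "spdxId": "https://example.invalid/pkg1", "name": "example-app"},
    ]
    if extra_document:
        graph.append({"type": "SpdxDocument", "spdxId": "https://example.invalid/doc2",
                      "name": "doc2", "rootElement": ["https://example.invalid/root1"]})
    return json.dumps({"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", "@graph": graph})


def _objects(jsonld: str) -> Dict[str, Dict[str, Any]]:
    """Index every element of the graph by its spdxId."""
    return {o["spdxId"]: o for o in json.loads(jsonld).get("@graph", []) if "spdxId" in o}


def validate_spdx3_graph(jsonld: str) -> Tuple[Optional[Dict[str, Any]], List[str]]:
    """Return (SpdxDocument or None, messages), following the contract of validate_spdx3_data."""
    objects = _objects(jsonld)
    messages: List[str] = []
    docs = [o for o in objects.values() if o.get("type") == "SpdxDocument"]
    # Spec rule: a serialization MUST NOT contain more than one SpdxDocument; none is unusable too.
    if len(docs) != 1:
        messages.append(f"expected exactly one SpdxDocument, found {len(docs)}")
        return None, messages
    doc = docs[0]
    roots = [objects.get(ref) for ref in doc.get("rootElement", [])]
    if not any(r and r.get("type") in BOM_TYPES for r in roots):
        messages.append("SpdxDocument has no Bom or software_Sbom rootElement")
    return doc, messages


def packages_from_bom(jsonld: str, bom_id: str) -> Optional[List[str]]:
    """Names of the software_Package rootElements of a Bom, or None if none are found."""
    objects = _objects(jsonld)
    bom = objects.get(bom_id)
    if not bom or bom.get("type") not in BOM_TYPES:
        return None
    names = [objects[ref]["name"] for ref in bom.get("rootElement", [])
             if ref in objects and objects[ref].get("type") == "software_Package"]
    return names or None
```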
Module contents
Export functions for usage as library.