ntia_conformance_checker package

Submodules

ntia_conformance_checker.base_checker module

Base checking functionality.

class ntia_conformance_checker.base_checker.BaseChecker(file, validate=True, compliance='')[source]

Bases: ABC

Base class for all compliance checkers.

This base class contains methods for common tasks like file loading and parsing.

Any class inheriting from BaseChecker must implement its abstract methods, such as check_compliance and output_json.

abstract check_compliance() → bool[source]: Abstract method to check compliance.

abstract check_dependency_relationships() → bool[source]: Abstract method to check dependency relationship requirements.

abstract check_doc_version() → bool[source]: Abstract method to check SBOM document version.

compliance_standard: str = ''

compliant: bool = False

components_without_concluded_licenses: List[str] = []

components_without_copyright_texts: List[str] = []

components_without_identifiers: List[str] = []

components_without_names: List[str] = []

components_without_suppliers: List[str] = []

components_without_versions: List[str] = []

dependency_relationships: bool = False

doc: Document | None = None

doc_author: bool = False

doc_timestamp: bool = False

doc_version: bool = False

file: str = ''

get_components_without_concluded_licenses(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without concluded licenses.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_copyright_texts(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without copyright texts.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_identifiers() → list[str][source]

Retrieve name of components without identifiers.

Returns:: A list of component names that do not have identifiers.
Return type:: List[str]

get_components_without_names() → list[str][source]

Retrieve SPDX ID of components without names.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_suppliers(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without suppliers.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_versions(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve name and/or SPDX ID of components without versions.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_total_number_components() → int[source]

Retrieve total number of components.

Returns:: The total number of components.
Return type:: int

ntia_minimum_elements_compliant: bool = False

abstract output_html() → str[source]: Abstract method to create a result in HTML format.

abstract output_json() → Dict[str, Any][source]: Abstract method to create a dict of results for outputting to JSON.

parse_file() → Document | None[source]

Parse SBOM document.

Returns:: The parsed SBOM document if successful, otherwise None.
Return type:: Optional[Document]

parsing_error: List[str] = []

abstract print_components_missing_info() → None[source]

Abstract method to print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard and the method that implements this abstract method.

Returns:: None

abstract print_table_output() → None[source]

Abstract method to print element-by-element result table.

Returns:: None

sbom_name: str = ''

validation_messages: List[str] | None = None

ntia_conformance_checker.fsct_checker module

FSCT Common BOM checking functionality.

class ntia_conformance_checker.fsct_checker.FSCT3Checker(file, validate=True, compliance='fsct3-min')[source]

Bases: BaseChecker

FSCT Common SBOM Third Edition checker.

A set of Baseline Attributes is defined in Section 2.2 of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) Third Edition.

There are three maturity levels (Minimum Expected, Recommended Practice, and Aspirational Goal) for content provided in Attribute entries.

See: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024

check_compliance()[source]: Check overall compliance with FSCTv3 Minimum Expected

check_dependency_relationships()[source]: Check that the document DESCRIBES at least one package.

check_doc_version()[source]: Check for SPDX document version.

output_html()[source]: Create a HTML of results.

output_json()[source]: Create a dict of results for outputting to JSON.

print_components_missing_info()[source]: Print detailed info about which components are missing info.

print_table_output()[source]: Print element-by-element result table.

ntia_conformance_checker.main module

Entrypoint for CLI.

ntia_conformance_checker.main.get_parsed_args()[source]: Parse command line arguments

ntia_conformance_checker.main.main()[source]: Entrypoint for CLI application.

ntia_conformance_checker.ntia_checker module

NTIA minimum elements checking functionality.

class ntia_conformance_checker.ntia_checker.NTIAChecker(file, validate=True, compliance='ntia')[source]

Bases: BaseChecker

NTIA Minimum Elements check.

check_compliance()[source]: Check overall compliance with NTIA minimum elements.

check_dependency_relationships()[source]: Check that the document DESCRIBES at least one package.

check_doc_version()[source]: Check for SPDX document version.

check_ntia_minimum_elements_compliance()[source]

Check overall compliance with NTIA minimum elements.

This method is kept for backward compatibility. Please consider using check_compliance() instead.

output_html()[source]: Create a HTML of results.

output_json()[source]: Create a dict of results for outputting to JSON.

print_components_missing_info()[source]: Print detailed info about which components are missing info.

print_table_output()[source]: Print element-by-element result table.

ntia_conformance_checker.sbom_checker module

Main checking functionality.

class ntia_conformance_checker.sbom_checker.SbomChecker(file, validate=True, compliance='ntia')[source]

Bases: BaseChecker

SBOM checker factory.

Post-v3.0.2, SbomChecker acts like a factory that returns a subclass of BaseChecker based on the given “compliance” argument during instantiation.

Currently there are two compliance standards available:

“ntia” (default), returns an instance of NTIAChecker - NTIAChecker has the same behavior as the original SbomChecker
“fsct3-min”, returns an instance of FSCT3Checker - FSCT3Checker is a new checker for FSCT 3rd Edition Baseline Attributes

If “compliance” is not recognized, SbomChecker raises a ValueError.

check_compliance() → bool[source]: Abstract method to check compliance.

check_dependency_relationships() → bool[source]: Abstract method to check dependency relationship requirements.

check_doc_version() → bool[source]: Abstract method to check SBOM document version.

output_html() → str[source]: Abstract method to create a result in HTML format.

output_json() → dict[source]: Abstract method to create a dict of results for outputting to JSON.

print_components_missing_info() → None[source]

Abstract method to print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard and the method that implements this abstract method.

Returns:: None

print_table_output() → None[source]

Abstract method to print element-by-element result table.

Returns:: None

Module contents

Export functions for usage as library.

class ntia_conformance_checker.BaseChecker(file, validate=True, compliance='')[source]

Bases: ABC

Base class for all compliance checkers.

This base class contains methods for common tasks like file loading and parsing.

Any class inheriting from BaseChecker must implement its abstract methods, such as check_compliance and output_json.

abstract check_compliance() → bool[source]: Abstract method to check compliance.

abstract check_dependency_relationships() → bool[source]: Abstract method to check dependency relationship requirements.

abstract check_doc_version() → bool[source]: Abstract method to check SBOM document version.

compliance_standard: str = ''

compliant: bool = False

components_without_concluded_licenses: List[str] = []

components_without_copyright_texts: List[str] = []

components_without_identifiers: List[str] = []

components_without_names: List[str] = []

components_without_suppliers: List[str] = []

components_without_versions: List[str] = []

dependency_relationships: bool = False

doc: Document | None = None

doc_author: bool = False

doc_timestamp: bool = False

doc_version: bool = False

file: str = ''

get_components_without_concluded_licenses(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without concluded licenses.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_copyright_texts(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without copyright texts.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_identifiers() → list[str][source]

Retrieve name of components without identifiers.

Returns:: A list of component names that do not have identifiers.
Return type:: List[str]

get_components_without_names() → list[str][source]

Retrieve SPDX ID of components without names.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_suppliers(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve names and/or SPDX IDs of components without suppliers.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_components_without_versions(return_tuples=False) → List[str] | List[Tuple[str, str]][source]

Retrieve name and/or SPDX ID of components without versions.

Parameters:: return_tuples (bool) – If True, return a list of tuples with component names and SPDX IDs. If False, return a list of component names.
Returns:: A list of component names or a list of tuples with component names and SPDX IDs.
Return type:: Union[List[str], List[Tuple[str, str]]]

get_total_number_components() → int[source]

Retrieve total number of components.

Returns:: The total number of components.
Return type:: int

ntia_minimum_elements_compliant: bool = False

abstract output_html() → str[source]: Abstract method to create a result in HTML format.

abstract output_json() → Dict[str, Any][source]: Abstract method to create a dict of results for outputting to JSON.

parse_file() → Document | None[source]

Parse SBOM document.

Returns:: The parsed SBOM document if successful, otherwise None.
Return type:: Optional[Document]

parsing_error: List[str] = []

abstract print_components_missing_info() → None[source]

Abstract method to print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard and the method that implements this abstract method.

Returns:: None

abstract print_table_output() → None[source]

Abstract method to print element-by-element result table.

Returns:: None

sbom_name: str = ''

validation_messages: List[str] | None = None

class ntia_conformance_checker.FSCT3Checker(file, validate=True, compliance='fsct3-min')[source]

Bases: BaseChecker

FSCT Common SBOM Third Edition checker.

A set of Baseline Attributes is defined in Section 2.2 of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) Third Edition.

There are three maturity levels (Minimum Expected, Recommended Practice, and Aspirational Goal) for content provided in Attribute entries.

See: https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024

check_compliance()[source]: Check overall compliance with FSCTv3 Minimum Expected

check_dependency_relationships()[source]: Check that the document DESCRIBES at least one package.

check_doc_version()[source]: Check for SPDX document version.

output_html()[source]: Create a HTML of results.

output_json()[source]: Create a dict of results for outputting to JSON.

print_components_missing_info()[source]: Print detailed info about which components are missing info.

print_table_output()[source]: Print element-by-element result table.

class ntia_conformance_checker.NTIAChecker(file, validate=True, compliance='ntia')[source]

Bases: BaseChecker

NTIA Minimum Elements check.

check_compliance()[source]: Check overall compliance with NTIA minimum elements.

check_dependency_relationships()[source]: Check that the document DESCRIBES at least one package.

check_doc_version()[source]: Check for SPDX document version.

check_ntia_minimum_elements_compliance()[source]

Check overall compliance with NTIA minimum elements.

This method is kept for backward compatibility. Please consider using check_compliance() instead.

output_html()[source]: Create a HTML of results.

output_json()[source]: Create a dict of results for outputting to JSON.

print_components_missing_info()[source]: Print detailed info about which components are missing info.

print_table_output()[source]: Print element-by-element result table.

class ntia_conformance_checker.SbomChecker(file, validate=True, compliance='ntia')[source]

Bases: BaseChecker

SBOM checker factory.

Post-v3.0.2, SbomChecker acts like a factory that returns a subclass of BaseChecker based on the given “compliance” argument during instantiation.

Currently there are two compliance standards available:

“ntia” (default), returns an instance of NTIAChecker - NTIAChecker has the same behavior as the original SbomChecker
“fsct3-min”, returns an instance of FSCT3Checker - FSCT3Checker is a new checker for FSCT 3rd Edition Baseline Attributes

If “compliance” is not recognized, SbomChecker raises a ValueError.

check_compliance() → bool[source]: Abstract method to check compliance.

check_dependency_relationships() → bool[source]: Abstract method to check dependency relationship requirements.

check_doc_version() → bool[source]: Abstract method to check SBOM document version.

output_html() → str[source]: Abstract method to create a result in HTML format.

output_json() → dict[source]: Abstract method to create a dict of results for outputting to JSON.

print_components_missing_info() → None[source]

Abstract method to print information about components that are missing required details.

What is considered “missing” is determined by a compliance standard and the method that implements this abstract method.

Returns:: None

print_table_output() → None[source]

Abstract method to print element-by-element result table.

Returns:: None