Documentation
¶
Overview ¶
Copyright 2025 Interlynk.io
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2025 Interlynk.io ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Package cmd implements the command-line interface for the sbomqs application, providing commands for scoring, compliance checking, and policy validation of SBOM documents.
Copyright 2025 Interlynk.io ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2025 Interlynk.io ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var FeatureRegistry = []Feature{
{Name: "sbom_authors", Category: "SBOM", Description: "SBOM authors / creators"},
{Name: "sbom_creation_timestamp", Category: "SBOM", Description: "SBOM creation timestamp"},
{Name: "sbom_tool", Category: "SBOM", Description: "Tool that generated the SBOM (name + version)"},
{Name: "sbom_organization", Category: "SBOM", Description: "SBOM producing organization"},
{Name: "sbom_spdxid", Category: "SBOM", Description: "Document-level SPDX ID"},
{Name: "sbom_schema_valid", Category: "SBOM", Description: "SBOM validates against its schema"},
{Name: "sbom_parsable", Category: "SBOM", Description: "SBOM is syntactically parsable"},
{Name: "sbom_sharable", Category: "SBOM", Description: "SBOM has a sharable data license"},
{Name: "sbom_spec", Category: "SBOM", Description: "SBOM specification type (cyclonedx / spdx)"},
{Name: "sbom_spec_version", Category: "SBOM", Description: "SBOM specification version"},
{Name: "sbom_spec_file_format", Category: "SBOM", Description: "SBOM file format (json / xml / tag-value)"},
{Name: "spec_version_compliant", Category: "SBOM", Description: "Spec + version are compliant"},
{Name: "sbom_primary_comp", Category: "SBOM", Description: "Primary component name and version"},
{Name: "sbom_primary_component", Category: "SBOM", Description: "Primary component declared"},
{Name: "sbom_uri", Category: "SBOM", Description: "SBOM unique URI or namespace"},
{Name: "sbom_dependencies", Category: "SBOM", Description: "SBOM dependency graph"},
{Name: "sbom_build", Category: "SBOM", Description: "SBOM build / lifecycle metadata"},
{Name: "sbom_bomlinks", Category: "SBOM", Description: "BOM-Link references present"},
{Name: "sbom_supplier", Category: "SBOM", Description: "SBOM supplier (CycloneDX only)"},
{Name: "sbom_vuln", Category: "Security", Description: "SBOM contains vulnerability entries"},
{Name: "comp_name", Category: "Component", Description: "Component name"},
{Name: "comp_version", Category: "Component", Description: "Component version"},
{Name: "comp_supplier", Category: "Component", Description: "Component supplier or manufacturer (with fallback)"},
{Name: "comp_author", Category: "Component", Description: "Component authors (name, email)"},
{Name: "comp_uniq_ids", Category: "Component", Description: "All unique identifiers: PURL, CPE, SWHID, SWID, OmniBOR"},
{Name: "comp_local_id", Category: "Component", Description: "Component local identifier"},
{Name: "comp_purl", Category: "Component", Description: "Component PURL"},
{Name: "comp_cpe", Category: "Component", Description: "Component CPE"},
{Name: "comp_primary_purpose", Category: "Component", Description: "Component primary purpose / type"},
{Name: "comp_external_refs", Category: "Component", Description: "All external references (type: locator)"},
{Name: "comp_depth", Category: "Component", Description: "Direct dependency names, or 'leaf component' if none"},
{Name: "comp_dependencies", Category: "Component", Description: "Component dependency declarations"},
{Name: "comp_checksums", Category: "Component", Description: "Component has checksums"},
{Name: "comp_sha256", Category: "Component", Description: "Component has SHA-256 checksum"},
{Name: "comp_checksums_sha256", Category: "Component", Description: "Component has SHA-256 checksum entry"},
{Name: "comp_strong_checksums", Category: "Component", Description: "Component uses strong checksum algorithms"},
{Name: "comp_weak_checksums", Category: "Component", Description: "Component has weak checksum algorithms"},
{Name: "comp_source_code_hash", Category: "Component", Description: "Source code hash"},
{Name: "comp_source_code_uri", Category: "Component", Description: "Component source code URI"},
{Name: "comp_executable_uri", Category: "Component", Description: "Component executable / download URI"},
{Name: "comp_all_licenses", Category: "License", Description: "All licenses: concluded and declared, labeled by type"},
{Name: "comp_licenses", Category: "License", Description: "Component has license expressions"},
{Name: "comp_valid_licenses", Category: "License", Description: "Component has valid SPDX expression syntax (accepts LicenseRef-*)"},
{Name: "comp_spdx_listed_license", Category: "License", Description: "Component has SPDX standard listed licenses only"},
{Name: "comp_associated_license", Category: "License", Description: "Component associated license"},
{Name: "comp_concluded_license", Category: "License", Description: "Component concluded license"},
{Name: "comp_declared_license", Category: "License", Description: "Component declared license"},
{Name: "comp_deprecated_licenses", Category: "License", Description: "Component has deprecated licenses"},
{Name: "comp_restrictive_licenses", Category: "License", Description: "Component has restrictive licenses"},
{Name: "comp_any_vuln_lookup_id", Category: "Security", Description: "Component has at least one vulnerability lookup ID"},
{Name: "comp_multi_vuln_lookup_id", Category: "Security", Description: "Component has multiple vulnerability lookup IDs"},
}
var ProfileSections = []ProfileSection{ { Name: "Generic (no --profile required)", Features: []ProfileFeature{ {Name: "sbom_authors", Description: "SBOM authors"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "sbom_creator_and_version", Description: "Tool that generated the SBOM (name + version)"}, {Name: "sbom_spec", Description: "SBOM specification type (cyclonedx / spdx)"}, {Name: "sbom_spec_version", Description: "SBOM specification version"}, {Name: "sbom_file_format", Description: "SBOM file format (json / xml / tag-value)"}, {Name: "sbom_uri", Description: "SBOM unique URI or namespace"}, {Name: "sbom_primary_comp", Description: "Primary component name and version"}, {Name: "sbom_schema_valid", Description: "Whether the SBOM validates against its schema"}, {Name: "sbom_dependencies", Description: "SBOM-level dependency graph summary"}, {Name: "sbom_organization", Description: "SBOM organization metadata"}, {Name: "sbom_build", Description: "SBOM build / lifecycle metadata"}, {Name: "sbom_vuln", Description: "Whether the SBOM contains vulnerability entries"}, {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_supplier", Description: "Component supplier or manufacturer (fallback)"}, {Name: "comp_author", Description: "Component authors (name, email)"}, {Name: "comp_external_refs", Description: "All external references (type: locator)"}, {Name: "comp_all_licenses", Description: "All licenses: concluded and declared, labeled by type"}, {Name: "comp_depth", Description: "Direct dependencies by name, or 'leaf component' if none"}, {Name: "comp_uniq_ids", Description: "All unique identifiers: PURL, CPE, SWHID, SWID, OmniBOR"}, {Name: "comp_purl", Description: "Component PURL"}, {Name: "comp_cpe", Description: "Component CPE"}, {Name: "comp_checksums", Description: "Component checksum value"}, {Name: "comp_primary_purpose", Description: "Component purpose / type"}, {Name: "comp_source_code_uri", Description: "Component source code URI"}, {Name: "comp_executable_uri", Description: "Component executable / download URI"}, {Name: "comp_source_code_hash", Description: "Source code hash"}, }, }, { Name: "BSI TR-03183-2 v1.1 (--profile bsiv11)", Features: []ProfileFeature{ {Name: "sbom_creator", Description: "SBOM creator contact (email or URL)"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "sbom_uri", Description: "SBOM URI"}, {Name: "comp_creator", Description: "Component creator contact (email or URL)"}, {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_depth", Description: "Dependency relationships"}, {Name: "comp_license", Description: "License (concluded preferred, declared fallback)"}, {Name: "comp_hash", Description: "Component hash (any algorithm)"}, {Name: "comp_unique_identifiers", Description: "Unique identifiers (PURL, CPE)"}, {Name: "comp_source_url", Description: "Source code URL"}, {Name: "comp_executable_url", Description: "Executable / download URL"}, {Name: "comp_source_hash", Description: "Source code hash"}, }, }, { Name: "BSI TR-03183-2 v2.0 (--profile bsiv20)", Features: []ProfileFeature{ {Name: "sbom_creator", Description: "SBOM creator contact (email or URL)"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "sbom_uri", Description: "SBOM URI"}, {Name: "comp_creator", Description: "Component creator contact (email or URL)"}, {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_filename", Description: "Component filename"}, {Name: "comp_depth", Description: "Dependency relationships"}, {Name: "comp_associated_license", Description: "Associated license (concluded preferred, declared fallback)"}, {Name: "comp_deployable_hash", Description: "Deployable component hash"}, {Name: "comp_executable_property", Description: "Executable property"}, {Name: "comp_archive_property", Description: "Archive property"}, {Name: "comp_structured_property", Description: "Structured property"}, {Name: "comp_source_code_url", Description: "Source code URL"}, {Name: "comp_download_url", Description: "Download / executable URL"}, {Name: "comp_other_identifiers", Description: "Other unique identifiers (PURL, CPE)"}, {Name: "comp_concluded_license", Description: "Concluded license"}, {Name: "comp_declared_license", Description: "Declared license"}, {Name: "comp_source_hash", Description: "Source code hash"}, }, }, { Name: "BSI TR-03183-2 v2.1 (--profile bsiv21)", Features: []ProfileFeature{ {Name: "sbom_spec_version", Description: "SBOM specification version (CycloneDX ≥ 1.6)"}, {Name: "sbom_creator", Description: "SBOM creator contact (email or URL)"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "sbom_uri", Description: "SBOM URI"}, {Name: "comp_creator", Description: "Component creator contact (email or URL)"}, {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_filename", Description: "Component filename"}, {Name: "comp_depth", Description: "Dependency relationships"}, {Name: "comp_distribution_license", Description: "Distribution license (concluded)"}, {Name: "comp_deployable_hash", Description: "Deployable component hash"}, {Name: "comp_executable_prop", Description: "Executable property"}, {Name: "comp_archive_prop", Description: "Archive property"}, {Name: "comp_structured_prop", Description: "Structured property"}, {Name: "comp_source_code_url", Description: "Source code URL"}, {Name: "comp_download_url", Description: "Download / executable URL"}, {Name: "comp_other_identifiers", Description: "Other unique identifiers (PURL, CPE, SWID)"}, {Name: "comp_original_licenses", Description: "Original / declared licenses"}, {Name: "comp_effective_license", Description: "Effective license"}, {Name: "comp_source_hash", Description: "Source code hash"}, {Name: "comp_security_txt_url", Description: "security.txt URL"}, }, }, { Name: "FSCT Framing 3rd Edition (--profile fsct)", Features: []ProfileFeature{ {Name: "sbom_provenance", Description: "SBOM provenance (author or tool declared)"}, {Name: "sbom_primary_component", Description: "Primary component declared"}, {Name: "relationships_coverage", Description: "Dependency relationship completeness"}, {Name: "comp_identity", Description: "Component name and version"}, {Name: "supplier_attribution", Description: "Supplier attribution (name, URL, email, or unknown)"}, {Name: "comp_unique_id", Description: "Unique identifier (PURL, CPE, SWHID, SWID, or OmniBOR)"}, {Name: "artifact_integrity", Description: "Component hash (any algorithm)"}, {Name: "license_coverage", Description: "License information (any type)"}, {Name: "copyright_coverage", Description: "Copyright text"}, }, }, { Name: "Interlynk (--profile interlynk)", Features: []ProfileFeature{ {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_local_id", Description: "Component local identifier"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "sbom_authors", Description: "SBOM authors"}, {Name: "sbom_tool", Description: "SBOM tool name and version"}, {Name: "sbom_supplier", Description: "SBOM supplier"}, {Name: "sbom_namespace", Description: "SBOM namespace / URI"}, {Name: "sbom_lifecycle", Description: "SBOM lifecycle / build stage"}, {Name: "comp_checksums", Description: "Component checksums (any algorithm)"}, {Name: "comp_sha256", Description: "Component SHA-256 checksum"}, {Name: "sbom_signature", Description: "SBOM signature"}, {Name: "comp_dependencies", Description: "Component dependency declarations"}, {Name: "sbom_completeness", Description: "SBOM completeness declaration"}, {Name: "sbom_primary_component", Description: "Primary component declared"}, {Name: "comp_source_code", Description: "Component source code reference"}, {Name: "comp_supplier", Description: "Component supplier"}, {Name: "comp_purpose", Description: "Component purpose / type"}, {Name: "comp_licenses", Description: "Component licenses (concluded)"}, {Name: "comp_valid_licenses", Description: "Component has valid SPDX expression syntax (accepts LicenseRef-*)"}, {Name: "comp_spdx_listed_license", Description: "Component has SPDX standard listed licenses only"}, {Name: "comp_no_deprecated_licenses", Description: "No deprecated licenses"}, {Name: "comp_no_restrictive_licenses", Description: "No restrictive licenses"}, {Name: "comp_declared_licenses", Description: "Component declared licenses"}, {Name: "sbom_data_license", Description: "SBOM data license"}, {Name: "comp_purl", Description: "Component PURL"}, {Name: "comp_cpe", Description: "Component CPE"}, {Name: "sbom_spec_declared", Description: "SBOM specification declared"}, {Name: "sbom_spec_version", Description: "SBOM specification version"}, {Name: "sbom_file_format", Description: "SBOM file format"}, {Name: "sbom_schema_valid", Description: "SBOM schema valid"}, }, }, { Name: "NTIA Minimum Elements (--profile ntia)", Features: []ProfileFeature{ {Name: "sbom_authors", Description: "SBOM author declared"}, {Name: "sbom_relationships", Description: "Primary component dependency relationships"}, {Name: "sbom_timestamp", Description: "SBOM creation timestamp"}, {Name: "comp_supplier", Description: "Component supplier"}, {Name: "comp_name", Description: "Component name"}, {Name: "comp_version", Description: "Component version"}, {Name: "comp_uniq_id", Description: "Unique identifier (PURL or CPE)"}, }, }, }
ProfileSections defines all sections shown by `sbomqs features`, ordered: Generic first, then each compliance profile alphabetically.
Functions ¶
Types ¶
type ProfileFeature ¶ added in v2.0.6
ProfileFeature is a feature entry within a profile section for display purposes.
type ProfileSection ¶ added in v2.0.6
type ProfileSection struct {
Name string
Features []ProfileFeature
}
ProfileSection groups features under a named profile or "Generic" for display.