Skip to main content

SBOM Score

You can see the quality score of every SBOM that’s generated by SCS module. This feature evaluates the quality of the Software Bill of Materials (SBOM) in various categories, utilizing a scoring system ranging from 0 to 10.

Scoring Criteria

The SBOM Quality Score is calculated based on the following categories:

NTIA-Minimum-Elements: Assesses compliance with NTIA minimum element guidelines.

Structural: Checks adherence to underlying specifications of SPDX or CycloneDX.

Semantic: Evaluates the correctness of SBOM field meanings specific to their standard.

Quality: Determines the overall data quality present in the SBOM.

Sharing: Assesses the SBOM's readiness for sharing.

Each category contributes to an overall score reflecting the SBOM's quality, compliance, and readiness for sharing.

How It Works

SBOM Generation: Upon generating an SBOM in SCS, it undergoes quality scoring.

Scoring Process: The sbomqs tool evaluates the SBOM across the defined categories.

Score Display: The final score, ranging from 0 to 10, is displayed alongside the SBOM details within SCS.

Viewing the Score

You can view the scores of all generated SBOMs from the Artifacts view. Additionally, the score of an SBOMs generated from a specific pipeline execution can be found in the Supply Chain tab within the pipeline execution window.

Artifact view in SCS

Click on the Artifacts section in the left-hand panel which lists all the artifacts. Select any of the artifact,to access a detailed list of all associated digests of the artifact. In the SBOM column, you'll be able to view the corresponding score alongside the SBOM for that digest.

"SBOM Score from Artifacts view"

By clicking on the score, you see the complete breakdown of scores in various categories. You can expand each category to see the score of individual items

"SBOM Score details"

Supply Chain Tab

The SBOM score for a specific pipeline execution can be found in the Supply Chain tab within the pipeline execution window.

"SBOM Score from Supply Chain Tab"

Score Interpretation

Score Range: 0 (lowest) to 10 (highest).

Higher Scores: Indicate better quality, compliance, and readiness for sharing.

Lower Scores: Suggest areas for improvement or further investigation.

For more detailed information on the scoring criteria, please visit the sbomqs GitHub repository.