✨ Add experimental check for published SBOM

checker/raw_result.go

@@ -38,6 +38,7 @@ type RawResults struct {
 	DependencyUpdateToolResults DependencyUpdateToolData
 	FuzzingResults              FuzzingData
 	LicenseResults              LicenseData
+	SbomResults                 SbomData
 	MaintainedResults           MaintainedData
 	Metadata                    MetadataData
 	PackagingResults            PackagingData
@@ -169,6 +170,42 @@ type LicenseData struct {
 	LicenseFiles []LicenseFile
 }
 
+type SbomOriginationType string
+
+const (
+	// sources of sbom information.
+
+	// Originating in repository Release Assets (or Sbom api endpoint for GH).
+	SbomOriginationTypeRelease SbomOriginationType = "repositoryRelease"
+	// Originating in repository CICD artifacts.
+	SbomOriginationTypeCICD SbomOriginationType = "repositoryCICD"
+	// Originating in source or other non-specific source.
+	SbomOriginationTypeOther SbomOriginationType = "other"
+	// Originating from sbom entry in SECURITY_INSIGHTS.yml.
+	SbomOriginationTypeStandards SbomOriginationType = "standardsFile"
+)
+
+// sbom details.
+type Sbom struct {
+	Name          string              // Sbom Filename
+	Origin        SbomOriginationType // Sbom Source
+	Schema        string              // Sbom Schema
+	SchemaVersion string              // Sbom Schema Version
+	URL           string              // Sbom Asset URL
+}
+
+// one file contains one sbom.
+type SbomFile struct {
+	SbomInformation Sbom
+	File            File
+}
+
+// SbomData contains the raw results for the Sbom check.
+// Some repos may have more than one sbom.
+type SbomData struct {
+	SbomFiles []SbomFile
+}
+
 // CodeReviewData contains the raw results
 // for the Code-Review check.
 type CodeReviewData struct {

checks/evaluation/sbom.go

@@ -0,0 +1,140 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package evaluation
+
+import (
+	"fmt"
+
+	"github.com/ossf/scorecard/v4/checker"
+	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/sbomCICDArtifactExists"
+	"github.com/ossf/scorecard/v4/probes/sbomExists"
+	"github.com/ossf/scorecard/v4/probes/sbomReleaseAssetExists"
+	"github.com/ossf/scorecard/v4/probes/sbomStandardsFileUsed"
+)
+
+// Sbom applies the score policy for the Sbom check.
+func Sbom(name string,
+	findings []finding.Finding,
+	dl checker.DetailLogger,
+) checker.CheckResult {
+	// We have 4 unique probes, each should have a finding.
+	expectedProbes := []string{
+		sbomExists.Probe,
+		sbomReleaseAssetExists.Probe,
+		sbomStandardsFileUsed.Probe,
+		sbomCICDArtifactExists.Probe,
+	}
+
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
+		return checker.CreateRuntimeErrorResult(name, e)
+	}
+
+	// Compute the score.
+	existsMsg := "Sbom file found in project"
+	cicdMsg := "Sbom file generated in project CICD"
+	releaseMsg := "Sbom file found in release artifacts"
+	standardsMsg := "Sbom standards file used in project"
+	score := 0
+	m := make(map[string]bool)
+	for i := range findings {
+		f := &findings[i]
+		switch f.Outcome {
+		case finding.OutcomeNotApplicable:
+			dl.Info(&checker.LogMessage{
+				Type:   finding.FileTypeSource,
+				Offset: 1,
+				Text:   f.Message,
+			})
+		case finding.OutcomePositive:
+			switch f.Probe {
+			case sbomExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: existsMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomCICDArtifactExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: cicdMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomReleaseAssetExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: releaseMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomStandardsFileUsed.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: standardsMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 1)
+			default:
+				e := sce.WithMessage(sce.ErrScorecardInternal, "unknown probe results")
+				return checker.CreateRuntimeErrorResult(name, e)
+			}
+		case finding.OutcomeNegative:
+			switch f.Probe {
+			case sbomExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: "Sbom file not found in project",
+				})
+				existsMsg = f.Message
+			case sbomCICDArtifactExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: "Sbom file not generated in project CICD",
+				})
+				cicdMsg = f.Message
+			case sbomReleaseAssetExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: "Sbom file not found in release artifacts",
+				})
+				releaseMsg = f.Message
+			case sbomStandardsFileUsed.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: "Sbom standards file not used in project",
+				})
+				standardsMsg = f.Message
+			}
+		default:
+			continue // for linting
+		}
+	}
+
+	_, defined := m[sbomExists.Probe]
+	if !defined {
+		return checker.CreateMinScoreResult(name, "sbom file not detected")
+	}
+
+	message := fmt.Sprintf("%s. %s. %s. %s. ", existsMsg, cicdMsg, releaseMsg, standardsMsg)
+	return checker.CreateResultWithScore(name, message, score)
+}