ossf · spencerschrock · May 17, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 27, 2024
@@ -38,6 +38,7 @@ type RawResults struct {
 	DependencyUpdateToolResults DependencyUpdateToolData
 	FuzzingResults              FuzzingData
 	LicenseResults              LicenseData
+	SbomResults                 SbomData
 	MaintainedResults           MaintainedData
 	Metadata                    MetadataData
 	PackagingResults            PackagingData
@@ -169,6 +170,37 @@ type LicenseData struct {
 	LicenseFiles []LicenseFile
 }
 
+type SbomOriginationType string
+
+const (
+	// sources of license information used to assert repo's license.
+	SbomOriginationTypeAPI       SbomOriginationType = "repositoryAPI"
+	SbomOriginationTypeCICD      SbomOriginationType = "repositoryCICD"
+	SbomOriginationTypeOther     SbomOriginationType = "other"
+	SbomOriginationTypeStandards SbomOriginationType = "standardsFile"
+)
+
+// sbom details.
+type Sbom struct {
+	Name          string              // sbom filename
+	Origin        SbomOriginationType // source of sbom
+	Schema        string              // Sbom Schema
+	SchemaVersion string              // Sbom Schema Version
+}
+
+// one file contains one sbom.
+type SbomFile struct {
+	SbomInformation Sbom
+	File            File
+}
+
+// SbomData contains the raw results
+// for the Sbom check.
+// Some repos may have more than one sbom.
+type SbomData struct {
+	SbomFiles []SbomFile
+}
+
 // CodeReviewData contains the raw results
 // for the Code-Review check.
 type CodeReviewData struct {

@@ -0,0 +1,140 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package evaluation
+
+import (
+	"fmt"
+
+	"github.com/ossf/scorecard/v4/checker"
+	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/sbomCICDArtifactExists"
+	"github.com/ossf/scorecard/v4/probes/sbomExists"
+	"github.com/ossf/scorecard/v4/probes/sbomReleaseArtifactExists"
+	"github.com/ossf/scorecard/v4/probes/sbomStandardsFileUsed"
+)
+
+// Sbom applies the score policy for the Sbom check.
+func Sbom(name string,
+	findings []finding.Finding,
+	dl checker.DetailLogger,
+) checker.CheckResult {
+	// We have 4 unique probes, each should have a finding.
+	expectedProbes := []string{
+		sbomExists.Probe,
+		sbomReleaseArtifactExists.Probe,
+		sbomStandardsFileUsed.Probe,
+		sbomCICDArtifactExists.Probe,
+	}
+
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
+		return checker.CreateRuntimeErrorResult(name, e)
+	}
+
+	// Compute the score.
+	existsMsg := "Sbom file found in project"
+	cicdMsg := "Sbom file generated in project CICD"
+	releaseMsg := "Sbom file found in release artifacts"
+	standardsMsg := "Sbom standards file used in project"
+	score := 0
+	m := make(map[string]bool)
+	for i := range findings {
+		f := &findings[i]
+		switch f.Outcome {
+		case finding.OutcomeNotApplicable:
+			dl.Info(&checker.LogMessage{
+				Type:   finding.FileTypeSource,
+				Offset: 1,
+				Text:   f.Message,
+			})
+		case finding.OutcomePositive:
+			switch f.Probe {
+			case sbomExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: existsMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomCICDArtifactExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: cicdMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomReleaseArtifactExists.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: releaseMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case sbomStandardsFileUsed.Probe:
+				dl.Info(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: standardsMsg,
+				})
+				score += scoreProbeOnce(f.Probe, m, 1)
+			default:
+				e := sce.WithMessage(sce.ErrScorecardInternal, "unknown probe results")
+				return checker.CreateRuntimeErrorResult(name, e)
+			}
+		case finding.OutcomeNegative:
+			switch f.Probe {
+			case sbomExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: "Sbom file not found in project",
+				})
+				existsMsg = f.Message
+			case sbomCICDArtifactExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: "Sbom file not generated in project CICD",
+				})
+				cicdMsg = f.Message
+			case sbomReleaseArtifactExists.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeURL,
+					Path: f.Message,
+					Text: "Sbom file not found in release artifacts",
+				})
+				releaseMsg = f.Message
+			case sbomStandardsFileUsed.Probe:
+				dl.Warn(&checker.LogMessage{
+					Type: finding.FileTypeSource,
+					Path: f.Message,
+					Text: "Sbom standards file not used in project",
+				})
+				standardsMsg = f.Message
+			}
+		default:
+			continue // for linting
+		}
+	}
+
+	_, defined := m[sbomExists.Probe]
+	if !defined {
+		return checker.CreateMinScoreResult(name, "sbom file not detected")
+	}
+
+	message := fmt.Sprintf("%s. %s. %s. %s. ", existsMsg, cicdMsg, releaseMsg, standardsMsg)
+	return checker.CreateResultWithScore(name, message, score)
+}
@@ -0,0 +1,87 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package evaluation
+
+import (
+	"testing"
+
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/finding"
+	scut "github.com/ossf/scorecard/v4/utests"
+)
+
+func TestSbom(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		findings []finding.Finding
+		result   scut.TestReturn
+	}{
+		{
+			name: "Positive outcome = Max Score",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasSbomFile",
+					Outcome: finding.OutcomePositive,
+				},
+				{
+					Probe:   "hasSbomReleaseArtifact",
+					Outcome: finding.OutcomePositive,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 2,
+			},
+		}, {
+			name: "Negative outcomes from all probes = Min score",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasLicenseFile",
+					Outcome: finding.OutcomeNegative,
+				},
+				{
+					Probe:   "hasSbomReleaseArtifact",
+					Outcome: finding.OutcomeNegative,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        checker.MinResultScore,
+				NumberOfWarn: 2,
+			},
+		}, {
+			name: "Has license file but not a top level or in OSI/FSF format",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasLicenseFile",
+					Outcome: finding.OutcomePositive,
+				},
+				{
+					Probe:   "hasSbomReleaseArtifact",
+					Outcome: finding.OutcomeNegative,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        3,
+				NumberOfWarn: 1,
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Parallel testing scoping hack.
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+		})
+	}
+}