Fix/bsi 2 testing (#450)

* remove ordering

* lineup features in ordering

* add sbom bomlinks attributes for bsi 2

* fix linting

* fix values

Author: viveksahu26

cmd/list.go

@@ -74,7 +74,7 @@ var listCmd = &cobra.Command{
   # SBOM features:
   [sbom_creation_timestamp, sbom_authors, sbom_with_creator_and_version, sbom_with_primary_component, sbom_dependencies, 
   sbom_sharable, sbom_parsable, sbom_spec, sbom_file_format, sbom_spec_version, spec_with_version_compliant, sbom_with_uri,
-  sbom_with_vuln, sbom_build_process]
+  sbom_with_vuln, sbom_build_process, sbom_with_bomlinks]
 `,
 
 	Args: func(_ *cobra.Command, args []string) error {
@@ -267,5 +267,6 @@ var isFeaturePresent = map[string]bool{
 	"sbom_with_uri":                 true,
 	"sbom_with_vuln":                true,
 	"sbom_build_process":            true,
+	"sbom_with_bomlinks":            true,
 	// "sbom_with_signature":           true,
 }

pkg/compliance/bsiV2.go

@@ -64,6 +64,7 @@ func bsiV2Result(ctx context.Context, doc sbom.Document, fileName string, outFor
 	}
 }
 
+// bomlinks
 func bsiV2SbomLinks(doc sbom.Document) *db.Record {
 	result, score := "", 0.0
 

pkg/list/list.go

@@ -291,13 +291,13 @@ func evaluateComponentFeature(feature string, comp sbom.GetComponent, doc sbom.D
 		return evaluateCompWithAssociatedLicense(doc, comp)
 
 	case "comp_with_concluded_license":
-		return evaluateCompWithConcludedLicense(doc, comp)
+		return evaluateCompWithConcludedLicense(comp)
 
 	case "comp_with_declared_license":
-		return evaluateCompWithDeclaredLicense(doc, comp)
+		return evaluateCompWithDeclaredLicense(comp)
 
 	case "comp_with_dependencies":
-		return evaluateCompWithDependencies(doc, comp)
+		return evaluateCompWithDependencies(comp)
 
 	case "comp_with_any_vuln_lookup_id":
 		return evaluateCompWithAnyVulnLookupID(comp)
@@ -312,7 +312,7 @@ func evaluateComponentFeature(feature string, comp sbom.GetComponent, doc sbom.D
 		return evaluateCompWithPrimaryPurpose(doc, comp)
 
 	case "comp_with_restrictive_licenses":
-		return evaluateCompWithRestrictedLicenses(doc, comp)
+		return evaluateCompWithRestrictedLicenses(comp)
 
 	case "comp_with_checksums":
 		return evaluateCompWithChecksums(comp)
@@ -372,6 +372,9 @@ func evaluateSBOMFeature(feature string, doc sbom.Document) (bool, string, error
 	case "sbom_build_process":
 		return evaluateSBOMBuildLifeCycle(doc)
 
+	case "sbom_with_bomlinks":
+		return evaluateSBOMWithBomLinks(doc)
+
 	// case "sbom_with_signature":
 	// 	return evaluateSBOMWithSignature(doc)
 
@@ -434,6 +437,9 @@ func evaluateCompWithVersion(comp sbom.GetComponent) (bool, string, error) {
 
 // evaluateCompWithSupplier evaluates if the component has a supplier
 func evaluateCompWithSupplier(comp sbom.GetComponent) (bool, string, error) {
+	if !comp.Suppliers().IsPresent() {
+		return false, "", nil
+	}
 	return comp.Suppliers().IsPresent(), comp.Suppliers().GetName() + "," + comp.Suppliers().GetEmail(), nil
 }
 
@@ -457,7 +463,7 @@ func evaluateCompWithValidLicenses(comp sbom.GetComponent) (bool, string, error)
 	}
 
 	if len(validLicenses) == 0 {
-		return false, "", nil
+		return true, "", nil
 	}
 	return true, strings.Join(validLicenses, ","), nil
 }
@@ -479,6 +485,9 @@ func evaluateCompWithAnyVulnLookupID(comp sbom.GetComponent) (bool, string, erro
 		allIDs = append(allIDs, purl.String()) // Assuming purl.PURL has a String() method
 	}
 
+	if len(allIDs) == 0 {
+		return true, "", nil
+	}
 	return true, strings.Join(allIDs, ","), nil
 }
 
@@ -500,6 +509,9 @@ func evaluateCompWithMultiVulnLookupID(comp sbom.GetComponent) (bool, string, er
 	for _, purl := range purls {
 		allIDs = append(allIDs, purl.String()) // Assuming purl.PURL has a String() method
 	}
+	if len(allIDs) == 0 {
+		return true, "", nil
+	}
 
 	return hasFeature, strings.Join(allIDs, ","), nil
 }
@@ -537,7 +549,7 @@ func evaluateCompWithPrimaryPurpose(doc sbom.Document, comp sbom.GetComponent) (
 }
 
 // evaluateCompWithRestrictedLicenses evaluates if the component has any restrictive licenses
-func evaluateCompWithRestrictedLicenses(doc sbom.Document, comp sbom.GetComponent) (bool, string, error) {
+func evaluateCompWithRestrictedLicenses(comp sbom.GetComponent) (bool, string, error) {
 	licenses := comp.Licenses()
 	if len(licenses) == 0 {
 		return false, "", nil
@@ -573,6 +585,9 @@ func evaluateCompWithChecksums(comp sbom.GetComponent) (bool, string, error) {
 	for _, checksum := range checksums {
 		checksumValues = append(checksumValues, checksum.GetAlgo()) // Assuming sbom.GetChecksum has a GetAlgo() method
 	}
+	if len(checksumValues) == 0 {
+		return true, "", nil
+	}
 	return true, strings.Join(checksumValues, ","), nil
 }
 
@@ -589,6 +604,9 @@ func evaluateCompWithLicenses(comp sbom.GetComponent) (bool, string, error) {
 			licenseNames = append(licenseNames, l.Name())
 		}
 	}
+	if len(licenseNames) == 0 {
+		return true, "", nil
+	}
 
 	return true, strings.Join(licenseNames, ","), nil
 }
@@ -610,7 +628,7 @@ func evaluateCompWithSHA256Checksums(comp sbom.GetComponent) (bool, string, erro
 	}
 
 	if len(sha256Checksums) == 0 {
-		return false, "", nil
+		return true, "", nil
 	}
 	return true, strings.Join(sha256Checksums, ","), nil
 }
@@ -685,7 +703,7 @@ func evaluateCompWithAssociatedLicense(doc sbom.Document, comp sbom.GetComponent
 }
 
 // evaluateCompWithConcludedLicense evaluates if the component has a concluded license
-func evaluateCompWithConcludedLicense(doc sbom.Document, comp sbom.GetComponent) (bool, string, error) {
+func evaluateCompWithConcludedLicense(comp sbom.GetComponent) (bool, string, error) {
 	var concludedLicense []string
 	for _, l := range comp.ConcludedLicenses() {
 		if l != nil {
@@ -700,7 +718,7 @@ func evaluateCompWithConcludedLicense(doc sbom.Document, comp sbom.GetComponent)
 }
 
 // evaluateCompWithDeclaredLicense evaluates if the component has a declared license
-func evaluateCompWithDeclaredLicense(doc sbom.Document, comp sbom.GetComponent) (bool, string, error) {
+func evaluateCompWithDeclaredLicense(comp sbom.GetComponent) (bool, string, error) {
 	var declaredLicense []string
 	for _, l := range comp.DeclaredLicenses() {
 		if l != nil {
@@ -715,7 +733,7 @@ func evaluateCompWithDeclaredLicense(doc sbom.Document, comp sbom.GetComponent)
 }
 
 // evaluateCompWithDependencies evaluates if the component has dependencies
-func evaluateCompWithDependencies(doc sbom.Document, comp sbom.GetComponent) (bool, string, error) {
+func evaluateCompWithDependencies(comp sbom.GetComponent) (bool, string, error) {
 	if comp == nil {
 		return false, "", fmt.Errorf("component is nil")
 	}
@@ -905,3 +923,18 @@ func evaluateSBOMBuildLifeCycle(doc sbom.Document) (bool, string, error) {
 
 	return true, lifecycles[found-1], nil
 }
+
+// evaluateSBOMWithBomLinks evaluates if the SBOM has BOM links
+func evaluateSBOMWithBomLinks(doc sbom.Document) (bool, string, error) {
+	bomLinks := doc.Spec().GetExtDocRef()
+	if len(bomLinks) == 0 {
+		return false, "", nil
+	}
+
+	linkValues := make([]string, 0, len(bomLinks))
+	linkValues = append(linkValues, bomLinks...)
+	if len(linkValues) == 0 {
+		return false, "", nil
+	}
+	return true, strings.Join(linkValues, ", "), nil
+}

pkg/reporter/detailed.go

@@ -17,8 +17,6 @@ package reporter
 import (
 	"fmt"
 	"os"
-	"sort"
-	"strings"
 
 	"github.com/fatih/color"
 	"github.com/olekukonko/tablewriter"
@@ -41,16 +39,6 @@ func (r *Reporter) detailedReport() {
 			outDoc = append(outDoc, l)
 		}
 
-		sort.Slice(outDoc, func(i, j int) bool {
-			switch strings.Compare(outDoc[i][0], outDoc[j][0]) {
-			case -1:
-				return true
-			case 1:
-				return false
-			}
-			return outDoc[i][1] < outDoc[j][1]
-		})
-
 		fmt.Printf("SBOM Quality by Interlynk Score:%0.1f\tcomponents:%d\t%s\n", scores.AvgScore(), len(doc.Components()), path)
 
 		// Initialize tablewriter table with borders

pkg/scorer/bsi.go

@@ -258,6 +258,20 @@ func compWithSourceCodeHashCheck(d sbom.Document, c *check) score {
 	return *s
 }
 
+func sbomWithBomLinksCheck(doc sbom.Document, c *check) score {
+	s := newScoreFromCheck(c)
+	bom := doc.Spec().GetExtDocRef()
+	if len(bom) == 0 {
+		s.setScore(0.0)
+		s.setDesc("no bom links found")
+		// s.setIgnore(true)
+		return *s
+	}
+	s.setScore(10.0)
+	s.setDesc(fmt.Sprintf("found %d bom links", len(bom)))
+	return *s
+}
+
 // v2.1
 func sbomWithVulnCheck(doc sbom.Document, c *check) score {
 	s := newScoreFromCheck(c)
@@ -326,7 +340,7 @@ func sbomWithSignatureCheck(doc sbom.Document, c *check) score {
 		pubKeyData, err := os.ReadFile(pubKey)
 		if err != nil {
 			s.setScore(0.0)
-			s.setDesc("No signature provided or public key not found!")
+			s.setDesc("No signature or public key provided!")
 			// s.setIgnore(true)
 			return *s
 		}

pkg/scorer/criteria.go

@@ -39,20 +39,14 @@ type check struct {
 }
 
 var checks = []check{
-	// structural
-	{string(structural), "sbom_spec", false, "SBOM Specification", specCheck},
-	{string(structural), "sbom_spec_version", false, "Spec Version", specVersionCheck},
-	{string(structural), "sbom_file_format", false, "SBOM File Format", sbomFileFormatCheck},
-	{string(structural), "sbom_parsable", false, "Spec is parsable", specParsableCheck},
-
 	// ntia minimum
-	{string(ntiam), "comp_with_supplier", false, "components have suppliers", compWithSupplierCheck},
 	{string(ntiam), "comp_with_name", false, "components have a name", compWithNameCheck},
 	{string(ntiam), "comp_with_version", false, "components have a version", compWithVersionCheck},
 	{string(ntiam), "comp_with_uniq_ids", false, "components have uniq ids", compWithUniqIDCheck},
-	{string(ntiam), "sbom_dependencies", false, "sbom has dependencies", sbomWithDepedenciesCheck},
-	{string(ntiam), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
+	{string(ntiam), "comp_with_supplier", false, "components have suppliers", compWithSupplierCheck},
 	{string(ntiam), "sbom_creation_timestamp", false, "sbom has creation timestamp", sbomWithTimeStampCheck},
+	{string(ntiam), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
+	{string(ntiam), "sbom_dependencies", false, "primary comp has dependencies", sbomWithDepedenciesCheck},
 
 	// bsi-v1.1
 	{string(bsiv1_1), "comp_with_name", false, "components have a name", compWithNameCheck},
@@ -64,36 +58,34 @@ var checks = []check{
 	{string(bsiv1_1), "comp_with_source_code_uri", false, "components have source code URI", compWithSourceCodeURICheck},
 	{string(bsiv1_1), "comp_with_source_code_hash", false, "components have source code hash", compWithSourceCodeHashCheck},
 	{string(bsiv1_1), "comp_with_executable_uri", false, "components have executable URI", compWithExecutableURICheck},
+	{string(bsiv1_1), "comp_with_dependencies", false, "components have dependencies", compWithDependencyCheck},
 	{string(bsiv1_1), "spec_with_version_compliant", false, "SBOM Specification", specWithVersionCompliant},
-	{string(bsiv1_1), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
 	{string(bsiv1_1), "sbom_creation_timestamp", false, "sbom has creation timestamp", sbomWithTimeStampCheck},
+	{string(bsiv1_1), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
 	{string(bsiv1_1), "sbom_dependencies", false, "sbom has dependencies", sbomWithDepedenciesCheck},
 	{string(bsiv1_1), "sbom_with_uri", false, "sbom has URI", sbomWithURICheck},
-	{string(bsiv1_1), "comp_with_dependencies", false, "components have dependencies", compWithDependencyCheck},
 
 	// bsi-v2.0.0
 	{string(bsiv2_0), "comp_with_name", false, "components have a name", compWithNameCheck},
 	{string(bsiv2_0), "comp_with_version", false, "components have a version", compWithVersionCheck},
 	{string(bsiv2_0), "comp_with_uniq_ids", false, "components have uniq ids", bsiCompWithUniqIDCheck},
 	{string(bsiv2_0), "comp_with_supplier", false, "components have suppliers", compWithSupplierCheck},
-
 	{string(bsiv2_0), "comp_with_associated_license", false, "components have associated licenses", compWithAssociatedLicensesCheck},
 	{string(bsiv2_0), "comp_with_concluded_license", false, "components have concluded licenses", compWithConcludedLicensesCheck},
 	{string(bsiv2_0), "comp_with_declared_license", false, "components have declared licenses", compWithDeclaredLicensesCheck},
-	{string(bsiv2_0), "comp_with_dependencies", false, "components have dependencies", compWithDependencyCheck},
-
 	{string(bsiv2_0), "comp_with_source_code_uri", false, "components have source code URI", compWithSourceCodeURICheck},
 	{string(bsiv2_0), "comp_with_source_code_hash", false, "components have source code hash", compWithSourceCodeHashCheck},
 	{string(bsiv2_0), "comp_with_executable_uri", false, "components have executable URI", compWithExecutableURICheck},
 	{string(bsiv2_0), "comp_with_executable_hash", false, "components have executable checksums", compWithSHA256ChecksumsCheck},
-
-	{string(bsiv2_0), "sbom_with_vuln", false, "SBOM has vulnerability", sbomWithVulnCheck},
+	{string(bsiv2_0), "comp_with_dependencies", false, "components have dependencies", compWithDependencyCheck},
 	{string(bsiv2_0), "spec_with_version_compliant", false, "SBOM Specification", specWithVersionCompliant},
-	{string(bsiv2_0), "sbom_build_process", false, "SBOM build process", sbomBuildLifecycleCheck},
-	{string(bsiv2_0), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
 	{string(bsiv2_0), "sbom_creation_timestamp", false, "sbom has creation timestamp", sbomWithTimeStampCheck},
-	{string(bsiv2_0), "sbom_dependencies", false, "primary comp has dependencies", sbomWithDepedenciesCheck},
+	{string(bsiv2_0), "sbom_authors", false, "sbom has authors", sbomWithAuthorsCheck},
+	{string(bsiv2_0), "sbom_build_process", false, "SBOM build process", sbomBuildLifecycleCheck},
 	{string(bsiv2_0), "sbom_with_uri", false, "sbom has URI", sbomWithURICheck},
+	{string(bsiv2_0), "sbom_dependencies", false, "primary comp has dependencies", sbomWithDepedenciesCheck},
+	{string(bsiv2_0), "sbom_with_bomlinks", false, "sbom has bomlinks", sbomWithBomLinksCheck},
+	{string(bsiv2_0), "sbom_with_vuln", false, "SBOM has vulnerability", sbomWithVulnCheck},
 	{string(bsiv2_0), "sbom_with_signature", false, "sbom has signature", sbomWithSignatureCheck},
 
 	// semantic
@@ -113,4 +105,10 @@ var checks = []check{
 
 	// sharing
 	{string(sharing), "sbom_sharable", false, "sbom document has a sharable license", sharableLicenseCheck},
+
+	// structural
+	{string(structural), "sbom_spec", false, "SBOM Specification", specCheck},
+	{string(structural), "sbom_spec_version", false, "Spec Version", specVersionCheck},
+	{string(structural), "sbom_file_format", false, "SBOM File Format", sbomFileFormatCheck},
+	{string(structural), "sbom_parsable", false, "Spec is parsable", specParsableCheck},
 }