SBOM Score

You can see the quality score of every SBOM that’s generated by SSCA module. This feature evaluates the quality of the Software Bill of Materials (SBOM) in various categories, utilizing a scoring system ranging from 0 to 10.

Scoring Criteria

The SBOM Quality Score is calculated based on the following categories:

NTIA-Minimum-Elements: Assesses compliance with NTIA minimum element guidelines.

Structural: Checks adherence to underlying specifications of SPDX or CycloneDX.

Semantic: Evaluates the correctness of SBOM field meanings specific to their standard.

Quality: Determines the overall data quality present in the SBOM.

Sharing: Assesses the SBOM's readiness for sharing.

Each category contributes to an overall score reflecting the SBOM's quality, compliance, and readiness for sharing.

How It Works

SBOM Generation: Upon generating an SBOM in SSCA, it undergoes quality scoring.

Scoring Process: The sbomqs tool evaluates the SBOM across the defined categories.

Score Display: The final score, ranging from 0 to 10, is displayed alongside the SBOM details within SSCA.

Viewing the Score

Artifact View in SSCA

You can view the score alongside the SBOM in the SBOM column

By clicking on the score, you see the complete breakdown of scores in various categories. You can expand each category to see the score of individual items

You can also see the SBOM score in the pipeline execution view alongside the SBOM

Score Interpretation

Score Range: 0 (lowest) to 10 (highest).

Higher Scores: Indicate better quality, compliance, and readiness for sharing.

Lower Scores: Suggest areas for improvement or further investigation.

For more detailed information on scoring criteria, visit the sbomqs tool's GitHub page: sbomqs GitHub Repository.