SBOM data is lacking. #329

@riteshnoronha

Description

For CRA compliance & other regulations, the SBOM provided at sbom is limited. These SBOMs need to be enriched with better data for compliance and vulnerability management needs.

➜  Downloads sbomqs score sbom_cdx.json
SBOM Quality Score: 3.9/10.0     Grade: F       Components: 117          EngineVersion: 1       File: sbom_cdx.json

Profile Summary Scores:
+-----------------------+----------+-------+
|        PROFILE        |  SCORE   | GRADE |
+-----------------------+----------+-------+
| Interlynk Profile     | 4.0/10.0 | F     |
+-----------------------+----------+-------+
| NTIA Minimum Elements | 7.2/10.0 | C     |
+-----------------------+----------+-------+
| BSI TR-03183-2 v1.1   | 5.4/10.0 | D     |
+-----------------------+----------+-------+

Interlynk Detailed Score:
+-------------------+--------------------------------+---------------+-------------------------------------+
|     CATEGORY      |            FEATURE             |     SCORE     |                DESC                 |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Identification    | comp_with_name                 | 10.0/10.0     | 117/117 have names                  |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_version              | 10.0/10.0     | 117/117 have versions               |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_identifiers          | 10.0/10.0     | 117/117 have unique IDs             |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Provenance        | sbom_creation_timestamp        | 10.0/10.0     | 2025-11-07T14:10:59Z                |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_authors                   | 10.0/10.0     | 1 authors                           |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_tool_version              | 10.0/10.0     | 2 tool                              |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_supplier                  | 0.0/10.0      | missing supplier                    |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_namespace                 | 10.0/10.0     | present namespace                   |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_lifecycle                 | 0.0/10.0      | missing lifecycle                   |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Integrity         | comp_with_checksums            | 0.0/10.0      | 0/117 have SHA-1+                   |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_sha256               | 0.0/10.0      | 0/117 have SHA-256+                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_signature                 | 0.0/10.0      | missing signature                   |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Completeness      | comp_with_dependencies         | 0.3/10.0      | 4/117 have dependencies             |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_completeness_declared     | 0.0/10.0      | missing completeness                |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_primary_component         | 10.0/10.0     | identified                          |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_source_code          | 0.0/10.0      | 0/117 have source URIs              |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_supplier             | 0.0/10.0      | 0/117 have suppliers                |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_purpose              | 10.0/10.0     | 117/117 have type                   |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Licensing         | comp_with_licenses             | 0.0/10.0      | 0/117 have licenses                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_valid_licenses       | 0.0/10.0      | 0/117 have valid SPDX licenses      |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_declared_licenses    | 0.0/10.0      | 0/117 have declared licenses        |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_data_license              | 0.0/10.0      | missing data license                |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_no_deprecated_licenses    | 0.0/10.0      | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_no_restrictive_licenses   | 0.0/10.0      | N/A                                 |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Vulnerability     | comp_with_purl                 | 0.3/10.0      | 3/117 have PURLs                    |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_with_cpe                  | 0.4/10.0      | 5/117 have CPEs                     |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Structural        | sbom_spec_declared             | 10.0/10.0     | cyclonedx                           |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_spec_version              | 10.0/10.0     |                                 1.5 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_file_format               | 10.0/10.0     | json                                |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | sbom_schema_valid              | 10.0/10.0     | schema valid                        |
+-------------------+--------------------------------+---------------+-------------------------------------+
| Component Quality | comp_eol_eos                   | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_malicious                 | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_vuln_sev_critical         | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_kev                       | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_purl_valid                | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | comp_cpe_valid                 | Coming Soon.. | N/A                                 |
+                   +--------------------------------+---------------+-------------------------------------+
|                   | NOTE: Register Interest for    |               | https://forms.gle/WVoB3DrX9NKnzfhV8 |
|                   | Component Analysis             |               |                                     |
+-------------------+--------------------------------+---------------+-------------------------------------+
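The sbomqs report above shows which fields are absent from the CycloneDX document (supplier, checksums, licenses, PURL/CPE, source URIs, dependency relationships, lifecycle). The script below is an added example, not code from the issue author or from the sbomqs project: it walks a CycloneDX 1.5 JSON document and counts the same gaps per component using the field locations defined by the CycloneDX 1.5 JSON schema, so the output can be compared with the table before and after enrichment. The feature names mirror sbomqs's labels, but the counting rules are this script's own, and the SBOM it audits by default is a constructed sample.

```python
"""Audit a CycloneDX 1.5 JSON SBOM for the enrichment gaps sbomqs flags.

Added example (not part of the issue or the sbomqs project). Field paths
follow the CycloneDX 1.5 JSON schema; feature names mirror the sbomqs table,
but the counting rules below are this script's own assumptions.
"""
import json
import sys
from collections import Counter

# CycloneDX "hashes[].alg" values, grouped as sbomqs labels them (SHA-1+, SHA-256+).
SHA256_PLUS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512",
               "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", "BLAKE3"}
SHA1_PLUS = SHA256_PLUS | {"SHA-1"}

FEATURES = ["comp_with_supplier", "comp_with_checksums", "comp_with_sha256",
            "comp_with_licenses", "comp_with_purl", "comp_with_cpe",
            "comp_with_source_code", "comp_with_dependencies"]

# Constructed sample SBOM: one well-enriched component and two sparse ones.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-11-07T14:10:59Z",
        "tools": [{"name": "example-generator", "version": "1.0"}],
        # metadata.supplier and metadata.lifecycles deliberately absent, as in the report
        "component": {"bom-ref": "app", "type": "application", "name": "app", "version": "1.0.0"},
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/requests@2.32.3", "type": "library",
            "name": "requests", "version": "2.32.3",
            "purl": "pkg:pypi/requests@2.32.3",
            "supplier": {"name": "Python Software Foundation"},
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],  # placeholder digest
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "externalReferences": [{"type": "vcs", "url": "https://github.com/psf/requests"}],
        },
        {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "version": "2.0",
         "hashes": [{"alg": "SHA-1", "content": "a" * 40}]},  # weak hash only
        {"bom-ref": "lib-c", "type": "library", "name": "lib-c", "version": "3.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.32.3"]},
        {"ref": "pkg:pypi/requests@2.32.3", "dependsOn": []},
    ],
}


def _has_hash(comp, algs):
    return any(h.get("alg") in algs for h in comp.get("hashes", []))


def _has_license(comp):
    # A license entry is either an SPDX expression or a license object with an id or name.
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        if entry.get("expression") or lic.get("id") or lic.get("name"):
            return True
    return False


def _has_source_uri(comp):
    # Assumption: a "vcs" or "distribution" external reference counts as a source URI.
    return any(r.get("type") in ("vcs", "distribution")
               for r in comp.get("externalReferences", []))


def audit_cyclonedx(doc):
    """Return per-feature counts for the components plus document-level flags."""
    comps = doc.get("components", [])
    # Assumption: a component "has dependencies" if it appears as a ref in the graph.
    declared = {d.get("ref") for d in doc.get("dependencies", [])}
    counts = Counter()
    for comp in comps:
        counts["comp_with_supplier"] += bool(comp.get("supplier", {}).get("name"))
        counts["comp_with_checksums"] += _has_hash(comp, SHA1_PLUS)
        counts["comp_with_sha256"] += _has_hash(comp, SHA256_PLUS)
        counts["comp_with_licenses"] += _has_license(comp)
        counts["comp_with_purl"] += bool(comp.get("purl"))
        counts["comp_with_cpe"] += bool(comp.get("cpe"))
        counts["comp_with_source_code"] += _has_source_uri(comp)
        counts["comp_with_dependencies"] += comp.get("bom-ref") in declared
    meta = doc.get("metadata", {})
    result = {
        "total": len(comps),
        "sbom_supplier": bool(meta.get("supplier", {}).get("name")),
        "sbom_lifecycle": bool(meta.get("lifecycles")),
    }
    result.update({k: int(counts[k]) for k in FEATURES})
    return result


def format_report(result):
    """Render the audit in the same "n/total" style as the sbomqs table."""
    lines = [f"sbom_supplier: {'present' if result['sbom_supplier'] else 'missing'}",
             f"sbom_lifecycle: {'present' if result['sbom_lifecycle'] else 'missing'}"]
    lines += [f"{k}: {result[k]}/{result['total']}" for k in FEATURES]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_sbom.py [sbom_cdx.json]; with no path, audits the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_SBOM
    print(format_report(audit_cyclonedx(bom)))
```

Every feature that reads 0/N or "missing" here maps to a concrete schema location an enrichment step has to fill: `metadata.supplier.name`, `components[].supplier`, `components[].hashes`, `components[].licenses`, `components[].purl`/`cpe`, `components[].externalReferences`, and entries in `dependencies`.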

Labels

- documentation (Improvements or additions to documentation)
- enhancement (New feature or request)
- internal bug tracker (Issue confirmed and logged into the internal bug tracking system)

Status

Analyzed
