chart-linesbomqs

sbomqs evaluates the quality of Software Bills of Materials (SBOMs) and validates compliance against industry standards. It scores SBOMs on a 0–10 scale across multiple quality dimensions — identification, provenance, integrity, licensing, vulnerability readiness, and structural correctness — and provides actionable feedback for improvement.

Repository: github.com/interlynk-io/sbomqsarrow-up-right


How Scoring Works

sbomqs evaluates SBOMs across 8 weighted categories, each containing multiple features:

Category
Weight
What It Measures

Identification

10

Component names, versions, unique identifiers

Provenance

12

Creation timestamp, authors, tool info, supplier, namespace

Integrity

15

Checksums (SHA-256+), SBOM signatures

Completeness

12

Dependencies, primary component, source URIs, suppliers

Licensing

15

License info quality, SPDX validity, deprecated/restrictive detection

Vulnerability

10

CPE/PURL identifiers for vulnerability lookup

Structural

8

Spec compliance, version, file format, schema validation

Component Quality

Informational

EOL/EOS detection, malicious component detection, KEV tracking

Each feature is scored 0–10. Category scores are the average of their features. The overall score is the weighted average of all categories.

Grade scale:

Grade
Score Range

A

8.0 – 10.0

B

6.0 – 7.9

C

4.0 – 5.9

D

2.0 – 3.9

F

0.0 – 1.9

Supported SBOM Formats

  • SPDX: 2.2.1, 2.3, 3.0 (partial)

  • CycloneDX: 1.4, 1.5, 1.6

  • File formats: JSON, XML, Tag-Value

  • Format and spec version are auto-detected.


Installation

Homebrew (macOS/Linux)

Go Install

Pre-Built Binaries

Download from the GitHub releases pagearrow-up-right for Linux (amd64, arm64), macOS (amd64, arm64), and Windows (amd64).

Linux Packages

Docker

Mount local files:

Build from Source

Verify Installation


Running a Scan

Basic Score

Output Formats

Basic output example:

JSON output structure:

Filter by Category or Feature

Recursive Directory Scoring

Compliance Validation

Validate against industry standards:

Compliance output shows pass/fail status for each requirement, score breakdowns, and recommendations.

List Components by Feature

Share Results

Generate a permanent shareable link on sbombenchmark.dev:

Policy Enforcement

Policy types: whitelist, blacklist, required

Policy actions: fail (exit non-zero), warn (report only), pass (force pass)


Exit Codes

Code
Meaning

0

Success

1

Error (invalid input, configuration issue, parsing failure)

Non-zero

Policy violation with --action fail


Integration Patterns

CI Quality Gate

Fail the build if SBOM quality drops below a threshold:

GitHub Actions

GitLab CI

Pre-Release Validation

Score all SBOMs in a release directory:

Compliance Gate

Block releases that fail compliance standards:

Dependency-Track Integration

Score SBOMs directly from a Dependency-Track instance:


Customization

Configuration Files

Generate default configuration templates:

Custom Scoring Configuration

Use --configpath to apply a custom configuration:

Configuration structure allows you to:

  • Enable or disable specific categories

  • Adjust category weights

  • Customize individual feature weights (0.0–1.0)

  • Create organization-specific scoring profiles

Compliance Profiles

Apply compliance profiles during scoring:

Legacy Scoring Mode

Use the pre-v2.0 scoring categories (NTIA Minimum Elements, Structural, Semantic, Quality, Sharing):


Best Practices

When to Enforce Strict Scoring

Context
Recommended Threshold
Standard

Internal development builds

5.0+ (Grade C)

No specific standard

Pre-release / staging

7.0+ (Grade B)

Organization policy

Production releases

8.0+ (Grade A)

NTIA minimum elements

Regulatory submissions

8.5+ (Grade A)

BSI TR-03183-2 or FSCT

Supply chain sharing

7.5+ (Grade B)

OpenChain Telco

Using Alongside Vulnerability Scanning

  1. Score first — validate the SBOM has sufficient quality for vulnerability scanning to be meaningful. An SBOM without PURLs or CPEs will produce incomplete vulnerability results.

  2. Scan second — run vulnerability scanning on SBOMs that meet quality thresholds.

  3. Gate on both — a release should pass both quality and vulnerability gates.

Governance Recommendations

  • Baseline scores: Establish minimum quality scores per project tier (critical, standard, experimental).

  • Track trends: Export JSON scores to a time-series database to monitor quality over time.

  • Automate compliance: Run compliance checks in CI and block merges that introduce regressions.

  • Share results: Use sbomqs share to create permanent links for audit trails.


Common Misconfigurations

Issue
Symptom
Fix

Scoring SBOM without PURLs

Low vulnerability readiness score

Ensure SBOM generator includes PURLs for all components

Using --legacy in new pipelines

Inconsistent scoring with platform

Remove --legacy flag; use v2.0 categories

Threshold too low

Low-quality SBOMs pass the gate

Raise threshold to 7.0+ for production

Threshold too high for early development

All builds fail quality gate

Use 5.0 for development, increase for staging/production

Not using --json in CI

Parsing table output is fragile

Always use --json with jq for automation

Scoring the wrong file

Unexpected results

Verify the file is a valid SBOM, not a lock file or manifest

Last updated