sbomqs

sbomqs evaluates the quality of Software Bills of Materials (SBOMs) and validates compliance against industry standards. It scores SBOMs on a 0–10 scale across multiple quality dimensions — identification, provenance, integrity, licensing, vulnerability readiness, and structural correctness — and provides actionable feedback for improvement.

Repository: github.com/interlynk-io/sbomqs

How Scoring Works

sbomqs evaluates SBOMs across 8 weighted categories, each containing multiple features:

Supported SBOM Formats

SPDX: 2.2.1, 2.3, 3.0 (partial)
CycloneDX: 1.4, 1.5, 1.6
File formats: JSON, XML, Tag-Value
Format and spec version are auto-detected.

Installation

Homebrew (macOS/Linux)

brew tap interlynk-io/interlynk
brew install sbomqs

Go Install

go install github.com/interlynk-io/sbomqs@latest

Pre-Built Binaries

Download from the GitHub releases page for Linux (amd64, arm64), macOS (amd64, arm64), and Windows (amd64).

Linux Packages

# Debian/Ubuntu
sudo dpkg -i sbomqs_*_amd64.deb

# RedHat/CentOS
sudo rpm -i sbomqs_*_amd64.rpm

Docker

docker run ghcr.io/interlynk-io/sbomqs:latest score sbom.json

Mount local files:

docker run -v $(pwd):/data ghcr.io/interlynk-io/sbomqs:latest score /data/sbom.json

Build from Source

git clone https://github.com/interlynk-io/sbomqs.git
cd sbomqs
make build

Verify Installation

sbomqs version

Running a Scan

Basic Score

sbomqs score sbom.json

Output Formats

# Detailed table (default)
sbomqs score --detailed sbom.json

# Single-line summary
sbomqs score --basic sbom.json

# JSON for automation
sbomqs score --json sbom.json

# Color-coded table
sbomqs score --color sbom.json

Basic output example:

7.8 interlynk cyclonedx 1.6 json sbom.json

JSON output structure:

{
  "run_id": "abc-123",
  "timestamp": "2025-02-20T10:30:00Z",
  "creation_info": { ... },
  "files": [
    {
      "sbom_quality_score": 7.8,
      "grade": "B",
      "num_components": 247,
      "spec": "cyclonedx",
      "spec_version": "1.6",
      "file_format": "json",
      "comprehensive": [ ... ],
      "profiles": { ... }
    }
  ]
}

Filter by Category or Feature

# Score only specific categories
sbomqs score --category "integrity,licensing" sbom.json

# Score only specific features
sbomqs score --feature "comp_with_purl,comp_with_version" sbom.json

Recursive Directory Scoring

sbomqs score --recursive ./sboms/

Compliance Validation

Validate against industry standards:

# NTIA Minimum Elements
sbomqs compliance --ntia sbom.json

# BSI TR-03183-2 v2.0
sbomqs compliance --bsi-v2 sbom.json

# BSI TR-03183-2 v1.1
sbomqs compliance --bsi sbom.json

# OpenChain Telco v1.0
sbomqs compliance --oct sbom.json

# Framing Software Component Transparency v3
sbomqs compliance --fsct sbom.json

Compliance output shows pass/fail status for each requirement, score breakdowns, and recommendations.

List Components by Feature

# List components missing PURLs
sbomqs list --feature comp_with_purl --missing sbom.json

# List components with their license values
sbomqs list --feature comp_valid_licenses --show sbom.json

# JSON output
sbomqs list --feature comp_with_version --missing --json sbom.json

Generate a permanent shareable link on sbombenchmark.dev:

sbomqs share sbom.json

Policy Enforcement

# Using a policy file
sbomqs policy --file policies.yaml sbom.json

# Inline policy
sbomqs policy --name "require-purl" --type required --rules "comp_with_purl" --action fail sbom.json

Policy types: whitelist, blacklist, required

Policy actions: fail (exit non-zero), warn (report only), pass (force pass)

Exit Codes

Code

Meaning

0

Success

1

Error (invalid input, configuration issue, parsing failure)

Non-zero

Policy violation with --action fail

Integration Patterns

CI Quality Gate

Fail the build if SBOM quality drops below a threshold:

#!/bin/bash
THRESHOLD=7.0
SCORE=$(sbomqs score --json sbom.json | jq -r '.files[0].sbom_quality_score')

if (( $(echo "$SCORE < $THRESHOLD" | bc -l) )); then
  echo "SBOM quality score $SCORE is below threshold $THRESHOLD"
  exit 1
fi

echo "SBOM quality score: $SCORE (threshold: $THRESHOLD)"

GitHub Actions

name: SBOM Quality Gate
on: [push, pull_request]

jobs:
  sbom-quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM
        run: syft . -o cyclonedx-json > sbom.cdx.json

      - name: Install sbomqs
        run: |
          curl -sL https://github.com/interlynk-io/sbomqs/releases/latest/download/sbomqs-linux-amd64 -o sbomqs
          chmod +x sbomqs

      - name: Score SBOM
        run: |
          SCORE=$(./sbomqs score --json sbom.cdx.json | jq -r '.files[0].sbom_quality_score')
          echo "SBOM Quality Score: $SCORE"
          if (( $(echo "$SCORE < 7.0" | bc -l) )); then
            echo "::error::SBOM quality below threshold: $SCORE < 7.0"
            exit 1
          fi

GitLab CI

sbom-quality:
  stage: test
  image: golang:1.24
  script:
    - go install github.com/interlynk-io/sbomqs@latest
    - SCORE=$(sbomqs score --json sbom.cdx.json | jq -r '.files[0].sbom_quality_score')
    - |
      if [ $(echo "$SCORE < 7.0" | bc -l) -eq 1 ]; then
        echo "SBOM quality below threshold: $SCORE"
        exit 1
      fi
  artifacts:
    reports:
      dotenv: sbom-quality.env

Pre-Release Validation

Score all SBOMs in a release directory:

sbomqs score --recursive --json ./release-sboms/ | \
  jq -r '.files[] | "\(.file_name): \(.sbom_quality_score) (\(.grade))"'

Compliance Gate

Block releases that fail compliance standards:

sbomqs compliance --ntia --json sbom.json | \
  jq -e '.files[0].compliance_status == "pass"' || {
    echo "SBOM does not meet NTIA minimum elements"
    exit 1
  }

Dependency-Track Integration

Score SBOMs directly from a Dependency-Track instance:

sbomqs dtrackScore \
  --url https://dtrack.example.com \
  --api-key "$DT_API_KEY" \
  --tag-project-with-score \
  --tag-project-with-grade \
  <project-uuid>

Customization

Configuration Files

Generate default configuration templates:

sbomqs generate features       # Individual feature weights
sbomqs generate comprehenssive # Category configuration
sbomqs generate profiles       # Profile definitions

Custom Scoring Configuration

Use --configpath to apply a custom configuration:

sbomqs score --configpath ./custom-config.yaml sbom.json

Configuration structure allows you to:

Enable or disable specific categories
Adjust category weights
Customize individual feature weights (0.0–1.0)
Create organization-specific scoring profiles

Compliance Profiles

Apply compliance profiles during scoring:

sbomqs score --profile ntia sbom.json
sbomqs score --profile bsi sbom.json
sbomqs score --profile bsi-v2.0 sbom.json
sbomqs score --profile oct sbom.json
sbomqs score --profile fsct sbom.json
sbomqs score --profile interlynk sbom.json

Legacy Scoring Mode

Use the pre-v2.0 scoring categories (NTIA Minimum Elements, Structural, Semantic, Quality, Sharing):

sbomqs score --legacy sbom.json

Best Practices

When to Enforce Strict Scoring

Context

Recommended Threshold

Standard

Internal development builds

5.0+ (Grade C)

No specific standard

Pre-release / staging

7.0+ (Grade B)

Organization policy

Production releases

8.0+ (Grade A)

NTIA minimum elements

Regulatory submissions

8.5+ (Grade A)

BSI TR-03183-2 or FSCT

Supply chain sharing

7.5+ (Grade B)

OpenChain Telco

Using Alongside Vulnerability Scanning

Score first — validate the SBOM has sufficient quality for vulnerability scanning to be meaningful. An SBOM without PURLs or CPEs will produce incomplete vulnerability results.
Scan second — run vulnerability scanning on SBOMs that meet quality thresholds.
Gate on both — a release should pass both quality and vulnerability gates.

# Step 1: Quality gate
sbomqs score --json sbom.json | jq -e '.files[0].sbom_quality_score >= 7.0' || exit 1

# Step 2: Upload for vulnerability scanning
pylynk upload --prod 'my-app' --sbom sbom.json

Governance Recommendations

Baseline scores: Establish minimum quality scores per project tier (critical, standard, experimental).
Track trends: Export JSON scores to a time-series database to monitor quality over time.
Automate compliance: Run compliance checks in CI and block merges that introduce regressions.
Share results: Use sbomqs share to create permanent links for audit trails.

Common Misconfigurations

Issue

Symptom

Fix

Scoring SBOM without PURLs

Low vulnerability readiness score

Ensure SBOM generator includes PURLs for all components

Using --legacy in new pipelines

Inconsistent scoring with platform

Remove --legacy flag; use v2.0 categories

Threshold too low

Low-quality SBOMs pass the gate

Raise threshold to 7.0+ for production

Threshold too high for early development

All builds fail quality gate

Use 5.0 for development, increase for staging/production

Not using --json in CI

Parsing table output is fragile

Always use --json with jq for automation

Scoring the wrong file

Unexpected results

Verify the file is a valid SBOM, not a lock file or manifest

Previouslynk-mcp Nextsbomasm

Last updated 12 hours ago

hashtagHow Scoring Works

hashtagSupported SBOM Formats

hashtagInstallation

hashtagHomebrew (macOS/Linux)

hashtagGo Install

hashtagPre-Built Binaries

hashtagLinux Packages

hashtagDocker

hashtagBuild from Source

hashtagVerify Installation

hashtagRunning a Scan

hashtagBasic Score

hashtagOutput Formats

hashtagFilter by Category or Feature

hashtagRecursive Directory Scoring

hashtagCompliance Validation

hashtagList Components by Feature

hashtagShare Results

hashtagPolicy Enforcement

hashtagExit Codes

hashtagIntegration Patterns

hashtagCI Quality Gate

hashtagGitHub Actions

hashtagGitLab CI

hashtagPre-Release Validation

hashtagCompliance Gate

hashtagDependency-Track Integration

hashtagCustomization

hashtagConfiguration Files

hashtagCustom Scoring Configuration

hashtagCompliance Profiles

hashtagLegacy Scoring Mode

hashtagBest Practices

hashtagWhen to Enforce Strict Scoring

hashtagUsing Alongside Vulnerability Scanning

hashtagGovernance Recommendations

hashtagCommon Misconfigurations