BSI TR-03183-2 comp_source_code URL and hash not found

[robin-s-007]

Hello,

I using sbomqs to validate an SBOM template (CycloneDX v1.6 JSON) against the BSI v2.1.0 standard.
While sbomqs only supports BSI v2.0 the changelog in v2.1.0 does not list anything significant differences.

But I noticed that the source code URL and source code hash are not detected by sbomqs, while the input SBOM complies to the BSI format.

BSI format:
"components": [{
"externalReferences": [{
"type": "source-distribution",
"url": "..."
}]
}]

In file:
"externalReferences":[
{
"type": "source-distribution",
"url": "https://svn.ACME.com/..../Measure.c",
"hashes": [
{
"alg": "SHA-512",
"content": "25bce836d2eac1faa04bb4160c23434b855db09da0be765b95e21e0ba0ab822fec28463bfac147267b89ce343a5d3195a58fd9c7f6a95b41780c24cb522739ef"
}
]
}
]

The same is true for the hash, but sbomqs picksup a hash at this level:
"components": [{
"hashes": {...}
}]
and interprets this as being under the
"components": [{
"externalReferences": [{
"type": "source-distribution",
"hashes": [{
"alg": "SHA-512",
"content": "..."
}]
}]
}]

I have attached the sbom test file.
Hope it can be fixed

Best Regards,

Robin

C project SBOM example-v3_issuereport -BSi tests.json

[viveksahu26]

Hey @robin-s-007 , thanks for raising an issue. Basically, the "source code URL" feature(comp_with_source_code) is intended to represent the location of the source code repository. In CDX , the corresponding feature(comp_with_source_code) represnts/maps to externalReference of type vcs, which is used for version-control repository. Whereas, the type source-distribution on the other hand, represents, source code distributable, which is often an archive format such as zip or tgz.

The provided URL(https://svn.ACME.com/!/#Rubberduck/view/head/01_SENSOR_MODULE/02_DEVELOPMENT/03_SOFTWARE/Source/Blackhole/trunk/src/Measure.c) looks like pointing to a some *.c files within svn repo, not a archive.

If you replace source-distribution by vcs, sbomqs will catch up and provide score for the same.

https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences_items_url

[robin-s-007]

Hi vivek,

Thanks for the info.
I did notice the vcs type in the CycloneDX spec. , but assumed the BSI spec was the formal way to be BSI compliant.
I changed and tested it, and now the source code uri is picked up by sbomqs.
However the source code hash, which according to CycloneDX spec and BSI spec would then also be in the externalReferences item, is then still not picked up.
sbomqs only detects the hash if its on components level.

Thanks,
Robin

[viveksahu26]

I looked at the example provided by the BSI-TR-03183-2_v2_1_0 for source code URL, is referring to type source-distribution URL for url, and hashes for source code hash. If this is the case, then we need to change the type from vcs to source-distribution accordinly to BSI compliance.

Hey @riteshnoronha , what's your take on this ?