This is the official repository for the Open Source Security and Quality Assessment (OSSQA) project. OSSQA assesses the quality of a software project from its Software Bill of Materials (SBOM).
To install OSSQA, clone this repository.
git clone https://github.com/OSSQA-PUM/OSSQA.git
To analyze your SBOMs, place each SBOM, in CycloneDX format, in the /sboms directory.
Insert your GitHub Access Token into the .env file. Keep .env out of version control: the token acts with the permissions of your GitHub account.
GITHUB_AUTH_TOKEN = [TOKEN…]
- Build the Docker image.
docker compose build ossqa-cli
- Run a container of the image.
docker compose run ossqa-cli [COMMAND] [ARGUMENTS…]
This command analyzes an SBOM and scores its components. Components are scored with OpenSSF Scorecard, which runs a set of checks grouped into five categories. Scorecard requires a GitHub Personal Access Token, which can be created according to these instructions.
- Usage:
docker compose run ossqa-cli analyze PATH [OPTIONS…]
- Example:
docker compose run ossqa-cli analyze /sboms/example-SBOM.json -sp 6
| Positional | Description |
|---|---|
| PATH | Path to the SBOM file. |
| Short | Long | Description |
|---|---|---|
| -g | --git-token | Set the GitHub Personal Access Token. Defaults to the GITHUB_AUTH_TOKEN environment variable in the Docker image. |
| -vu | --vulnerabilities | Required score for the Vulnerabilities check, from -1 to 10. |
| -dut | --dependency-update-tool | Required score for the Dependency-Update-Tool check, from -1 to 10. |
| -m | --maintained | Required score for the Maintained check, from -1 to 10. |
| -sp | --security-policy | Required score for the Security-Policy check, from -1 to 10. |
| -l | --license | Required score for the License check, from -1 to 10. |
| -cbp | --cii-best-practices | Required score for the CII-Best-Practices check, from -1 to 10. |
| -ct | --ci-tests | Required score for the CI-Tests check, from -1 to 10. |
| -f | --fuzzing | Required score for the Fuzzing check, from -1 to 10. |
| -s | --sast | Required score for the SAST check, from -1 to 10. |
| -ba | --binary-artifacts | Required score for the Binary-Artifacts check, from -1 to 10. |
| -bp | --branch-protection | Required score for the Branch-Protection check, from -1 to 10. |
| -dw | --dangerous-workflow | Required score for the Dangerous-Workflow check, from -1 to 10. |
| -cr | --code-review | Required score for the Code-Review check, from -1 to 10. |
| -c | --contributors | Required score for the Contributors check, from -1 to 10. |
| -pd | --pinned-dependencies | Required score for the Pinned-Dependencies check, from -1 to 10. |
| -tp | --token-permissions | Required score for the Token-Permissions check, from -1 to 10. |
| -p | --packaging | Required score for the Packaging check, from -1 to 10. |
| -sr | --signed-releases | Required score for the Signed-Releases check, from -1 to 10. |
| -b | --backend | URL of the backend server. Defaults to the internal Docker backend. |
| -o | --output | Format of the output. Can be table, simplified or json. Defaults to table. |
| -v | --verbose | Print the output verbosely. |
| | --help | Show the help page for the analyze command. |
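Two things are worth checking before an analyze run: that the file really is a CycloneDX SBOM (the only format the README accepts) and which components can actually be scored, since OpenSSF Scorecard evaluates source repositories and a component whose SBOM entry does not point at a GitHub repository will not get a score. The script below, an added example and not code from the OSSQA project, does both and then assembles the analyze command line from a dict of the long option names in the table above. The function names, the constructed sample SBOM, and the assumption that a long option takes its score as the next argument (mirroring the `-sp 6` example) are mine, not the project's.

```python
"""Pre-flight check for an SBOM before running `ossqa-cli analyze`.

Added example, not code from the OSSQA project. It relies on two facts
from the README: the input SBOM is CycloneDX JSON, and components are
scored with OpenSSF Scorecard. Scorecard evaluates source repositories,
so a component whose SBOM entry carries no GitHub VCS reference cannot
receive a score; this script lists such components up front. The function
names, the sample SBOM and the "--name SCORE" argument shape for the long
options are assumptions made for the example.
"""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample SBOM for the example; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0", "externalReferences": [
            {"type": "vcs", "url": "https://github.com/psf/requests.git"}]},
        {"name": "leftpad", "version": "1.0.0", "externalReferences": [
            {"type": "website", "url": "https://example.com/leftpad"}]},
        {"name": "internal-lib", "version": "0.1.0"},
    ],
})


def load_cyclonedx(text):
    """Parse SBOM JSON and reject anything that is not CycloneDX."""
    data = json.loads(text)
    if data.get("bomFormat") != "CycloneDX":
        raise ValueError("OSSQA expects a CycloneDX SBOM; bomFormat is %r"
                         % data.get("bomFormat"))
    return data


def github_repo(component):
    """Return 'github.com/owner/repo' from the component's VCS reference,
    or None when no GitHub repository is declared."""
    for ref in component.get("externalReferences", []):
        if ref.get("type") != "vcs":
            continue
        url = urlparse(ref.get("url", ""))
        parts = [p for p in url.path.split("/") if p]
        if url.netloc.lower() == "github.com" and len(parts) >= 2:
            repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
            return "github.com/%s/%s" % (parts[0], repo)
    return None


def classify(sbom):
    """Split components into those Scorecard can score and those it cannot."""
    scorable, unscorable = [], []
    for comp in sbom.get("components", []):
        repo = github_repo(comp)
        (scorable if repo else unscorable).append((comp.get("name"), repo))
    return scorable, unscorable


def analyze_command(sbom_path, requirements, output="table"):
    """Build the `ossqa-cli analyze` command line from a dict of long option
    names (as in the table above, without the leading dashes) to required
    scores. Scores outside -1..10 are rejected before docker is invoked."""
    cmd = ["docker", "compose", "run", "ossqa-cli", "analyze", sbom_path]
    for name, score in sorted(requirements.items()):
        if not -1 <= score <= 10:
            raise ValueError("requirement %s=%d is outside -1..10" % (name, score))
        cmd += ["--%s" % name, str(score)]
    cmd += ["--output", output]
    return shlex.join(cmd)


if __name__ == "__main__":
    sbom = load_cyclonedx(SAMPLE_SBOM)
    scorable, unscorable = classify(sbom)
    for name, repo in scorable:
        print("scorable:   %-14s %s" % (name, repo))
    for name, _ in unscorable:
        print("unscorable: %-14s no GitHub repository in SBOM" % name)
    print(analyze_command("/sboms/example-SBOM.json",
                          {"security-policy": 6, "vulnerabilities": 8},
                          output="json"))
```

Running it on the sample prints one scorable component and two that the report will not cover, followed by the assembled command; pointing `load_cyclonedx` at a real file from /sboms before calling analyze shows whether low overall quality comes from weak repositories or simply from components Scorecard could not look at.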
This command prints out the names of all SBOMs in the database.
- Usage:
docker compose run ossqa-cli sboms [OPTIONS…]
- Example:
docker compose run ossqa-cli sboms -o json
| Short | Long | Description |
|---|---|---|
| -b | --backend | URL of the backend server. Defaults to the internal Docker backend. |
| -o | --output | Format of the output. Can be table or json. Defaults to table. |
| -v | --verbose | Print the output verbosely. |
| | --help | Show the help page for the sboms command. |
This command prints out details of all SBOMs in the database that have a specified name.
- Usage:
docker compose run ossqa-cli lookup [OPTIONS…] NAME
- Example:
docker compose run ossqa-cli lookup -o table sysman
| Positional | Description |
|---|---|
| NAME | Name of the SBOMs to print the details of. |
| Short | Long | Description |
|---|---|---|
| -b | --backend | URL of the backend server. Defaults to the internal Docker backend. |
| -o | --output | Format of the output. Can be table or json. Defaults to table. |
| -v | --verbose | Print the output verbosely. |
| | --help | Show the help page for the lookup command. |
This project is open source and contributions are appreciated.
Open an issue or create a post on our discussions page.
This project is licensed under the GPLv3 License - see the LICENSE.md file for details.