Skip to main content

Validator for the OpenChain Telco SBOM Guide now on Pipy

By 2024-09-29News

As part of their engagement with the OpenChain Project, the Nokia Open Source team have contributed the ‘openchain-telco-sbom-validator’, a script to validate SBOMs against the OpenChain Telco SBOM Guide.

Now the validator is available in Pipy: https://pypi.org/project/openchain-telco-sbom-validator/ and can be installed with `pip install openchain-telco-sbom-validator`

This reference tool is available to everyone under the Apache 2.0 license.

Credits

Marc-Etienne Vargenau of Nokia, chair of the OpenChain Telco Work Group, Gergely Csatari and their colleagues have been instrumental in helping to ensure the determination of SBOM quality is easier, faster and more effective.

Check out the Telco SBOM Guide (Written Document):

Access the Validator Code:

Usage

usage: python3 openchain-telco-sbom-validator.py [options] input

positional arguments:
  input                 The input SPDX file.

options:
  -h, --help            Shows this help message and exits.
  --debug               Prints debug logs.
  --nr-of-errors NR_OF_ERRORS
                        Sets a limit on the number of errors displayed.
  --strict-purl-check   Runs a strict check on the given purls. The default behaviour is to run a non strict purl check what means that it is not checked if the purl is translating to a downloadable URL.
  --strict-url-check    Runs a strict check on the URLs of the PackageHomepages. Strict check means that the validator checks also if the given URL can be accessed. The default behaviour is to run a non strict URL check what means that it is not checked if the URL points to a valid page. Strict URL check requires access to the internet and takes some time.')

Installation of prerequisites

This script is written in python and uses a requirements.txt to list its dependencies. To install python on an Ubuntu environment run sudo apt install python3-pip.

It is usually a good practice to install Python dependencies to a Python virtual environment. To be able to manage virtual environments you need to install venv with sudo apt install python3-venv.

If you do not have a virtual environment yet cretate it with python3 -m venv .env and install the dependencies with pip3 install -r requirements.txt, if you already have a virtual environment start it with . .env/bin/activate.

License

This software is Copyright Nokia and is licensed under the Apache 2.0 license.

Issues and contributions

In case of any issues please create a GitHub issue, while also any contributions are warmly welcome in the form of GitHub merge requests.