✨ Add experimental check for published SBOM (#3903)

* Sbom check MVP

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* PR suggestion fixes

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* fix line length

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* update gitlab client to check 20 latest pipelines in default branch

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* correct issues

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* add unit tests for sbom client code

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* probe name alignment, updated evaluation tests

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* consolidate probes, reuse available data sources

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* add autogen doc update

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* address PR comments, remove CI/CD check code

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* update unit tests

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* fix linting errors

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* revert unnecessary changes, correct check documentation

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* address PR comments

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* move release lookback to data collection side

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

---------

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

checker/raw_result.go

@@ -37,6 +37,7 @@ type RawResults struct {
 	DependencyUpdateToolResults DependencyUpdateToolData
 	FuzzingResults              FuzzingData
 	LicenseResults              LicenseData
+	SBOMResults                 SBOMData
 	MaintainedResults           MaintainedData
 	Metadata                    MetadataData
 	PackagingResults            PackagingData
@@ -168,6 +169,18 @@ type LicenseData struct {
 	LicenseFiles []LicenseFile
 }
 
+// SBOM details.
+type SBOM struct {
+	Name string // SBOM Filename
+	File File   // SBOM File Object
+}
+
+// SBOMData contains the raw results for the SBOM check.
+// Some repos may have more than one SBOM.
+type SBOMData struct {
+	SBOMFiles []SBOM
+}
+
 // CodeReviewData contains the raw results
 // for the Code-Review check.
 type CodeReviewData struct {

checks/all_checks.go

@@ -38,6 +38,7 @@ func getAll(overrideExperimental bool) checker.CheckNameToFnMap {
 	if _, experimental := os.LookupEnv("SCORECARD_EXPERIMENTAL"); !experimental {
 		// TODO: remove this check when v6 is released
 		delete(possibleChecks, CheckWebHooks)
+		delete(possibleChecks, CheckSBOM)
 	}
 
 	return possibleChecks

checks/evaluation/sbom.go

@@ -0,0 +1,75 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package evaluation
+
+import (
+	"github.com/ossf/scorecard/v5/checker"
+	sce "github.com/ossf/scorecard/v5/errors"
+	"github.com/ossf/scorecard/v5/finding"
+	"github.com/ossf/scorecard/v5/probes/hasReleaseSBOM"
+	"github.com/ossf/scorecard/v5/probes/hasSBOM"
+)
+
+// SBOM applies the score policy for the SBOM check.
+func SBOM(name string,
+	findings []finding.Finding,
+	dl checker.DetailLogger,
+) checker.CheckResult {
+	// We have 4 unique probes, each should have a finding.
+	expectedProbes := []string{
+		hasSBOM.Probe,
+		hasReleaseSBOM.Probe,
+	}
+
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
+		return checker.CreateRuntimeErrorResult(name, e)
+	}
+
+	// Compute the score.
+	score := 0
+	m := make(map[string]bool)
+	var logLevel checker.DetailType
+	for i := range findings {
+		f := &findings[i]
+		switch f.Outcome {
+		case finding.OutcomeTrue:
+			logLevel = checker.DetailInfo
+			switch f.Probe {
+			case hasSBOM.Probe:
+				score += scoreProbeOnce(f.Probe, m, 5)
+			case hasReleaseSBOM.Probe:
+				score += scoreProbeOnce(f.Probe, m, 5)
+			}
+		case finding.OutcomeFalse:
+			logLevel = checker.DetailWarn
+		default:
+			continue // for linting
+		}
+		checker.LogFinding(dl, f, logLevel)
+	}
+
+	_, defined := m[hasSBOM.Probe]
+	if !defined {
+		return checker.CreateMinScoreResult(name, "SBOM file not detected")
+	}
+
+	_, defined = m[hasReleaseSBOM.Probe]
+	if defined {
+		return checker.CreateMaxScoreResult(name, "SBOM file found in release artifacts")
+	}
+
+	return checker.CreateResultWithScore(name, "SBOM file found in project", score)
+}

checks/evaluation/sbom_test.go

@@ -0,0 +1,95 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package evaluation
+
+import (
+	"testing"
+
+	"github.com/ossf/scorecard/v5/checker"
+	"github.com/ossf/scorecard/v5/finding"
+	scut "github.com/ossf/scorecard/v5/utests"
+)
+
+func TestSBOM(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		findings []finding.Finding
+		result   scut.TestReturn
+	}{
+		{
+			name: "No SBOM. Min Score",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasSBOM",
+					Outcome: finding.OutcomeFalse,
+				},
+				{
+					Probe:   "hasReleaseSBOM",
+					Outcome: finding.OutcomeFalse,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        checker.MinResultScore,
+				NumberOfInfo: 0,
+				NumberOfWarn: 2,
+			},
+		},
+		{
+			name: "Only Source SBOM. Half Points",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasSBOM",
+					Outcome: finding.OutcomeTrue,
+				},
+				{
+					Probe:   "hasReleaseSBOM",
+					Outcome: finding.OutcomeFalse,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        5,
+				NumberOfInfo: 1,
+				NumberOfWarn: 1,
+			},
+		},
+		{
+			name: "SBOM in Release Assets. Max score",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasSBOM",
+					Outcome: finding.OutcomeTrue,
+				},
+				{
+					Probe:   "hasReleaseSBOM",
+					Outcome: finding.OutcomeTrue,
+				},
+			},
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 2,
+				NumberOfWarn: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			dl := scut.TestDetailLogger{}
+			got := SBOM(tt.name, tt.findings, &dl)
+			scut.ValidateTestReturn(t, tt.name, &tt.result, &got, &dl)
+		})
+	}
+}

checks/raw/sbom.go

@@ -0,0 +1,106 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package raw
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/ossf/scorecard/v5/checker"
+	"github.com/ossf/scorecard/v5/clients"
+	"github.com/ossf/scorecard/v5/finding"
+)
+
+var (
+	reRootFile = regexp.MustCompile(`^[^.]([^//]*)$`)
+	reSBOMFile = regexp.MustCompile(
+		`(?i).+\.(cdx.json|cdx.xml|spdx|spdx.json|spdx.xml|spdx.y[a?]ml|spdx.rdf|spdx.rdf.xml)`,
+	)
+)
+
+const releaseLookBack = 5
+
+// SBOM retrieves the raw data for the SBOM check.
+func SBOM(c *checker.CheckRequest) (checker.SBOMData, error) {
+	var results checker.SBOMData
+
+	releases, lerr := c.RepoClient.ListReleases()
+	if lerr != nil {
+		return results, fmt.Errorf("RepoClient.ListReleases: %w", lerr)
+	}
+
+	results.SBOMFiles = append(results.SBOMFiles, checkSBOMReleases(releases)...)
+
+	// Look for SBOMs in source
+	repoFiles, err := c.RepoClient.ListFiles(func(file string) (bool, error) {
+		return reSBOMFile.MatchString(file) && reRootFile.MatchString(file), nil
+	})
+	if err != nil {
+		return results, fmt.Errorf("error during ListFiles: %w", err)
+	}
+
+	results.SBOMFiles = append(results.SBOMFiles, checkSBOMSource(repoFiles)...)
+
+	return results, nil
+}
+
+func checkSBOMReleases(releases []clients.Release) []checker.SBOM {
+	var foundSBOMs []checker.SBOM
+
+	for i := range releases {
+		if i >= releaseLookBack {
+			break
+		}
+
+		v := releases[i]
+
+		for _, link := range v.Assets {
+			if !reSBOMFile.MatchString(link.Name) {
+				continue
+			}
+
+			foundSBOMs = append(foundSBOMs,
+				checker.SBOM{
+					File: checker.File{
+						Path: link.URL,
+						Type: finding.FileTypeURL,
+					},
+					Name: link.Name,
+				})
+
+			// Only want one sbom from each release
+			break
+		}
+	}
+	return foundSBOMs
+}
+
+func checkSBOMSource(fileList []string) []checker.SBOM {
+	var foundSBOMs []checker.SBOM
+
+	for _, file := range fileList {
+		// TODO: parse matching file contents to determine schema & version
+		foundSBOMs = append(foundSBOMs,
+			checker.SBOM{
+				File: checker.File{
+					Path: file,
+					Type: finding.FileTypeSource,
+				},
+				Name: file,
+			})
+	}
+
+	return foundSBOMs
+}