Require creation timestamp for max score & implement creation tool sc…

…ore for cdx. Refs #34
eBay · Mar 26, 2023 · 3ff813f · 3ff813f
1 parent 8d01bbc
commit 3ff813f
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 9 deletions.
diff --git a/pkg/cdx/cdx_report.go b/pkg/cdx/cdx_report.go
@@ -14,8 +14,9 @@ type CycloneDXReport struct {
 	valid    bool
 	docError error
 
-	creationToolName    int
-	creationToolVersion int
+	creationToolName     int
+	creationToolVersion  int
+	hasCreationTimestamp bool
 
 	totalPackages  int
 	hasLicense     int
@@ -93,8 +94,32 @@ func (r *CycloneDXReport) PackageLicenses() scorecard.ReportValue {
 }
 
 func (r *CycloneDXReport) CreationInfo() scorecard.ReportValue {
-	// @@@
-	return scorecard.ReportValue{Ratio: 1}
+	var score float32
+	score = 1.0
+	var reasoning []string
+
+	if r.creationToolName == 0 {
+		return scorecard.ReportValue{
+			Ratio:     0,
+			Reasoning: "SBOM was not generated by a tool",
+		}
+	}
+
+	if r.creationToolVersion == 0 {
+		score -= .2
+		reasoning = append(reasoning, "Creation tool does not list a version")
+
+	}
+
+	if !r.hasCreationTimestamp {
+		score -= .2
+		reasoning = append(reasoning, "Missing creation timestamp")
+	}
+
+	return scorecard.ReportValue{
+		Ratio:     score,
+		Reasoning: strings.Join(reasoning, ", "),
+	}
 }
 
 func GetCycloneDXReport(filename string) scorecard.SbomReport {
@@ -135,6 +160,10 @@ func GetCycloneDXReport(filename string) scorecard.SbomReport {
 		}
 	}
 
+	if bom.Metadata.Timestamp != "" {
+		r.hasCreationTimestamp = true
+	}
+
 	if bom.Components != nil {
 		for _, p := range *bom.Components {
 			r.totalPackages += 1

diff --git a/pkg/spdx/spdx_report.go b/pkg/spdx/spdx_report.go
@@ -130,15 +130,23 @@ func (r *SpdxReport) CreationInfo() scorecard.ReportValue {
 		}
 	}
 
+	var score float32
+	score = 1.0
+	reasons := []string{}
+
 	if !hasVersion {
-		return scorecard.ReportValue{
-			Ratio:     .2,
-			Reasoning: "The tool used to create the sbom does not have a version",
-		}
+		score -= .2
+		reasons = append(reasons, "The tool used to create the sbom does not have a version")
+	}
+
+	if r.doc.GetCreationInfo().Created == "" {
+		score -= .2
+		reasons = append(reasons, "There is no timestamp for when the sbom was created")
 	}
 
 	return scorecard.ReportValue{
-		Ratio: 1,
+		Ratio:     score,
+		Reasoning: strings.Join(reasons, ", "),
 	}
 
 }