Policy Bundle Documentation

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_1_6_PLUS

Teams who are generating am SBOM will benefit from using CycloneDX version 1.6 and above in order to access key features that make it much easier to represent certain information, such as multiple CPEs and PURLs. This policy gives informational feedback on the advantages of using version CycloneDX 1.6 and above.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_ANCESTORS

Using the pedigree.ancestors field of a component inside of a CycloneDX SBOM, teams can denote the upstream of a component in the SBOMs they generate. Supported by Trustify.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_CPE

An SBOM can have a CPE field that ties it a product.

Severity: error Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_EXTERNALREFS

When teams produce an SBOM for their product, they will most likely NOT be putting all transitive layers into a single SBOM. This policy would ensure that the references to external SBOMs made are defined using the correct fields and are syntactically correct. Making sure that these references are correctly written is crucial for the relationships to accurately make it into TPA.

Severity: error Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_MAINCOMPONENTDUP

ProdSec use-cases policy 1. Check if top component is duplicated into the components array in a CycloneDX SBOM.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_MULTICPE

A CycloneDX SBOM that is version 1.6 and above has the ability to represent multiple CPEs using the metadata.component.cpe field for the main CPE, and the metadata.component.evidence.identity field for its aliases.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_MULTIPURL

A CycloneDX SBOM that is version 1.6 and above has the ability to represent multiple PURLs using .purl field for the main PURL, and the .evidence.identity field for its aliases.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_PROVIDES

Using the dependencies section of a CycloneDX SBOM, the provides field can be used to specify what specification a certain component implements, or additionally can represent source-to-binary relationships.

Severity: warning Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_SBOMTYPE

Teams who are generating an SBOM should define the type of SBOM it is. This can be done using the .metadata.lifecycles field. This policy ensures that different policies can be applied to different SBOM types. This also gives Mequal the option the opportunity to do SBOM evaluation in specific specialized contexts in the future.

Severity: tip Level: Undefined Path: data.prodsec.policies.cyclonedx.CDX_VARIANTS

Using the pedigree.variants field of a component inside of a CycloneDX SBOM, teams can represent the relationship of the image index container to their respective architectural variants in the CycloneDX SBOMs they generate. Supported by Trustify.

Severity: Undefined Level: L0 Path: data.mequal.policies.LPOL1

SBOM Level grading policy 1. Check if an SBOM is in either SPDX or CycloneDX format

Severity: error Level: L1 Path: data.mequal.policies.cyclonedx.LPOL2

SBOM Level grading policy 2. Check if all packages in the SBOM include a version and a bom-ref, and has components

Severity: error Level: L1 Path: data.mequal.policies.cyclonedx.LPOL3

Check if all packages in the CycloneDX SBOM include checksums

Severity: error Level: L1 Path: data.mequal.policies.spdx.LPOL2

Check if all packages in the SBOM include a version

Severity: error Level: L1 Path: data.mequal.policies.spdx.LPOL3

Check if all packages in the SPDX SBOM include checksums