nsip 0.7.0

NSIP Search API client for nsipsearch.nsip.org/api
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

---
diataxis_type: reference
---
# Software Bill of Materials (SBOM)

## Overview

Automated generation of Software Bill of Materials in SPDX format for supply chain transparency and compliance.

**Tools:** `anchore/sbom-action` (Syft — release pipeline), `cargo-sbom` (on-demand)  
**Formats:** CycloneDX JSON (release), SPDX 2.3 JSON (on-demand)  
**Release artifact filename:** `nsip-<VERSION>-sbom.cdx.json` (e.g. `nsip-0.6.0-sbom.cdx.json`)

## SBOM Generation Paths

An SBOM is produced through **two** distinct paths with different purposes:

| Path | Workflow / Job | Trigger | Attaches to release? | Attestation |
|---|---|---|---|---|
| Release pipeline | `release.yml``sbom` job | Push of a `v*.*.*` tag (or dispatch dry run) | **Yes** — uploads `nsip-<VERSION>-sbom.cdx.json` | **Yes**`actions/attest-sbom` binds **every** release artifact to this SBOM; verified fail-closed before publication |
| On-demand | `sbom.yml` | Manual `workflow_dispatch` only | **No** — workflow run artifact only (90-day retention) | No |

The **release pipeline is the single authoritative source** of the SBOM on a
GitHub Release. The standalone `sbom.yml` is for ad-hoc SPDX inspection
(generate an SBOM for the current `main` without cutting a release); it does
**not** attach to releases, so it cannot clobber or invalidate the attested
release SBOM.

## What is an SBOM?

A machine-readable inventory of:
- All dependencies (direct and transitive)
- License information
- Package versions
- Supplier information

**Use cases:**
- Supply chain security (EO 14028 compliance)
- Vulnerability tracking
- License compliance
- Dependency auditing

## How It Works

On every release (the `release.yml` → `sbom` job, on `v*.*.*` tag push):
1. Generates a CycloneDX SBOM from the source tree with Syft
   (`anchore/sbom-action`)
2. Binds every release artifact (binaries, archives, MCPB bundle) to the
   SBOM with `actions/attest-sbom`
3. The `verify` job re-verifies the SBOM attestation on every artifact
   before the release publishes
4. Uploads `nsip-<VERSION>-sbom.cdx.json` to the GitHub release

Consumers verify with:

```bash
gh attestation verify nsip-X.Y.Z-linux-amd64 --repo zircote/nsip \
  --predicate-type https://cyclonedx.org/bom
```

## Usage

### Generate Locally

```bash
# Install cargo-sbom
cargo install cargo-sbom

# Generate SBOM (SPDX format)
cargo sbom --output-format spdx_json_2_3 > sbom.json

# View SBOM
cat sbom.json | jq '.packages[] | {name, version, licenseConcluded}'
```

### Access from Release

```bash
# Download from GitHub release (replace vX.Y.Z with the release tag)
wget https://github.com/zircote/nsip/releases/download/vX.Y.Z/nsip-X.Y.Z-sbom.cdx.json

# Analyze with SBOM tools (CycloneDX)
cyclonedx validate --input-file nsip-X.Y.Z-sbom.cdx.json
```

## Configuration

The workflow uses default configuration. To customize:

```bash
# Different output format
cargo sbom --output-format cyclonedx_json_1_4

# Include build dependencies
cargo sbom --cargo-features all-features
```

## SBOM Contents

The generated SBOM includes:

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {
      "name": "nsip",
      "versionInfo": "X.Y.Z",
      "licenseConcluded": "MIT",
      "supplier": "Organization: zircote"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-nsip",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-dependency"
    }
  ]
}
```

## Compliance

### Executive Order 14028

The SBOM meets requirements for:
- Machine-readable format (SPDX)
- Dependency enumeration
- License identification
- Supplier information

### NIST Guidelines

Complies with NIST SP 800-161r1 for supply chain risk management.

## Troubleshooting

### Missing Dependencies

If dependencies are missing:

```bash
# Ensure Cargo.lock is up to date
cargo update
cargo sbom --output-format spdx_json_2_3
```

### License Issues

Unknown licenses appear as `NOASSERTION`. To fix:

```toml
# Cargo.toml
[package]
license = "MIT"

[dependencies]
unlicensed-crate = { version = "1.0", license = "MIT" }
```

### Format Errors

Validate SBOM:

```bash
# Release SBOM (CycloneDX)
cyclonedx validate --input-file nsip-X.Y.Z-sbom.cdx.json

# On-demand SPDX SBOM (sbom.yml artifact)
pip install spdx-tools
spdx-tools validate nsip-X.Y.Z-sbom-spdx.json
```

## Links

- [cargo-sbom Documentation](https://github.com/psastras/sbom-rs)
- [SPDX Specification](https://spdx.github.io/spdx-spec/)
- [NTIA Minimum Elements](https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)
- [Executive Order 14028](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)