SoftwareDesignLab
diff --git a/‎.github/ISSUE_TEMPLATE/action-item.md‎
Lines changed: 16 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/action-item.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/build.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/generate-sbom.yml‎
Lines changed: 43 additions & 0 deletions b/‎.github/workflows/generate-sbom.yml‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 45 additions & 0 deletions b/‎.github/workflows/test.yml‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 1 deletion b/‎.gitignore‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 93 additions & 54 deletions b/‎README.md‎
Lines changed: 93 additions & 54 deletions
@@ -0,0 +1,16 @@
+---
+name: Action Item
+about: Action Item to complete
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Overview
+
+_Description Here_
+
+## Acceptance Criteria
+
+- [ ] _Acceptance Criteria Here_
@@ -0,0 +1,28 @@
+name: Build Plugfest
+on: 
+  push:
+    # Exclude prod/dev branches since they are built and tested
+    branches-ignore:  
+      - 'dev'   # todo: replace with vars
+      - 'main'  # todo: replace with vars
+    paths-ignore:
+      - '**/sample_boms/**'
+      - '**/sample_sboms/**'
+jobs:
+  build:
+    runs-on: windows-latest
+    steps:
+      - name: checkout
+        uses: actions/[email protected]
+        
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        
+      - name: Build Plugfest
+        run: ./gradlew clean build -x test
@@ -0,0 +1,43 @@
+name: Syft SBOM Generation
+on:
+  push:
+    paths-ignore:
+      - '**/sample_boms/**'
+      - '**/sample_sboms/**'
+
+jobs:
+  get-sbom-type:
+    runs-on: ubuntu-latest
+    outputs:
+      sbom-type: ${{ steps.sbom-type.outputs.type }}
+    steps:
+      - name: Get SBOM type
+        id: sbom-type
+        run: |
+          case ${GITHUB_REF##*/} in
+            ${{ vars.PROD_BRANCH }}) echo "type=production" >> "$GITHUB_OUTPUT";;
+            ${{ vars.DEV_BRANCH }}) echo "type=dev" >> "$GITHUB_OUTPUT";;
+            *) echo "type=snapshot" >> "$GITHUB_OUTPUT";;
+          esac
+  
+  gen-sboms:
+    runs-on: ubuntu-latest
+    needs: get-sbom-type
+    env:
+      SBOM_TYPE: ${{ needs.get-sbom-type.outputs.sbom-type }}
+    steps:
+    
+      - name: checkout
+        uses: actions/[email protected]
+
+      - name: spdx-sbom
+        uses: anchore/[email protected]
+        with:
+          format: spdx
+          artifact-name: plugfest-sbom-${{ env.SBOM_TYPE }}.spdx
+      
+      - name: cyclonedx-sbom
+        uses: anchore/[email protected]
+        with:
+          format: cyclonedx-json
+          artifact-name: plugfest-sbom-cdx-${{ env.SBOM_TYPE }}.json
@@ -0,0 +1,45 @@
+name: Build and Test Plugfest
+on: 
+  push:
+      branches:  
+      - 'dev'   # todo: replace with vars
+      - 'main'  # todo: replace with vars
+      paths-ignore:
+        - '**/sample_boms/**'
+        - '**/sample_sboms/**'
+  pull_request:
+    branches:  
+      - 'dev'   # todo: replace with vars
+      - 'main'  # todo: replace with vars
+      paths-ignore:
+        - '**/sample_boms/**'
+        - '**/sample_sboms/**'
+jobs:
+  build-test:
+    runs-on: windows-latest
+    steps:
+      - name: checkout
+        uses: actions/[email protected]
+        
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        
+      - name: Build and Test Plugfest
+        run: ./gradlew clean build
+        
+      - name: Store Report
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: reports
+          path: "**/build/reports/"
+          
+      - name: Report Failure
+        if: failure()
+        run: echo "::error::Some Tests Failed, see the artifacts for details"
@@ -52,4 +52,7 @@ gradle-app.setting
 # Angular
 /node_modules/
 core/bin
-*.spdx
+*.spdx
+
+# Excluded test driver class used for testing
+TestMain.java
@@ -1,60 +1,95 @@
-# PlugFest Tooling
-> A collection of tools to compare the usage and quality of different SBOM generators
->
-> ## v3.2.0 -- 5/9/23
-> ### API
-> - Fixed another bug preventing non-ASCII characters from being processed
-> ### Comparison
-> - Allow marking of components as appearing in target SBOM
-> ### Metrics
-> - Fix bug causing formatting issues with the data verification test
-> ### GUI
-> - Added individual loading spinners for each uploaded SBOM
-
-## Differ
-- Compares two SBOMs supporting CycloneDX XML and SPDX Tag-Value
-- Allows comparison between CycloneDX and SPDX formats
-- Displays differences in trivial SBOM attributes like publisher and timestamp
-- Displays differences in found component data between SBOMs 
-  - Version number
-  - Publisher
-  - CPEs
-  - PURLs
-  - SWIDs
-- Summarizes the report in a Unix-diff-like print
+# PlugFest-in-a-Box Tool
+### v1.0.0-beta
+[changelog](changelog.md)
+> PlugFest-in-a-Box is a powerful tool to reveal key areas of difference between several Software Bills of Materials 
+> (SBOMs) and applying thorough metrics to identify any and all quality issues.
+
+
+## Supported SBOM Formats
+- CycloneDX 1.4 JSON
+- CycloneDX 1.4 XML
+- SPDX 2.3 Tag-Value
 
-## Comparison
-- Generate detailed DiffReports from a target SBOM and a list of SBOMs. 
-
-## Quality Attributes
-- Actionable Test
-  - Tests fields to ensure data contained is usable.
-- Completeness Test
-  - Checks to make sure components have a name, publisher, version
-  - Checks if attributes are formatted correctly and checks CPE and PURL formatting 
-- Data Verification Test
-  - Uses PURLs to search for information about the package using package manager APIs
-  - Confirms that name and publisher match resource
-  - Also checks to see if the assigned version number exists in resource
-  
-## Translator
-- Parse SBOMS from files and deserialize from formats:
-  - CycloneDX
-    > .xml and .json
-  - SPDX
-    > .spdx
-## System Requirements
-- Java 17
-  > Check: `java -version`
 
 ## Quick Start
-### Backend
-1. `./gradlew bootJar`
-2. `java -jar .\api\build\libs\api-3.1.0.jar`
-### Frontend
+> See [System Requirements](doc/README.md) for more details
 1. `cd gui`
-2. `npm install`
-3. `npm start`
+2. `npm -ci`
+3. `npm run start`
+
+
+## Comparison
+> Allows comparison across schemas and file formats
+
+### SBOM Conflicts
+- **Supplier**: Supplier of the code are not the same (publisher)
+- **Author**: SBOMs have different authors
+- **Timestamp**: SBOMs have different timestamps
+- **Origin Format**: SBOMs have different origin formats
+- **Schema Version**: SBOMs have different schema versions (CycloneDX 1.4, SPDX 2.3, etc)
+- **SBOM Version**: SBOMs have different versions
+- **Serial Number**: SBOMs have different serial numbers
+
+### Component Conflicts
+- **Missing**: Component only found in one SBOM
+- **Version**: Component found in both SBOMs, but has different versions
+- **License**: Component found in both SBOMs, but has different licenses
+- **Publisher**: Component found in both SBOMs, but has different publisher
+- **CPE**: Component found in both SBOMs, but has different CPE
+- **PURL**: Component found in both SBOMs, but has different PURL
+- **Hash**: Component found in both SBOMs, but has different Hashes
+
+
+## Metrics
+> A series of metrics to access the quality of the SBOM.
+
+### Completeness
+> Accesses how complete the content of the SBOM is.
+- **Minimum Elements Test**: Checks for the [Minimum Elements for an SBOM](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf) 
+are present as recommend by the NTIA.
+  - _Supplier Name_: The name of an entity that creates, defines, and identifies components. 
+  - _Component Name_: Designation assigned to a unit of software defined by the original supplier. 
+  - _Version of the Component_: Identifier used by the supplier to specify a change in software from a previously identified version. 
+  - _Other Unique Identifiers_: Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases.
+    > Plugfest uses CPE and PURL
+  - _Author of SBOM Data_: The name of the entity that creates the SBOM data for this
+    component. 
+  - _Timestamp_: Record of the date and time of the SBOM data assembly
+- **Valid PURL Test**: Test to see if the PURL is correctly formatted
+- **Valid CPE Test**: Test to see if the CPE is correctly formatted
+
+### Uniqueness
+> Accesses the quality of the unique identifiers and ensure they match the stored SBOM data.
+- **Has Hash Data Test**: Test to see if hashes are stored
+- **Valid Hash Data Test**: Test to see the stored hashes match the reported hash algorithm
+- **Accurate PURL Test**: Test to see if the data stored in the PURL matches what is reported in the SBOM
+- **Accurate CPE Test**: Test to see if the data stored in the CPE matches what is reported in the SBOM
+
+### Registered
+> Accesses if the component is stored in a default repository
+- **Is Registered Test**: Uses PURLs to verify if the component exists in the [default PURL repository](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst)
+  
+### Licensing
+> Accesses if the SBOM has valid license data
+- **Has License Data Test**: Test to see if Licenses are stored
+- **Valid SPDX License Test**: Test to see if the License is stored in the [SPDX License List](https://spdx.org/licenses/) and if they are depreciated
+
+### SPDX
+> Accesses for features that are required specifically for [SPDX SBOMs](https://spdx.github.io/spdx-spec/v2.3/).
+- **Has Data License SPDX Test**: Test to see if the SBOM's DataLicense field contain the CC0-1.0 license
+- **Has SPDX ID Test**: Test to see if each component has a valid SPDXID
+- **Has Document Namespace Test**: Test to see if the SBOM contains a valid document namespace
+- **Has Download Location Test**: Test to see if each component has a download location
+- **Has Creation Info Test**: Test to see if the SBOM contains creation information
+- **Has Verification Code Test**: Test to see if each component has a package verification code (FilesAnalyzed is true) or is it omitted (FilesAnalyzed if false)
+- **Has Extracted Licenses Test**: Test to see if there are any extracted licenses not on the SPDX license list in the SBOM
+- **Extracted License Minimum Element Test**: Test to see if the extracted licenses contain the required fields LicenseName, LicenseID, and LicenseCrossReference
+
+### CycloneDX
+> Accesses for features that are required specifically for [CycloneDX SBOMs](https://cyclonedx.org/specification/overview/).
+- **Has Bom-Ref Test**: Test to see if a component has a unique bom-ref to reference inside the SBOM
+- **Has Bom Version Test**: Test to see if the SBOM has a version number declared
+
 
 ## Contributors
 **Principal Investigator:** [Mehdi Mirakhorli](mailto:[email protected])
@@ -65,14 +100,18 @@
 
 **Developer Team Leads**
 - [Tina DiLorenzo](mailto:[email protected])
+- [Tyler Drake](mailto:[email protected])
 - [Matt London](mailto:[email protected])
 - [Dylan Mulligan](mailto:[email protected])
 
 **Developer Team**
-- [Tyler Drake](mailto:[email protected])
+- [Michael Alfonzetti](mailto:[email protected])
 - [Ian Dunn](mailto:[email protected])
 - [Asa Horn](mailto:[email protected])
 - [Justin Jantzi](mailto:[email protected])
+- [Ping Liu](mailto:[email protected])
+- [Matthew Morrison](mailto:[email protected])
+- [Ethan Numan](mailto:[email protected])
 - [Henry Orsagh](mailto:[email protected])
 - [Juan Francisco Patino](mailto:[email protected])
 - [Max Stein](mailto:[email protected])