Plan is for rego to check:
- Non-empty inventory — packages count ≥ a threshold (an SBOM with 0–1 packages usually means generation silently failed).
→ defined
- Every package has a version — no versionInfo missing/"NOASSERTION". An unversioned dependency isn't managed.
- Every package has a resolvable identity — a purl in externalRefs (type PACKAGE-MANAGER) or a downloadLocation !=
"NOASSERTION". → auditable
- Every package has a declared license — licenseDeclared/licenseConcluded present and not NOASSERTION (or: count of
unknown-license packages is 0, or below a tolerated cap you record explicitly).
- Valid, current document — spdxVersion is an allowed value, creationInfo.created present, and creationInfo.creators
records the generating tool (proves how it was built → auditable).
- Has relationships — relationships non-empty, so it's a real dependency graph rooted at the image, not a flat list.
Plan is for rego to check:
→ defined
"NOASSERTION". → auditable
unknown-license packages is 0, or below a tolerated cap you record explicitly).
records the generating tool (proves how it was built → auditable).