Update references of SBoM to SBOM for consistency
setchy committed Oct 4, 2023
1 parent dd2cd0e commit ba75467
Showing 13 changed files with 41 additions and 41 deletions.
8 changes: 4 additions & 4 deletions bin/evinse.js
@@ -1,6 +1,6 @@
#!/usr/bin/env node

// Evinse (Evinse Verification Is Nearly SBoM Evidence)
// Evinse (Evinse Verification Is Nearly SBOM Evidence)
import yargs from "yargs";
import { hideBin } from "yargs/helpers";
import { join } from "node:path";
Expand Down Expand Up @@ -30,7 +30,7 @@ if (!process.env.ATOM_DB && !fs.existsSync(ATOM_DB)) {
const args = yargs(hideBin(process.argv))
.option("input", {
alias: "i",
description: "Input SBoM file. Default bom.json",
description: "Input SBOM file. Default bom.json",
default: "bom.json"
})
.option("output", {
Expand Down Expand Up @@ -108,9 +108,9 @@ console.log(evinseArt);
if (dbObjMap) {
// Analyze the project using atom. Convert package namespaces to purl using the db
const sliceArtefacts = await analyzeProject(dbObjMap, args);
// Create the SBoM with Evidence
// Create the SBOM with Evidence
const bomJson = createEvinseFile(sliceArtefacts, args);
// Validate our final SBoM
// Validate our final SBOM
if (!validateBom(bomJson)) {
process.exit(1);
}
2 changes: 1 addition & 1 deletion bin/verify.js
Expand Up @@ -74,7 +74,7 @@ if (!bomSignature) {
if (validationResult) {
console.log("Signature is valid!");
} else {
console.log("SBoM signature is invalid!");
console.log("SBOM signature is invalid!");
process.exit(1);
}
}
2 changes: 1 addition & 1 deletion ci/Dockerfile
Expand Up @@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"

ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
2 changes: 1 addition & 1 deletion ci/Dockerfile-deno
Expand Up @@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"

ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
2 changes: 1 addition & 1 deletion ci/Dockerfile-ppc64
Expand Up @@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"

ARG SBT_VERSION=1.9.6
2 changes: 1 addition & 1 deletion contrib/README.md
@@ -1,6 +1,6 @@
# Useful scripts

## Validate SBoM using jsonschema
## Validate SBOM using jsonschema

```shell
python bom-validate.py --json ../test/data/vuln-spring-1.5.bom.json
4 changes: 2 additions & 2 deletions contrib/bom-validate.py
Expand Up @@ -11,7 +11,7 @@ def build_args():
Constructs command line arguments for the comparison tool
"""
parser = argparse.ArgumentParser(
description="Validate SBoM files against BOM 1.5 schema."
description="Validate SBOM files against BOM 1.5 schema."
)
parser.add_argument(
"--json",
Expand All @@ -29,7 +29,7 @@ def vsbom(bom_json):
vex_obj = json.load(vp)
try:
validate(instance=vex_obj, schema=json.load(sp))
print("SBoM file is valid")
print("SBOM file is valid")
except ValidationError as ve:
print(ve)
sys.exit(1)
8 changes: 4 additions & 4 deletions docs/CLI.md
Expand Up @@ -51,7 +51,7 @@ $ cdxgen -h
-r, --recurse Recurse mode suitable for mono-repos. Defaults to
true. Pass --no-recurse to disable.
[boolean] [default: true]
-p, --print Print the SBoM as a table with tree. [boolean]
-p, --print Print the SBOM as a table with tree. [boolean]
-c, --resolve-class Resolve class names for packages. jars only for n
ow. [boolean]
--deep Perform deep searches for components. Useful whil
Expand All @@ -68,12 +68,12 @@ $ cdxgen -h
d or the project name and version together
--parent-project-id Dependency track parent project id
--required-only Include only the packages with required scope on
the SBoM. [boolean]
the SBOM. [boolean]
--fail-on-error Fail if any dependency extractor fails. [boolean]
--no-babel Do not use babel to perform usage analysis for Ja
vaScript/TypeScript projects. [boolean]
--generate-key-and-sign Generate an RSA public/private key pair and then
sign the generated SBoM using JSON Web Signatures
sign the generated SBOM using JSON Web Signatures
. [boolean]
--server Run cdxgen as a server [boolean]
--server-host Listen address [default: "127.0.0.1"]
Expand All @@ -82,7 +82,7 @@ $ cdxgen -h
cts. Defaults to true but disabled for containers
and oci scans. Use --no-install-deps to disable
this feature. [boolean] [default: true]
--validate Validate the generated SBoM using json schema. De
--validate Validate the generated SBOM using json schema. De
faults to true. Pass --no-validate to disable.
[boolean] [default: true]
--usages-slices-file Path for the usages slice file created by atom.
2 changes: 1 addition & 1 deletion docs/ENV.md
Expand Up @@ -30,7 +30,7 @@ The following environment variables are available to configure the bom generatio
| LEIN_CMD | Set to override the leiningen command |
| SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
| SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBOM signature |
| CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" |
| CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
| CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true |
36 changes: 18 additions & 18 deletions docs/README.md
Expand Up @@ -4,7 +4,7 @@ cdxgen is available as an npm package, container image, and single application e

<!-- tabs:start -->

#### **Generate SBoM for git repos**
#### **Generate SBOM for git repos**

## Installation

Expand Down Expand Up @@ -36,7 +36,7 @@ For a java project. This would automatically detect maven, gradle or sbt and bui
cdxgen -t java -o bom.json
```

To print the SBoM as a table pass `-p` argument.
To print the SBOM as a table pass `-p` argument.

```shell
cdxgen -t java -o bom.json -p
Expand All @@ -48,20 +48,20 @@ To recursively generate a single BoM for all languages pass `-r` argument.
cdxgen -r -o bom.json
```

To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
To generate SBOM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.

```shell
cdxgen -r -o bom.json --spec-version 1.4
```

To generate SBoM for C or Python, ensure Java >= 17 is installed.
To generate SBOM for C or Python, ensure Java >= 17 is installed.

```shell
# Install java >= 17
cdxgen -t c -o bom.json
```

#### **Generate SBoM for container images**
#### **Generate SBOM for container images**

## Installation

Expand Down Expand Up @@ -117,7 +117,7 @@ obom
# cdxgen -t os
```

This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types such as operating-system, device-drivers, files, and data.

#### **Integrate with Dependency Track**

Expand Down Expand Up @@ -209,7 +209,7 @@ cdxgen can automatically query public registries such as maven, npm, or nuget to
export FETCH_LICENSE=true
```

#### **SBoM Server**
#### **SBOM Server**

Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.

Expand Down Expand Up @@ -273,7 +273,7 @@ cdxgen can sign the generated BoM json file to increase authenticity and non-rep

To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.

![SBoM signing](_media/sbom-sign.jpg)
![SBOM signing](_media/sbom-sign.jpg)

### Verifying the signature

Expand All @@ -292,7 +292,7 @@ There are many [libraries](https://jwt.io/#libraries-io) available to validate J
# npm install jws
const jws = require("jws");
const fs = require("fs");
// Location of the SBoM json file
// Location of the SBOM json file
const bomJsonFile = "bom.json";
// Location of the public key
const publicKeyFile = "public.key";
Expand All @@ -303,7 +303,7 @@ const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, f
if (validationResult) {
console.log("Signature is valid!");
} else {
console.log("SBoM signature is invalid :(");
console.log("SBOM signature is invalid :(");
}
```

Expand All @@ -317,19 +317,19 @@ if (validationResult) {

| Command | Description |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| .create | Create an SBoM from a path |
| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. |
| .create | Create an SBOM from a path |
| .import | Import an existing SBOM from a path. Any SBOM in CycloneDX format is supported. |
| .search | Search the given string in the components name, group, purl and description |
| .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` |
| .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format |
| .print | Print the SBoM as a table |
| .print | Print the SBOM as a table |
| .tree | Print the dependency tree if available |
| .validate | Validate the SBoM |
| .validate | Validate the SBOM |
| .exit | To exit the shell |
| .save | To save the modified SBoM to a new file |
| .save | To save the modified SBOM to a new file |
| .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM |
| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM |
| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBOM |
| .services | View services as a table |

In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands.
Expand All @@ -342,7 +342,7 @@ Start the REPL server.
cdxi
```

Below are some example commands to create an SBoM for a spring application and perform searches and queries.
Below are some example commands to create an SBOM for a spring application and perform searches and queries.

```
.create /mnt/work/vuln-spring
6 changes: 3 additions & 3 deletions evinser.js
Expand Up @@ -31,7 +31,7 @@ export const prepareDB = async (options) => {
const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
if (bomJson.specVersion < 1.5) {
console.log(
"Evinse requires the input SBoM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
"Evinse requires the input SBOM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
);
process.exit(0);
}
Expand Down Expand Up @@ -741,7 +741,7 @@ export const isSlicingRequired = (purl) => {
};

/**
* Method to create the SBoM with evidence file called evinse file.
* Method to create the SBOM with evidence file called evinse file.
*
* @param {object} sliceArtefacts Various artefacts from the slice operation
* @param {object} options Command line options
Expand Down Expand Up @@ -841,7 +841,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
console.log(evinseOutFile, "created successfully.");
} else {
console.log(
"Unable to identify component evidence for the input SBoM. Only java, javascript and python projects are supported by evinse."
"Unable to identify component evidence for the input SBOM. Only java, javascript and python projects are supported by evinse."
);
}
if (tempDir && tempDir.startsWith(tmpdir())) {
4 changes: 2 additions & 2 deletions package.json
@@ -1,7 +1,7 @@
{
"name": "@cyclonedx/cdxgen",
"version": "9.8.5",
"description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
"description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
"homepage": "http://github.com/cyclonedx/cdxgen",
"author": "Prabhu Subramanian <prabhu@appthreat.com>",
"license": "Apache-2.0",
Expand Down Expand Up @@ -105,4 +105,4 @@
"jest": "^29.7.0",
"prettier": "3.0.3"
}
}
}
4 changes: 2 additions & 2 deletions server.js
Expand Up @@ -112,7 +112,7 @@ const start = (options) => {
srcDir = gitClone(filePath);
cleanup = true;
}
console.log("Generating SBoM for", srcDir);
console.log("Generating SBOM for", srcDir);
const bomNSData = (await createBom(srcDir, options)) || {};
if (bomNSData.bomJson) {
if (
Expand All @@ -125,7 +125,7 @@ const start = (options) => {
}
}
if (options.serverUrl && options.apiKey) {
console.log("Publishing SBoM to Dependency Track");
console.log("Publishing SBOM to Dependency Track");
submitBom(options, bomNSData.bomJson);
}
res.end("\n");
