diff --git a/bin/evinse.js b/bin/evinse.js
index 4274498c4..17775b305 100755
--- a/bin/evinse.js
+++ b/bin/evinse.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-// Evinse (Evinse Verification Is Nearly SBoM Evidence)
+// Evinse (Evinse Verification Is Nearly SBOM Evidence)
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { join } from "node:path";
@@ -30,7 +30,7 @@ if (!process.env.ATOM_DB && !fs.existsSync(ATOM_DB)) {
 const args = yargs(hideBin(process.argv))
 .option("input", {
 alias: "i",
- description: "Input SBoM file. Default bom.json",
+ description: "Input SBOM file. Default bom.json",
 default: "bom.json"
 })
 .option("output", {
@@ -108,9 +108,9 @@ console.log(evinseArt);
 if (dbObjMap) {
 // Analyze the project using atom. Convert package namespaces to purl using the db
 const sliceArtefacts = await analyzeProject(dbObjMap, args);
- // Create the SBoM with Evidence
+ // Create the SBOM with Evidence
 const bomJson = createEvinseFile(sliceArtefacts, args);
- // Validate our final SBoM
+ // Validate our final SBOM
 if (!validateBom(bomJson)) {
 process.exit(1);
 }
diff --git a/bin/verify.js b/bin/verify.js
index 0a3dcf137..e463ec5fa 100755
--- a/bin/verify.js
+++ b/bin/verify.js
@@ -74,7 +74,7 @@ if (!bomSignature) {
 if (validationResult) {
 console.log("Signature is valid!");
 } else {
- console.log("SBoM signature is invalid!");
+ console.log("SBOM signature is invalid!");
 process.exit(1);
 }
 }
diff --git a/ci/Dockerfile b/ci/Dockerfile
index f9cdd2584..b8d9bd453 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
diff --git a/ci/Dockerfile-deno b/ci/Dockerfile-deno
index 53477b8f5..fe4bf299f 100644
--- a/ci/Dockerfile-deno
+++ b/ci/Dockerfile-deno
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
diff --git a/ci/Dockerfile-ppc64 b/ci/Dockerfile-ppc64
index 93f2f10cc..d7e853bfc 100644
--- a/ci/Dockerfile-ppc64
+++ b/ci/Dockerfile-ppc64
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"
 ARG SBT_VERSION=1.9.6
diff --git a/contrib/README.md b/contrib/README.md
index 80afce7c9..d4cc95cf6 100644
--- a/contrib/README.md
+++ b/contrib/README.md
@@ -1,6 +1,6 @@
 # Useful scripts
-## Validate SBoM using jsonschema
+## Validate SBOM using jsonschema
 ```shell
 python bom-validate.py --json ../test/data/vuln-spring-1.5.bom.json
diff --git a/contrib/bom-validate.py b/contrib/bom-validate.py
index b1fda0a41..dd48bda07 100644
--- a/contrib/bom-validate.py
+++ b/contrib/bom-validate.py
@@ -11,7 +11,7 @@ def build_args():
 Constructs command line arguments for the comparison tool
 """
 parser = argparse.ArgumentParser(
- description="Validate SBoM files against BOM 1.5 schema."
+ description="Validate SBOM files against BOM 1.5 schema."
 )
 parser.add_argument(
 "--json",
@@ -29,7 +29,7 @@ def vsbom(bom_json):
 vex_obj = json.load(vp)
 try:
 validate(instance=vex_obj, schema=json.load(sp))
- print("SBoM file is valid")
+ print("SBOM file is valid")
 except ValidationError as ve:
 print(ve)
 sys.exit(1)
diff --git a/docs/CLI.md b/docs/CLI.md
index 6af02f524..70ffcfd22 100644
--- a/docs/CLI.md
+++ b/docs/CLI.md
@@ -51,7 +51,7 @@ $ cdxgen -h
 -r, --recurse Recurse mode suitable for mono-repos. Defaults to
 true. Pass --no-recurse to disable.
 [boolean] [default: true]
- -p, --print Print the SBoM as a table with tree. [boolean]
+ -p, --print Print the SBOM as a table with tree. [boolean]
 -c, --resolve-class Resolve class names for packages. jars only for n
 ow. [boolean]
 --deep Perform deep searches for components. Useful whil
@@ -68,12 +68,12 @@ $ cdxgen -h
 d or the project name and version together
 --parent-project-id Dependency track parent project id
 --required-only Include only the packages with required scope on
- the SBoM. [boolean]
+ the SBOM. [boolean]
 --fail-on-error Fail if any dependency extractor fails. [boolean]
 --no-babel Do not use babel to perform usage analysis for Ja
 vaScript/TypeScript projects. [boolean]
 --generate-key-and-sign Generate an RSA public/private key pair and then
- sign the generated SBoM using JSON Web Signatures
+ sign the generated SBOM using JSON Web Signatures
 . [boolean]
 --server Run cdxgen as a server [boolean]
 --server-host Listen address [default: "127.0.0.1"]
@@ -82,7 +82,7 @@ $ cdxgen -h
 cts. Defaults to true but disabled for containers
 and oci scans. Use --no-install-deps to disable
 this feature. [boolean] [default: true]
- --validate Validate the generated SBoM using json schema. De
+ --validate Validate the generated SBOM using json schema. De
 faults to true. Pass --no-validate to disable.
 [boolean] [default: true]
 --usages-slices-file Path for the usages slice file created by atom.
diff --git a/docs/ENV.md b/docs/ENV.md
index 10ea2fd2e..b0f1f8ae6 100644
--- a/docs/ENV.md
+++ b/docs/ENV.md
@@ -30,7 +30,7 @@ The following environment variables are available to configure the bom generatio
 | LEIN_CMD | Set to override the leiningen command |
 | SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
 | SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
-| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
+| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBOM signature |
 | CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" |
 | CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
 | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true |
diff --git a/docs/README.md b/docs/README.md
index 20694b5a9..f409d11ee 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -4,7 +4,7 @@ cdxgen is available as an npm package, container image, and single application e
-#### **Generate SBoM for git repos**
+#### **Generate SBOM for git repos**
 ## Installation
@@ -36,7 +36,7 @@ For a java project. This would automatically detect maven, gradle or sbt and bui
 cdxgen -t java -o bom.json
 ```
-To print the SBoM as a table pass `-p` argument.
+To print the SBOM as a table pass `-p` argument.
 ```shell
 cdxgen -t java -o bom.json -p
@@ -48,20 +48,20 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
-To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
+To generate SBOM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
 ```shell
 cdxgen -r -o bom.json --spec-version 1.4
 ```
-To generate SBoM for C or Python, ensure Java >= 17 is installed.
+To generate SBOM for C or Python, ensure Java >= 17 is installed.
 ```shell
 # Install java >= 17
 cdxgen -t c -o bom.json
 ```
-#### **Generate SBoM for container images**
+#### **Generate SBOM for container images**
 ## Installation
@@ -117,7 +117,7 @@ obom
 # cdxgen -t os
 ```
-This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
+This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
 #### **Integrate with Dependency Track**
@@ -209,7 +209,7 @@ cdxgen can automatically query public registries such as maven, npm, or nuget to
 export FETCH_LICENSE=true
 ```
-#### **SBoM Server**
+#### **SBOM Server**
 Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.
@@ -273,7 +273,7 @@ cdxgen can sign the generated BoM json file to increase authenticity and non-rep
 To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
-![SBoM signing](_media/sbom-sign.jpg)
+![SBOM signing](_media/sbom-sign.jpg)
 ### Verifying the signature
@@ -292,7 +292,7 @@ There are many [libraries](https://jwt.io/#libraries-io) available to validate J
 # npm install jws
 const jws = require("jws");
 const fs = require("fs");
-// Location of the SBoM json file
+// Location of the SBOM json file
 const bomJsonFile = "bom.json";
 // Location of the public key
 const publicKeyFile = "public.key";
@@ -303,7 +303,7 @@ const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, f
 if (validationResult) {
 console.log("Signature is valid!");
 } else {
- console.log("SBoM signature is invalid :(");
+ console.log("SBOM signature is invalid :(");
 }
 ```
@@ -317,19 +317,19 @@ if (validationResult) {
 | Command | Description |
 | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| .create | Create an SBoM from a path |
-| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. |
+| .create | Create an SBOM from a path |
+| .import | Import an existing SBOM from a path. Any SBOM in CycloneDX format is supported. |
 | .search | Search the given string in the components name, group, purl and description |
 | .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` |
 | .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format |
-| .print | Print the SBoM as a table |
+| .print | Print the SBOM as a table |
 | .tree | Print the dependency tree if available |
-| .validate | Validate the SBoM |
+| .validate | Validate the SBOM |
 | .exit | To exit the shell |
-| .save | To save the modified SBoM to a new file |
+| .save | To save the modified SBOM to a new file |
 | .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. |
-| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM |
-| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM |
+| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM |
+| .callstack | View components with evidence.callstack.frames as a table. 
Use evinse command to generate such an SBOM |
 | .services | View services as a table |
 In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands.
@@ -342,7 +342,7 @@ Start the REPL server.
 cdxi
 ```
-Below are some example commands to create an SBoM for a spring application and perform searches and queries.
+Below are some example commands to create an SBOM for a spring application and perform searches and queries.
 ```
 .create /mnt/work/vuln-spring
diff --git a/evinser.js b/evinser.js
index 892274e85..d663b8f21 100644
--- a/evinser.js
+++ b/evinser.js
@@ -31,7 +31,7 @@ export const prepareDB = async (options) => {
 const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
 if (bomJson.specVersion < 1.5) {
 console.log(
- "Evinse requires the input SBoM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
+ "Evinse requires the input SBOM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
 );
 process.exit(0);
 }
@@ -741,7 +741,7 @@ export const isSlicingRequired = (purl) => {
 };
 /**
- * Method to create the SBoM with evidence file called evinse file.
+ * Method to create the SBOM with evidence file called evinse file.
 *
 * @param {object} sliceArtefacts Various artefacts from the slice operation
 * @param {object} options Command line options
@@ -841,7 +841,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
 console.log(evinseOutFile, "created successfully.");
 } else {
 console.log(
- "Unable to identify component evidence for the input SBoM. Only java, javascript and python projects are supported by evinse."
+ "Unable to identify component evidence for the input SBOM. Only java, javascript and python projects are supported by evinse."
 );
 }
 if (tempDir && tempDir.startsWith(tmpdir())) {
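Review bot: The `process.exit(0)` that follows the changed message in the `bomJson.specVersion < 1.5` branch of `prepareDB` reports success for a run that produced no evidence, so a pipeline gating on evinse's exit status would continue as if an evidence-bearing SBOM had been written. Exit non-zero and send the message to stderr, `console.error(…)` followed by `process.exit(1);`, so the failure is machine-visible and kept out of stdout. If `specVersion` arrives as a string, as CycloneDX JSON carries it, the `< 1.5` comparison relies on numeric coercion and would misorder a hypothetical `"1.10"`; an explicit major/minor comparison would avoid that. `prepareDB` starts before this hunk and continues past it.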
diff --git a/package.json b/package.json
index 20e227054..e4e3ea4e5 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@cyclonedx/cdxgen",
 "version": "9.8.5",
- "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
+ "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian ",
 "license": "Apache-2.0",
@@ -105,4 +105,4 @@
 "jest": "^29.7.0",
 "prettier": "3.0.3"
 }
-}
+}
\ No newline at end of file
diff --git a/server.js b/server.js
index 58df93ba1..84bc16ec0 100644
--- a/server.js
+++ b/server.js
@@ -112,7 +112,7 @@ const start = (options) => {
 srcDir = gitClone(filePath);
 cleanup = true;
 }
- console.log("Generating SBoM for", srcDir);
+ console.log("Generating SBOM for", srcDir);
 const bomNSData = (await createBom(srcDir, options)) || {};
 if (bomNSData.bomJson) {
 if (
@@ -125,7 +125,7 @@ const start = (options) => {
 }
 }
 if (options.serverUrl && options.apiKey) {
- console.log("Publishing SBoM to Dependency Track");
+ console.log("Publishing SBOM to Dependency Track");
 submitBom(options, bomNSData.bomJson);
 }
 res.end("\n");
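Review bot: `submitBom(options, bomNSData.bomJson);` directly under the changed log line is not awaited, while `createBom` on the same request path is; if `submitBom` returns a promise, as an upload to Dependency Track suggests, a failed publish surfaces as an unhandled rejection after `res.end("\n")` has already closed the response, and the caller gets no signal that the SBOM never reached the server. Consider `await submitBom(options, bomNSData.bomJson);` inside a try/catch that logs the failure, or deliberately `void submitBom(...)` with a comment if fire-and-forget is intended. The enclosing `start` handler begins before this hunk.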