JS reachables

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> Updated docs and atom Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Oct 22, 2023 · fb4fe13 · fb4fe13
1 parent 5a00176
commit fb4fe13
Show file tree

Hide file tree

Showing 14 changed files with 317 additions and 147 deletions.
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
@@ -147,11 +147,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           repository: 'hoolicorp/java-sec-code'
-          path: 'repotests/java-sec-code'    
+          path: 'repotests/java-sec-code'
       - uses: dtolnay/rust-toolchain@stable
       - name: repotests
         run: |
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code.json
+          bin/cdxgen.js -p -t java --author foo --author bar repotests/java-sec-code -o bomresults/bom-java-sec-code.json
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code.json --required-only
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code.json --filter postgres --filter json
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code.json --only spring

diff --git a/README.md b/README.md
diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -143,6 +143,7 @@ const args = yargs(hideBin(process.argv))
       "Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to disable."
   })
   .option("evidence", {
+    hidden: true,
     type: "boolean",
     default: false,
     description: "Generate SBOM with evidence for supported languages. WIP"
@@ -165,8 +166,15 @@ const args = yargs(hideBin(process.argv))
     description:
       "Include components only containining this word in purl. Useful to generate BOM with first party components alone. Multiple values allowed."
   })
+  .option("author", {
+    description:
+      "The person(s) who created the BOM. Set this value if you're intending the modify the BOM and claim authorship.",
+    default: "OWASP Foundation"
+  })
+  .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
+  .array("author")
   .option("auto-compositions", {
     type: "boolean",
     default: true,

diff --git a/bin/evinse.js b/bin/evinse.js
@@ -121,6 +121,18 @@ const args = yargs(hideBin(process.argv))
     type: "boolean",
     description: "Print the evidences as table"
   })
+  .example([
+    [
+      "$0 -i bom.json -o bom.evinse.json -l java .",
+      "Generate a Java SBOM with evidence for the current directory"
+    ],
+    [
+      "$0 -i bom.json -o bom.evinse.json -l java --with-reachables .",
+      "Generate a Java SBOM with occurrence and reachable evidence for the current directory"
+    ]
+  ])
+  .completion("completion", "Generate bash/zsh completion")
+  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
   .config(config)
   .scriptName("evinse")
   .version()
@@ -129,8 +141,8 @@ const args = yargs(hideBin(process.argv))
 const evinseArt = `
 ███████╗██╗   ██╗██╗███╗   ██╗███████╗███████╗
 ██╔════╝██║   ██║██║████╗  ██║██╔════╝██╔════╝
-█████╗  ██║   ██║██║██╔██╗ ██║███████╗█████╗  
-██╔══╝  ╚██╗ ██╔╝██║██║╚██╗██║╚════██║██╔══╝  
+█████╗  ██║   ██║██║██╔██╗ ██║███████╗█████╗
+██╔══╝  ╚██╗ ██╔╝██║██║╚██╗██║╚════██║██╔══╝
 ███████╗ ╚████╔╝ ██║██║ ╚████║███████║███████╗
 ╚══════╝  ╚═══╝  ╚═╝╚═╝  ╚═══╝╚══════╝╚══════╝
 `;

diff --git a/bin/verify.js b/bin/verify.js
@@ -24,6 +24,8 @@ const args = yargs(hideBin(process.argv))
     default: "public.key",
     description: "Public key in PEM format. Default public.key"
   })
+  .completion("completion", "Generate bash/zsh completion")
+  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
   .scriptName("cdx-verify")
   .version()
   .help("h").argv;

diff --git a/data/README.md b/data/README.md
@@ -18,3 +18,4 @@ Contents of data directory and their purpose.
 | spdx.schema.json      | jsonschema for validation                                                 |
 | vendor-alias.json     | List to correct the group names. Used while parsing .jar files            |
 | wrapdb-releases.json  | Database of all available meson wraps. Generated using contrib/wrapdb.py. |
+| frameworks-list.json  | List of string fragments to categorize components into frameworks         |
diff --git a/data/frameworks-list.json b/data/frameworks-list.json
@@ -0,0 +1,128 @@
+{
+  "all": [
+    "System.Web",
+    "System.ServiceModel",
+    "System.Data",
+    "spring",
+    "flask",
+    "django",
+    "beego",
+    "chi",
+    "echo",
+    "github.com/gin-gonic/gin",
+    "gorilla",
+    "rye",
+    "httprouter",
+    "akka",
+    "dropwizard",
+    "vertx",
+    "gwt",
+    "jax-rs",
+    "jax-ws",
+    "jsf",
+    "play",
+    "spark",
+    "struts",
+    "angular",
+    "react",
+    "next",
+    "ember",
+    "express",
+    "knex",
+    "vue",
+    "aiohttp",
+    "bottle",
+    "cherrypy",
+    "drt",
+    "falcon",
+    "hug",
+    "pyramid",
+    "sanic",
+    "tornado",
+    "vibora",
+    "koa",
+    "-sdk",
+    "org.apache",
+    "appfuse",
+    "drools",
+    "jbpm",
+    "activiti",
+    "barracuda",
+    "birt",
+    "biojava",
+    "bluecove",
+    "bouncycastle",
+    "cascading",
+    "deeplearning4j",
+    "eclipselink",
+    "geoapi",
+    "geotools",
+    "hibernate",
+    "hsqldb",
+    "ibatis",
+    "javassist",
+    "jersey",
+    "jetty",
+    "jfreechart",
+    "jhipster",
+    "jmonkeyengine",
+    "jsf",
+    "keycloak",
+    "liquibase",
+    "lwjgl",
+    "micronaut",
+    "mybatis",
+    "netty",
+    "neuroph",
+    "opencv",
+    "orientdb",
+    "ormlite",
+    "payara",
+    "primefaces",
+    "quarkus",
+    "quartz",
+    "sax",
+    "slf4j",
+    "jasper",
+    "spock",
+    "thymeleaf",
+    "vaadin",
+    "vertx",
+    "wildfly",
+    "zkoss",
+    "org.ow2.asm",
+    "backbone",
+    "dojo",
+    "ember",
+    "enyo",
+    "extjs",
+    "jquery",
+    "jqwidgets",
+    "knockout",
+    "mootools",
+    "prototypejs",
+    "qooxdoo",
+    "openui5",
+    "solidjs",
+    "sproutcore",
+    "svelte",
+    "wakanda",
+    "webix",
+    "github.com/aerogo/aero",
+    "github.com/aofei/air",
+    "github.com/go-the-way/anoweb",
+    "github.com/appist/appy",
+    "github.com/ungerik/go-rest",
+    "goa.design/goa",
+    "github.com/aceld/zinx",
+    "github.com/dolab/gogo",
+    "github.com/yarf-framework/yarf",
+    "github.com/norunners/vert",
+    "pkg:cargo/rocket",
+    "pkg:cargo/actix",
+    "pkg:cargo/nickel",
+    "pkg:cargo/yew",
+    "pkg:cargo/azul",
+    "pkg:cargo/conrod"
+  ]
+}
diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md
@@ -284,3 +284,19 @@ ATOM_DB = join(homedir(), "AppData", "Local", ".atomdb");
 // Mac
 ATOM_DB = join(homedir(), "Library", "Application Support", ".atomdb");
 ```
+
+## Customize metadata.authors in BOM
+
+Use the argument `--author` to override the author name.
+
+## Generate bash/zsh command completions
+
+Run the commands such as cdxgen, evinse etc with completion as the argument.
+
+```shell
+cdxgen completion >> ~/.zshrc
+
+# cdxgen completion >> ~/.bashrc
+
+# evinse completion >> ~/.zshrc
+```
diff --git a/docs/CLI.md b/docs/CLI.md
@@ -119,6 +119,9 @@ Options:
       --only                   Include components only containining this word in
                                 purl. Useful to generate BOM with first party co
                                mponents alone. Multiple values allowed.  [array]
+      --author                 The person(s) who created the BOM. Set this value
+                                if you're intending the modify the BOM and claim
+                                authorship.[array] [default: "OWASP Foundation"]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]