Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update references of SBoM to SBOM #610

Merged
merged 3 commits into from
Oct 4, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 20 additions & 20 deletions ADVANCED.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Advanced Usage

## Evinse Mode / SaaSBoM
## Evinse Mode / SaaSBOM

Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxgen to generate component evidence and SaaSBoM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom)
Evinse (Evinse Verification Is Nearly SBOM Evidence) is a new command with cdxgen to generate component evidence and SaaSBOM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom)

<img src="./docs/occurrence-evidence.png" alt="occurrence evidence" width="256">

Expand All @@ -14,14 +14,14 @@ Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxge

- Java > 17 installed
- Application source code
- Input SBoM in CycloneDX >1.5 format. Use cdxgen to generate one.
- Input SBOM in CycloneDX >1.5 format. Use cdxgen to generate one.

### Usage

```shell
evinse -h
Options:
-i, --input Input SBoM file. Default bom.json
-i, --input Input SBOM file. Default bom.json
[default: "bom.json"]
-o, --output Output file. Default bom.evinse.json
[default: "bom.evinse.json"]
Expand Down Expand Up @@ -52,7 +52,7 @@ Options:
-h Show help [boolean]
```

To generate an SBoM with evidence for a java project.
To generate an SBOM with evidence for a java project.

```shell
evinse -i bom.json -o bom.evinse.json <path to the application>
Expand All @@ -76,14 +76,14 @@ For JavaScript or TypeScript projects, pass `-l javascript`.
evinse -i bom.json -o bom.evinse.json --usages-slices-file usages.json --data-flow-slices-file data-flow.json -l javascript --with-data-flow <path to the application>
```

## Generate SBoM from maven or gradle cache
## Generate SBOM from maven or gradle cache

There could be Java applications with complex dependency requirements. Or you might be interested in cataloging your Maven or gradle cache.
A bonus of this mode is that the resulting SBoM would have a property called `Namespaces` with a list of class names belonging to each jar.
A bonus of this mode is that the resulting SBOM would have a property called `Namespaces` with a list of class names belonging to each jar.

### Generate evidence of usage

After generating an SBoM from a cache, we can now look for evidence of direct usage with evinse!
After generating an SBOM from a cache, we can now look for evidence of direct usage with evinse!

```shell
# compile or build your application
Expand All @@ -106,19 +106,19 @@ To improve performance for re-runs, pass the argument `--skip-maven-collector` t

| Command | Description |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| .create | Create an SBoM from a path |
| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. |
| .create | Create an BOM from a path |
| .import | Import an existing BOM from a path. Any BOM in CycloneDX format is supported. |
| .search | Search the given string in the components name, group, purl and description |
| .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` |
| .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format |
| .print | Print the SBoM as a table |
| .print | Print the BOM as a table |
| .tree | Print the dependency tree if available |
| .validate | Validate the SBoM |
| .validate | Validate the SBOM |
| .exit | To exit the shell |
| .save | To save the modified SBoM to a new file |
| .save | To save the modified BOM to a new file |
| .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM |
| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Occurrences and callstack are valid only for SBOM so these two are correct!

| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBOM |
| .services | View services as a table |

In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands.
Expand All @@ -131,7 +131,7 @@ Start the REPL server.
cdxi
```

Below are some example commands to create an SBoM for a spring application and perform searches and queries.
Below are some example commands to create an SBOM for a spring application and perform searches and queries.

```
.create /mnt/work/vuln-spring
Expand All @@ -151,11 +151,11 @@ Repl history will persist under the `$`HOME/.config/.cdxgen`directory. To overri

## Mixed Java Projects

If a java project uses Maven and gradle, maven is selected for SBoM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT.
If a java project uses Maven and gradle, maven is selected for SBOM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT.

## Generating container SBoM on Windows
## Generating container SBOM on Windows

cdxgen supports generating container SBoM for Linux images on Windows. Follow the steps listed below.
cdxgen supports generating container SBOM for Linux images on Windows. Follow the steps listed below.

- Ensure cdxgen-plugins-bin > 1.4.0 is installed.

Expand All @@ -171,7 +171,7 @@ npm install -g @cyclonedx/cdxgen-plugins-bin
cdxgen -t docker -o bom.json <image name>
```

## Generate SBoM with evidence for the cdxgen repo
## Generate SBOM with evidence for the cdxgen repo

Why not?

Expand Down
Loading