diff --git a/ADVANCED.md b/ADVANCED.md index ab58b651f..6dfea44c3 100644 --- a/ADVANCED.md +++ b/ADVANCED.md @@ -1,8 +1,8 @@ # Advanced Usage -## Evinse Mode / SaaSBoM +## Evinse Mode / SaaSBOM -Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxgen to generate component evidence and SaaSBoM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom) +Evinse (Evinse Verification Is Nearly SBOM Evidence) is a new command with cdxgen to generate component evidence and SaaSBOM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom) occurrence evidence @@ -14,14 +14,14 @@ Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxge - Java > 17 installed - Application source code -- Input SBoM in CycloneDX >1.5 format. Use cdxgen to generate one. +- Input SBOM in CycloneDX >1.5 format. Use cdxgen to generate one. ### Usage ```shell evinse -h Options: - -i, --input Input SBoM file. Default bom.json + -i, --input Input SBOM file. Default bom.json [default: "bom.json"] -o, --output Output file. Default bom.evinse.json [default: "bom.evinse.json"] @@ -52,7 +52,7 @@ Options: -h Show help [boolean] ``` -To generate an SBoM with evidence for a java project. +To generate an SBOM with evidence for a java project. ```shell evinse -i bom.json -o bom.evinse.json 
@@ -76,14 +76,14 @@ For JavaScript or TypeScript projects, pass `-l javascript`. evinse -i bom.json -o bom.evinse.json --usages-slices-file usages.json --data-flow-slices-file data-flow.json -l javascript --with-data-flow ``` -## Generate SBoM from maven or gradle cache +## Generate SBOM from maven or gradle cache There could be Java applications with complex dependency requirements. Or you might be interested in cataloging your Maven or gradle cache. -A bonus of this mode is that the resulting SBoM would have a property called `Namespaces` with a list of class names belonging to each jar. +A bonus of this mode is that the resulting SBOM would have a property called `Namespaces` with a list of class names belonging to each jar. ### Generate evidence of usage -After generating an SBoM from a cache, we can now look for evidence of direct usage with evinse! +After generating an SBOM from a cache, we can now look for evidence of direct usage with evinse! ```shell # compile or build your application 
@@ -106,19 +106,19 @@ To improve performance for re-runs, pass the argument `--skip-maven-collector` t | Command | Description | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| .create | Create an SBoM from a path | -| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. | +| .create | Create an BOM from a path | +| .import | Import an existing BOM from a path. Any BOM in CycloneDX format is supported. | | .search | Search the given string in the components name, group, purl and description | | .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` | | .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format | -| .print | Print the SBoM as a table | +| .print | Print the BOM as a table | | .tree | Print the dependency tree if available | -| .validate | Validate the SBoM | +| .validate | Validate the SBOM | | .exit | To exit the shell | -| .save | To save the modified SBoM to a new file | +| .save | To save the modified BOM to a new file | | .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. | -| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM | -| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM | +| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM | +| .callstack | View components with evidence.callstack.frames as a table. 
Use evinse command to generate such an SBOM | | .services | View services as a table | In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands. @@ -131,7 +131,7 @@ Start the REPL server. cdxi ``` -Below are some example commands to create an SBoM for a spring application and perform searches and queries. +Below are some example commands to create an SBOM for a spring application and perform searches and queries. ``` .create /mnt/work/vuln-spring @@ -151,11 +151,11 @@ Repl history will persist under the `$`HOME/.config/.cdxgen`directory. To overri ## Mixed Java Projects -If a java project uses Maven and gradle, maven is selected for SBoM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT. +If a java project uses Maven and gradle, maven is selected for SBOM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT. -## Generating container SBoM on Windows +## Generating container SBOM on Windows -cdxgen supports generating container SBoM for Linux images on Windows. Follow the steps listed below. +cdxgen supports generating container SBOM for Linux images on Windows. Follow the steps listed below. - Ensure cdxgen-plugins-bin > 1.4.0 is installed. @@ -171,7 +171,7 @@ npm install -g @cyclonedx/cdxgen-plugins-bin cdxgen -t docker -o bom.json ``` -## Generate SBoM with evidence for the cdxgen repo +## Generate SBOM with evidence for the cdxgen repo Why not? diff --git a/README.md b/README.md index 53d4d56ac..b2b5682e1 100644 --- a/README.md +++ b/README.md 
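Review bot: The `.create` and `.import` rows of the commands table now read `Create an BOM from a path` and `Import an existing BOM from a path. Any BOM in CycloneDX format is supported.`, so the article no longer agrees with the noun, and the same table keeps `SBOM` in the `.validate`, `.occurrences` and `.callstack` rows while `.print` and `.save` switch to `BOM`. Either keep `SBOM` throughout (`Create an SBOM from a path`) or use `a BOM` consistently across the whole table. Every other hunk in this file and in docs/ADVANCED.md settles on `SBOM`, so that looks like the intended spelling.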
@@ -2,9 +2,9 @@ ![cdxgen logo](cdxgen.png) -cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse. +cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill of Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse. -When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBoM for some languages. +When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages. NOTE: 
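Review bot: The renamed `+` line still reads `cdxgen could generate an OBoM for Linux docker images`, so `OBoM` keeps the old mixed-case style in the same sentence that now says `SaaSBOM`. If the commit is meant to standardise on upper-case acronyms this should become `OBOM`; later context lines in this file (`a single BoM`, `the generated BoM json file`) appear to carry the same old spelling and could be folded into the same pass. This is a consistency point only; the surrounding wording is otherwise unchanged.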
@@ -12,7 +12,7 @@ CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use ## Why cdxgen? -A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator! +A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBOM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBOM generator! why cdxgen 
@@ -71,11 +71,11 @@ Footnotes: ### Automatic usage detection -For node.js projects, lock files are parsed initially, so the SBoM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBoM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file. +For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file. This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs. -By passing the argument `--required-only`, you can limit the SBoM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files. +By passing the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files. For go, `go mod why` command is used to identify required packages. 
For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev). @@ -132,7 +132,7 @@ $ cdxgen -h -r, --recurse Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable. [boolean] [default: true] - -p, --print Print the SBoM as a table with tree. [boolean] + -p, --print Print the SBOM as a table with tree. [boolean] -c, --resolve-class Resolve class names for packages. jars only for n ow. [boolean] --deep Perform deep searches for components. Useful whil @@ -149,12 +149,12 @@ $ cdxgen -h d or the project name and version together --parent-project-id Dependency track parent project id --required-only Include only the packages with required scope on - the SBoM. [boolean] + the SBOM. [boolean] --fail-on-error Fail if any dependency extractor fails. [boolean] --no-babel Do not use babel to perform usage analysis for Ja vaScript/TypeScript projects. [boolean] --generate-key-and-sign Generate an RSA public/private key pair and then - sign the generated SBoM using JSON Web Signatures + sign the generated SBOM using JSON Web Signatures . [boolean] --server Run cdxgen as a server [boolean] --server-host Listen address [default: "127.0.0.1"] @@ -163,7 +163,7 @@ $ cdxgen -h cts. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature. [boolean] [default: true] - --validate Validate the generated SBoM using json schema. De + --validate Validate the generated SBOM using json schema. De faults to true. Pass --no-validate to disable. [boolean] [default: true] --usages-slices-file Path for the usages slice file created by atom. @@ -191,7 +191,7 @@ For a java project. cdxgen would automatically detect maven, gradle, or sbt and cdxgen -t java -o bom.json ``` -To print the SBoM as a table pass `-p` argument. +To print the SBOM as a table pass `-p` argument. ```shell cdxgen -t java -o bom.json -p 
@@ -203,13 +203,13 @@ To recursively generate a single BoM for all languages pass `-r` argument. cdxgen -r -o bom.json ``` -To generate SBoM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument. +To generate SBOM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument. ```shell cdxgen -r -o bom.json --spec-version 1.4 ``` -To generate SBoM for C or Python, ensure Java >= 17 is installed. +To generate SBOM for C or Python, ensure Java >= 17 is installed. ```shell # Install java >= 17 @@ -218,11 +218,11 @@ cdxgen -t c -o bom.json NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image. -## Universal SBoM +## Universal SBOM -By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBoM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools. +By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBOM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools. -## SBoM server +## SBOM server Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`. 
@@ -246,7 +246,7 @@ Arguments can be passed either via the query string or as a JSON body. The follo | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | | type | Project type | | multiProject | [boolean] | -| requiredOnly | Include only the packages with required scope on the SBoM. [boolean] | +| requiredOnly | Include only the packages with required scope on the SBOM. [boolean] | | noBabel | Do not use babel to perform usage analysis for JavaScript/TypeScript projects. [boolean] | | installDeps | Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. [boolean] [default: true] | | project | | @@ -349,7 +349,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s | LEIN_CMD | Set to override the leiningen command | | SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc | | SBOM_SIGN_PRIVATE_KEY | Private key to use for signing | -| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature | +| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBOM signature | | CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" | | CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom | | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true | 
@@ -358,7 +358,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s ## Plugins -cdxgen could be extended with external binary plugins to support more SBoM use cases. These are now installed as an optional dependency. +cdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency. ```shell sudo npm install -g @cyclonedx/cdxgen-plugins-bin @@ -409,9 +409,9 @@ obom # cdxgen -t os ``` -This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types, such as operating-system, device-drivers, files, and data. +This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data. -## Generating SaaSBoM and component evidences +## Generating SaaSBOM and component evidences See [evinse mode](./ADVANCED.md) in the advanced documentation. 
@@ -425,7 +425,7 @@ cdxgen can sign the generated BoM json file to increase authenticity and non-rep To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation. -![SBoM signing](sbom-sign.jpg) +![SBOM signing](sbom-sign.jpg) ### Verifying the signature @@ -444,7 +444,7 @@ There are many [libraries](https://jwt.io/#libraries-io) available to validate J # npm install jws const jws = require("jws"); const fs = require("fs"); -// Location of the SBoM json file +// Location of the SBOM json file const bomJsonFile = "bom.json"; // Location of the public key const publicKeyFile = "public.key"; @@ -455,13 +455,13 @@ const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, f if (validationResult) { console.log("Signature is valid!"); } else { - console.log("SBoM signature is invalid :("); + console.log("SBOM signature is invalid :("); } ``` ## Automatic services detection -cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code. +cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBOM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code. ## Conversion to SPDX format diff --git a/bin/cdxgen.js b/bin/cdxgen.js index efa95af1c..e0e5886b9 100755 --- a/bin/cdxgen.js +++ b/bin/cdxgen.js 
@@ -41,7 +41,7 @@ const args = yargs(hideBin(process.argv))
 .option("print", {
 alias: "p",
 type: "boolean",
- description: "Print the SBoM as a table with tree."
+ description: "Print the SBOM as a table with tree."
 })
 .option("resolve-class", {
 alias: "c",
@@ -78,7 +78,7 @@ const args = yargs(hideBin(process.argv))
 })
 .option("required-only", {
 type: "boolean",
- description: "Include only the packages with required scope on the SBoM."
+ description: "Include only the packages with required scope on the SBOM."
 })
 .option("fail-on-error", {
 type: "boolean",
@@ -92,7 +92,7 @@ const args = yargs(hideBin(process.argv))
 .option("generate-key-and-sign", {
 type: "boolean",
 description:
- "Generate an RSA public/private key pair and then sign the generated SBoM using JSON Web Signatures."
+ "Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web Signatures."
 })
 .option("server", {
 type: "boolean",
@@ -116,12 +116,12 @@ const args = yargs(hideBin(process.argv))
 type: "boolean",
 default: true,
 description:
- "Validate the generated SBoM using json schema. Defaults to true. Pass --no-validate to disable."
+ "Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to disable."
 })
 .option("evidence", {
 type: "boolean",
 default: false,
- description: "Generate SBoM with evidence for supported languages. WIP"
+ description: "Generate SBOM with evidence for supported languages. WIP"
 })
 .option("usages-slices-file", {
 description: "Path for the usages slice file created by atom."
@@ -241,7 +241,7 @@ const checkPermissions = (filePath) => {
 * Method to start the bom creation process
 */
 (async () => {
- // Start SBoM server
+ // Start SBOM server
 if (args.server) {
 return await _serverStart(options);
 }
@@ -384,12 +384,12 @@ const checkPermissions = (filePath) => {
 );
 if (signatureVerification) {
 console.log(
- "SBoM signature is verifiable with the public key and the algorithm",
+ "SBOM signature is verifiable with the public key and the algorithm",
 publicKeyFile,
 alg
 );
 } else {
- console.log("SBoM signature verification was unsuccessful");
+ console.log("SBOM signature verification was unsuccessful");
 console.log(
 "Check if the public key was exported in PEM format"
 );
@@ -397,7 +397,7 @@ const checkPermissions = (filePath) => {
 }
 }
 } catch (ex) {
- console.log("SBoM signing was unsuccessful", ex);
+ console.log("SBOM signing was unsuccessful", ex);
 console.log("Check if the private key was exported in PEM format");
 }
 }
diff --git a/bin/evinse.js b/bin/evinse.js
index 4274498c4..17775b305 100755
--- a/bin/evinse.js
+++ b/bin/evinse.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-// Evinse (Evinse Verification Is Nearly SBoM Evidence)
+// Evinse (Evinse Verification Is Nearly SBOM Evidence)
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { join } from "node:path";
@@ -30,7 +30,7 @@ if (!process.env.ATOM_DB && !fs.existsSync(ATOM_DB)) {
 const args = yargs(hideBin(process.argv))
 .option("input", {
 alias: "i",
- description: "Input SBoM file. Default bom.json",
+ description: "Input SBOM file. Default bom.json",
 default: "bom.json"
 })
 .option("output", {
@@ -108,9 +108,9 @@ console.log(evinseArt);
 if (dbObjMap) {
 // Analyze the project using atom. Convert package namespaces to purl using the db
 const sliceArtefacts = await analyzeProject(dbObjMap, args);
- // Create the SBoM with Evidence
+ // Create the SBOM with Evidence
 const bomJson = createEvinseFile(sliceArtefacts, args);
- // Validate our final SBoM
+ // Validate our final SBOM
 if (!validateBom(bomJson)) {
 process.exit(1);
 }
diff --git a/bin/repl.js b/bin/repl.js
index 3b98e947d..18d9271c4 100755
--- a/bin/repl.js
+++ b/bin/repl.js
@@ -61,10 +61,10 @@ export const importSbom = (sbomOrPath) => {
 if (sbomOrPath && sbomOrPath.endsWith(".json") && fs.existsSync(sbomOrPath)) {
 try {
 sbom = JSON.parse(fs.readFileSync(sbomOrPath, "utf-8"));
- console.log(`✅ SBoM imported successfully from ${sbomOrPath}`);
+ console.log(`✅ SBOM imported successfully from ${sbomOrPath}`);
 } catch (e) {
 console.log(
- `⚠ Unable to import the SBoM from ${sbomOrPath} due to ${e}`
+ `⚠ Unable to import the SBOM from ${sbomOrPath} due to ${e}`
 );
 }
 } else {
@@ -74,13 +74,13 @@ export const importSbom = (sbomOrPath) => {
 // Load any sbom passed from the command line
 if (process.argv.length > 2) {
 importSbom(process.argv[process.argv.length - 1]);
- console.log("💭 Type .print to view the SBoM as a table");
+ console.log("💭 Type .print to view the SBOM as a table");
 } else if (fs.existsSync("bom.json")) {
 // If the current directory has a bom.json load it
 importSbom("bom.json");
 } else {
- console.log("💭 Use .create to create an SBoM for the given path.");
- console.log("💭 Use .import to import an existing SBoM.");
+ console.log("💭 Use .create to create an SBOM for the given path.");
+ console.log("💭 Use .import to import an existing SBOM.");
 console.log("💭 Type .exit or press ctrl+d to close.");
 }
 
@@ -98,7 +98,7 @@ if (historyFile) {
 );
 }
 cdxgenRepl.defineCommand("create", {
- help: "create an SBoM for the given path",
+ help: "create an SBOM for the given path",
 async action(sbomOrPath) {
 this.clearBufferedCommand();
 const tempDir = fs.mkdtempSync(join(tmpdir(), "cdxgen-repl-"));
@@ -267,7 +267,7 @@ cdxgenRepl.defineCommand("validate", {
 if (sbom) {
 const result = validateBom(sbom);
 if (result) {
- console.log("SBoM is valid!");
+ console.log("SBOM is valid!");
 }
 } else {
 console.log(
@@ -379,7 +379,7 @@ cdxgenRepl.defineCommand("callstack", {
 let components = await expression.evaluate(sbom);
 if (!components) {
 console.log(
- "callstack evidence was not found. Use evinse command to generate an SBoM with evidence."
+ "callstack evidence was not found. Use evinse command to generate an SBOM with evidence."
 );
 } else {
 if (!Array.isArray(components)) {
@@ -392,7 +392,7 @@ cdxgenRepl.defineCommand("callstack", {
 }
 } else {
 console.log(
- "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+ "⚠ No SBOM is loaded. Use .import command to import an evinse SBOM"
 );
 }
 this.displayPrompt();
@@ -407,7 +407,7 @@ cdxgenRepl.defineCommand("services", {
 let services = await expression.evaluate(sbom);
 if (!services) {
 console.log(
- "No services found. Use evinse command to generate an SBoM with evidence."
+ "No services found. Use evinse command to generate an SBOM with evidence."
 );
 } else {
 if (!Array.isArray(services)) {
@@ -420,7 +420,7 @@ cdxgenRepl.defineCommand("services", {
 }
 } else {
 console.log(
- "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+ "⚠ No SBOM is loaded. Use .import command to import an evinse SBOM"
 );
 }
 this.displayPrompt();
diff --git a/bin/verify.js b/bin/verify.js
index 0a3dcf137..e463ec5fa 100755
--- a/bin/verify.js
+++ b/bin/verify.js
@@ -74,7 +74,7 @@ if (!bomSignature) {
 if (validationResult) {
 console.log("Signature is valid!");
 } else {
- console.log("SBoM signature is invalid!");
+ console.log("SBOM signature is invalid!");
 process.exit(1);
 }
 }
diff --git a/ci/Dockerfile b/ci/Dockerfile
index f9cdd2584..b8d9bd453 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
diff --git a/ci/Dockerfile-deno b/ci/Dockerfile-deno
index 53477b8f5..fe4bf299f 100644
--- a/ci/Dockerfile-deno
+++ b/ci/Dockerfile-deno
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
diff --git a/ci/Dockerfile-ppc64 b/ci/Dockerfile-ppc64
index 93f2f10cc..d7e853bfc 100644
--- a/ci/Dockerfile-ppc64
+++ b/ci/Dockerfile-ppc64
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
 org.opencontainers.image.vendor="cyclonedx" \
 org.opencontainers.image.licenses="Apache-2.0" \
 org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+ org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
 org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"
 
 ARG SBT_VERSION=1.9.6
diff --git a/contrib/README.md b/contrib/README.md index 80afce7c9..d4cc95cf6 100644 --- a/contrib/README.md +++ b/contrib/README.md @@ -1,6 +1,6 @@ # Useful scripts -## Validate SBoM using jsonschema +## Validate SBOM using jsonschema ```shell python bom-validate.py --json ../test/data/vuln-spring-1.5.bom.json diff --git a/contrib/bom-validate.py b/contrib/bom-validate.py index b1fda0a41..dd48bda07 100644 --- a/contrib/bom-validate.py +++ b/contrib/bom-validate.py @@ -11,7 +11,7 @@ def build_args(): Constructs command line arguments for the comparison tool """ parser = argparse.ArgumentParser( - description="Validate SBoM files against BOM 1.5 schema." + description="Validate SBOM files against BOM 1.5 schema." ) parser.add_argument( "--json", @@ -29,7 +29,7 @@ def vsbom(bom_json): vex_obj = json.load(vp) try: validate(instance=vex_obj, schema=json.load(sp)) - print("SBoM file is valid") + print("SBOM file is valid") except ValidationError as ve: print(ve) sys.exit(1) diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md index dc28f2a47..41b2638ee 100644 --- a/docs/ADVANCED.md +++ b/docs/ADVANCED.md @@ -1,8 +1,8 @@ # Advanced Usage -## Evinse Mode / SaaSBoM +## Evinse Mode / SaaSBOM -Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxgen to generate component evidence and SaaSBoM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom). +Evinse (Evinse Verification Is Nearly SBOM Evidence) is a new command with cdxgen to generate component evidence and SaaSBOM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom). occurrence evidence 
@@ -14,14 +14,14 @@ Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxge - Java > 17 installed - Application source code -- Input SBoM in CycloneDX >1.5 format. Use cdxgen to generate one. +- Input SBOM in CycloneDX >1.5 format. Use cdxgen to generate one. ### Usage ```shell evinse -h Options: - -i, --input Input SBoM file. Default bom.json + -i, --input Input SBOM file. Default bom.json [default: "bom.json"] -o, --output Output file. Default bom.evinse.json [default: "bom.evinse.json"] @@ -52,7 +52,7 @@ Options: -h Show help [boolean] ``` -To generate an SBoM with evidence for a java project. +To generate an SBOM with evidence for a java project. ```shell evinse -i bom.json -o bom.evinse.json @@ -76,14 +76,14 @@ For JavaScript or TypeScript projects, pass `-l javascript`. evinse -i bom.json -o bom.evinse.json --usages-slices-file usages.json --data-flow-slices-file data-flow.json -l javascript --with-data-flow ``` -## Generate SBoM from maven or gradle cache +## Generate SBOM from maven or gradle cache There could be Java applications with complex dependency requirements. Or you might be interested in cataloging your Maven or gradle cache. -A bonus of this mode is that the resulting SBoM would have a property called `Namespaces` with a list of class names belonging to each jar. +A bonus of this mode is that the resulting SBOM would have a property called `Namespaces` with a list of class names belonging to each jar. ### Generate evidence of usage -After generating an SBoM from a cache, we can now look for evidence of direct usage with evinse! +After generating an SBOM from a cache, we can now look for evidence of direct usage with evinse! ```shell # compile or build your application 
@@ -98,11 +98,11 @@ To improve performance for re-runs, pass the argument `--skip-maven-collector` t ## Mixed Java Projects -If a java project uses maven and gradle, maven is selected for SBoM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT. +If a java project uses maven and gradle, maven is selected for SBOM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT. -## Generating container SBoM on Windows +## Generating container SBOM on Windows -cdxgen supports generating container SBoM for Linux images on Windows. Follow the steps listed below. +cdxgen supports generating container SBOM for Linux images on Windows. Follow the steps listed below. - Ensure cdxgen-plugins-bin > 1.4.0 is installed. @@ -118,7 +118,7 @@ npm install -g @cyclonedx/cdxgen-plugins-bin cdxgen -t docker -o bom.json ``` -## Generate SBoM with evidence for the cdxgen repo +## Generate SBOM with evidence for the cdxgen repo Why not? diff --git a/docs/CLI.md b/docs/CLI.md index 6af02f524..70ffcfd22 100644 --- a/docs/CLI.md +++ b/docs/CLI.md @@ -51,7 +51,7 @@ $ cdxgen -h -r, --recurse Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable. [boolean] [default: true] - -p, --print Print the SBoM as a table with tree. [boolean] + -p, --print Print the SBOM as a table with tree. [boolean] -c, --resolve-class Resolve class names for packages. jars only for n ow. [boolean] --deep Perform deep searches for components. Useful whil 
@@ -68,12 +68,12 @@ $ cdxgen -h d or the project name and version together --parent-project-id Dependency track parent project id --required-only Include only the packages with required scope on - the SBoM. [boolean] + the SBOM. [boolean] --fail-on-error Fail if any dependency extractor fails. [boolean] --no-babel Do not use babel to perform usage analysis for Ja vaScript/TypeScript projects. [boolean] --generate-key-and-sign Generate an RSA public/private key pair and then - sign the generated SBoM using JSON Web Signatures + sign the generated SBOM using JSON Web Signatures . [boolean] --server Run cdxgen as a server [boolean] --server-host Listen address [default: "127.0.0.1"] @@ -82,7 +82,7 @@ $ cdxgen -h cts. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature. [boolean] [default: true] - --validate Validate the generated SBoM using json schema. De + --validate Validate the generated SBOM using json schema. De faults to true. Pass --no-validate to disable. [boolean] [default: true] --usages-slices-file Path for the usages slice file created by atom. diff --git a/docs/ENV.md b/docs/ENV.md index 10ea2fd2e..b0f1f8ae6 100644 --- a/docs/ENV.md +++ b/docs/ENV.md 
@@ -30,7 +30,7 @@ The following environment variables are available to configure the bom generatio | LEIN_CMD | Set to override the leiningen command | | SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc | | SBOM_SIGN_PRIVATE_KEY | Private key to use for signing | -| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature | +| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBOM signature | | CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" | | CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom | | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true | diff --git a/docs/README.md b/docs/README.md index 20694b5a9..f409d11ee 100644 --- a/docs/README.md +++ b/docs/README.md @@ -4,7 +4,7 @@ cdxgen is available as an npm package, container image, and single application e -#### **Generate SBoM for git repos** +#### **Generate SBOM for git repos** ## Installation @@ -36,7 +36,7 @@ For a java project. This would automatically detect maven, gradle or sbt and bui cdxgen -t java -o bom.json ``` -To print the SBoM as a table pass `-p` argument. +To print the SBOM as a table pass `-p` argument. ```shell cdxgen -t java -o bom.json -p 
@@ -48,20 +48,20 @@ To recursively generate a single BoM for all languages pass `-r` argument. cdxgen -r -o bom.json ``` -To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument. +To generate SBOM for an older specification version such as 1.4, pass the version using the `--spec-version` argument. ```shell cdxgen -r -o bom.json --spec-version 1.4 ``` -To generate SBoM for C or Python, ensure Java >= 17 is installed. +To generate SBOM for C or Python, ensure Java >= 17 is installed. ```shell # Install java >= 17 cdxgen -t c -o bom.json ``` -#### **Generate SBoM for container images** +#### **Generate SBOM for container images** ## Installation @@ -117,7 +117,7 @@ obom # cdxgen -t os ``` -This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data. +This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](https://github.com/CycloneDX/cdxgen/blob/master/data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types such as operating-system, device-drivers, files, and data. #### **Integrate with Dependency Track** 
@@ -209,7 +209,7 @@ cdxgen can automatically query public registries such as maven, npm, or nuget to export FETCH_LICENSE=true ``` -#### **SBoM Server** +#### **SBOM Server** Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`. @@ -273,7 +273,7 @@ cdxgen can sign the generated BoM json file to increase authenticity and non-rep To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation. -![SBoM signing](_media/sbom-sign.jpg) +![SBOM signing](_media/sbom-sign.jpg) ### Verifying the signature @@ -292,7 +292,7 @@ There are many [libraries](https://jwt.io/#libraries-io) available to validate J # npm install jws const jws = require("jws"); const fs = require("fs"); -// Location of the SBoM json file +// Location of the SBOM json file const bomJsonFile = "bom.json"; // Location of the public key const publicKeyFile = "public.key"; @@ -303,7 +303,7 @@ const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, f if (validationResult) { console.log("Signature is valid!"); } else { - console.log("SBoM signature is invalid :("); + console.log("SBOM signature is invalid :("); } ``` 
@@ -317,19 +317,19 @@ if (validationResult) { | Command | Description | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| .create | Create an SBoM from a path | -| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. | +| .create | Create an SBOM from a path | +| .import | Import an existing SBOM from a path. Any SBOM in CycloneDX format is supported. | | .search | Search the given string in the components name, group, purl and description | | .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` | | .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format | -| .print | Print the SBoM as a table | +| .print | Print the SBOM as a table | | .tree | Print the dependency tree if available | -| .validate | Validate the SBoM | +| .validate | Validate the SBOM | | .exit | To exit the shell | -| .save | To save the modified SBoM to a new file | +| .save | To save the modified SBOM to a new file | | .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. | -| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM | -| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM | +| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM | +| .callstack | View components with evidence.callstack.frames as a table. 
Use evinse command to generate such an SBOM | | .services | View services as a table | In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands. @@ -342,7 +342,7 @@ Start the REPL server. cdxi ``` -Below are some example commands to create an SBoM for a spring application and perform searches and queries. +Below are some example commands to create an SBOM for a spring application and perform searches and queries. ``` .create /mnt/work/vuln-spring diff --git a/docs/SERVER.md b/docs/SERVER.md index 28240fdc0..3a8b32ce4 100644 --- a/docs/SERVER.md +++ b/docs/SERVER.md @@ -24,7 +24,7 @@ Arguments can be passed either via the query string or as a JSON body. The follo | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | | type | Project type | | multiProject | [boolean] | -| requiredOnly | Include only the packages with required scope on the SBoM. [boolean] | +| requiredOnly | Include only the packages with required scope on the SBOM. [boolean] | | noBabel | Do not use babel to perform usage analysis for JavaScript/TypeScript projects. [boolean] | | installDeps | Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. [boolean] [default: true] | | project | | diff --git a/docs/_coverpage.md b/docs/_coverpage.md index 1fd371a44..1e64468b1 100644 --- a/docs/_coverpage.md +++ b/docs/_coverpage.md 
@@ -2,9 +2,9 @@ # CycloneDX Generator (cdxgen) -> A polyglot tool and a library for generating various Bill-of-Materials in CycloneDX specification. +> A polyglot tool and a library for generating various Bill of Materials in CycloneDX specification. -- Generate Software Bill-of-Materials (SBoM) for most applications and container images with a single command -- Generate Operations Bill-of-Materials (OBoM) for Linux and Windows hosts +- Generate Software Bill of Materials (SBOM) for most applications and container images with a single command +- Generate Operations Bill of Materials (OBoM) for Linux and Windows hosts - Integrate with any CI/CD pipeline - Automatically submit the generated BoM to your dependency track server for analysis diff --git a/evinser.js b/evinser.js index 892274e85..d663b8f21 100644 --- a/evinser.js +++ b/evinser.js @@ -31,7 +31,7 @@ export const prepareDB = async (options) => { const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8")); if (bomJson.specVersion < 1.5) { console.log( - "Evinse requires the input SBoM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument." + "Evinse requires the input SBOM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument." ); process.exit(0); } @@ -741,7 +741,7 @@ export const isSlicingRequired = (purl) => { }; /** - * Method to create the SBoM with evidence file called evinse file. + * Method to create the SBOM with evidence file called evinse file. * * @param {object} sliceArtefacts Various artefacts from the slice operation * @param {object} options Command line options 
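Review bot: The spec-version rejection in prepareDB ends with `process.exit(0)` immediately after the message this hunk rewords, so a CI job or wrapper script cannot tell "no evidence produced" from success; exiting non-zero, `process.exit(1);`, would surface the failure. The guard `bomJson.specVersion < 1.5` also depends on string-to-number coercion of the JSON field, which would misjudge a two-digit minor version such as "1.10" (coerced to 1.1) — worth a short comment if that is accepted, or an explicit parse. prepareDB starts and ends outside the hunk.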
@@ -841,7 +841,7 @@ export const createEvinseFile = (sliceArtefacts, options) => { console.log(evinseOutFile, "created successfully."); } else { console.log( - "Unable to identify component evidence for the input SBoM. Only java, javascript and python projects are supported by evinse." + "Unable to identify component evidence for the input SBOM. Only java, javascript and python projects are supported by evinse." ); } if (tempDir && tempDir.startsWith(tmpdir())) { diff --git a/index.js b/index.js index a3fbc5da9..ff23ef485 100644 --- a/index.js +++ b/index.js @@ -1670,7 +1670,7 @@ export const createJavaBom = async (path, options) => { let sbtProjectFiles = getAllFiles( path, (options.multiProject ? "**/" : "") + - "project/{build.properties,*.sbt,*.scala}" + "project/{build.properties,*.sbt,*.scala}" ); let sbtProjects = []; @@ -3577,7 +3577,7 @@ export const createContainerSpecLikeBom = async (path, options) => { // img could have .service, .ociSpec or .image if (img.ociSpec) { console.log( - `NOTE: ${img.ociSpec} needs to built using docker or podman and referred with a name to get included in this SBoM.` + `NOTE: ${img.ociSpec} needs to built using docker or podman and referred with a name to get included in this SBOM.` ); ociSpecs.push({ group: "", @@ -3699,7 +3699,7 @@ export const createContainerSpecLikeBom = async (path, options) => { // Parse privado files if (privadoFiles.length) { console.log( - "Enriching your SBoM with information from privado.ai scan reports" + "Enriching your SBOM with information from privado.ai scan reports" ); let rows = [["Classification", "Flow"]]; const config = { 
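Review bot: The NOTE string rewritten in the createContainerSpecLikeBom hunk (`@@ -3577`) still reads `needs to built`; since the line is being changed anyway, the grammar can be fixed in the same commit: `` `NOTE: ${img.ociSpec} needs to be built using docker or podman and referred with a name to get included in this SBOM.` ``. createContainerSpecLikeBom starts and ends outside the hunk.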
@@ -5287,12 +5287,12 @@ export async function submitBom(args, bomContents) { }).json(); } catch (error) { console.log( - "Unable to submit the SBoM to the Dependency-Track server using POST method" + "Unable to submit the SBOM to the Dependency-Track server using POST method" ); console.log(error); } } else { - console.log("Unable to submit the SBoM to the Dependency-Track server"); + console.log("Unable to submit the SBOM to the Dependency-Track server"); console.log(error); } } diff --git a/package.json b/package.json index 20e227054..e4e3ea4e5 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@cyclonedx/cdxgen", "version": "9.8.5", - "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image", + "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image", "homepage": "http://github.com/cyclonedx/cdxgen", "author": "Prabhu Subramanian ", "license": "Apache-2.0", @@ -105,4 +105,4 @@ "jest": "^29.7.0", "prettier": "3.0.3" } -} +} \ No newline at end of file diff --git a/server.js b/server.js index 58df93ba1..84bc16ec0 100644 --- a/server.js +++ b/server.js @@ -112,7 +112,7 @@ const start = (options) => { srcDir = gitClone(filePath); cleanup = true; } - console.log("Generating SBoM for", srcDir); + console.log("Generating SBOM for", srcDir); const bomNSData = (await createBom(srcDir, options)) || {}; if (bomNSData.bomJson) { if ( @@ -125,7 +125,7 @@ const start = (options) => { } } if (options.serverUrl && options.apiKey) { - console.log("Publishing SBoM to Dependency Track"); + console.log("Publishing SBOM to Dependency Track"); submitBom(options, bomNSData.bomJson); } res.end("\n"); diff --git a/test/data/composer-3.lock b/test/data/composer-3.lock index 78f28f21b..33c4944f6 100644 --- a/test/data/composer-3.lock +++ b/test/data/composer-3.lock 
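Review bot: Both failure branches in submitBom follow the reworded message with `console.log(error)`, which dumps the whole error object thrown by the HTTP client; depending on what that client attaches to its errors (request options and headers, response body), the Dependency-Track API key sent with the request may end up in log output. Logging `error.message` together with `error.response?.statusCode`, or another explicit subset, keeps the diagnostics without that exposure — confirm what the client's error objects carry before relying on the current form. submitBom begins and ends outside the hunk.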
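Review bot: The package.json hunk `@@ -105,4 +105,4 @@` drops the file's trailing newline (`\ No newline at end of file`), which looks like an editor artefact rather than part of the SBOM rename; the same happens to tools_config/org.cyclonedx.cdxgen.appdata.xml in its `@@ -29,4 +32,4 @@` hunk. Restoring the final newline in both files keeps them POSIX-clean and avoids a spurious whitespace diff the next time a formatter runs.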
@@ -1292,7 +1292,7 @@ "role": "Developer" } ], - "description": "Work with CycloneDX Software Bill-of-Materials (SBOM)", + "description": "Work with CycloneDX Software Bil -of Materials (SBOM)", "homepage": "https://github.com/CycloneDX/cyclonedx-php-library/#readme", "keywords": [ "CycloneDX", diff --git a/tools_config/org.cyclonedx.cdxgen.appdata.xml b/tools_config/org.cyclonedx.cdxgen.appdata.xml index a9b91fbf9..9c2bd8ee5 100644 --- a/tools_config/org.cyclonedx.cdxgen.appdata.xml +++ b/tools_config/org.cyclonedx.cdxgen.appdata.xml @@ -3,17 +3,20 @@ org.cyclonedx.cdxgen cdxgen - Create valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects + Create valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all + project dependencies for node.js, php, python, java and Go projects FSFAP Apache-2.0
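Review bot: The rewritten description in test/data/composer-3.lock reads `Work with CycloneDX Software Bil -of Materials (SBOM)`, so the search-and-replace corrupted the text rather than renaming it. Because this file is a fixture mirroring real composer output, the safest change is to leave the upstream package description untouched; if it is edited, it should at least read `Work with CycloneDX Software Bill of Materials (SBOM)`.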

- Create valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects. + Create valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all + project dependencies for node.js, php, python, java and Go projects.

- CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse. + CycloneDX is a lightweight SBOM specification that is easily created, human and machine + readable, and simple to parse.

@@ -29,4 +32,4 @@ cdxgen - + \ No newline at end of file diff --git a/utils.js b/utils.js index c8bd3d469..38bb7261a 100644 --- a/utils.js +++ b/utils.js @@ -1886,7 +1886,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) { } if (result.stderr.includes("not get unknown property")) { console.log( - "2. Check if the SBoM is generated for the correct root project for your application." + "2. Check if the SBOM is generated for the correct root project for your application." ); } } @@ -1905,8 +1905,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) { */ export const parseBazelActionGraph = function (rawOutput) { const mavenPrefixRegex = RegExp( - `^.*v1/https/[^/]*(?:${ - process.env.BAZEL_STRIP_MAVEN_PREFIX || "/maven2/" + `^.*v1/https/[^/]*(?:${process.env.BAZEL_STRIP_MAVEN_PREFIX || "/maven2/" })?(.*)/(.*)/(.*)/(.*.jar)(?:"| \\\\)?$`, "g" ); @@ -6302,7 +6301,7 @@ export const executeAtom = (src, args) => { result.stderr.includes("Error: Could not create the Java Virtual Machine") ) { console.log( - "Atom requires Java 17 or above. To improve the SBoM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image." + "Atom requires Java 17 or above. To improve the SBOM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image." ); console.log(`Current JAVA_HOME: ${env["JAVA_HOME"] || ""}`); } else if (result.stderr.includes("astgen")) { 
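Review bot: `process.env.BAZEL_STRIP_MAVEN_PREFIX` is interpolated unescaped into the RegExp source in parseBazelActionGraph, so the value is treated as a pattern fragment rather than a literal path prefix: characters such as `.`, `(` or `+` alter the match or make the constructor throw, and a quantifier-heavy value would add to the backtracking that `^.*…(.*)/(.*)/(.*)/(.*.jar)` already invites on long action-graph lines. If a literal prefix is intended, escape it before building the pattern, `const prefix = (process.env.BAZEL_STRIP_MAVEN_PREFIX || "/maven2/").replace(/[.*+?^${}()|[\]\\]/g, "\\$&");`, otherwise document next to the RegExp that the variable is interpreted as a regular expression. The reformat also leaves the closing `}` of the template expression dangling on its own line here and in the flattenDeps and addEvidenceForImports hunks that follow; collapsing each `${ … }` onto one line reads better than the formatter's output. parseBazelActionGraph's body continues outside the hunk.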
@@ -6377,14 +6376,12 @@ export const findAppModules = function ( }; const flattenDeps = (dependenciesMap, pkgList, reqOrSetupFile, t) => { - const tRef = `pkg:pypi/${t.name.replace(/_/g, "-").toLowerCase()}@${ - t.version - }`; + const tRef = `pkg:pypi/${t.name.replace(/_/g, "-").toLowerCase()}@${t.version + }`; const dependsOn = []; for (const d of t.dependencies) { - const pkgRef = `pkg:pypi/${d.name.replace(/_/g, "-").toLowerCase()}@${ - d.version - }`; + const pkgRef = `pkg:pypi/${d.name.replace(/_/g, "-").toLowerCase()}@${d.version + }`; dependsOn.push(pkgRef); if (!dependenciesMap[pkgRef]) { dependenciesMap[pkgRef] = []; @@ -6587,7 +6584,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => { ) { versionRelatedError = true; console.log( - "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBoM accuracy." + "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBOM accuracy." ); console.log(result.stderr); } @@ -6595,7 +6592,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => { console.log("args used:", pipInstallArgs); console.log(result.stdout, result.stderr); console.log( - "Possible build errors detected. The resulting list in the SBoM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy." + "Possible build errors detected. The resulting list in the SBOM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy." ); if (platform() === "win32") { console.log( 
@@ -6618,7 +6615,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => { if (env.VIRTUAL_ENV && env.VIRTUAL_ENV.length) { /** * At this point, the previous attempt to do a pip install might have failed and we might have an unclean virtual environment with an incomplete list - * The position taken by cdxgen is "Some SBoM is better than no SBoM", so we proceed to collecting the dependencies that got installed with pip freeze + * The position taken by cdxgen is "Some SBOM is better than no SBOM", so we proceed to collecting the dependencies that got installed with pip freeze */ if (DEBUG_MODE) { console.log( @@ -6674,7 +6671,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => { } else { if (DEBUG_MODE) { console.log( - "NOTE: Setup and activate a python virtual environment for this project prior to invoking cdxgen to improve SBoM accuracy." + "NOTE: Setup and activate a python virtual environment for this project prior to invoking cdxgen to improve SBOM accuracy." ); } } @@ -6732,9 +6729,8 @@ export const addEvidenceForImports = (pkgList, allImports) => { pkg.evidence = pkg.evidence || {}; pkg.evidence.occurrences = pkg.evidence.occurrences || []; pkg.evidence.occurrences.push({ - location: `${evidence.fileName}${ - evidence.lineNumber ? "#" + evidence.lineNumber : "" - }` + location: `${evidence.fileName}${evidence.lineNumber ? "#" + evidence.lineNumber : "" + }` }); importedModules.add(evidence.importedAs); for (const importedSm of evidence.importedModules || []) { 
@@ -7205,11 +7201,11 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
 let name = fileName.replace(extn, "");
 let apkg = getOSPackageForFile(afile, osPkgsList) ||
 epkgMap[name] || {
- name,
- group,
- version: "",
- type: pkgType
- };
+ name,
+ group,
+ version: "",
+ type: pkgType
+ };
 // If this is a relative file, there is a good chance we can reuse the project group
 if (!afile.startsWith(_sep)) {
 group = options.projectGroup || "";
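Review bot: `epkgMap[name]` in the reindented expression looks up a basename taken from the scanned source tree on what appears to be a plain object, so a file named like an inherited property (`constructor`, `toString`, `hasOwnProperty`) would yield the prototype function instead of falling through to the default package literal. Guarding the lookup, `(Object.hasOwn(epkgMap, name) ? epkgMap[name] : undefined)`, preserves the fallback for such names; if epkgMap is created with `Object.create(null)` or is a Map outside this hunk, the concern does not apply. getCppModules starts and ends outside the hunk.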