Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update references of SBoM to SBOM #610

Merged
merged 3 commits into from
Oct 4, 2023
Merged

Update references of SBoM to SBOM #610

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0a994c9
Update references of SBoM to SBOM for consistency
setchy Oct 4, 2023
e9a0876
Update references of SBoM to SBOM for consistency
setchy Oct 4, 2023
b368164
feedback : update SBOM to BOM
setchy Oct 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 20 additions & 20 deletions ADVANCED.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Advanced Usage

## Evinse Mode / SaaSBoM
## Evinse Mode / SaaSBOM

Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxgen to generate component evidence and SaaSBoM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom)
Evinse (Evinse Verification Is Nearly SBOM Evidence) is a new command with cdxgen to generate component evidence and SaaSBOM for supported languages. The tool is powered by [atom](https://github.com/AppThreat/atom)

<img src="./docs/occurrence-evidence.png" alt="occurrence evidence" width="256">

Expand All @@ -14,14 +14,14 @@ Evinse (Evinse Verification Is Nearly SBoM Evidence) is a new command with cdxge

- Java > 17 installed
- Application source code
- Input SBoM in CycloneDX >1.5 format. Use cdxgen to generate one.
- Input SBOM in CycloneDX >1.5 format. Use cdxgen to generate one.

### Usage

```shell
evinse -h
Options:
-i, --input Input SBoM file. Default bom.json
-i, --input Input SBOM file. Default bom.json
[default: "bom.json"]
-o, --output Output file. Default bom.evinse.json
[default: "bom.evinse.json"]
Expand Down Expand Up @@ -52,7 +52,7 @@ Options:
-h Show help [boolean]
```

To generate an SBoM with evidence for a java project.
To generate an SBOM with evidence for a java project.

```shell
evinse -i bom.json -o bom.evinse.json <path to the application>
Expand All @@ -76,14 +76,14 @@ For JavaScript or TypeScript projects, pass `-l javascript`.
evinse -i bom.json -o bom.evinse.json --usages-slices-file usages.json --data-flow-slices-file data-flow.json -l javascript --with-data-flow <path to the application>
```

## Generate SBoM from maven or gradle cache
## Generate SBOM from maven or gradle cache

There could be Java applications with complex dependency requirements. Or you might be interested in cataloging your Maven or gradle cache.
A bonus of this mode is that the resulting SBoM would have a property called `Namespaces` with a list of class names belonging to each jar.
A bonus of this mode is that the resulting SBOM would have a property called `Namespaces` with a list of class names belonging to each jar.

### Generate evidence of usage

After generating an SBoM from a cache, we can now look for evidence of direct usage with evinse!
After generating an SBOM from a cache, we can now look for evidence of direct usage with evinse!

```shell
# compile or build your application
Expand All @@ -106,19 +106,19 @@ To improve performance for re-runs, pass the argument `--skip-maven-collector` t

| Command | Description |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| .create | Create an SBoM from a path |
| .import | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported. |
| .create | Create an SBOM from a path |
setchy marked this conversation as resolved.
Show resolved Hide resolved
| .import | Import an existing SBOM from a path. Any SBOM in CycloneDX format is supported. |
setchy marked this conversation as resolved.
Show resolved Hide resolved
| .search | Search the given string in the components name, group, purl and description |
| .sort | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` |
| .query | Pass a raw query in [jsonata](http://docs.jsonata.org/) format |
| .print | Print the SBoM as a table |
| .print | Print the SBOM as a table |
setchy marked this conversation as resolved.
Show resolved Hide resolved
| .tree | Print the dependency tree if available |
| .validate | Validate the SBoM |
| .validate | Validate the SBOM |
| .exit | To exit the shell |
| .save | To save the modified SBoM to a new file |
| .save | To save the modified SBOM to a new file |
setchy marked this conversation as resolved.
Show resolved Hide resolved
| .update | Update components based on query expression. Use syntax `\| query \| new object \|`. See example. |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBoM |
| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBoM |
| .occurrences | View components with evidence.occurrences as a table. Use evinse command to generate such an SBOM |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Occurrences and callstack are valid only for SBOM so these two are correct!

| .callstack | View components with evidence.callstack.frames as a table. Use evinse command to generate such an SBOM |
| .services | View services as a table |

In addition, all the keys from [queries.json](./data/queries.json) are also valid commands. Example: `processes`, `apt_sources`, etc. Type `.help` to view the full list of commands.
Expand All @@ -131,7 +131,7 @@ Start the REPL server.
cdxi
```

Below are some example commands to create an SBoM for a spring application and perform searches and queries.
Below are some example commands to create an SBOM for a spring application and perform searches and queries.

```
.create /mnt/work/vuln-spring
Expand All @@ -151,11 +151,11 @@ Repl history will persist under the `$`HOME/.config/.cdxgen`directory. To overri

## Mixed Java Projects

If a java project uses Maven and gradle, maven is selected for SBoM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT.
If a java project uses Maven and gradle, maven is selected for SBOM generation under default settings. To force cdxgen to use gradle, use the argument `-t gradle`. Similarly, use `-t scala` for scala SBT.

## Generating container SBoM on Windows
## Generating container SBOM on Windows

cdxgen supports generating container SBoM for Linux images on Windows. Follow the steps listed below.
cdxgen supports generating container SBOM for Linux images on Windows. Follow the steps listed below.

- Ensure cdxgen-plugins-bin > 1.4.0 is installed.

Expand All @@ -171,7 +171,7 @@ npm install -g @cyclonedx/cdxgen-plugins-bin
cdxgen -t docker -o bom.json <image name>
```

## Generate SBoM with evidence for the cdxgen repo
## Generate SBOM with evidence for the cdxgen repo

Why not?

Expand Down
Loading