

First cut for automatic annotations and tagging
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu committed Nov 11, 2024
1 parent 21726cb commit 5d7fefe
Showing 28 changed files with 690 additions and 55 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/repotests.yml
Expand Up @@ -288,7 +288,7 @@ jobs:
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-5.json --only spring
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-6.json --deep --evidence
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-7.json --profile research --export-proto
PREFER_MAVEN_DEPS_TREE=true bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-8.json --profile license-compliance
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-8.json --profile license-compliance
bin/cdxgen.js -p -t java -t github repotests/java-sec-code -o bomresults/bom-java-sec-code-9.json
bin/cdxgen.js -p -t java -exclude-type js repotests/java-sec-code -o bomresults/bom-java-sec-code-10.json
shell: bash
1 change: 1 addition & 0 deletions .github/workflows/snapshot-tests.yml
Expand Up @@ -58,6 +58,7 @@ jobs:
SDKMAN_DIR: /home/runner/.sdkman
CDXGEN_DEBUG_MODE: debug
CDXGEN_LOG: /home/runner/work/new_snapshots/generate.log
PREFER_MAVEN_DEPS_TREE: false
run: |
mkdir /home/runner/work/new_snapshots
python test/diff/generate.py
11 changes: 6 additions & 5 deletions README.md
Expand Up @@ -116,6 +116,7 @@ Options:
--deep Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci i
mages. [boolean]
--server-url Dependency track url. Eg: https://deptrack.cyclonedx.io
--skip-dt-tls-check Skip TLS certificate check when calling Dependency-Track. [boolean] [default: false]
--api-key Dependency track api key
--project-group Dependency track project group
--project-name Dependency track project name. Default use the directory name
Expand All @@ -137,19 +138,19 @@ Options:
--validate Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
sable. [boolean] [default: true]
--evidence Generate SBOM with evidence for supported languages. [boolean] [default: false]
--spec-version CycloneDX Specification version to use. Defaults to 1.5 [number] [default: 1.5]
--spec-version CycloneDX Specification version to use. Defaults to 1.6 [number] [default: 1.6]
--filter Filter components containing this word in purl or component.properties.value. Multiple va
lues allowed. [array]
--only Include components only containing this word in purl. Useful to generate BOM with first p
arty components alone. Multiple values allowed. [array]
--author The person(s) who created the BOM. Set this value if you're intending the modify the BOM
and claim authorship. [array] [default: "OWASP Foundation"]
--profile BOM profile to use for generation. Default generic.
[choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic"] [default: "generic"
]
[choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
"ml"] [default: "generic"]
--exclude Additional glob pattern(s) to ignore [array]
--include-formulation Generate formulation section with git metadata and build tools. Defaults to true. Invoke
with --no-include-formulation to disable. [boolean] [default: true]
--include-formulation Generate formulation section with git metadata and build tools. Defaults to false.
[boolean] [default: false]
--include-crypto Include crypto libraries as components. [boolean] [default: false]
--standard The list of standards which may consist of regulations, industry or organizational-specif
ic standards, maturity models, best practices, or any other requirements which can be eva
10 changes: 10 additions & 0 deletions bin/cdxgen.js
Expand Up @@ -235,6 +235,8 @@ const args = yargs(hideBin(process.argv))
"threat-modeling",
"license-compliance",
"generic",
"machine-learning",
"ml",
],
})
.option("lifecycle", {
Expand Down Expand Up @@ -414,6 +416,14 @@ const applyAdvancedOptions = (options) => {
case "license-compliance":
process.env.FETCH_LICENSE = "true";
break;
case "machine-learning":
case "ml":
process.env.FETCH_LICENSE = "true";
options.deep = true;
options.evidence = false;
options.includeCrypto = false;
options.installDeps = true;
break;
default:
break;
}
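Review bot: The new `machine-learning`/`ml` case forces `options.installDeps = true` and overwrites `options.evidence` and `options.includeCrypto` with `false`, so selecting the profile silently discards `--evidence`/`--include-crypto` given on the command line and, presumably, makes cdxgen run the scanned project's package-manager install (with whatever install hooks that repository ships) without the user opting in explicitly. At minimum document both effects next to the case, e.g. `// ml profile: implies --deep and dependency installation; overrides --evidence/--include-crypto` above `case "machine-learning":`, and reflect it in the README text for `--profile`; better, apply the overrides only when the user did not set those flags. Note that `FETCH_LICENSE = "true"` also adds outbound registry lookups, as it does for license-compliance. The enclosing `applyAdvancedOptions` function starts before this hunk.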
2 changes: 1 addition & 1 deletion ci/Dockerfile
Expand Up @@ -4,7 +4,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.version="10.11.x" \
org.opencontainers.image.version="11.0.x" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
2 changes: 1 addition & 1 deletion ci/Dockerfile-bun
Expand Up @@ -4,7 +4,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.version="10.11.x" \
org.opencontainers.image.version="11.0.x" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
2 changes: 1 addition & 1 deletion ci/Dockerfile-deno
Expand Up @@ -4,7 +4,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.version="10.11.x" \
org.opencontainers.image.version="11.0.x" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
2 changes: 1 addition & 1 deletion ci/Dockerfile-ppc64
Expand Up @@ -4,7 +4,7 @@ LABEL maintainer="cyclonedx" \
org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
org.opencontainers.image.version="10.11.x" \
org.opencontainers.image.version="11.0.x" \
org.opencontainers.image.vendor="cyclonedx" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="cdxgen" \
3 changes: 1 addition & 2 deletions ci/base-images/cdxgen/Dockerfile.rolling
@@ -1,7 +1,6 @@
FROM ghcr.io/cyclonedx/opensuse-lang:master

ENV PREFER_MAVEN_DEPS_TREE=true \
CDXGEN_DEBUG_MODE=debug \
ENV CDXGEN_DEBUG_MODE=debug \
SCAN_DEBUG_MODE=debug \
CDXGEN_IN_CONTAINER=true \
PYTHONPATH=/opt/pypi
3 changes: 2 additions & 1 deletion data/README.md
Expand Up @@ -22,4 +22,5 @@ Contents of data directory and their purpose.
| wrapdb-releases.json | Database of all available meson wraps. Generated using contrib/wrapdb.py. |
| frameworks-list.json | List of string fragments to categorize components into frameworks |
| crypto-oid.json | Peter Gutmann's crypto oid [mapping](https://www.cs.auckland.ac.nz/~pgut001). GPL, BSD, or CC BY license |
| glibc-stdlib.json | Standard libraries that can be filtered out in C++ |
| glibc-stdlib.json | Standard libraries that can be filtered out in C++ |
| component-tags.json | List of tags to extract from component description text for easy classification. |
160 changes: 160 additions & 0 deletions data/component-tags.json
@@ -0,0 +1,160 @@
{
"description": [
"sql",
"http",
"xml",
"web",
"security",
"database",
"json",
"yaml",
"validat",
"sanitizat",
"cloud",
"iam",
"auth",
"middleware",
"serializat",
"event",
"stream",
"rpc",
"socket",
"proto",
"resource",
"data",
"sensitive",
"template",
"log",
"logging",
"service",
"api",
"slf4j",
"parse",
"emit",
"jdbc",
"connect",
"pool",
"beans",
"transact",
"mysql",
"postgres",
"oracle",
"mongo",
"redis",
"splunk",
"stripe",
"payment",
"finance",
"currency",
"coin",
"monero",
"ssl",
"traffic",
"mvc",
"html",
"escape",
"unescape",
"rest",
"tomcat",
"jackson",
"hibernate",
"orm",
"aop",
"jwt",
"saml",
"token",
"tls",
"codec",
"cron",
"crypto",
"jce",
"certificate",
"developer",
"tools",
"autoconfigure",
"test",
"jsonpath",
"bytecode",
"mock",
"inject",
"comparators",
"transform",
"encode",
"decode",
"ldap",
"owasp",
"fileupload",
"beanshell",
"spel",
"mail",
"apacheds",
"jndi",
"ldif",
"jdbm",
"kerberos",
"oidc",
"oauth2",
"cli",
"binary",
"ml",
"ai",
"azure",
"gcp",
"terraform",
"redis",
"valkey",
"lint",
"bundle",
"object-persistence",
"text-to-image",
"translat",
"object-detect",
"mvc",
"framework",
"graph",
"templates",
"fastjson",
"simd",
"event-driven",
"productivity",
"annotations",
"typesafe",
"projections",
"performance",
"plugins",
"non-block",
"microsoft"
],
"properties": [
"sql",
"http",
"xml",
"security",
"cloud",
"middleware",
"framework",
"bluetooth",
"wifi",
"wireless",
"driver",
"graphics",
"firmware",
"gyroscope",
"accelerometer",
"mobile",
"network",
"battery",
"matrix",
"thunderbolt",
"crypto",
"algorithm",
"encrypt",
"decrypt",
"registry",
"maps",
"payment",
"stripe",
"apple-pay",
"icloud"
]
}
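Review bot: The `description` list contains duplicate entries — `"redis"` appears twice and so does `"mvc"` — so any consumer iterating the list either emits a duplicate tag or does redundant matching; drop the second occurrences. Several fragments such as `"data"`, `"log"`, `"test"`, `"rest"` and `"proto"` are substrings of a large share of package descriptions, so if matching is plain substring (the `"validat"`/`"serializat"` stems suggest it is) the resulting tags will be noisy; consider whole-word matching for those or a less generic list. How this file is consumed is not visible in this commit.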
4 changes: 2 additions & 2 deletions deno.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cdxgen",
"version": "10.11.0",
"version": "11.0.0",
"exports": "./lib/cli/index.js",
"compilerOptions": {
"lib": ["deno.window"],
Expand All @@ -20,7 +20,7 @@
"include": ["bin/", "*.js", "lib/**"],
"exclude": ["test/", "data/", "contrib/"],
"rules": {
"tags": ["recommended", "no-self-compare"],
"tags": ["recommended"],
"exclude": ["no-unused-vars", "no-invalid-regexp"]
}
},
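Review bot: Removing `no-self-compare` from the deno lint `tags` is unrelated to the annotations feature in the title and is not explained in the commit message. If it was dropped because it is a rule name rather than a rule set (deno lint `tags` takes sets such as `recommended`), say so in the message; if the intent is to keep the check, move it to `"include": ["no-self-compare"]` under `rules` instead of losing it.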
1 change: 0 additions & 1 deletion docs/ADVANCED.md
Expand Up @@ -41,7 +41,6 @@ Some package managers support filtering dependencies. For example, maven `depend
Java maven example:

```shell
export PREFER_MAVEN_DEPS_TREE=true
export MVN_ARGS="-Dexcludes=:::*-SNAPSHOT"
```

2 changes: 1 addition & 1 deletion docs/ENV.md
Expand Up @@ -9,7 +9,7 @@ The following environment variables are available to configure the bom generatio
| MVN_CMD | Set to override maven command |
| MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
| MAVEN_HOME | Specify maven home |
| PREFER_MAVEN_DEPS_TREE | Use maven `dependency:tree` command instead of the cyclonedx maven plugin |
| PREFER_MAVEN_DEPS_TREE | Use maven `dependency:tree` command instead of the cyclonedx maven plugin. Defaults to true from v11. Set to false to use the cyclonedx-maven-plugin. |
| MAVEN_CENTRAL_URL | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used) |
| ANDROID_MAVEN_URL | Specify URL of Android Maven Repository for metadata fetching (e.g. when private repo is used) |
| BAZEL_ARGS | Additional arguments for Bazel command. Eg: --bazelrc=bazelrc.remote |
2 changes: 1 addition & 1 deletion jsr.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cdxgen",
"version": "10.11.0",
"version": "11.0.0",
"exports": "./lib/cli/index.js",
"include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
"exclude": [
15 changes: 12 additions & 3 deletions lib/helpers/display.js
Expand Up @@ -36,12 +36,13 @@ export function printTable(
columnDefault: {
width: 30,
},
columnCount: 4,
columnCount: 5,
columns: [
{ width: 25 },
{ width: 35 },
{ width: 25, alignment: "right" },
{ width: 15 },
{ width: 25 },
],
};
const stream = createStream(config);
Expand All @@ -52,6 +53,7 @@ export function printTable(
"Name",
filterTypes?.includes("cryptographic-asset") ? "Version / oid" : "Version",
"Scope",
"Tags",
]);
for (const comp of bomJson.components) {
if (filterTypes && !filterTypes.includes(comp.type)) {
Expand All @@ -70,6 +72,7 @@ export function printTable(
highlightStr(comp.name, highlight),
`\x1b[1;35m${comp.version || ""}\x1b[0m`,
comp.scope || "",
(comp.tags || []).join(", "),
]);
}
}
Expand Down Expand Up @@ -436,17 +439,23 @@ export function printSummary(bomJson) {
alignment: "center",
content: "BOM summary",
},
columns: [{ wrapWord: true, width: 100 }],
};
const metadataProperties = bomJson?.metadata?.properties;
if (!metadataProperties) {
return;
}
const tools = bomJson?.metadata?.tools?.components;
let message = "";
let bomPkgTypes = [];
let bomPkgNamespaces = [];
// Print any annotations found
const annotations = bomJson?.annotations || [];
for (const annot of annotations) {
message = `${message}\n${annot.text}`;
}
const tools = bomJson?.metadata?.tools?.components;
if (tools) {
message = "** Generator Tools **";
message = `${message}\n\n** Generator Tools **`;
for (const atool of tools) {
if (atool.name && atool.version) {
message = `${message}\n${atool.name} (${atool.version})`;
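Review bot: The annotation loop added at the top of printSummary appends `annot.text` unconditionally, so an annotation object without a `text` field prints the literal string `undefined`, and when there are no annotations the message still opens with the two newlines prepended before `** Generator Tools **`; guard it with `if (annot?.text) { message = `${message}\n${annot.text}`; }`. The annotations are taken from the BOM being summarized, so if that BOM can come from a file rather than only from this run, the text is echoed to the terminal verbatim — since the table output already relies on ANSI escapes, an escape sequence inside annotation text would alter the terminal output, and stripping control characters before printing would be a cheap safeguard. The rest of printSummary lies outside this hunk.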
