Annotation improvements - part 2 (#1451)

* Adds ml-tiny profile to reduce the size further. Improved stemming. Signed-off-by: Prabhu Subramanian <[email protected]> * obom tagging Signed-off-by: Prabhu Subramanian <[email protected]> --------- Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Nov 13, 2024 · a45feac · a45feac
1 parent 8446feb
commit a45feac
Show file tree

Hide file tree

Showing 18 changed files with 513 additions and 227 deletions.
diff --git a/README.md b/README.md
@@ -93,7 +93,7 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^10.9.6";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^11.0.0";
 ```
 
 ## Getting Help
@@ -148,7 +148,7 @@ Options:
                                and claim authorship.                               [array] [default: "OWASP Foundation"]
       --profile                BOM profile to use for generation. Default generic.
   [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
-                                                                  "ml", "deep-learning", "ml-deep"] [default: "generic"]
+                                                       "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"]
       --exclude                Additional glob pattern(s) to ignore                                              [array]
       --include-formulation    Generate formulation section with git metadata and build tools. Defaults to false.
                                                                                               [boolean] [default: false]

diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -239,6 +239,7 @@ const args = yargs(hideBin(process.argv))
       "ml",
       "deep-learning",
       "ml-deep",
+      "ml-tiny",
     ],
   })
   .option("lifecycle", {
@@ -317,6 +318,14 @@ const args = yargs(hideBin(process.argv))
       "$0 -t java -t js .",
       "Generate a SBOM for Java and JavaScript in the current directory",
     ],
+    [
+      "$0 -t java --profile ml .",
+      "Generate a Java SBOM for machine learning purposes.",
+    ],
+    [
+      "$0 -t python --profile research .",
+      "Generate a Python SBOM for appsec research.",
+    ],
     ["$0 --server", "Run cdxgen as a server"],
   ])
   .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
@@ -418,6 +427,13 @@ const applyAdvancedOptions = (options) => {
     case "license-compliance":
       process.env.FETCH_LICENSE = "true";
       break;
+    case "ml-tiny":
+      process.env.FETCH_LICENSE = "true";
+      options.deep = false;
+      options.evidence = false;
+      options.includeCrypto = false;
+      options.installDeps = false;
+      break;
     case "machine-learning":
     case "ml":
       process.env.FETCH_LICENSE = "true";
@@ -705,8 +721,10 @@ const checkPermissions = (filePath) => {
       usagesSlicesFile: options.usagesSlicesFile,
       dataFlowSlicesFile: options.dataFlowSlicesFile,
       reachablesSlicesFile: options.reachablesSlicesFile,
+      semanticsSlicesFile: options.semanticsSlicesFile,
       includeCrypto: options.includeCrypto,
       specVersion: options.specVersion,
+      profile: options.profile,
     };
     const dbObjMap = await evinserModule.prepareDB(evinseOptions);
     if (dbObjMap) {
@@ -719,8 +737,6 @@ const checkPermissions = (filePath) => {
         evinseOptions,
       );
       bomNSData.bomJson = evinseJson;
-      // Redo post processing with evinse data
-      bomNSData = postProcess(bomNSData, options);
       if (options.print && evinseJson) {
         printOccurrences(evinseJson);
         printCallStack(evinseJson);

diff --git a/bin/repl.js b/bin/repl.js
@@ -161,7 +161,7 @@ cdxgenRepl.defineCommand("search", {
           let dependenciesSearchStr = searchStr;
           if (!searchStr.includes("~>")) {
             dependenciesSearchStr = `dependencies[ref ~> /${searchStr}/i or dependsOn ~> /${searchStr}/i or provides ~> /${searchStr}/i]`;
-            searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i]`;
+            searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i or tags ~> /${searchStr}/i]`;
           }
           const expression = jsonata(searchStr);
           let components = await expression.evaluate(sbom);

diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -21,7 +21,7 @@ ARG SBT_VERSION=1.10.2
 ARG MAVEN_VERSION=3.9.9
 ARG GRADLE_VERSION=8.10
 ARG GO_VERSION=1.23.1
-ARG NODE_VERSION=23.1.0
+ARG NODE_VERSION=23.2.0
 ARG PYTHON_VERSION=3.12
 
 ENV GOPATH=/opt/app-root/go \

diff --git a/ci/base-images/cdxgen/Dockerfile.python b/ci/base-images/cdxgen/Dockerfile.python
@@ -11,7 +11,7 @@ LABEL maintainer="CycloneDX" \
       org.opencontainers.image.description="Rolling image with cdxgen SBOM generator for Python 3.12 apps" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-python:v10 -r /app --server"
 
-ARG NODE_VERSION=23.1.0
+ARG NODE_VERSION=23.2.0
 
 ENV NVM_DIR="/root/.nvm" \
     PYTHON_CMD=python3 \

diff --git a/ci/base-images/sle/Dockerfile.lang b/ci/base-images/sle/Dockerfile.lang
@@ -3,7 +3,7 @@ FROM registry.suse.com/bci/python:3.12
 ARG JAVA_VERSION=23-tem
 ARG MAVEN_VERSION=3.9.9
 ARG GCC_VERSION=13
-ARG NODE_VERSION=23.1.0
+ARG NODE_VERSION=23.2.0
 
 ENV JAVA_VERSION=$JAVA_VERSION \
     MAVEN_VERSION=$MAVEN_VERSION \