Merge pull request #48 from Mariuxdeangelo/squash-and-signoff
squash commit for SBOM-Catalog contribution to SBOM-Everywhere SIG
joshbressers authored Apr 23, 2024
2 parents 03d79bf + fee9611 commit 338835f
Showing 133 changed files with 10,147 additions and 0 deletions.
12 changes: 12 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,12 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
- package-ecosystem: "npm" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"
open-pull-requests-limit: 10
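Review bot: `directory: "/"` points Dependabot at the repository root, but the workflows in this same commit run `npm install` from `SBOM-Catalog/`, so the npm manifest this entry is meant to watch lives under `/SBOM-Catalog` and Dependabot will find nothing to update at `/`; change it to `directory: "/SBOM-Catalog"`. Consider adding a second entry with `package-ecosystem: "github-actions"` as well, so the action versions referenced by the new workflows get update PRs too.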
79 changes: 79 additions & 0 deletions .github/workflows/build-and-publish-page.yml
@@ -0,0 +1,79 @@
name: Node.js CI

on:
release:
types: [published]

workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Use Node.js LTS
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Install dependencies
run: cd SBOM-Catalog && npm install

- name: Run build
run: cd SBOM-Catalog && npm run build

- name: Upload pages artifact to action workflow
uses: actions/upload-artifact@v4
with:
name: pages-build-artifact
path: SBOM-Catalog/dist

- name: Create zip for release file
run: zip -r sbom-catalog-${{github.ref_name}}.zip SBOM-Catalog/dist

- name: Upload pages release asset
uses: softprops/action-gh-release@v2
with:
files: sbom-catalog-${{github.ref_name}}.zip

- name: Deploy
uses: JamesIves/github-pages-deploy-action@v4
with:
folder: SBOM-Catalog/dist
branch: gh-pages

create_spdx_sbom:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Use Node.js LTS
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Syft SPDX SBOM generation
uses: anchore/sbom-action@v0
with:
artifact-name: sbom-catalog-${{github.ref_name}}.spdx.json
format: spdx-json

create_cdx_sbom:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Use Node.js LTS
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Syft CycloneDx SBOM generation
uses: anchore/sbom-action@v0
with:
artifact-name: sbom-catalog-${{github.ref_name}}.cdx.json
format: cyclonedx-json
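Review bot: the workflow declares no `permissions:` block, yet the `Upload pages release asset` and `Deploy` steps both write to the repository, so every job runs with whatever default `GITHUB_TOKEN` scope the repository settings grant; add an explicit `permissions:` with `contents: write` on the `build` job and `contents: read` on `create_spdx_sbom` and `create_cdx_sbom`, so each job holds only what it uses. Two further points in this hunk: `${{github.ref_name}}` is expanded directly into `run:` shell lines (`run: zip -r sbom-catalog-${{github.ref_name}}.zip SBOM-Catalog/dist`), the pattern GitHub's workflow hardening guidance recommends replacing with an `env:` variable that the shell then reads, and the third-party actions (`softprops/action-gh-release@v2`, `JamesIves/github-pages-deploy-action@v4`, `anchore/sbom-action@v0`) are referenced by mutable tags rather than pinned commit SHAs. Finally, the two SBOM jobs set up Node but never install anything, so their `setup-node` step is unused, and the generated SPDX and CycloneDX files are only uploaded as workflow artifacts rather than attached to the release alongside the zip, so consumers of the release get the catalog without its SBOM.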
22 changes: 22 additions & 0 deletions .github/workflows/build-pull-request.yml
@@ -0,0 +1,22 @@
name: CI

on:
pull_request:

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Install dependencies
run: cd SBOM-Catalog && npm install

- name: Run build
run: cd SBOM-Catalog && npm run build
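Review bot: this PR workflow also has no `permissions:` block; a build-only job needs nothing beyond `contents: read`, so declare that explicitly rather than inheriting the repository default. In the `Install dependencies` step, `npm install` may re-resolve dependencies and rewrite the lockfile, whereas `npm ci` installs exactly what `package-lock.json` records and fails if manifest and lockfile disagree, which is the behaviour you want in CI for a reproducible build; the same applies to the install step in `build-and-publish-page.yml`.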
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -86,6 +86,14 @@ The Federal Government exists at every point of the Software Delivery Lifecycle,
- [Minimum Standards for Federal Government End Users](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer)


## SBOM Catalog
To provide a better overview of the available tooling and their capabilities, this group maintains an SBOM Catalog which can be found under the following link:

[https://ossf.github.io/sbom-everywhere/](https://ossf.github.io/sbom-everywhere/)

If you want to get involved, please see the document [here](/SBOM-Catalog/contribute.md)


## Prior Work
### NTIA
- [NTIA SBOM Resources](https://ntia.gov/SBOM)
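Review bot: the link `[here](/SBOM-Catalog/contribute.md)` is root-relative, which GitHub resolves against the repository but a copy of the README rendered elsewhere will not; a relative `SBOM-Catalog/contribute.md` works in both places, and descriptive link text such as `the contribution guide` reads better than `here`.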
18 changes: 18 additions & 0 deletions SBOM-Catalog/.eslintrc.cjs
@@ -0,0 +1,18 @@
/* eslint-env node */
require('@rushstack/eslint-patch/modern-module-resolution')

module.exports = {
root: true,
ignorePatterns: ["dist", "build", "node_modules", ".idea"],
'extends': [
'plugin:vue/vue3-recommended',
'eslint:recommended',
'@vue/eslint-config-typescript',
'@vue/eslint-config-prettier/skip-formatting'
],
parserOptions: {
ecmaVersion: 'latest'
},
rules: {
}
}
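Review bot: minor style in the config object: `'extends'` is quoted while `root`, `ignorePatterns`, `parserOptions` and `rules` are not, and the `ignorePatterns` array uses double quotes while the `extends` entries use single quotes; pick one form. The empty `rules: {}` block can be dropped until a rule is actually overridden.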
24 changes: 24 additions & 0 deletions SBOM-Catalog/.gitignore
@@ -0,0 +1,24 @@
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*
lerna-debug.log*

node_modules
dist
dist-ssr
*.local

# Editor directories and files
.vscode/*
!.vscode/extensions.json
.idea
.DS_Store
*.suo
*.ntvs*
*.njsproj
*.sln
*.sw?
75 changes: 75 additions & 0 deletions SBOM-Catalog/contribute.md
@@ -0,0 +1,75 @@
# SBOM Catalog

This is a project to implement an SBOM Catalog inspired by the [Landscape of the Cloud Native Computing Foundation](https://landscape.cncf.io/).


The page can be found [here](https://ossf.github.io/sbom-everywhere/)

## How to add your tool
If you know of a tool or project that should be listed here, please open an Issue or add a MergeRequest. There are three things to consider while adding a new tool:

### 1. Add a new entry
The public/data.yaml contains all the information a user can search on the page. Add a new entry to the list of tools. Please follow the following convention regarding the values. Please also refer to the tool's source, where the features are documented.

##### Name
The name of the tool. This should be distinct in the list and is used as an identifier.

##### Publisher
The publisher refers to the company or institution maintaining the tool. It should be spelled similarly each time so users can find all tools from the same publisher.

##### Standards
A list of Standards a tool can produce. Currently, the three standards which are recognized by the [NTIA](https://www.ntia.gov/sites/default/files/publications/sbom_formats_survey-version-2021_0.pdf) are supported:
- SPDX
- CycloneDx
- SWID

##### Abilities
Abilities describe the capabilities of the tool. In what part of the software development lifecycle can the tool be used? The following abilities are supported:
- **Compare** - *Can compare two SBOMs*
- **Consume** - *Can use a provided SBOM in some form*
- **Convert** - *Can Convert between formats (SPDX, CycloneDX), versions or file-formats (json, xml)*
- **Edit** - *Can somehow edit the contents of a SBOM*
- **Generate** - *Can automatically generate a SBOM*
- **Merge** - *Can merge several SBOMs*
- **Validate** - *Can validate a SBOM against the file schema or requirements like defined by the NTIA*

##### Type
SBOMs may contain different forms of the minimum information sourced from different
product artifacts. The following types are supported as published by the [NTIA](https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom). Because many tools specifically support the scanning of container images, the category **Container** is added additionally. Even if container scans can be considered *Analyzed*:
- Design
- Source
- Build
- Analyzed
- Deployed
- Runtime
- Container

### 2. Add a description
You can add a detailed description to the /public/descriptions folder. The description should be written in markdown and named after the tool (the Same name as in the data.yaml). It should contain detailed information about the tools and features claimed in the data section. Feel free to add links to the GitHub repository or supplier.

### 3. Add a logo
You can add a logo to the /public/logos folder. The logo should be named after the tool (the Same name as in the data.yaml). It should be a PNG file with a transparent background and 200px x 200px.

The logo will be displayed on the page in the Map View, the List View, and the details section. You can add Logos for all categories and also for the Publisher.

If you add a Logo, we assume your project and/or company are OK with that. The logo should be used under the fair use policy. If you want to remove your logo, please open an issue, and we will remove it.

## Shoutout

A shoutout goes to D3JS for providing such a great library to visualize and interact with data. I stand on the shoulders of giants with this tooling. Also, thanks go to the people from vue.js, who just provide a great JavaScript framework.

Special thanks to [Mike Bostock](https://observablehq.com/@d3/zoomable-circle-packing?intent=fork) for sharing their examples and snippets used under the [ISC License](https://choosealicense.com/licenses/isc/) to provide the different views in the landscape.

<details><summary>ISC License</summary>
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
</details>
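Review bot: heading levels jump from `### 1. Add a new entry` to `##### Name`, skipping h4, which breaks the document outline; use `####` for the field headings. Wording: the repository is on GitHub, so `add a MergeRequest` should read `open a Pull Request`; `CycloneDx` under Standards should match the `CycloneDX` spelling used under Abilities, since the value doubles as an identifier in `data.yaml` and contributors will copy whichever form they read; and the sentence ending `Even if container scans can be considered *Analyzed*:` is a fragment that belongs to the preceding sentence. The license text inside `<details>` needs a blank line after the `<summary>` line if it is to be rendered as markdown; without it the renderer treats the block as raw HTML and collapses the line breaks.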
13 changes: 13 additions & 0 deletions SBOM-Catalog/index.html
@@ -0,0 +1,13 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/favicon.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>SBOM Landscape</title>
</head>
<body>
<div id="app"></div>
<script type="module" src="/src/main.ts"></script>
</body>
</html>