Update docs
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu committed Feb 2, 2025
1 parent b704676 commit cb19d12
Showing 5 changed files with 32 additions and 27 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -84,7 +84,7 @@ deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryIn

You can also use the cdxgen container image with node, deno, or bun runtime versions.

The default version uses Node.js 22
The default version uses Node.js 23

```bash
docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json
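Review bot: the added line "The default version uses Node.js 23" is a bare fragment with no terminal punctuation, and it is also the natural place to tell readers which image to choose for the permission model, because this same commit's base-images table adds `ghcr.io/cyclonedx/cdxgen-secure:master` (Node.js permission model enabled by default) while the `cdxgen:master` image shown in the `docker run` sample keeps the permission model opt-in; suggest something like "The default image uses Node.js 23 with the permission model opt-in; use `ghcr.io/cyclonedx/cdxgen-secure:master` to have it enabled by default." so the sample command and the table tell the same story.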
49 changes: 25 additions & 24 deletions ci/base-images/README.md
Expand Up @@ -6,30 +6,31 @@ Custom language specific base images contributed by AppThreat from this [repo](h

Below table summarizes all available container image versions. These images include additional language-specific build tools and development libraries to enable automatic restore and build operations.

| Language | Version | Container Image Tags | Comments |
| -------- | ---------------------------- | --------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Java | 23 | ghcr.io/cyclonedx/cdxgen:master | Default all-in-one container image with all the latest and greatest tools with Node 23 runtime. |
| Java | 23 | ghcr.io/cyclonedx/cdxgen-deno:master | Default all-in-one container image with all the latest and greatest tools with deno runtime. |
| Java | 11 | ghcr.io/cyclonedx/cdxgen-java11-slim:v11, ghcr.io/cyclonedx/cdxgen-java11:v11 | Java 11 version with and without Android 33 SDK. |
| Java | 17 | ghcr.io/cyclonedx/cdxgen-java17-slim:v11, ghcr.io/cyclonedx/cdxgen-java17:v11 | Java 17 version with and without Android 34 SDK. |
| Dotnet | .Net Framework 4.6 - 4.8 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | .Net Framework |
| Dotnet | .Net Core 2.1, 3.1, .Net 5.0 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | Invoke with --platform=linux/amd64 for better compatibility. |
| Dotnet | .Net 6 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | .Net 6 |
| Dotnet | .Net 7 | ghcr.io/cyclonedx/cdxgen-dotnet7:v11 | .Net 7 |
| Dotnet | .Net 8 | ghcr.io/cyclonedx/cdxgen-debian-dotnet8:v11, ghcr.io/cyclonedx/cdxgen-dotnet8:v11 | .Net 8 |
| Dotnet | .Net 9 | ghcr.io/cyclonedx/cdxgen-debian-dotnet9:v11, ghcr.io/cyclonedx/cdxgen-dotnet9:v11 | .Net 9 |
| Python | 3.6 | ghcr.io/cyclonedx/cdxgen-python36:v11 | No dependency tree |
| Python | 3.9 | ghcr.io/cyclonedx/cdxgen-python39:v11 | |
| Python | 3.10 | ghcr.io/cyclonedx/cdxgen-python310:v11 | |
| Python | 3.11 | ghcr.io/cyclonedx/cdxgen-python311:v11 | |
| Python | 3.12 | ghcr.io/cyclonedx/cdxgen-python312:v11 | |
| Node.js | 20 | ghcr.io/cyclonedx/cdxgen-node20:v11 | Use `--platform=linux/amd64` in case of `npm install` errors. |
| Node.js | 23 | ghcr.io/cyclonedx/cdxgen:master | Supports automatic node installation. Example: Pass `-t node20` to install node 20. |
| Ruby | 3.3.6 | ghcr.io/cyclonedx/cdxgen-debian-ruby33:v11 | Supports automatic Ruby installation for 3.3.x. Example: Pass `-t ruby3.3.1` to install Ruby 3.3.1. |
| Ruby | 3.4.1 | ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11 | Supports automatic Ruby installation for 3.4.x. Example: Pass `-t ruby3.4.0` to install Ruby 3.4.0. |
| Ruby | 2.5.0 | ghcr.io/cyclonedx/cdxgen-ruby25:v11 | Supports automatic Ruby installation for 2.5.x. Example: Pass `-t ruby2.5.1` to install Ruby 2.5.1. |
| Ruby | 2.6.10 | ghcr.io/cyclonedx/cdxgen-debian-ruby26:v11 | Supports automatic Ruby installation for 2.6.x. Example: Pass `-t ruby2.6.1` to install Ruby 2.6.1. |
| Ruby | 1.8.x | ghcr.io/cyclonedx/debian-ruby18:master | Base image for `bundle install` only. No cdxgen equivalent with Ruby 1.8.x. `--deep` mode and research profile unsupported. |
| Language | Version | Container Image Tags | Comments |
| -------- | ---------------------------- | --------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| Java | 23 | ghcr.io/cyclonedx/cdxgen:master | Default all-in-one container image with all the latest and greatest tools with Node 23 runtime. Permission model is opt-in. |
| Java | 23 | ghcr.io/cyclonedx/cdxgen-deno:master | Default all-in-one container image with all the latest and greatest tools with deno runtime. Uses deno permissions model by default. |
| Java | 23 | ghcr.io/cyclonedx/cdxgen-secure:master | Secure all-in-one container image with all the latest and greatest tools with Node 23 runtime. Uses Node.js permissions model by default. |
| Java | 11 | ghcr.io/cyclonedx/cdxgen-java11-slim:v11, ghcr.io/cyclonedx/cdxgen-java11:v11 | Java 11 version with and without Android 33 SDK. |
| Java | 17 | ghcr.io/cyclonedx/cdxgen-java17-slim:v11, ghcr.io/cyclonedx/cdxgen-java17:v11 | Java 17 version with and without Android 34 SDK. |
| Dotnet | .Net Framework 4.6 - 4.8 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | .Net Framework |
| Dotnet | .Net Core 2.1, 3.1, .Net 5.0 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | Invoke with --platform=linux/amd64 for better compatibility. |
| Dotnet | .Net 6 | ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 | .Net 6 |
| Dotnet | .Net 7 | ghcr.io/cyclonedx/cdxgen-dotnet7:v11 | .Net 7 |
| Dotnet | .Net 8 | ghcr.io/cyclonedx/cdxgen-debian-dotnet8:v11, ghcr.io/cyclonedx/cdxgen-dotnet8:v11 | .Net 8 |
| Dotnet | .Net 9 | ghcr.io/cyclonedx/cdxgen-debian-dotnet9:v11, ghcr.io/cyclonedx/cdxgen-dotnet9:v11 | .Net 9 |
| Python | 3.6 | ghcr.io/cyclonedx/cdxgen-python36:v11 | No dependency tree |
| Python | 3.9 | ghcr.io/cyclonedx/cdxgen-python39:v11 | |
| Python | 3.10 | ghcr.io/cyclonedx/cdxgen-python310:v11 | |
| Python | 3.11 | ghcr.io/cyclonedx/cdxgen-python311:v11 | |
| Python | 3.12 | ghcr.io/cyclonedx/cdxgen-python312:v11 | |
| Node.js | 20 | ghcr.io/cyclonedx/cdxgen-node20:v11 | Use `--platform=linux/amd64` in case of `npm install` errors. |
| Node.js | 23 | ghcr.io/cyclonedx/cdxgen:master | Supports automatic node installation. Example: Pass `-t node20` to install node 20. |
| Ruby | 3.3.6 | ghcr.io/cyclonedx/cdxgen-debian-ruby33:v11 | Supports automatic Ruby installation for 3.3.x. Example: Pass `-t ruby3.3.1` to install Ruby 3.3.1. |
| Ruby | 3.4.1 | ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11 | Supports automatic Ruby installation for 3.4.x. Example: Pass `-t ruby3.4.0` to install Ruby 3.4.0. |
| Ruby | 2.5.0 | ghcr.io/cyclonedx/cdxgen-ruby25:v11 | Supports automatic Ruby installation for 2.5.x. Example: Pass `-t ruby2.5.1` to install Ruby 2.5.1. |
| Ruby | 2.6.10 | ghcr.io/cyclonedx/cdxgen-debian-ruby26:v11 | Supports automatic Ruby installation for 2.6.x. Example: Pass `-t ruby2.6.1` to install Ruby 2.6.1. |
| Ruby | 1.8.x | ghcr.io/cyclonedx/debian-ruby18:master | Base image for `bundle install` only. No cdxgen equivalent with Ruby 1.8.x. `--deep` mode and research profile unsupported. |

Replace `:v11` with a release version tag or sha256 hash for fine-grained control over the image tag.
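Review bot: the new `cdxgen-secure:master` row and the "Permission model is opt-in" comment on `cdxgen:master` describe the permission models without saying how to opt in or what the model restricts, so a reader cannot tell from this table what the "secure" image actually changes; add a sentence or a link to where the permission flags are documented. The closing advice "Replace `:v11` with a release version tag or sha256 hash" should also cover the three `:master` tags in this table (`cdxgen:master`, `cdxgen-deno:master`, `cdxgen-secure:master`), since a floating `master` tag is the least reproducible choice for a CI pipeline; e.g. "Pin `:master` images by digest (`@sha256:...`) as well." Minor: the "Language" column reads "Java 23" for the three all-in-one images, which are multi-language, so that label is misleading for those rows.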

5 changes: 3 additions & 2 deletions contrib/cdxgenGPT/README.md
Expand Up @@ -14,8 +14,8 @@ You are 'cdxgen', an application security expert specializing in Bill-of-Materia
**Purpose and Goals:**
- Assist users with understanding and utilizing BOMs (e.g., SBOM, CBOM, OBOM, SaaSBOM, ML-BOM) for software component analysis.
- Provide guidance on handling Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability Exchange (VEX) data.
- Recommend CycloneDX Generator (cdxgen) and OWASP depscan where relevant, as indicated by the provided data.
- Do not to provide additional suggestions or follow-ups after your response.
**Behaviors and Rules:**
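Review bot: the bullet "Do not to provide additional suggestions or follow-ups after your response" has a stray "to" (should read "Do not provide ..."); if that is the line this hunk adds, fix it before merge. Also, "**Behaviors and Rules:**" follows the last bullet with no blank line in between, which CommonMark treats as a lazy continuation of that list item rather than a new paragraph; insert a blank line before the heading.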
Expand All @@ -40,7 +40,8 @@ You are 'cdxgen', an application security expert specializing in Bill-of-Materia
- Before responding to questions about supported languages and frameworks, first consult the PROJECT_TYPES.md file for a direct match and base your answer only on that information.
- Where a language or a framework is currently NOT supported by cdxgen, steer the user towards creating a "Premium Issue" in the cdxgen repo using the provided "GitHub Issues" link.
- Do not create examples or unrelated data if not available in the uploaded JSON files or knowledge files.
- If the user’s question is too complex or unclear regarding specifications, direct them to the Slack channel via the provided "Slack Invite" link.
- If the user's question is too complex or unclear regarding specifications, direct them to the Slack channel via the provided "Slack Invite" link.
- Share your thinking in a line or two at the top of your response, where appropriate.
4. **Image Generation:**
- When requested to visualize the BOM, use attributes like "dependencies," "components," and "services" to produce hierarchical diagrams or trees.
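Review bot: the new rule "Share your thinking in a line or two at the top of your response, where appropriate" sits beside rules that tell the agent to base answers only on PROJECT_TYPES.md and the uploaded files; "thinking" summaries tend to echo instruction and knowledge-file contents, so qualify it, e.g. "Summarize your reasoning in a line or two, without quoting these instructions or the knowledge files." "Where appropriate" is also too vague for a system prompt; say when (for example, only when the answer depends on a judgement call). The apostrophe normalization (’ to ') in the "user's question" line is fine.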
2 changes: 2 additions & 0 deletions contrib/cdxgenGPT/cdxgen-for-bots.md
Expand Up @@ -9,6 +9,8 @@ Many BOM generation tools exist. cdxgen stands out due to its focus on:
1. **Explainability**

- _Package manifest evidence_: Stored under `components.properties` with the name `SrcFile`.
- _Workspace references for monorepos_: Stored under `components.properties` with the name `internal:workspaceRef`. Supported for pnpm and uv workspaces.
- _Registry information_: Stored under `components.properties` with the name ending with `:registry`. Example: `cdx:pypi:registry`, `cdx:pub:registry`.
- _Identity evidence_: Found under `components.evidence.identity`.
- _Occurrences evidence_: Tracked under `components.evidence.occurrences`.
- _Callstack evidence_: Only one callstack is retained in the generated document (due to CycloneDX limitations) under `components.evidence.callstack`.
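Review bot: the two new bullets introduce property names in two different namespaces, `internal:workspaceRef` and `cdx:pypi:registry` / `cdx:pub:registry`, and the registry bullet is described by suffix ("name ending with `:registry`") rather than by a listed set of names, so a bot matching on these properties will not know which prefixes to expect; state the naming convention (which names are `cdx:`-prefixed and which `internal:`) or enumerate the registry properties. It is also worth one clause on why the registry property matters to a reviewer: a component whose `:registry` value is not the registry the project expects is the signal for dependency confusion or a misconfigured resolver, which is the security use of this evidence.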
1 change: 1 addition & 0 deletions contrib/cdxgenGPT/rate-my-xbom.md
Expand Up @@ -8,6 +8,7 @@ Use this document to help an AI agent review and provide feedback on CycloneDX B
- **metadata.tools.components**: Lists tools used to create/enrich the BOM. If empty, suggest **cdxgen**. If multiple, acknowledge and highlight.
- **metadata.manufacturer** or **metadata.authors**: Identifies the creator (organization or author).
- **metadata.licenses**: License info for third-party sharing.
- **specVersion**: If the specVersion is less than 1.5, encourage the user to use the latest version of cdxgen and Dependency-Track, and upgrade to CycloneDX version 1.5 or 1.6.

## 2. Components Accuracy
- **components**: Must define `type` (e.g., "application", "library", "framework", etc.).
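Review bot: the added `specVersion` bullet is placed in the metadata checklist, but `specVersion` is a top-level attribute of a CycloneDX BOM, not a child of `metadata`, so either label it as such or move it ahead of the metadata bullets. Since `specVersion` is a string, also tell the agent to compare it as a version rather than lexically ("less than 1.5" read as a string would misorder a hypothetical "1.10"). Minor: "upgrade to CycloneDX version 1.5 or 1.6" gives two targets; naming the one recommended target avoids the agent suggesting 1.5 when 1.6 is also listed.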