Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tool name: CycloneDX JavaScript Library #62

Open
8 of 60 tasks
jkowalleck opened this issue Jan 28, 2025 · 0 comments
Open
8 of 60 tasks

Tool name: CycloneDX JavaScript Library #62

jkowalleck opened this issue Jan 28, 2025 · 0 comments
Labels
foss-tool

Comments

@jkowalleck
Copy link

jkowalleck commented Jan 28, 2025
edited
Loading

homepage_url

https://github.com/CycloneDX/cyclonedx-javascript-library#readme-ov-file

contact_email

jan.kowalleck [at] owasp.org

code_view_url

https://github.com/CycloneDX/cyclonedx-javascript-library

spdx_license_expression

Apache-2.0

description

This software librart provides the core functionality of CycloneDX for JavaScript (Node.js or WebBrowsers),
written in TypeScript and compiled for the target.

Responsibilities

  • Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
  • Provide typing for said implementation, so developers and dev-tools can rely on it.
  • Provide data models to work with CycloneDX.
  • Provide JSON- and XML-normalizers, that...
    • supports all shipped data models.
    • respects any injected CycloneDX Specification and generates valid output according to it.
    • can be configured to generate reproducible/deterministic output.
    • can prepare data structures for JSON- and XML-serialization.
  • Serialization:
    • Provide a universal JSON-serializer for all target environments.
    • Provide an XML-serializer for all target environments.
    • Support the downstream implementation of custom XML-serializers tailored to specific environments
      by providing an abstract base class that takes care of normalization and BomRef-discrimination.
      This is done, because there is no universal XML support in JavaScript.
  • Provide formal JSON- and XML-validators according to CycloneDX Specification. (currently for Node.js only)

Capabilities

  • Enums for the following use cases:
    • AttachmentEncoding
    • ComponentScope
    • ComponentType
    • ExternalReferenceType
    • HashAlgorithm
    • Vulnerability related:
      • AffectStatus
      • AnalysisJustification
      • AnalysisResponse
      • AnalysisState
      • RatingMethod
      • Severity
  • Data models for the following use cases:
    • Attachment
    • Bom
    • BomLink, BomLinkDocument, BomLinkElement
    • BomRef, BomRefRepository
    • Component, ComponentRepository, ComponentEvidence
    • ExternalReference, ExternalReferenceRepository
    • Hash, HashContent, HashDictionary
    • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
    • Metadata
    • OrganizationalContact, OrganizationalContactRepository
    • OrganizationalEntity, OrganizationalEntityRepository
    • Property, PropertyRepository
    • SWID
    • Tool, ToolRepository, Tools
    • Vulnerability related:
      • Advisory, AdvisoryRepository
      • Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
      • Analysis
      • Credits
      • Rating, RatingRepository
      • Reference, ReferenceRepository
      • Source
      • Vulnerability, VulnerabilityRepository
  • Utilities for the following use cases:
    • Generate valid random SerialNumbers for Bom.serialNumber
  • Factories for the following use cases:
    • Create data models from any license descriptor string
    • Create PackageURL from Component data models
    • Specific to Node.js: create data models from PackageJson-like data structures and derived data
  • Builders for the following use cases:
    • Specific to Node.js: create deep data models Tool or Component from PackageJson-like data structures
  • Implementation of the CycloneDX Specification for the following versions:
    • 1.6
    • 1.5
    • 1.4
    • 1.3
    • 1.2
  • Normalizers that convert data models to JSON structures
  • Normalizers that convert data models to XML structures
  • Universal serializer that converts Bom data models to JSON string
  • Specific Serializer that converts Bom data models to XML string
  • Formal validators for JSON string and XML string (currently for Node.js only)

primary_languages

TypeScript

short_term_roadmap

all things are community efforts - come and help/contribute

long_term_roadmap

all things are community efforts - come and help/contribute

proprietary_data

  • Yes, the tool depends on proprietary data sources

commercial_features

  • Yes, the tool has a commercial version with different/additional features

capabilities

  • Identifiers - Use Package-URL (PURL) identifiers
  • Identifiers - Use SPDX license expressions
  • Scanning - Analyze package manifests and lockfiles
  • Scanning - Analyze package files
  • Scanning - Scan for copyright
  • Scanning - Scan for license
  • Scanning - Analyze source code
  • Scanning - Analyze containers
  • Scanning - Analyze installed system packages (linux distros)
  • Scanning - Analyze installed application packages
  • Scanning - Other analysis
  • Packages - Inventory packages
  • Packages - Inventory packages dependencies
  • Packages - Resolve dependencies
  • Packages - Navigate or display dependency graph
  • Compliance - Generate CycloneDX SBOMs
  • Compliance - Generate SPDX SBOMs
  • Compliance - Validate CycloneDX SBOM
  • Compliance - Validate SPDX SBOMs
  • Compliance - Generate CycloneDX VEX
  • Compliance - Generate CSAF VEX
  • Compliance - Generate OpenVex
  • Compliance - Generate other compliance documents
  • Policies - Define and check license policies
  • Policies - Define and check security policies
  • Policies - Define and check other policies
  • Data - Database of Package metadata
  • Data - Database of Package dependency relationships
  • Data - Database of License obligations
  • Data - Database of Licenses
  • Data - Database of Vulnerabilities
  • License - Help triage license issues
  • License - Generate license credit and attribution notices
  • License - Generate source code redistribution lists
  • Vulnerabilities - Detect vulnerable code in packages
  • Vulnerabilities - Find known vulnerabilities for package
  • Vulnerabilities - Determine reachable vulnerabilities
  • Vulnerabilities - Help triage vulnerabilities
  • Binaries - Analyze binaries
  • Binaries - Analyze ELF binaries
  • Binaries - Analyze Windows binaries
  • Binaries - Analyze firmware binaries
  • Binaries - Analyze Other binaries
  • Matching - Match source code
  • Matching - Match binary code
  • Tracing - Trace code execution
  • Tracing - Trace build
  • Code Security - Analyze code statically (SAST/linting)
  • Code Security - Analyze code dynamically (DAST)
  • Download - Source package
  • Download - Source repositories
  • Download - Binary package
  • Deployment - Deployable as containers (Docker/OCI/k8s/etc)
  • Deployment - Deployable in CI/CD pipelines
  • Deployment - Deployable as a library
  • Run - Run as a command line tool
  • Run - Run as a web application
  • Run - Run as an API service

other_capabilities

License triage - When incorrect SPDX license identifiers are detected and can be mapped to correct SPDX License identifiers where possible this is identified
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
foss-tool
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jkowalleck