CBOMkit is a toolset for handling Cryptographic Bill of Materials (CBOM). This page describes how you can join the community in this goal.
If you are new to the community, we recommend you do the following before diving into the code:
- Read the Code of Conduct
- Familiarize yourself with the community (via GitHub etc.)
The Sonar Cryptography Plugin uses the following labels to help non-maintainers find issues best suited to their interest and experience level:
- good first issue - these issues are typically the simplest available to work on, ideal for newcomers. They should already be fully scoped, with a clear approach outlined in the descriptions.
- help wanted - these issues are generally more complex than good first issues. They typically cover work that core maintainers don't currently have capacity to implement and may require more investigation/discussion. These are a great option for experienced contributors looking for something a bit more challenging.
Check that all Java files are well formatted and that license headers are in place.
mvn spotless:check
Applies formatting and license headers to the files.
mvn spotless:apply
Spotless Maven Documentation: https://github.com/diffplug/spotless/blob/main/plugin-maven/README.md
Check the coding style (the Maven goal is written with a single colon).
mvn checkstyle:check
To build or run CBOMkit, you need access to the sonar-cryptography-plugin dependency, hosted on GitHub as a GitHub Package. Using GitHub Packages requires you to authenticate with a GitHub account using a personal access token. You will find explanations here.
# builds a JAR file for the API server
make build-backend
# creates a docker image for the API server
make build-backend-image
# creates a docker image for the frontend/viewer
make build-frontend-image
Depending on where you want to change things, you can spin up different development environments.
# creates a dev environment, including
# - postgres database
make dev
# creates a dev environment, including
# - postgres database
# - frontend
make dev-backend
# creates a dev environment, including
# - postgres database
# - api server (backend)
make dev-frontend
# using the cli
quarkus dev
# using maven
./mvnw quarkus:dev
Download and install the quarkus-cli from here.
# change to the frontend directory
cd frontend/
# use vue cli to start the frontend in dev mode
vue-cli-service serve --port 8001
When the service is deployed, it first attempts to parse the purls.json file from the resource directory as part of the initialization procedure. This process extracts the repository-related purl of each software package referenced in the file and stores it as the identifier in a database table, together with the package's other related purls.
The folks at ScanOSS maintain a repository called scanoss/purl2cpe. This repository is the basis for the purls.json file, as it already contains a large number of purls and their associated software packages.
When the purls-generation/main.py Python script is executed, it traverses the resource folder containing a clone of the ScanOSS repository from a given point in time and generates the purls.json file.
When a new file should be generated, the version variable in the purls-generation/main.py script should be increased. Only when the version has changed will the CBOM Generator re-read the purls.json file from the resource directory.
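The generation and re-read logic described above, as an added Python illustration that is not CBOMkit's own purls-generation/main.py: the input package groups are constructed stand-ins for data extracted from a purl2cpe clone, and both the entry layout and the purls.json schema are assumptions.

```python
"""Added illustration of the purls.json workflow (not CBOMkit's own code).
The input layout and the output schema are assumptions."""
import json
from typing import Optional

VERSION = 1  # bump this to make the service re-read the generated file

# Constructed stand-in for data extracted from a purl2cpe clone: each entry
# lists purls that refer to the same software package (layout assumed).
SAMPLE_PACKAGES = [
    ["pkg:maven/org.bouncycastle/bcprov-jdk18on", "pkg:github/bcgit/bc-java"],
    ["pkg:pypi/cryptography", "pkg:github/pyca/cryptography"],
    ["pkg:npm/leftpad"],  # no repository purl -> no identifier, skipped
]

# purl types that point at a source repository (assumed list)
REPO_TYPES = ("github", "gitlab", "bitbucket")


def purl_type(purl: str) -> str:
    """Return the lower-cased type component of a purl ('pkg:<type>/...')."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg" or not rest:
        raise ValueError(f"not a purl: {purl}")
    return rest.split("/", 1)[0].lower()


def generate_purls(packages, version: int = VERSION) -> dict:
    """Pick the repository purl of each package as identifier, keep the rest as related purls."""
    entries = []
    for purls in packages:
        repo = [p for p in purls if purl_type(p) in REPO_TYPES]
        if not repo:
            continue
        entries.append({"identifier": repo[0],
                        "purls": sorted(p for p in purls if p != repo[0])})
    return {"version": version, "packages": entries}


def load_if_changed(doc: dict, stored_version: int) -> Optional[dict]:
    """Mirror the service's initialization: only re-read when the version changed."""
    if doc["version"] == stored_version:
        return None
    return {e["identifier"]: e["purls"] for e in doc["packages"]}


if __name__ == "__main__":
    doc = generate_purls(SAMPLE_PACKAGES)
    print(json.dumps(doc, indent=2))
    print(load_if_changed(doc, stored_version=0))
```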