
feat: File-type components and hashes #1235

@jkowalleck

Description

currently, SBOM "components" are detected based on a package.json file.
that's cool for most situations.

but what if there is just no package.json? or it is untrusted for reasons?

Let's add file-based (sub-)components, that have a proper hash to them.
-> the feature is disabled by default, can be enabled by a new config option. name to be defined.

Note

since this PR will add properties of the BSI, ask @mschusterbsi for a review. A review of the code might not be necessary; a review of some example SBOMs should be enough.

expected outcome

  • update the README, tell that this tool includes properties of the BSI.
  • components that represent "packages" have sub-components, one for each file that is used.
    • each of the file-based sub-components has a computed set of hashes on them.
    • each of the file-based sub-components name is the relative path of the file. relative to the root component.
    • each of the file-based sub-components, if file ends with .js, then set property bsi:component:executable = executable
    • each of the file-based sub-components has property bsi:component:archive = no archive
    • each of the file-based sub-components has the property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
    • the component that represents the package has the property bsi:component:archive = archive and bsi:component:structured = structured. reason: it is a package, and BSI TR-03183-2 v2.0.0 section 8.1.5 calls out that packages are structured archives
  • if no package.json can be found (other than the project's own one), then the file used by webpack should result in a SBOM component of type "file",
    • each of the file-based components has a computed set of hashes on them.
    • each of the file-based components name is the relative path of the file. relative to the root component.
    • each of the file-based sub-components, if file ends with .js then set property bsi:component:executable = executable
    • each of the file-based sub-components has the property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
    • the component that represents the package has the property bsi:component:archive set, and bsi:component:structured not set (reason: we did not find clear indications whether this is a (structured) archive, and we cannot be sure at this point.)

BSI taxonomy: https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
May need an extra property taxonomy cdx:webpack according to https://github.com/CycloneDX/cyclonedx-property-taxonomy - but for now the one from BSI is sufficient

followup

  • write a small news/announcement article about how this now is BSI complete
  • tell BSI (email) about it
