
feat: File-type components and hashes

Open · jkowalleck opened this issue 2 years ago · 1 comment

Currently, SBOM "components" are detected based on a package.json file. That's cool for most situations.

But what if there is just no package.json? Or it is untrusted for reasons?

Let's add file-based (sub-)components that have a proper hash on them. The feature is disabled by default and can be enabled by a new config option; name to be defined.

[!NOTE] Since this PR will add properties of the BSI, ask @mschusterbsi for a review. A review of the code might not be necessary; a review of some example SBOMs should be enough.

Expected outcome

  • Update the README, saying that this tool includes properties of the BSI.
  • Components that represent "packages" have sub-components, one for each file that is used.
    • Each of the file-based sub-components has a computed set of hashes on it.
    • Each file-based sub-component's name is the relative path of the file, relative to the root component.
    • For each of the file-based sub-components, if the file ends with .js, set property bsi:component:executable = executable.
    • Each of the file-based sub-components has property bsi:component:archive = no archive.
    • Each of the file-based sub-components has the property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
    • The component that represents the package has the property bsi:component:archive = archive and bsi:component:structured = structured. Reason: it is a package, and BSI TR-03183-2 v2.0.0 section 8.1.5 calls out that packages are structured archives.
  • If no package.json can be found (other than the project's own one), then each file used by webpack should result in an SBOM component of type "file":
    • Each of the file-based components has a computed set of hashes on it.
    • Each file-based component's name is the relative path of the file, relative to the root component.
    • For each of the file-based sub-components, if the file ends with .js, set property bsi:component:executable = executable.
    • Each of the file-based sub-components has the property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
    • The component that represents the package has the property bsi:component:archive set, and bsi:component:structured not set. (Reason: we did not find clear indications whether this is a (structured) archive, and we cannot be sure at this point.)

BSI taxonomy: https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy. May need an extra property taxonomy cdx:webpack according to https://github.com/CycloneDX/cyclonedx-property-taxonomy, but for now the one from BSI is sufficient.

Follow-up

  • Write a small news/announcement article about how this is now BSI complete.
  • Tell BSI (email) about it.

jkowalleck · Nov 09 '23 11:11

As soon as this is implemented, publish example files here: https://github.com/CycloneDX/bom-examples/issues/38

jkowalleck · Oct 23 '24 10:10