fix: Enhance SBOM docs (fixes #2922) #3029

Merged
merged 2 commits into from
May 24, 2023
1 change: 1 addition & 0 deletions .github/actions/spelling/allow.txt
@@ -548,6 +548,7 @@ syslogng
sysstat
systemd
SYSV
tagvalue
taskbar
tcpdump
tcpreplay
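Review bot: the lowercase `tagvalue` entry is what lets the new `--sbom-format tagvalue` example in doc/how_to_guides/sbom_generation.md pass the spelling check (the inline comment on that file notes only the capitalised form was present), and it sits in the correct sorted position between `SYSV` and `taskbar`. Since this is a CLI option value rather than prose, consider configuring the spelling action to skip fenced code blocks so future flag values do not each need an allow-list entry.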
4 changes: 4 additions & 0 deletions README.md
@@ -130,6 +130,8 @@ Scanning of product names within an SBOM file is case insensitive.

> You can also store the nvd-api-key in an environment variable rather than passing it through on the command line: [nvd_api_key instructions](#national-vulnerability-database-nvd).

The [SBOM scanning how-to guide](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md) provides additional SBOM scanning examples.

### Providing triage input

The `--triage-input-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --triage-input-file test.vex /path/to/scan`).
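Review bot: the link is an absolute URL into `blob/main`, so from a release tag or a fork it will always resolve to the main branch's copy of the guide rather than the matching one; a repository-relative link (`doc/how_to_guides/sbom.md`) renders the same on GitHub and stays version-consistent. The placement itself, right after the SBOM scanning usage and before "Providing triage input", reads well.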
@@ -541,6 +543,8 @@ Valid SBOM types are [SPDX](https://spdx.dev/specifications/) and [CycloneDX](ht

The generated SBOM will include product name, version and supplier (where available). License information is not provided.

The [SBOM generation how-to guide](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md) provides additional SBOM generation examples.

## Limitations

This scanner does not attempt to exploit issues or examine the code in greater
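Review bot: the "SBOM generation how-to guide" link points at `doc/how_to_guides/sbom.md`, which is the scanning guide; this PR adds the generation guide as `doc/how_to_guides/sbom_generation.md`, so the URL should be `https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom_generation.md` (or a relative link to that file). As written, a reader following the link lands on a page with no generation examples.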
27 changes: 26 additions & 1 deletion doc/how_to_guides/sbom.md
@@ -1,4 +1,4 @@
#How do I use CVE Binary Tool to scan a SBOM?
# How do I use CVE Binary Tool to scan a SBOM?

The cve-bin-tool can be used to scan a software bill of materials (SBOM) file to identify the vulnerabilities within the packages identified in the file.
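Review bot: the heading fix (space after `#`) is correct and is needed for the line to render as a Markdown heading at all. While here, "a SBOM" should read "an SBOM" in the heading and in the sentence below it, matching the README's own usage ("within an SBOM file"); the same wording recurs throughout the new sbom_generation.md.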

@@ -46,6 +46,31 @@ To determine the format of the SBOM file, the following filename conventions are
| CycloneDX | JSON | .json |
| SWID | XML | .xml |

## Examples

Scan a SPDX SBOM in TagValue format with the name sbom.spdx

```
cve-bin-tool --sbom spdx --sbom-file sbom.spdx
```

If the `--sbom` option is omitted, the scan defaults to a SPDX SBOM in TagValue format. The above and below examples are equivalent.

```
cve-bin-tool --sbom-file sbom.spdx
```

Scan a CycloneDX SBOM in JSON format with the name sbom.json

```
cve-bin-tool --sbom cyclonedx --sbom-file sbom.json
```

Scan a SWID SBOM in XML format with the name sbom.xml

```
cve-bin-tool --sbom swid --sbom-file sbom.xml
```

## Help
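Review bot: the sentence "If the `--sbom` option is omitted, the scan defaults to a SPDX SBOM in TagValue format" conflates SBOM type with format: `--sbom` selects the type, and this same page says the format is determined from the filename extension. Reword along the lines of "If `--sbom` is omitted the type defaults to `spdx`; the format is taken from the file extension, so `sbom.spdx` is read as TagValue", which also makes clear that the two commands are equivalent only because the file is named `.spdx`. Also "a SPDX" should read "an SPDX" in the two example captions.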

51 changes: 51 additions & 0 deletions doc/how_to_guides/sbom_generation.md
@@ -0,0 +1,51 @@
# How do I use CVE Binary Tool to generate a SBOM?

The cve-bin-tool can be used to generate a software bill of materials (SBOM) file, which is a file that contains a list of all components detected by the scan in a standardized format.

## SBOM support

The cve-bin-tool generates SBOMs in the following formats

| SBOM Type | Format | Filename extension |
| --------- | -------- | ------------------ |
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| CycloneDX | JSON | .json |

Details of the formats for each of the supported SBOM formats are available for [SPDX](https://spdx.dev/) and [CycloneDX](https://cyclonedx.org/)

## Usage

To generate a SBOM, run the tool as shown. See the examples below for details about optional arguments and default values used.

```
cve-bin-tool --sbom-type <sbom type> --sbom-format <sbom format> --sbom-output <sbom filename>
```

## Examples

Generate a SPDX SBOM in TagValue format with the name sbom.spdx

```
cve-bin-tool --sbom-type spdx --sbom-format tagvalue --sbom-output sbom.spdx
```

Contributor (inline review comment on the line above): Looks like you'll need to add "tagvalue" to allow.txt. I guess only the capitalized version was added, since it wasn't caught above.

If the `--sbom-type` option is omitted, a SBOM is generated in the SPDX type. If the `--sbom-format` option is omitted, the format is inferred from the extension of the `--sbom-output` filename. The above and below examples are equivalent.

```
cve-bin-tool --sbom-output sbom.spdx
```

Generate a SPDX SBOM in YAML format with the name sbom.yml

```
cve-bin-tool --sbom-type spdx --sbom-format yaml --sbom-output sbom.yml
```

Generate a CycloneDX SBOM in JSON format with the name sbom.json. Note that CycloneDX SBOMs are only generated in JSON, so the `--sbom-format` option is unnecessary.

```
cve-bin-tool --sbom-type cyclonedx --sbom-output sbom.json
```
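Review bot: the examples never say where the directory to scan goes, whereas the README's usage lines put the scan target last (`cve-bin-tool --triage-input-file test.vex /path/to/scan`); add the path to at least the usage synopsis and the first example, e.g. `cve-bin-tool --sbom-type spdx --sbom-format tagvalue --sbom-output sbom.spdx /path/to/scan`, so readers do not run the tool with nothing to scan. The synopsis also shows all three options as required while the paragraph below says `--sbom-type` and `--sbom-format` are optional; bracket the optional ones. Smaller points: the sentence after the format table lacks a full stop, "a SBOM" should be "an SBOM" throughout, and since the table maps `.json` to CycloneDX and `.spdx.json` to SPDX, it would help to state what `--sbom-type spdx --sbom-output sbom.json` produces when the extension alone would imply CycloneDX, and whether the explicit `--sbom-type` wins.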