diff --git a/docs/docs/guides/dependency-inventory.md b/docs/docs/guides/dependency-inventory.md index dca532de..fabce72b 100644 --- a/docs/docs/guides/dependency-inventory.md +++ b/docs/docs/guides/dependency-inventory.md @@ -1,16 +1,23 @@ --- -draft: true +draft: false +title: 📦 Dependency Inventory --- # Dependency Inventory +In this guide, we will use CycloneDX `gradle` plugin to generate a software +bill of material (SBOM) and scan it using `vet`. + ## CycloneDX Plugin Integration -An official [plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) can be used with build automation tools such as Gradle, Maven, etc. to generate Software Bill of Materials(SBOM) for a Java/Android/Kotlin projects. +An official [plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) can +be used with build automation tools such as Gradle, Maven, etc. to generate +Software Bill of Materials(SBOM) for a Java/Android/Kotlin projects. ### Gradle Plugin Integration -The gradle plugin for generating cyclonedx sbom file has to be integrated into the build script i.e. `build.gradle` file. +The gradle plugin for generating cyclonedx sbom file has to be integrated into +the build script i.e. `build.gradle` file. ```groovy plugins { @@ -34,24 +41,31 @@ cyclonedxBom { } ``` -Based on requirements, `includeConfigs` and `skipConfigs` properties in `cyclonedxBom` can be modified to only include runtime, compile-time, or implementation dependencies in the sbom artifact(s). Additionaly, in a multi-build project, `skipProjects` property can be used to exclude dependency resolution for a sub-project, thus reducing the noise. +Based on requirements, `includeConfigs` and `skipConfigs` properties in +`cyclonedxBom` can be modified to only include runtime, compile-time, or +implementation dependencies in the sbom artifact(s). Additionaly, in +a multi-build project, `skipProjects` property can be used to exclude +dependency resolution for a sub-project, thus reducing the noise. ### SBOM Generation -Now, to generate sbom artifacts, do a clean build of the project using its respective build tool: -`gradle cleanBuild -b build.gradle :cyclonedxBom` +Now, to generate sbom artifacts, do a clean build of the project using its +respective build tool: `gradle cleanBuild -b build.gradle :cyclonedxBom` ![sample gradle build](../../static/img/sample-gradle-build.png) -After a successful build, all the artifacts shall be stored in `build/reports` path, present in the project root. +After a successful build, all the artifacts shall be stored in `build/reports` +path, present in the project root. ## Scan SBOMs using Vet -Vet supports scanning of SBOM files in both SPDX and CycloneDX format. Depending upon the plugin and build tool being used, appropriate parsers can be used to scan the artifacts for a vulnerability report. +vet supports scanning of SBOM files in both SPDX and CycloneDX format. +Depending upon the plugin and build tool being used, appropriate parsers can be +used to scan the artifacts for a vulnerability report. ``` vet scan --lockfiles build/reports/bom.json --lockfile-as bom-cyclonedx --report-markdown=report.md vet scan --lockfiles build/reports/bom.json --lockfile-as bom-spdx --report-markdown=report.md ``` -![vet cyclonedx scan demo](../../static/img/vet-cyclonedx-scan-demo.png) \ No newline at end of file +![vet cyclonedx scan demo](../../static/img/vet-cyclonedx-scan-demo.png) diff --git a/pkg/code/code_graph.go b/pkg/code/code_graph.go index dca5afac..5a11199c 100644 --- a/pkg/code/code_graph.go +++ b/pkg/code/code_graph.go @@ -70,7 +70,8 @@ func NewCodeGraphBuilder(config CodeGraphBuilderConfig, config.Concurrency = 1 } - return &codeGraphBuilder{config: config, + return &codeGraphBuilder{ + config: config, repository: repository, lang: lang, storage: storage,