From e62291fc8101f84837aa4bcde481fe941ffa701d Mon Sep 17 00:00:00 2001 From: abhisek Date: Mon, 16 Sep 2024 10:46:15 +0530 Subject: [PATCH 1/2] docs: Fix style for dependency inventory doc --- docs/docs/guides/dependency-inventory.md | 31 +++++++++++++++++------- pkg/code/code_graph.go | 3 ++- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/docs/docs/guides/dependency-inventory.md b/docs/docs/guides/dependency-inventory.md index dca532de..875366ce 100644 --- a/docs/docs/guides/dependency-inventory.md +++ b/docs/docs/guides/dependency-inventory.md @@ -1,16 +1,22 @@ --- -draft: true +draft: false --- # Dependency Inventory +In this guide, we will use CycloneDX `gradle` plugin to generate a software +bill of material (SBOM) and scan it using `vet`. + ## CycloneDX Plugin Integration -An official [plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) can be used with build automation tools such as Gradle, Maven, etc. to generate Software Bill of Materials(SBOM) for a Java/Android/Kotlin projects. +An official [plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) can +be used with build automation tools such as Gradle, Maven, etc. to generate +Software Bill of Materials(SBOM) for a Java/Android/Kotlin projects. ### Gradle Plugin Integration -The gradle plugin for generating cyclonedx sbom file has to be integrated into the build script i.e. `build.gradle` file. +The gradle plugin for generating cyclonedx sbom file has to be integrated into +the build script i.e. `build.gradle` file. ```groovy plugins { 
@@ -34,24 +40,31 @@ cyclonedxBom { } ``` -Based on requirements, `includeConfigs` and `skipConfigs` properties in `cyclonedxBom` can be modified to only include runtime, compile-time, or implementation dependencies in the sbom artifact(s). Additionaly, in a multi-build project, `skipProjects` property can be used to exclude dependency resolution for a sub-project, thus reducing the noise. +Based on requirements, `includeConfigs` and `skipConfigs` properties in +`cyclonedxBom` can be modified to only include runtime, compile-time, or +implementation dependencies in the sbom artifact(s). Additionaly, in +a multi-build project, `skipProjects` property can be used to exclude +dependency resolution for a sub-project, thus reducing the noise. ### SBOM Generation -Now, to generate sbom artifacts, do a clean build of the project using its respective build tool: -`gradle cleanBuild -b build.gradle :cyclonedxBom` +Now, to generate sbom artifacts, do a clean build of the project using its +respective build tool: `gradle cleanBuild -b build.gradle :cyclonedxBom` ![sample gradle build](../../static/img/sample-gradle-build.png) -After a successful build, all the artifacts shall be stored in `build/reports` path, present in the project root. +After a successful build, all the artifacts shall be stored in `build/reports` +path, present in the project root. ## Scan SBOMs using Vet -Vet supports scanning of SBOM files in both SPDX and CycloneDX format. Depending upon the plugin and build tool being used, appropriate parsers can be used to scan the artifacts for a vulnerability report. +vet supports scanning of SBOM files in both SPDX and CycloneDX format. +Depending upon the plugin and build tool being used, appropriate parsers can be +used to scan the artifacts for a vulnerability report. 
``` vet scan --lockfiles build/reports/bom.json --lockfile-as bom-cyclonedx --report-markdown=report.md vet scan --lockfiles build/reports/bom.json --lockfile-as bom-spdx --report-markdown=report.md ``` -![vet cyclonedx scan demo](../../static/img/vet-cyclonedx-scan-demo.png) \ No newline at end of file +![vet cyclonedx scan demo](../../static/img/vet-cyclonedx-scan-demo.png) diff --git a/pkg/code/code_graph.go b/pkg/code/code_graph.go index dca5afac..5a11199c 100644 --- a/pkg/code/code_graph.go +++ b/pkg/code/code_graph.go @@ -70,7 +70,8 @@ func NewCodeGraphBuilder(config CodeGraphBuilderConfig, config.Concurrency = 1 } - return &codeGraphBuilder{config: config, + return &codeGraphBuilder{ + config: config, repository: repository, lang: lang, storage: storage, From 2b478588b74da03d49f62548230cb9975850cdf3 Mon Sep 17 00:00:00 2001 From: abhisek Date: Mon, 16 Sep 2024 10:50:13 +0530 Subject: [PATCH 2/2] docs: Add title for dependency inventory doc --- docs/docs/guides/dependency-inventory.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/guides/dependency-inventory.md b/docs/docs/guides/dependency-inventory.md index 875366ce..fabce72b 100644 --- a/docs/docs/guides/dependency-inventory.md +++ b/docs/docs/guides/dependency-inventory.md @@ -1,5 +1,6 @@ --- draft: false +title: 📦 Dependency Inventory --- # Dependency Inventory
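Review bot: the reflowed paragraph under "CycloneDX Plugin Integration" in the first dependency-inventory.md hunk still carries two wording errors from the original lines: "Software Bill of Materials(SBOM)" is missing a space before the parenthesis, and "for a Java/Android/Kotlin projects" pairs a singular article with a plural noun. Since the lines are being rewritten anyway, suggest `Software Bill of Materials (SBOM) for Java/Android/Kotlin projects`. The new intro paragraph also says "software bill of material (SBOM)" while the paragraph right below says "Software Bill of Materials"; pick one spelling and use it in both places.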
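Review bot: in the second dependency-inventory.md hunk (@@ -34,24 +40,31 @@) the body text is changed from "Vet" to "vet", but the heading "## Scan SBOMs using Vet" a few lines above keeps the capitalised form, so the hunk leaves the page inconsistent with itself; lowercase the heading too. The typo "Additionaly" also survives the reflow and should read "Additionally". Finally, the build command `gradle cleanBuild -b build.gradle :cyclonedxBom` is worth verifying before the page goes out of draft: Gradle's standard tasks are `clean` and `build` as two separate words, and `cleanBuild` only matches the base plugin's `clean<TaskName>` rule, which deletes the outputs of the `build` task rather than performing a clean build, so `gradle clean build :cyclonedxBom` is probably what was intended.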
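Review bot: the only change in the `vet scan` hunk is the restored trailing newline, which is fine. While this block is being touched, note that the two commands both read `build/reports/bom.json` and both write `report.md`: a reader who runs them back to back feeds a CycloneDX document to the SPDX parser and overwrites the first report with the second. Suggest presenting them as alternatives, stating that `--lockfile-as bom-spdx` applies only when the build emits an SPDX document, and giving the two invocations distinct report file names.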
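Review bot: the struct-literal reformat in `NewCodeGraphBuilder` (`return &codeGraphBuilder{` followed by `config: config,` on its own line) is a formatting-only, behaviour-preserving change to Go code, but the commit is titled `docs: Fix style for dependency inventory doc`; either move this hunk to its own commit or mention it in the commit body so the history does not hide a code change under a docs subject.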
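Review bot: in PATCH 2/2, adding `title: 📦 Dependency Inventory` to the front matter while keeping the `# Dependency Inventory` H1 immediately below can render the heading twice on static site generators that already derive the page heading from the front-matter `title`; check how the other guides under docs/docs/guides handle this and drop the H1 if they rely on the front-matter title. Also confirm that the emoji-prefixed title follows the convention used by the existing sidebar entries rather than introducing a one-off style.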