github.com/vchain-us/vcn@v0.9.11-0.20210921212052-a2484d23c0b3/docs/user-guide/bom.md

# Bill of Materials (BoM)

`vcn` can identify, authenticate and notarize the dependencies of software assets.

## Supported languages/environments

| Language(s)/environment | Component scheme | Source | Package manager |
|-|-|-|-|
| Go | `gocom` | compiled binary | |
| | | directory with `go.sum` file | |
| | | directory with `*.go` file(s) | |
| Python | `pythoncom` | `Pipfile.lock` file or directory containing this file | pipenv |
| | | `poetry.lock` file or directory containing this file | poetry |
| | | `requirements.txt` file or directory containing this file | pip |
| JVM (Java, Scala, Kotlin) | `javacom` | JAR file containing `pom.xml` | maven |
| .Net (C#, F#, Visual Basic) | `dotnet` | `*.sln` file or directory containing this file | NuGet |
| - C#, F# only | | `*.csproj` file or directory containing this file | |
| - Visual Basic only | | `*.vbproj` file or directory containing this file | |
| JavaScript | `nodecom` | `package-lock.json` file or directory containing this file | npm |

## Working with builds

### Resolving dependencies

`vcn bom <source> [--bom-file <BoM file>] [bom output options]`

This command resolves the dependencies of the source and prints the list of dependencies. If the `--bom-file` option is specified, it also stores the dependencies in that file for later processing by the notarization command.

Examples:
```
vcn bom immudb/immuclient
vcn bom immudb-py --bom-spdx immudb-py.spdx
vcn bom immudb-py/requirements.txt --bom-file .bom
```
    35  
### Authentication

`vcn a --bom <source> [bom options] [bom output options]`

This command resolves the dependencies of the source, authenticates the dependencies and the source, and prints the list of dependencies with their trust levels.

The following options modify the behavior of this command:

| Option | Default | Description |
|-|-|-|
| `--signerID` | current user | Signer ID to use for dependency and asset authentication. This is not a BoM-specific option, but it has a special meaning in BoM mode |
| `--bom-trust-level` | `trusted` | Minimal accepted trust level for the dependencies (or its abbreviation), one of: `untrusted` (`unt`), `unsupported` (`uns`), `unknown` (`unk`), `trusted` (`t`) |
| `--bom-max-unsupported` | `0` | Maximum number of unsupported/unknown dependencies to accept, in percent. If the number of unsupported/unknown dependencies does not exceed this threshold, authentication is considered successful |
| `--bom-file` | | Name of the file in which to store the dependencies for later processing by the notarization command |
| `--bom-deps-only` | `false` (unset) | Authenticate only the dependencies; do not authenticate the BoM source |

Any of these options (except `--signerID`) implies `--bom` mode.

This command returns one of the following exit codes:

- `0` - success
- `1` - any dependency or the BoM source is untrusted
- `2` - any dependency or the BoM source is unknown, and there are no untrusted or unsupported dependencies
- `3` - any dependency or the BoM source is unknown, and there are no untrusted dependencies

Examples:
```
vcn a immudb/immuclient --signerID auditor --bom-deps-only
vcn a immudb/cmd/immudb/ --bom-trust-level 3 --bom-spdx immudb.spdx --bom-file .bom
vcn a immudb-py --bom-max-unsupported 12.5
```
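
The two thresholds above, the minimal trust level and the unsupported/unknown percentage cap, are easy to misjudge when read separately. The following Python snippet is an added example, not vcn's own code: it models, as an assumption drawn from the option descriptions in this guide, how the two settings combine to accept or reject a resolved BoM. The dependency names and trust levels in it are constructed, and the `evaluate_bom` helper is invented for the example.

```python
"""Model of the --bom-trust-level / --bom-max-unsupported authentication gate.

Added example, not vcn's implementation.  Assumption modelled on the option
descriptions: a dependency whose trust level is below the minimal accepted
level is a violation, except that unsupported/unknown dependencies are
tolerated while their share of all dependencies stays within the percentage
cap.
"""
from typing import Dict, List

# Trust levels in ascending order, with the abbreviations the user guide lists.
TRUST_LEVELS: List[str] = ["untrusted", "unsupported", "unknown", "trusted"]
ABBREVIATIONS: Dict[str, str] = {
    "unt": "untrusted", "uns": "unsupported", "unk": "unknown", "t": "trusted",
}


def normalize_level(level: str) -> str:
    """Accept a trust-level name or its abbreviation; reject anything else."""
    key = level.strip().lower()
    full = ABBREVIATIONS.get(key, key)
    if full not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level: {level!r}")
    return full


def evaluate_bom(deps: Dict[str, str], min_level: str = "trusted",
                 max_unsupported_pct: float = 0.0) -> Dict[str, object]:
    """Return the gate decision for a BoM whose dependencies map name -> trust level."""
    min_rank = TRUST_LEVELS.index(normalize_level(min_level))
    levels = {name: normalize_level(lvl) for name, lvl in deps.items()}
    # "Soft" dependencies are the ones the percentage cap applies to.
    soft = {name for name, lvl in levels.items() if lvl in ("unsupported", "unknown")}
    share = 100.0 * len(soft) / len(levels) if levels else 0.0
    within_cap = share <= max_unsupported_pct
    # A dependency below the minimum is a violation unless the cap covers it.
    violations = sorted(
        name for name, lvl in levels.items()
        if TRUST_LEVELS.index(lvl) < min_rank and not (name in soft and within_cap)
    )
    return {
        "ok": not violations,
        "violations": violations,
        "unsupported_or_unknown_pct": round(share, 2),
    }


# Constructed sample: six trusted dependencies, one unknown, one unsupported (25% soft).
SAMPLE_DEPS: Dict[str, str] = {
    "lib-a": "trusted", "lib-b": "trusted", "lib-c": "trusted",
    "lib-d": "trusted", "lib-e": "trusted", "lib-f": "trusted",
    "lib-g": "unknown", "lib-h": "unsupported",
}

if __name__ == "__main__":
    # Same BoM, three different gate settings.
    for min_level, cap in (("trusted", 0), ("trusted", 25), ("unk", 0)):
        print(f"--bom-trust-level {min_level} --bom-max-unsupported {cap}:",
              evaluate_bom(SAMPLE_DEPS, min_level, cap))
```

With the defaults (`trusted`, `0`) the sample BoM is rejected because of the two soft dependencies; raising the cap to 25 percent accepts it, while 12.5 percent (the value used in the last example above) still rejects it. Lowering the minimal level to `unknown` accepts the unknown dependency outright but still reports the unsupported one when the cap is 0.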
    71  
### Notarization

`vcn n --bom <source> [bom options] [bom output options]`

This command resolves the dependencies of the source, authenticates and notarizes the dependencies (only those not yet notarized that are neither untrusted nor unsupported) and the source, and prints the list of dependencies with their trust levels.

The following options modify the behavior of this command:

| Option | Default | Description |
|-|-|-|
| `--bom-signerID` | current user | Signer ID to use for dependency authentication |
| `--bom-force` | `false` (unset) | Force notarization of all dependencies regardless of their trust levels. If unset, only unsupported and unknown dependencies are notarized. Also forces cascade operation |
| `--bom-file` | | If specified, `vcn` uses the data from this file, previously created by `vcn bom` or `vcn a`, rather than resolving the dependencies (this can greatly improve performance) |
| `--bom-deps-only` | `false` (unset) | Notarize only the dependencies; do not notarize the BoM source |
| `--bom-hashes` | | If specified, do not resolve the dependencies; instead use the components with the given hashes as dependencies. These components must be trusted. This option is incompatible with `--bom-deps-only` and with the BoM output options |

Any of these options implies `--bom` mode.

Examples:
```
vcn n immudb/immuclient --bom-signerID auditor --bom-deps-only
vcn n immudb/immudb/cmd/immudb/ --bom-trust-level 3 --bom-file .bom --attr version=v1.2.3
vcn n immudb-py --bom-force --bom-spdx immudb.spdx --attach immudb.spdx
```

### Output options

One or more of the following options can be specified to output the BoM in the supported standard formats.

| Option | Description |
|-|-|
| `--bom-spdx` | Name of the output SPDX tag-value file |
| `--bom-cyclonedx-json` | Name of the output CycloneDX JSON file |
| `--bom-cyclonedx-xml` | Name of the output CycloneDX XML file |

Any of these options implies `--bom` mode.

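The BoM written with `--bom-spdx` is a plain SPDX tag-value file, which makes it straightforward to pull the dependency inventory back out for other checks (for example to feed each package checksum to `vcn a --bom-what-includes --hash`). The following Python reader is an added example, not part of vcn: the SPDX document it parses is constructed for the example, its checksum values are made up, and it assumes that package checksums appear under the standard `PackageChecksum` tag.

```python
"""Reader for an SPDX tag-value BoM such as the one `--bom-spdx` writes.

Added example, not vcn's code.  SAMPLE_SPDX is a constructed document whose
checksum values are made up; it only follows the standard tag-value layout
(one `Tag: value` per line, multi-line values wrapped in <text>...</text>).
"""
from typing import Dict, Iterator, List, Tuple

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: immudb-py
DocumentComment: <text>constructed sample
spanning two lines</text>

PackageName: six
SPDXID: SPDXRef-Package-six
PackageVersion: 1.14.0
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: 1111111111111111111111111111111111111111111111111111111111111111

PackageName: requests
SPDXID: SPDXRef-Package-requests
PackageVersion: 2.25.1
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: 2222222222222222222222222222222222222222222222222222222222222222
"""


def iter_tag_values(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (tag, value) pairs; a value wrapped in <text>...</text> may span lines."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed tag-value line: {line!r}")
        value = value.strip()
        if value.startswith("<text>"):
            parts = [value[len("<text>"):]]
            while not parts[-1].endswith("</text>"):
                if i >= len(lines):
                    raise ValueError("unterminated <text> block")
                parts.append(lines[i])
                i += 1
            value = "\n".join(parts)[:-len("</text>")]
        yield tag.strip(), value


def parse_packages(text: str) -> List[Dict[str, object]]:
    """Group tag-value pairs into packages; each PackageName starts a new package."""
    packages: List[Dict[str, object]] = []
    current = None
    for tag, value in iter_tag_values(text):
        if tag == "PackageName":
            current = {"name": value, "version": None, "checksums": {}}
            packages.append(current)
        elif current is None:
            continue  # document-level tags before the first package
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageChecksum":
            # Value has the form "<ALGORITHM>: <hex digest>".
            algo, _, digest = value.partition(":")
            current["checksums"][algo.strip().upper()] = digest.strip().lower()
    return packages


def sha256_digests(packages: List[Dict[str, object]]) -> List[str]:
    """SHA-256 digests of every package that carries one."""
    return [p["checksums"]["SHA256"] for p in packages if "SHA256" in p["checksums"]]


if __name__ == "__main__":
    for pkg in parse_packages(SAMPLE_SPDX):
        print(pkg["name"], pkg["version"], pkg["checksums"].get("SHA256"))
```

Tags the reader does not know (licence fields, relationships, file entries) are skipped rather than rejected, so the same code works on documents that carry more than the minimal package fields shown in the sample.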
   109  ## Working with individual components
   110  
   111  `vcn a|n|ut|us <scheme>://<name>@<version> | --hash <hash>`
   112  
   113  Individual components are authenticated/notarized/unsupported/untrusted as any other asset, but you need to specify either component hash with `--hash` option, or component path in the form `<scheme>://<name>@<version>`. Scheme specifies the type of software component, and should be the one from the [supported types](#supported-languagesenvironments).
   114  
   115  Examples:
   116  ```
   117  vcn a gocom://golang.org/x/text@v0.3.6
   118  vcn n --hash 691631371bfa886425c956999a4e998181036be260d7c0f179b3d2adde9b8353
   119  vcn ut pythoncom://six@1.14.0
   120  ```
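
Validating component references before handing them to `vcn` catches typos and unknown schemes early, and building the command as an argument list keeps untrusted component strings out of shell interpretation. The parser below is an added example, not vcn's code: its grammar follows the command syntax in this guide and the Docker section (`docker://<image>:<tag>`), the scheme list comes from the table of supported environments, and the `vcn_argv` helper name is invented for the example.

```python
"""Parser for the component references accepted by vcn's per-component commands.

Added example, not part of vcn.  Grammar taken from the user guide:
<scheme>://<name>@<version> for language components, docker://<image>:<tag>
for container images, and --hash <sha256>.
"""
import re
from dataclasses import dataclass
from typing import List

# Component schemes from the "Supported languages/environments" table.
LANGUAGE_SCHEMES = {"gocom", "pythoncom", "javacom", "dotnet", "nodecom"}
DOCKER_SCHEME = "docker"
SHA256_RE = re.compile(r"[0-9a-f]{64}")


@dataclass(frozen=True)
class ComponentRef:
    scheme: str
    name: str     # package path, package name, or image name
    version: str  # version for language components, tag for docker images

    def __str__(self) -> str:
        sep = ":" if self.scheme == DOCKER_SCHEME else "@"
        return f"{self.scheme}://{self.name}{sep}{self.version}"


def parse_component_ref(text: str) -> ComponentRef:
    """Parse a component path, rejecting unknown schemes and missing versions."""
    scheme, sep, rest = text.partition("://")
    if not sep:
        raise ValueError(f"missing '://' in component reference: {text!r}")
    if scheme == DOCKER_SCHEME:
        # The tag follows the last ':'; a registry host may carry a port, so a
        # '/' after that ':' means there is no tag at all.
        image, sep, tag = rest.rpartition(":")
        if not sep or not image or not tag or "/" in tag:
            raise ValueError(f"docker reference must be <image>:<tag>: {text!r}")
        return ComponentRef(scheme, image, tag)
    if scheme not in LANGUAGE_SCHEMES:
        raise ValueError(f"unsupported component scheme: {scheme!r}")
    # Split on the last '@' so scoped npm names such as @babel/core keep theirs.
    name, sep, version = rest.rpartition("@")
    if not sep or not name or not version:
        raise ValueError(f"component reference must be <name>@<version>: {text!r}")
    return ComponentRef(scheme, name, version)


def parse_hash(text: str) -> str:
    """Accept a hex SHA-256 digest as used with --hash, normalised to lowercase."""
    digest = text.strip().lower()
    if not SHA256_RE.fullmatch(digest):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return digest


def vcn_argv(command: str, target: str) -> List[str]:
    """Build the argv for `vcn <command> <component>` or `vcn <command> --hash <hash>`.

    The list form is meant for subprocess.run() without shell=True, so a
    component string is never interpreted by a shell.
    """
    if command not in {"a", "n", "ut", "us"}:
        raise ValueError(f"unsupported vcn command: {command!r}")
    if SHA256_RE.fullmatch(target.strip().lower()):
        return ["vcn", command, "--hash", parse_hash(target)]
    return ["vcn", command, str(parse_component_ref(target))]


if __name__ == "__main__":
    for target in ("gocom://golang.org/x/text@v0.3.6", "pythoncom://six@1.14.0",
                   "691631371bfa886425c956999a4e998181036be260d7c0f179b3d2adde9b8353"):
        print(vcn_argv("a", target))
```

The two edge cases worth noting are scoped npm package names, which begin with `@` and therefore require splitting on the last `@`, and Docker image names that include a registry port, where the tag is only the part after the final `:` that is not followed by a `/`.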
   121  
## Looking up builds by dependency

`vcn a --bom-what-includes (<scheme>://<name>@<version> | --hash <hash>)`

This command lists all assets in which the specified component is used as a dependency. The component must be specified either by hash with the `--hash` option, or by component path in the form `<scheme>://<name>@<version>`. The scheme specifies the type of software component and must be one of the [supported types](#supported-languagesenvironments).

Examples:
```
vcn a --bom-what-includes gocom://golang.org/x/text@v0.3.6
vcn a --bom-what-includes --hash 691631371bfa886425c956999a4e998181036be260d7c0f179b3d2adde9b8353
```

## Support for Docker

`vcn <command> docker://<image>:<tag> [command options] [--bom-container-binary <list_of_binaries>]`

When an asset has the `docker` scheme, `vcn` starts a container for the specified `<image>:<tag>` and finds the dependencies inside it; therefore the Docker daemon must be running and the image must already be pulled to the system. Supported are Linux distributions that use the `apk` (Alpine), `dpkg` (Debian, Ubuntu) or `rpm` (RedHat, Fedora, CentOS, AlmaLinux, openSUSE etc.) package managers.

If `--bom-container-binary` is specified, `vcn` only processes the packages required by the specified dynamically linked binaries; otherwise it processes all installed packages.

Examples:
```
vcn bom docker://alpine:latest --bom-spdx docker.spdx
vcn a --bom docker://debian:latest --bom-container-binary /usr/bin/wget,/usr/bin/curl
vcn n --bom docker://nginx:stable-alpine --bom-container-binary /usr/sbin/nginx
```

## Cascade operations

`vcn notarize|untrust|unsupport [command options ...] --bom-cascade [--bom-force]`

By specifying the `--bom-cascade` option, the action on an asset can be propagated automatically to the other assets that include the one being processed.

When this option is specified, `vcn` shows the list of assets that include the current one and whose status differs from the desired one, and asks the user for confirmation (unless `--bom-force` is specified).

Examples:
```
vcn n --hash 0fcc60c04098ec262fc7e6369f8b01cfddc99fd251bf1762cb2a3c0937ee29a6 --bom-cascade
vcn untrust gocom://gopkg.in/yaml.v2@v2.4.0 --bom-cascade --bom-force
```