github.com/vchain-us/vcn@v0.9.11-0.20210921212052-a2484d23c0b3/docs/user-guide/bom.md

# Bill of Materials (BoM)

`vcn` can identify, authenticate and notarize the dependencies of software assets.

## Supported languages/environments

| Language(s)/environment | Component scheme | Source | Package manager |
|-|-|-|--|
| Go | `gocom` | compiled binary | |
| | | directory with `go.sum` file | |
| | | directory with `*.go` file(s) | |
| Python | `pythoncom` | `Pipfile.lock` file or directory containing this file | pipenv |
| | | `poetry.lock` file or directory containing this file | poetry |
| | | `requirements.txt` file or directory containing this file | pip |
| JVM (Java, Scala, Kotlin) | `javacom` | JAR file containing `pom.xml` | maven |
| .Net (C#, F#, Visual Basic) | `dotnet` | `*.sln` file or directory containing this file | NuGet |
| - C#, F# only | | `*.csproj` file or directory containing this file | |
| - Visual Basic only | | `*.vbproj` file or directory containing this file | |
| JavaScript | `nodecom` | `package-lock.json` file or directory containing this file | npm |

## Working with builds

### Resolving dependencies

`vcn bom <source> [--bom-file <BoM file>] [bom output options]`

This command resolves the dependencies of the source and prints the list of dependencies. If the `--bom-file` option is specified, it also stores the resolved dependencies in that file for later use by the notarization step.

Examples:
```
vcn bom immudb/immuclient
vcn bom immudb-py --bom-spdx immudb-py.spdx
vcn bom immudb-py/requirements.txt --bom-file .bom
```

### Authentication

`vcn a --bom <source> [bom options] [bom output options]`

This command resolves the dependencies of the source, authenticates the dependencies and the source, and prints the list of dependencies with their trust levels.

The following options modify the behavior of this command:

| Option | Default | Description |
|-|-|-|
| `--signerID` | current user | Signer ID to use for dependency and asset authentication. This is not a BoM-specific option, but it has a special meaning in BoM mode |
| `--bom-trust-level` | `trusted` | Minimum accepted trust level for the dependencies (full name or abbreviation), one of: |
||| `untrusted` (`unt`) |
||| `unsupported` (`uns`) |
||| `unknown` (`unk`) |
||| `trusted` (`t`) |
| `--bom-max-unsupported` | `0` | Maximum share of unsupported/unknown dependencies to accept, in percent. If the share of unsupported/unknown dependencies does not exceed this threshold, authentication is considered successful |
| `--bom-file` || Name of the file in which to store the resolved dependencies for later use by the notarization step |
| `--bom-deps-only` | `false` (unset) | Authenticate only the dependencies, do not authenticate the BoM source |

Any of these options (except `--signerID`) implies `--bom` mode.

This command returns one of the following exit codes, which report the lowest trust level found among the source and its dependencies:

- `0` - success: the source and all dependencies are trusted
- `1` - at least one dependency, or the BoM source, is untrusted
- `2` - at least one dependency, or the BoM source, is unknown, and none is untrusted or unsupported
- `3` - at least one dependency, or the BoM source, is unsupported, and none is untrusted

Examples:
```
vcn a immudb/immuclient --signerID auditor --bom-deps-only
vcn a immudb/cmd/immudb/ --bom-trust-level 3 --bom-spdx immudb.spdx --bom-file .bom
vcn a immudb-py --bom-max-unsupported 12.5
```

### Notarization

`vcn n --bom <source> [bom options] [bom output options]`

This command resolves the dependencies of the source, authenticates and notarizes the dependencies (only the not-yet-notarized ones which are neither untrusted nor unsupported) and the source, and prints the list of dependencies with their trust levels.

The following options modify the behavior of this command:

| Option | Default | Description |
|-|-|-|
| `--bom-signerID` | current user | Signer ID to use for dependency authentication |
| `--bom-force` | `false` (unset) | Force notarization of all dependencies regardless of their trust levels. If unset, only unsupported and unknown dependencies are notarized. Also forces the cascade operation |
| `--bom-file` || If specified, `vcn` uses the data from this file, previously created by `vcn bom` or `vcn a`, rather than resolving the dependencies again (this can greatly improve performance) |
| `--bom-deps-only` | `false` (unset) | Notarize only the dependencies, do not notarize the BoM source |
| `--bom-hashes` || If specified, do not resolve the dependencies; instead, use the components with the given hashes as the dependencies. These components must already be trusted. This option is incompatible with `--bom-deps-only` and with the BoM output options |

Any of these options implies `--bom` mode.

Examples:
```
vcn n immudb/immuclient --bom-signerID auditor --bom-deps-only
vcn n immudb/immudb/cmd/immudb/ --bom-trust-level 3 --bom-file .bom --attr version=v1.2.3
vcn n immudb-py --bom-force --bom-spdx immudb.spdx --attach immudb.spdx
```

### Output options

One or more of the following options can be given to write the BoM in the supported standard formats:

| Option | Description |
|-|-|
| `--bom-spdx` | Name of the output SPDX tag-value file |
| `--bom-cyclonedx-json` | Name of the output CycloneDX JSON file |
| `--bom-cyclonedx-xml` | Name of the output CycloneDX XML file |

Any of these options implies `--bom` mode.
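As an added example (not from the vcn project or its documentation), the script below turns the `vcn a --bom` exit codes listed above into a CI gate: it authenticates the build once, writes the resolved dependencies to a BoM file so the notarization step does not resolve them again, exports a CycloneDX SBOM for the build record, and notarizes only when the chosen policy accepts the result. The signer ID `ci-auditor`, the policy names, the file names `.bom` and `sbom.cdx.json`, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of vcn or its docs: a CI gate on `vcn a --bom`.
# Assumptions: the source path is $1, the policy word is $2, and the
# signer ID "ci-auditor" is a hypothetical pipeline identity.
set -eu

# Map the documented exit codes to the lowest trust level that was found.
bom_verdict() {
  case "$1" in
    0) echo trusted ;;
    1) echo untrusted ;;
    2) echo unknown ;;
    3) echo unsupported ;;
    *) echo error ;;
  esac
}

# Policy decision, returned as an exit status so it composes with `if`:
#   strict             only a fully trusted BoM passes
#   allow-unknown      not-yet-notarized dependencies are tolerated
#   allow-unsupported  unknown and unsupported dependencies are tolerated
# Untrusted dependencies and vcn errors never pass under any policy.
bom_policy_allows() {
  verdict=$1; policy=$2
  case "$policy:$verdict" in
    *:trusted) return 0 ;;
    allow-unknown:unknown) return 0 ;;
    allow-unsupported:unknown|allow-unsupported:unsupported) return 0 ;;
    *) return 1 ;;
  esac
}

# Authenticate the build, export a CycloneDX SBOM, then notarize the
# source and its not-yet-notarized dependencies if the policy passes.
bom_gate() {
  src=$1; policy=$2; signer=ci-auditor
  command -v vcn >/dev/null 2>&1 || { echo "vcn is not installed" >&2; return 2; }
  if vcn a --bom "$src" --signerID "$signer" --bom-file .bom \
       --bom-cyclonedx-json sbom.cdx.json; then
    code=0
  else
    code=$?
  fi
  verdict=$(bom_verdict "$code")
  echo "vcn a --bom exited $code: lowest trust level is $verdict"
  if bom_policy_allows "$verdict" "$policy"; then
    echo "policy $policy: PASS, notarizing from .bom"
    vcn n --bom "$src" --bom-file .bom
  else
    echo "policy $policy: FAIL" >&2
    return 1
  fi
}

# Usage: bom_gate.sh <source> [strict|allow-unknown|allow-unsupported]
if [ "$#" -ge 1 ]; then
  bom_gate "$1" "${2:-strict}"
fi
```

The gate deliberately keys on the exit code rather than on parsing the printed dependency list, and it reuses the `.bom` file written by `vcn a` so that the notarization step operates on exactly the set of dependencies that was authenticated.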

## Working with individual components

`vcn a|n|ut|us <scheme>://<name>@<version> | --hash <hash>`

Individual components are authenticated, notarized, marked unsupported or marked untrusted like any other asset, but the component has to be identified either by its hash with the `--hash` option, or by a component path of the form `<scheme>://<name>@<version>`. The scheme identifies the type of software component and must be one of the [supported types](#supported-languagesenvironments).

Examples:
```
vcn a gocom://golang.org/x/text@v0.3.6
vcn n --hash 691631371bfa886425c956999a4e998181036be260d7c0f179b3d2adde9b8353
vcn ut pythoncom://six@1.14.0
```

## Looking up builds by dependency

`vcn a --bom-what-includes (<scheme>://<name>@<version> | --hash <hash>)`

This command lists all assets in which the specified component is used as a dependency. The component must be identified either by its hash with the `--hash` option, or by a component path of the form `<scheme>://<name>@<version>`. The scheme identifies the type of software component and must be one of the [supported types](#supported-languagesenvironments).

Examples:
```
vcn a --bom-what-includes gocom://golang.org/x/text@v0.3.6
vcn a --bom-what-includes --hash 691631371bfa886425c956999a4e998181036be260d7c0f179b3d2adde9b8353
```

## Support for Docker

`vcn <command> docker://<image>:<tag> [command options] [--bom-container-binary <list_of_binaries>]`

For assets with the `docker` scheme, `vcn` starts a container from the specified `<image>:<tag>` and finds the dependencies inside it, so the Docker daemon must be running and the image must already be pulled to the system. Because the image is actually run, only inspect images you are prepared to execute on that host. Supported are Linux distributions that use the `apk` (Alpine), `dpkg` (Debian, Ubuntu) or `rpm` (RedHat, Fedora, CentOS, AlmaLinux, openSUSE etc.) package managers.

If `--bom-container-binary` is specified, `vcn` processes only the packages required by the listed dynamically linked binaries; otherwise it processes all installed packages.

Examples:
```
vcn bom docker://alpine:latest --bom-spdx docker.spdx
vcn a --bom docker://debian:latest --bom-container-binary /usr/bin/wget,/usr/bin/curl
vcn n --bom docker://nginx:stable-alpine --bom-container-binary /usr/sbin/nginx
```

## Cascade operations

`vcn notarize|untrust|unsupport [command options ...] --bom-cascade [--bom-force]`

It is possible to propagate the action performed on an asset to the other assets that include it, by specifying the `--bom-cascade` option.

When this option is given, `vcn` lists the assets that include the current one and whose status differs from the desired one, and asks the user for confirmation (unless `--bom-force` is specified).

Examples:
```
vcn n --hash 0fcc60c04098ec262fc7e6369f8b01cfddc99fd251bf1762cb2a3c0937ee29a6 --bom-cascade
vcn untrust gocom://gopkg.in/yaml.v2@v2.4.0 --bom-cascade --bom-force
```
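The script below is an added example, not vcn's own resolver and not part of its documentation. It serves the "Working with individual components", "Looking up builds by dependency" and "Cascade operations" sections above: it builds `<scheme>://<name>@<version>` component paths from pinned lock-file lines, authenticates them one at a time as a given signer, and shows the lookup-then-cascade flow for withdrawing trust from a single component. The lock-file contents are constructed samples, the function names and the signer argument are assumptions, and only the plain `name==version` form of `requirements.txt` and the module lines of `go.sum` are handled.

```shell
#!/bin/sh
# Added example, not part of vcn: component references from lock files,
# per-component authentication, and untrust with cascade.
set -eu

# "six==1.14.0" -> "pythoncom://six@1.14.0"; unpinned or comment lines yield nothing.
pip_ref() {
  printf '%s\n' "$1" |
    sed -n 's|^[[:space:]]*\([A-Za-z0-9_.-]*\)[[:space:]]*==[[:space:]]*\([^[:space:];#]*\).*|pythoncom://\1@\2|p'
}

# "golang.org/x/text v0.3.6 h1:..." -> "gocom://golang.org/x/text@v0.3.6"
# go.sum also carries "<module> <version>/go.mod" hash lines; those are skipped.
gosum_ref() {
  printf '%s\n' "$1" | awk 'NF >= 2 && $2 !~ /\/go\.mod$/ { print "gocom://" $1 "@" $2 }'
}

# Emit one component reference per line for a whole lock file, chosen by name.
refs_from_file() {
  case "$1" in
    *requirements*.txt) while IFS= read -r line; do pip_ref "$line"; done < "$1" ;;
    *go.sum)            while IFS= read -r line; do gosum_ref "$line"; done < "$1" ;;
    *) echo "refs_from_file: unsupported lock file: $1" >&2; return 1 ;;
  esac
}

# Authenticate each component of a lock file as the given signer ID and
# report the ones `vcn a` does not consider trusted (non-zero exit).
authenticate_refs() {
  file=$1; signer=$2
  refs_from_file "$file" | while IFS= read -r ref; do
    if vcn a --signerID "$signer" "$ref" >/dev/null 2>&1; then
      echo "trusted  $ref"
    else
      code=$?
      echo "NOT OK   $ref (vcn exit $code)"
    fi
  done
}

# Before withdrawing trust, list the builds that include the component (the
# same set vcn would ask about during a cascade), then untrust it and push the
# new status to those builds without the interactive confirmation.
untrust_with_cascade() {
  ref=$1
  echo "builds that include $ref:"
  vcn a --bom-what-includes "$ref"
  vcn untrust "$ref" --bom-cascade --bom-force
}

# Constructed sample lock files (hashes are placeholders, not real sums).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/requirements.txt" <<'EOF'
# pinned runtime dependencies
six==1.14.0
requests>=2.25    # not pinned, so it is skipped
EOF
cat > "$SAMPLE_DIR/go.sum" <<'EOF'
golang.org/x/text v0.3.6 h1:not-a-real-hash=
golang.org/x/text v0.3.6/go.mod h1:not-a-real-hash=
gopkg.in/yaml.v2 v2.4.0 h1:not-a-real-hash=
EOF

echo "component references from the constructed lock files:"
refs_from_file "$SAMPLE_DIR/requirements.txt"
refs_from_file "$SAMPLE_DIR/go.sum"

# With vcn installed: ./refs.sh <lock file> <signer ID>, for example
#   ./refs.sh ./requirements.txt auditor
# and, to revoke trust in one dependency across every build that uses it,
#   untrust_with_cascade gocom://gopkg.in/yaml.v2@v2.4.0
if [ "$#" -ge 2 ] && command -v vcn >/dev/null 2>&1; then
  authenticate_refs "$1" "$2"
fi
```

Per-component checks are useful when a single dependency is reported as unknown or unsupported by a whole-build `vcn a --bom` run: the reference can be authenticated against a different signer, notarized on its own, or marked untrusted with the cascade so that every build recorded as including it is flagged as well.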