The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- OSI Mac Compatibility
- New
CDX14XMLDeserializer
to deserialize CycloneDX 1.4 sboms- Now support upload and manipulate with SVIP resources
OSI v4, add extra tool support and major overhaul of OSI to support future expansion
validate.sh
: Validation script that runs before launching flask api server in OSI to confirm what languages, package managers, and tools are installedrunner.sh
: Launch script that sets up flask and runs validate.sh- New Tool config files to use YAML files instead of old Tool mapper
- Dynamic tool checking to find what tools apply to the project
- 9 new tools to OSI
- New SVIP endpoint
.../svip/generators/osi/project
to upload code to bound directories
- Fixed installation bugs inside OSI container
- Fixed bad port mappings inside container
- Fixed missing permissions in dockerfile for mac
- Updated Adding Additional OSI Tools to user new configs/scripts
- Overhaul debug messages inside OSI to provide more inside on tool generation
- Consolidated OSIv3 java files into Controller / Services for API
- SVIP endpoint
.../svip/generators/osi/tools
takes optionallist
param to get all tools or just the ones that can be used against the uploaded project - SVIP endpoint
.../svip/generators/osi/
no longer takes project zip file (moved to.../svip/generators/osi/project
) - SBOMs generated with OSI are removed from database after they have been merged
- Outdated Docker Binaries from OSI documentation
- Added Serialization support for CycloneDX 1.4 XML SBOMs.
CDX14XMLSerializer.java
Class - Serializes CycloneDX 1.4 XML SBOMs
- Added repair for "Valid PURL" failing test
- Skips duplicate components for SPDX23Pipel
- Reworked QualityReport and implemented repair
FixType.java
Enum - Type of fix for mapping purposesRepairSPDX24CDX14.java
Class - Implements fixes and generates a new repaired SBOM for SPDX23 and CDX14
RepairController.java
Class - Modified repairStatement and repairSBOM methods to new mappingQualityReport.java
Class - Components are mapped by hashcode instead of nameSVIPPipeline.java
Class - Removed UID param for processQAPipeline.java
Class - removed UID param for processCDX14Pipeline.java
Class - Removed UID param for process, added copyright testSPDX23Pipeline.java
Class - Removed UID param for process, added copyright testResult.java
Class - Added fixes array for when result fails and solutions are availableCPEFixes.java
Class - Finds component by hashcode instead of name, also corrected the CPE build order and implemented FixTypeEmptyOrNullFixes.java
Class - Fixed null cases, implemented FixTypeFix.java
Class - Added helper functions and FixType paramFixes.java
Interface - Renamed repairSubType to componentName and added componentHashCodePURLFixes.java
Class - Corrected fix implementationRepair.java
Class - Removed uid param and changed mapping of componentsFixTest.java
Class - Added FixType param
RepairCDX14.java
Class - Consolidated to RepairSPDX24CDX14RepairSPDX23.java
Class - Consolidated to RepairSPDX24CDX14
- Conversion now split up into three different components
- manipulate
- manipulates data fields within an SBOM object; typically to modify their values from one standard to another.
- toSchema
- converts an SVIP Internal SBOM to an Internal SBOM of a different standard.
- toSVIP
- converts an Internal SBOM of any standard into an SVIP Internal SBOM.
- Conversion
- Conversion controller reworked to handle different conversion/manipulation scenarios.
- manipulate
- Fixed SPDX23TagValue Serializer to display
##### Relationships
over relationships
- Fixed parsing issues with SPDX23TagValue Deserializer to use regex
- Update correct number of "#" in the SPDX Tag Value Serializer
- Correct order of keys in the SPDX Tag Value Serializer
- SBOM components objects are now compared by name and version
- Improved accuracy when determining the schema and format of an SBOM in
SerializerFactory.java
resolveSchema()
resolveFormat()
Extraction.java
Class - Abstract class to obtain information from package managersNugetExtraction.java
Class - Obtains information from the Nuget package managerRepairNullOrEmptyTest.java
Class - Unit tests for null or empty fixes in repair statementsNugetExtractionTest.java
Class - Unit tests for extracting information from nugetnull-copyright-cdx.json
File - CycloneDX SBOM for testing a component with null copyrightnull-copyright.spdx
File - SPDX SBOM for testing a component with null copyright
CDX14Pipeline.java
Class - Implemented copyright fixes to processSPDX23Pipeline.java
Class - Implemented copyright fixes to TestSPDX23Package
- Reworked Convert into several new features.
- New
manipulate
package to alter SVIPSBOM data:ManipulateController
ClassManipulateSVIP
ClassSchemaManipulationMap
Class
- New
toSVIP
package to convert SBOMs to SVIPSBOMs:CDX14
ClassSPDX23
ClassToSVIP
InterfaceToSVIPController
Class
- New
toSchema
package to convert SVIPSBOMs into SBOMs:ToCDX14
ClassToSPDX23
ClassToSchema
InterfaceToSchemaController
Class
Conversion
Class controller has been reworked.
- Changed the max packet size for MySQL to 256M
LicenseFixes.java
Class - Suggests a list of fixes for deprecated licensesLicense.java
Class - Stores the id, name, and url of a license
- Change tool name from SBOM Visualization Integration Platform (SVIP) to SBOM-in-a-Box, to better represent the platform
- SBOM components objects are now compared by name and version
- Changed the max packet size for MySQL to 256M
HashFixes.java
Class - Suggests a list of fixes for invalid hashes and hashing algorithmsHash.validAlgorithms()
Method - Returns a list of valid hashing algorithms that match a hash- Missing unit tests
FixTest.java
HashTest.java
- Changed the port from 5000 to 50001 due to Airplay being on port 5000 for Macs
- Updated path so API can connect to the OSI container both inside of and outside the docker container
sboms/repair/statement
API endpointRepairController.java
SBOMFileService.repair()
- Added docstrings to repair backend
- Combined
RepairStatementSPDX23
andRepairStatementCDX14
intoRepairStatementSPDX23CDX14
- Both SBOM schemas can be repaired similarly
CDX14JSONDeserializer.java
- Component licenses can now be created with an
id
or aname
. Previously you could only usename
- Authors in the metadata now only need at least one of the following: name/email/phone, rather than all three
- Component licenses can now be created with an
- Implemented the missing creationTool externalReferences to the following files:
CreationTool.java
- Added missing externalReferences field for creationTools
CDX14JSONDeserializer
andCDX14JSONSerializer
- Integrated creationTool externalReferences into the serialization/deserialization process
API Refactor Update - Separated >700 line SVIPAPIController into multiple, more testable classes. See the API documentation for all updated endpoints
- New
controller
classes to separate responsibility:DiffController
Class - Manage/sboms/compare
OSIController
Class - Manage/generators/osi
&/generators/osi/tools
ParserController
Class - Manage/generators/parsers
QAController
Class - Manage/sboms/qa
SBOMController
Class - Manage all SBOM & table CRUD endpoints.VEXController
Class - Manage/sboms/vex
- New
entities
package to manage database table schemas:ComparisonFile
Class -comparison
TableConflictFile
Class -conflict
TableQualityReportFile
Class -quality_report
TableSBOM
Class -sbom
TableVEXFile
Class -vex
Table
- New
repository
interfaces to manage access database tables:ComparisonFileRepository
ClassConflictFileRepository
ClassQualityReportFileRepository
ClassSBOMRepository
ClassVEXFileRepository
Class
- New
requests
package to create and manage request bodies for database file uploads:UploadComparisonFileInput
ClassUploadConflictFileInput
ClassUploadQRFileInput
ClassUploadSBOMFileInput
ClassUploadVEXFileInput
Class
- New
services
package to provide utility wrappers for therepository
interfaces:DiffService
ClassQualityReportFileService
ClassSBOMFileService
ClassSBOMService
ClassVEXFileService
Class
- New unit tests to more accurately test controllers, requests, and services with ~80% overall code coverage:
controller
package:DiffControllerTest
ClassOSIControllerTest
ClassParserControllerTest
ClassQAControllerTest
ClassSBOMControllerTest
ClassVEXControllerTest
Class
requests
package:UploadSBOMFileInputTest
Class
services
package:DiffServiceTest
QualityReportFileServiceTest
ClassSBOMFileServiceTest
ClassVexFileServiceTest
Class
- Renamed
core
packageParserController
toParserManager
to avoid confusion
- Old
SVIPAPIController
class - Old
model
package:MockMultipartFile
SBOMFile
- Old
SBOMFile
-related classes:SBOMFileIdentifierGenerator
SBOMFileRepository
- Old
utils
classes:Converter
Utils
- Old Unit Tests:
APITest
CompareAPITest
ConvertFromAPITest
DeleteFromAPITest
GenerateFromOSIAPITest
GenerateFromParserAPITest
GenerateVEXAPITest
GetSBOMAPITest
GetToolsFromOSIAPITest
MergeFromAPITest
UploadToAPITest
ViewAllFromAPITest
ViewFromAPITest
MergerSVIP.java
Class - Merges two SVIPSBOMs into oneComponentMerger
Class - Holds logic to merge two genericComponent
objects into one of a desired type
MergerUtils
Class- String.equals() fixes
- Allowed merging of components to
SVIPComponentObject
- Duplicate component issue resolved
- If two components are of the same name, but one has a version that's null, and the other doesn't, then they can be merged
OSI v3 - Instead of creating a container dynamically, we now have a Flask API running inside of a container with consistent uptime to send requests to and get/select certain tools to run.
/generators/osi/tools
Endpoint - Returns a list of supported open source tool names that can be passed to/generators/osi
to select what tools to run.
OSI
Class methods to get tools and generate with specific tools.OSIClient
Class - Moved it out ofOSI
& removed all reliance ondocker-java
external dependency.server
package to hold all Flask API utility files.constants.py
- Holds all BOM, language, directory, etc. constants relevant to the API and open source tools.OSIAPIController.py
- The main controller for the API with two endpoints:/tools
&/generate
OSTool.py
- A dataclass to store attributes of the open source tools supported by OSI.ToolMapper.py
- A list of currently available open source tools represented asOSTools
.ToolUtils.py
- Several utilities to clean directories, run tools, detect languages and manifest files, and validate tools.
/generators/osi
Endpoint - Now takes in an optionaltools
request body to determine what tools to run.
ContainerController.py
- Separated functionality into multiple files & API.
- Added null checks to the deserializers to avoid null metadata or files keys.
Know Issue: Deleting SBOMs with comparison references in fast succession will cause errors in the database
DiffService
for handling database operations for Comparisons and ConflictsUploadComaprisonFileInput
to handle new Comparisons and ensure relationships are added correctlyUploadConflictFileInput
to handle new Conflicts and ensure relationships are added correctlyComaprisonFile
that acts as a relationship table for sbom comparisonConflictFile
holds conflict details
- Moved
/svip/sboms/compare
endpoint toDiffController
- Diff Report logic has changed
- 1:1 comparisons between sboms are arrogated into a diffreport at request time.
- Comparisons are stored in the database and used to put diffreports together
- Made
Comparison
its own class - Single delete sbom will delete any associated comparisons
- Deprecated DiffReport.java file
Conversion.java
- Core functionality of SBOM conversion
Convert.java
interfaceConvertCDX14.java
ConvertSPDX23.java
ConvertTest.java
Class containing comprehensive unit tests for both schema converters
- Simplified table names by removing the
_file
suffix - Move
toSBOMObject
/toSBOMObjectAsJSON
to the SBOMFile rather than object - Refactored services to reference other services instead of depending on contollers
saveQualityReport
andsaveVEX
moved to their respective services
- Services take objects instead of ids
- Relevant exceptions for conversion endpoint
DeserializerException
SerializerException
SBOMBuilderException
- Convert endpoint in
SBOMController.java
ConvertFromApiTest.java
- Deleted old
Converter.java
- Relevant exceptions for conversion endpoint
DeserializerException
SerializerException
SBOMBuilderException
- Convert endpoint in
SBOMController.java
ConvertFromApiTest.java
- Deleted old
Converter.java
Conversion.java
- Core functionality of SBOM conversion
Convert.java
interfaceConvertCDX14.java
ConvertSPDX23.java
ConvertTest.java
Class containing comprehensive unit tests for both schema converters
SBOMService
for handling database operationsUploadSBOMFileInput
to handle new SBOM entries uploaded via APISBOMController
to handle SBOM API operations
- Moved the following endpoints to
SBOMController
fromSVIPApiController
- POST
/sboms
No longer takes
SBOMFile
as body, usage has not changed. UsesUploadSBOMFileInput
instead - GET
/sbom
Note: Now returns a JSON String
- GET
/sboms/content
- GET
/sboms
- DELETE
/sboms
- POST
MockMultipartFile
for testing uploading binariesParserController
null checkSBOMFileIdentifierGenerator
ID generator class implementing JPA's IdentifierGenerator forSBOMFile.id
/generators/parsers
successfully takes in binary zip files of projects and generates an SBOM- passes Postman tests and
GenerateFromParserAPITest
- passes Postman tests and
/generators/osi
should take in binary zip files of projects and generates an SBOM- passes Postman tests and
GenerateFromOSIAPITest
- passes Postman tests and
- Maximum file upload and request size to 2GB in
application.properties
- Fix incorrect OSI filepaths not allowing API to build.
- Overhaul directory structure to be feature focused
- SBOM Objects have built in comparison methods
- Added
hashcode
methods to components to usename
andversion
as UIDs
PURLTest.java
andCPETest.java
updated:- Provides results for each field tested in accuracy test instead of a single result
- Added two new types of
INFO.java
:MATCHING
andNOT_MATCHING
- Updated QA Results to provide better and more useful information
ResultFactory
is built for each method-test- Endpoints in
SVIPAPiController.java
to match documentation /generators/parsers
unzips a zipped project and parses it into an SBOM/sboms/content
returns the entire SBOMFile instead of just file contents
- VEX API Endpoint
- VEX API test
GenerateVEXAPITest
VEXResult.java
- Class that holds both the VEX Object and any errors that occurred for the API endpoint
- Test SBOMs that contain vulnerable components
/svip/generators/osi
endpoint to theSVIPAPIController
classGenerateFromOSIAPITest
class that contains unit tests for the OSI endpoint
- Updated
API.md
documentation with the VEX endpoint - Updated
GenerateFromParserAPITest
class to be consistent withGenerateFromOSIAPITest
class - Cleaned up utilities in
api.utils
and moved some methods into their respective core classes as there was some duplicate code. - Fixed a bug where running OSI in the API would create bind directories in the API package instead of the core package.
/sboms
to/sbom
when getting SBOM object
OSI Refactor Update (Docker build steps updated)
osi.scripts
packagesetup.sh
called from the inline Dockerfile to install all SBOM utilities to the image.ContainerController.py
- moved fromosi
package.
DockerNotAvailableExceptionTest
unit tests to increase code coverage to >80%.- Methods to
OSI
class resulting in a higher abstraction level above Docker and the filesystem:addSourceFile()
- Add a single source file to be processedaddSourceDirectory()
- Copy the contents of an entire directory to be processed (for unit tests)generateSBOMs()
- Runs the container, clears directories, and returns a Map of all SBOM files
- Updated
docker-compose.yml
to contain all setup and service details for OSI OSITest
unit testsSVIPAPIController
now attempts to construct anOSI
instance on startup if a constructor flag is enabled, Docker is running, and an image/container exists.- The constructor flag allows us to disable OSI construction for unit tests as well as the OSI endpoint itself.
osi/Dockerfile
as all setup behavior is taken care of in the docker-compose file and the OSI class.
Endpoint Standardization
-
Updated endpoints to a REST-ful standard
-
Upload SBOM
- prev: [get] http://localhost:8080/svip/upload
- new: [post] http://localhost:8080/svip/sboms
-
Get SBOM content by id
- prev: [get] http://localhost:8080/svip/view
- new: [get] http://localhost:8080/svip/sboms/content
-
Get SBOMs
- prev: [get] http://localhost:8080/svip/viewFiles
- new:[get] http://localhost:8080/svip/sboms
note: /getSBOM would instead use the /sboms endpoint and instead an id parameter should be used.
EX: [get] http://localhost:8080/svip/sboms?id={id}
-
Delete SBOM by id
- prev: [delete] http://localhost:8080/svip/delete
- new: [delete] http://localhost:8080/svip/sboms?id={id}
-
Merge SBOMs
- prev: [post] http://localhost:8080/svip/merge
- new: [post] http://localhost:8080/svip/sboms/merge
-
Convert SBOM by id
- prev: [get] http://localhost:8080/svip/convert
- new: [put] http://localhost:8080/svip/sboms
-
Merge SBOMs
- prev: [post] http://localhost:8080/svip/merge
- new: [post] http://localhost:8080/svip/sboms/merge
-
Generate SBOMs with SVIP
- prev: [post] http://localhost:8080/svip/generate
- new: [post] http://localhost:8080/svip/sboms/generate
-
Grade SBOMs
- prev: [get] http://localhost:8080/svip/qa
- new: [get] http://localhost:8080/svip/sboms/qa
-
-
Updated
API.md
documentation with the updated endpoints
- Merge API Endpoint
- Merge API test
MergeFromAPITest.java
MergerCrossSchema.java
- Allows merging two SBOMs regardless of origin format
- Utility classes for Merger
MergerUtils.java
comparison/utils/Utils.java
- New NVD API Client implementation:
NVDClient
- Class that, when given an SBOM, will create a new VEX Document object with the NVD API database
Merger.java
abstract class and overall architecture
- QA API Endpoint
SBOMBuilders
instantiated with empty sets and hashmaps instead of null values.buildAndFlush()
methods now clear sets/hashmaps instead of setting to null
/generators/parsers
endpoint inSVIPApiController
.- Relevant unit tests in
GenerateFromParserAPITest
:sbomFilesNullPropertiesTest
- Asserts a 'bad request' is returned.
CDXTagValueTest
- Asserts a 'bad request' is returned.
generateTest
- Comprehensive test to ensure generation from parsers works in the API.
APITest.java
:- Is scalable for adding sample projects for future generator tests.
- Utility classes to merge SBOMs together:
Merger
- Core merger class.MergerCDX
- Merger for CDX14 SBOMs.MergerController
- Controller to handle all SBOM merging.MergerException
- Exception thrown for merge errors.MergerSPDX
- Merger for SPDX23 SBOMs.MergerSVIP
- Merger for SVIP SBOMs.
MergerTest
class for unit testing.
- Old
Merger
Class & Test
- Organized all builder interfaces and objects into
sbom.builder
package. - Organized all factory interfaces and objects into
sbom.model
package.
translators
package as the translators have been deprecated by the deserializers- Legacy endpoint API unit tests
- /convert endpoint
- Relevant unit tests in
ConvertFromAPITest
invalidSchemaAndFormatTest()
CDXTagValueTest()
convertTest()
- Serializer + deserializer fixes
- Moved conversion functionality from
Utils.java
toConverter.java
NOTE: Serializers may serialize null fields; this should be fixed in a later version.
- Refactored
parsers
package to use the newSVIPSBOM
&SVIPComponentObject
.- Refactored all parser unit tests to reflect this (100% passing, code coverage TBD).
- Refactored
SBOMGeneratorCLI
class to useserializers
&parsers
packages. - New OSV API Client implementation:
OSVClient
- Class that, when given an SBOM, will create a new VEX Document object with the OSV API database
- Moved
Debug
,QueryWorker
, &VirtualPath
classes to the baseutils
package.
Resolver.java
as the new API endpoints don't take string file arguments anymore.generators
package as it has now been fully replaced by theserializers
&parsers
packages.translators
unit tests as the translators have been deprecated by the deserializers and will be removed once the API endpoints have been refactored.
- All unit tests for the
serializers
package at ~91% method code coverage. - New Metrics refactor to test SBOM and component fields:
ATTRIBUTE
- Enumeration of all possible test attributesMetricTest
- Abstract class that templates all tests (Except EmptyOrNull)CPETest
- Class that holds all tests for CPEsHashTest
- Class that holds all tests for HashesLicenseTest
- Class that holds all tests for licensesPURLTest
- Class that holds all tests for PURLs
EmptyOrNullTest
QualityReport
- Class to report all results through the pipelinesQAPipeline
- Generic interface for all pipelinesCDX14Tests
- Interface that hold CycloneDX 1.4 specific testsSPDX23Tests
- Interface that holds SPDX 2.3 specific testsCDX14Pipeline
- Class that runs through all tests for a CycloneDX 1.4 sbom and componentsSPDX23Pipeline
- Class that runs through all tests for a SPDX 2.3 sbom and componentsSVIPPipeline
- Class that runs through all tests for an SVIP sbom and components
- New Result class to output tests results:
ResultFactory
- Class that helps create new ResultsResult
- Class that holds the basic information of a resultText
- Class that helps provide messages and details for ResultsINFO
- Enumeration that holds all possible info for a testSTATUS
- Enumeration that holds all statuses of a result
- Unit tests to be completed for each test, pipeline, and ResultFactory
- New Serializer refactor and implementation of the old generator serializers to use the SBOM object:
SerializerFactory
Class - Responsible for recieving parameters and constructing/configuring serializers/deserializersSerializer
InterfaceCDX14JSONSerializer
Class - CycloneDX v1.4 JSON serializerSPDX23JSONSerializer
Class - SPDX v2.3 JSON serializerSPDX23TagValueSerializer
Class - SPDX v2.3 Tag-Value (.spdx) serializerSVIPSBOMJSONSerializer
Class - Data serializer to represent all fields in an SVIP SBOM object instance
Deserializer
InterfaceCDX14JSONDeserializer
Class - CycloneDX v1.4 JSON deserializerSPDX23JSONDeserializer
Class - SPDX v2.3 JSON deserializerSPDX23TagValueDeserializer
Class - SPDX v2.3 Tag-Value (.spdx) deserializer
- New VEX and VEXStatement Implementation. This covers the following files:
VEX
- Class that build a VEX Document objectVEXType
- An enumeration of the possible VEX file typesVEXStatement
- Class for a single VEX Statement in a VEX fileProduct
- Class that defines a product inside a VEX StatementVulnerability
- Class that defines the vulnerability for a VEX StatementStatus
- Class that defines the status of a VEX StatementVulnStatus
- An enumeration for all the possible statuses of a VEX StatementJustification
- An enumeration of all possible justifications for a NOT_AFFECTED VEX Statement
- Unit tests for SBOM and Component Builders.
BuildAndFlush()
methods now call their basebuild()
method rather than using duplicate code.- Fixed a bug where
SVIPSBOM.Build()
was returning anSBOM
rather than anSVIPSBOM
. - Patched various methods that did not check if a list was null before trying to access it.
- Unit tests for SBOM and Component Builders.
BuildAndFlush()
methods now call their basebuild()
method rather than using duplicate code.- Fixed a bug where
SVIPSBOM.Build()
was returning anSBOM
rather than anSVIPSBOM
. - Patched various methods that did not check if a list was null before trying to access it.
- New SBOM Refactor and Implementation. This covers the following files:
SBOM
- An interface that covers SBOM information that is similar to both CycloneDX and SPDX formatsCDX14Schema
- An interface that covers SBOM information specific to CycloneDX 1.4 SBOMsSPDX23Schema
- An interface that covers SBOM information specific to SPDX 2.3 SBOMsCDX14SBOM
- A class that is used to file for CycloneDX 1.4 SBOM informationSVIPSBOM
- A class that is used to file for SVIP SBOM GenerationSPDX23SBOM
- A class that is used to file for SPDX 2.3 SBOM informationRelationship
- A class that holds relationship information between SBOM componentsExternalReferences
- A class that holds external reference information for an SBOM- New Component Refactor and Implementation. This covers the following files:
Component
- An interface that holds shared component data regardless of SBOM formatLicenseCollection
- A class that holds the licenses of the componentSPDX23Component
- An interface that covers SPDX 2.3 specific package/file informationSPDX23File
- An interface that covers SPDX 2.3 file specific informationSPDX23Package
- An interface that covers SPDX 2.3 package specific informationSBOMPackage
- An interface that covers SPDX 2.3 and CycloneDX 1.4 package informationDescription
- A class that holds a package's descriptionSPDX23FileObject
- A class that is used to file an SPDX 2.3 FileSPDX23PackageObject
- A class that is used to file for an SPDX 2.3 packageSVIPComponentObject
- A class that is used to file for an SVIP componentCDX14ComponentObject
- A class that is used to file for a CycloneDX 1.4 component
Dockerfile
&docker-compose.yml
to build the API and run a MySQL server with persistent storage in separate Docker containers.application.properties
&.env
files created to setup Spring and Docker configuration.
repository.SBOMFileRepository
Class to interact with the MySQL database.- New API endpoints (
upload
,view
,viewAll
,delete
) to run CRUD operations on thefiles
table.- Added unit tests that mock the
repository.SBOMFileRepository
to avoid any local storage during testing.
- Added unit tests that mock the
- Refactored
NVIPApiController
,PlugFestApiController
, &NVIPApiController
Classes intocontroller
package. - Refactored
utils.Utils.SBOMFile
into its own classmodel.SBOMFile
- Uses Hibernate decorators to automatically create a custom
files
table on the MySQL server.
- Uses Hibernate decorators to automatically create a custom
- Old API endpoints & tests (
compare
,generateSBOM
,merge
,parse
, &qa
)
This update focuses on caching the filesystem at program start via the VirtualTree
implementation and using this to
enable fixing all unit tests.
ALL UNIT TESTS ARE NOW PASSING
VirtualTree
implementation. This covers the following classes:VirtualNode
- Represents a node in aVirtualTree
. This is either a file or directory. If a VirtualNode is a file, it contains the contents of the file internally. It usesVirtualPaths
to store the name of each file/directory, and can then be concatenated recursively byVirtualTree
to retrieve the whole filepath.VirtualTree
- A complete, internal, in-memory representation of any file tree. A VirtualTree is constructed by adding a several file paths, and an internal structure of VirtualNodes is created to represent each directory and file. It also stores the file contents, and can return a list of all files in the file tree.
- Unit tests for
VirtualPath
,VirtualNode
, andVirtualTree
. - Added
ParserController.parseAll()
method to parse all files in the internalVirtualTree
, as well as cache the list of files to pass intoparse()
. - Added
Parser.setInternalFiles()
method to pass in aList<VirtualNode>
of internal files to theinternalFiles
field to use when checking internal files.- This is derived from the
VirtualTree.getAllFiles()
method.
- This is derived from the
ParserController
now holds aVirtualTree
representation of an arbitrary filesystem on construction.- Now, each file can be parsed by looping through all files in the
VirtualTree
and parsing their contents, completely in-memory. parse()
now accepts an additional parameterinternalFiles
to pass into each parser, regenerated once per call toparseAll()
from theVirtualTree
representation.
- Now, each file can be parsed by looping through all files in the
LanguageParser.isInternalComponent()
refactored to use theinternalFiles
field instead of usingFiles.walk()
.- Moved all utilities in
sbomfactory.generators
to a singleutils
package with organized sub-packages. - Renamed
GeneratorsTestMain
toSBOMGeneratorCLI
and moved it to thesvip
package along with the other main classes. - Changed
SBOMGeneratorCLI
to use theVirtualTree.buildTree()
static method to read all files and file contents from a source directory into aVirtualTree
, which can then be passed into aParserController
instance. - Updated
OSITest
to check if Docker is running, and if not simply ignore the tests.
This update focuses mainly on adding several test cases for most generator classes and fixing bugs in the stores, serializers, and translators.
- Added tests for
SBOMGenerator.writeFileToString()
inSBOMGeneratorTest
.- These test for cases where pretty-printing is enabled and disabled.
- Added a mostly complete suite of test cases for all non-dataclasses in the
sbomfactory.generators.generators
package.BOMStoreTestCore
- An abstract test class to setup an SBOM and test component behavior for all classes that extendBOMStore
.CycloneDXStoreTest
- Tests all CycloneDX BOM manipulation methodsSPDXStoreTest
- Tests all SPDX Document manipulation methods
- Added test cases for all custom serializer classes in the
sbomfactory.generators.generators
package.- For each class, a generator serializes a test SBOM object to a file. Then, the SVIP translators are used to translate
the SBOM file back into an SBOM object. The two are then checked to ensure equality, and if so the test passes. This
allows us to ensure that an SBOM can go both ways, via the generators and translators.
CycloneDXSerializerTest
CycloneDXXMLSerializerTest
SPDXTagValueWriterTest
- Note that because there are no translators for SPDX JSON and XML formats (yet), we cannot test the outputs of those corresponding serializers.
- For each class, a generator serializes a test SBOM object to a file. Then, the SVIP translators are used to translate
the SBOM file back into an SBOM object. The two are then checked to ensure equality, and if so the test passes. This
allows us to ensure that an SBOM can go both ways, via the generators and translators.
- Added INTERNAL SBOM comparison methods:
SBOM.equals()
- This tests for equality of all relevant fields, including the SBOMDependencyTree
.DependencyTree.equals()
- This is a quick-and-dirty fix to compare two instances of aDependencyTree
WITHOUT regard to UUIDs. This allows us to have two separate SBOMs with the same components (with randomly generated UUIDs) and still be equal.DependencyTree.toString()
&DependencyTree.dependencyMapToString()
, which were both added to supportDependencyTree.equals()
. Theequals()
method simply compares thetoString()
methods of eachDependencyTree
, which are generated by thedependencyMapToString()
method.- This is a simple recursive method that uses indentations to represent how an individual component is nested, thus removing a reliance on UUIDs.
- Each component can then be compared by checking its string representation (which is currently just the component name)
- Added "copy" constructor to
ParserComponent
Class to construct an instance from aComponent
instance.- Updated
SBOMGenerator
to allow processing SBOMs that containComponent
instances.
- Updated
- All tests in
SBOMGeneratorTest
now useDebug.log()
instead of default system I/O. - Both output methods in
SBOMGenerator
(writeFile()
&writeFileToString
) now throw aGeneratorException
for ease of testing. SBOMGeneratorTest.addTestComponentsToSBOM()
is now static to allow re-use in other tests.SBOMGeneratorTest.generatePathToSBOM()
is now public to allow use for filepath generation in tests.- Translator fixes:
- Fixed
TranslatorCDXJSON
Class parsing in timestamps in the wrong format. - Fixed
TranslatorCDXJSON
&TranslatorCDXXML
Classes parsing in an incorrect tool string. - Fixed
TranslatorSPDX
Class incorrectly parsing an SPDX document namespace UUID.
- Fixed
SPDXTagValueWriter
Class now re-uses as many tags as possible fromTranslatorSPDX
Class for accuracy.- Fixed
SPDXStore
not containing the defaultSPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
relationship.
- Removed file parsing in
SBOMGeneratorTest
. Instead, a sample SBOM is created from scratch. - Removed default root wrapping property of
ObjectMapper
-based serializers, as it was causing the class name to be the top-level object of the generated SBOM. - Removed
bom:
namespace prefix from generated CycloneDX XML SBOMs, as it was interfering with the corresponding translator. - Removed all old sample SBOMs in
doc/Sample SBOMs
.
- Added a new
APPLICATION
type toParserComponent.Type
Enum to reflect the type of subprocess calls. - Added checking for duplicate components in the SBOM as well as in the components parsed in the
ParserController.parse()
Method.
NugetParser
which parses the main configuration file of Nuget projects, and queries the Nuget package-manager for any existing licenses.
- Updated
LicenseManager.parseLicense()
method to more accurately and efficiently match an arbitrary license string to- This is done by quantifying the number of token matches per license string and then choosing the string with the most matches.
- It also contains checks for common license keywords and short identifiers to increase speed.
- Updated
ParserComponent.resolveLicenses()
Method to support finding multiple licenses in a single, comma-separated .- This increases the license parsing accuracy, as one string can now be separated into multiple licenses.
- However, any invalid license after the first one is found will be discarded to avoid "garbage" licenses occuring in the SBOM.
- Updated
LanguageParser
Class to check for and handle import wildcards.- If any import wildcards are found while parsing a file, the component name will be replaced with the next-highest-level package in the import statement and the component group will be changed to reflect that.
- Fixed some backslashes not being changed to forward slashes to improve file readability.
- Ex:
\\
in a filepath will now always be changed to/
.
- Ex:
- Fixed components generated from subprocess calls not containing the files they were found in.
- Fixed duplicates being added to the internal SBOM in
ParserController.parse()
Method because of the way theContextParser
s were set up to store components.
- Add
SPDXTagValueWriter
Class to serialize an instance ofSPDXStore
to a tag-value document and output to either a string or file.- Contains methods for
writeToString()
andwriteToFile()
- Contains methods for
- Add new SPDX
GeneratorFormat
Enum Value inGeneratorSchema
Class to support file output for this value.
- Changed
SBOMGenerator
Class to use anSPDXTagValueWriter
instead of anObjectMapper
when dealing with the SPDX tag-value format.
- Add
LicenseManager.getConcatenatedLicenseString()
method to concisely concatenate all tool licenses to use when representing a Collection of licenses as a string.
- Ensure
SPDXSerializer
Class properly serializes an XML Document according to the documentation and official example. - Update
SPDXSerializer
Class to ensure the XML root element isDocument
when serializing using an instance ofToXmlGenerator
.
- Add
CycloneDXXMLSerializer
Class.- Similar to
CycloneDXSerializer
, this class overrides the JacksonStdSerializer
Class to allow serialization of aCycloneDXStore
instance to an XML file according to the CycloneDX v1.4 XML specification. - A separate serializer is required due to the inherent difference between JSON and XML.
- Similar to
- Add abstract
TranslatorCore
Class that all other translators extend to increase modularity.- This will eventually replace the current implementation of
Translator
, which used to act as a controller for the translators and is no longer needed. Instead, it will remain the abstract core class of the translators, to be extended to support a new schema/format easily.
- This will eventually replace the current implementation of
- Add abstract
TranslatorTestCore
Class that allows the tests to have a similar level of modularity. - Add
CSProjParserTest
to test the C# Package Parser.
- Update
GeneratorSchema.getObjectMapper()
to take a schema argument to register all serializers with their respectiveObjectMapper
- Previously, registering the custom serializers was done using Jackson decorators on all
BOMStore
classes. However, this made it difficult to have multiple different types of serializers. - Now, all
ObjectMapper
configuration and serialization setup is done ingetObjectMapper()
. This allows for simply calling the method on a specific format and passing in the schema to get a completely set upObjectMapper
whose serializer is dependent on the file format back.
- Previously, registering the custom serializers was done using Jackson decorators on all
- Update
ObjectMapper
pretty-printing to stop indenting each line of an array to enhance SBOM readability. - Refactor all translator tests (see below) to reflect the updated translator (and
TranslatorTestCore
) architecture.TranslatorCDXJSONTest
TranslatorCDXXMLTest
TranslatorSPDXTest
- Rename
GradleParserParseTest
toGradleParserTest
for semantics. - Update
CommentParser
,DeadImportParser
, &SubprocessParser
to add parsed contexts to SBOM components.CommentParser
could use a look in terms of the value of the data collected, as many comments provide no real, valuable information to our SBOM.
- Add
CPE
Class that generates CPE format strings by adding properties one-at-a-time as they are found. - Add
SBOMGeneratorTest
Test to begin testing our generators' file-writing capacities.SBOMGeneratorTest
also currently tests the correct creation of variousBOMStore
Objects.
- Add
writeFileToString()
Method toSBOMGenerator
to return a generated SBOM with a specified filetype as a string rather than as written to a file.- Includes the option to remove whitespace from or pretty-print the string output.
- Add
GradleParserParseTest
&RequirementsParserParseTest
- Update
POMParser
to build and add CPEs to individual components as they are discovered. - Update
GradleParser
to properly cover and parse a wide variety of edge cases.- Gradle documentation reference provided a fairly comprehensive set of different styles of dependency declaration to support.
- Update
PackageMangerParser
(& implementations) to make better use of inheritance when initializing- Common fields moved up levels of inheritance, constructors updated to simplify child class creation and better delegate the responsibilities of each class
- Update
PackageMangerParser
to handle property resolution- Generified code to resolve properties and fixed deep recursive edge cases
- This allows better access to the properties list that
PackageManagerParser
implementations store, and reduces all token replacement code to two methods - Any value read in from a
PackageManagerParser
has the potential to be or contain property reference tokens, this change makes the process of "resolving" any given value extremely easy and generic.
- This allows better access to the properties list that
- Generified code to resolve properties and fixed deep recursive edge cases
- Update
CycloneDXSerializer
&SPDXSerializer
Classes to include discovered CPE data. - Fix
ParserController
'stoFile()
test to ensure each file is being generated as expected.- Method also changed from type void to type String, giving the method the ability to output both directly to file,
as well as return the stringified file contents instead.
- This allows for our integration with the API, where we are not reading and writing directly to and from files, but passing stringified file contents around.
- Method also changed from type void to type String, giving the method the ability to output both directly to file,
as well as return the stringified file contents instead.
- Fix
GoParser
edge case bugs found during dataset development - Fix
ParserTestCore
(& implementations) typing- Instead of now storing a generic instance of
Parser
and casting it to a child class in order to access protected fields,ParserTestCore
was properly generalized (ParserTestCore<T extends Parser>
).
- Instead of now storing a generic instance of
- Update
POMParserParseTest
(& all new test files) to include two main teststestProperties
- Checks multiple properties for correctness- Includes recursive property resolution edge cases
testDependencies
- Checks multiple dependencies for correctness- Includes recursive dependency resolution edge cases
- NOTE: These may end up being broken into more granular tests
- Remove
CPEQueryWorker
Class as no API requests need to be made. - Remove
UNKNOWN
Type fromParserComponent
as it doesn't make sense to default to.
- Add
CycloneDXStore
&CycloneDXSerializer
Classes- The
CycloneDXStore
class stores all components and metadata associated with a CDX BOM. - The
CycloneDXSerializer
class can serialize an instance ofCycloneDXStore
to a CDX output file, using a custom implementation of a Jackson JSON serializer
- The
- Add
Tool
Class- A simple dataclass that allows storage of information about our generator tool.
- Add
License
Class- Contains methods to store a license string and its SPDX short identifier, parsed using the now-static
LicenseManager
Class. - Replaced storage via strings in all stores, serializers, and
Tool
.
- Contains methods to store a license string and its SPDX short identifier, parsed using the now-static
- Refactored common functionality from
SPDXStore
&CycloneDXStore
into aBOMStore
Class. - Add
version
,internalType
, &bomStoreType
fields toGeneratorSchema
Class.- This allows us to construct an
SBOMGenerator
with only an SBOM object and GeneratorSchema.
- This allows us to construct an
- Refactored SPDX-specific class names into generic class names to promote semantics.
SPDXRelationship
->Relationship
SPDXLicenseManager
->LicenseManager
- Refactored
SPDXStoreException
Class intoGeneratorException
Class to use between different generators. - Create
generators.utils
package, moved the following classes in:GeneratorException
,GeneratorSchema
,License
,LicenseManager
,Tool
LicenseManager
Class is now static and queries the SPDX license URL only once when first referenced.SBOMGenerator
Class is no longer abstract and contains all methods to construct aBOMStore
instance.ParserComponent
Class now stores multipleLicense
's and all files analyzed when constructing.ParserComponent
Class now contains agenerateHash()
method to obtain the checksum of a component.
Java_SPDX_old.json
as we now implement more fields than the previous implementation that usedspdx-java-library
.SPDXGenerator
&CycloneDXGenerator
Class- All functionality has been moved into
SBOMGenerator
- All functionality has been moved into
- Added
SPDXStore
,SPDXStoreSerializer
, &SPDXStoreException
Classes- The
SPDXStore
class holds responsibility for storing all data and relationships required by an SPDX document. - It can then be serialized to a file using the
SPDXStoreSerializer
, which is a custom implementation of a JSON serializer from the Jackson library. - The
SPDXStoreException
class is a useful exception to allow us to throw and catch any inconsistencies or errors while constructing the SPDX document. This also allows us to log more verbose details.
- The
- Added
SPDXRelationship
Class- Holds the data of a single SPDX relationship between packages.
- Defines allowed relationships between packages.
- Added
SPDXLicenseManager
&SPDXLicenseQueryWorker
Classes- These two classes work together to first query the page of the SPDX website that describes what licenses are allowed and what format they need to be in.
- Then, the license manager holds that data and allows us to test to see if a
parsed license of a package is a valid string and if it can be inserted into the package information.
- The license manager can also assume the license based on a tokenized string and a version if the license is not recognized.
- The
SPDXGenerator
class now uses an instance ofSPDXStore
and a JacksonObjectMapper
to write an SPDX document to a file. - The
hash()
method in theSBOMGenerator
class has been removed as an abstract method and replaced by thegetHash()
method that generates a unique SHA-256 hash of each generator instance.getHash()
is now used to generate an SBOM's serial number when one is passed intoSBOMGenerator
.
- The
GeneratorFormat
enumeration now contains a JacksonObjectMapper
field to allow file type selection.- This allows us to pass in a
GeneratorFormat
to theSBOMGenerator.writeFile()
method and automatically generate anObjectMapper
for each unique file format.
- This allows us to pass in a
DependencyTreeSerializer
as it has been deprecated by theSPDXStoreSerializer
class.
- Added
GeneratorSchema
&GeneratorFormat
Enumerations- These enums are tightly coupled to each other and the generators to ensure proper schema/format validation while allowing the user full control over the output file.
- Added
LanguageParser extends Parser
Class- Holds the language parsing logic previously accounted for by
Parser
- Holds the language parsing logic previously accounted for by
- Added abstract
ParserTestCore
Class- Holds the general testing logic for our testing structure
- Added abstract
ParseDepFileTestCore
Class- Holds the logic relating to testing the package manager data that is parsed from generated dependency files.
- Added
POMParserParseTest
Class- Stubbed out an implementation of
ParseDepFileTestCore
and began planning the testing structure forPackageManagerParser
s.
- Stubbed out an implementation of
- Added abstract
QueryWorker
Class- Runnable implementation that queries a given url and stores the information within a given component.
- The specific information storage is done by implementations of this class, which will have context on the information being queried.
PackageManagerParser.queryURLs()
allows for execution of any number of any class that extendQueryWorker
to be run in parallel via anExecuterService
and aCachedThreadPool
- Slow package manager index query times would increase time to parse some files more than 20x over, this fixes the speed issue, at the risk of hitting rate limits if we cannot find a specific index site without one.
- Runnable implementation that queries a given url and stores the information within a given component.
- Added
POMQueryWorker
,CPEQueryWorker
&RequirementsQueryWorker
Classes- These query their own respective package indexes and store found relevant information within
ParserComponent
s.
- These query their own respective package indexes and store found relevant information within
- Added
RequirementsParser
- Implemented to read in pip requirements files for dependency information
- Added
GradleParser
&CSProjParser
- Stubbed out
Parser
Class is now responsible for only general parsing logic, while abstract children will hold greater categorical logic, to be further implemented in the form of the individual parsers- What this means is that a
LanguageParser
can be treated very similarly to aPackageManagerParser
, and any new types of parsers that are added. The plan is to expand this system to include an abstractContextParser
(name pending). - This abstraction will allow for easy combination of data (in any way we want) within
ParserController
.
- What this means is that a
ParseRegexTestCore
Class modified to only be responsible for logic relating to testing the regex of the language parsers.POMParser
Class collects package license info and pom.xml properties (local variables)- This allows us to replace values like this:
${java_version}
with values like this:1.8
when storing the information- Work still needs to be done to handle recursive variable referencing, i.e. a property references another property, to the n-th level. This code is mostly written, but it is not functional currently
- This allows us to replace values like this:
- Added
SBOMGenerator
Class- Base abstract class for our suite of generators
- Added
FORMAT
Enum- Holds valid filetypes, eventually this will also validate that any given filetype is valid for the specified
schema (e.x. we do not want an instance of
CDXGenerator
writing to.spdx
)
- Holds valid filetypes, eventually this will also validate that any given filetype is valid for the specified
schema (e.x. we do not want an instance of
- Added
CDXGenerator extends SBOMGenerator
Class- This file implements our base generator class, and serves solely to perform CycloneDX-specific data manipulation and
write to file. We make use of CycloneDX's open-source, officially supported library
cyclonedx-core-java
to convert our internal objects to theirs, then are able to use theirBomGeneratorFactory
to format the data into stringified xml/json- We plan to write custom serializers to replace the usage of these OS libraries, however, this was a very simple solution that allowed us to output SBOMs quickly, and refine our generators right away.
- This file implements our base generator class, and serves solely to perform CycloneDX-specific data manipulation and
write to file. We make use of CycloneDX's open-source, officially supported library
- Added work-in-progress
SPDXGenerator extends SBOMGenerator
Class- This file will also implement the base generator class and perform SPDX-specific data manipulation and file
writing. This makes use of SPDX's open-source, officially supported library:
spdx-java-library
. We will be able to use their internal representation of documents and packages to convert our objects to theirs and then write the resulting SBOM to a file.
- This file will also implement the base generator class and perform SPDX-specific data manipulation and file
writing. This makes use of SPDX's open-source, officially supported library:
- Added
PackageManagerParser extends Parser
Class- This new type of parser aims to build on existing functionality around dependency parsing, while also expanding the range of data we can parse from only language files to also include managed dependency files.
- Added
POMParser extends PackageManagerParser
Class- This implementation of PackageManagerParser was a spike into the value of including information gathered from
managed dependency files / package managers, specifically,
pom.xml
files. - We were able to gather relevant dependency information, akin to what we are parsing from language files, however, often with more information on each dependency (enough to build a PURL)
- This implementation of PackageManagerParser was a spike into the value of including information gathered from
managed dependency files / package managers, specifically,
- Temporarily added copies of SVIP->
SBOM
/DependencyTree
/Component
/etc. for data class merge- This will be pulled from a single source in the future, but for now, they are just development artifacts
- System now uses
SBOM
Objects fromSVIP
when collecting information Component
Class ->ParserComponent extends SVIP.Component
Class- This allows for seamless use of existing functionality regarding SBOM/DependencyTree/Component/etc. within our system
- System now writes to
CycloneDX SBOM
format instead of "depFile" format, with a modular design meant to support more SBOM formats and schemas- Both
JSON
andXML
formats are currently supported
- Both
- All deprecated parser files removed
- Old language implementations
- Old tests
- Old data classes
- Filter feature removed
SRC
Property toParserCore
andParser
to store a static reference to project src.- Previously,
PWD
was being used as both a moving directory pointer, as well as the static project reference. Obviously, this caused some wierd issues, and is now fixed.
- Previously,
- All deprecated parser classes updated (as well as their tests)
- Parent Component selection was occurring for each file (of the new project) during an append,
it now only happens once, as intended.
- This was not apparent until a conflicting name was chosen, and a source project was appended.
- Uniqueness checking fixed once and for all (until it breaks)
- On a more serious note, this is now in a relatively stable place after the big rework, and it's a miracle that it worked as well as it did out of the box, and will now (hopefully) function flawlessly until its use case changes.
PythonParser.isLanguageComponent()
URL structure fixed to properly query multipart URLs- e.x. "foo/bar" -> "foo.bar.html"
- Fixed bug when appending absolute paths instead of relative paths
DepFileObject
Class modified to allow for short representations of filters.- i.e.
-f="external, internal"
->-f="e, i"
- Both are valid, and the quotes can be removed if the spaces between filters are removed.
- i.e.
ParserController
Class added to house the logic in-between the Main file driver and the language-specific parsers. Previously, this logic was bloatingParserCore
.Parser
Class added to house the code responsible for being the core of the language parsers. This includes the code previously assigned toParserCore
.DepFileObject
Class added to represent a collection of found Components. This Class is meant to house the logic and data related to that collection. Previously, this logic was also handled inParserCore
.Debug
Class added to house static methods used for debugging, the primary use of this class is thelog
method.
Main
Class reworked to perform only argument handling and file driving.- Argument handling is complex enough to warrant its own Class/File/Subsystem, and should be separated into one when possible.
- Required arguments changed:
parser.jar
:targetPath language <optArgs>
->targetPath <optArgs>
Component
Class reworked into a dedicatedComponent.java
file instead of as an internal class ofParserCore
.Append
feature reworked- Usage changed:
parser.jar
:oldPath -a=newPath:parentCName
->oldPath:parentCName -a=newPath
- Appending now functions in logical order, parse oldPath -> verify parent Component exists and acquire it -> parse newPath -> append to parent.
- Usage changed:
PythonParser
Class reworked to function with the new system design.CSharpParser
Class reworked to function with the new system design.CParser
Class reworked to function with the new system design.CPPParser
Class reworked to function with the new system design.PythonParserRegexTest
Class reworked to function with the new system design.PythonParserRegexBlockCommentTest
Class reworked to function with the new system design.PythonParserRegexLineCommentTest
Class reworked to function with the new system design.CSharpParserRegexTest
Class reworked to function with the new system design.CParserRegexTest
Class reworked to function with the new system design.CppParserRegexTest
Class reworked to function with the new system design.
ParserCore
Class, and its implementations, are now deprecated. Its responsibilities have been delegated accordingly and its implementations can and will be updated with relative ease.
- Backend now kills after closing app
- Backend no longer uses static constant file paths for OSI.
- VEXFactory has an incompatibility with NVIP API. This breaks vulnerability discovery and all features which rely on VEX data.
Conflicts
: Now when creating a master SBOM, conflicts between SBOMS are noted and sent to user.Download Report
: Users can now download SBOM reports
- Node graph zoom in/zoom out
- Node graph now fits within the frame
- Node graph node names no longer get cut off after a certain length
- SBOM Conflicts now save
- When there are no licenses, the SPDX translator now returns an empty array instead of "NONE"
- Log in errors are now shown to users
OSI
: Docker image builds upon app start up and remains open.
- VEXFactory has an incompatibility with NVIP API. This breaks vulnerability discovery and all features which rely on VEX data.
WebApp
: Contains the frontend which uses Angular and ElectronJS.SVIP
: Folder containing the backend which now utilizes Apache Maven with Springboot framework.SVIP Core
: Uses a Docker Container to generate SBOMs, merges them, and creates a D3 JSON Visual
- UI layout is more visually appealing
OSI
: OSI Now handles coverting projects into SBOMS and then formatting them for Node GrapsFrontend
: The frontend has been completly reworked- Electron JS now wraps the GUI to open as an app and obtain folder paths
- Angular is the framework used to create GUI design and implementation
Backend
: SVIP controller handles api requests using Springboot Framework.OSI
: Uses docker to create SBOM using multiple tools when given a user's project filepathMerger
: Merges multiple SBOMS into one 'master SBOM'Translator
: Translates SBOMS of different formats into an internal formatVEXFactory
: Communicates with the National Vulnerability Intelligence Program to get CVEs for components
Tree.html
,testSBOMS
,Converter
: all were removed after the introduction of Apache Maven Springboot & Angular/Electron.
- VEXFactory has an incompatibility with NVIP API. This breaks vulnerability discovery and all features which rely on VEX data.