Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/patriksvensson/covenant

A tool to generate SBOM (Software Bill of Material) from source code artifacts.
https://github.com/patriksvensson/covenant

cyclonedx openchain sbom spdx

Last synced: 3 months ago
JSON representation

A tool to generate SBOM (Software Bill of Material) from source code artifacts.

Awesome Lists containing this project

README 

        
# Covenant



A tool to generate SBOM (Software Bill of Material) from source code artifacts.



NOTE:

Covenant requires all projects to have been built, and all dependencies to have been restored to make an as accurate analysis as possible.



## Supported SBOM formats



* [CycloneDx](https://cyclonedx.org/)

* [SPDX](https://spdx.dev/)



## Supported sources



* .NET 5 to .NET 8

* .NET Core

* NPM

* CycloneDX BOM

  * `*.cdx.xml` or `bom.xml`



## Installation



Install by running the following command in your repository:



```shell

$ dotnet tool install covenant

```



You can also install Covenant globally on your machine:



```shell

$ dotnet tool install -g covenant

``````



## Configuration file



The configuration file is used to configure different aspects of Covenant.



```json

{

    "$schema": "https://raw.githubusercontent.com/patriksvensson/covenant/main/schema/0.14.json"

    

    // Used for arbitrary files to be included in the SBOM (optional)

    "files": [

        {

            "path": "./files/lol.txt",

            "license": "MIT"

        },

        {

            "path": "./**/foo.c"

        }

    ],

    

    // Used for compliance checks (optional)

    "licenses": { 

        "banned": [

            "MIT"

        ]

    }

}

```



## Generate Covenant SBOM



```

Usage:

  covenant generate [] [options]



Arguments:

    A file or directory to use as input



Options:

  -o, --output          The output path of the SBOM file

  -n, --name            The SBOM name

  -v, --version      The SBOM version [default: 0.0.0]

  -m, --metadata    Arbitrary metadata in the form 'key=value'

  -c, --configuration   The Covenant configuration file to use

  --design-time-build         Performs a design time build for .NET projects [default: False]

  --no-dev-dependencies       Excludes dev dependencies for NPM projects [default: False]

  -?, -h, --help              Show help and usage information

```



To generate an Covenant SBOM from the current directory:



```bash

dotnet covenant generate 

```



To generate an Covenant SBOM from a specific directory:



```bash

dotnet covenant generate "C:\Source\Foo"

```



To generate an Covenant SBOM from a specific file:



```bash

dotnet covenant generate "C:\Source\Foo\Foo.sln"

```



## Convert Covenant SBOM to third party SBOM formats



```

Usage:

  covenant convert [command] [options]



Options:

  -?, -h, --help  Show help and usage information



Commands:

  cyclonedx 

  spdx 

```



### SPDX



```

Usage:

  covenant convert spdx  [options]



Arguments:

    The Covenant SBOM file to convert



Options:

  -o, --output       The output path

  --namespace   The SPDX namespace

  -?, -h, --help           Show help and usage information

```



```bash

dotnet covenant convert spdx "C:\Source\Foo\Foo.covenant.json"

```



### CycloneDX



```

Usage:

  covenant convert cyclonedx  [options]



Arguments:

    The Covenant SBOM file to convert



Options:

  -o, --output   The output path

  -?, -h, --help       Show help and usage information

```



```bash

dotnet covenant convert cyclonedx "C:\Source\Foo\Foo.covenant.json"

```



## Creating reports



```

Usage:

  covenant report  [options]



Arguments:

    The Covenant SBOM file to create a HTML report for



Options:

  -o, --output   The output path of the HTML report

  -?, -h, --help       Show help and usage information

```



```bash

dotnet covenant report "C:\Source\Foo\Foo.covenant.json"

```



## Checking compliance



```

Usage:

  covenant check  [options]



Arguments:

    The Covenant SBOM file to run compliance checks for



Options:

  -c, --configuration   The Covenant configuration file to use

  -?, -h, --help              Show help and usage information

```



```bash

dotnet covenant check "C:\Source\Foo\Foo.covenant.json"

```



You can put a file called `covenant.config` next to the SPDX report,

or providing one via the `--config` parameter, to configure the 

compliance rules.



```json

{

    "licenses": {

        "banned": [

            "MIT"

        ]

    }

}

```



## Building



We're using [Cake](https://github.com/cake-build/cake) as a 

[dotnet tool](https://docs.microsoft.com/en-us/dotnet/core/tools/global-tools) 

for building. So make sure that you've restored Cake by running 

the following in the repository root:



```

> dotnet tool restore

```



After that, running the build is as easy as writing:



```

> dotnet cake

```