Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/patriksvensson/covenant
A tool to generate SBOM (Software Bill of Material) from source code artifacts.
- Host: GitHub
- URL: https://github.com/patriksvensson/covenant
- Owner: patriksvensson
- License: mit
- Created: 2022-10-09T21:53:47.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-03-25T09:46:37.000Z (9 months ago)
- Last Synced: 2024-10-19T18:01:40.179Z (about 2 months ago)
- Topics: cyclonedx, openchain, sbom, spdx
- Language: C#
- Homepage:
- Size: 111 KB
- Stars: 60
- Watchers: 4
- Forks: 7
- Open Issues: 9
Metadata Files:
- Readme: README.md
- Funding: .github/funding.yml
- License: LICENSE.md
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - patriksvensson/covenant: A tool to generate SBOM (Software Bill of Material) from source code artifacts.
README
# Covenant
A tool to generate SBOM (Software Bill of Material) from source code artifacts.
NOTE:
Covenant requires all projects to have been built and all dependencies to have been restored, so that the analysis is as accurate as possible.

## Supported SBOM formats
* [CycloneDx](https://cyclonedx.org/)
* [SPDX](https://spdx.dev/)

## Supported sources
* .NET 5 to .NET 8
* .NET Core
* NPM
* CycloneDX BOM
  * `*.cdx.xml` or `bom.xml`

## Installation
Install by running the following command in your repository:
```shell
$ dotnet tool install covenant
```

You can also install Covenant globally on your machine:
```shell
$ dotnet tool install -g covenant
```

## Configuration file
The configuration file is used to configure different aspects of Covenant.
```json
{
"$schema": "https://raw.githubusercontent.com/patriksvensson/covenant/main/schema/0.14.json",
// Used for arbitrary files to be included in the SBOM (optional)
"files": [
{
"path": "./files/lol.txt",
"license": "MIT"
},
{
"path": "./**/foo.c"
}
],
// Used for compliance checks (optional)
"licenses": {
"banned": [
"MIT"
]
}
}
```

## Generate Covenant SBOM
```
Usage:
  covenant generate [] [options]

Arguments:
  A file or directory to use as input

Options:
  -o, --output             The output path of the SBOM file
  -n, --name               The SBOM name
  -v, --version            The SBOM version [default: 0.0.0]
  -m, --metadata           Arbitrary metadata in the form 'key=value'
  -c, --configuration      The Covenant configuration file to use
  --design-time-build      Performs a design time build for .NET projects [default: False]
  --no-dev-dependencies    Excludes dev dependencies for NPM projects [default: False]
  -?, -h, --help           Show help and usage information
```

To generate a Covenant SBOM from the current directory:
```bash
dotnet covenant generate
```

To generate a Covenant SBOM from a specific directory:
```bash
dotnet covenant generate "C:\Source\Foo"
```

To generate a Covenant SBOM from a specific file:
```bash
dotnet covenant generate "C:\Source\Foo\Foo.sln"
```

## Convert Covenant SBOM to third-party SBOM formats
```
Usage:
  covenant convert [command] [options]

Options:
  -?, -h, --help    Show help and usage information

Commands:
  cyclonedx
  spdx
```

### SPDX
```
Usage:
  covenant convert spdx [options]

Arguments:
  The Covenant SBOM file to convert

Options:
  -o, --output      The output path
  --namespace       The SPDX namespace
  -?, -h, --help    Show help and usage information
```

```bash
dotnet covenant convert spdx "C:\Source\Foo\Foo.covenant.json"
```

### CycloneDX
```
Usage:
  covenant convert cyclonedx [options]

Arguments:
  The Covenant SBOM file to convert

Options:
  -o, --output      The output path
  -?, -h, --help    Show help and usage information
```

```bash
dotnet covenant convert cyclonedx "C:\Source\Foo\Foo.covenant.json"
```

## Creating reports
```
Usage:
  covenant report [options]

Arguments:
  The Covenant SBOM file to create a HTML report for

Options:
  -o, --output      The output path of the HTML report
  -?, -h, --help    Show help and usage information
```

```bash
dotnet covenant report "C:\Source\Foo\Foo.covenant.json"
```

## Checking compliance
```
Usage:
  covenant check [options]

Arguments:
  The Covenant SBOM file to run compliance checks for

Options:
  -c, --configuration    The Covenant configuration file to use
  -?, -h, --help         Show help and usage information
```

```bash
dotnet covenant check "C:\Source\Foo\Foo.covenant.json"
```

You can put a file called `covenant.config` next to the SPDX report,
or provide one via the `--config` parameter, to configure the
compliance rules.

```json
{
"licenses": {
"banned": [
"MIT"
]
}
}
```

## Building
We're using [Cake](https://github.com/cake-build/cake) as a
[dotnet tool](https://docs.microsoft.com/en-us/dotnet/core/tools/global-tools)
for building. So make sure that you've restored Cake by running
the following in the repository root:

```
> dotnet tool restore
```

After that, running the build is as easy as writing:
```
> dotnet cake
```
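Returning to the compliance check described above: the config's `licenses.banned` list is the rule, and the licenses declared in the SBOM are what it is matched against. The following is an added illustration of that kind of gate, not Covenant's own code (the page does not show Covenant's check logic): it runs in Python over a CycloneDX JSON BOM, the format that `covenant convert cyclonedx` produces, and the config, the BOM and its component names are all constructed for the example.

```python
import json

# Constructed covenant.config in the shape this README shows (not a real project's file).
CONFIG_JSON = '{"licenses": {"banned": ["MIT"]}}'

# Constructed CycloneDX 1.4 JSON BOM with fictional components, in the format that
# `covenant convert cyclonedx` emits; it is not output captured from Covenant.
BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "Acme.Json", "version": "1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "Acme.Console", "version": "4.0.0",
     "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"type": "library", "name": "Acme.Http", "version": "2.0.0",
     "licenses": [{"license": {"name": "Apache License 2.0"}}]},
    {"type": "library", "name": "Acme.Legacy", "version": "0.9.0"}
  ]
}"""

SPDX_OPERATORS = {"AND", "OR", "WITH"}

def declared_licenses(component):
    """Every license id/name a CycloneDX component declares, as a set."""
    found = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            # Split 'MIT OR Apache-2.0' into identifiers so that a banned license on
            # any branch of the expression is caught (the conservative reading).
            words = entry["expression"].replace("(", " ").replace(")", " ").split()
            found.update(w for w in words if w.upper() not in SPDX_OPERATORS)
        lic = entry.get("license", {})
        found.update(lic[k] for k in ("id", "name") if k in lic)
    return found

def check_bom(bom_json, config_json):
    """Apply the config's licenses.banned list to every component in the BOM."""
    banned = set(json.loads(config_json).get("licenses", {}).get("banned", []))
    violations, unknown = [], []
    for comp in json.loads(bom_json).get("components", []):
        ref = f"{comp['name']}@{comp.get('version', '?')}"
        licenses = declared_licenses(comp)
        if not licenses:
            unknown.append(ref)  # undeclared: cannot be shown to be allowed
        hits = sorted(licenses & banned)
        if hits:
            violations.append((ref, hits))
    # The gate passes only when nothing is banned and nothing is undeclared.
    return {"violations": violations, "unknown": unknown,
            "passed": not violations and not unknown}
```

A CI job would run `check_bom` on the converted BOM and fail the pipeline when `passed` is false, treating a component with no declared license as a finding rather than silently letting it through.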