Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tool name: CycloneDX Python Library #60

Open
7 of 60 tasks
jkowalleck opened this issue Jan 28, 2025 · 0 comments
Open
7 of 60 tasks

Tool name: CycloneDX Python Library #60

jkowalleck opened this issue Jan 28, 2025 · 0 comments
Labels
foss-tool

Comments

@jkowalleck
Copy link

jkowalleck commented Jan 28, 2025
edited
Loading

homepage_url

https://github.com/CycloneDX/cyclonedx-python-lib#readme-ov-file

contact_email

jan.kowalleck [at] owasp.org

code_view_url

https://github.com/CycloneDX/cyclonedx-python-lib

spdx_license_expression

Apache-2.0

description

This Python package(library) provides data models, validators and more, to help you create/render/read CycloneDX documents.

Responsibilities

  • Provide a general purpose Python-implementation of CycloneDX.
  • Provide type hints for said implementation, so developers and dev-tools can rely on it.
  • Provide data models to work with CycloneDX.
  • Provide data model-validators according to CycloneDX Specification.
  • Provide JSON- and XML-serializers, that…
    • support all shipped data models.
    • respect any supported CycloneDX Specification and generates valid output accordingly.
    • generate reproducible/deterministic results.
  • Provide formal JSON- and XML-validators according to CycloneDX Specification.
  • Provide mechanisms for JSON- and XML-deserialization of all shipped data models.
  • Pre-populate bom-ref, so linkage is possible. (affects only some data models)

Capabilities

  • Enums and Data models for the following use cases:
    • Bom and Metadata
    • BomRef
    • Component, Evidence, Patch, Pedigree, and more
    • Organizational Contact and Entity
    • Cryptographic properties and more
    • Definition and Standard
    • Dependency
    • Impact and related Analysis
    • Issue
    • License Named, SPDX, Expression, and more
    • Lifecycle
    • Release Notes
    • Service
    • Tool
    • Vulnerability and related Analysis
    • Attachment Copyright, DataFlow, ExternalReference, Hash, Property, and more
  • Factories for the following use cases:
    • Create data models from any license descriptor string
  • Builders for the following use cases:
    • Build a Component data model that represents this library
    • Build a Tool data model that represents this library
  • Implementation of the CycloneDX Specification for the following versions:
    • 1.6
    • 1.5
    • 1.4
    • 1.3
    • 1.2
    • 1.1
    • 1.0
  • Serializer that converts Bom data models to XML string
  • Serializer that converts Bom data models to JSON string
  • Formal validators for JSON string and XML string.
  • Shipped data model are serializable to and deserializable from both, JSON and XML.

primary_languages

Python

short_term_roadmap

all things are community efforts - come and help/contribute

long_term_roadmap

all things are community efforts - come and help/contribute

proprietary_data

  • Yes, the tool depends on proprietary data sources

commercial_features

  • Yes, the tool has a commercial version with different/additional features

capabilities

  • Identifiers - Use Package-URL (PURL) identifiers
  • Identifiers - Use SPDX license expressions
  • Scanning - Analyze package manifests and lockfiles
  • Scanning - Analyze package files
  • Scanning - Scan for copyright
  • Scanning - Scan for license
  • Scanning - Analyze source code
  • Scanning - Analyze containers
  • Scanning - Analyze installed system packages (linux distros)
  • Scanning - Analyze installed application packages
  • Scanning - Other analysis
  • Packages - Inventory packages
  • Packages - Inventory packages dependencies
  • Packages - Resolve dependencies
  • Packages - Navigate or display dependency graph
  • Compliance - Generate CycloneDX SBOMs
  • Compliance - Generate SPDX SBOMs
  • Compliance - Validate CycloneDX SBOM
  • Compliance - Validate SPDX SBOMs
  • Compliance - Generate CycloneDX VEX
  • Compliance - Generate CSAF VEX
  • Compliance - Generate OpenVex
  • Compliance - Generate other compliance documents
  • Policies - Define and check license policies
  • Policies - Define and check security policies
  • Policies - Define and check other policies
  • Data - Database of Package metadata
  • Data - Database of Package dependency relationships
  • Data - Database of License obligations
  • Data - Database of Licenses
  • Data - Database of Vulnerabilities
  • License - Help triage license issues
  • License - Generate license credit and attribution notices
  • License - Generate source code redistribution lists
  • Vulnerabilities - Detect vulnerable code in packages
  • Vulnerabilities - Find known vulnerabilities for package
  • Vulnerabilities - Determine reachable vulnerabilities
  • Vulnerabilities - Help triage vulnerabilities
  • Binaries - Analyze binaries
  • Binaries - Analyze ELF binaries
  • Binaries - Analyze Windows binaries
  • Binaries - Analyze firmware binaries
  • Binaries - Analyze Other binaries
  • Matching - Match source code
  • Matching - Match binary code
  • Tracing - Trace code execution
  • Tracing - Trace build
  • Code Security - Analyze code statically (SAST/linting)
  • Code Security - Analyze code dynamically (DAST)
  • Download - Source package
  • Download - Source repositories
  • Download - Binary package
  • Deployment - Deployable as containers (Docker/OCI/k8s/etc)
  • Deployment - Deployable in CI/CD pipelines
  • Deployment - Deployable as a library
  • Run - Run as a command line tool
  • Run - Run as a web application
  • Run - Run as an API service

other_capabilities

License triage - When incorrect SPDX license identifiers are detected and can be mapped to correct SPDX License identifiers where possible this is identified
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
foss-tool
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jkowalleck