cyclonedx-gomod

command module
v0.3.1
Published: Apr 19, 2021 License: Apache-2.0 Imports: 20 Imported by: 0

README

cyclonedx-gomod


cyclonedx-gomod creates CycloneDX Software Bill of Materials (SBOM) from Go modules

Installation

Prebuilt binaries are available on the releases page.

From Source
go install github.com/CycloneDX/cyclonedx-gomod@latest

Building from source requires Go 1.16 or newer.

Compatibility

cyclonedx-gomod will produce BOMs for the latest version of the CycloneDX specification supported by cyclonedx-go.
You can use the CycloneDX CLI to convert between multiple BOM formats or specification versions.

Usage

Usage of cyclonedx-gomod:
  -json
        Output in JSON format
  -module string
        Path to Go module (default ".")
  -noserial
        Omit serial number
  -novprefix
        Omit "v" version prefix
  -output string
        Output path (default "-")
  -serial string
        Serial number (default [random UUID])
  -std
        Include Go standard library as component and dependency of the module
  -type string
        Type of the main component (default "application")
  -version
        Show version

In order to be able to calculate hashes, all modules have to be present in Go's module cache.
Make sure to run go mod download before generating BOMs with cyclonedx-gomod.

Example
$ go mod tidy
$ go mod download
$ cyclonedx-gomod -output bom.xml -std

Check out the examples directory for examples of BOMs generated by cyclonedx-gomod.

Hashes

cyclonedx-gomod uses the same hashing algorithm Go uses for its module integrity checks.
vikyd/go-checksum does a great job of explaining what exactly that entails. In essence, the hash you see in a BOM should be the same as in your go.sum file, just in a different encoding: the CycloneDX specification requires hashes to be provided in hex encoding, while Go stores base64-encoded values.

To verify a hash found in a BOM, do the following:

  1. Hex decode the value
  2. Base64 encode the value
  3. Prefix the value with h1:

Given the hex-encoded hash a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b, we'd end up with a module checksum of h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=. Now, query your checksum database for the expected checksum and compare the values.
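The three-step conversion above, written out in Go as an added example that is not part of cyclonedx-gomod, and extended to compare the result against a go.sum excerpt. The module path, version and go.sum content are constructed; only the checksum value comes from the README.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// BOMHashToGoSum turns the hex-encoded SHA-256 in a CycloneDX BOM into go.sum's "h1:" base64 form.
func BOMHashToGoSum(hexHash string) (string, error) {
	raw, err := hex.DecodeString(hexHash) // step 1: hex decode
	if err != nil {
		return "", fmt.Errorf("invalid hex hash: %w", err)
	}
	if len(raw) != 32 { // an h1 checksum is always a SHA-256 digest
		return "", fmt.Errorf("expected 32-byte digest, got %d bytes", len(raw))
	}
	// step 2: base64 encode, step 3: prefix with h1:
	return "h1:" + base64.StdEncoding.EncodeToString(raw), nil
}

// LookupGoSum returns the h1 checksum go.sum records for module@version (the zip line, not the "/go.mod" line).
func LookupGoSum(goSum, module, version string) string {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 3 && f[0] == module && f[1] == version {
			return f[2]
		}
	}
	return ""
}

// VerifyBOMHash reports whether the BOM hash for module@version matches the go.sum record.
func VerifyBOMHash(goSum, module, version, hexHash string) (bool, error) {
	want := LookupGoSum(goSum, module, version)
	if want == "" {
		return false, fmt.Errorf("%s@%s not found in go.sum", module, version)
	}
	got, err := BOMHashToGoSum(hexHash)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// sampleGoSum is a constructed go.sum excerpt; the go.mod checksum is a placeholder.
const sampleGoSum = `example.com/some/module v1.2.3 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
example.com/some/module v1.2.3/go.mod h1:PLACEHOLDERgomodchecksum=
`
```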

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

Contributing

Pull requests are welcome, but please read the CycloneDX contributing guidelines first.

It is generally expected that pull requests will include relevant tests. Tests are automatically run against all supported Go versions for every pull request.

Documentation


There is no documentation for this package.

Directories

Path Synopsis
internal
