docs: enhance documentation (#65)
* add instructions for goreleaser integration

Signed-off-by: nscuro <[email protected]>

* don't be too verbose on hashes explanation

Signed-off-by: nscuro <[email protected]>

* fix and improve code documentation; update changelog

Signed-off-by: nscuro <[email protected]>

* cli documentation tweaks

Signed-off-by: nscuro <[email protected]>

* reference #20 in changelog

Signed-off-by: nscuro <[email protected]>

* readme tweaks

Signed-off-by: nscuro <[email protected]>

* update examples docker image to include sbom validation

Signed-off-by: nscuro <[email protected]>

* correction

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* improve cli documentation

Signed-off-by: nscuro <[email protected]>

* update cli help in readme

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* update cli docs and readme

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* fix InvalidSerialNumber test

Signed-off-by: nscuro <[email protected]>

Closes #31
nscuro authored Sep 27, 2021
1 parent d54784c commit a31c1e4
Showing 20 changed files with 397 additions and 283 deletions.
20 changes: 15 additions & 5 deletions CHANGELOG.md
Expand Up @@ -7,13 +7,15 @@
* Introduce multi-command CLI ([#42](https:/CycloneDX/cyclonedx-gomod/issues/42) via [#45](https:/CycloneDX/cyclonedx-gomod/pull/45))
* Output SBOMs in v1.3 of the CycloneDX specification ([#43](https:/CycloneDX/cyclonedx-gomod/issues/43) via [`5bab19b`](https:/CycloneDX/cyclonedx-gomod/commit/5bab19bbed9c6de22112ebeb2f71691c4b4163f5))
* Add support for application SBOMs ([#44](https:/CycloneDX/cyclonedx-gomod/issues/44) via [#50](https:/CycloneDX/cyclonedx-gomod/pull/50))
* Also addresses [#20](https:/CycloneDX/cyclonedx-gomod/issues/20) (thanks [dlorenc](https:/dlorenc) for reporting!)
* Add support for binary SBOMs ([#21](https:/CycloneDX/cyclonedx-gomod/issues/21) via [#46](https:/CycloneDX/cyclonedx-gomod/pull/46))
* Include applicable build constraints in application SBOMs ([#29](https:/CycloneDX/cyclonedx-gomod/issues/29) via [#59](https:/CycloneDX/cyclonedx-gomod/pull/59))
* Add license detection support for binary SBOMs ([#51](https:/CycloneDX/cyclonedx-gomod/issues/51) via [#52](https:/CycloneDX/cyclonedx-gomod/pull/52))
* Generate pseudo versions using `golang.org/x/mod` ([#55](https:/CycloneDX/cyclonedx-gomod/issues/55) via [#57](https:/CycloneDX/cyclonedx-gomod/pull/57))
* Use [license evidence](https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence) for detected licenses ([#40](https:/CycloneDX/cyclonedx-gomod/issues/40) via [#49](https:/CycloneDX/cyclonedx-gomod/pull/49))
* Build with and test against Go 1.17 (via [#54](https:/CycloneDX/cyclonedx-gomod/pull/54))
* Produce and publish an SBOM for each binary built when releasing (via [#62](https:/CycloneDX/cyclonedx-gomod/pull/62))
* Introduce improved logging (via [#46](https:/CycloneDX/cyclonedx-gomod/pull/46))
* Add indication for which application the SBOM was generated for ([#67](https:/CycloneDX/cyclonedx-gomod/pull/67) via [#71](https:/CycloneDX/cyclonedx-gomod/pull/71))

### Fixes

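Review bot: the "Produce and publish an SBOM for each binary built when releasing (via #62)" entry appears both in this feature list and under the new "Building and Packaging" section later in the same file; the hunk header (13 lines to 15) leaves room for exactly one removed line, so confirm that the copy in this list is the one being dropped, otherwise the release-SBOM change is recorded twice. The new "Add indication for which application the SBOM was generated for" entry also links #67 under `/pull/` while every other entry puts the reported issue under `/issues/` first; either use the issue link for #67 or reword it to "via #67 and #71" so the list keeps one convention.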
Expand All @@ -22,12 +24,20 @@

### Breaking Changes

* The CLI now consists of multiple subcommands, thus being incompatible with the CLI in cyclonedx-gomod `v0.x`.
* Detected licenses (when using the `-licenses` flag) will now use the `components/evidence/licenses` node instead of `components/licenses`. Tools that consume SBOMs and don't support CycloneDX v1.3 yet may not recognize those licenses.
* Version normalization has been removed ([#60](https:/CycloneDX/cyclonedx-gomod/pull/60)). As a consequence, `+incompatible` suffixes and `v` prefixes (`-noprefix` flag in cyclonedx-gomod v0.x) are not trimmed anymore.
* The CLI now consists of multiple subcommands, thus being incompatible with the CLI in cyclonedx-gomod `v0.x`
* Detected licenses (when using the `-licenses` flag) will now use the `components/evidence/licenses` node instead of `components/licenses`. Tools that consume SBOMs and don't support CycloneDX v1.3 yet may not recognize those licenses
* Version normalization has been removed ([#60](https:/CycloneDX/cyclonedx-gomod/pull/60)). As a consequence, `+incompatible` suffixes and `v` prefixes (`-novprefix` flag in `v0.x`) are not trimmed anymore
* The `-reproducible` flag has been removed (via [`9b45f4a`](https:/CycloneDX/cyclonedx-gomod/commit/9b45f4a0e905dc89bef1d238c28de908bd4163a0))

### Dependency Updates

* Update `github.com/CycloneDX/cyclonedx-go` from `v0.3.0` to `v0.4.0` (via [`5bab19b`](https:/CycloneDX/cyclonedx-gomod/commit/5bab19bbed9c6de22112ebeb2f71691c4b4163f5))
* Update `golang.org/x/mod` from `v0.4.2` to `v0.5.0` (via [#57](https:/CycloneDX/cyclonedx-gomod/pull/57))
* Update `golang.org/x/mod` from `v0.4.2` to `v0.5.1` (via [#57](https:/CycloneDX/cyclonedx-gomod/pull/57) and [`088f0e3`](https:/CycloneDX/cyclonedx-gomod/commit/088f0e30e6aa80a37f767651877cf943563960a4))
* Update `golang.org/x/crypto` from `v0.0.0-20210711020723-a769d52b0f97` to `v0.0.0-20210817164053-32db794688a5` (via [`75ae52a`](https:/CycloneDX/cyclonedx-gomod/commit/75ae52ac039d9d702a1861c9625d0a14116097ce))

### Building and Packaging

* Produce and publish an SBOM for each binary built when releasing (via [#62](https:/CycloneDX/cyclonedx-gomod/pull/62))
* Builds for `windows/386` and `linux/386` have been dropped (via [#62](https:/CycloneDX/cyclonedx-gomod/pull/62))
* Use standard Go notation for architectures in release artifact names (via [#62](https:/CycloneDX/cyclonedx-gomod/pull/62))
* e.g. `cyclonedx-gomod_1.0.0_windows_x64.zip` is now `cyclonedx-gomod_1.0.0_windows_amd64.zip`
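Review bot: the new "The `-reproducible` flag has been removed" line is the only breaking change that gives neither a replacement nor a reason, and it links only a commit hash; add one clause telling users what to do instead (for example whether the reproducible behaviour is now the default or has been dropped) so they do not have to read the diff to find out. The rewritten entries above it correctly fix the old flag name from `-noprefix` to `-novprefix` and drop the trailing periods, which is fine. Dropping the `windows/386` and `linux/386` builds and renaming the release artifacts (`_x64` to `_amd64`) both break anyone scripting downloads against the old names, so either list them under "Breaking Changes" as well or add a cross-reference from that section to "Building and Packaging".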
10 changes: 10 additions & 0 deletions Dockerfile.examples
Expand Up @@ -17,11 +17,21 @@ VOLUME /examples
# Create non-root user
RUN useradd -m --uid 1000 cdx

# Install CycloneDX CLI
RUN apt update && \
apt install -y libicu-dev && \
wget -q -O /usr/local/bin/cyclonedx https:/CycloneDX/cyclonedx-cli/releases/download/v0.18.0/cyclonedx-linux-x64 && \
echo "6b387448d3660147fed9f60a74feadf2d165c6275e2915a22193a1350d5f9436 /usr/local/bin/cyclonedx" | sha256sum -c && \
chmod +x /usr/local/bin/cyclonedx

# Create generation script
RUN echo "#!/bin/bash\n\n\
cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube/main.go /home/cdx/minikube \n\
cyclonedx-gomod mod -json -output /examples/mod_minikube-v1.23.1.bom.json -licenses /home/cdx/minikube \n\
cyclonedx-gomod bin -json -output /examples/bin_minikube-v1.23.1.bom.json -licenses -version v1.23.1 /home/cdx/minikube-linux-amd64 \n\
cyclonedx validate --input-file /examples/app_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
cyclonedx validate --input-file /examples/mod_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
cyclonedx validate --input-file /examples/bin_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
" > /home/cdx/generate-examples.sh

# Install cyclonedx-gomod
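Review bot: the generated `/home/cdx/generate-examples.sh` has no `set -e`, so if one of the three `cyclonedx-gomod` invocations fails the script carries on and the matching `cyclonedx validate` step then fails on a missing input file, hiding the real error; add `set -euo pipefail` right after the `#!/bin/bash` line so the first failure stops the run with its own exit status. In the new "Install CycloneDX CLI" layer, pinning `v0.18.0` and checking the download with `sha256sum -c` before `chmod +x` is the right approach and should stay; what would improve the layer is using `apt-get` rather than `apt` (whose CLI is not stable for scripts), adding `--no-install-recommends`, removing `/var/lib/apt/lists/*` in the same `RUN` so the package index does not end up in the image, and, if `libicu-dev` was chosen only to avoid hard-coding the versioned runtime `libicu` package name, saying so in a comment, since the dev package pulls in headers the CLI binary does not need.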