Merge pull request #48 from Mariuxdeangelo/squash-and-signoff

squash commit for SBOM-Catalog contribution to SBOM-Everywhere SIG

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10

.github/workflows/build-and-publish-page.yml

@@ -0,0 +1,79 @@
+name: Node.js CI
+
+on:
+  release:
+    types: [published]
+
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js LTS
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Install dependencies
+        run: cd SBOM-Catalog && npm install
+
+      - name: Run build
+        run: cd SBOM-Catalog && npm run build
+
+      - name: Upload pages artifact to action workflow
+        uses: actions/upload-artifact@v4
+        with:
+          name: pages-build-artifact
+          path: SBOM-Catalog/dist
+
+      - name: Create zip for release file
+        run: zip -r sbom-catalog-${{github.ref_name}}.zip SBOM-Catalog/dist
+
+      - name: Upload pages release asset
+        uses: softprops/action-gh-release@v2
+        with:
+          files: sbom-catalog-${{github.ref_name}}.zip
+
+      - name: Deploy
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          folder: SBOM-Catalog/dist
+          branch: gh-pages
+
+  create_spdx_sbom:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js LTS
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Syft SPDX SBOM generation
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom-catalog-${{github.ref_name}}.spdx.json
+          format: spdx-json
+
+  create_cdx_sbom:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js LTS
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Syft CycloneDx SBOM generation
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom-catalog-${{github.ref_name}}.cdx.json
+          format: cyclonedx-json

.github/workflows/build-pull-request.yml

@@ -0,0 +1,22 @@
+name: CI
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Install dependencies
+        run: cd SBOM-Catalog && npm install
+
+      - name: Run build
+        run: cd SBOM-Catalog && npm run build

README.md

@@ -86,6 +86,14 @@ The Federal Government exists at every point of the Software Delivery Lifecycle,
   - [Minimum Standards for Federal Government End Users](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer)
 
 
+## SBOM Catalog
+To provide a better overview of the available tooling and their capabilities, this group maintains an SBOM Catalog which can be found under the following link:
+
+[https://ossf.github.io/sbom-everywhere/](https://ossf.github.io/sbom-everywhere/)
+
+If you want to get involved, please see the document [here](/SBOM-Catalog/contribute.md)
+
+
 ## Prior Work
 ### NTIA
 - [NTIA SBOM Resources](https://ntia.gov/SBOM)

SBOM-Catalog/.eslintrc.cjs

@@ -0,0 +1,18 @@
+/* eslint-env node */
+require('@rushstack/eslint-patch/modern-module-resolution')
+
+module.exports = {
+    root: true,
+    ignorePatterns: ["dist", "build", "node_modules", ".idea"],
+    'extends': [
+        'plugin:vue/vue3-recommended',
+        'eslint:recommended',
+        '@vue/eslint-config-typescript',
+        '@vue/eslint-config-prettier/skip-formatting'
+    ],
+    parserOptions: {
+        ecmaVersion: 'latest'
+    },
+    rules: {
+    }
+}

SBOM-Catalog/.gitignore

@@ -0,0 +1,24 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?

SBOM-Catalog/contribute.md

@@ -0,0 +1,75 @@
+# SBOM Catalog
+
+This is a project to implement an SBOM Catalog inspired by the [Landscape of the Cloud Native Computing Foundation](https://landscape.cncf.io/).
+
+
+The page can be found [here](https://ossf.github.io/sbom-everywhere/)
+
+## How to add your tool
+If you know of a tool or project that should be listed here, please open an Issue or add a MergeRequest. There are three things to consider while adding a new tool:
+
+### 1. Add a new entry
+The public/data.yaml contains all the information a user can search on the page. Add a new entry to the list of tools. Please follow the following convention regarding the values. Please also refer to the tool's source, where the features are documented.
+
+##### Name
+The name of the tool. This should be distinct in the list and is used as an identifier.
+
+##### Publisher
+The publisher refers to the company or institution maintaining the tool. It should be spelled similarly each time so users can find all tools from the same publisher.
+
+##### Standards
+A list of Standards a tool can produce. Currently, the three standards which are recognized by the [NTIA](https://www.ntia.gov/sites/default/files/publications/sbom_formats_survey-version-2021_0.pdf) are supported:
+- SPDX
+- CycloneDx
+- SWID
+
+##### Abilities
+Abilities describe the capabilities of the tool. In what part of the software development lifecycle can the tool be used? The following abilities are supported:
+- **Compare**   - *Can compare two SBOMs*
+- **Consume**   - *Can use a provided SBOM in some form*
+- **Convert**   - *Can Convert between formats (SPDX, CycloneDX), versions or file-formats (json, xml)*
+- **Edit**      - *Can somehow edit the contents of a SBOM*
+- **Generate**  - *Can automatically generate a SBOM*
+- **Merge**     - *Can merge several SBOMs*
+- **Validate**  - *Can validate a SBOM against the file schema or requirements like defined by the NTIA*
+
+##### Type
+SBOMs may contain different forms of the minimum information sourced from different
+product artifacts. The following types are supported as published by the [NTIA](https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom). Because many tools specifically support the scanning of container images, the category **Container** is added additionally. Even if container scans can be considered *Analyzed*:
+- Design
+- Source
+- Build
+- Analyzed
+- Deployed
+- Runtime
+- Container
+
+### 2. Add a description
+You can add a detailed description to the /public/descriptions folder. The description should be written in markdown and named after the tool (the Same name as in the data.yaml). It should contain detailed information about the tools and features claimed in the data section. Feel free to add links to the GitHub repository or supplier.
+
+### 3. Add a logo
+You can add a logo to the /public/logos folder. The logo should be named after the tool (the Same name as in the data.yaml). It should be a PNG file with a transparent background and 200px x 200px.
+
+The logo will be displayed on the page in the Map View, the List View, and the details section. You can add Logos for all categories and also for the Publisher.
+
+If you add a Logo, we assume your project and/or company are OK with that. The logo should be used under the fair use policy. If you want to remove your logo, please open an issue, and we will remove it.
+
+## Shoutout
+
+A shoutout goes to D3JS for providing such a great library to visualize and interact with data. I stand on the shoulders of giants with this tooling. Also, thanks go to the people from vue.js, who just provide a great JavaScript framework.
+
+Special thanks to [Mike Bostock](https://observablehq.com/@d3/zoomable-circle-packing?intent=fork) for sharing their examples and snippets used under the [ISC License](https://choosealicense.com/licenses/isc/) to provide the different views in the landscape.
+
+<details><summary>ISC License</summary>
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+</details>

SBOM-Catalog/index.html

@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>SBOM Landscape</title>
+  </head>
+  <body>
+    <div id="app"></div>
+    <script type="module" src="/src/main.ts"></script>
+  </body>
+</html>