npm - @cyclonedx/cdxgen - Versions diffs - 12.0.0 → 12.1.0-beta.1 - Mend

@cyclonedx/cdxgen 12.0.0 → 12.1.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/README.md CHANGED Viewed

@@ -10,7 +10,7 @@
 <img src="./docs/_media/cdxgen.png" width="200" height="auto" />
-cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
+cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.7.
 Supported BOM formats:
@@ -51,6 +51,7 @@ Sections include:
 ## Usage
 ## For Contributors / Developers
 ```shell
 pnpm install
 pnpm dlx cdxgen
@@ -122,10 +123,10 @@ Commands:
 Options:
   -o, --output                    Output file. Default bom.json                                    [default: "bom.json"]
-  -t, --type                      Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for s
-                                  upported languages/platforms.                                                  [array]
-      --exclude-type              Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT
-                                  _TYPES for supported languages/platforms.
+  -t, --type                      Project type. Please refer to https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES for supp
+                                  orted languages/platforms.                                                     [array]
+      --exclude-type              Project types to exclude. Please refer to https://cdxgen.github.io/cdxgen/#/PROJECT_TY
+                                  PES for supported languages/platforms.
   -r, --recurse                   Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable.
                                                                                                [boolean] [default: true]
   -p, --print                     Print the SBOM as a table with tree.                                         [boolean]
@@ -138,6 +139,7 @@ Options:
       --project-group             Dependency track project group
       --project-name              Dependency track project name. Default use the directory name
       --project-version           Dependency track project version                                [string] [default: ""]
+      --project-tag               Dependency track project tag. Multiple values allowed.                         [array]
       --project-id                Dependency track project id. Either provide the id or the project name and version tog
                                   ether                                                                         [string]
       --parent-project-id         Dependency track parent project id                                            [string]
@@ -297,7 +299,7 @@ curl -H "Content-Type: application/json" http://localhost:9090/sbom -XPOST -d $'
 ### Docker compose
 ```shell
-git clone https://github.com/cyclonedx/cdxgen.git
+git clone https://github.com/cdxgen/cdxgen.git
 docker compose up
 ```
@@ -345,27 +347,23 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Ruby (Gemfile.lock)
 - Rust (Cargo.lock)
 ## Plugins
 cdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.
 ```shell
-sudo npm install -g @cyclonedx/cdxgen-plugins-bin
+sudo npm install -g @cdxgen/cdxgen-plugins-bin
 ```
 ## Plugins (pnpm)
 `cdxgen` can be extended with external binary plugins to support more SBOM use cases.
 These are now installed as optional dependencies and can be used without a global install.
 ```shell
-pnpm dlx @cyclonedx/cdxgen-plugins-bin
+pnpm dlx @cdxgen/cdxgen-plugins-bin
 ```
 ## Docker / OCI container support
 `docker` type is automatically detected based on the presence of values such as `sha256` or `docker.io` prefix etc in the path.
@@ -411,7 +409,7 @@ obom
 # cdxgen -t os
 ```
-This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
+This feature is powered by osquery, which is [installed](https://github.com/cdxgen/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
 ## Generate Cryptography Bill of Materials (CBOM)
@@ -447,7 +445,6 @@ npm install -g @cyclonedx/cdxgen
 cdx-verify -i bom.json --public-key public.key
 ```
 ### Verifying the signature (pnpm)
 Use the bundled `cdx-verify` command, which supports verifying a single signature added at the BOM level.
@@ -458,7 +455,6 @@ You can run it directly using pnpm (no global install needed):
 pnpm dlx @cyclonedx/cdxgen cdx-verify -i bom.json --public-key public.key
 ```
 ### Custom verification tool (Node.js example)
 There are many [libraries][jwt-libraries] available to validate JSON Web Tokens. Below is a javascript example.
@@ -566,11 +562,10 @@ Use `pnpm add -g` command to quickly test the main branch.
 ```shell
 corepack pnpm bin -g
 corepack pnpm setup
-corepack pnpm add -g --allow-build @appthreat/sqlite3 https://github.com/CycloneDX/cdxgen
+corepack pnpm add -g --allow-build @appthreat/sqlite3 https://github.com/cdxgen/cdxgen
 cdxgen --help
 ```
 ### Testing main branch (No Global Install)
 To quickly test the latest main branch without installing globally, you can use `pnpm` in a local or temporary environment.
@@ -581,15 +576,18 @@ pnpm install --prefer-offline
 pnpm dlx cdxgen --help
 ```
 ## Sponsors
 <div style="display: flex; align-items: center; gap: 20px;">
-  <img src="./docs/_media/LevoLogo-LightBg.jpg" width="200" height="auto">
-  <img src="./docs/_media/GithubLogo-LightBg.png" width="170" height="auto">
-  <img src="./docs/_media/MicrosoftLogo.png" width="180" height="auto">
+  <img src="./docs/_media/GithubLogo-LightBg.png" width="180" height="180">
+  <img src="./docs/_media/MicrosoftLogo.png" width="180" height="180">
 </div>
+Some features are funded through [NGI Zero Core](https://nlnet.nl/core), a fund established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program. Learn more at the [NLnet project page](https://nlnet.nl/project/OWASP-dep-scan).
+[<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" />](https://nlnet.nl)
+[<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/core)
 <!-- LINK LABELS -->
 <!-- Badges -->
@@ -599,26 +597,26 @@ pnpm dlx cdxgen --help
 [badge-jsr]: https://img.shields.io/jsr/v/%40cyclonedx/cdxgen
 [badge-npm]: https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen
 [badge-npm-downloads]: https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen
-[badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/
+[badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/cdxgen/cdxgen/
 <!-- cdxgen github project -->
-[github-contribute]: https://github.com/CycloneDX/cdxgen/contribute
-[github-contributors]: https://github.com/CycloneDX/cdxgen/graphs/contributors
-[github-issues]: https://github.com/CycloneDX/cdxgen/issues
-[github-license]: https://github.com/cyclonedx/cdxgen/blob/master/LICENSE
-[github-releases]: https://github.com/CycloneDX/cdxgen/releases
+[github-contribute]: https://github.com/cdxgen/cdxgen/contribute
+[github-contributors]: https://github.com/cdxgen/cdxgen/graphs/contributors
+[github-issues]: https://github.com/cdxgen/cdxgen/issues
+[github-license]: https://github.com/cdxgen/cdxgen/blob/master/LICENSE
+[github-releases]: https://github.com/cdxgen/cdxgen/releases
 <!-- cdxgen documentation site -->
-[docs-homepage]: https://cyclonedx.github.io/cdxgen
-[docs-advanced-usage]: https://cyclonedx.github.io/cdxgen/#/ADVANCED
-[docs-cli]: https://cyclonedx.github.io/cdxgen/#/CLI
-[docs-env-vars]: https://cyclonedx.github.io/cdxgen/#/ENV
-[docs-permissions]: https://cyclonedx.github.io/cdxgen/#/PERMISSIONS
-[docs-project-types]: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES
-[docs-server]: https://cyclonedx.github.io/cdxgen/#/SERVER
-[docs-support]: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES
+[docs-homepage]: https://cdxgen.github.io/cdxgen
+[docs-advanced-usage]: https://cdxgen.github.io/cdxgen/#/ADVANCED
+[docs-cli]: https://cdxgen.github.io/cdxgen/#/CLI
+[docs-env-vars]: https://cdxgen.github.io/cdxgen/#/ENV
+[docs-permissions]: https://cdxgen.github.io/cdxgen/#/PERMISSIONS
+[docs-project-types]: https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES
+[docs-server]: https://cdxgen.github.io/cdxgen/#/SERVER
+[docs-support]: https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES
 <!-- web links-->
@@ -637,5 +635,5 @@ pnpm dlx cdxgen --help
 [npmjs-cdxgen]: https://www.npmjs.com/package/@cyclonedx/cdxgen
 [podman-github-rootless]: https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md
 [podman-github-remote]: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md
-[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen
+[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/cdxgen/cdxgen
 [cdxgen-gpt]: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cyclonedx-generator-cdxgen

package/bin/cdxgen.js CHANGED Viewed

@@ -85,11 +85,11 @@ const args = _yargs
   .option("type", {
     alias: "t",
     description:
-      "Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
+      "Project type. Please refer to https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
   })
   .option("exclude-type", {
     description:
-      "Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
+      "Project types to exclude. Please refer to https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
   })
   .option("recurse", {
     alias: "r",
@@ -136,6 +136,9 @@ const args = _yargs
     default: "",
     type: "string",
   })
+  .option("project-tag", {
+    description: "Dependency track project tag. Multiple values allowed.",
+  })
   .option("project-id", {
     description:
       "Dependency track project id. Either provide the id or the project name and version together",
@@ -378,7 +381,7 @@ const args = _yargs
     ],
     ["$0 --server", "Run cdxgen as a server"],
   ])
-  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .config(config)
   .scriptName("cdxgen")
   .version(retrieveCdxgenVersion())
@@ -592,8 +595,6 @@ const applyAdvancedOptions = (options) => {
     case "post-build":
       if (
         !options.projectType ||
-        (Array.isArray(options.projectType) &&
-          options.projectType.length > 1) ||
         ![
           "csharp",
           "dotnet",
@@ -609,6 +610,7 @@ const applyAdvancedOptions = (options) => {
           "rust",
           "rust-lang",
           "cargo",
+          "caxa",
         ].includes(options.projectType[0])
       ) {
         console.log(

package/bin/dependencies.js CHANGED Viewed

@@ -17,6 +17,15 @@ const missingPnpmOverrides = [];
 const obsoleteNpmOverrides = [];
 const obsoletePnpmOverrides = [];
+for (const _package in pkgJson.dependencies) {
+  checkOverride(_package, pkgJson.dependencies[_package]);
+}
+for (const _package in pkgJson.devDependencies) {
+  checkOverride(_package, pkgJson.devDependencies[_package]);
+}
+for (const _package in pkgJson.optionalDependencies) {
+  checkOverride(_package, pkgJson.optionalDependencies[_package]);
+}
 for (const _package in pnpmLockYaml.snapshots) {
   const indexOfSeparator = _package.split("(")[0].lastIndexOf("@");
   const packageName = _package.substring(0, indexOfSeparator);

package/bin/evinse.js CHANGED Viewed

@@ -128,7 +128,7 @@ const args = yargs(hideBin(process.argv))
     ],
   ])
   .completion("completion", "Generate bash/zsh completion")
-  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .scriptName("evinse")
   .version()
   .help("h")

package/bin/repl.js CHANGED Viewed

@@ -23,6 +23,7 @@ import {
 import { readBinary } from "../lib/helpers/protobom.js";
 import { getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
+import { getBomWithOras } from "../lib/managers/oci.js";
 const options = {
   useColors: true,
@@ -86,6 +87,22 @@ export const importSbom = (sbomOrPath) => {
   ) {
     sbom = readBinary(sbomOrPath, true);
     printSummary(sbom);
+  } else if (
+    sbomOrPath.startsWith("ghcr.io") ||
+    sbomOrPath.startsWith("docker.io")
+  ) {
+    try {
+      sbom = getBomWithOras(sbomOrPath);
+      if (sbom) {
+        printSummary(sbom);
+      } else {
+        console.log(
+          `cyclonedx sbom attachment was not found within ${sbomOrPath}`,
+        );
+      }
+    } catch (e) {
+      console.log(`⚠ Unable to import the BOM from ${sbomOrPath} due to ${e}`);
+    }
   } else {
     console.log(`⚠ ${sbomOrPath} is invalid.`);
   }
@@ -574,7 +591,185 @@ cdxgenRepl.defineCommand("osinfocategories", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("licenses", {
+  help: "visualize license distribution",
+  async action() {
+    if (!sbom || !sbom.components) {
+      console.log("⚠ No SBOM loaded.");
+      this.displayPrompt();
+      return;
+    }
+    const licenseCounts = {};
+    let unknown = 0;
+    sbom.components.forEach((c) => {
+      if (c.licenses && c.licenses.length > 0) {
+        c.licenses.forEach((l) => {
+          const name = l.license?.id || l.license?.name || "Unknown";
+          licenseCounts[name] = (licenseCounts[name] || 0) + 1;
+        });
+      } else {
+        unknown++;
+      }
+    });
+    if (unknown > 0) licenseCounts["None/Unknown"] = unknown;
+    const sorted = Object.entries(licenseCounts).sort((a, b) => b[1] - a[1]);
+    const maxVal = sorted[0][1];
+    const maxBarLength = 40;
+    console.log("\n📊 License Distribution:\n");
+    sorted.forEach(([license, count]) => {
+      const barLen = Math.ceil((count / maxVal) * maxBarLength);
+      const bar = "█".repeat(barLen);
+      let icon = "✅";
+      if (["GPL", "AGPL"].some((r) => license.includes(r))) icon = "⚖️ ";
+      if (license === "None/Unknown") icon = "❓";
+      console.log(`${icon} ${license.padEnd(60)} | ${bar} (${count})`);
+    });
+    console.log("");
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("inspect", {
+  help: "view full JSON details of a component: .inspect <name_search_string>",
+  async action(nameStr) {
+    if (sbom?.components) {
+      const found = sbom.components.find(
+        (c) =>
+          c.name.toLowerCase().includes(nameStr.toLowerCase()) ||
+          c.purl?.includes(nameStr),
+      );
+      if (found) {
+        console.log(JSON.stringify(found, null, 2));
+      } else {
+        console.log("❌ Component not found.");
+      }
+    }
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("tagcloud", {
+  help: "generate a text/tag cloud based on component descriptions and tags",
+  action() {
+    if (!sbom || !sbom.components) {
+      console.log("⚠ No SBOM loaded.");
+      this.displayPrompt();
+      return;
+    }
+    const stopWords = new Set([
+      "the",
+      "and",
+      "for",
+      "with",
+      "that",
+      "this",
+      "from",
+      "are",
+      "can",
+      "use",
+      "library",
+      "framework",
+      "package",
+      "component",
+      "module",
+      "application",
+      "software",
+      "tool",
+      "version",
+      "implementation",
+      "support",
+      "based",
+      "provided",
+      "provides",
+      "using",
+      "api",
+      "interface",
+      "data",
+      "system",
+      "http",
+      "https",
+      "com",
+      "org",
+      "net",
+      "git",
+      "source",
+      "code",
+      "file",
+      "project",
+      "open",
+      "free",
+      "web",
+      "runtime",
+      "client",
+      "server",
+      "utils",
+    ]);
+    const wordCounts = new Map();
+    const addWord = (w) => {
+      if (!w) return;
+      const clean = w.toLowerCase().replace(/[^a-z0-9-]/g, "");
+      if (clean.length > 2 && !stopWords.has(clean) && Number.isNaN(clean)) {
+        wordCounts.set(clean, (wordCounts.get(clean) || 0) + 1);
+      }
+    };
+    sbom.components.forEach((c) => {
+      if (c.tags) {
+        c.tags.forEach((t) => {
+          addWord(t);
+          addWord(t);
+        });
+      }
+      if (c.description) {
+        c.description.split(/\s+/).forEach(addWord);
+      }
+      if (c.group) {
+        addWord(c.group);
+      }
+    });
+    if (wordCounts.size === 0) {
+      console.log("⚠ Not enough text data found in Description or Tags.");
+      this.displayPrompt();
+      return;
+    }
+    let sortedWords = Array.from(wordCounts.entries()).sort(
+      (a, b) => b[1] - a[1],
+    );
+    sortedWords = sortedWords.slice(0, 100);
+    const maxCount = sortedWords[0][1];
+    const minCount = sortedWords[sortedWords.length - 1][1];
+    const styles = {
+      tier1: (str) => `\x1b[1;35m${str.toUpperCase()}\x1b[0m`,
+      tier2: (str) => `\x1b[1;36m${str}\x1b[0m`,
+      tier3: (str) => `\x1b[32m${str}\x1b[0m`,
+      tier4: (str) => `\x1b[2m${str}\x1b[0m`,
+    };
+    const cloudNodes = sortedWords.map(([word, count]) => {
+      const score = (count - minCount) / (maxCount - minCount || 1);
+      let styledWord = "";
+      if (score > 0.7) styledWord = styles.tier1(word);
+      else if (score > 0.4) styledWord = styles.tier2(word);
+      else if (score > 0.1) styledWord = styles.tier3(word);
+      else styledWord = styles.tier4(word);
+      return styledWord;
+    });
+    for (let i = cloudNodes.length - 1; i > 0; i--) {
+      const j = Math.floor(Math.random() * (i + 1));
+      [cloudNodes[i], cloudNodes[j]] = [cloudNodes[j], cloudNodes[i]];
+    }
+    console.log("\n☁️  Word Cloud\n");
+    const terminalWidth = process.stdout.columns || 80;
+    let currentLine = "";
+    cloudNodes.forEach((node) => {
+      const visualLength = node.replace(/[[0-9;]*m/g, "").length + 1;
+      if (currentLine.length + visualLength > terminalWidth) {
+        console.log(currentLine);
+        currentLine = "";
+      }
+      currentLine += `${node} `;
+    });
+    console.log(currentLine);
+    console.log("\n");
+    this.displayPrompt();
+  },
+});
 // Let's dynamically define more commands from the queries
 [
   "apt_sources",

package/bin/verify.js CHANGED Viewed

@@ -8,7 +8,11 @@ import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
-import { dirNameStr, retrieveCdxgenVersion } from "../lib/helpers/utils.js";
+import {
+  dirNameStr,
+  retrieveCdxgenVersion,
+  safeExistsSync,
+} from "../lib/helpers/utils.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
 const dirName = dirNameStr;
@@ -29,7 +33,7 @@ const args = _yargs
     description: "Public key in PEM format. Default public.key",
   })
   .completion("completion", "Generate bash/zsh completion")
-  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .scriptName("cdx-verify")
   .version(retrieveCdxgenVersion())
   .help(false)
@@ -74,12 +78,15 @@ function getBom(args) {
   }
   return undefined;
 }
 const bomJson = getBom(args);
 if (!bomJson) {
   console.log(`${args.input} is invalid!`);
   process.exit(1);
 }
+if (bomJson && !safeExistsSync(args.publicKey)) {
+  console.log("Public key for signature verification is missing!");
+  process.exit(1);
+}
 let hasInvalidComp = false;
 // Validate any component signature
 for (const comp of bomJson.components) {

package/data/README.md CHANGED Viewed

@@ -2,26 +2,26 @@
 Contents of data directory and their purpose.
-| Filename              | Purpose                                                                                                  |
-| --------------------- |----------------------------------------------------------------------------------------------------------|
-| bom-1.4.schema.json   | CycloneDX 1.4 jsonschema for validation                                                                  |
-| bom-1.5.schema.json   | CycloneDX 1.5 jsonschema for validation                                                                  |
-| cosdb-queries.json    | osquery useful for identifying OS packages for C                                                         |
-| cbomosdb-queries.json | osquery for identifying ssl packages in OS                                                               |
-| jsf-0.82.schema.json  | jsonschema for validation                                                                                |
-| known-licenses.json   | Hard coded list to correct any license id. Not maintained.                                               |
-| lic-mapping.json      | Hard coded list to match a license id based on name                                                      |
-| pypi-pkg-aliases.json | Hard coded list to match a pypi package name from module name                                            |
-| python-stdlib.json    | Standard libraries that can be filtered out in python                                                    |
-| queries-win.json      | osquery used to generate obom for windows                                                                |
-| queries.json          | osquery used to generate obom for linux                                                                  |
-| queries-darwin.json   | osquery used to generate obom for darwin                                                                 |
-| spdx-licenses.json    | valid spdx id                                                                                            |
-| spdx.schema.json      | jsonschema for validation                                                                                |
-| vendor-alias.json     | List to correct the group names. Used while parsing .jar files                                           |
-| wrapdb-releases.json  | Database of all available meson wraps. Generated using contrib/wrapdb.py.                                |
-| frameworks-list.json  | List of string fragments to categorize components into frameworks                                        |
-| crypto-oid.json       | Peter Gutmann's crypto oid [mapping](https://www.cs.auckland.ac.nz/~pgut001). GPL, BSD, or CC BY license |
-| glibc-stdlib.json     | Standard libraries that can be filtered out in C++                                                       |
-| component-tags.json   | List of tags to extract from component description text for easy classification.                         |
-| ruby-known-modules.json | Module names for certain known gems. Example: rails                                                    |
+| Filename                | Purpose                                                                                                  |
+| ----------------------- | -------------------------------------------------------------------------------------------------------- |
+| bom-1.4.schema.json     | CycloneDX 1.4 jsonschema for validation                                                                  |
+| bom-1.5.schema.json     | CycloneDX 1.5 jsonschema for validation                                                                  |
+| cosdb-queries.json      | osquery useful for identifying OS packages for C                                                         |
+| cbomosdb-queries.json   | osquery for identifying ssl packages in OS                                                               |
+| jsf-0.82.schema.json    | jsonschema for validation                                                                                |
+| known-licenses.json     | Hard coded list to correct any license id. Not maintained.                                               |
+| lic-mapping.json        | Hard coded list to match a license id based on name                                                      |
+| pypi-pkg-aliases.json   | Hard coded list to match a pypi package name from module name                                            |
+| python-stdlib.json      | Standard libraries that can be filtered out in python                                                    |
+| queries-win.json        | osquery used to generate obom for windows                                                                |
+| queries.json            | osquery used to generate obom for linux                                                                  |
+| queries-darwin.json     | osquery used to generate obom for darwin                                                                 |
+| spdx-licenses.json      | valid spdx id                                                                                            |
+| spdx.schema.json        | jsonschema for validation                                                                                |
+| vendor-alias.json       | List to correct the group names. Used while parsing .jar files                                           |
+| wrapdb-releases.json    | Database of all available meson wraps. Generated using contrib/wrapdb.py.                                |
+| frameworks-list.json    | List of string fragments to categorize components into frameworks                                        |
+| crypto-oid.json         | Peter Gutmann's crypto oid [mapping](https://www.cs.auckland.ac.nz/~pgut001). GPL, BSD, or CC BY license |
+| glibc-stdlib.json       | Standard libraries that can be filtered out in C++                                                       |
+| component-tags.json     | List of tags to extract from component description text for easy classification.                         |
+| ruby-known-modules.json | Module names for certain known gems. Example: rails                                                      |