@cyclonedx/cdxgen 9.11.6 → 10.0.0

package/README.md

@@ -130,8 +130,7 @@ import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
 ```text
 $ cdxgen -h
 Options:
-  -o, --output                 Output file for bom.xml or bom.json. Default bom.
-                               json
+  -o, --output                 Output file. Default bom.json
   -t, --type                   Project type
   -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
                                 true. Pass --no-recurse to disable.
@@ -188,6 +187,8 @@ Options:
                                c.
   [choices: "appsec", "research", "operational", "threat-modeling", "license-com
                                        pliance", "generic"] [default: "generic"]
+      --include-formulation    Generate formulation section using git metadata.
+                                                      [boolean] [default: false]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]
@@ -383,7 +384,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | SBOM_SIGN_ALGORITHM          | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc                                       |
 | SBOM_SIGN_PRIVATE_KEY        | Private key to use for signing                                                                                                       |
 | SBOM_SIGN_PUBLIC_KEY         | Optional. Public key to include in the SBOM signature                                                                                |
-| CDX_MAVEN_PLUGIN             | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.10"                                                 |
+| CDX_MAVEN_PLUGIN             | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.11"                                                 |
 | CDX_MAVEN_GOAL               | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom                                 |
 | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true                                               |
 | ASTGEN_IGNORE_DIRS           | Comma separated list of directories to ignore while analyzing using babel. The environment variable is also used by atom and astgen. |
@@ -510,7 +511,7 @@ Permission to modify and redistribute is granted under the terms of the Apache 2
 
 ## Integration as library
 
-cdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js >= 16
+cdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js >= 20
 
 Minimal example:
 
@@ -522,7 +523,7 @@ See the [Deno Readme](./contrib/deno/README.md) for detailed instructions.
 
 ```javascript
 import { createBom, submitBom } from "@cyclonedx/cdxgen";
-// bomNSData would contain bomJson, bomXml
+// bomNSData would contain bomJson
 const bomNSData = await createBom(filePath, options);
 // Submission to dependency track server
 const dbody = await submitBom(args, bomNSData.bomJson);

package/analyzer.js

@@ -1,6 +1,7 @@
 import { parse } from "@babel/parser";
 import traverse from "@babel/traverse";
 import { join } from "node:path";
+import process from "node:process";
 import { readdirSync, lstatSync, readFileSync } from "node:fs";
 import { basename, resolve, isAbsolute, relative } from "node:path";
 

package/bin/cdxgen.js

@@ -7,7 +7,7 @@ import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import jws from "jws";
 import crypto from "node:crypto";
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, URL } from "node:url";
 import globalAgent from "global-agent";
 import process from "node:process";
 import {
@@ -56,7 +56,7 @@ const args = yargs(hideBin(process.argv))
   .env("CDXGEN")
   .option("output", {
     alias: "o",
-    description: "Output file for bom.xml or bom.json. Default bom.json",
+    description: "Output file. Default bom.json",
     default: "bom.json"
   })
   .option("evinse-output", {
@@ -231,6 +231,17 @@ const args = yargs(hideBin(process.argv))
     default: "bom.cdx",
     hidden: true
   })
+  .option("include-formulation", {
+    type: "boolean",
+    default: false,
+    description: "Generate formulation section using git metadata."
+  })
+  .option("include-crypto", {
+    type: "boolean",
+    default: false,
+    description: "Include crypto libraries found under formulation.",
+    hidden: true
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
@@ -295,7 +306,7 @@ const applyProfile = (options) => {
     case "research":
       options.deep = true;
       options.evidence = true;
-      process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE = true;
+      process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE = "true";
       process.env.ASTGEN_IGNORE_DIRS = "";
       process.env.ASTGEN_IGNORE_FILE_PATTERN = "";
       break;
@@ -305,7 +316,7 @@ const applyProfile = (options) => {
     case "threat-modeling": // unused
       break;
     case "license-compliance":
-      process.env.FETCH_LICENSE = true;
+      process.env.FETCH_LICENSE = "true";
       break;
     default:
       break;
@@ -382,162 +393,149 @@ const checkPermissions = (filePath) => {
     options.output &&
     (typeof options.output === "string" || options.output instanceof String)
   ) {
-    if (bomNSData.bomXmlFiles) {
-      console.log("BOM files produced:", bomNSData.bomXmlFiles);
-    } else {
-      const jsonFile = options.output.replace(".xml", ".json");
-      // Create bom json file
-      if (!options.output.endsWith(".xml") && bomNSData.bomJson) {
-        let jsonPayload = undefined;
-        if (
-          typeof bomNSData.bomJson === "string" ||
-          bomNSData.bomJson instanceof String
-        ) {
-          fs.writeFileSync(jsonFile, bomNSData.bomJson);
-          jsonPayload = bomNSData.bomJson;
-        } else {
-          jsonPayload = JSON.stringify(bomNSData.bomJson, null, 2);
-          fs.writeFileSync(jsonFile, jsonPayload);
+    const jsonFile = options.output;
+    // Create bom json file
+    if (bomNSData.bomJson) {
+      let jsonPayload = undefined;
+      if (
+        typeof bomNSData.bomJson === "string" ||
+        bomNSData.bomJson instanceof String
+      ) {
+        fs.writeFileSync(jsonFile, bomNSData.bomJson);
+        jsonPayload = bomNSData.bomJson;
+      } else {
+        jsonPayload = JSON.stringify(bomNSData.bomJson, null, 2);
+        fs.writeFileSync(jsonFile, jsonPayload);
+      }
+      if (
+        jsonPayload &&
+        (options.generateKeyAndSign ||
+          (process.env.SBOM_SIGN_ALGORITHM &&
+            process.env.SBOM_SIGN_ALGORITHM !== "none" &&
+            process.env.SBOM_SIGN_PRIVATE_KEY &&
+            fs.existsSync(process.env.SBOM_SIGN_PRIVATE_KEY)))
+      ) {
+        let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
+        if (alg.includes("none")) {
+          alg = "RS512";
         }
-        if (
-          jsonPayload &&
-          (options.generateKeyAndSign ||
-            (process.env.SBOM_SIGN_ALGORITHM &&
-              process.env.SBOM_SIGN_ALGORITHM !== "none" &&
-              process.env.SBOM_SIGN_PRIVATE_KEY &&
-              fs.existsSync(process.env.SBOM_SIGN_PRIVATE_KEY)))
-        ) {
-          let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
-          if (alg.includes("none")) {
-            alg = "RS512";
-          }
-          let privateKeyToUse = undefined;
-          let jwkPublicKey = undefined;
-          let publicKeyFile = undefined;
-          if (options.generateKeyAndSign) {
-            const jdirName = dirname(jsonFile);
-            publicKeyFile = join(jdirName, "public.key");
-            const privateKeyFile = join(jdirName, "private.key");
-            const { privateKey, publicKey } = crypto.generateKeyPairSync(
-              "rsa",
-              {
-                modulusLength: 4096,
-                publicKeyEncoding: {
-                  type: "spki",
-                  format: "pem"
-                },
-                privateKeyEncoding: {
-                  type: "pkcs8",
-                  format: "pem"
-                }
-              }
-            );
-            fs.writeFileSync(publicKeyFile, publicKey);
-            fs.writeFileSync(privateKeyFile, privateKey);
-            console.log(
-              "Created public/private key pairs for testing purposes",
-              publicKeyFile,
-              privateKeyFile
-            );
-            privateKeyToUse = privateKey;
+        let privateKeyToUse = undefined;
+        let jwkPublicKey = undefined;
+        let publicKeyFile = undefined;
+        if (options.generateKeyAndSign) {
+          const jdirName = dirname(jsonFile);
+          publicKeyFile = join(jdirName, "public.key");
+          const privateKeyFile = join(jdirName, "private.key");
+          const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
+            modulusLength: 4096,
+            publicKeyEncoding: {
+              type: "spki",
+              format: "pem"
+            },
+            privateKeyEncoding: {
+              type: "pkcs8",
+              format: "pem"
+            }
+          });
+          fs.writeFileSync(publicKeyFile, publicKey);
+          fs.writeFileSync(privateKeyFile, privateKey);
+          console.log(
+            "Created public/private key pairs for testing purposes",
+            publicKeyFile,
+            privateKeyFile
+          );
+          privateKeyToUse = privateKey;
+          jwkPublicKey = crypto
+            .createPublicKey(publicKey)
+            .export({ format: "jwk" });
+        } else {
+          privateKeyToUse = fs.readFileSync(
+            process.env.SBOM_SIGN_PRIVATE_KEY,
+            "utf8"
+          );
+          if (
+            process.env.SBOM_SIGN_PUBLIC_KEY &&
+            fs.existsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
+          ) {
             jwkPublicKey = crypto
-              .createPublicKey(publicKey)
+              .createPublicKey(
+                fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8")
+              )
               .export({ format: "jwk" });
-          } else {
-            privateKeyToUse = fs.readFileSync(
-              process.env.SBOM_SIGN_PRIVATE_KEY,
-              "utf8"
-            );
-            if (
-              process.env.SBOM_SIGN_PUBLIC_KEY &&
-              fs.existsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
-            ) {
-              jwkPublicKey = crypto
-                .createPublicKey(
-                  fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8")
-                )
-                .export({ format: "jwk" });
-            }
           }
-          try {
-            // Sign the individual components
-            // Let's leave the services unsigned for now since it might require additional cleansing
-            const bomJsonUnsignedObj = JSON.parse(jsonPayload);
-            for (const comp of bomJsonUnsignedObj.components) {
-              const compSignature = jws.sign({
-                header: { alg },
-                payload: comp,
-                privateKey: privateKeyToUse
-              });
-              const compSignatureBlock = {
-                algorithm: alg,
-                value: compSignature
-              };
-              if (jwkPublicKey) {
-                compSignatureBlock.publicKey = jwkPublicKey;
-              }
-              comp.signature = compSignatureBlock;
-            }
-            const signature = jws.sign({
+        }
+        try {
+          // Sign the individual components
+          // Let's leave the services unsigned for now since it might require additional cleansing
+          const bomJsonUnsignedObj = JSON.parse(jsonPayload);
+          for (const comp of bomJsonUnsignedObj.components) {
+            const compSignature = jws.sign({
               header: { alg },
-              payload: JSON.stringify(bomJsonUnsignedObj, null, 2),
+              payload: comp,
               privateKey: privateKeyToUse
             });
-            if (signature) {
-              const signatureBlock = {
-                algorithm: alg,
-                value: signature
-              };
-              if (jwkPublicKey) {
-                signatureBlock.publicKey = jwkPublicKey;
-              }
-              bomJsonUnsignedObj.signature = signatureBlock;
-              fs.writeFileSync(
-                jsonFile,
-                JSON.stringify(bomJsonUnsignedObj, null, 2)
+            const compSignatureBlock = {
+              algorithm: alg,
+              value: compSignature
+            };
+            if (jwkPublicKey) {
+              compSignatureBlock.publicKey = jwkPublicKey;
+            }
+            comp.signature = compSignatureBlock;
+          }
+          const signature = jws.sign({
+            header: { alg },
+            payload: JSON.stringify(bomJsonUnsignedObj, null, 2),
+            privateKey: privateKeyToUse
+          });
+          if (signature) {
+            const signatureBlock = {
+              algorithm: alg,
+              value: signature
+            };
+            if (jwkPublicKey) {
+              signatureBlock.publicKey = jwkPublicKey;
+            }
+            bomJsonUnsignedObj.signature = signatureBlock;
+            fs.writeFileSync(
+              jsonFile,
+              JSON.stringify(bomJsonUnsignedObj, null, 2)
+            );
+            if (publicKeyFile) {
+              // Verifying this signature
+              const signatureVerification = jws.verify(
+                signature,
+                alg,
+                fs.readFileSync(publicKeyFile, "utf8")
               );
-              if (publicKeyFile) {
-                // Verifying this signature
-                const signatureVerification = jws.verify(
-                  signature,
-                  alg,
-                  fs.readFileSync(publicKeyFile, "utf8")
+              if (signatureVerification) {
+                console.log(
+                  "SBOM signature is verifiable with the public key and the algorithm",
+                  publicKeyFile,
+                  alg
+                );
+              } else {
+                console.log("SBOM signature verification was unsuccessful");
+                console.log(
+                  "Check if the public key was exported in PEM format"
                 );
-                if (signatureVerification) {
-                  console.log(
-                    "SBOM signature is verifiable with the public key and the algorithm",
-                    publicKeyFile,
-                    alg
-                  );
-                } else {
-                  console.log("SBOM signature verification was unsuccessful");
-                  console.log(
-                    "Check if the public key was exported in PEM format"
-                  );
-                }
               }
             }
-          } catch (ex) {
-            console.log("SBOM signing was unsuccessful", ex);
-            console.log("Check if the private key was exported in PEM format");
           }
+        } catch (ex) {
+          console.log("SBOM signing was unsuccessful", ex);
+          console.log("Check if the private key was exported in PEM format");
         }
       }
-      // Create bom xml file
-      if (options.output.endsWith(".xml") && bomNSData.bomXml) {
-        fs.writeFileSync(options.output, bomNSData.bomXml);
-      }
-      //
-      if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
-        const nsFile = jsonFile + ".map";
-        fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
-      }
+    }
+    // bom ns mapping
+    if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
+      const nsFile = jsonFile + ".map";
+      fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
     }
   } else if (!options.print) {
     if (bomNSData.bomJson) {
       console.log(JSON.stringify(bomNSData.bomJson, null, 2));
-    } else if (bomNSData.bomXml) {
-      console.log(Buffer.from(bomNSData.bomXml).toString());
     } else {
       console.log("Unable to produce BOM for", filePath);
       console.log("Try running the command with -t <type> or -r argument");

package/bin/repl.js

@@ -155,7 +155,7 @@ cdxgenRepl.defineCommand("search", {
             searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i]`;
           }
           const expression = jsonata(searchStr);
-          let components = await expression.evaluate(sbom);
+          const components = await expression.evaluate(sbom);
           if (!components) {
             console.log("No results found!");
           } else {
@@ -187,7 +187,7 @@ cdxgenRepl.defineCommand("sort", {
             sortStr = `components^(${sortStr})`;
           }
           const expression = jsonata(sortStr);
-          let components = await expression.evaluate(sbom);
+          const components = await expression.evaluate(sbom);
           if (!components) {
             console.log("No results found!");
           } else {
@@ -354,14 +354,14 @@ cdxgenRepl.defineCommand("occurrences", {
 });
 cdxgenRepl.defineCommand("discord", {
   help: "display the discord invite link for support",
-  async action() {
+  action() {
     console.log("Head to https://discord.gg/pF4BYWEJcS for support");
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("sponsor", {
   help: "display the sponsorship link to fund this project",
-  async action() {
+  action() {
     console.log(
       "Hey, thanks a lot for considering! https://github.com/sponsors/prabhu"
     );
@@ -434,7 +434,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
         const expression = jsonata(
           '$distinct(components.properties[name="cdx:osquery:category"].value)'
         );
-        let catgories = await expression.evaluate(sbom);
+        const catgories = await expression.evaluate(sbom);
         if (!catgories) {
           console.log(
             "Unable to retrieve the os info categories. Only OBOMs generated by cdxgen are supported by this tool."

package/bin/verify.js

@@ -5,7 +5,7 @@ import { hideBin } from "yargs/helpers";
 import fs from "node:fs";
 import jws from "jws";
 import process from "node:process";
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, URL } from "node:url";
 import { dirname, join } from "node:path";
 
 let url = import.meta.url;

package/binary.js

@@ -1,4 +1,6 @@
 import { platform as _platform, arch as _arch, tmpdir, homedir } from "node:os";
+import process from "node:process";
+import { Buffer } from "node:buffer";
 import {
   existsSync,
   mkdirSync,
@@ -11,7 +13,7 @@ import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
 import { DEBUG_MODE, TIMEOUT_MS, findLicenseId } from "./utils.js";
 
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, URL } from "node:url";
 
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
@@ -108,16 +110,18 @@ if (!CDXGEN_PLUGINS_DIR) {
       }
     }
   }
-  const globalPlugins = join(
-    globalNodePath,
-    "@cyclonedx",
-    "cdxgen-plugins-bin" + pluginsBinSuffix,
-    "plugins"
-  );
-  if (existsSync(globalPlugins)) {
-    CDXGEN_PLUGINS_DIR = globalPlugins;
-    if (DEBUG_MODE) {
-      console.log("Found global plugins", CDXGEN_PLUGINS_DIR);
+  if (globalNodePath) {
+    const globalPlugins = join(
+      globalNodePath,
+      "@cyclonedx",
+      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      "plugins"
+    );
+    if (existsSync(globalPlugins)) {
+      CDXGEN_PLUGINS_DIR = globalPlugins;
+      if (DEBUG_MODE) {
+        console.log("Found global plugins", CDXGEN_PLUGINS_DIR);
+      }
     }
   }
 }
@@ -398,7 +402,7 @@ export const getOSPackages = (src) => {
       }
       let distro_codename = osReleaseData["VERSION_CODENAME"] || "";
       let distro_id = osReleaseData["ID"] || "";
-      let distro_id_like = osReleaseData["ID_LIKE"] || "";
+      const distro_id_like = osReleaseData["ID_LIKE"] || "";
       let purl_type = "rpm";
       switch (distro_id) {
         case "debian":
@@ -464,6 +468,7 @@ export const getOSPackages = (src) => {
                   comp.group = group;
                   purlObj.namespace = group;
                 }
+                purlObj.qualifiers = purlObj.qualifiers || {};
                 if (distro_id && distro_id.length) {
                   purlObj.qualifiers["distro"] = distro_id;
                 }
@@ -647,6 +652,7 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
         const tmpPurl = PackageURL.fromString(d.replace("none", compPurl.type));
         tmpPurl.type = compPurl.type;
         tmpPurl.namespace = compPurl.namespace;
+        tmpPurl.qualifiers = tmpPurl.qualifiers || {};
         if (compPurl.qualifiers) {
           if (compPurl.qualifiers.distro_name) {
             tmpPurl.qualifiers.distro_name = compPurl.qualifiers.distro_name;
@@ -682,7 +688,7 @@ export const executeOsQuery = (query) => {
       timeout: 60 * 1000
     });
     if (result.status !== 0 || result.error) {
-      if (DEBUG_MODE && result.error) {
+      if (DEBUG_MODE && result.stderr) {
         console.error(result.stdout, result.stderr);
       }
     }

package/cbomutils.js

@@ -0,0 +1,39 @@
+import { readFileSync } from "node:fs";
+import { convertOSQueryResults, dirNameStr } from "./utils.js";
+import { executeOsQuery } from "./binary.js";
+import { join } from "node:path";
+const cbomosDbQueries = JSON.parse(
+  readFileSync(join(dirNameStr, "data", "cbomosdb-queries.json"), "utf-8")
+);
+
+/**
+ * Method to collect crypto and ssl libraries from the OS.
+ *
+ * @param {Object} options
+ * @returns osPkgsList Array of OS crypto packages
+ */
+export const collectOSCryptoLibs = (options) => {
+  let osPkgsList = [];
+  for (const queryCategory of Object.keys(cbomosDbQueries)) {
+    const queryObj = cbomosDbQueries[queryCategory];
+    const results = executeOsQuery(queryObj.query);
+    const dlist = convertOSQueryResults(
+      queryCategory,
+      queryObj,
+      results,
+      false
+    );
+    if (dlist && dlist.length) {
+      osPkgsList = osPkgsList.concat(dlist);
+      // Should we downgrade from cryptographic-asset to data for < 1.6 spec
+      if (options && options.specVersion && options.specVersion < 1.6) {
+        for (const apkg of osPkgsList) {
+          if (apkg.type === "cryptographic-asset") {
+            apkg.type = "data";
+          }
+        }
+      }
+    }
+  }
+  return osPkgsList;
+};

package/cbomutils.test.js

@@ -0,0 +1,8 @@
+import { expect, test } from "@jest/globals";
+
+import { collectOSCryptoLibs } from "./cbomutils.js";
+
+test("cbom utils tests", () => {
+  const cryptoLibs = collectOSCryptoLibs();
+  expect(cryptoLibs).toBeDefined();
+});

package/data/README.md

@@ -7,6 +7,7 @@ Contents of data directory and their purpose.
 | bom-1.4.schema.json   | CycloneDX 1.4 jsonschema for validation                                   |
 | bom-1.5.schema.json   | CycloneDX 1.5 jsonschema for validation                                   |
 | cosdb-queries.json    | osquery useful for identifying OS packages for C                          |
+| cbomosdb-queries.json | osquery for identifying ssl packages in OS                                |
 | jsf-0.82.schema.json  | jsonschema for validation                                                 |
 | known-licenses.json   | Hard coded list to correct any license id. Not maintained.                |
 | lic-mapping.json      | Hard coded list to match a license id based on name                       |

package/data/cbomosdb-queries.json

@@ -0,0 +1,68 @@
+{
+  "deb_packages": {
+    "query": "select * from deb_packages where name like '%ssl%' OR name like '%crypto%';",
+    "description": "Retrieves all the installed DEB packages in the target Linux system.",
+    "purlType": "deb",
+    "componentType": "library"
+  },
+  "portage_packages": {
+    "query": "select * from portage_packages where package like '%ssl%' OR package like '%crypto%';",
+    "description": "Retrieves all the installed packages on the target Linux system.",
+    "purlType": "ebuild",
+    "componentType": "library"
+  },
+  "rpm_packages": {
+    "query": "select * from rpm_packages where name like '%ssl%' OR name like '%crypto%';",
+    "description": "Retrieves all the installed RPM packages in the target Linux system.",
+    "purlType": "rpm",
+    "componentType": "library"
+  },
+  "python_packages": {
+    "query": "select * from python_packages where name like '%ssl%' OR name like '%crypto%';",
+    "description": "Python packages installed on system.",
+    "purlType": "pypi",
+    "componentType": "library"
+  },
+  "windows_programs": {
+    "query": "select * from programs where name like '%ssl%' OR name like '%crypto%';",
+    "description": "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "homebrew_packages": {
+    "query": "SELECT * FROM homebrew_packages where name like '%ssl%' OR name like '%crypto%';",
+    "description": "List all homebrew_packages.",
+    "purlType": "swid",
+    "componentType": "library"
+  },
+  "authorized_keys": {
+    "query": "SELECT * FROM authorized_keys;",
+    "description": "List of authorized keys.",
+    "purlType": "generic",
+    "componentType": "cryptographic-asset"
+  },
+  "certificates": {
+    "query": "SELECT * FROM certificates;",
+    "description": "List of certificates.",
+    "purlType": "generic",
+    "componentType": "cryptographic-asset"
+  },
+  "keychain_items": {
+    "query": "SELECT * FROM keychain_items;",
+    "description": "Generic details about keychain items.",
+    "purlType": "generic",
+    "componentType": "data"
+  },
+  "kernel_keys": {
+    "query": "SELECT * FROM kernel_keys;",
+    "description": "List of security data, authentication keys and encryption keys.",
+    "purlType": "generic",
+    "componentType": "cryptographic-asset"
+  },
+  "yum_sources": {
+    "query": "SELECT * FROM yum_sources;",
+    "description": "Current list of Yum repositories or software channels.",
+    "purlType": "generic",
+    "componentType": "data"
+  }
+}