update readme (#24)
Signed-off-by: Nicklas Körtge <[email protected]>
n1ckl0sk0rtge authored Sep 20, 2024
1 parent 822d5f4 commit 4243a05
Showing 2 changed files with 13 additions and 10 deletions.
2 changes: 1 addition & 1 deletion Makefile
@@ -27,7 +27,7 @@ dev-frontend:
# run the prod setup using docker compose
production:
env CBOMKIT_VERSION=${VERSION} CBOMKIT_VIEWER=false POSTGRESQL_AUTH_USERNAME=cbomkit POSTGRESQL_AUTH_PASSWORD=cbomkit docker-compose --profile prod up
viewer:
coeus:
env CBOMKIT_VERSION=${VERSION} CBOMKIT_VIEWER=true docker-compose --profile viewer up
ext-compliance:
env CBOMKIT_VERSION=${VERSION} CBOMKIT_VIEWER=false POSTGRESQL_AUTH_USERNAME=cbomkit POSTGRESQL_AUTH_PASSWORD=cbomkit docker-compose --profile ext-compliance up
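Review bot: the `viewer` target is renamed to `coeus`, but the command it runs still passes `--profile viewer` and still sets `CBOMKIT_VIEWER=true`, so the name of the make target no longer matches the compose profile and environment variable it drives. Either rename the profile in the compose file in the same change, or add a comment above `coeus:` stating that it starts the `viewer` compose profile, so that someone grepping for `coeus` in the compose configuration does not conclude it is missing. Separately, the `production` and `ext-compliance` targets in the surrounding context hard-code `POSTGRESQL_AUTH_PASSWORD=cbomkit`; a note in the README that this default must be overridden outside local development would be worth adding while the README is being touched.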
21 changes: 12 additions & 9 deletions README.md
@@ -1,8 +1,11 @@
# CBOMkit - the essentials for CBOMs

[![License](https://img.shields.io/github/license/IBM/cbomkit.svg?)](https://opensource.org/licenses/Apache-2.0) <!--- long-description-skip-begin -->
[![Current Release](https://img.shields.io/github/release/IBM/cbomkit.svg?logo=IBM)](https://github.com/IBM/cbomkit/releases)

CBOMkit is a toolset for dealing with Cryptography Bill of Materials (CBOM). CBOMkit includes a
- **CBOM Generation**: Generate CBOMs from source code by scanning git repositories to find the used cryptography.
- **CBOM Viewer**: Visualize a generated or uploaded CBOM and access comprehensive statistics.
- **CBOM Generation** ([CBOMkit-hyperion](https://github.com/IBM/sonar-cryptography), [CBOMkit-theia](https://github.com/IBM/cbomkit-theia)): Generate CBOMs from source code by scanning git repositories to find the used cryptography.
- **CBOM Viewer (aka CBOMkit-coeus)**: Visualize a generated or uploaded CBOM and access comprehensive statistics.
- **CBOM Compliance Check**: Evaluate CBOMs created or uploaded against specified compliance policies and receive detailed compliance status reports.
- **CBOM Database**: Collect and store CBOMs into the database and expose this data through a RESTful API.

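Review bot: the CBOM Generation bullet now links to CBOMkit-theia in addition to CBOMkit-hyperion, but nothing in the README explains what theia contributes or how it differs from hyperion; the "Scanning and CBOM Generation" section further down still describes only the Sonar Cryptography Plugin. A one-line description of CBOMkit-theia, or a reference to it in that section, would keep the two places consistent. Minor: the lead-in "CBOMkit includes a" followed by a bullet list is carried over unchanged and reads oddly; "CBOMkit includes:" would be cleaner.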
@@ -37,21 +40,21 @@ helm install cbomkit

The CBOMkit consists of three integral components: a web frontend, an API server, and a database.

### Frontend and CBOM Viewer
### Frontend and CBOMkit-coeus

The web frontend serves as an intuitive user interface for interacting with the API server. It offers a range of functionalities, including:
- Browsing the inventory of existing Cryptographic Bills of Materials (CBOMs)
- Initiating new scans to generate CBOMs
- Uploading existing CBOMs for visualization and analysis

#### CBOM Viewer
#### CBOMkit-coeus

For enhanced flexibility, the frontend component can be deployed as a standalone version, known as the CBOM Viewer.
For enhanced flexibility, the frontend component can be deployed as a standalone version, known as the CBOMkit-coeus.
This option allows for streamlined visualization and compliance analysis independent of the full CBOMkit suite.

```shell
# use this command if you want to run only the CBOM Viewer
make viewer
# use this command if you want to run only the CBOMkit-coeus
make coeus
```

### API Server
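Review bot: "known as the CBOMkit-coeus" keeps the article that fit "the CBOM Viewer" but does not fit a product name; "known as CBOMkit-coeus" reads better, and the same applies to the heading "Frontend and CBOMkit-coeus" pairing with the "#### CBOMkit-coeus" subsection, which now says nothing that the heading does not. Consider also mentioning the old name once ("CBOMkit-coeus, formerly the CBOM Viewer") so that existing users and the unchanged `CBOMKIT_VIEWER` variable in the Makefile remain recognisable.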
@@ -98,15 +101,15 @@ Different deployment configurations utilize distinct sources for compliance verification.

| Deployment | How is the compliance check performed? |
|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `viewer` | A `quantum-safe` algorithm compliance check is natively implemented within the frontend. This integration allows for immediate, client-side assessment of basic quantum resistance criteria. |
| `coeus` | A `quantum-safe` algorithm compliance check is natively implemented within the frontend. This integration allows for immediate, client-side assessment of basic quantum resistance criteria. |
| `production` | In the standard deployment, a core compliance service is integrated into the backend service. This implementation enables the execution of compliance checks via the RESTful API, providing a scalable and centralized approach to cryptographic policy verification. |
| `ext-compliance` | In advanced deployment scenarios, compliance evaluation is delegated to a dedicated external service. This service can invoked by the API server as needed. This configuration maintains the standard user experience for both the frontend and API of the CBOMkit, mirroring the functionality of the `production` configuration while allowing for more sophisticated or specialized compliance checks to be performed externally. |

### Scanning and CBOM Generation

The CBOMkit leverages advanced scanning technology to identify cryptographic usage within source code and generate
Cryptography Bills of Materials (CBOMs). This scanning capability is provided by the
[Sonar Cryptography Plugin](https://github.com/IBM/sonar-cryptography), an open-source tool developed by IBM.
[CBOMkit-hyperion (Sonar Cryptography Plugin)](https://github.com/IBM/sonar-cryptography), an open-source tool developed by IBM.

#### Supported languages and libraries

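Review bot: the table row is renamed from `viewer` to `coeus`, which matches the new make target, but since the `ext-compliance` row in the unchanged context is being read in the same pass, the typo "This service can invoked by the API server" should be fixed to "This service can be invoked by the API server". The `coeus` row also states that the compliance check runs client-side in the frontend; it would help readers to add that this check is therefore advisory only and that the `production` and `ext-compliance` deployments are the ones that give a server-side, auditable result.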
