go post build sbom (#924)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

Author: prabhu

.github/workflows/repotests.yml

@@ -353,6 +353,16 @@ jobs:
           curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai-osx-arm64
           cd ..
           bin/cdxgen.js -p -t dotnet --lifecycle post-build -o bomresults/bom-binary.json bintests
+          mkdir -p gobintests
+          cd gobintests
+          curl -LO https://github.com/anchore/syft/releases/download/v1.0.1/syft_1.0.1_linux_arm64.tar.gz
+          tar -xvf syft_1.0.1_linux_arm64.tar.gz
+          rm syft_1.0.1_linux_arm64.tar.gz
+          curl -LO https://github.com/containerd/containerd/releases/download/v2.0.0-rc.0/containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
+          tar -xvf containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
+          rm containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
+          cd ..
+          bin/cdxgen.js -p -t go --lifecycle post-build -o bomresults/bom-go-binary.json gobintests
         shell: bash
       - name: repotests 1.4
         run: |

bin/cdxgen.js

@@ -348,11 +348,13 @@ const applyAdvancedOptions = (options) => {
           "oci",
           "android",
           "apk",
-          "aab"
+          "aab",
+          "go",
+          "golang"
         ].includes(options.projectType)
       ) {
         console.log(
-          "PREVIEW: post-build lifecycle SBOM generation is supported only for android and dotnet projects. Please specify the type using the -t argument."
+          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, and go projects. Please specify the type using the -t argument."
         );
         process.exit(1);
       }

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.2.3",
+  "version": "10.2.4",
   "exports": "./index.js",
   "compilerOptions": {
     "allowJs": true,
@@ -38,10 +38,10 @@
     "exe": "deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net --output build/cdxgenx-devel bin/cdxgen.js"
   },
   "imports": {
-    "@appthreat/atom": "npm:@appthreat/atom@2.0.8",
+    "@appthreat/atom": "npm:@appthreat/atom@2.0.9",
     "@appthreat/cdx-proto": "npm:@appthreat/cdx-proto@^0.0.4",
-    "@babel/parser": "npm:@babel/parser@^7.24.0",
-    "@babel/traverse": "npm:@babel/traverse@^7.24.0",
+    "@babel/parser": "npm:@babel/parser@^7.24.1",
+    "@babel/traverse": "npm:@babel/traverse@^7.24.1",
     "@npmcli/arborist": "npm:@npmcli/arborist@7.4.0",
     "ajv": "npm:ajv@^8.12.0",
     "ajv-formats": "npm:ajv-formats@^2.1.1",

docs/ADVANCED.md

@@ -342,7 +342,7 @@ With profiles, cdxgen can generate a BOM that is optimized for a specific use ca
 
 ## BOM lifecycles
 
-By default, cdxgen attempts to generate a BOM for the `build` lifecycle [phase](https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_lifecycles_items_oneOf_i0) for applications and `post-build` phase for container images. Using the argument, `--no-install-deps` it is possible to generate `pre-build` BOM for certain languages and ecosystems (Eg: Python) by disabling the package installation feature. Or explicitly pass `--lifecycle post-build` to generate an SBOM for android and dotnet binaries.
+By default, cdxgen attempts to generate a BOM for the `build` lifecycle [phase](https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_lifecycles_items_oneOf_i0) for applications and `post-build` phase for container images. Using the argument, `--no-install-deps` it is possible to generate `pre-build` BOM for certain languages and ecosystems (Eg: Python) by disabling the package installation feature. Or explicitly pass `--lifecycle post-build` to generate an SBOM for android, dotnet, and go binaries.
 
 Example:
 
@@ -354,6 +354,10 @@ cdxgen -t android --lifecycle post-build -o bom.json <path to apks>
 cdxgen -t dotnet --lifecycle post-build -o bom.json <path to dotnet binaries>
 ```
 
+```shell
+cdxgen -t go --lifecycle post-build -o bom.json <path to go binaries>
+```
+
 ## Nydus - next-generation container image
 
 [Nydus](https://github.com/dragonflyoss/nydus) enhances the current OCI image specification by improving container launch speed, image space and network bandwidth efficiency, and data integrity. cdxgen container images are available in nydus format with the `-nydus` suffix.

jsr.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.2.3",
+  "version": "10.2.4",
   "exports": "./index.js",
   "include": ["*.js", "bin/**", "data/**", "types/**"],
   "exclude": ["test/", "docs/", "contrib/", "ci/", "tools_config/"]

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.2.3",
+  "version": "10.2.4",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -57,8 +57,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.24.0",
-    "@babel/traverse": "^7.24.0",
+    "@babel/parser": "^7.24.1",
+    "@babel/traverse": "^7.24.1",
     "@npmcli/arborist": "7.4.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
@@ -84,7 +84,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.0.8",
+    "@appthreat/atom": "2.0.9",
     "@appthreat/cdx-proto": "^0.0.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.8",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.8",