Configuring CRA SBOM Generation
A Code Risk Analyzer (CRA) SBOM (Software Bill of Materials) is a structured inventory of all components, dependencies, and licenses in a software project, generated by the Code Risk Analyzer tool. The CRA SBOM follows the CycloneDX or SPDX standards to help ensure interoperability and accurate software supply chain visibility.
To learn more about SBOMs, see Software Bill of Materials.
For more information on CRA SBOM for IBM Enterprise users, see CRA SBOM overview.
Generate the CRA SBOM
CRA SBOM parameters
The pipeline environment properties that are listed in the following table are used to customize the CRA SBOM generation.
| Parameter name | Description |
|---|---|
| `cra-custom-script-path` | Path to a custom script that is run before CRA scanning. The script is sourced, which gives you the option to set environment variables in the context of the CRA BOM tool. |
| `cra-docker-build-context` | If this flag is set, Code Risk Analyzer uses the directory in the path parameter as the Docker build context. The default value is `false`. |
| `cra-docker-buildflags` | Customizes the `docker build` command for build-stage scanning. The default value is empty. |
| `cra-dockerfile-pattern` | Allows a Dockerfile with a different naming convention, such as `enterprise-linux.Dockerfile`. |
| `cra-gradle-exclude-configs` | Specifies which Gradle configurations to exclude from dependency scanning. Example: `runtimeClasspath,testCompileClasspath`. The default value is empty. |
| `cra-ibmcloud-api-key` | Overrides the `ibmcloud-api-key` that is used by the CRA tasks. |
| `cra-maven-exclude-scopes` | Specifies which Maven scopes to exclude from dependency scanning. Example: `test,compile`. The default value is empty. |
| `cra-nodejs-create-package-lock` | Enables Code Risk Analyzer discovery to build the `package-lock.json` file for Node.js repositories. The default value is `false`. |
Evidence and attachments
The DevSecOps pipeline uploads evidence to the locker and includes the evidence in the evidence summary for Change Requests.
| field | value |
|---|---|
| tool type | cra-bom |
| evidence type | com.ibm.code_bom_check |
| asset type | repo |
| attachments | <native gitsecure SBOM> |
| attachments | <cycloneDX package SBOM> |
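The CycloneDX package SBOM attachment is a JSON document, so once it is downloaded from the evidence locker it can be checked mechanically. The following added example (not part of the IBM documentation or the CRA tool) summarizes a CycloneDX SBOM and flags components that declare no license; the SBOM it reads is constructed inline for illustration.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.4 document (not CRA output): two licensed
# components and one that carries no license information.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})


def license_ids(component):
    """SPDX ids (or free-text names) declared on one CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:          # e.g. "MIT OR Apache-2.0"
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def summarize(sbom_json):
    """Count components, tally licenses and list components with no license."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = sbom.get("components", [])
    licenses = Counter()
    unlicensed = []
    for comp in components:
        ids = license_ids(comp)
        if not ids:
            # Keep the purl when present so the finding is unambiguous.
            unlicensed.append(comp.get("purl") or comp["name"])
        licenses.update(ids)
    return {"components": len(components),
            "licenses": dict(licenses),
            "unlicensed": unlicensed}
```

Running `summarize(SAMPLE_SBOM)` reports three components, one MIT and one Apache-2.0 license, and lists `pkg:npm/left-pad@1.3.0` as unlicensed.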
Accessing your scan results
You can access your scan results by using the following method:
- Using the DevSecOps/CoCoa CLI command line tool to download your scan results from the evidence locker by using the information printed in the stage log. For more information, see the following resources: