cdxgen v11.2.x - Think, Evaluate, and Improve
OWASP CycloneDX SBOM/xBOM Standard
International bill of material standard for the software supply chain supporting SBOM, SaaSBOM, CBOM, VDR/VEX, and more.
Imagine capturing a photo with your phone, believing you've framed the perfect shot. For most, this is enough. But for those who strive for excellence, what if your phone could analyze your photographic process in real time? Envision it explaining its reasoning, examining subjects, lighting, and focus, then offering targeted tips on how to improve – perhaps suggesting a different angle, lens setting, or moment to capture. This continuous loop of self-evaluation and improvement, without disrupting the user experience, is the principle we’ve applied to revolutionize cdxgen and cdxgenGPT.
The latest release of cdxgen, v11.2.0, introduces a groundbreaking "continuous thought logging - evaluation loop." During SBOM generation, cdxgen now "thinks out loud," meticulously logging its internal processes. This includes everything from potential biases and confusions to build environment problems, path selections, and fallback mechanisms. Below are some examples of this thought logging feature:
Case 1: cdxgen correctly identifies the need for a gradle “composite build”, without getting confused by the presence of unwanted pom.xml files.
Getting ready to generate the BOM.
The user wants me to focus on a single type, 'gradle'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?
Found 5 files for the pattern '**/pom.xml' at '.'.
Found 479 files for the pattern '**/build.gradle*' at '.'.
Hmm, there is a gradle.properties file. Do we need any private modules or custom JVM arguments for this project?
PACKAGE MANAGER: Let's make use of the package manager 'gradle', which is allowed.
Wait, this gradle project uses composite builds. I must carefully process these 4 projects including the root.
If an SBOM tool doesn’t support “composite builds,” the resulting SBOM will be significantly less accurate.
Case 2: cdxgen wonders why the lock files are missing despite a successful “npm install”.
Getting ready to generate the BOM.
The user wants me to focus on a single type, 'npm'.
Despite a successful installation step, I didn't find any lock files. Perhaps they're being created elsewhere, such as in the root directory. I am currently checking the directory at /Volumes/Work/sandbox/theia-ide/applications/browser.
Tweaking the generated BOM data with useful annotations and properties.
BOM lacks package manifest details. Please help us improve!
It looks like I didn't find any components, so the BOM is empty.
This rich log of reasoning and the generated BOM can then be uploaded to cdxgenGPT, our intelligent xBOM expert. cdxgenGPT is trained to understand and review the thoughts. It rigorously analyzes cdxgen’s thought process and the generated SBOM against industry best practices and authoritative sources like OWASP guidelines, SCVS standards, and CISA frameworks. This comprehensive evaluation identifies areas for improvement, not just for cdxgen’s code and algorithms, but also for developers using the tool and the ultimate end-users relying on the SBOMs.
Case 1: cdxgenGPT assessing the accuracy of the elasticsearch SBOM based on the thoughts log
Case 2: cdxgenGPT knows exactly why the SBOM was empty and offers ideas to fix it
Case 3: cdxgenGPT evaluates the contents of the SBOM for its intended purpose, based on its knowledge.
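To make the evaluation step concrete, here is an added example (not cdxgen's or cdxgenGPT's own code) of a small reviewer that reads thought-log lines like the ones above and cross-checks them against the generated CycloneDX BOM. The thought lines are constructed from the two cases in this post, the BOM fragments are constructed samples containing only the fields the reviewer reads, and the rule names, severities and verdict thresholds are assumptions made for the example. It shows how a "composite build with N projects" thought can be turned into a check that the BOM actually contains those projects, and how "no lock files" and "BOM is empty" thoughts translate into findings a consumer of the SBOM would want surfaced.

```javascript
// Added example (not cdxgen's own code): review cdxgen "thought log" lines
// against the generated CycloneDX BOM and emit findings plus a verdict.
// All thoughts, BOMs, rule ids and severities below are constructed/assumed.

// Case 1 thoughts: gradle composite build (constructed from the post's log).
const CASE1_THOUGHTS = [
  "Getting ready to generate the BOM.",
  "The user wants me to focus on a single type, 'gradle'.",
  "Found 5 files for the pattern '**/pom.xml' at '.'.",
  "Found 479 files for the pattern '**/build.gradle*' at '.'.",
  "PACKAGE MANAGER: Let's make use of the package manager 'gradle', which is allowed.",
  "Wait, this gradle project uses composite builds. I must carefully process these 4 projects including the root.",
];

// Case 2 thoughts: npm project whose BOM came out empty (constructed).
const CASE2_THOUGHTS = [
  "Getting ready to generate the BOM.",
  "The user wants me to focus on a single type, 'npm'.",
  "Despite a successful installation step, I didn't find any lock files. Perhaps they're being created elsewhere, such as in the root directory.",
  "Tweaking the generated BOM data with useful annotations and properties.",
  "BOM lacks package manifest details. Please help us improve!",
  "It looks like I didn't find any components, so the BOM is empty.",
];

// Constructed CycloneDX JSON fragments with only the fields this reviewer reads.
const CASE1_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    { type: "application", name: "root", version: "1.0.0" },
    { type: "application", name: "core", version: "1.0.0" },
    { type: "library", name: "guava", version: "33.0.0-jre", purl: "pkg:maven/com.google.guava/guava@33.0.0-jre" },
  ],
};
const CASE2_BOM = { bomFormat: "CycloneDX", specVersion: "1.6", components: [] };

// Each rule pairs a thought pattern with the BOM check that thought implies.
const RULES = [
  {
    id: "composite-build",
    pattern: /uses composite builds\. I must carefully process these (\d+) projects/,
    check(m, comps) {
      const expected = Number(m[1]);
      const apps = comps.filter((c) => c.type === "application").length;
      return apps < expected
        ? { severity: "medium", detail: `log names ${expected} projects but BOM has ${apps} application components` }
        : { severity: "info", detail: `${expected} composite projects, ${apps} application components present` };
    },
  },
  {
    id: "no-lockfile",
    pattern: /didn't find any lock files/,
    check: () => ({ severity: "medium", detail: "no lock file; versions may come from manifests rather than pinned resolutions" }),
  },
  {
    id: "missing-manifest",
    pattern: /BOM lacks package manifest details/,
    check: () => ({ severity: "medium", detail: "components cannot be traced back to a package manifest" }),
  },
  {
    id: "empty-bom",
    pattern: /the BOM is empty/,
    check(_m, comps) {
      return comps.length === 0
        ? { severity: "high", detail: "BOM has no components; do not accept it as an inventory" }
        : { severity: "high", detail: `log says empty but BOM lists ${comps.length} components; output is inconsistent` };
    },
  },
];

// Walk every thought line, apply matching rules, then run BOM-only checks.
function reviewThoughts(thoughts, bom) {
  const comps = Array.isArray(bom.components) ? bom.components : [];
  const findings = [];
  for (const line of thoughts) {
    for (const rule of RULES) {
      const m = rule.pattern.exec(line);
      if (m) findings.push({ rule: rule.id, ...rule.check(m, comps) });
    }
  }
  // Independent of any thought: every component should carry a version.
  const unversioned = comps.filter((c) => !c.version).map((c) => c.name);
  if (unversioned.length > 0) {
    findings.push({ rule: "unversioned", severity: "medium", detail: `no version for: ${unversioned.join(", ")}` });
  }
  return findings;
}

// Collapse findings into one verdict usable as a CI gate (thresholds assumed).
function verdict(findings) {
  const sev = findings.map((f) => f.severity);
  if (sev.includes("high")) return "reject";
  if (sev.includes("medium")) return "review";
  return "accept";
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, thoughts, bom] of [["case1", CASE1_THOUGHTS, CASE1_BOM], ["case2", CASE2_THOUGHTS, CASE2_BOM]]) {
    const findings = reviewThoughts(thoughts, bom);
    console.log(label, verdict(findings), JSON.stringify(findings, null, 2));
  }
}
```

Run with `node review-thoughts.js`: case 1 comes back as "review" because the log promised four composite projects and the constructed BOM only carries two application components, while case 2 is rejected outright because the tool itself reported an empty BOM. The point is that the thought log supplies expectations (project counts, missing lock files) that a plain schema validation of the BOM can never check.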
By adopting this innovative approach, moving beyond traditional testing methods and schema validations, we’re beginning to see significant improvements in v11.2.x. This "thought evaluation loop" has enabled us to uncover and resolve issues that were previously undetectable, resulting in more robust, reliable, and insightful SBOMs. This continuous improvement cycle ensures that cdxgen is constantly evolving, providing users with increasingly accurate and comprehensive software composition analysis. Ultimately, this benefits the entire software supply chain by fostering greater transparency, security, and trust through improved SBOM generation.
Keeping up with Rapid Innovation from CycloneDX
As we continue to explore cutting-edge techniques and untapped frontiers, staying updated on our team’s progress might seem daunting. The good news is that our GPT is continuously trained and always in the know. Simply ask cdxgenGPT about anything related to cdxgen, CycloneDX, or xBOMs.
OWASP Foundation and CycloneDX rely on your donations.
Continuously improving our tools, standards, and knowledge to enhance digital transparency and stay ahead in security and compliance requires financial support. Donations and sponsorships are a great way to reward and motivate passionate teams to keep everything open and free. The cdxgen team is fortunate to have support from public and private sources. However, the wider CycloneDX group and the OWASP Foundation need ongoing funding. A tool like cdxgen is just a small part of a much broader ecosystem. Many hard-working volunteers devote significant time and resources to develop specifications, guides, APIs, and processes. Not all of them are fortunate enough to receive backing from large enterprises, so your donations and sponsorships are essential. Please encourage your OSPO teams and procurement departments to find ways they can participate and support us.