Adding documentation and missing Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
  syft [SOURCE] [flags]
  syft [command]

Examples:
  syft scan alpine:latest                                a summary of discovered packages
  syft scan alpine:latest -o json                        show all possible cataloging details
  syft scan alpine:latest -o cyclonedx                   show a CycloneDX formatted SBOM
  syft scan alpine:latest -o cyclonedx-json              show a CycloneDX JSON formatted SBOM
  syft scan alpine:latest -o spdx                        show a SPDX 2.3 Tag-Value formatted SBOM
  syft scan alpine:latest -o spdx@2.2                    show a SPDX 2.2 Tag-Value formatted SBOM
  syft scan alpine:latest -o spdx-json                   show a SPDX 2.3 JSON formatted SBOM
  syft scan alpine:latest -o spdx-json@2.2               show a SPDX 2.2 JSON formatted SBOM
  syft scan alpine:latest -vv                            show verbose debug information
  syft scan alpine:latest -o template -t my_format.tmpl  show a SBOM formatted according to given template file

  Supports the following image sources:
    syft scan yourrepo/yourimage:tag     defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
    syft scan path/to/a/file/or/dir      a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory

  You can also explicitly specify the scheme to use:
    syft scan docker:yourrepo/yourimage:tag            explicitly use the Docker daemon
    syft scan podman:yourrepo/yourimage:tag            explicitly use the Podman daemon
    syft scan registry:yourrepo/yourimage:tag          pull image directly from a registry (no container runtime required)
    syft scan docker-archive:path/to/yourimage.tar     use a tarball from disk for archives created from "docker save"
    syft scan oci-archive:path/to/yourimage.tar        use a tarball from disk for OCI archives (from Skopeo or otherwise)
    syft scan oci-dir:path/to/yourimage                read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    syft scan singularity:path/to/yourimage.sif        read directly from a Singularity Image Format (SIF) container on disk
    syft scan dir:path/to/yourproject                  read directly from a path on disk (any directory)
    syft scan file:path/to/yourproject/file            read directly from a path on disk (any single file)

Available Commands:
  attest      Generate an SBOM as an attestation for the given [SOURCE] container image
  cataloger   Show available catalogers and configuration
  completion  Generate the autocompletion script for the specified shell
  config      show the syft configuration
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  scan        Generate an SBOM
  version     show version information

Flags:
      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
  -c, --config stringArray                        syft configuration file(s) to use
      --enrich stringArray                        enable package data enrichment from local and online sources (options: all, golang, java, javascript)
      --exclude stringArray                       exclude paths from being scanned using a glob expression
      --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
      --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
  -h, --help                                      help for syft
  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
      --profile stringArray                       configuration profiles to use
  -q, --quiet                                     suppress all logging output
  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers] (default "squashed")
      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
      --source-name string                        set the name of the target being analyzed
      --source-version string                     set the version of the target being analyzed
  -t, --template string                           specify the path to a Go template file
  -v, --verbose count                             increase verbosity (-v = info, -vv = debug)
      --version                                   version for syft

Use "syft [command] --help" for more information about a command. fix
LeStarch committed Jan 15, 2025
1 parent d392f60 commit f4dd05c
Showing 5 changed files with 44 additions and 6 deletions.
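The help text in the commit message lists `-o spdx-json`, the format that `sbom.cmake` in this commit selects, and the new documentation tells readers to hand the resulting `*_sbom.json` to grype. The script below is an added example, not code from this commit, from F´, or from syft or grype: it loads such an SPDX 2.x JSON document, counts packages per purl ecosystem, and returns findings (no `Tool:` creator, packages without a purl or version, required packages absent) so that an obviously hollow SBOM fails the build before a vulnerability scan is run against it. The embedded document is a constructed, trimmed sample in the shape syft emits; its package names, versions and namespace are made up, and `required` is a hypothetical allow-list chosen by the caller.

```python
"""Gate an SPDX 2.x JSON SBOM such as `syft scan dir:<project> -o spdx-json` writes.

Added example; not part of F Prime, syft or grype.
Usage: python check_sbom.py [path/to/MyDeployment_sbom.json]
"""
import json
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List, Optional


def _sample_pkg(name: str, version: str, purl: Optional[str] = None) -> dict:
    """Build one SPDX package entry for the constructed sample below."""
    refs = [] if purl is None else [{"referenceCategory": "PACKAGE-MANAGER",
                                     "referenceType": "purl", "referenceLocator": purl}]
    return {"name": name, "SPDXID": f"SPDXRef-Package-{name}", "versionInfo": version,
            "downloadLocation": "NOASSERTION", "externalRefs": refs}


# Constructed sample in the shape of a syft spdx-json document (trimmed).
# Package names, versions and the namespace are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "MyDeployment",
    "documentNamespace": "https://example.invalid/spdx/MyDeployment-0001",
    "creationInfo": {"created": "2025-01-15T00:00:00Z",
                     "creators": ["Organization: Anchore, Inc", "Tool: syft-1.0.0"]},
    "packages": [
        _sample_pkg("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
        _sample_pkg("pyyaml", "6.0.1", "pkg:pypi/pyyaml@6.0.1"),
        _sample_pkg("mystery-lib", "1.2"),  # found on disk but not identified: no purl
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the JSON and insist on an SPDX 2.x document before trusting any field."""
    doc = json.loads(text)
    version = str(doc.get("spdxVersion", ""))
    if not version.startswith("SPDX-2."):
        raise ValueError(f"not an SPDX 2.x document: {version!r}")
    return doc


def purl_of(pkg: dict) -> Optional[str]:
    """Return the package URL recorded in externalRefs, or None if there is none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def ecosystem_counts(doc: dict) -> Dict[str, int]:
    """Count packages per purl type (pypi, deb, npm, ...); 'unknown' when no purl."""
    counts: Counter = Counter()
    for pkg in doc.get("packages", []):
        purl = purl_of(pkg)
        if purl and purl.startswith("pkg:"):
            counts[purl[len("pkg:"):].split("/", 1)[0]] += 1
        else:
            counts["unknown"] += 1
    return dict(counts)


def check_sbom(doc: dict, required: Iterable[str] = ()) -> List[str]:
    """Return findings that should fail the build; an empty list means the SBOM passes.

    `required` is a caller-chosen (hypothetical) set of package names that must appear,
    e.g. the pins from requirements.txt.
    """
    findings: List[str] = []
    creators = doc.get("creationInfo", {}).get("creators", [])
    if not any(str(c).startswith("Tool:") for c in creators):
        findings.append("creationInfo.creators records no Tool: entry")
    packages = doc.get("packages", [])
    if not packages:
        findings.append("SBOM lists no packages at all")
    for pkg in packages:
        name = pkg.get("name", "<unnamed>")
        if purl_of(pkg) is None:
            findings.append(f"package {name!r} has no purl, so matching it against "
                            "vulnerability data is unreliable")
        if not pkg.get("versionInfo"):
            findings.append(f"package {name!r} has no versionInfo")
    present = {pkg.get("name") for pkg in packages}
    for name in sorted(set(required) - present):
        findings.append(f"required package {name!r} is missing from the SBOM")
    return findings


def main(argv: List[str]) -> int:
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_SBOM
    doc = load_sbom(text)
    print("packages per ecosystem:", ecosystem_counts(doc))
    findings = check_sbom(doc, required={"requests"})
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument to exercise the constructed sample, or point it at the `*_sbom.json` the build produces; a non-zero exit makes it usable as a CI step ahead of `grype`.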
1 change: 1 addition & 0 deletions .github/actions/spelling/expect.txt
@@ -907,6 +907,7 @@ suseconds
SVCLOGFILE
SVCLOGFILEL
swcaegitadmin
syft
synchronicity
synopsys
sysconf
13 changes: 7 additions & 6 deletions cmake/target/sbom.cmake
@@ -11,15 +11,14 @@ set(REDIRECTOR "${CMAKE_CURRENT_LIST_DIR}/tools/redirector.py")
#
# Used to register a global target that will build with "all" and generates the SBOM.
#
# TODO: will this install correctly, or do I need an install global target?
#####
function(sbom_add_global_target TARGET)
find_program(SYFT NAMES syft)
# Check if syft is available before running
if (SYFT)
add_custom_target("${TARGET}" ALL
COMMAND
# Redirector to cleanly capture standard out
# Redirect to cleanly capture standard out
${PYTHON} ${REDIRECTOR} "${CMAKE_BINARY_DIR}/${PROJECT_NAME}_sbom.json"
# syft arguments
"${SYFT}" "dir:${FPRIME_PROJECT_ROOT}" -o spdx-json
@@ -38,12 +37,14 @@ endfunction()

# For deployments
function(sbom_add_deployment_target MODULE TARGET SOURCES DEPENDENCIES FULL_DEPENDENCIES)
append_list_property("${MODULE}" TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
get_property(VAR1 TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
if (TARGET "${TARGET}")
append_list_property("${MODULE}" TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
endif()
endfunction()

# Used to register all modules
function(sbom_add_module_target MODULE TARGET SOURCE_FILES DEPENDENCIES)
append_list_property("${MODULE}" TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
get_property(VAR1 TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
if (TARGET "${TARGET}")
append_list_property("${MODULE}" TARGET "${TARGET}" PROPERTY SBOM_DEPENDENCIES)
endif()
endfunction()
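Review bot: the `if (TARGET "${TARGET}")` guard fixes the error when a target does not exist, but it turns that case into a silent skip, so a module whose target is missing simply never appears in `SBOM_DEPENDENCIES` and nothing records the gap; add a `message(DEBUG ...)` or `message(VERBOSE ...)` in an else branch so an audit of the SBOM can see what was left out. With the `get_property(VAR1 ...)` debugging leftovers removed, `sbom_add_deployment_target` and `sbom_add_module_target` now have identical bodies, and neither uses its `SOURCES`/`SOURCE_FILES`, `DEPENDENCIES` or `FULL_DEPENDENCIES` arguments; either factor the body into one helper or state in the comments that the extra parameters exist only to match the target-registration signature.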
3 changes: 3 additions & 0 deletions docs/documentation/user-manual/index.md
@@ -19,5 +19,8 @@ In-depth user guide and language specification for FPP
## __Ground Data System (GDS)__
Dive into the F´ GDS and its testing framework

## __Security__
Security documentation spanning the F Prime ecosystem

## __Design__
Explanation of the F Prime architecture and design philosophies
@@ -0,0 +1,31 @@
# Software Bill Of Materials Generation

A software bill of materials is a record of the software that constitutes a product. F Prime will automatically generate a Bill of Materials for a your project as part of the build system. Generation requires the `syft` tool to be installed.

## Running Software Bill of Materials

To generate the software bill of material you must first install [`syft`](https://github.com/anchore/syft). Follow the instruction in the README to install `syft` and ensure that it is on the PATH.

Once `syft` is installed the path, your software bill of materials will be installed in the `build-artifacts/` folder.

## Details and Idiosyncrasies

F Prime uses the `spdx-json` format for the bill of materials using the `syft` tool. It will capture software tools installed in the filesystem rooted at the project root. This will include python installations, `requirements.txt` packages, and various other tools detectable by `syft`.

To see the full catalog run `syft cataloger list`.

>[!WARNING]
> `cmake` and your C++ compiler are not likely installed within the project file system. To generate a bill of materials including these external tools, you will need to build a container to build your product and scan that container.
## Scanning for Vulnerabilities

To scan for vulnerabilities in the bill of materials, you must first install [`grype`](https://github.com/anchore/grype). Follow the instructions in the README to install `grype` and ensure it is on the PATH.

Once `grype` is installed, you can scan the bill of materials using the following command.

```
grype ./build-artifacts/*_sbom.json
```

![WARNING]
! `grype` is just one tool to look for vulnerabilities in your project. Vulnerabilities may be found by other means.
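Review bot: the second admonition is malformed, `![WARNING]` followed by a line starting with `!` renders as a broken image link and a stray exclamation mark, so it should use the same `>[!WARNING]` / `> ...` form as the first one, which in turn needs a blank line before `## Scanning for Vulnerabilities` to close the quote. Typos to fix: "a Bill of Materials for a your project", "Once `syft` is installed the path" (on the PATH), "Follow the instruction in the README" (instructions), "the software bill of material". On substance, the page says the SBOM will be "installed in the `build-artifacts/` folder", but `sbom.cmake` in this same commit writes `${CMAKE_BINARY_DIR}/${PROJECT_NAME}_sbom.json`, so one of the two should change before readers run `grype ./build-artifacts/*_sbom.json` against a file that is not there; and since the target scans `dir:${FPRIME_PROJECT_ROOT}`, the "Details and Idiosyncrasies" section should state plainly that the SBOM describes the project source tree as found on disk (Python installations, `requirements.txt` entries and whatever else syft's catalogers detect), not the linked flight binary or the toolchain, which the first warning only partly conveys.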
2 changes: 2 additions & 0 deletions docs/mkdocs.yml
@@ -303,6 +303,8 @@ nav:
- 'GDS Dashboard Reference': documentation/user-manual/gds/gds-dashboard-reference.md
- 'Integration Test API': documentation/user-manual/gds/gds-test-api-guide.md
- 'Sequencing in F´': documentation/user-manual/gds/seqgen.md
- Security:
- 'Software Bill of Materials Generation': documentation/user-manual/security/software-bill-of-materials.md
- Design:
- 'F´ Software Architecture': documentation/user-manual/design/fprime-architecture.md
- 'Numerical Types Design': documentation/user-manual/design/numerical-types.md

0 comments on commit f4dd05c
