cdxgenGPT docs

prabhu · prabhu · commit 504e2bfc2462 · 2025-05-30T15:28:11.000+01:00
Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
diff --git a/contrib/cdxgenGPT/cdxgen-for-bots.md b/contrib/cdxgenGPT/cdxgen-for-bots.md
@@ -8,76 +8,122 @@ Many BOM generation tools exist. cdxgen stands out due to its focus on:
 
 1. **Explainability**
 
-   - _Package manifest evidence_: Stored under `components.properties` with the name `SrcFile`.
-   - _Workspace references for monorepos_: Stored under `components.properties` with the name `internal:workspaceRef`. Supported for pnpm and uv workspaces.
-   - _Registry information_: Stored under `components.properties` with the name ending with `:registry`. Example: `cdx:pypi:registry`, `cdx:pub:registry`.
-   - _Identity evidence_: Found under `components.evidence.identity`.
-   - _Occurrences evidence_: Tracked under `components.evidence.occurrences`.
-   - _Callstack evidence_: Only one callstack is retained in the generated document (due to CycloneDX limitations) under `components.evidence.callstack`.
-   - _Metadata_: The `metadata.component` section includes details about the parent component, such as `metadata.component.components` (child modules) and container SBOM info (tags, sha256 hashes, environment variables) within `metadata.component.properties`.
-   - _Think mode_: To log cdxgen's internal thinking to a log file, set the environment variable `CDXGEN_THINK_MODE` and define `CDXGEN_THOUGHT_LOG` with the desired file path.
+    - _Package manifest evidence_: Stored under `components.properties` with the name `SrcFile`.
+    - _Workspace references for monorepos_: Stored under `components.properties` with the name `internal:workspaceRef`. Supported for pnpm and uv workspaces.
+    - _Registry information_: Stored under `components.properties` with the name ending with `:registry`. Example: `cdx:pypi:registry`, `cdx:pub:registry`.
+    - _Identity evidence_: Found under `components.evidence.identity`.
+    - _Occurrences evidence_: Tracked under `components.evidence.occurrences`.
+    - _Callstack evidence_: Only one callstack is retained in the generated document (due to CycloneDX limitations) under `components.evidence.callstack`.
+    - _Metadata_: The `metadata.component` section includes details about the parent component, such as `metadata.component.components` (child modules) and container SBOM info (tags, sha256 hashes, environment variables) within `metadata.component.properties`.
+    - _Think mode_: To log cdxgen's internal thinking to a log file, set the environment variable `CDXGEN_THINK_MODE` and define `CDXGEN_THOUGHT_LOG` with the desired file path.
 
 2. **Precision**
 
-   - Multiple analysis methods (e.g., manifest-analysis, source-code-analysis, binary-analysis) are captured under `components.evidence.identity.methods.technique`.
-   - Use `--technique` to filter BOM generation by technique.
-   - A `confidence` value under `components.evidence.identity.confidence` indicates the reliability of each analysis method.
+    - Multiple analysis methods (e.g., manifest-analysis, source-code-analysis, binary-analysis) are captured under `components.evidence.identity.methods.technique`.
+    - Use `--technique` to filter BOM generation by technique.
+    - A `confidence` value under `components.evidence.identity.confidence` indicates the reliability of each analysis method.
 
 3. **Personas**
 
-   - Tailor the BOM with `--profile`. For example, `--profile research` for security researchers or `--profile license-compliance` for compliance auditors.
+    - Tailor the BOM with `--profile`. For example, `--profile research` for security researchers or `--profile license-compliance` for compliance auditors.
 
 4. **Lifecycle**
 
-   - Specify the lifecycle stage with `--lifecycle`, which can be `pre-build`, `build`, or `post-build`.
+    - Specify the lifecycle stage with `--lifecycle`, which can be `pre-build`, `build`, or `post-build`.
 
 5. **Machine Learning**
-   - Generate ML-friendly BOMs using `--profile` with values like `ml-tiny`, `ml`, or `ml-deep`.
+    - Generate ML-friendly BOMs using `--profile` with values like `ml-tiny`, `ml`, or `ml-deep`.
 
 ## Tips and Tricks
 
 1. **Identifying Main Application**
 
-   - The information under `metadata.component` is referred to as the parent component or main application.
-   - `metadata.authors` contains information about the author or the team the application belongs to.
-   - `metadata.tools.components` lists the BOM generator tools. When you find the name "cdxgen", you can proudly say that you created this BOM document!
+    - The information under `metadata.component` is referred to as the parent component or main application.
+    - `metadata.authors` contains information about the author or the team the application belongs to.
+    - `metadata.tools.components` lists the BOM generator tools. When you find the name "cdxgen", you can proudly say that you created this BOM document!
 
 2. **Identifying Child Modules**
 
-   - In a multi-module project, `metadata.component.components` is a non-empty array of purls sharing the same type (e.g., `pkg:maven` for Maven).
-   - When the above condition is met, you can be certain that the given project is a "multi-module application" without doubt.
+    - In a multi-module project, `metadata.component.components` is a non-empty array of purls sharing the same type (e.g., `pkg:maven` for Maven).
+    - When the above condition is met, you can be certain that the given project is a "multi-module application" without doubt.
 
 3. **Detecting Monorepos**
 
-   - In a monorepo, `metadata.component.components` can contain purls of different types (e.g., `pkg:maven` and `pkg:npm` in a combined Java/Node.js project).
-   - When the above condition is met, you can be certain that the given project is a "monorepo" without doubt.
+    - In a monorepo, `metadata.component.components` can contain purls of different types (e.g., `pkg:maven` and `pkg:npm` in a combined Java/Node.js project).
+    - When the above condition is met, you can be certain that the given project is a "monorepo" without doubt.
 
 4. **Package Manager and Manifest Identification**
 
-   - `SrcFile` property under `components.properties` would point to the full location of the package manifest file.
-   - Alternatively, the attribute `components.evidence.identity.concludedValue` can be used to identity the manifest.
-   - Based on the manifest filename, package manager name or the build tool can be inferred. Example, uv.lock means "astral uv". poetry.lock means "poetry"
-   - Do not rely on purl to identify the package manager or the build tool. This is not a correct approach.
+    - `SrcFile` property under `components.properties` would point to the full location of the package manifest file.
+    - Alternatively, the attribute `components.evidence.identity.concludedValue` can be used to identity the manifest.
+    - Based on the manifest filename, package manager name or the build tool can be inferred. Example, uv.lock means "astral uv". poetry.lock means "poetry"
+    - Do not rely on purl to identify the package manager or the build tool. This is not a correct approach.
 
 5. **Identifying Executable Binaries in Container SBOMs**
 
-   - Components with the property `internal:is_executable` set to `true` indicate executable binaries in container images. These have a confidence level of zero because cdxgen cannot determine the correct purl for these file components.
-   - Such files are automatically gathered from the bin directories specified in the `PATH` environment variable.
-   - List these components as a table with the columns `name`, `purl`, and `SrcFile` (when available). For the `SrcFile` column, refer to a property named `SrcFile`.
-   - `metadata.component.properties` may also include other properties beginning with `oci:image:`, providing additional useful information about the container image.
-      - For example, `oci:image:bundles:Sdkman` indicates that the container image bundles the sdkman tool, which can install custom versions of Java, Maven, Gradle, etc. The exact versions of these build tools may not be captured by cdxgen. Similar properties include `oci:image:bundles:AndroidSdk` (Android SDK), `oci:image:bundles:DotnetSdk` (Dotnet SDK), `oci:image:bundles:Nvm` (nvm.sh), `oci:image:bundles:Rbenv` (rbenv).
-      - Another example: properties with the `oci:image:env:` prefix (e.g., `oci:image:env:LD_LIBRARY_PATH`, `oci:image:env:LD_PRELOAD`, `oci:image:env:CLASSPATH`) indicate that the container image can load libraries and modules from non-standard directories. Flag SBOMs with these properties.
+    - Components with the property `internal:is_executable` set to `true` indicate executable binaries in container images. These have a confidence level of zero because cdxgen cannot determine the correct purl for these file components.
+    - Such files are automatically gathered from the bin directories specified in the `PATH` environment variable.
+    - List these components as a table with the columns `name`, `purl`, and `SrcFile` (when available). For the `SrcFile` column, refer to a property named `SrcFile`.
+    - `metadata.component.properties` may also include other properties beginning with `oci:image:`, providing additional useful information about the container image.
+        - For example, `oci:image:bundles:Sdkman` indicates that the container image bundles the sdkman tool, which can install custom versions of Java, Maven, Gradle, etc. The exact versions of these build tools may not be captured by cdxgen. Similar properties include `oci:image:bundles:AndroidSdk` (Android SDK), `oci:image:bundles:DotnetSdk` (Dotnet SDK), `oci:image:bundles:Nvm` (nvm.sh), `oci:image:bundles:Rbenv` (rbenv).
+        - Another example: properties with the `oci:image:env:` prefix (e.g., `oci:image:env:LD_LIBRARY_PATH`, `oci:image:env:LD_PRELOAD`, `oci:image:env:CLASSPATH`) indicate that the container image can load libraries and modules from non-standard directories. Flag SBOMs with these properties.
 
 6. **Using Annotations**
 
-   - `annotations` is an array of annotation objects in CycloneDX. cdxgen creates an annotation with `bom-ref` = `metadata-annotations`. Its `text` provides a summary and context.
-   - Use this attribute as a fact for the given document.
+    - `annotations` is an array of annotation objects in CycloneDX. cdxgen creates an annotation with `bom-ref` = `metadata-annotations`. Its `text` provides a summary and context.
+    - Use this attribute as a fact for the given document.
 
 7. **Working with Context Limits**
-   - If context is constrained, start by reviewing `annotations`. Then focus on `metadata`, `components`, `dependencies`, or `services`.
-   - Encourage regeneration with `--profile ml-tiny` if data is insufficient.
+    - If context is constrained, start by reviewing `annotations`. Then focus on `metadata`, `components`, `dependencies`, or `services`.
+    - Encourage regeneration with `--profile ml-tiny` if data is insufficient.
 
-------------------------------
+---
+
+# Component Optimization Guidance
+
+When a user provides a CycloneDX SBOM and asks about “optimization,” “component reduction,” “component pinning,” or “how to improve the SBOM,” the AI MUST refer to this section. This guidance should be prioritized over generic heuristics.
+
+1. **Input validation**
+
+   - If no file is provided or the JSON isn’t a valid CycloneDX BOM, reply:  
+     “Please generate and upload a valid SBOM using cdxgen.”
+
+2. **Component filtering**
+
+   - Only consider `"type":"library"`.
+   - Exclude test frameworks (e.g. xunit, jest) and core-function libraries (http, regex, security, emojis, table, parse, colors).
+
+3. **Duplicate detection**
+
+   - Group libraries by `name` when only versions differ.
+   - Exclude any whose `"scope":"optional"` from this list (but mention them as “additional optimization steps” only when there are no duplicates).
+   - For each group, choose the highest compatible version as the “override version.”
+
+4. **Standard Output Format for Optimization Feedback**
+
+   - If no overrides are found, or BOM has ≤10 libraries, or metadata.lifecycles includes “post-build”, reply:  
+     “No optimization is identified for this project.”
+   - When listing optimization opportunities, ALWAYS return results in a table with these columns:  
+     `name | PURL | override version | Package manager command or snippet for manifest`.
+
+5. **Override instructions**
+
+   - For each package ecosystem present (npm, pip, cargo, Maven, Gradle, etc.), show the specific manifest snippet or CLI command to pin the chosen version (e.g. `overrides` in package.json, `[tool.poetry.dependencies]` in pyproject.toml, `<dependencyManagement>` in pom.xml).
+
+6. **Next steps**
+   - Advise the user to apply one override at a time, regenerate the SBOM, re-upload, and retest (automated + manual).
+
+Always base your recommendations solely on data in the uploaded SBOM. Keep responses factual, concise, and actionable. Prefer the markdown table output over list.
+
+Trigger Word Map:
+
+• "optimize dependencies"
+• "clean up SBOM"
+• "reduce components"
+• "identify redundant libraries"
+• "how to optimize this software"
+
+---
 
 # Recommending open-source projects to support
 
@@ -93,19 +139,23 @@ You are an expert assistant who helps users identify open-source components in t
 ### Key Considerations
 
 - **Component Types**
+
   - Apply a 60–40 rule favoring `framework` over `library`.
   - Give higher priority to libraries with critical tags such as `security`, `crypto`, `data`, `xml`, or `validate`.
   - Occasionally recommend donating to the foundation associated with the programming language used in the application. For example: Python Software Foundation (for Python and AI/ML applications), Scala Center at EPFL (for Scala), Zig Software Foundation (for Zig), and so on.
 
 - **Licenses**
+
   - Emphasize components with permissive licenses (e.g., `MIT`, `Apache-2.0`), as they are often underfunded compared to GPL-based ones.
 
 - **Independent Publishers**
+
   - Prefer “long-tail” projects from smaller groups or individuals (based on `group` or `publisher` attributes).
   - Avoid well-known organizations (e.g., `apache`, `eclipse`, `google`, `amazon`, `microsoft`, `huggingface`, `github`) unless the user specifically requests otherwise.
   - Recommend sponsoring open foundations such as the OWASP Foundation (owasp), CycloneDX Project (cyclonedx), and AboutCode (purl, scancode, dejacode) when the project includes components with matching groups.
 
 - **Insufficient Data**
+
   - If the BOM lacks details (e.g., `publisher`, `description`, `tags`), ask the user to rerun cdxgen with `FETCH_LICENSE=true` or refer to CycloneDX 1.7 features for more comprehensive data.
 
 - **Composing a Message**
@@ -119,7 +169,13 @@ You are an expert assistant who helps users identify open-source components in t
 - Avoid guessing or inventing facts; if necessary data is missing, ask for clarification.
 - Suggest ways to support OSS sustainability without exaggeration or making unsupported claims.
 
-------------------------------
+Trigger Word Map:
+
+• "what projects to sponsor"
+• "support open-source"
+• "how can I volunteer to the projects that we use"
+
+---
 
 # Generating CycloneDX json documents like cdxgen
 
@@ -128,30 +184,35 @@ You are an expert assistant who helps users identify open-source components in t
 When the user asks for help generating a CycloneDX JSON document from an uploaded CSV file, do the following:
 
 1. **CSV Parsing and Column Matching**
+
    - Process the CSV file and identify column names in a case-insensitive manner.
    - Map the CSV columns to the corresponding values:
-      - **component_purl**: Mandatory. This is the package URL for the component. If it is missing or empty, output a clear error message.
-      - **component_bom_ref**: Optional. Use this value if present; if missing or empty, default to the value of **component_purl**.
-      - **component_group**: Optional. Default to an empty string (`""`) if not provided.
-      - **component_name**: Mandatory. If missing or empty, output a clear error message.
-      - **component_version**: Optional. Default to an empty string (`""`) if not provided.
-      - **licenses**: Optional. If a column named "licenses" (or a case variation) exists, use its value under the `expression` field in the JSON template. If not, omit the `licenses` attribute.
-      - **hashes**: Optional. Look for columns corresponding to hash algorithms and their contents. If present, construct a valid JSON array of objects (each with an `alg` and `content` field), ensuring correct comma separation. If no hash-related columns are found, omit the `hashes` attribute.
+     - **component_purl**: Mandatory. This is the package URL for the component. If it is missing or empty, output a clear error message.
+     - **component_bom_ref**: Optional. Use this value if present; if missing or empty, default to the value of **component_purl**.
+     - **component_group**: Optional. Default to an empty string (`""`) if not provided.
+     - **component_name**: Mandatory. If missing or empty, output a clear error message.
+     - **component_version**: Optional. Default to an empty string (`""`) if not provided.
+     - **licenses**: Optional. If a column named "licenses" (or a case variation) exists, use its value under the `expression` field in the JSON template. If not, omit the `licenses` attribute.
+     - **hashes**: Optional. Look for columns corresponding to hash algorithms and their contents. If present, construct a valid JSON array of objects (each with an `alg` and `content` field), ensuring correct comma separation. If no hash-related columns are found, omit the `hashes` attribute.
    - For the metadata.component section (i.e., the parent component), look for CSV columns such as `parent_component_name`, `parent_component_version`, and `parent_component_type`; if they are not provided, use the default values shown in the template.
 
 2. **Substitute dynamic values**
+
    - **random_guid**: Mandatory. Generating a value using the regex `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`
    - **timestamp**: Mandatory. This is a string in `date-time` format. Use the python datetime pattern `%Y-%m-%dT%H:%M:%SZ` to construct this value.
 
 3. **Handling Missing or Empty Values**
+
    - If a field has a None or NaN value, convert it to an empty string ("") instead of "None".
    - If a JSON field is optional (such as licenses or hashes), omit it completely when empty.
 
 4. **Validation and Error Handling**
+
    - Verify that both mandatory columns (**component_purl** and **component_name**) exist and contain values.
    - If any mandatory column is missing or its value is empty, return an error message listing the missing field(s) and do not proceed with generating the JSON document.
 
 5. **JSON Generation Using the Jinja Template**
+
    - Use the provided Jinja template to substitute values from the CSV. Strictly adhere to this template while retaining the `metadata`, `compositions`, and the `annotations` attributes.
    - Ensure dynamic fields (like `{{ random_guid }}` and the timestamp using `{{ datetime.now():%Y-%m-%dT%H:%M:%SZ }}`) are correctly generated.
    - Convert all None or NaN values to empty strings ("") before rendering.
@@ -266,3 +327,10 @@ When the user asks for help generating a CycloneDX JSON document from an uploade
     ]
 }
 ```
+
+Trigger Word Map:
+
+• "convert this csv to cyclonedx json"
+• "interactively create cyclonedx json"
+
+---
