@cyclonedx/cdxgen 10.1.2 → 10.2.1

package/README.md CHANGED
@@ -6,54 +6,51 @@ cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a val
6
6
 
7
7
  When used with plugins, cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
8
8
 
9
- NOTE:
10
-
11
- CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
12
-
13
9
  ## Why cdxgen?
14
10
 
15
- Most SBOM tools are like barcode scanners. They can scan a few package manifest and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries. Traditional techniques to generate a SBOM per language or package manifest either do not work in enterprise environments or doesn't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is both precise and comprehensive!
11
+ Most SBOM tools are like simple barcode scanners. For easy applications, they can parse a few package manifests and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries with complex build requirements. Traditional techniques to generate an SBOM per language or package manifest either do not work in enterprise environments or don't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is user-friendly, precise and comprehensive!
16
12
 
17
13
  <img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
18
14
 
19
15
  ## Supported languages and package format
20
16
 
21
- | Language/Platform | Package format | Transitive dependencies | Evidence |
22
- | ------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------- |
23
- | Node.js | npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js | Yes except .min.js | Yes |
24
- | Java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel | Yes unless pom.xml is manually parsed due to unavailability of maven or errors | Yes |
25
- | PHP | composer.lock | Yes | Yes |
26
- | Python | pyproject.toml, setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, pdm.lock, bdist_wheel, .whl, .egg-info | Yes using the automatic pip install/freeze. When disabled, only with Pipfile.lock and poetry.lock | Yes |
27
- | Go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary | Yes |
28
- | Ruby | Gemfile.lock, gemspec | Only for Gemfile.lock | |
29
- | Rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock | |
30
- | .Net | .csproj, .vbproj, .fsproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock | |
31
- | Dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock | |
32
- | Haskell | cabal.project.freeze | Yes | |
33
- | Elixir | mix.lock | Yes | |
34
- | C/C++/Objective C/C++11 | conan.lock, conanfile.txt, \*.cmake, CMakeLists.txt, meson.build, codebase without package managers! | Yes only for conan.lock. Best effort basis for cmake without version numbers. | Yes |
35
- | Clojure | Clojure CLI (deps.edn), Leiningen (project.clj) | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | |
36
- | Swift | Package.resolved, Package.swift (swiftpm) | Yes | |
37
- | Docker / oci image | All supported languages. Linux OS packages with plugins [4] | Best effort based on lock files | Yes |
38
- | GitHub Actions | .github/workflows/\*.yml | N/A | Yes |
39
- | Linux | All supported languages. Linux OS packages with plugins [5] | Best effort based on lock files | Yes |
40
- | Windows | All supported languages. OS packages with best effort [5] | Best effort based on lock files | Yes |
41
- | Jenkins Plugins | .hpi files | | Yes |
42
- | Helm Charts | .yaml | N/A | |
43
- | Skaffold | .yaml | N/A | |
44
- | kustomization | .yaml | N/A | |
45
- | Tekton tasks | .yaml | N/A | |
46
- | Kubernetes | .yaml | N/A | |
47
- | Maven Cache | $HOME/.m2/repository/\*\*/\*.jar | N/A | |
48
- | SBT Cache | $HOME/.ivy2/cache/\*\*/\*.jar | N/A | |
49
- | Gradle Cache | $HOME/caches/modules-2/files-2.1/\*\*/\*.jar | N/A | |
50
- | Helm Index | $HOME/.cache/helm/repository/\*\*/\*.yaml | N/A | |
51
- | Docker compose | docker-compose\*.yml. Images would also be scanned. | N/A | |
52
- | Dockerfile | `*Dockerfile*` Images would also be scanned. | N/A | |
53
- | Containerfile | `*Containerfile*`. Images would also be scanned. | N/A | |
54
- | Bitbucket Pipelines | `bitbucket-pipelines.yml` images and pipes would also be scanned. | N/A | |
55
- | Google CloudBuild configuration | cloudbuild.yaml | N/A | |
56
- | OpenAPI | openapi\*.json, openapi\*.yaml | N/A | |
17
+ | Language/Platform | Package format | Transitive dependencies | Evidence |
18
+ | ------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------- |
19
+ | Node.js | npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js | Yes except .min.js | Yes |
20
+ | Java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel | Yes unless pom.xml is manually parsed due to unavailability of maven or errors | Yes |
21
+ | Android | apk, aab | |
22
+ | PHP | composer.lock | Yes | Yes |
23
+ | Python | pyproject.toml, setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, pdm.lock, bdist_wheel, .whl, .egg-info | Yes using the automatic pip install/freeze. When disabled, only with Pipfile.lock and poetry.lock | Yes |
24
+ | Go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary | Yes |
25
+ | Ruby | Gemfile.lock, gemspec | Only for Gemfile.lock | |
26
+ | Rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock | |
27
+ | .Net | .csproj, .vbproj, .fsproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock, binary | Only for project.assets.json, packages.lock.json, paket.lock | |
28
+ | Dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock | |
29
+ | Haskell | cabal.project.freeze | Yes | |
30
+ | Elixir | mix.lock | Yes | |
31
+ | C/C++/Objective C/C++11 | conan.lock, conanfile.txt, \*.cmake, CMakeLists.txt, meson.build, codebase without package managers! | Yes only for conan.lock. Best effort basis for cmake without version numbers. | Yes |
32
+ | Clojure | Clojure CLI (deps.edn), Leiningen (project.clj) | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | |
33
+ | Swift | Package.resolved, Package.swift (swiftpm) | Yes | |
34
+ | Docker / oci image | All supported languages. Linux OS packages with plugins [4] | Best effort based on lock files | Yes |
35
+ | GitHub Actions | .github/workflows/\*.yml | N/A | Yes |
36
+ | Linux | All supported languages. Linux OS packages with plugins [5] | Best effort based on lock files | Yes |
37
+ | Windows | All supported languages. OS packages with best effort [5] | Best effort based on lock files | Yes |
38
+ | Jenkins Plugins | .hpi files | | Yes |
39
+ | Helm Charts | .yaml | N/A | |
40
+ | Skaffold | .yaml | N/A | |
41
+ | kustomization | .yaml | N/A | |
42
+ | Tekton tasks | .yaml | N/A | |
43
+ | Kubernetes | .yaml | N/A | |
44
+ | Maven Cache | $HOME/.m2/repository/\*\*/\*.jar | N/A | |
45
+ | SBT Cache | $HOME/.ivy2/cache/\*\*/\*.jar | N/A | |
46
+ | Gradle Cache | $HOME/caches/modules-2/files-2.1/\*\*/\*.jar | N/A | |
47
+ | Helm Index | $HOME/.cache/helm/repository/\*\*/\*.yaml | N/A | |
48
+ | Docker compose | docker-compose\*.yml. Images would also be scanned. | N/A | |
49
+ | Dockerfile | `*Dockerfile*` Images would also be scanned. | N/A | |
50
+ | Containerfile | `*Containerfile*`. Images would also be scanned. | N/A | |
51
+ | Bitbucket Pipelines | `bitbucket-pipelines.yml` images and pipes would also be scanned. | N/A | |
52
+ | Google CloudBuild configuration | cloudbuild.yaml | N/A | |
53
+ | OpenAPI | openapi\*.json, openapi\*.yaml | N/A | |
57
54
 
58
55
  NOTE:
59
56
 
@@ -131,6 +128,7 @@ import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
131
128
  $ cdxgen -h
132
129
  Options:
133
130
  -o, --output Output file. Default bom.json
131
+ [default: "bom.json"]
134
132
  -t, --type Project type
135
133
  -r, --recurse Recurse mode suitable for mono-repos. Defaults to
136
134
  true. Pass --no-recurse to disable.
@@ -147,10 +145,12 @@ Options:
147
145
  --project-group Dependency track project group
148
146
  --project-name Dependency track project name. Default use the di
149
147
  rectory name
150
- --project-version Dependency track project version [default: ""]
148
+ --project-version Dependency track project version
149
+ [string] [default: ""]
151
150
  --project-id Dependency track project id. Either provide the i
152
151
  d or the project name and version together
153
- --parent-project-id Dependency track parent project id
152
+ [string]
153
+ --parent-project-id Dependency track parent project id [string]
154
154
  --required-only Include only the packages with required scope on
155
155
  the SBOM. Would set compositions.aggregate to inc
156
156
  omplete unless --no-auto-compositions is passed.
@@ -174,13 +174,13 @@ Options:
174
174
  --evidence Generate SBOM with evidence for supported languag
175
175
  es. [boolean] [default: false]
176
176
  --spec-version CycloneDX Specification version to use. Defaults
177
- to 1.5 [default: 1.5]
177
+ to 1.5 [number] [default: 1.5]
178
178
  --filter Filter components containing this word in purl or
179
179
  component.properties.value. Multiple values allo
180
180
  wed. [array]
181
- --only Include components only containing this word in
182
- purl. Useful to generate BOM with first party co
183
- mponents alone. Multiple values allowed. [array]
181
+ --only Include components only containing this word in p
182
+ url. Useful to generate BOM with first party comp
183
+ onents alone. Multiple values allowed. [array]
184
184
  --author The person(s) who created the BOM. Set this value
185
185
  if you're intending the modify the BOM and claim
186
186
  authorship.[array] [default: "OWASP Foundation"]
@@ -188,8 +188,11 @@ Options:
188
188
  c.
189
189
  [choices: "appsec", "research", "operational", "threat-modeling", "license-com
190
190
  pliance", "generic"] [default: "generic"]
191
+ --exclude Additional glob pattern(s) to ignore [array]
191
192
  --include-formulation Generate formulation section using git metadata.
192
193
  [boolean] [default: false]
194
+ --include-crypto Include crypto libraries found under formulation.
195
+ [boolean] [default: false]
193
196
  --auto-compositions Automatically set compositions when the BOM was f
194
197
  iltered. Defaults to true
195
198
  [boolean] [default: true]
@@ -296,6 +299,13 @@ curl "http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-a
296
299
  curl "http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git&multiProject=true&type=js"
297
300
  ```
298
301
 
302
+ If you need to pass credentials to authenticate.
303
+
304
+ ```shell
305
+ curl "http://127.0.0.1:9090/sbom?url=https://<access_token>@github.com/some/repo.git&multiProject=true&type=js"
306
+ curl "http://127.0.0.1:9090/sbom?url=https://<username>:<password>@bitbucket.org/some/repo.git&multiProject=true&type=js"
307
+ ```
308
+
299
309
  You can POST the arguments.
300
310
 
301
311
  ```bash
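--- a/package/analyzer.js
+++ b/package/analyzer.js
@@ -93,6 +93,8 @@ const babelParserOptions = {
  allowSuperOutsideMethod: true,
  errorRecovery: true,
  allowUndeclaredExports: true,
+ createImportExpressions: true,
+ tokens: true,
  attachComment: false,
  plugins: [
  "optionalChaining",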
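--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -150,8 +150,6 @@ const args = yargs(hideBin(process.argv))
  })
  .option("install-deps", {
  type: "boolean",
- hidden: true,
- default: true,
  description:
  "Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature."
  })
@@ -216,9 +214,13 @@ const args = yargs(hideBin(process.argv))
  "generic"
  ]
  })
+ .option("lifecycle", {
+ description: "Product lifecycle for the generated BOM.",
+ hidden: true,
+ choices: ["pre-build", "build", "post-build"]
+ })
  .option("exclude", {
- description: "Additional glob pattern(s) to ignore",
- hidden: true
+ description: "Additional glob pattern(s) to ignore"
  })
  .option("export-proto", {
  type: "boolean",
@@ -239,8 +241,7 @@ const args = yargs(hideBin(process.argv))
  .option("include-crypto", {
  type: "boolean",
  default: false,
- description: "Include crypto libraries found under formulation.",
- hidden: true
+ description: "Include crypto libraries found under formulation."
  })
  .completion("completion", "Generate bash/zsh completion")
  .array("filter")
@@ -298,14 +299,22 @@ if (process.argv[1].includes("obom") && !args.type) {
  args.type = "os";
  }
 
- const applyProfile = (options) => {
+ /**
+ * Method to apply advanced options such as profile and lifecycles
+ *
+ * @param {object} CLI options
+ */
+ const applyAdvancedOptions = (options) => {
  switch (options.profile) {
  case "appsec":
  options.deep = true;
+ options.includeFormulation = true;
  break;
  case "research":
  options.deep = true;
  options.evidence = true;
+ options.includeFormulation = true;
+ options.includeCrypto = true;
  process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE = "true";
  process.env.ASTGEN_IGNORE_DIRS = "";
  process.env.ASTGEN_IGNORE_FILE_PATTERN = "";
@@ -313,7 +322,9 @@ const applyProfile = (options) => {
  case "operational":
  options.projectType = options.projectType || "os";
  break;
- case "threat-modeling": // unused
+ case "threat-modeling":
+ options.deep = true;
+ options.evidence = true;
  break;
  case "license-compliance":
  process.env.FETCH_LICENSE = "true";
@@ -321,6 +332,36 @@ const applyProfile = (options) => {
  default:
  break;
  }
+ switch (options.lifecycle) {
+ case "pre-build":
+ options.installDeps = false;
+ break;
+ case "post-build":
+ if (
+ !options.projectType ||
+ ![
+ "csharp",
+ "dotnet",
+ "container",
+ "docker",
+ "podman",
+ "oci",
+ "android",
+ "apk",
+ "aab"
+ ].includes(options.projectType)
+ ) {
+ console.log(
+ "PREVIEW: post-build lifecycle SBOM generation is supported only for android and dotnet projects. Please specify the type using the -t argument."
+ );
+ process.exit(1);
+ }
+ options.installDeps = true;
+ break;
+ default:
+ options.installDeps = true;
+ break;
+ }
  return options;
  };
 
@@ -334,7 +375,7 @@ const options = Object.assign({}, args, {
  project: args.projectId,
  deep: args.deep || args.evidence
  });
- applyProfile(options);
+ applyAdvancedOptions(options);
 
  /**
  * Check for node >= 20 permissions
@@ -563,7 +604,8 @@ const checkPermissions = (filePath) => {
  withReachables: options.deep,
  usagesSlicesFile: options.usagesSlicesFile,
  dataFlowSlicesFile: options.dataFlowSlicesFile,
- reachablesSlicesFile: options.reachablesSlicesFile
+ reachablesSlicesFile: options.reachablesSlicesFile,
+ includeCrypto: options.includeCrypto
  };
  const dbObjMap = await evinserModule.prepareDB(evinseOptions);
  if (dbObjMap) {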
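Review bot: The `default:` branch of the new lifecycle switch assigns `options.installDeps = true` unconditionally, so an explicit `--no-install-deps` (still advertised in the option's description) is overwritten now that the option no longer carries `default: true`; write `options.installDeps = options.installDeps ?? true;` so only a missing value falls back, and consider the same for the `post-build` branch unless forcing installs there is intended. The `post-build` error text names only android and dotnet although the allowed list also admits container, docker, podman and oci; one of the two should be aligned with the other, and emitting it via `console.error` rather than `console.log` keeps stdout clean before `process.exit(1)`. The JSDoc added for applyAdvancedOptions lacks the parameter name: `@param {object} options CLI options`. applyAdvancedOptions begins in an earlier hunk of this file; only its lifecycle switch and return are in the hunk reviewed here.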
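--- a/package/binary.js
+++ b/package/binary.js
@@ -8,7 +8,7 @@ import {
  readFileSync,
  rmSync
  } from "node:fs";
- import { basename, dirname, join } from "node:path";
+ import { basename, dirname, join, resolve } from "node:path";
  import { spawnSync } from "node:child_process";
  import { PackageURL } from "packageurl-js";
  import { DEBUG_MODE, TIMEOUT_MS, findLicenseId } from "./utils.js";
@@ -198,6 +198,9 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "dosai"))) {
  DOSAI_BIN = process.env.DOSAI_CMD;
  }
 
+ // Blint bin
+ const BLINT_BIN = process.env.BLINT_CMD || "blint";
+
  // Keep this list updated every year
  const OS_DISTRO_ALIAS = {
  "ubuntu-4.10": "warty",
@@ -264,7 +267,7 @@ const OS_DISTRO_ALIAS = {
  "debian-1.1": "buzz"
  };
 
- export const getGoBuildInfo = (src) => {
+ export function getGoBuildInfo(src) {
  if (GOVERSION_BIN) {
  let result = spawnSync(GOVERSION_BIN, [src], {
  encoding: "utf-8"
@@ -294,9 +297,9 @@ export const getGoBuildInfo = (src) => {
  }
  }
  return undefined;
- };
+ }
 
- export const getCargoAuditableInfo = (src) => {
+ export function getCargoAuditableInfo(src) {
  if (CARGO_AUDITABLE_BIN) {
  const result = spawnSync(CARGO_AUDITABLE_BIN, [src], {
  encoding: "utf-8"
@@ -315,9 +318,9 @@ export const getCargoAuditableInfo = (src) => {
  }
  }
  return undefined;
- };
+ }
 
- export const getOSPackages = (src) => {
+ export function getOSPackages(src) {
  const pkgList = [];
  const dependenciesList = [];
  const allTypes = new Set();
@@ -652,7 +655,7 @@ export const getOSPackages = (src) => {
  dependenciesList,
  allTypes: Array.from(allTypes)
  };
- };
+ }
 
  const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
  try {
@@ -685,7 +688,7 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
  return undefined;
  };
 
- export const executeOsQuery = (query) => {
+ export function executeOsQuery(query) {
  if (OSQUERY_BIN) {
  if (!query.endsWith(";")) {
  query = query + ";";
@@ -733,16 +736,16 @@ export const executeOsQuery = (query) => {
  }
  }
  return undefined;
- };
+ }
 
  /**
  * Method to execute dosai to create slices for dotnet
  *
- * @param {string} src
- * @param {string} slicesFile
+ * @param {string} src Source Path
+ * @param {string} slicesFile Slices file name
  * @returns boolean
  */
- export const getDotnetSlices = (src, slicesFile) => {
+ export function getDotnetSlices(src, slicesFile) {
  if (!DOSAI_BIN) {
  return false;
  }
@@ -766,4 +769,42 @@ export const getDotnetSlices = (src, slicesFile) => {
  return false;
  }
  return true;
- };
+ }
+
+ /**
+ * Method to generate binary SBOM using blint
+ *
+ * @param {string} src Path to binary or its directory
+ * @param {string} binaryBomFile Path to binary
+ * @param {boolean} deepMode Deep mode flag
+ *
+ * @return {boolean} Result of the generation
+ */
+ export function getBinaryBom(src, binaryBomFile, deepMode) {
+ if (!BLINT_BIN) {
+ return false;
+ }
+ const args = ["sbom", "-i", resolve(src), "-o", binaryBomFile];
+ if (deepMode) {
+ args.push("--deep");
+ }
+ if (DEBUG_MODE) {
+ console.log("Executing", BLINT_BIN, args.join(" "));
+ }
+ const result = spawnSync(BLINT_BIN, args, {
+ encoding: "utf-8",
+ timeout: TIMEOUT_MS,
+ cwd: src
+ });
+ if (result.status !== 0 || result.error) {
+ if (result.stderr) {
+ console.error(result.stdout, result.stderr);
+ } else {
+ console.log(
+ "Install blint using 'pip install blint' or use the cdxgen container image."
+ );
+ }
+ return false;
+ }
+ return true;
+ }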
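Review bot: getBinaryBom passes `cwd: src` to spawnSync although its own JSDoc says src may be the path to a binary rather than a directory; a file as cwd makes the spawn fail (surfaced through `result.error` with an empty stderr), and the fallback message would then wrongly tell the user to install blint. Since `-i` already receives `resolve(src)`, either drop `cwd` or derive a directory, e.g. `cwd: statSync(src).isDirectory() ? src : dirname(src)` (statSync would need adding to the node:fs import whose tail is visible at the top of this file). The guard `if (!BLINT_BIN)` can never trigger because BLINT_BIN falls back to the literal `"blint"`, so a missing tool is only detected via the spawn error; checking `result.error?.code === "ENOENT"` before printing the install hint would make that path explicit. The JSDoc for `binaryBomFile` reads "Path to binary" but the argument is the output location: `@param {string} binaryBomFile Path to the output SBOM file`, and `@return` should be `@returns` to match getDotnetSlices above.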
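--- a/package/display.js
+++ b/package/display.js
@@ -41,7 +41,7 @@ export const printTable = (bomJson) => {
  stream.write([
  comp.group || "",
  comp.name,
- `\x1b[1;35m${comp.version}\x1b[0m`,
+ `\x1b[1;35m${comp.version || ""}\x1b[0m`,
  comp.scope || ""
  ]);
  }
@@ -129,7 +129,7 @@ export const printOccurrences = (bomJson) => {
  data.push([
  comp.group || "",
  comp.name,
- comp.version,
+ comp.version || "",
  comp.evidence.occurrences
  .map((l) => l.location)
  .sort(locationComparator)
@@ -178,7 +178,7 @@ export const printCallStack = (bomJson) => {
  data.push([
  comp.group || "",
  comp.name,
- comp.version,
+ comp.version || "",
  frameDisplay.join("\n")
  ]);
  }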
package/evinser.js CHANGED
@@ -229,21 +229,26 @@ export const createSlice = (
229
229
  }
230
230
  const atomFile = path.join(sliceOutputDir, "app.atom");
231
231
  const slicesFile = path.join(sliceOutputDir, `${sliceType}.slices.json`);
232
- const args = [
233
- sliceType,
232
+ let args = [sliceType];
233
+ // Support for crypto slices aka CBOM
234
+ if (sliceType === "reachables" && options.includeCrypto) {
235
+ args.push("--include-crypto");
236
+ }
237
+ args = args.concat([
234
238
  "-l",
235
239
  language,
236
240
  "-o",
237
241
  path.resolve(atomFile),
238
242
  "--slice-outfile",
239
243
  path.resolve(slicesFile)
240
- ];
244
+ ]);
241
245
  // For projects with several layers, slice depth needs to be increased from the default 7 to 15 or 20
242
246
  // This would increase the time but would yield more deeper paths
243
- if (sliceType == "data-flow" && process.env.ATOM_SLICE_DEPTH) {
247
+ if (sliceType === "data-flow" && process.env.ATOM_SLICE_DEPTH) {
244
248
  args.push("--slice-depth");
245
249
  args.push(process.env.ATOM_SLICE_DEPTH);
246
250
  }
251
+
247
252
  args.push(path.resolve(filePath));
248
253
  const result = executeAtom(filePath, args);
249
254
  if (!result || !fs.existsSync(slicesFile)) {