@cyclonedx/cdxgen 10.4.2 → 10.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -5
- package/analyzer.js +1 -1
- package/bin/cdxgen.js +4 -1
- package/binary.js +2 -2
- package/index.js +6 -22
- package/package.json +8 -10
- package/utils.test.js +3 -3
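--- a/package/README.md
+++ b/package/README.md
@@ -80,7 +80,7 @@ For node.js projects, lock files are parsed initially, so the SBOM would include
 
 This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
 
-
+With the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
 
 For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 
@@ -98,18 +98,18 @@ If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](ht
 $ brew install cdxgen
 ```
 
-Deno
+Deno and bun runtime can be used with limited support.
 
 ```shell
 deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
 ```
 
-You can also use the cdxgen container image
+You can also use the cdxgen container image with node, deno, or bun runtime versions.
+
+The default version uses Node.js 20
 
 ```bash
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
-
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:v8.6.0 -r /app -o /app/bom.json
 ```
 
 To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
@@ -118,6 +118,12 @@ To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
 ```
 
+For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.
+
+```bash
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
+```
+
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as library](#integration-as-library)
 
 ```ts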
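--- a/package/analyzer.js
+++ b/package/analyzer.js
@@ -26,7 +26,6 @@ const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
 "codemods",
 "flow-typed",
 "i18n",
-"__tests__",
 ];
 
 const IGNORE_FILE_PATTERN = new RegExp(
@@ -54,6 +53,7 @@ const getAllFiles = (deep, dir, extn, files, result, regex) => {
 const dirName = basename(file);
 if (
 dirName.startsWith(".") ||
+dirName.startsWith("__") ||
 IGNORE_DIRS.includes(dirName.toLowerCase())
 ) {
 continue;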
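Review bot: The new `dirName.startsWith("__")` guard in getAllFiles (second hunk) excludes every directory whose name begins with two underscores, which is considerably broader than the `__tests__` entry the first hunk removes from IGNORE_DIRS, so any `__`-prefixed directory that holds real sources or manifests is now silently left out of the SBOM. Because IGNORE_DIRS is seeded from ASTGEN_IGNORE_DIRS (per the first hunk header), the previous exclusion appears to have been configurable while the prefix check is not. If the intent is only `__tests__`, `__mocks__` and similar, a comment should say so: `// skip dunder-style dirs (__tests__, __mocks__, ...) regardless of IGNORE_DIRS`. getAllFiles starts and ends outside the hunk.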
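--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -371,10 +371,13 @@ const applyAdvancedOptions = (options) => {
 "aab",
 "go",
 "golang",
+"rust",
+"rust-lang",
+"cargo",
 ].includes(options.projectType)
 ) {
 console.log(
-"PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, and
+"PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, go, and Rust projects. Please specify the type using the -t argument.",
 );
 process.exit(1);
 }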
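Review bot: The project-type allow list and the PREVIEW message describing it are maintained by hand in two places, and this hunk already shows them drifting: the array now accepts `rust`, `rust-lang` and `cargo` while the message only says "Rust", and both have to be re-edited for every ecosystem added. Consider hoisting the array to a module-level constant, `const POST_BUILD_TYPES = [/* ... */ "aab", "go", "golang", "rust", "rust-lang", "cargo"];`, with the comment `// keep in sync with the PREVIEW message in applyAdvancedOptions`, so the check reads `!POST_BUILD_TYPES.includes(options.projectType)`. Whether options.projectType is lower-cased before this exact-match `includes` is not visible here. applyAdvancedOptions and the array's opening bracket both start outside the hunk.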
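--- a/package/binary.js
+++ b/package/binary.js
@@ -71,7 +71,7 @@ let CDXGEN_PLUGINS_DIR = process.env.CDXGEN_PLUGINS_DIR;
 if (
 !CDXGEN_PLUGINS_DIR &&
 existsSync(join(dirName, "plugins")) &&
-existsSync(join(dirName, "plugins", "
+existsSync(join(dirName, "plugins", "trivy"))
 ) {
 CDXGEN_PLUGINS_DIR = join(dirName, "plugins");
 }
@@ -94,7 +94,7 @@ if (
 "@cyclonedx",
 `cdxgen-plugins-bin${pluginsBinSuffix}`,
 "plugins",
-"
+"trivy",
 ),
 )
 ) {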
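Review bot: Both hunks now use the bare existence of a `trivy` entry under `plugins` as the proof that a complete plugin bundle is installed, and nothing explains why that particular plugin is the sentinel; `existsSync` is also satisfied by a directory, an empty file or a dangling placeholder, so a partial or tampered install would still pass and, presumably, be adopted as CDXGEN_PLUGINS_DIR. A one-line comment above the first check, `// "trivy" is used as a sentinel for a complete cdxgen-plugins-bin install`, would make the choice reviewable, and `statSync(...).isFile()` would be a tighter test if the plugin is expected to be a regular file. The second hunk (`@@ -94`) makes the same change for the npm-installed plugins path. Both enclosing `if` statements start outside their hunks.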
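--- a/package/index.js
+++ b/package/index.js
@@ -1030,13 +1030,12 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
 components,
 dependencies,
 };
-const formulationData =
-const formulation =
+const formulationData =
 options.includeFormulation && options.specVersion >= 1.5
-?
+? addFormulationSection(options)
 : undefined;
-if (
-jsonTpl.formulation = formulation;
+if (formulationData) {
+jsonTpl.formulation = formulationData.formulation;
 }
 bomNSData.bomJson = jsonTpl;
 bomNSData.nsMapping = nsMapping;
@@ -3017,23 +3016,8 @@ export async function createRustBom(path, options) {
 } catch (err) {
 maybeBinary = false;
 }
-if (maybeBinary) {
-
-const dlist = await parseCargoAuditableData(cargoData);
-if (dlist?.length) {
-pkgList = pkgList.concat(dlist);
-}
-// Since this pkg list is derived from the binary mark them as used.
-const allImports = {};
-for (const mpkg of pkgList) {
-const pkgFullName = `${mpkg.group}/${mpkg.name}`;
-allImports[pkgFullName] = true;
-}
-return buildBomNSData(options, pkgList, "cargo", {
-allImports,
-src: path,
-filename: path,
-});
+if (maybeBinary || options.lifecycle === "post-build") {
+return createBinaryBom(path, options);
 }
 let cargoLockFiles = getAllFiles(
 path,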
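Review bot: In the createRustBom hunk the replacement `return createBinaryBom(path, options);` drops the `allImports` bookkeeping that marked every binary-derived package as used before calling buildBomNSData; unless createBinaryBom reproduces that marking (not visible here), the scope of components in a post-build Rust SBOM changes, and the README in this same release tells consumers such as dep-scan to prioritise on that scope. The new `options.lifecycle === "post-build"` condition also routes a non-binary `path` to createBinaryBom when maybeBinary is false, so it is worth confirming that createBinaryBom handles a project directory rather than only a binary. The `cargoData` value read in the try block above the hunk looks unused now that parseCargoAuditableData is gone. createRustBom starts and ends outside the hunk.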
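--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "10.4.
+"version": "10.4.3",
 "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -40,7 +40,6 @@
 "cdx-verify": "bin/verify.js"
 },
 "scripts": {
-"docs": "docsify serve docs",
 "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js postgen.test.js",
 "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
 "lint:check": "biome check *",
@@ -87,13 +86,13 @@
 "optionalDependencies": {
 "@appthreat/atom": "2.0.9",
 "@appthreat/cdx-proto": "1.0.1",
-"@cyclonedx/cdxgen-plugins-bin": "
-"@cyclonedx/cdxgen-plugins-bin-arm64": "
-"@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "
-"@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "
-"@cyclonedx/cdxgen-plugins-bin-ppc64": "
-"@cyclonedx/cdxgen-plugins-bin-windows-amd64": "
-"@cyclonedx/cdxgen-plugins-bin-windows-arm64": "
+"@cyclonedx/cdxgen-plugins-bin": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-arm64": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-ppc64": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-windows-amd64": "1.6.0",
+"@cyclonedx/cdxgen-plugins-bin-windows-arm64": "1.6.0",
 "body-parser": "^1.20.2",
 "compression": "^1.7.4",
 "connect": "^3.7.0",
@@ -104,7 +103,6 @@
 "files": ["*.js", "bin/", "data/", "types/"],
 "devDependencies": {
 "@biomejs/biome": "1.7.0",
-"docsify-cli": "^4.4.4",
 "jest": "^29.7.0",
 "typescript": "^5.4.5"
 }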
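--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -1534,7 +1534,7 @@ test("parse github actions workflow data", () => {
 dep_list = parseGitHubWorkflowData(
 readFileSync("./.github/workflows/repotests.yml", { encoding: "utf-8" }),
 );
-expect(dep_list.length).toEqual(
+expect(dep_list.length).toEqual(10);
 expect(dep_list[0]).toEqual({
 group: "actions",
 name: "checkout",
@@ -2220,8 +2220,8 @@ test("parsePkgLock v3", async () => {
 projectName: "cdxgen",
 });
 deps = parsedList.pkgList;
-expect(deps.length).toEqual(
-expect(parsedList.dependenciesList.length).toEqual(
+expect(deps.length).toEqual(845);
+expect(parsedList.dependenciesList.length).toEqual(845);
 });
 
 test("parseBowerJson", async () => {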