@cyclonedx/cdxgen 10.4.3 → 10.5.0

package/README.md

@@ -1,5 +1,7 @@
 [![JSR](https://img.shields.io/jsr/v/%40cyclonedx/cdxgen)](https://jsr.io/@cyclonedx/cdxgen) [![NPM](https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen)](https://www.npmjs.com/package/@cyclonedx/cdxgen) [![GitHub Releases](https://img.shields.io/github/v/release/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/releases) [![NPM Downloads](https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen)](<(https://www.npmjs.com/package/@cyclonedx/cdxgen)>) [![GitHub License](https://img.shields.io/github/license/cyclonedx/cdxgen)](./LICENSE.md) [![GitHub Contributors](https://img.shields.io/github/contributors/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/graphs/contributors)
 
+[![SWH](https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/)](https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen)
+
 # CycloneDX Generator
 
 ![cdxgen logo](cdxgen.png)
@@ -9,7 +11,7 @@ cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a val
 When used with plugins:
 
 - cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems
-- cdxgen also includes an evinse tool to generate component evidence, CBOM and SaaSBOM for some languages
+- cdxgen also includes an evinse tool to generate component evidence, CBOM, and SaaSBOM for some languages
 
 ## Why cdxgen?
 
@@ -124,7 +126,7 @@ For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
 ```
 
-In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as library](#integration-as-library)
+In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
 import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
@@ -201,6 +203,13 @@ Options:
                                                       [boolean] [default: false]
       --include-crypto         Include crypto libraries found under formulation.
                                                       [boolean] [default: false]
+      --standard               The list of standards which may consist of regula
+                               tions, industry or organizational-specific standa
+                               rds, maturity models, best practices, or any othe
+                               r requirements which can be evaluated against or
+                               attested to.
+  [array] [choices: "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "
+                     pcissc-secure-slc-1.1", "scvs-1.0.0", "ssaf-DRAFT-2023-11"]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]

package/analyzer.js

@@ -26,6 +26,7 @@ const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
       "codemods",
       "flow-typed",
       "i18n",
+      "coverage",
     ];
 
 const IGNORE_FILE_PATTERN = new RegExp(

package/bin/cdxgen.js

@@ -244,11 +244,25 @@ const args = yargs(hideBin(process.argv))
     default: false,
     description: "Include crypto libraries found under formulation.",
   })
+  .option("standard", {
+    description:
+      "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+    choices: [
+      "asvs-4.0.3",
+      "bsimm-v13",
+      "masvs-2.0.0",
+      "nist_ssdf-1.1",
+      "pcissc-secure-slc-1.1",
+      "scvs-1.0.0",
+      "ssaf-DRAFT-2023-11",
+    ],
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
   .array("author")
   .array("exclude")
+  .array("standard")
   .option("auto-compositions", {
     type: "boolean",
     default: true,
@@ -318,7 +332,9 @@ if (process.argv[1].includes("cbom")) {
   options.specVersion = 1.6;
   options.deep = true;
 }
-
+if (options.standard) {
+  options.specVersion = 1.6;
+}
 /**
  * Method to apply advanced options such as profile and lifecycles
  *
@@ -442,7 +458,12 @@ const checkPermissions = (filePath) => {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
   let bomNSData = (await createBom(filePath, options)) || {};
-  if (options.requiredOnly || options["filter"] || options["only"]) {
+  if (
+    options.requiredOnly ||
+    options["filter"] ||
+    options["only"] ||
+    options.standard
+  ) {
     bomNSData = postProcess(bomNSData, options);
   }
   if (
@@ -666,5 +687,11 @@ const checkPermissions = (filePath) => {
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
     printDependencyTree(bomNSData.bomJson);
     printTable(bomNSData.bomJson);
+    // CBOM related print
+    if (options.includeCrypto) {
+      console.log("*** Cryptography BOM ***");
+      printTable(bomNSData.bomJson, ["cryptographic-asset"]);
+      printDependencyTree(bomNSData.bomJson, "provides");
+    }
   }
 })();

package/bin/repl.js

@@ -244,6 +244,32 @@ cdxgenRepl.defineCommand("print", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("cryptos", {
+  help: "print the components of type cryptographic-asset as a table",
+  action() {
+    if (sbom) {
+      printTable(sbom, ["cryptographic-asset"]);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("frameworks", {
+  help: "print the components of type framework as a table",
+  action() {
+    if (sbom) {
+      printTable(sbom, ["framework"]);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("tree", {
   help: "display the dependency tree",
   action() {
@@ -257,6 +283,19 @@ cdxgenRepl.defineCommand("tree", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("provides", {
+  help: "display the provides tree",
+  action() {
+    if (sbom) {
+      printDependencyTree(sbom, "provides");
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("validate", {
   help: "validate the bom using jsonschema",
   action() {

package/binary.js

@@ -245,6 +245,8 @@ const OS_DISTRO_ALIAS = {
   "ubuntu-20.10": "groovy",
   "ubuntu-22.04": "jammy",
   "ubuntu-23.04": "lunar",
+  "ubuntu-23.10": "mantic",
+  "ubuntu-24.04": "noble",
   "debian-14": "forky",
   "debian-14.5": "forky",
   "debian-13": "trixie",

package/data/crypto-oid.json

@@ -1946,5 +1946,37 @@
   "sm2sign_with_": {
     "oid": "1.2.156.10197.1.501",
     "description": "Chinese Cryptography Standardization Technology Committee (CCSTC)"
+  },
+  "PBKDF2": {
+    "oid": "1.2.840.113549.1.5.12",
+    "description": "PBKDF2 key derivation algorithm"
+  },
+  "pbeWithMD2AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.1",
+    "description": "Password Based Encryption Algorithm"
+  },
+  "pbeWithMD5AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.3",
+    "description": "Password Based Encryption Algorithm"
+  },
+  "pbeWithMD2AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.4",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)"
+  },
+  "pbeWithMD5AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.6",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)"
+  },
+  "pbeWithMD5AndXOR": {
+    "oid": "1.2.840.113549.1.5.9",
+    "description": "Password Based Encryption Algorithm. Uses XOR. Uses MD5 to hash a password & salt to get Key and IV."
+  },
+  "pbeWithSHA1AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.10",
+    "description": "Password Based Encryption Algorithm. Uses Data Encryption Standard in Cipher Block Chaining Mode (DES-CBC)"
+  },
+  "pbeWithSHA1AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.11",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)."
   }
 }

package/data/lic-mapping.json

@@ -174,7 +174,8 @@
       "GNU Lesser General Public License",
       "GNU Lesser General Public License Version 2.1",
       "GNU Lesser General Public License Version 2.1, February 1999",
-      "GNU Library or Lesser General Public License (LGPL) V2.1"
+      "GNU Library or Lesser General Public License (LGPL) V2.1",
+      "GNU Library or Lesser General Public License (LGPL)"
     ]
   },
   {
@@ -192,6 +193,7 @@
       "LGPL v3.0",
       "LGPL-3.0",
       "LGPL3.0",
+      "LGPL 3",
       "GNU Lesser General Public License (LGPL), version 3",
       "GNU Lesser General Public License (LGPL), version 3.0",
       "GNU Lesser General Public License v3.0",
@@ -203,9 +205,15 @@
     "names": [
       "GNU Lesser General Public License (LGPL), version 3 or later",
       "GNU Lesser General Public License (LGPL), version 3.0 or later",
-      "GNU Lesser General Public License v3.0 or later"
+      "GNU Lesser General Public License v3.0 or later",
+      "GNU Lesser General Public License v3 or later (LGPLv3+)",
+      "LGPLv3+"
     ]
   },
+  {
+    "exp": "GPL-1.0-only",
+    "names": ["GNU General Public License (GPL)"]
+  },
   {
     "exp": "GPL-2.0-only",
     "names": [
@@ -217,7 +225,8 @@
       "GNU General Public License v2.0",
       "GNU General Public License Version 2",
       "GNU General Public License, version 2",
-      "GNU General Public License as published by the Free Software Foundation; version 2."
+      "GNU General Public License as published by the Free Software Foundation; version 2.",
+      "GNU General Public License v2 (GPLv2)"
     ]
   },
   {
@@ -251,7 +260,8 @@
       "GNU General Public License v3.0",
       "GNU General Public License as published by the Free Software Foundation, version 3.",
       "GPL-3",
-      "GPL-3.0"
+      "GPL-3.0",
+      "GNU GPL 3"
     ]
   },
   {

package/data/templates/README.md

@@ -0,0 +1,3 @@
+Content copied from https://github.com/CycloneDX/official-3rd-party-standards available under CC0-1.0
+
+Individual templates use a range of licenses. Refer to the `metadata.licenses` attribute.