@cyclonedx/cdxgen 10.5.2 → 10.6.2

package/README.md

@@ -5,17 +5,23 @@
 [![GitHub License][badge-github-license]][github-license]
 [![GitHub Contributors][badge-github-contributors]][github-contributors]
 [![SWH][badge-swh]][swh-cdxgen]
+[![Libraries.io dependency status][badge-libraries]][librariesio]
+
 
 # CycloneDX Generator (cdxgen)
 
 ![cdxgen logo](./docs/_media/cdxgen.png)
 
-cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies for C/C++, Node.js, PHP, Python, Ruby, Rust, Java, .Net, Dart, Haskell, Elixir, and Go projects in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
+cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
 
-When used with plugins:
+Supported BOM formats:
 
-- cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems
-- cdxgen also includes an evinse tool to generate component evidence, CBOM, and SaaSBOM for some languages
+- Software (SBOM) - For many languages and container images.
+- Cryptography (CBOM) - For Java and Python projects.
+- Operations (OBOM) - For Linux container images and VMs running Linux or Windows operating systems.
+- Software-as-a-Service (SaaSBOM) - For Java, Python, JavaScript, TypeScript, and PHP projects.
+- Attestations (CDXA) - Generate SBOM with templates for multiple standards. Sign the BOM document at a granular level to improve authenticity.
+- Vulnerability Disclosure Report (VDR) - Use cdxgen with [OWASP depscan](https://github.com/owasp-dep-scan/dep-scan) to automate the generation of VDR at scale.
 
 ## Why cdxgen?
 
@@ -23,11 +29,19 @@ Most SBOM tools are like simple barcode scanners. For easy applications, they ca
 
 <img src="./docs/_media/why-cdxgen.jpg" alt="why cdxgen" width="256">
 
+Our philosophy:
+
+- Explainability: Don't list, but explain with evidence.
+- Precision: Try using multiple techniques to improve precision, even if it takes extra time.
+- Personas: Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.
+- Lifecycle: Support BOM generation for various product lifecycles.
+
 ## Documentation
 
-Please visit our [documentation site][docs-homepage] for detailed usage, tutorials and support documentation.
+Please visit our [documentation site][docs-homepage] for detailed usage, tutorials, and support documentation.
 
 Sections include:
+
 - [Getting Started][docs-homepage]
 - [CLI Usage][docs-cli]
 - [Server Usage][docs-server]
@@ -37,7 +51,6 @@ Sections include:
 - [Permissions][docs-permissions]
 - [Support (Enterprise & Community)][docs-support]
 
-
 ### Automatic usage detection
 
 For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
@@ -472,8 +485,6 @@ Use the [CycloneDX CLI][cyclonedx-cli-github] tool for advanced use cases such a
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE][github-license] file for the full license.
 
-
-
 ## Integration as library
 
 cdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js >= 20
@@ -498,30 +509,33 @@ const dbody = await submitBom(args, bomNSData.bomJson);
 
 Please check out our [contribute to CycloneDX/cdxgen documentation][github-contribute] if you are interested in helping.
 
-
 Before raising a PR, please run the following commands.
 
 ```bash
+corepack enable
+corepack pnpm install
 # Generate types using jsdoc syntax
-npm run gen-types
+corepack pnpm run gen-types
 # Run biomejs formatter and linter with auto fix
-npm run lint
+corepack pnpm run lint
 # Run jest tests
-npm test
+corepack pnpm test
 ```
 
-
 <!-- LINK LABELS -->
 <!-- Badges -->
+
 [badge-github-contributors]: https://img.shields.io/github/contributors/cyclonedx/cdxgen
 [badge-github-license]: https://img.shields.io/github/license/cyclonedx/cdxgen
 [badge-github-releases]: https://img.shields.io/github/v/release/cyclonedx/cdxgen
 [badge-jsr]: https://img.shields.io/jsr/v/%40cyclonedx/cdxgen
+[badge-libraries]: https://img.shields.io/librariesio/github/cyclonedx/cdxgen
 [badge-npm]: https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen
 [badge-npm-downloads]: https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen
 [badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/
 
 <!-- cdxgen github project -->
+
 [github-contribute]: https://github.com/CycloneDX/cdxgen/contribute
 [github-contributors]: https://github.com/CycloneDX/cdxgen/graphs/contributors
 [github-issues]: https://github.com/CycloneDX/cdxgen/issues
@@ -529,6 +543,7 @@ npm test
 [github-releases]: https://github.com/CycloneDX/cdxgen/releases
 
 <!-- cdxgen documentation site -->
+
 [docs-homepage]: https://cyclonedx.github.io/cdxgen
 [docs-advanced-usage]: https://cyclonedx.github.io/cdxgen/#/ADVANCED
 [docs-cli]: https://cyclonedx.github.io/cdxgen/#/CLI
@@ -539,6 +554,7 @@ npm test
 [docs-support]: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES
 
 <!-- web links-->
+
 [appthreat-homepage]: https://www.appthreat.com
 [cyclonedx-homepage]: https://cyclonedx.org
 [cyclonedx-cli-github]: https://github.com/CycloneDX/cyclonedx-cli
@@ -549,7 +565,8 @@ npm test
 [jsr-cdxgen]: https://jsr.io/@cyclonedx/cdxgen
 [jwt-homepage]: https://jwt.io
 [jwt-libraries]: https://jwt.io/libraries
+[librariesio]: https://libraries.io/npm/@cyclonedx%2Fcdxgen
 [npmjs-cdxgen]: https://www.npmjs.com/package/@cyclonedx/cdxgen
 [podman-github-rootless]: https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md
 [podman-github-remote]: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md
-[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen
+[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen

package/analyzer.js

@@ -292,7 +292,7 @@ export const findJSImportsExports = async (src, deep) => {
   const errFiles = [];
   try {
     const promiseMap = await getAllSrcJSAndTSFiles(src, deep);
-    const srcFiles = promiseMap.flatMap((d) => d);
+    const srcFiles = promiseMap.flat();
     for (const file of srcFiles) {
       try {
         parseFileASTTree(src, file, allImports, allExports);

package/bin/cdxgen.js

@@ -16,6 +16,7 @@ import {
   printOccurrences,
   printReachables,
   printServices,
+  printSponsorBanner,
   printTable,
 } from "../display.js";
 import { createBom, submitBom } from "../index.js";
@@ -258,6 +259,12 @@ const args = yargs(hideBin(process.argv))
       "ssaf-DRAFT-2023-11",
     ],
   })
+  .option("no-banner", {
+    type: "boolean",
+    default: false,
+    description:
+      "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
@@ -446,6 +453,8 @@ const checkPermissions = (filePath) => {
  * Method to start the bom creation process
  */
 (async () => {
+  // Display the sponsor banner
+  printSponsorBanner(options);
   // Start SBOM server
   if (options.server) {
     const serverModule = await import("../server.js");
@@ -675,8 +684,7 @@ const checkPermissions = (filePath) => {
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
     try {
-      const dbody = await submitBom(options, bomNSData.bomJson);
-      console.log("Response from server", dbody);
+      await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
     }

package/display.js

@@ -368,3 +368,25 @@ export function printVulnerabilities(vulnerabilities) {
   }
   console.log(`${vulnerabilities.length} vulnerabilities found.`);
 }
+
+export function printSponsorBanner(options) {
+  if (
+    process?.env?.CI &&
+    !options.noBanner &&
+    !process.env?.GITHUB_REPOSITORY?.toLowerCase().startsWith("cyclonedx")
+  ) {
+    const config = {
+      header: {
+        alignment: "center",
+        content: "\u00A4 Donate to the OWASP Foundation",
+      },
+    };
+    let message =
+      "OWASP foundation relies on donations to fund our projects.\nDonation link: https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX";
+    if (options.serverUrl && options.apiKey) {
+      message = `${message}\nDependency Track: https://owasp.org/donate/?reponame=www-project-dependency-track&title=OWASP+Dependency-Track`;
+    }
+    const data = [[message]];
+    console.log(table(data, config));
+  }
+}