@cyclonedx/cdxgen 10.6.1 → 10.7.0

package/README.md

@@ -5,6 +5,8 @@
 [![GitHub License][badge-github-license]][github-license]
 [![GitHub Contributors][badge-github-contributors]][github-contributors]
 [![SWH][badge-swh]][swh-cdxgen]
+[![Libraries.io dependency status][badge-libraries]][librariesio]
+
 
 # CycloneDX Generator (cdxgen)
 
@@ -510,14 +512,14 @@ Please check out our [contribute to CycloneDX/cdxgen documentation][github-contr
 Before raising a PR, please run the following commands.
 
 ```bash
-corepack enable
-corepack pnpm install
+corepack enable pnpm
+pnpm install
 # Generate types using jsdoc syntax
-corepack pnpm run gen-types
+pnpm run gen-types
 # Run biomejs formatter and linter with auto fix
-corepack pnpm run lint
+pnpm run lint
 # Run jest tests
-corepack pnpm test
+pnpm test
 ```
 
 <!-- LINK LABELS -->
@@ -527,6 +529,7 @@ corepack pnpm test
 [badge-github-license]: https://img.shields.io/github/license/cyclonedx/cdxgen
 [badge-github-releases]: https://img.shields.io/github/v/release/cyclonedx/cdxgen
 [badge-jsr]: https://img.shields.io/jsr/v/%40cyclonedx/cdxgen
+[badge-libraries]: https://img.shields.io/librariesio/github/cyclonedx/cdxgen
 [badge-npm]: https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen
 [badge-npm-downloads]: https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen
 [badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/
@@ -562,6 +565,7 @@ corepack pnpm test
 [jsr-cdxgen]: https://jsr.io/@cyclonedx/cdxgen
 [jwt-homepage]: https://jwt.io
 [jwt-libraries]: https://jwt.io/libraries
+[librariesio]: https://libraries.io/npm/@cyclonedx%2Fcdxgen
 [npmjs-cdxgen]: https://www.npmjs.com/package/@cyclonedx/cdxgen
 [podman-github-rootless]: https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md
 [podman-github-remote]: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md

package/analyzer.js

@@ -31,7 +31,7 @@ const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
 
 const IGNORE_FILE_PATTERN = new RegExp(
   process.env.ASTGEN_IGNORE_FILE_PATTERN ||
-    "(conf|config|test|spec|mock|\\.d)\\.(js|ts|tsx)$",
+    "(conf|config|test|spec|mock|setup-jest|\\.d)\\.(js|ts|tsx)$",
   "i",
 );
 

package/bin/cdxgen.js

@@ -16,6 +16,7 @@ import {
   printOccurrences,
   printReachables,
   printServices,
+  printSponsorBanner,
   printTable,
 } from "../display.js";
 import { createBom, submitBom } from "../index.js";
@@ -258,6 +259,12 @@ const args = yargs(hideBin(process.argv))
       "ssaf-DRAFT-2023-11",
     ],
   })
+  .option("no-banner", {
+    type: "boolean",
+    default: false,
+    description:
+      "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
@@ -336,6 +343,10 @@ if (process.argv[1].includes("cbom")) {
 }
 if (options.standard) {
   options.specVersion = 1.6;
+  options.includeFormulation = true;
+}
+if (options.deep && options.specVersion >= 1.5) {
+  options.includeFormulation = true;
 }
 /**
  * Method to apply advanced options such as profile and lifecycles
@@ -446,6 +457,8 @@ const checkPermissions = (filePath) => {
  * Method to start the bom creation process
  */
 (async () => {
+  // Display the sponsor banner
+  printSponsorBanner(options);
   // Start SBOM server
   if (options.server) {
     const serverModule = await import("../server.js");
@@ -675,8 +688,7 @@ const checkPermissions = (filePath) => {
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
     try {
-      const dbody = await submitBom(options, bomNSData.bomJson);
-      console.log("Response from server", dbody);
+      await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
     }

package/bin/repl.js

@@ -154,15 +154,31 @@ cdxgenRepl.defineCommand("search", {
     if (sbom) {
       if (searchStr) {
         try {
+          const originalSearchString = searchStr;
+          let dependenciesSearchStr = searchStr;
           if (!searchStr.includes("~>")) {
+            dependenciesSearchStr = `dependencies[ref ~> /${searchStr}/i or dependsOn ~> /${searchStr}/i or provides ~> /${searchStr}/i]`;
             searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i]`;
           }
           const expression = jsonata(searchStr);
           const components = await expression.evaluate(sbom);
+          const dexpression = jsonata(dependenciesSearchStr);
+          const dependencies = await dexpression.evaluate(sbom);
           if (!components) {
             console.log("No results found!");
           } else {
-            printTable({ components, dependencies: [] });
+            printTable(
+              { components, dependencies },
+              undefined,
+              originalSearchString,
+            );
+            if (dependencies?.length) {
+              printDependencyTree(
+                { components, dependencies },
+                "dependsOn",
+                originalSearchString,
+              );
+            }
           }
         } catch (e) {
           console.log(e);

package/data/lic-mapping.json

@@ -38,7 +38,8 @@
       "BSD License",
       "BSD-like",
       "new BSD License",
-      "new BSD"
+      "new BSD",
+      "BSD, Public Domain"
     ]
   },
   {
@@ -197,7 +198,9 @@
       "GNU Lesser General Public License (LGPL), version 3",
       "GNU Lesser General Public License (LGPL), version 3.0",
       "GNU Lesser General Public License v3.0",
-      "GNU Lesser General Public License (LGPL), Version 3"
+      "GNU Lesser General Public License (LGPL), Version 3",
+      "GNU Lesser General Public License v3 (LGPLv3)",
+      "LGPL v3"
     ]
   },
   {

package/display.js

@@ -11,8 +11,17 @@ const SYMBOLS_ANSI = {
 };
 
 const MAX_TREE_DEPTH = 6;
-
-export const printTable = (bomJson, filterTypes = undefined) => {
+const highlightStr = (s, highlight) => {
+  if (highlight && s && s.includes(highlight)) {
+    s = s.replaceAll(highlight, `\x1b[1;33m${highlight}\x1b[0m`);
+  }
+  return s;
+};
+export const printTable = (
+  bomJson,
+  filterTypes = undefined,
+  highlight = undefined,
+) => {
   if (!bomJson || !bomJson.components) {
     return;
   }
@@ -56,8 +65,8 @@ export const printTable = (bomJson, filterTypes = undefined) => {
       ]);
     } else {
       stream.write([
-        comp.group || "",
-        comp.name,
+        highlightStr(comp.group || "", highlight),
+        highlightStr(comp.name, highlight),
         `\x1b[1;35m${comp.version || ""}\x1b[0m`,
         comp.scope || "",
       ]);
@@ -67,9 +76,9 @@ export const printTable = (bomJson, filterTypes = undefined) => {
   if (!filterTypes) {
     console.log(
       "BOM includes",
-      bomJson.components.length,
+      bomJson?.components?.length || 0,
       "components and",
-      bomJson.dependencies.length,
+      bomJson?.dependencies?.length || 0,
       "dependencies",
     );
   } else {
@@ -215,7 +224,11 @@ export const printCallStack = (bomJson) => {
     console.log(table(data, config));
   }
 };
-export const printDependencyTree = (bomJson, mode = "dependsOn") => {
+export const printDependencyTree = (
+  bomJson,
+  mode = "dependsOn",
+  highlight = undefined,
+) => {
   const dependencies = bomJson.dependencies || [];
   if (!dependencies.length) {
     return;
@@ -244,9 +257,11 @@ export const printDependencyTree = (bomJson, mode = "dependsOn") => {
         content: `${treeType} Tree\nGenerated with \u2665  by cdxgen`,
       },
     };
-    console.log(table([[treeGraphics.join("\n")]], config));
+    console.log(
+      table([[highlightStr(treeGraphics.join("\n"), highlight)]], config),
+    );
   } else {
-    console.log(treeGraphics.join("\n"));
+    console.log(highlightStr(treeGraphics.join("\n"), highlight));
   }
 };
 
@@ -368,3 +383,25 @@ export function printVulnerabilities(vulnerabilities) {
   }
   console.log(`${vulnerabilities.length} vulnerabilities found.`);
 }
+
+export function printSponsorBanner(options) {
+  if (
+    process?.env?.CI &&
+    !options.noBanner &&
+    !process.env?.GITHUB_REPOSITORY?.toLowerCase().startsWith("cyclonedx")
+  ) {
+    const config = {
+      header: {
+        alignment: "center",
+        content: "\u00A4 Donate to the OWASP Foundation",
+      },
+    };
+    let message =
+      "OWASP foundation relies on donations to fund our projects.\nDonation link: https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX";
+    if (options.serverUrl && options.apiKey) {
+      message = `${message}\nDependency Track: https://owasp.org/donate/?reponame=www-project-dependency-track&title=OWASP+Dependency-Track`;
+    }
+    const data = [[message]];
+    console.log(table(data, config));
+  }
+}

package/index.js

@@ -36,6 +36,7 @@ import {
   LEIN_CMD,
   MAX_BUFFER,
   PREFER_MAVEN_DEPS_TREE,
+  PYTHON_EXCLUDED_COMPONENTS,
   SWIFT_CMD,
   TIMEOUT_MS,
   addEvidenceForDotnet,
@@ -381,9 +382,10 @@ const addLifecyclesSection = (options) => {
  * Method to generate the formulation section based on git metadata
  *
  * @param {Object} options
+ * @param {Object} context Context
  * @returns {Array} formulation array
  */
-const addFormulationSection = (options) => {
+const addFormulationSection = (options, context) => {
   const formulation = [];
   const provides = [];
   const gitBranch = getBranch();
@@ -393,6 +395,12 @@ const addFormulationSection = (options) => {
   let parentOmniborId;
   let treeOmniborId;
   let components = [];
+  const aformulation = {};
+  // Reuse any existing formulation components
+  // See: PR #1172
+  if (context?.formulationList?.length) {
+    components = components.concat(trimComponents(context.formulationList));
+  }
   if (options.specVersion >= 1.6 && Object.keys(treeHashes).length === 2) {
     parentOmniborId = `gitoid:blob:sha1:${treeHashes.parent}`;
     treeOmniborId = `gitoid:blob:sha1:${treeHashes.tree}`;
@@ -417,8 +425,8 @@ const addFormulationSection = (options) => {
       provides: [treeOmniborId],
     });
   }
+  // Collect git related components
   if (gitBranch && originUrl && gitFiles) {
-    const aformulation = {};
     const gitFileComponents = gitFiles.map((f) =>
       options.specVersion >= 1.6
         ? {
@@ -442,57 +450,65 @@ const addFormulationSection = (options) => {
         provides: gitFiles.map((f) => f.ref),
       });
     }
-    // Collect build environment details
-    const infoComponents = collectEnvInfo(options.path);
-    if (infoComponents?.length) {
-      components = components.concat(infoComponents);
-    }
-    // Should we include the OS crypto libraries
-    if (options.includeCrypto) {
-      const cryptoLibs = collectOSCryptoLibs(options);
-      if (cryptoLibs?.length) {
-        components = components.concat(cryptoLibs);
-      }
-    }
-    aformulation["bom-ref"] = uuidv4();
-    aformulation.components = components;
-    let environmentVars = [{ name: "GIT_BRANCH", value: gitBranch }];
-    for (const aevar of Object.keys(process.env)) {
-      if (
-        (aevar.startsWith("GIT") ||
-          aevar.startsWith("CI_") ||
-          aevar.startsWith("CARGO") ||
-          aevar.startsWith("RUST")) &&
-        !aevar.toLowerCase().includes("key") &&
-        !aevar.toLowerCase().includes("token") &&
-        !aevar.toLowerCase().includes("pass") &&
-        process.env[aevar] &&
-        process.env[aevar].length
-      ) {
-        environmentVars.push({
-          name: aevar,
-          value: process.env[aevar],
-        });
-      }
+  }
+  // Collect build environment details
+  const infoComponents = collectEnvInfo(options.path);
+  if (infoComponents?.length) {
+    components = components.concat(infoComponents);
+  }
+  // Should we include the OS crypto libraries
+  if (options.includeCrypto) {
+    const cryptoLibs = collectOSCryptoLibs(options);
+    if (cryptoLibs?.length) {
+      components = components.concat(cryptoLibs);
     }
-    if (!environmentVars.length) {
-      environmentVars = undefined;
+  }
+  aformulation["bom-ref"] = uuidv4();
+  aformulation.components = components;
+  let environmentVars = gitBranch?.length
+    ? [{ name: "GIT_BRANCH", value: gitBranch }]
+    : [];
+  for (const aevar of Object.keys(process.env)) {
+    if (
+      (aevar.startsWith("GIT") ||
+        aevar.startsWith("CI_") ||
+        aevar.startsWith("ANDROID") ||
+        aevar.startsWith("DENO") ||
+        aevar.startsWith("DOTNET") ||
+        aevar.startsWith("JAVA_") ||
+        aevar.startsWith("SDKMAN") ||
+        aevar.startsWith("CARGO") ||
+        aevar.startsWith("CONDA") ||
+        aevar.startsWith("RUST")) &&
+      !aevar.toLowerCase().includes("key") &&
+      !aevar.toLowerCase().includes("token") &&
+      !aevar.toLowerCase().includes("pass") &&
+      !aevar.toLowerCase().includes("secret") &&
+      process.env[aevar] &&
+      process.env[aevar].length
+    ) {
+      environmentVars.push({
+        name: aevar,
+        value: process.env[aevar],
+      });
     }
-    aformulation.workflows = [
-      {
-        "bom-ref": uuidv4(),
-        uid: uuidv4(),
-        inputs: [
-          {
-            source: { ref: originUrl },
-            environmentVars,
-          },
-        ],
-        taskTypes: ["build", "clone"],
-      },
-    ];
-    formulation.push(aformulation);
   }
+  if (!environmentVars.length) {
+    environmentVars = undefined;
+  }
+  const sourceInput = environmentVars ? { environmentVars } : {};
+  if (originUrl) {
+    sourceInput.source = { ref: originUrl };
+  }
+  aformulation.workflows = [
+    {
+      "bom-ref": uuidv4(),
+      uid: uuidv4(),
+      inputs: [sourceInput],
+      taskTypes: originUrl ? ["build", "clone"] : ["build"],
+    },
+  ];
+  formulation.push(aformulation);
   return { formulation, provides };
 };
 
@@ -782,7 +798,11 @@ function addComponent(
     if (!name) {
       return;
     }
-    if (!ptype && pkg.qualifiers && pkg.qualifiers.type === "jar") {
+    // Do we need this still?
+    if (
+      !ptype &&
+      ["jar", "war", "ear", "pom"].includes(pkg?.qualifiers?.type)
+    ) {
       ptype = "maven";
     }
     const version = pkg.version || "";
@@ -814,7 +834,7 @@ function addComponent(
         impPkgs.includes(`@${group}`)
       ) {
         compScope = "required";
-      } else if (impPkgs.length) {
+      } else if (impPkgs.length && compScope !== "excluded") {
         compScope = "optional";
       }
     }
@@ -1057,7 +1077,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     };
     const formulationData =
       options.includeFormulation && options.specVersion >= 1.5
-        ? addFormulationSection(options)
+        ? addFormulationSection(options, context)
         : undefined;
     if (formulationData) {
       jsonTpl.formulation = formulationData.formulation;
@@ -2643,6 +2663,7 @@ export async function createPythonBom(path, options) {
   let metadataFilename = "";
   let dependencies = [];
   let pkgList = [];
+  let formulationList = [];
   const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   const pipenvMode = existsSync(join(path, "Pipfile"));
@@ -2737,6 +2758,9 @@ export async function createPythonBom(path, options) {
         if (retMap.pkgList?.length) {
           pkgList = pkgList.concat(retMap.pkgList);
         }
+        if (retMap.formulationList?.length) {
+          formulationList = formulationList.concat(retMap.formulationList);
+        }
         if (retMap.dependenciesList) {
           dependencies = mergeDependencies(
             dependencies,
@@ -2761,6 +2785,7 @@ export async function createPythonBom(path, options) {
       filename: poetryFiles.join(", "),
       dependencies,
       parentComponent,
+      formulationList,
     });
   }
   if (metadataFiles?.length) {
@@ -2831,6 +2856,9 @@ export async function createPythonBom(path, options) {
               pkgList = pkgList.concat(pkgMap.pkgList);
               frozen = pkgMap.frozen;
             }
+            if (pkgMap.formulationList?.length) {
+              formulationList = formulationList.concat(pkgMap.formulationList);
+            }
             if (pkgMap.dependenciesList) {
               dependencies = mergeDependencies(
                 dependencies,
@@ -2939,6 +2967,9 @@ export async function createPythonBom(path, options) {
       if (pkgMap.pkgList?.length) {
         pkgList = pkgList.concat(pkgMap.pkgList);
       }
+      if (pkgMap.formulationList?.length) {
+        formulationList = formulationList.concat(pkgMap.formulationList);
+      }
       if (pkgMap.dependenciesList) {
         dependencies = mergeDependencies(
           dependencies,
@@ -2986,6 +3017,7 @@ export async function createPythonBom(path, options) {
     filename: metadataFilename,
     dependencies,
     parentComponent,
+    formulationList,
   });
 }
 
@@ -6305,6 +6337,7 @@ export async function createBom(path, options) {
  *
  * @param {Object} args CLI args
  * @param {Object} bomContents BOM Json
+ * @return {Promise<{ token: string } | { errors: string[] } | undefined>} a promise with a token (if request was successful), a body with errors (if request failed) or undefined (in case of invalid arguments)
  */
 export async function submitBom(args, bomContents) {
   const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
@@ -6388,11 +6421,11 @@ export async function submitBom(args, bomContents) {
         console.log(
           "Unable to submit the SBOM to the Dependency-Track server using POST method",
         );
-        console.log(error);
       }
     } else {
       console.log("Unable to submit the SBOM to the Dependency-Track server");
-      console.log(error);
     }
+    console.log(error.response?.body);
+    return error.response?.body;
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.6.1",
+  "version": "10.7.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -58,17 +58,17 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.24.6",
-    "@babel/traverse": "^7.24.6",
-    "@npmcli/arborist": "7.5.2",
-    "ajv": "^8.14.0",
+    "@babel/parser": "^7.24.7",
+    "@babel/traverse": "^7.24.7",
+    "@npmcli/arborist": "7.5.3",
+    "ajv": "^8.16.0",
     "ajv-formats": "^3.0.1",
     "cheerio": "^1.0.0-rc.12",
-    "edn-data": "1.1.1",
+    "edn-data": "1.1.2",
     "find-up": "7.0.0",
     "glob": "^10.4.1",
     "global-agent": "^3.0.0",
-    "got": "14.3.0",
+    "got": "14.4.1",
     "iconv-lite": "^0.6.3",
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
@@ -80,13 +80,13 @@
     "ssri": "^10.0.6",
     "table": "^6.8.2",
     "tar": "^6.2.1",
-    "uuid": "^9.0.1",
+    "uuid": "^10.0.0",
     "xml-js": "^1.6.11",
     "yargs": "^17.7.2",
     "validate-iri": "^1.0.1"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.0.12",
+    "@appthreat/atom": "2.0.13",
     "@appthreat/cdx-proto": "1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "1.6.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "1.6.0",
@@ -109,7 +109,7 @@
     "types/"
   ],
   "devDependencies": {
-    "@biomejs/biome": "1.8.0",
+    "@biomejs/biome": "1.8.1",
     "jest": "^29.7.0",
     "typescript": "^5.4.5"
   },

package/piptree.js

@@ -50,15 +50,16 @@ def get_installed_distributions():
     return [d._dist for d in dists]
 
 
-def find_deps(idx, visited, reqs, traverse_count):
+def find_deps(idx, path, reqs, traverse_count):
     freqs = []
     for r in reqs:
         d = idx.get(r.key)
         if not d:
             continue
         r.project_name = d.project_name if d is not None else r.project_name
-        if len(visited) > 100 or visited.get(r.project_name, 0) > 5:
-            return freqs
+        if r.key in path:
+            continue
+        current_path = path + [r.key]
         specs = sorted(r.specs, reverse=True)
         specs_str = ",".join(["".join(sp) for sp in specs]) if specs else ""
         dreqs = d.requires()
@@ -67,10 +68,9 @@ def find_deps(idx, visited, reqs, traverse_count):
                 "name": r.project_name,
                 "version": importlib_metadata.version(r.key),
                 "versionSpecifiers": specs_str,
-                "dependencies": find_deps(idx, visited, dreqs, traverse_count + 1) if dreqs and traverse_count < 200 else [],
+                "dependencies": find_deps(idx, current_path, dreqs, traverse_count + 1) if dreqs and traverse_count < 200 else [],
             }
         )
-        visited[r.project_name] = visited.get(r.project_name, 0) + 1
     return freqs
 
 
@@ -79,7 +79,6 @@ def main(argv):
     tree = []
     pkgs = get_installed_distributions()
     idx = {p.key: p for p in pkgs}
-    visited = {}
     traverse_count = 0
     for p in pkgs:
         fr = frozen_req_from_dist(p)
@@ -98,7 +97,7 @@ def main(argv):
             {
                 "name": name.split(" ")[0],
                 "version": version,
-                "dependencies": find_deps(idx, visited, p.requires(), traverse_count + 1),
+                "dependencies": find_deps(idx, [p.key], p.requires(), traverse_count + 1),
             }
         )
     all_deps = {}
@@ -117,7 +116,15 @@ if __name__ == "__main__":
 `;
 
 /**
- * Execute the piptree plugin and return the generated tree as json object
+ * Execute the piptree plugin and return the generated tree as json object.
+ * The resulting tree would also include dependencies belonging to pip.
+ * Usage analysis is performed at a later stage to mark many of these packages as optional.
+ *
+ * @param {Object} env Environment variables to use
+ * @param {String} python_cmd Python command to use
+ * @param {String} basePath Current working directory
+ *
+ * @returns {Object} Dependency tree
  */
 export const getTreeWithPlugin = (env, python_cmd, basePath) => {
   let tree = [];

package/server.js

@@ -131,10 +131,11 @@ const start = (options) => {
     if (!filePath) {
       res.writeHead(500, { "Content-Type": "application/json" });
       return res.end(
-        "{'error': 'true', 'message': 'path or url is required.'}\n",
+        JSON.stringify({
+          error: "path or url is required.",
+        }),
       );
     }
-    res.writeHead(200, { "Content-Type": "application/json" });
     let srcDir = filePath;
     if (filePath.startsWith("http") || filePath.startsWith("git")) {
       srcDir = gitClone(filePath, reqOptions.gitBranch);
@@ -145,6 +146,21 @@ const start = (options) => {
     if (reqOptions.requiredOnly || reqOptions["filter"] || reqOptions["only"]) {
       bomNSData = postProcess(bomNSData, reqOptions);
     }
+    if (reqOptions.serverUrl && reqOptions.apiKey) {
+      console.log("Publishing SBOM to Dependency Track");
+      const response = await submitBom(reqOptions, bomNSData.bomJson);
+      const errorMessages = response?.errors;
+      if (errorMessages) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        return res.end(
+          JSON.stringify({
+            error: "Unable to submit the SBOM to the Dependency-Track server",
+            details: errorMessages,
+          }),
+        );
+      }
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
     if (bomNSData.bomJson) {
       if (
         typeof bomNSData.bomJson === "string" ||
@@ -155,10 +171,6 @@ const start = (options) => {
         res.write(JSON.stringify(bomNSData.bomJson, null, null));
       }
     }
-    if (reqOptions.serverUrl && reqOptions.apiKey) {
-      console.log("Publishing SBOM to Dependency Track");
-      submitBom(reqOptions, bomNSData.bomJson);
-    }
     res.end("\n");
     if (cleanup && srcDir && srcDir.startsWith(os.tmpdir()) && fs.rmSync) {
       console.log(`Cleaning up ${srcDir}`);