@cyclonedx/cdxgen 11.2.1 → 11.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/data/component-tags.json +2 -2
- package/lib/cli/index.js +291 -70
- package/lib/helpers/utils.js +193 -9
- package/lib/helpers/validator.js +10 -1
- package/lib/managers/binary.js +160 -19
- package/lib/managers/docker.js +16 -8
- package/lib/stages/postgen/annotator.js +26 -3
- package/lib/stages/postgen/postgen.js +21 -7
- package/lib/stages/pregen/pregen.js +1 -1
- package/package.json +6 -6
- package/types/lib/cli/index.d.ts.map +1 -1
- package/types/lib/helpers/utils.d.ts +26 -0
- package/types/lib/helpers/utils.d.ts.map +1 -1
- package/types/lib/helpers/validator.d.ts.map +1 -1
- package/types/lib/managers/binary.d.ts +9 -8
- package/types/lib/managers/binary.d.ts.map +1 -1
- package/types/lib/managers/docker.d.ts +2 -0
- package/types/lib/managers/docker.d.ts.map +1 -1
- package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
- package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
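--- a/package/data/component-tags.json
+++ b/package/data/component-tags.json
@@ -320,8 +320,8 @@
 {
 "browser": [
 "^(edge)",
-"(firefox|chrome|opera|brave|mullvad|tor|chromium)",
-"(microsoft+edge|microsoft+edge+webview2|microsoft+html)"
+"^(firefox|chrome|opera|brave|mullvad|tor|chromium)",
+"^(microsoft+edge|microsoft+edge+webview2|microsoft+html)"
 ]
 },
 {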
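Review bot: In the new anchored pattern `^(microsoft+edge|microsoft+edge+webview2|microsoft+html)` the `+` is a regex quantifier, so `microsoft+edge` matches "microsoftedge" (one or more `t`) rather than a name containing a literal `+` or a space. If these entries are evaluated as regular expressions — the `^` anchors and `|` alternation added here suggest they are — and the intent is to tag names such as "microsoft+edge", the plus signs need escaping, e.g. `"^(microsoft\\+edge|microsoft\\+edge\\+webview2|microsoft\\+html)"` in JSON. Worth confirming against the matcher that consumes this file before relying on the browser tag.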
package/lib/cli/index.js
CHANGED
|
@@ -628,6 +628,10 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
|
|
|
628
628
|
}
|
|
629
629
|
metadata.component = parentComponent;
|
|
630
630
|
}
|
|
631
|
+
// Have we already captured the oci properties
|
|
632
|
+
if (metadata?.properties?.some((prop) => prop.name === "oci:image:Id")) {
|
|
633
|
+
return metadata;
|
|
634
|
+
}
|
|
631
635
|
if (options) {
|
|
632
636
|
const mproperties = [];
|
|
633
637
|
if (options.exportData) {
|
|
@@ -718,19 +722,137 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
|
|
|
718
722
|
value: lastLayerConfig.created,
|
|
719
723
|
});
|
|
720
724
|
}
|
|
721
|
-
|
|
722
|
-
|
|
723
|
-
|
|
725
|
+
}
|
|
726
|
+
const layerConfig =
|
|
727
|
+
lastLayerConfig?.config || options.exportData?.inspectData;
|
|
728
|
+
if (layerConfig) {
|
|
729
|
+
const env = layerConfig?.config?.Env || layerConfig?.Config?.Env;
|
|
730
|
+
if (env && Array.isArray(env) && env.length) {
|
|
731
|
+
mproperties.push({
|
|
732
|
+
name: "oci:image:lastLayer:Env",
|
|
733
|
+
value: env.join("\\n"),
|
|
734
|
+
});
|
|
735
|
+
// Does the image have any special packages that cdxgen cannot detect such as android-sdk and sdkman
|
|
736
|
+
const evalue = env.join(":");
|
|
737
|
+
if (
|
|
738
|
+
evalue.includes("android-sdk") ||
|
|
739
|
+
evalue.includes("commandlinetools")
|
|
740
|
+
) {
|
|
741
|
+
mproperties.push({
|
|
742
|
+
name: "oci:image:bundles:AndroidSdk",
|
|
743
|
+
value: "true",
|
|
744
|
+
});
|
|
745
|
+
}
|
|
746
|
+
// Track the use of special environment variables that could influence the search paths for libraries
|
|
747
|
+
// This list was generated by repeatedly prompting ChatGPT with examples.
|
|
748
|
+
// FIXME: Move these to a config file
|
|
749
|
+
for (const senvValue of [
|
|
750
|
+
"LD_LIBRARY_PATH",
|
|
751
|
+
"DYLD_LIBRARY_PATH",
|
|
752
|
+
"LD_PRELOAD",
|
|
753
|
+
"PYTHONPATH",
|
|
754
|
+
"CLASSPATH",
|
|
755
|
+
"PERL5LIB",
|
|
756
|
+
"PERLLIB",
|
|
757
|
+
"RUBYLIB",
|
|
758
|
+
"NODE_PATH",
|
|
759
|
+
"LUA_PATH",
|
|
760
|
+
"JULIA_LOAD_PATH",
|
|
761
|
+
"R_LIBS",
|
|
762
|
+
"R_LIBS_USER",
|
|
763
|
+
"GEM_PATH",
|
|
764
|
+
"DOTNET_ROOT",
|
|
765
|
+
"DOTNET_ADDITIONAL_DEPS",
|
|
766
|
+
"DOTNET_SHARED_STORE",
|
|
767
|
+
"DOTNET_STARTUP_HOOKS",
|
|
768
|
+
"DOTNET_BUNDLE_EXTRACT_BASE_DIR",
|
|
769
|
+
"JAVA_OPTIONS",
|
|
770
|
+
"JAVA_TOOL_OPTIONS",
|
|
771
|
+
"NODE_OPTIONS",
|
|
772
|
+
"PYTHONSTARTUP",
|
|
773
|
+
"RUBYOPT",
|
|
774
|
+
"WGETRC",
|
|
775
|
+
"APT_CONFIG",
|
|
776
|
+
"NPM_CONFIG_PREFIX",
|
|
777
|
+
"NPM_CONFIG_REGISTRY",
|
|
778
|
+
"YARN_CACHE_FOLDER",
|
|
779
|
+
"PNPM_STORE_PATH",
|
|
780
|
+
"PNPM_HOME",
|
|
781
|
+
"PNPM_CONFIG_",
|
|
782
|
+
]) {
|
|
783
|
+
if (evalue.includes(senvValue)) {
|
|
784
|
+
mproperties.push({
|
|
785
|
+
name: `oci:image:env:${senvValue}`,
|
|
786
|
+
value: "true",
|
|
787
|
+
});
|
|
788
|
+
}
|
|
789
|
+
}
|
|
790
|
+
// This value represents a filtered and expanded path
|
|
791
|
+
if (options?.binPaths?.length) {
|
|
792
|
+
mproperties.push({
|
|
793
|
+
name: "oci:image:env:PATH",
|
|
794
|
+
value: options.binPaths.join(":"),
|
|
795
|
+
});
|
|
796
|
+
}
|
|
797
|
+
if (evalue.includes(".sdkman")) {
|
|
798
|
+
mproperties.push({
|
|
799
|
+
name: "oci:image:bundles:Sdkman",
|
|
800
|
+
value: "true",
|
|
801
|
+
});
|
|
802
|
+
}
|
|
803
|
+
if (evalue.includes(".nvm")) {
|
|
724
804
|
mproperties.push({
|
|
725
|
-
name: "oci:image:
|
|
726
|
-
value:
|
|
805
|
+
name: "oci:image:bundles:Nvm",
|
|
806
|
+
value: "true",
|
|
727
807
|
});
|
|
728
808
|
}
|
|
729
|
-
|
|
730
|
-
|
|
809
|
+
if (evalue.includes(".rbenv")) {
|
|
810
|
+
mproperties.push({
|
|
811
|
+
name: "oci:image:bundles:Rbenv",
|
|
812
|
+
value: "true",
|
|
813
|
+
});
|
|
814
|
+
}
|
|
815
|
+
}
|
|
816
|
+
const ccmd =
|
|
817
|
+
layerConfig?.config?.Cmd ||
|
|
818
|
+
layerConfig?.Config?.Cmd ||
|
|
819
|
+
layerConfig?.Config?.EntryPoint;
|
|
820
|
+
if (ccmd) {
|
|
821
|
+
if (Array.isArray(ccmd) && ccmd.length) {
|
|
822
|
+
const fullCommand = ccmd.join(" ");
|
|
731
823
|
mproperties.push({
|
|
732
824
|
name: "oci:image:lastLayer:Cmd",
|
|
733
|
-
value:
|
|
825
|
+
value: fullCommand,
|
|
826
|
+
});
|
|
827
|
+
let appLanguage;
|
|
828
|
+
// TODO: Move these lists to a config file.
|
|
829
|
+
for (const lang in [
|
|
830
|
+
"java",
|
|
831
|
+
"node",
|
|
832
|
+
"dotnet",
|
|
833
|
+
"python",
|
|
834
|
+
"python3",
|
|
835
|
+
"ruby",
|
|
836
|
+
"php",
|
|
837
|
+
"php7",
|
|
838
|
+
"php8",
|
|
839
|
+
"perl",
|
|
840
|
+
]) {
|
|
841
|
+
if (fullCommand.includes(`${lang} `)) {
|
|
842
|
+
appLanguage = lang;
|
|
843
|
+
break;
|
|
844
|
+
}
|
|
845
|
+
}
|
|
846
|
+
if (appLanguage) {
|
|
847
|
+
mproperties.push({
|
|
848
|
+
name: "oci:image:appLanguage",
|
|
849
|
+
value: appLanguage,
|
|
850
|
+
});
|
|
851
|
+
}
|
|
852
|
+
} else {
|
|
853
|
+
mproperties.push({
|
|
854
|
+
name: "oci:image:lastLayer:Cmd",
|
|
855
|
+
value: ccmd.toString(),
|
|
734
856
|
});
|
|
735
857
|
}
|
|
736
858
|
}
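Review bot: The language-detection loop is written `for (const lang in [ "java", ... ])`, and `for...in` over an array yields the index strings, so `fullCommand.includes(\`${lang} \`)` tests for `"0 "`, `"1 "`… and `oci:image:appLanguage` would be recorded as an index rather than a runtime name; it should read `for (const lang of [`. The `ccmd` fallback `layerConfig?.Config?.EntryPoint` uses a key that neither the OCI image config nor `docker inspect` emit — both spell it `Entrypoint` — so entrypoint-only images likely never reach the Cmd handling; `layerConfig?.config?.Entrypoint || layerConfig?.Config?.Entrypoint` would match. `evalue.includes(senvValue)` is a substring search over the joined `NAME=VALUE` entries, so a value that merely mentions `LD_PRELOAD`, or the longer `R_LIBS_USER`, also sets `oci:image:env:R_LIBS`; testing each entry's name part, e.g. `env.some((e) => e.split("=")[0].startsWith(senvValue))`, keeps the `PNPM_CONFIG_` prefix case working while avoiding value matches. `oci:image:lastLayer:Env` and `oci:image:lastLayer:Cmd` copy every environment value and argument verbatim into the SBOM, which usually travels further than the image itself; consider emitting only the variable names, or redacting values whose name contains `TOKEN`, `SECRET`, `PASSWORD` or `KEY`. addMetadata begins and ends outside this hunk.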
|
|
@@ -742,7 +864,29 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
|
|
|
742
864
|
value: options.allOSComponentTypes.sort().join("\\n"),
|
|
743
865
|
});
|
|
744
866
|
}
|
|
745
|
-
|
|
867
|
+
// Should we move these to formulation?
|
|
868
|
+
if (options?.bundledSdks?.length) {
|
|
869
|
+
for (const sdk of options.bundledSdks) {
|
|
870
|
+
try {
|
|
871
|
+
const purlObj = PackageURL.fromString(sdk);
|
|
872
|
+
const sdkName = purlObj.name.split("-")[0].toLowerCase();
|
|
873
|
+
mproperties.push({
|
|
874
|
+
name: `oci:image:bundles:${sdkName}Sdk`,
|
|
875
|
+
value: "true",
|
|
876
|
+
});
|
|
877
|
+
} catch (e) {
|
|
878
|
+
// ignore
|
|
879
|
+
}
|
|
880
|
+
}
|
|
881
|
+
}
|
|
882
|
+
if (options?.bundledRuntimes?.length) {
|
|
883
|
+
for (const runt of options.bundledRuntimes) {
|
|
884
|
+
mproperties.push({
|
|
885
|
+
name: `oci:image:bundles:${runt}Runtime`,
|
|
886
|
+
value: "true",
|
|
887
|
+
});
|
|
888
|
+
}
|
|
889
|
+
}
|
|
746
890
|
if (mproperties.length) {
|
|
747
891
|
metadata.properties = mproperties;
|
|
748
892
|
}
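Review bot: The property name built here, `oci:image:bundles:${sdkName}Sdk`, lowercases the purl name, so an android SDK purl yields `oci:image:bundles:androidSdk` while the env-based check earlier in addMetadata pushes `oci:image:bundles:AndroidSdk`; an image that triggers both would carry two differently-cased properties for the same fact, and consumers matching on the name would have to know both spellings. Normalising to the capitalised form used by `AndroidSdk`, `Sdkman`, `Nvm` and `Rbenv`, e.g. `const sdkName = purlObj.name.split("-")[0];` followed by `name: \`oci:image:bundles:${sdkName[0].toUpperCase()}${sdkName.slice(1).toLowerCase()}Sdk\``, keeps one spelling. The `catch (e) { // ignore }` also hides malformed entries in `options.bundledSdks`; logging the failure when `DEBUG_MODE` is set would make an empty result explainable. The `bundledRuntimes` loop below interpolates `runt` unnormalised into the same namespace and has the same casing concern.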
|
|
@@ -1207,6 +1351,14 @@ export async function createJarBom(path, options) {
|
|
|
1207
1351
|
let pkgList = [];
|
|
1208
1352
|
let jarFiles;
|
|
1209
1353
|
let nsMapping = {};
|
|
1354
|
+
if (!options.exclude) {
|
|
1355
|
+
options.exclude = [];
|
|
1356
|
+
}
|
|
1357
|
+
// Exclude certain directories during oci sbom generation
|
|
1358
|
+
if (hasAnyProjectType(["oci"], options, false)) {
|
|
1359
|
+
options.exclude.push("**/android-sdk*/**");
|
|
1360
|
+
options.exclude.push("**/.sdkman/**");
|
|
1361
|
+
}
|
|
1210
1362
|
const parentComponent = createDefaultParentComponent(path, "maven", options);
|
|
1211
1363
|
if (options.useGradleCache) {
|
|
1212
1364
|
nsMapping = await collectGradleDependencies(
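Review bot: The two `options.exclude.push(...)` calls run on every invocation of createJarBom and mutate the caller-owned `options`, so if the same options object reaches this function more than once in a run — createMultiXBom appears to pass one shared `options` to every createXBom call — the globs accumulate as duplicates and also stay in effect for the other generators that consult `options.exclude` afterwards. A guard such as `for (const pat of ["**/android-sdk*/**", "**/.sdkman/**"]) { if (!options.exclude.includes(pat)) options.exclude.push(pat); }` avoids the growth, and a short comment saying the exclusion is intentionally visible to later generators (or restoring the original array before returning) would make the cross-call effect explicit. createJarBom continues outside the hunk.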
|
|
@@ -3086,9 +3238,9 @@ export async function createNodejsBom(path, options) {
|
|
|
3086
3238
|
}
|
|
3087
3239
|
}
|
|
3088
3240
|
if (!pkgList.length && (yarnLockFiles.length || pkgLockFiles.length)) {
|
|
3089
|
-
if (options.projectType
|
|
3241
|
+
if (options.projectType?.length) {
|
|
3090
3242
|
thoughtLog(
|
|
3091
|
-
`Despite seeing some lock files, I didn't find any components in this Node.js project. Is there an issue with the project type '${options.projectType
|
|
3243
|
+
`Despite seeing some lock files, I didn't find any components in this Node.js project. Is there an issue with the project type '${options.projectType?.join(", ")}' used 🤔? I recommend trying again with a different type.`,
|
|
3092
3244
|
);
|
|
3093
3245
|
} else {
|
|
3094
3246
|
thoughtLog(
|
|
@@ -4131,7 +4283,7 @@ export async function createRustBom(path, options) {
|
|
|
4131
4283
|
// options.deep is true or options.lifecycle == build or post-build with installDeps
|
|
4132
4284
|
// Why the need for installDeps? It currently defaults to true, so let's obey if someone wants no installs
|
|
4133
4285
|
if (
|
|
4134
|
-
options.deep
|
|
4286
|
+
(options.deep && !hasAnyProjectType(["oci"], options, false)) ||
|
|
4135
4287
|
(options.installDeps &&
|
|
4136
4288
|
!safeExistsSync(f.replace(".toml", ".lock")) &&
|
|
4137
4289
|
["build", "post-build"].includes(options.lifecycle))
|
|
@@ -4556,7 +4708,7 @@ export function createClojureBom(path, options) {
|
|
|
4556
4708
|
filename: leinFiles.join(", "),
|
|
4557
4709
|
});
|
|
4558
4710
|
}
|
|
4559
|
-
if (ednFiles.length) {
|
|
4711
|
+
if (ednFiles.length && !hasAnyProjectType(["oci"], options, false)) {
|
|
4560
4712
|
let CLJ_ARGS = ["-Stree"];
|
|
4561
4713
|
if (process.env.CLJ_ARGS) {
|
|
4562
4714
|
CLJ_ARGS = process.env.CLJ_ARGS.split(" ");
|
|
@@ -5790,7 +5942,10 @@ export async function createRubyBom(path, options) {
|
|
|
5790
5942
|
);
|
|
5791
5943
|
}
|
|
5792
5944
|
// Should we collect the module names for the gems
|
|
5793
|
-
if (
|
|
5945
|
+
if (
|
|
5946
|
+
options.resolveClass ||
|
|
5947
|
+
(options.deep && !hasAnyProjectType(["oci"], options, false))
|
|
5948
|
+
) {
|
|
5794
5949
|
if (gemHome && !isGemHomeEmpty) {
|
|
5795
5950
|
const rubyCommand =
|
|
5796
5951
|
process.env.CDXGEN_RUBY_CMD || process.env.RUBY_CMD || "ruby";
|
|
@@ -5883,7 +6038,7 @@ export async function createCsharpBom(path, options) {
|
|
|
5883
6038
|
let parentComponent = createDefaultParentComponent(path, "nuget", options);
|
|
5884
6039
|
const slnFiles = getAllFiles(
|
|
5885
6040
|
path,
|
|
5886
|
-
`${options.multiProject ? "**/" : ""}*.sln
|
|
6041
|
+
`${options.multiProject ? "**/" : ""}*.sln*`,
|
|
5887
6042
|
options,
|
|
5888
6043
|
);
|
|
5889
6044
|
const csProjFiles = getAllFiles(
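Review bot: The new glob `*.sln*` is broader than a solution file: it also picks up names like `foo.sln.DotSettings` or `.slnf` filter files, which would then be handed to the solution-parsing path below. If the goal is to add the newer `.slnx` format, a pattern that lists the extensions explicitly, e.g. `*.{sln,slnx}` (assuming getAllFiles' matcher supports brace expansion; otherwise two calls), keeps the selection exact. createCsharpBom continues outside the hunk.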
|
|
@@ -6042,6 +6197,8 @@ export async function createCsharpBom(path, options) {
|
|
|
6042
6197
|
console.log("---------");
|
|
6043
6198
|
if (result.stderr) {
|
|
6044
6199
|
console.log(result.stderr);
|
|
6200
|
+
} else if (result.stdout) {
|
|
6201
|
+
console.log(result.stdout);
|
|
6045
6202
|
}
|
|
6046
6203
|
console.log("---------");
|
|
6047
6204
|
options.failOnError && process.exit(1);
|
|
@@ -6557,17 +6714,36 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6557
6714
|
hasAnyProjectType(["oci"], options, false) &&
|
|
6558
6715
|
options.allLayersExplodedDir
|
|
6559
6716
|
) {
|
|
6560
|
-
const {
|
|
6717
|
+
const {
|
|
6718
|
+
osPackages,
|
|
6719
|
+
dependenciesList,
|
|
6720
|
+
allTypes,
|
|
6721
|
+
bundledSdks,
|
|
6722
|
+
bundledRuntimes,
|
|
6723
|
+
binPaths,
|
|
6724
|
+
executables,
|
|
6725
|
+
sharedLibs,
|
|
6726
|
+
} = getOSPackages(
|
|
6561
6727
|
options.allLayersExplodedDir,
|
|
6728
|
+
options.exportData?.inspectData?.Config,
|
|
6562
6729
|
);
|
|
6730
|
+
// TODO: Need to test these with docker-compose type where multiple images could have different values.
|
|
6731
|
+
// This is also clearly misusing options, which must become immutable at some point.
|
|
6732
|
+
options.bundledSdks = bundledSdks;
|
|
6733
|
+
options.bundledRuntimes = bundledRuntimes;
|
|
6734
|
+
options.binPaths = binPaths;
|
|
6563
6735
|
if (DEBUG_MODE) {
|
|
6564
6736
|
console.log(
|
|
6565
|
-
`**OS**: Found ${osPackages.length} OS packages at ${options.allLayersExplodedDir}`,
|
|
6737
|
+
`**OS**: Found ${osPackages.length} OS packages, ${executables?.length} executables, and ${sharedLibs.length} shared libraries at ${options.allLayersExplodedDir}`,
|
|
6566
6738
|
);
|
|
6567
6739
|
}
|
|
6568
6740
|
if (osPackages.length) {
|
|
6569
6741
|
thoughtLog(
|
|
6570
|
-
`I found ${osPackages.length} OS packages at ${options.allLayersExplodedDir}`,
|
|
6742
|
+
`I found ${osPackages.length} OS packages and ${executables?.length} executables at ${options.allLayersExplodedDir}`,
|
|
6743
|
+
);
|
|
6744
|
+
} else if (executables?.length || sharedLibs?.length) {
|
|
6745
|
+
thoughtLog(
|
|
6746
|
+
`I couldn't find any OS packages, but I found ${executables.length} executables and ${sharedLibs.length} shared libraries at ${options.allLayersExplodedDir}. Perhaps the binary plugin wasn't available, or the architecture is unsupported.`,
|
|
6571
6747
|
);
|
|
6572
6748
|
} else {
|
|
6573
6749
|
thoughtLog(
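Review bot: The `else if (executables?.length || sharedLibs?.length)` branch admits the case where one of the two is undefined, but the message it builds dereferences `${executables.length}` and `${sharedLibs.length}` without the guard, so a result with only executables (or only shared libraries) throws a TypeError at logging time; the DEBUG_MODE message above has the same asymmetry (`executables?.length` but `sharedLibs.length`). Using `${executables?.length ?? 0}` and `${sharedLibs?.length ?? 0}` in both messages keeps the log safe regardless of which collection getOSPackages returns. `options.binPaths = binPaths;` is also unconditional, so a value already placed there by the caller is replaced even when getOSPackages yields nothing — `options.binPaths = binPaths ?? options.binPaths;` preserves it. createMultiXBom continues outside the hunk.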
|
|
@@ -6578,6 +6754,8 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6578
6754
|
options.allOSComponentTypes = allTypes;
|
|
6579
6755
|
}
|
|
6580
6756
|
components = components.concat(osPackages);
|
|
6757
|
+
components = components.concat(executables);
|
|
6758
|
+
components = components.concat(sharedLibs);
|
|
6581
6759
|
if (dependenciesList?.length) {
|
|
6582
6760
|
dependencies = dependencies.concat(dependenciesList);
|
|
6583
6761
|
}
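Review bot: `components.concat(executables)` and `components.concat(sharedLibs)` append a single `undefined` element when the argument is not an array (`[].concat(undefined)` yields `[undefined]`), and the `executables?.length` guards elsewhere in this function suggest getOSPackages can return these as undefined; a later pass over `components` would then hit an undefined entry. Writing it as `components = components.concat(executables ?? [], sharedLibs ?? []);` keeps the list clean in that case. createMultiXBom continues outside the hunk.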
|
|
@@ -6613,9 +6791,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6613
6791
|
}
|
|
6614
6792
|
// Node.js
|
|
6615
6793
|
if (hasAnyProjectType(["oci", "js"], options)) {
|
|
6616
|
-
|
|
6617
|
-
|
|
6618
|
-
|
|
6794
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6795
|
+
thoughtLog(
|
|
6796
|
+
"**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
|
|
6797
|
+
);
|
|
6798
|
+
}
|
|
6619
6799
|
bomData = await createNodejsBom(path, options);
|
|
6620
6800
|
if (bomData?.bomJson?.components?.length) {
|
|
6621
6801
|
thoughtLog(
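Review bot: The guard `if (!hasAnyProjectType(["oci"], options, false)) { thoughtLog(...); }` is now repeated verbatim around every per-language thoughtLog in createMultiXBom (this hunk and the java, python, go, rust, php, ruby, csharp, dart, haskell, elixir, c, clojure, github, cloudbuild, swift, jar, cbom and metadata hunks below), re-evaluating the same predicate each time. Computing it once near the top of the function, e.g. `const isOciScan = hasAnyProjectType(["oci"], options, false);`, and using a tiny local `const narrate = (msg) => { if (!isOciScan) thoughtLog(msg); };` would shrink each site to one line and make the "stay quiet during OCI scans" intent explicit; a one-line comment on that constant explaining why OCI runs suppress the narration would help too. The start of createMultiXBom is outside this hunk.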
|
|
@@ -6648,9 +6828,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6648
6828
|
}
|
|
6649
6829
|
// Java
|
|
6650
6830
|
if (hasAnyProjectType(["oci", "java"], options)) {
|
|
6651
|
-
|
|
6652
|
-
|
|
6653
|
-
|
|
6831
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6832
|
+
thoughtLog(
|
|
6833
|
+
"**JAVA**: Looking for Java projects (e.g., Maven, Gradle, SBT). I hope all configurations—from Java version to individual build settings—are correctly aligned.",
|
|
6834
|
+
);
|
|
6835
|
+
}
|
|
6654
6836
|
bomData = await createJavaBom(path, options);
|
|
6655
6837
|
if (bomData?.bomJson?.components?.length) {
|
|
6656
6838
|
thoughtLog(
|
|
@@ -6698,10 +6880,12 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6698
6880
|
}
|
|
6699
6881
|
}
|
|
6700
6882
|
if (hasAnyProjectType(["oci", "py"], options)) {
|
|
6701
|
-
|
|
6702
|
-
|
|
6703
|
-
|
|
6704
|
-
|
|
6883
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6884
|
+
thoughtLog(
|
|
6885
|
+
"**PYTHON**: Looking for Python projects with package managers such as pip, poetry, uv, etc. Wish me good luck!",
|
|
6886
|
+
);
|
|
6887
|
+
}
|
|
6888
|
+
if (process.env?.CDXGEN_IN_CONTAINER !== "true" && pathList.length <= 2) {
|
|
6705
6889
|
thoughtLog(
|
|
6706
6890
|
"I'm running in a non-container environment. Let's hope the correct build tools are available ✌️.",
|
|
6707
6891
|
);
|
|
@@ -6730,9 +6914,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6730
6914
|
}
|
|
6731
6915
|
}
|
|
6732
6916
|
if (hasAnyProjectType(["oci", "go"], options)) {
|
|
6733
|
-
|
|
6734
|
-
|
|
6735
|
-
|
|
6917
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6918
|
+
thoughtLog(
|
|
6919
|
+
"**GO**: Looking for go projects. I need to be cautious about purl namespaces and potential failures with the 'go list' command.",
|
|
6920
|
+
);
|
|
6921
|
+
}
|
|
6736
6922
|
bomData = await createGoBom(path, options);
|
|
6737
6923
|
if (bomData?.bomJson?.components?.length) {
|
|
6738
6924
|
thoughtLog(`I found ${bomData.bomJson.components.length} go packages.`);
|
|
@@ -6755,9 +6941,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6755
6941
|
}
|
|
6756
6942
|
}
|
|
6757
6943
|
if (hasAnyProjectType(["oci", "rust"], options)) {
|
|
6758
|
-
|
|
6759
|
-
|
|
6760
|
-
|
|
6944
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6945
|
+
thoughtLog(
|
|
6946
|
+
"**RUST**: Let's search for Cargo/Rust projects. Should I warn the user that we don't support Cargo 'features' and native dependencies, which may lead to both false positives and false negatives? 🤔?",
|
|
6947
|
+
);
|
|
6948
|
+
}
|
|
6761
6949
|
bomData = await createRustBom(path, options);
|
|
6762
6950
|
if (bomData?.bomJson?.components?.length) {
|
|
6763
6951
|
thoughtLog(
|
|
@@ -6789,9 +6977,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6789
6977
|
}
|
|
6790
6978
|
}
|
|
6791
6979
|
if (hasAnyProjectType(["oci", "php"], options)) {
|
|
6792
|
-
|
|
6793
|
-
|
|
6794
|
-
|
|
6980
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
6981
|
+
thoughtLog(
|
|
6982
|
+
"**PHP**: About to search for Composer-based projects. I hope lock files are available; otherwise, the 'composer install' command might fail for various reasons.",
|
|
6983
|
+
);
|
|
6984
|
+
}
|
|
6795
6985
|
bomData = createPHPBom(path, options);
|
|
6796
6986
|
if (bomData?.bomJson?.components?.length) {
|
|
6797
6987
|
thoughtLog(
|
|
@@ -6823,9 +7013,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6823
7013
|
}
|
|
6824
7014
|
}
|
|
6825
7015
|
if (hasAnyProjectType(["oci", "ruby"], options)) {
|
|
6826
|
-
|
|
6827
|
-
|
|
6828
|
-
|
|
7016
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7017
|
+
thoughtLog(
|
|
7018
|
+
"**RUBY**: Are there any Ruby projects in this path? There's only one way to know.",
|
|
7019
|
+
);
|
|
7020
|
+
}
|
|
6829
7021
|
bomData = await createRubyBom(path, options);
|
|
6830
7022
|
if (bomData?.bomJson?.components?.length) {
|
|
6831
7023
|
thoughtLog(
|
|
@@ -6858,7 +7050,9 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6858
7050
|
}
|
|
6859
7051
|
}
|
|
6860
7052
|
if (hasAnyProjectType(["oci", "csharp"], options)) {
|
|
6861
|
-
|
|
7053
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7054
|
+
thoughtLog("**CSHARP**: What about csharp and fsharp projects?");
|
|
7055
|
+
}
|
|
6862
7056
|
bomData = await createCsharpBom(path, options);
|
|
6863
7057
|
if (bomData?.bomJson?.components?.length) {
|
|
6864
7058
|
thoughtLog(
|
|
@@ -6890,9 +7084,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6890
7084
|
}
|
|
6891
7085
|
}
|
|
6892
7086
|
if (hasAnyProjectType(["oci", "dart"], options)) {
|
|
6893
|
-
|
|
6894
|
-
|
|
6895
|
-
|
|
7087
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7088
|
+
thoughtLog(
|
|
7089
|
+
"**DART**: Looking for Dart projects. These are rare ones. Should I inform the user that they can pass the types argument via the command-line to speed things up?",
|
|
7090
|
+
);
|
|
7091
|
+
}
|
|
6896
7092
|
bomData = await createDartBom(path, options);
|
|
6897
7093
|
if (bomData?.bomJson?.components?.length) {
|
|
6898
7094
|
thoughtLog(
|
|
@@ -6917,9 +7113,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6917
7113
|
}
|
|
6918
7114
|
}
|
|
6919
7115
|
if (hasAnyProjectType(["oci", "haskell"], options)) {
|
|
6920
|
-
|
|
6921
|
-
|
|
6922
|
-
|
|
7116
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7117
|
+
thoughtLog(
|
|
7118
|
+
"**HASKELL**: Looking for Haskell projects. They're rarely encountered.",
|
|
7119
|
+
);
|
|
7120
|
+
}
|
|
6923
7121
|
bomData = createHaskellBom(path, options);
|
|
6924
7122
|
if (bomData?.bomJson?.components?.length) {
|
|
6925
7123
|
thoughtLog(
|
|
@@ -6944,9 +7142,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6944
7142
|
}
|
|
6945
7143
|
}
|
|
6946
7144
|
if (hasAnyProjectType(["oci", "elixir"], options)) {
|
|
6947
|
-
|
|
6948
|
-
|
|
6949
|
-
|
|
7145
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7146
|
+
thoughtLog(
|
|
7147
|
+
"**ELIXIR**: Looking for Elixir projects—they're quite rare as well.",
|
|
7148
|
+
);
|
|
7149
|
+
}
|
|
6950
7150
|
bomData = createElixirBom(path, options);
|
|
6951
7151
|
if (bomData?.bomJson?.components?.length) {
|
|
6952
7152
|
thoughtLog(
|
|
@@ -6971,9 +7171,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6971
7171
|
}
|
|
6972
7172
|
}
|
|
6973
7173
|
if (hasAnyProjectType(["oci", "c"], options)) {
|
|
6974
|
-
|
|
6975
|
-
|
|
6976
|
-
|
|
7174
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7175
|
+
thoughtLog(
|
|
7176
|
+
"**C/C++**: Looking for C/C++ projects. Should I warn the user that the generated SBOM might have low accuracy and contain errors?",
|
|
7177
|
+
);
|
|
7178
|
+
}
|
|
6977
7179
|
bomData = createCppBom(path, options);
|
|
6978
7180
|
if (bomData?.bomJson?.components?.length) {
|
|
6979
7181
|
thoughtLog(
|
|
@@ -6998,9 +7200,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
6998
7200
|
}
|
|
6999
7201
|
}
|
|
7000
7202
|
if (hasAnyProjectType(["oci", "clojure"], options)) {
|
|
7001
|
-
|
|
7002
|
-
|
|
7003
|
-
|
|
7203
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7204
|
+
thoughtLog(
|
|
7205
|
+
"**CLOJURE**: Looking for Clojure projects. Should I warn the user that the purl namespace 'clojars' isn't widely supported by tools like Dependency-Track?",
|
|
7206
|
+
);
|
|
7207
|
+
}
|
|
7004
7208
|
bomData = createClojureBom(path, options);
|
|
7005
7209
|
if (bomData?.bomJson?.components?.length) {
|
|
7006
7210
|
thoughtLog(
|
|
@@ -7025,7 +7229,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7025
7229
|
}
|
|
7026
7230
|
}
|
|
7027
7231
|
if (hasAnyProjectType(["oci", "github"], options)) {
|
|
7028
|
-
|
|
7232
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7233
|
+
thoughtLog(
|
|
7234
|
+
"**GITHUB**: Looking for any github packages and workflows.",
|
|
7235
|
+
);
|
|
7236
|
+
}
|
|
7029
7237
|
bomData = createGitHubBom(path, options);
|
|
7030
7238
|
if (bomData?.bomJson?.components?.length) {
|
|
7031
7239
|
thoughtLog(
|
|
@@ -7050,9 +7258,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7050
7258
|
}
|
|
7051
7259
|
}
|
|
7052
7260
|
if (hasAnyProjectType(["oci", "cloudbuild"], options)) {
|
|
7053
|
-
|
|
7054
|
-
|
|
7055
|
-
|
|
7261
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7262
|
+
thoughtLog(
|
|
7263
|
+
"**CLOUDBUILD**: Let's check for CloudBuild configuration files that include package dependencies.",
|
|
7264
|
+
);
|
|
7265
|
+
}
|
|
7056
7266
|
bomData = createCloudBuildBom(path, options);
|
|
7057
7267
|
if (bomData?.bomJson?.components?.length) {
|
|
7058
7268
|
thoughtLog(
|
|
@@ -7077,9 +7287,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7077
7287
|
}
|
|
7078
7288
|
}
|
|
7079
7289
|
if (hasAnyProjectType(["oci", "swift"], options)) {
|
|
7080
|
-
|
|
7081
|
-
|
|
7082
|
-
|
|
7290
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7291
|
+
thoughtLog(
|
|
7292
|
+
"**SWIFT**: Now checking for Swift projects. We don't support CocoaPods, Objective-C, or pure Xcode projects, so the SBOM will be incomplete.",
|
|
7293
|
+
);
|
|
7294
|
+
}
|
|
7083
7295
|
bomData = await createSwiftBom(path, options);
|
|
7084
7296
|
if (bomData?.bomJson?.components?.length) {
|
|
7085
7297
|
thoughtLog(
|
|
@@ -7104,9 +7316,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7104
7316
|
}
|
|
7105
7317
|
}
|
|
7106
7318
|
if (hasAnyProjectType(["oci", "jar", "war", "ear"], options)) {
|
|
7107
|
-
|
|
7108
|
-
|
|
7109
|
-
|
|
7319
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7320
|
+
thoughtLog(
|
|
7321
|
+
"**JAR**: Let's check for any bundled jar/war/ear files to improve the SBOM accuracy.",
|
|
7322
|
+
);
|
|
7323
|
+
}
|
|
7110
7324
|
bomData = await createJarBom(path, options);
|
|
7111
7325
|
if (bomData?.bomJson?.components?.length) {
|
|
7112
7326
|
thoughtLog(
|
|
@@ -7150,9 +7364,11 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7150
7364
|
}
|
|
7151
7365
|
// Collect any crypto keys
|
|
7152
7366
|
if (options.specVersion >= 1.6 && options.includeCrypto) {
|
|
7153
|
-
|
|
7154
|
-
|
|
7155
|
-
|
|
7367
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7368
|
+
thoughtLog(
|
|
7369
|
+
"**CBOM**: Wait, the user wants me to look for cryptographic assets. Let's check thoroughly.",
|
|
7370
|
+
);
|
|
7371
|
+
}
|
|
7156
7372
|
bomData = await createCryptoCertsBom(path, options);
|
|
7157
7373
|
if (bomData?.bomJson?.components?.length) {
|
|
7158
7374
|
thoughtLog(
|
|
@@ -7195,7 +7411,9 @@ export async function createMultiXBom(pathList, options) {
|
|
|
7195
7411
|
}
|
|
7196
7412
|
// Retain the components of parent component
|
|
7197
7413
|
if (parentSubComponents.length) {
|
|
7198
|
-
|
|
7414
|
+
if (!hasAnyProjectType(["oci"], options, false)) {
|
|
7415
|
+
thoughtLog("**METADATA**: Tweaking the parent component hierarchy.");
|
|
7416
|
+
}
|
|
7199
7417
|
if (!parentComponent || !Object.keys(parentComponent).length) {
|
|
7200
7418
|
parentComponent = parentSubComponents[0];
|
|
7201
7419
|
}
|
|
@@ -7701,6 +7919,9 @@ export async function createBom(path, options) {
|
|
|
7701
7919
|
}
|
|
7702
7920
|
// Pass the entire export data about the image layers
|
|
7703
7921
|
options.exportData = exportData;
|
|
7922
|
+
if (exportData?.binPaths) {
|
|
7923
|
+
options.binPaths = exportData.binPaths;
|
|
7924
|
+
}
|
|
7704
7925
|
options.lastWorkingDir = exportData?.lastWorkingDir;
|
|
7705
7926
|
options.allLayersExplodedDir = exportData?.allLayersExplodedDir;
|
|
7706
7927
|
return await createMultiXBom(
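Review bot: `options.binPaths = exportData.binPaths;` is set here, but the createMultiXBom change earlier in this diff assigns `options.binPaths = binPaths;` from getOSPackages unconditionally, so the export-derived value survives only if getOSPackages returns a non-empty `binPaths`; if it can return undefined, the PATH information captured at export time is lost before addMetadata emits `oci:image:env:PATH`. Either keep the assignment there conditional (`options.binPaths = binPaths ?? options.binPaths;`) or document here which of the two sources is meant to win. createBom continues outside the hunk.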
|