@cyclonedx/cdxgen 11.2.1 → 11.2.3

package/README.md

@@ -147,7 +147,8 @@ Options:
       --server-host            Listen address                                                     [default: "127.0.0.1"]
       --server-port            Listen port                                                             [default: "9090"]
       --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+                                                                                               [boolean] [default: true]
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
@@ -170,6 +171,7 @@ Options:
                                luated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
+      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
       --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
                                fidence.                                                            [number] [default: 0]
       --technique              Analysis technique to use

package/bin/cdxgen.js

@@ -24,6 +24,7 @@ import {
 import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
+  DEBUG_MODE,
   dirNameStr,
   getTmpDir,
   isMac,
@@ -221,6 +222,7 @@ const args = yargs(hideBin(process.argv))
     description: "CycloneDX Specification version to use. Defaults to 1.6",
     default: 1.6,
     type: "number",
+    choices: [1.4, 1.5, 1.6],
   })
   .option("filter", {
     description:
@@ -303,6 +305,11 @@ const args = yargs(hideBin(process.argv))
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
+  .option("json-pretty", {
+    type: "boolean",
+    default: DEBUG_MODE,
+    description: "Pretty-print the generated BOM json.",
+  })
   .option("feature-flags", {
     description: "Experimental feature flags to enable. Advanced users only.",
     hidden: true,
@@ -442,11 +449,23 @@ if (!options.projectType) {
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
   );
 }
-if (process.argv[1].includes("cbom")) {
-  thoughtLog(
-    "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
-  );
-  options.includeCrypto = true;
+// Handle dedicated cbom and saasbom commands
+if (["cbom", "saasbom"].includes(process.argv[1])) {
+  if (process.argv[1].includes("cbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
+    );
+    options.includeCrypto = true;
+  } else if (process.argv[1].includes("saasbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
+    );
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      thoughtLog(
+        "Wait, I'm not running in a container. This means the chances of successfully collecting this inventory are quite low. Perhaps this is an advanced user who has set up atom and atom-tools already 🤔?",
+      );
+    }
+  }
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
@@ -693,7 +712,7 @@ const checkPermissions = (filePath, options) => {
       "usages-slices-file",
       "reachables-slices-file",
     ];
-    if (options?.type?.includes("swift")) {
+    if (options?.type?.includes("swift") || options?.type?.includes("scala")) {
       slicesFilesKeys.push("semantics-slices-file");
     }
     for (const sf of slicesFilesKeys) {
@@ -798,7 +817,11 @@ const checkPermissions = (filePath, options) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
+        jsonPayload = JSON.stringify(
+          bomNSData.bomJson,
+          null,
+          options.jsonPretty ? 2 : null,
+        );
         fs.writeFileSync(jsonFile, jsonPayload);
         if (jsonFile.endsWith("bom.json")) {
           thoughtLog(
@@ -900,7 +923,11 @@ const checkPermissions = (filePath, options) => {
             bomJsonUnsignedObj.signature = signatureBlock;
             fs.writeFileSync(
               jsonFile,
-              JSON.stringify(bomJsonUnsignedObj, null, null),
+              JSON.stringify(
+                bomJsonUnsignedObj,
+                null,
+                options.jsonPretty ? 2 : null,
+              ),
             );
             thoughtLog(`Signing the BOM file "${jsonFile}".`);
             if (publicKeyFile) {
@@ -937,7 +964,9 @@ const checkPermissions = (filePath, options) => {
     }
   } else if (!options.print) {
     if (bomNSData.bomJson) {
-      console.log(JSON.stringify(bomNSData.bomJson, null, 2));
+      console.log(
+        JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
+      );
     } else {
       console.log("Unable to produce BOM for", filePath);
       console.log("Try running the command with -t <type> or -r argument");
@@ -967,6 +996,7 @@ const checkPermissions = (filePath, options) => {
       includeCrypto: options.includeCrypto,
       specVersion: options.specVersion,
       profile: options.profile,
+      jsonPretty: options.jsonPretty,
     };
     const dbObjMap = await evinserModule.prepareDB(evinseOptions);
     if (dbObjMap) {
@@ -1003,6 +1033,7 @@ const checkPermissions = (filePath, options) => {
       await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
+      process.exit(1);
     }
   }
   // Protobuf serialization

package/bin/evinse.js

@@ -73,6 +73,7 @@ const args = yargs(hideBin(process.argv))
       "swift",
       "ios",
       "ruby",
+      "scala",
     ],
   })
   .option("db-path", {
@@ -127,7 +128,10 @@ const args = yargs(hideBin(process.argv))
   .option("semantics-slices-file", {
     description: "Use an existing semantics slices file.",
     default: "semantics.slices.json",
-    hidden: true,
+  })
+  .option("openapi-spec-file", {
+    description: "Use an existing openapi specification file (SaaSBOM).",
+    default: "openapi.json",
   })
   .option("print", {
     alias: "p",

package/data/component-tags.json

@@ -320,8 +320,8 @@
       {
         "browser": [
           "^(edge)",
-          "(firefox|chrome|opera|brave|mullvad|tor|chromium)",
-          "(microsoft+edge|microsoft+edge+webview2|microsoft+html)"
+          "^(firefox|chrome|opera|brave|mullvad|tor|chromium)",
+          "^(microsoft+edge|microsoft+edge+webview2|microsoft+html)"
         ]
       },
       {