@cyclonedx/cdxgen 11.3.2 → 11.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/bin/cdxgen.js +38 -16
- package/bin/evinse.js +1 -25
- package/bin/verify.js +4 -1
- package/data/bom-1.6.schema.json +87 -65
- package/data/bom-1.7.schema.json +5915 -0
- package/data/component-tags.json +1 -1
- package/data/spdx-licenses.json +209 -4
- package/data/spdx.schema.json +29 -1
- package/lib/cli/index.js +35 -31
- package/lib/helpers/envcontext.js +15 -15
- package/lib/helpers/utils.js +79 -41
- package/lib/helpers/utils.test.js +9 -5
- package/lib/managers/binary.js +19 -9
- package/lib/managers/docker.js +13 -13
- package/lib/managers/oci.js +24 -20
- package/lib/managers/piptree.js +113 -20
- package/lib/server/openapi.yaml +21 -3
- package/lib/server/server.js +38 -38
- package/lib/stages/postgen/annotator.js +4 -0
- package/lib/stages/postgen/postgen.js +27 -6
- package/lib/stages/pregen/pregen.js +3 -3
- package/package.json +64 -23
- package/types/lib/cli/index.d.ts.map +1 -1
- package/types/lib/helpers/utils.d.ts +10 -3
- package/types/lib/helpers/utils.d.ts.map +1 -1
- package/types/lib/managers/binary.d.ts.map +1 -1
- package/types/lib/managers/docker.d.ts.map +1 -1
- package/types/lib/managers/oci.d.ts +1 -1
- package/types/lib/managers/oci.d.ts.map +1 -1
- package/types/lib/managers/piptree.d.ts.map +1 -1
- package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
- package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
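--- a/package/README.md
+++ b/package/README.md
@@ -534,7 +534,7 @@ Use `pnpm add -g` command to quickly test the main branch.
 ```shell
 corepack pnpm bin -g
 corepack pnpm setup
-corepack pnpm add -g --allow-build sqlite3 https://github.com/CycloneDX/cdxgen
+corepack pnpm add -g --allow-build @appthreat/sqlite3 https://github.com/CycloneDX/cdxgen
 cdxgen --help
 ```
 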
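--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -4,10 +4,11 @@ import crypto from "node:crypto";
 import fs from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
-import { findUpSync } from "find-up";
 import globalAgent from "global-agent";
 import jws from "jws";
 import { parse as _load } from "yaml";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
 import { createBom, submitBom } from "../lib/cli/index.js";
 import {
 printCallStack,
@@ -35,15 +36,21 @@ import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
 
+const dirName = dirNameStr;
+
 // Support for config files
-const
+const configPaths = [
 ".cdxgenrc",
 ".cdxgen.json",
 ".cdxgen.yml",
 ".cdxgen.yaml",
-]
+];
 let config = {};
-
+for (const configPattern of configPaths) {
+const configPath = join(process.cwd(), configPattern);
+if (!safeExistsSync(configPath)) {
+continue;
+}
 try {
 if (configPath.endsWith(".yml") || configPath.endsWith(".yaml")) {
 config = _load(fs.readFileSync(configPath, "utf-8"));
@@ -55,11 +62,6 @@ if (configPath) {
 }
 }
 
-const dirName = dirNameStr;
-
-import yargs from "yargs";
-import { hideBin } from "yargs/helpers";
-
 const args = yargs(hideBin(process.argv))
 .env("CDXGEN")
 .parserConfiguration({
@@ -218,7 +220,7 @@ const args = yargs(hideBin(process.argv))
 description: "CycloneDX Specification version to use. Defaults to 1.6",
 default: 1.6,
 type: "number",
-choices: [1.4, 1.5, 1.6],
+choices: [1.4, 1.5, 1.6, 1.7],
 })
 .option("filter", {
 description:
@@ -329,6 +331,13 @@ const args = yargs(hideBin(process.argv))
 "filename",
 ],
 })
+.option("tlp-classification", {
+description:
+'Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is "CLEAR"',
+choices: ["CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED"],
+default: "CLEAR",
+hidden: true,
+})
 .completion("completion", "Generate bash/zsh completion")
 .array("type")
 .array("excludeType")
@@ -784,8 +793,9 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
 generateKeyAndSign ||
 (process.env.SBOM_SIGN_ALGORITHM &&
 process.env.SBOM_SIGN_ALGORITHM !== "none" &&
-process.env.SBOM_SIGN_PRIVATE_KEY &&
-
+((process.env.SBOM_SIGN_PRIVATE_KEY &&
+safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)) ||
+process.env.SBOM_SIGN_PRIVATE_KEY_BASE64));
 
 /**
 * Method to start the bom creation process
@@ -885,10 +895,17 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
 .createPublicKey(publicKey)
 .export({ format: "jwk" });
 } else {
-
-
-
-
+if (process.env?.SBOM_SIGN_PRIVATE_KEY) {
+privateKeyToUse = fs.readFileSync(
+process.env.SBOM_SIGN_PRIVATE_KEY,
+"utf8",
+);
+} else if (process.env?.SBOM_SIGN_PRIVATE_KEY_BASE64) {
+privateKeyToUse = Buffer.from(
+process.env.SBOM_SIGN_PRIVATE_KEY_BASE64,
+"base64",
+).toString("utf8");
+}
 if (
 process.env.SBOM_SIGN_PUBLIC_KEY &&
 safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
@@ -898,6 +915,11 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
 fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8"),
 )
 .export({ format: "jwk" });
+} else if (process.env?.SBOM_SIGN_PUBLIC_KEY_BASE64) {
+jwkPublicKey = Buffer.from(
+process.env.SBOM_SIGN_PUBLIC_KEY_BASE64,
+"base64",
+).toString("utf8");
 }
 }
 try {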
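--- a/package/bin/evinse.js
+++ b/package/bin/evinse.js
@@ -1,10 +1,7 @@
 #!/usr/bin/env node
+// Evinse (Evinse Verification Is Nearly SBOM Evidence)
 
-import fs from "node:fs";
 import process from "node:process";
-import { findUpSync } from "find-up";
-import { parse as _load } from "yaml";
-// Evinse (Evinse Verification Is Nearly SBOM Evidence)
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import {
@@ -21,26 +18,6 @@ import {
 import { ATOM_DB } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 
-// Support for config files
-const configPath = findUpSync([
-".cdxgenrc",
-".cdxgen.json",
-".cdxgen.yml",
-".cdxgen.yaml",
-]);
-let config = {};
-if (configPath) {
-try {
-if (configPath.endsWith(".yml") || configPath.endsWith(".yaml")) {
-config = _load(fs.readFileSync(configPath, "utf-8"));
-} else {
-config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
-}
-} catch (e) {
-console.log("Invalid config file", configPath);
-}
-}
-
 const args = yargs(hideBin(process.argv))
 .env("EVINSE")
 .option("input", {
@@ -150,7 +127,6 @@ const args = yargs(hideBin(process.argv))
 ])
 .completion("completion", "Generate bash/zsh completion")
 .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
-.config(config)
 .scriptName("evinse")
 .version()
 .help("h")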
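--- a/package/bin/verify.js
+++ b/package/bin/verify.js
@@ -17,6 +17,9 @@ const args = yargs(hideBin(process.argv))
 default: "bom.json",
 description: "Input json to validate. Default bom.json",
 })
+.option("platform", {
+description: "The platform to validate. No default",
+})
 .option("public-key", {
 default: "public.key",
 description: "Public key in PEM format. Default public.key",
@@ -53,7 +56,7 @@ function getBom(args) {
 args.input.includes("docker") ||
 args.input.includes("ghcr")
 ) {
-return getBomWithOras(args.input);
+return getBomWithOras(args.input, args.platform);
 }
 return undefined;
 }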