@cyclonedx/cdxgen 11.4.4 → 11.6.0

package/README.md

@@ -117,73 +117,76 @@ Commands:
   cdxgen completion  Generate bash/zsh completion
 
 Options:
-  -o, --output                 Output file. Default bom.json                                       [default: "bom.json"]
-  -t, --type                   Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supp
-                               orted languages/platforms.                                                        [array]
-      --exclude-type           Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TY
-                               PES for supported languages/platforms.
-  -r, --recurse                Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable.
+  -o, --output                    Output file. Default bom.json                                    [default: "bom.json"]
+  -t, --type                      Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for s
+                                  upported languages/platforms.                                                  [array]
+      --exclude-type              Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT
+                                  _TYPES for supported languages/platforms.
+  -r, --recurse                   Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable.
                                                                                                [boolean] [default: true]
-  -p, --print                  Print the SBOM as a table with tree.                                            [boolean]
-  -c, --resolve-class          Resolve class names for packages. jars only for now.                            [boolean]
-      --deep                   Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci i
-                               mages.                                                                          [boolean]
-      --server-url             Dependency track url. Eg: https://deptrack.cyclonedx.io
-      --skip-dt-tls-check      Skip TLS certificate check when calling Dependency-Track.      [boolean] [default: false]
-      --api-key                Dependency track api key
-      --project-group          Dependency track project group
-      --project-name           Dependency track project name. Default use the directory name
-      --project-version        Dependency track project version                                   [string] [default: ""]
-      --project-id             Dependency track project id. Either provide the id or the project name and version togeth
-                               er                                                                               [string]
-      --parent-project-id      Dependency track parent project id                                               [string]
-      --required-only          Include only the packages with required scope on the SBOM. Would set compositions.aggrega
-                               te to incomplete unless --no-auto-compositions is passed.                       [boolean]
-      --fail-on-error          Fail if any dependency extractor fails.                                         [boolean]
-      --no-babel               Do not use babel to perform usage analysis for JavaScript/TypeScript projects.  [boolean]
-      --generate-key-and-sign  Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web S
-                               ignatures.                                                                      [boolean]
-      --server                 Run cdxgen as a server                                                          [boolean]
-      --server-host            Listen address                                                     [default: "127.0.0.1"]
-      --server-port            Listen port                                                             [default: "9090"]
-      --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+  -p, --print                     Print the SBOM as a table with tree.                                         [boolean]
+  -c, --resolve-class             Resolve class names for packages. jars only for now.                         [boolean]
+      --deep                      Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oc
+                                  i images.                                                                    [boolean]
+      --server-url                Dependency track url. Eg: https://deptrack.cyclonedx.io
+      --skip-dt-tls-check         Skip TLS certificate check when calling Dependency-Track.   [boolean] [default: false]
+      --api-key                   Dependency track api key
+      --project-group             Dependency track project group
+      --project-name              Dependency track project name. Default use the directory name
+      --project-version           Dependency track project version                                [string] [default: ""]
+      --project-id                Dependency track project id. Either provide the id or the project name and version tog
+                                  ether                                                                         [string]
+      --parent-project-id         Dependency track parent project id                                            [string]
+      --required-only             Include only the packages with required scope on the SBOM. Would set compositions.aggr
+                                  egate to incomplete unless --no-auto-compositions is passed.                 [boolean]
+      --fail-on-error             Fail if any dependency extractor fails.                                      [boolean]
+      --no-babel                  Do not use babel to perform usage analysis for JavaScript/TypeScript projects.
+                                                                                                               [boolean]
+      --generate-key-and-sign     Generate an RSA public/private key pair and then sign the generated SBOM using JSON We
+                                  b Signatures.                                                                [boolean]
+      --server                    Run cdxgen as a server                                                       [boolean]
+      --server-host               Listen address                                                  [default: "127.0.0.1"]
+      --server-port               Listen port                                                          [default: "9090"]
+      --install-deps              Install dependencies automatically for some projects. Defaults to true but disabled fo
+                                  r containers and oci scans. Use --no-install-deps to disable this feature.
                                                                                                [boolean] [default: true]
-      --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
-                               sable.                                                          [boolean] [default: true]
-      --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
-      --spec-version           CycloneDX Specification version to use. Defaults to 1.6
-                                                                        [number] [choices: 1.4, 1.5, 1.6] [default: 1.6]
-      --filter                 Filter components containing this word in purl or component.properties.value. Multiple va
-                               lues allowed.                                                                     [array]
-      --only                   Include components only containing this word in purl. Useful to generate BOM with first p
-                               arty components alone. Multiple values allowed.                                   [array]
-      --author                 The person(s) who created the BOM. Set this value if you're intending the modify the BOM
-                               and claim authorship.                               [array] [default: "OWASP Foundation"]
-      --profile                BOM profile to use for generation. Default generic.
+      --validate                  Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to
+                                   disable.                                                    [boolean] [default: true]
+      --evidence                  Generate SBOM with evidence for supported languages.        [boolean] [default: false]
+      --spec-version              CycloneDX Specification version to use. Defaults to 1.6
+                                                                   [number] [choices: 1.4, 1.5, 1.6, 1.7] [default: 1.6]
+      --filter                    Filter components containing this word in purl or component.properties.value. Multiple
+                                   values allowed.                                                               [array]
+      --only                      Include components only containing this word in purl. Useful to generate BOM with firs
+                                  t party components alone. Multiple values allowed.                             [array]
+      --author                    The person(s) who created the BOM. Set this value if you're intending the modify the B
+                                  OM and claim authorship.                         [array] [default: "OWASP Foundation"]
+      --profile                   BOM profile to use for generation. Default generic.
   [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
                                                        "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"]
-      --exclude                Additional glob pattern(s) to ignore                                              [array]
-      --export-proto           Serialize and export BOM as protobuf binary.                   [boolean] [default: false]
-      --proto-bin-file         Path for the serialized protobuf binary.                             [default: "bom.cdx"]
-      --include-formulation    Generate formulation section with git metadata and build tools. Defaults to false.
+      --include-regex             glob pattern to include. This overrides the default pattern used during auto-detection
+                                  .                                                                             [string]
+      --exclude, --exclude-regex  Additional glob pattern(s) to ignore                                           [array]
+      --export-proto              Serialize and export BOM as protobuf binary.                [boolean] [default: false]
+      --proto-bin-file            Path for the serialized protobuf binary.                          [default: "bom.cdx"]
+      --include-formulation       Generate formulation section with git metadata and build tools. Defaults to false.
                                                                                               [boolean] [default: false]
-      --include-crypto         Include crypto libraries as components.                        [boolean] [default: false]
-      --standard               The list of standards which may consist of regulations, industry or organizational-specif
-                               ic standards, maturity models, best practices, or any other requirements which can be eva
-                               luated against or attested to.
+      --include-crypto            Include crypto libraries as components.                     [boolean] [default: false]
+      --standard                  The list of standards which may consist of regulations, industry or organizational-spe
+                                  cific standards, maturity models, best practices, or any other requirements which can
+                                  be evaluated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
-      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
-      --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
-                               fidence.                                                            [number] [default: 0]
-      --technique              Analysis technique to use
+      --json-pretty               Pretty-print the generated BOM json.                        [boolean] [default: false]
+      --min-confidence            Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100%
+                                  confidence.                                                      [number] [default: 0]
+      --technique                 Analysis technique to use
   [array] [choices: "auto", "source-code-analysis", "binary-analysis", "manifest-analysis", "hash-comparison", "instrume
                                                                                                    ntation", "filename"]
-      --auto-compositions      Automatically set compositions when the BOM was filtered. Defaults to true
+      --auto-compositions         Automatically set compositions when the BOM was filtered. Defaults to true
                                                                                                [boolean] [default: true]
-  -h, --help                   Show help                                                                       [boolean]
-  -v, --version                Show version number                                                             [boolean]
+  -h, --help                      Show help                                                                    [boolean]
+  -v, --version                   Show version number                                                          [boolean]
 ```
 
 All boolean arguments accept `--no` prefix to toggle the behavior.
@@ -214,14 +217,11 @@ To recursively generate a single BOM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
-The default specification used by cdxgen is 1.5. To generate BOM for a different specification version, such as 1.6 or 1.4, pass the version number using the `--spec-version` argument.
+The default specification used by cdxgen is 1.6. To generate BOM for a different specification version, such as 1.5 or 1.4, pass the version number using the `--spec-version` argument.
 
 ```shell
-# 1.6 is unsupported by most tools
-cdxgen -r -o bom.json --spec-version 1.6
-
-# 1.4 is supported by most tools
-cdxgen -r -o bom.json --spec-version 1.4
+# 1.5 is supported by most tools
+cdxgen -r -o bom.json --spec-version 1.5
 ```
 
 To generate SBOM for C or Python, ensure Java >= 21 is installed.
@@ -543,7 +543,11 @@ cdxgen --help
 
 ## Sponsors
 
-<img src="./docs/_media/LevoLogo-LightBg.jpg" width="200" height="auto">
+<div style="display: flex; align-items: center; gap: 20px;">
+  <img src="./docs/_media/LevoLogo-LightBg.jpg" width="200" height="auto">
+  <img src="./docs/_media/GithubLogo-LightBg.png" width="170" height="auto">
+  <img src="./docs/_media/MicrosoftLogo.png" width="180" height="auto">
+</div>
 
 <!-- LINK LABELS -->
 <!-- Badges -->

package/bin/cdxgen.js

@@ -29,6 +29,7 @@ import {
   commandsExecuted,
   DEBUG_MODE,
   dirNameStr,
+  getRuntimeInformation,
   getTmpDir,
   isMac,
   isSecureMode,
@@ -66,7 +67,9 @@ for (const configPattern of configPaths) {
   }
 }
 
-const args = yargs(hideBin(process.argv))
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
   .env("CDXGEN")
   .parserConfiguration({
     "greedy-arrays": false,
@@ -261,8 +264,15 @@ const args = yargs(hideBin(process.argv))
     hidden: true,
     choices: ["pre-build", "build", "post-build"],
   })
+  .option("include-regex", {
+    description:
+      "glob pattern to include. This overrides the default pattern used during auto-detection.",
+    type: "string",
+  })
   .option("exclude", {
+    alias: "exclude-regex",
     description: "Additional glob pattern(s) to ignore",
+    type: "array",
   })
   .option("export-proto", {
     type: "boolean",
@@ -346,7 +356,6 @@ const args = yargs(hideBin(process.argv))
   .array("filter")
   .array("only")
   .array("author")
-  .array("exclude")
   .array("standard")
   .array("feature-flags")
   .array("technique")
@@ -375,25 +384,36 @@ const args = yargs(hideBin(process.argv))
   .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
   .config(config)
   .scriptName("cdxgen")
-  .version()
+  .version(version())
   .alias("v", "version")
-  .help("h")
-  .alias("h", "help")
+  .help(false)
+  .option("help", {
+    alias: "h",
+    type: "boolean",
+    description: "Show help",
+  })
   .wrap(Math.min(120, yargs().terminalWidth())).argv;
 
 if (process.env?.CDXGEN_NODE_OPTIONS) {
   process.env.NODE_OPTIONS = `${process.env.NODE_OPTIONS || ""} ${process.env.CDXGEN_NODE_OPTIONS}`;
 }
 
-if (args.version) {
+if (args.help) {
+  console.log(`${version()}\n`);
+  _yargs.showHelp();
+  process.exit(0);
+}
+
+function version() {
   const packageJsonAsString = fs.readFileSync(
-    join(dirName, "..", "package.json"),
+    join(dirName, "package.json"),
     "utf-8",
   );
   const packageJson = JSON.parse(packageJsonAsString);
 
-  console.log(packageJson.version);
-  process.exit(0);
+  const runtimeInfo = getRuntimeInformation();
+
+  return `\x1b[1mCycloneDX Generator ${packageJson.version}\x1b[0m\nRuntime: ${runtimeInfo.runtime}, Version: ${runtimeInfo.version}`;
 }
 
 if (process.env.GLOBAL_AGENT_HTTP_PROXY || process.env.HTTP_PROXY) {
@@ -447,6 +467,8 @@ const options = Object.assign({}, args, {
     isSecureMode && args.output === "bom.json"
       ? resolve(join(filePath, args.output))
       : args.output,
+  exclude: args.exclude || args.excludeRegex,
+  include: args.include || args.includeRegex,
 });
 // Should we create the output directory?
 const outputDirectory = dirname(options.output);