@cyclonedx/cdxgen 12.2.0 → 12.2.1

package/lib/helpers/utils.js

@@ -337,6 +337,13 @@ export const DEBUG_MODE =
   ["debug", "verbose"].includes(process.env.CDXGEN_DEBUG_MODE) ||
   process.env.SCAN_DEBUG_MODE === "debug";
 
+// Table border style for console output.
+export const TABLE_BORDER_STYLE = ["ascii", "unicode", "auto"].includes(
+  `${process.env.CDXGEN_TABLE_BORDER || ""}`.toLowerCase(),
+)
+  ? `${process.env.CDXGEN_TABLE_BORDER}`.toLowerCase()
+  : "auto";
+
 // Timeout milliseconds. Default 20 mins
 export const TIMEOUT_MS =
   Number.parseInt(process.env.CDXGEN_TIMEOUT_MS, 10) || 20 * 60 * 1000;
@@ -1120,7 +1127,44 @@ export function getLicenses(pkg) {
               licenseContent.name = l;
             }
           } else if (Object.keys(l).length) {
-            licenseContent = l;
+            licenseContent = { ...l };
+            if (
+              licenseContent.type &&
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression
+            ) {
+              if (spdxLicenses.includes(licenseContent.type)) {
+                licenseContent.id = licenseContent.type;
+              } else if (isSpdxLicenseExpression(licenseContent.type)) {
+                licenseContent.expression = licenseContent.type;
+              } else {
+                licenseContent.name = licenseContent.type;
+              }
+            }
+            if (
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression &&
+              licenseContent.url?.startsWith("http")
+            ) {
+              const knownLicense = getKnownLicense(licenseContent.url, pkg);
+              if (knownLicense) {
+                if (knownLicense.id) {
+                  licenseContent.id = knownLicense.id;
+                } else if (knownLicense.name) {
+                  licenseContent.name = knownLicense.name;
+                }
+              }
+            }
+            if (
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression
+            ) {
+              licenseContent.name = "CUSTOM";
+            }
+            delete licenseContent.type;
           } else {
             return undefined;
           }
@@ -1572,7 +1616,8 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     const srcFilePath = node.path.includes(`${_sep}node_modules`)
       ? node.path.split(`${_sep}node_modules`)[0]
       : node.path;
-    const scope = node.dev === true ? "optional" : undefined;
+    const scope =
+      node.dev === true || node.optional === true ? "optional" : undefined;
     const integrity = node.integrity ? node.integrity : undefined;
 
     let pkg;
@@ -1645,6 +1690,9 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         purl: purlString,
         "bom-ref": decodeURIComponent(purlString),
       };
+      if (node.dev === true) {
+        _setNpmDevelopmentProperty(pkg);
+      }
       if (node.resolved) {
         if (node.resolved.startsWith("file:")) {
           pkg.properties.push({
@@ -2826,6 +2874,51 @@ function _markTreeOptional(
   }
 }
 
+function _markTreeDevelopment(
+  dbomRef,
+  dependenciesMap,
+  possibleDevelopmentDeps,
+  visited,
+) {
+  // Production-required packages set this map entry to false, and that wins
+  // over any later attempt to propagate a development-only marking.
+  if (possibleDevelopmentDeps[dbomRef] === undefined) {
+    possibleDevelopmentDeps[dbomRef] = true;
+  }
+  if (dependenciesMap[dbomRef] && !visited[dbomRef]) {
+    visited[dbomRef] = true;
+    for (const eachDep of dependenciesMap[dbomRef]) {
+      // Undefined means we have not classified this dependency yet, so we
+      // continue propagating the dev-only marking unless it was already proven
+      // to be non-development via a false entry.
+      if (possibleDevelopmentDeps[eachDep] !== false) {
+        _markTreeDevelopment(
+          eachDep,
+          dependenciesMap,
+          possibleDevelopmentDeps,
+          visited,
+        );
+      }
+    }
+  }
+}
+
+function _setNpmDevelopmentProperty(pkg) {
+  if (!pkg.properties) {
+    pkg.properties = [];
+  }
+  if (
+    !pkg.properties.some((property) => {
+      return property.name === "cdx:npm:package:development";
+    })
+  ) {
+    pkg.properties.push({
+      name: "cdx:npm:package:development",
+      value: "true",
+    });
+  }
+}
+
 function _setTreeWorkspaceRef(
   dependenciesMap,
   depref,
@@ -3201,6 +3294,7 @@ export async function parsePnpmLock(
   // See: #1163
   // Moreover, we have changed >= 9 for >= 6
   // See: discussion #1359
+  const possibleDevelopmentDeps = {};
   const possibleOptionalDeps = {};
   const dependenciesMap = {};
   let ppurl = "";
@@ -3293,7 +3387,7 @@ export async function parsePnpmLock(
           null,
           null,
         ).toString();
-        possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = true;
       }
       // Find the root optional and peer dependencies
       for (const rdk of Object.keys({ ...rootOptionalDeps, ...rootPeerDeps })) {
@@ -3317,6 +3411,7 @@ export async function parsePnpmLock(
           null,
         ).toString();
         possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
       }
       // Find the root direct dependencies
       for (const dk of Object.keys(rootDirectDeps)) {
@@ -3344,6 +3439,7 @@ export async function parsePnpmLock(
           // These are direct dependencies so cannot be optional
           possibleOptionalDeps[decodeURIComponent(dpurl)] = false;
         }
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
       }
       // pnpm-lock.yaml contains more than root dependencies in importers
       // we do what we did above but for all the other components
@@ -3469,6 +3565,7 @@ export async function parsePnpmLock(
           // This is a definite dependency of this component
           comDepList.add(depRef);
           possibleOptionalDeps[depRef] = false;
+          possibleDevelopmentDeps[depRef] = false;
           // Track the package.json files
           if (pkgSrcFile) {
             if (!srcFilesMap[depRef]) {
@@ -3488,7 +3585,7 @@ export async function parsePnpmLock(
             null,
           ).toString();
           const devDpRef = decodeURIComponent(dpurl);
-          possibleOptionalDeps[devDpRef] = true;
+          possibleDevelopmentDeps[devDpRef] = true;
           // This is also a dependency of this component
           comDepList.add(devDpRef);
         }
@@ -3506,6 +3603,7 @@ export async function parsePnpmLock(
             null,
           ).toString();
           possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+          possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
         }
         dependenciesList.push({
           ref: decodeURIComponent(compPurl),
@@ -3708,7 +3806,21 @@ export async function parsePnpmLock(
             null,
           ).toString();
           const bomRef = decodeURIComponent(purlString);
+          if (
+            packageNode.dev === true &&
+            possibleDevelopmentDeps[bomRef] === undefined
+          ) {
+            possibleDevelopmentDeps[bomRef] = true;
+          }
           const isBaseOptional = possibleOptionalDeps[bomRef];
+          // optionalDependencies are tracked separately because they may still
+          // be runtime-relevant and should keep the CycloneDX optional scope.
+          // packageNode.dev captures explicit dev-only packages from the lock
+          // entry, while possibleDevelopmentDeps lets that marking propagate to
+          // transitive dependencies discovered through the dependency graph.
+          const isBaseDevelopment =
+            packageNode.dev === true ||
+            possibleDevelopmentDeps[bomRef] === true;
           const deplist = [];
           for (let dpkgName of Object.keys(deps)) {
             let vers = deps[dpkgName];
@@ -3751,6 +3863,18 @@ export async function parsePnpmLock(
                 {},
               );
             }
+            if (
+              isBaseDevelopment &&
+              possibleDevelopmentDeps[dbomRef] === undefined
+            ) {
+              possibleDevelopmentDeps[dbomRef] = true;
+              _markTreeDevelopment(
+                dbomRef,
+                dependenciesMap,
+                possibleDevelopmentDeps,
+                {},
+              );
+            }
           }
           if (!dependenciesMap[bomRef]) {
             dependenciesMap[bomRef] = [];
@@ -3910,6 +4034,19 @@ export async function parsePnpmLock(
       }
     }
   }
+  // Repeat development dependency detection after the dependency graph is fully
+  // built, since a single package iteration can encounter a dev-only component
+  // before its own dependency list has been captured in dependenciesMap.
+  for (const dependencyRef of Object.keys(possibleDevelopmentDeps)) {
+    if (possibleDevelopmentDeps[dependencyRef] === true) {
+      _markTreeDevelopment(
+        dependencyRef,
+        dependenciesMap,
+        possibleDevelopmentDeps,
+        {},
+      );
+    }
+  }
 
   // Problem: We might have over aggressively marked a package as optional even it is both required and optional
   // The below loops ensure required packages continue to stay required
@@ -3940,6 +4077,15 @@ export async function parsePnpmLock(
     if (requiredDependencies[apkg["bom-ref"]]) {
       apkg.scope = undefined;
     }
+    if (
+      !requiredDependencies[apkg["bom-ref"]] &&
+      possibleDevelopmentDeps[apkg["bom-ref"]]
+    ) {
+      if (!apkg.scope) {
+        apkg.scope = "optional";
+      }
+      _setNpmDevelopmentProperty(apkg);
+    }
     if (possibleAliasesRefs[apkg["bom-ref"]]) {
       apkg.properties.push({
         name: "cdx:pnpm:alias",
@@ -16447,6 +16593,7 @@ export async function addEvidenceForImports(
       : [name];
     let isImported = false;
     for (const alias of aliases) {
+      const isWasmAlias = /\.wasm([?#].*)?$/i.test(alias);
       const all_includes = impPkgs.filter(
         (find_pkg) =>
           find_pkg.startsWith(alias) &&
@@ -16456,12 +16603,20 @@ export async function addEvidenceForImports(
         find_pkg.startsWith(alias),
       );
       if (all_exports?.length) {
-        let exportedModules = new Set(all_exports);
+        let exportedModules = new Set(isWasmAlias ? [] : all_exports);
         pkg.properties = pkg.properties || [];
         for (const subevidence of all_exports) {
           const evidences = allExports[subevidence];
           for (const evidence of evidences) {
             if (evidence && Object.keys(evidence).length) {
+              if (isWasmAlias) {
+                for (const wasmImportedModule of evidence.importedModules ||
+                  []) {
+                  if (wasmImportedModule?.length) {
+                    exportedModules.add(wasmImportedModule);
+                  }
+                }
+              }
               if (evidence.exportedModules.length > 1) {
                 for (const aexpsubm of evidence.exportedModules) {
                   // Be selective on the submodule names
@@ -16496,6 +16651,8 @@ export async function addEvidenceForImports(
       if (impPkgs.includes(alias) || all_includes.length) {
         isImported = true;
         let importedModules = new Set();
+        let wasmExportedModules = new Set();
+        const seenOccurrenceLocations = new Set();
         pkg.scope = "required";
         for (const subevidence of all_includes) {
           const evidences = allImports[subevidence];
@@ -16503,16 +16660,23 @@ export async function addEvidenceForImports(
             if (evidence && Object.keys(evidence).length && evidence.fileName) {
               pkg.evidence = pkg.evidence || {};
               pkg.evidence.occurrences = pkg.evidence.occurrences || [];
-              pkg.evidence.occurrences.push({
-                location: `${evidence.fileName}${
-                  evidence.lineNumber ? `#${evidence.lineNumber}` : ""
-                }`,
-              });
+              const occurrenceLocation = `${evidence.fileName}${
+                evidence.lineNumber ? `#${evidence.lineNumber}` : ""
+              }`;
+              if (!seenOccurrenceLocations.has(occurrenceLocation)) {
+                pkg.evidence.occurrences.push({
+                  location: occurrenceLocation,
+                });
+                seenOccurrenceLocations.add(occurrenceLocation);
+              }
               importedModules.add(evidence.importedAs);
               for (const importedSm of evidence.importedModules || []) {
                 if (!importedSm) {
                   continue;
                 }
+                if (isWasmAlias) {
+                  wasmExportedModules.add(importedSm);
+                }
                 // Store both the short and long form of the imported sub modules
                 if (importedSm.length > 3) {
                   importedModules.add(importedSm);
@@ -16523,6 +16687,7 @@ export async function addEvidenceForImports(
           }
         }
         importedModules = Array.from(importedModules);
+        wasmExportedModules = Array.from(wasmExportedModules);
         if (importedModules.length) {
           pkg.properties = pkg.properties || [];
           pkg.properties.push({
@@ -16530,6 +16695,15 @@ export async function addEvidenceForImports(
             value: importedModules.join(","),
           });
         }
+        if (isWasmAlias && wasmExportedModules.length) {
+          pkg.properties = pkg.properties || [];
+          if (!pkg.properties.some((p) => p.name === "ExportedModules")) {
+            pkg.properties.push({
+              name: "ExportedModules",
+              value: wasmExportedModules.join(","),
+            });
+          }
+        }
         break;
       }
       if (

package/lib/helpers/utils.poku.js

@@ -2671,7 +2671,7 @@ it("parse github actions workflow data", () => {
   dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
   assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 90);
+  assert.deepStrictEqual(dep_list.length, 91);
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
@@ -3575,6 +3575,23 @@ it("get licenses", () => {
     },
   ]);
 
+  licenses = getLicenses({
+    license: [
+      {
+        type: "MIT",
+        url: "https://github.com/harvesthq/chosen/blob/master/LICENSE.md",
+      },
+    ],
+  });
+  assert.deepStrictEqual(licenses, [
+    {
+      license: {
+        id: "MIT",
+        url: "https://github.com/harvesthq/chosen/blob/master/LICENSE.md",
+      },
+    },
+  ]);
+
   licenses = getLicenses({
     license: "GPL-2.0+",
   });
@@ -3677,6 +3694,30 @@ it("parsePkgLock v2", async () => {
       ],
     },
   });
+  const devOnlyPkg = deps.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@types/shelljs@0.8.11",
+  );
+  assert.ok(devOnlyPkg);
+  assert.deepStrictEqual(devOnlyPkg.scope, "optional");
+  assert.ok(
+    devOnlyPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
+  const devOptionalPkg = deps.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@esbuild/android-arm@0.15.12",
+  );
+  assert.ok(devOptionalPkg);
+  assert.deepStrictEqual(devOptionalPkg.scope, "optional");
+  assert.ok(
+    devOptionalPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
   assert.deepStrictEqual(parsedList.dependenciesList.length, 134);
 });
 
@@ -3865,10 +3906,8 @@ it("parsePnpmLock", async () => {
     type: "library",
     version: "7.16.7",
     properties: [
-      {
-        name: "SrcFile",
-        value: "./test/data/pnpm-lock.yaml",
-      },
+      { name: "SrcFile", value: "./test/data/pnpm-lock.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
     ],
     evidence: {
       identity: {
@@ -3970,7 +4009,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -3995,7 +4037,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -4023,7 +4068,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -4038,6 +4086,18 @@ it("parsePnpmLock", async () => {
       },
     },
   });
+  const pnpmDevOptionalPkg = parsedList.pkgList.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@cyclonedx/cdxgen-plugins-bin@1.0.5",
+  );
+  assert.ok(pnpmDevOptionalPkg);
+  assert.deepStrictEqual(pnpmDevOptionalPkg.scope, "optional");
+  assert.ok(
+    pnpmDevOptionalPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
   // Test case to see if parsePnpmLock is finding all root deps
   const dummpyParent = {
     name: "rush",
@@ -4079,7 +4139,15 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 1007);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 1006);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     0,
   );
   parsedList = await parsePnpmLock("./test/data/pnpm-lock9b.yaml", {
@@ -4089,7 +4157,15 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 1366);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 1353);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     12,
   );
   parsedList = await parsePnpmLock("./test/data/pnpm-lock9c.yaml", {
@@ -4099,9 +4175,40 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 461);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 462);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     3,
   );
+  parsedList = await parsePnpmLock(
+    "./test/data/pnpm-lock-dev-propagation.yaml",
+  );
+  assert.deepStrictEqual(parsedList.pkgList.length, 4);
+  assert.deepStrictEqual(parsedList.dependenciesList.length, 4);
+  assert.deepStrictEqual(
+    parsedList.pkgList.filter(
+      (pkg) =>
+        pkg.scope === "optional" &&
+        pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
+    4,
+  );
+  assert.ok(
+    parsedList.pkgList.find((pkg) => pkg["bom-ref"] === "pkg:npm/gamma@1.0.0"),
+  );
+  assert.ok(
+    parsedList.pkgList.find((pkg) => pkg["bom-ref"] === "pkg:npm/delta@1.0.0"),
+  );
   parsedList = await parsePnpmLock(
     "./test/data/pnpm_locks/bytemd-pnpm-lock.yaml",
   );

package/lib/server/openapi.yaml

@@ -94,11 +94,31 @@ paths:
           required: false
           schema:
             $ref: '#/components/schemas/CDXGEN/properties/projectVersion'
+        - name: autoCreate
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/CDXGEN/properties/autoCreate'
+        - name: isLatest
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/CDXGEN/properties/isLatest'
         - name: parentUUID
           in: query
           required: false
           schema:
             $ref: '#/components/schemas/CDXGEN/properties/parentUUID'
+        - name: parentProjectName
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/CDXGEN/properties/parentProjectName'
+        - name: parentProjectVersion
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/CDXGEN/properties/parentProjectVersion'
         - name: serverUrl
           in: query
           required: false
@@ -252,9 +272,22 @@ components:
           type: string
           description: Dependency Track project version
           default: ""
+        autoCreate:
+          type: boolean
+          description: Dependency Track autoCreate value for BOM submissions
+          default: true
+        isLatest:
+          type: boolean
+          description: Dependency Track isLatest value for BOM submissions
         parentUUID:
           type: string
           description: UUID of the parent Dependency Track project
+        parentProjectName:
+          type: string
+          description: Name of the parent Dependency Track project
+        parentProjectVersion:
+          type: string
+          description: Version of the parent Dependency Track project
         serverUrl:
           type: string
           description: URL to the Dependency Track API server

package/lib/server/server.js

@@ -36,7 +36,11 @@ const ALLOWED_PARAMS = [
   "projectGroup",
   "projectTag",
   "projectVersion",
+  "autoCreate",
+  "isLatest",
   "parentUUID",
+  "parentProjectName",
+  "parentProjectVersion",
   "serverUrl",
   "apiKey",
   "specVersion",
@@ -270,7 +274,10 @@ function gitClone(repoUrl, branch = null) {
     "core.fsmonitor=false",
     "-c",
     "safe.bareRepository=explicit",
+    "-c",
+    "core.hooksPath=/dev/null",
     "clone",
+    "--template=",
     repoUrl,
     "--depth",
     "1",
@@ -297,13 +304,14 @@ function gitClone(repoUrl, branch = null) {
     GIT_CONFIG_VALUE_0: "false",
     GIT_CONFIG_KEY_1: "safe.bareRepository",
     GIT_CONFIG_VALUE_1: "explicit",
+    GIT_TERMINAL_PROMPT: "0",
   };
   const env = isSecureMode
     ? {
         ...process.env,
         ...envConfigs,
         GIT_CONFIG_NOSYSTEM: "1",
-        GIT_CONFIG_NOGLOBAL: "1",
+        GIT_CONFIG_GLOBAL: "/dev/null",
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       }
     : {
@@ -676,4 +684,4 @@ const start = (options) => {
   });
 };
 
-export { configureServer, start };
+export { configureServer, gitClone, start };