@cyclonedx/cdxgen 8.2.2 → 8.2.4
- package/README.md +2 -0
- package/index.js +5 -4
- package/package.json +1 -1
- package/utils.js +21 -3
- package/utils.test.js +12 -0
package/README.md
CHANGED
|
@@ -270,6 +270,8 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
|
|
|
270
270
|
| SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
|
|
271
271
|
| SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
|
|
272
272
|
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
|
|
273
|
+
| CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.6" |
|
|
274
|
+
| CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
|
|
273
275
|
|
|
274
276
|
## Plugins
|
|
275
277
|
|
package/index.js
CHANGED
|
@@ -986,10 +986,11 @@ const createJavaBom = async (path, options) => {
|
|
|
986
986
|
(options.multiProject ? "**/" : "") + "pom.xml"
|
|
987
987
|
);
|
|
988
988
|
if (pomFiles && pomFiles.length) {
|
|
989
|
-
|
|
990
|
-
|
|
991
|
-
"-
|
|
992
|
-
|
|
989
|
+
const cdxMavenPlugin =
|
|
990
|
+
process.env.CDX_MAVEN_PLUGIN ||
|
|
991
|
+
"org.cyclonedx:cyclonedx-maven-plugin:2.7.6";
|
|
992
|
+
const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
|
|
993
|
+
let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];
|
|
993
994
|
// By using quiet mode we can reduce the maxBuffer used and avoid crashes
|
|
994
995
|
if (!DEBUG_MODE) {
|
|
995
996
|
mvnArgs.push("-q");
|
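Review bot: `CDX_MAVEN_PLUGIN` flows unchecked into the Maven invocation at `let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];`, so anyone who controls the environment of the cdxgen process (a CI variable, a committed `.env`) can name any `groupId:artifactId:version` that Maven will resolve from the configured repositories and execute, and a two-part value such as `org.cyclonedx:cyclonedx-maven-plugin` would silently drop the version pin that the `2.7.6` default provides. That flexibility is presumably intended, but a shape check keeps the override pinned and rejects stray whitespace or extra colons: `const COORD_RE = /^[\w.-]+:[\w.-]+:[\w.-]+$/; if (!COORD_RE.test(cdxMavenPlugin)) throw new Error(`Invalid CDX_MAVEN_PLUGIN value: ${cdxMavenPlugin}`);`. A `console.warn` whenever either variable deviates from its default would also make a non-default plugin visible in build logs, which is what a reviewer of a supply-chain tool's output will look for. `CDX_MAVEN_GOAL` deserves the same treatment, since a value containing a colon changes how Maven parses the whole coordinate. `createJavaBom` starts before this hunk and continues after it, so how `mvnArgs` is finally executed is not visible here.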
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cyclonedx/cdxgen",
|
|
3
|
-
"version": "8.2.
|
|
3
|
+
"version": "8.2.4",
|
|
4
4
|
"description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
|
|
5
5
|
"homepage": "http://github.com/cyclonedx/cdxgen",
|
|
6
6
|
"author": "Prabhu Subramanian <prabhu@appthreat.com>",
|
package/utils.js
CHANGED
|
@@ -773,13 +773,22 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
773
773
|
dependsOn: ddeplist
|
|
774
774
|
});
|
|
775
775
|
}
|
|
776
|
-
|
|
776
|
+
let lockfileVersion = yamlObj.lockfileVersion;
|
|
777
|
+
try {
|
|
778
|
+
lockfileVersion = parseInt(lockfileVersion, 10);
|
|
779
|
+
} catch (e) {
|
|
780
|
+
// ignore parse errors
|
|
781
|
+
}
|
|
777
782
|
const packages = yamlObj.packages;
|
|
778
783
|
const pkgKeys = Object.keys(packages);
|
|
779
784
|
for (var k in pkgKeys) {
|
|
780
785
|
// Eg: @babel/code-frame/7.10.1
|
|
781
786
|
// In lockfileVersion 6, /@babel/code-frame@7.18.6
|
|
782
|
-
|
|
787
|
+
let fullName = pkgKeys[k].replace("/@", "@");
|
|
788
|
+
// Handle /vite@4.2.1(@types/node@18.15.11) in lockfileVersion 6
|
|
789
|
+
if (lockfileVersion >= 6 && fullName.includes("(")) {
|
|
790
|
+
fullName = fullName.split("(")[0];
|
|
791
|
+
}
|
|
783
792
|
const parts = fullName.split("/");
|
|
784
793
|
const integrity = packages[pkgKeys[k]].resolution.integrity;
|
|
785
794
|
const deps = packages[pkgKeys[k]].dependencies || [];
|
|
@@ -788,12 +797,14 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
788
797
|
let name = "";
|
|
789
798
|
let version = "";
|
|
790
799
|
let group = "";
|
|
791
|
-
if (lockfileVersion
|
|
800
|
+
if (lockfileVersion >= 6 && fullName.includes("@")) {
|
|
792
801
|
const tmpA = parts[parts.length - 1].split("@");
|
|
793
802
|
group = parts[0];
|
|
794
803
|
if (parts.length === 2 && tmpA.length > 1) {
|
|
795
804
|
name = tmpA[0];
|
|
796
805
|
version = tmpA[1];
|
|
806
|
+
} else {
|
|
807
|
+
console.log(parts, fullName);
|
|
797
808
|
}
|
|
798
809
|
} else {
|
|
799
810
|
if (parts.length === 2) {
|
|
@@ -805,6 +816,13 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
805
816
|
version = parts[2];
|
|
806
817
|
}
|
|
807
818
|
}
|
|
819
|
+
// Let's have some warnings till we fully support pnpm 8
|
|
820
|
+
if (!name) {
|
|
821
|
+
console.warn(
|
|
822
|
+
`Unable to extract name and version for string ${pkgKeys[k]}`
|
|
823
|
+
);
|
|
824
|
+
continue;
|
|
825
|
+
}
|
|
808
826
|
if (group !== "@types" && name.indexOf("file:") !== 0) {
|
|
809
827
|
const purlString = new PackageURL(
|
|
810
828
|
"npm",
|
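Review bot: The `try { lockfileVersion = parseInt(lockfileVersion, 10); } catch (e) { ... }` block in the first hunk can never catch anything, because `parseInt` does not throw: a missing or malformed `lockfileVersion` becomes `NaN`, `lockfileVersion >= 6` is then false, and a v6 lockfile is silently routed through the legacy key parsing, which judging by the `parts[2]` access below does not expect the version embedded in the key. Replace it with an explicit check, `const parsed = Number.parseInt(yamlObj.lockfileVersion, 10); const lockfileVersion = Number.isNaN(parsed) ? 0 : parsed;`, and emit one `console.warn` when the version is unrecognised so that an incomplete SBOM is not produced without an obvious cause. In the second hunk `console.log(parts, fullName);` looks like leftover debugging and writes to stdout; if the BOM is ever emitted on stdout this would corrupt it, so it should become `console.warn` or be dropped, since the `Unable to extract name and version` warning later in the same function already reports that case and skips the entry. `parsePnpmLock` begins and ends outside these hunks.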
package/utils.test.js
CHANGED
|
@@ -1215,6 +1215,18 @@ test("parsePnpmLock", async () => {
|
|
|
1215
1215
|
"sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
|
|
1216
1216
|
properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
|
|
1217
1217
|
});
|
|
1218
|
+
parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock6a.yaml");
|
|
1219
|
+
expect(parsedList.pkgList.length).toEqual(229);
|
|
1220
|
+
expect(parsedList.dependenciesList.length).toEqual(229);
|
|
1221
|
+
expect(parsedList.pkgList[0]).toEqual({
|
|
1222
|
+
group: "@babel",
|
|
1223
|
+
name: "code-frame",
|
|
1224
|
+
version: "7.18.6",
|
|
1225
|
+
scope: "optional",
|
|
1226
|
+
_integrity:
|
|
1227
|
+
"sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
|
|
1228
|
+
properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" }]
|
|
1229
|
+
});
|
|
1218
1230
|
});
|
|
1219
1231
|
|
|
1220
1232
|
test("parseYarnLock", async () => {
|