@cyclonedx/cdxgen 8.3.0 → 8.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/binary.js +15 -6
- package/docker.js +19 -7
- package/package.json +11 -11
- package/utils.js +17 -4
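--- a/package/binary.js
+++ b/package/binary.js
@@ -279,8 +279,12 @@ const getOSPackages = (src) => {
 const bomJsonFile = path.join(tempDir, "trivy-bom.json");
 const args = [
 imageType,
-"--skip-update",
+"--skip-db-update",
+"--skip-java-db-update",
 "--offline-scan",
+"--no-progress",
+"--exit-code",
+"0",
 "--format",
 "cyclonedx",
 "--output",
@@ -302,11 +306,16 @@ const getOSPackages = (src) => {
 }
 }
 if (fs.existsSync(bomJsonFile)) {
-
-
-
-
-
+let tmpBom = {};
+try {
+tmpBom = JSON.parse(
+fs.readFileSync(bomJsonFile, {
+encoding: "utf-8"
+})
+);
+} catch (e) {
+// ignore errors
+}
 // Clean up
 if (tempDir && tempDir.startsWith(os.tmpdir())) {
 if (DEBUG_MODE) {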
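Review bot: The new catch block in the second hunk (new lines 316–318) swallows every error from reading and parsing trivy-bom.json (`// ignore errors`), so a truncated or malformed trivy output leaves tmpBom as `{}` and the scan proceeds as if the image simply had no OS packages — an SBOM that is silently incomplete instead of visibly failed. How tmpBom is consumed after the hunk is not visible, so whether an empty object is handled downstream is inferred. The hunk already gates the cleanup path on DEBUG_MODE, and the same gate can surface the problem without changing behavior for normal runs: `} catch (e) { if (DEBUG_MODE) { console.log("Unable to parse " + bomJsonFile, e); } }`. getOSPackages begins before the first hunk and continues after the second.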
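--- a/package/docker.js
+++ b/package/docker.js
@@ -159,9 +159,11 @@ const getConnection = async (options) => {
 dockerConn = got.extend(opts);
 if (DEBUG_MODE) {
 if (isDockerRootless) {
-console.log("Docker service in rootless mode detected
+console.log("Docker service in rootless mode detected.");
 } else {
-console.log(
+console.log(
+"Docker service in root mode detected. Consider switching to rootless mode to improve security. See https://docs.docker.com/engine/security/rootless/"
+);
 }
 }
 } catch (err) {
@@ -172,7 +174,7 @@ const getConnection = async (options) => {
 dockerConn = got.extend(opts);
 isDockerRootless = true;
 if (DEBUG_MODE) {
-console.log("Docker service in rootless mode detected
+console.log("Docker service in rootless mode detected.");
 }
 return dockerConn;
 } catch (err) {
@@ -185,7 +187,7 @@ const getConnection = async (options) => {
 dockerConn = got.extend(opts);
 isWinLocalTLS = true;
 if (DEBUG_MODE) {
-console.log("Docker desktop on Windows detected
+console.log("Docker desktop on Windows detected.");
 }
 } else {
 opts.prefixUrl = opts.podmanRootlessPrefixUrl;
@@ -194,7 +196,9 @@ const getConnection = async (options) => {
 isPodmanRootless = true;
 dockerConn = got.extend(opts);
 if (DEBUG_MODE) {
-console.log(
+console.log(
+"Podman in rootless mode detected. Thank you for using podman!"
+);
 }
 }
 } catch (err) {
@@ -205,7 +209,9 @@ const getConnection = async (options) => {
 isPodman = true;
 isPodmanRootless = false;
 dockerConn = got.extend(opts);
-console.log(
+console.log(
+"Podman in root mode detected. Consider switching to rootless mode to improve security. See https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md"
+);
 } catch (err) {
 if (os.platform() === "win32") {
 console.warn(
@@ -416,7 +422,13 @@ const extractTar = async (fullImageName, dir) => {
 strict: true,
 C: dir,
 portable: true,
-onwarn: () => {}
+onwarn: () => {},
+filter: (path) => {
+if (path.endsWith("cacerts")) {
+return false;
+}
+return true;
+}
 })
 );
 return true;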
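Review bot: The new `filter` callback in the extractTar hunk rejects any tar entry whose path merely ends with "cacerts", which is broader than a file literally named cacerts (presumably a JRE keystore) and also drops a directory or any unrelated entry carrying that suffix; nothing in the hunk records why these entries are skipped, so a one-line comment stating the reason would keep the next maintainer from treating the filter as dead code. As a matter of style, the parameter named `path` shadows a `path` module import if docker.js has one (not visible in this hunk), and the four-line if/return pair collapses to `filter: (entryPath) => !entryPath.endsWith("cacerts"),`. extractTar's body begins before this hunk.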
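--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "8.3.
+"version": "8.3.1",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -49,8 +49,8 @@
 "url": "https://github.com/cyclonedx/cdxgen/issues"
 },
 "dependencies": {
-"@babel/parser": "^7.
-"@babel/traverse": "^7.
+"@babel/parser": "^7.21.4",
+"@babel/traverse": "^7.21.4",
 "cheerio": "^1.0.0-rc.12",
 "edn-data": "^1.0.0",
 "glob": "^8.1.0",
@@ -59,24 +59,24 @@
 "js-yaml": "^4.1.0",
 "jws": "^4.0.0",
 "node-stream-zip": "^1.15.0",
-"packageurl-js": "^1.0.
+"packageurl-js": "^1.0.2",
 "parse-packagejson-name": "^1.0.1",
 "prettify-xml": "^1.2.0",
 "properties-reader": "^2.2.0",
-"semver": "^7.
+"semver": "^7.5.0",
 "ssri": "^8.0.1",
 "table": "^6.8.1",
 "tar": "^6.1.13",
 "uuid": "^9.0.0",
 "xml-js": "^1.6.11",
 "xmlbuilder": "^15.1.1",
-"yargs": "^17.
+"yargs": "^17.7.1"
 },
 "optionalDependencies": {
-"@cyclonedx/cdxgen-plugins-bin": "^1.0
-"
-"
-"
+"@cyclonedx/cdxgen-plugins-bin": "^1.1.0",
+"body-parser": "^1.20.2",
+"compression": "^1.7.4",
+"connect": "^3.7.0"
 },
 "files": [
 "*.js",
@@ -88,7 +88,7 @@
 "queries.json"
 ],
 "devDependencies": {
-"eslint": "^8.
+"eslint": "^8.39.0",
 "jest": "^26.6.3"
 }
 }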
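--- a/package/utils.js
+++ b/package/utils.js
@@ -4207,8 +4207,13 @@ const extractJarArchive = function (jarFile, tempDir) {
 }
 if (pomname && fs.existsSync(pomname)) {
 tempDir = path.dirname(jarFile);
-} else {
-
+} else if (!fs.existsSync(path.join(tempDir, fname))) {
+// Only copy if the file doesn't exist
+fs.copyFileSync(
+jarFile,
+path.join(tempDir, fname),
+fs.constants.COPYFILE_FICLONE
+);
 }
 if (jarFile.endsWith(".war") || jarFile.endsWith(".hpi")) {
 let jarResult = spawnSync("jar", ["-xf", path.join(tempDir, fname)], {
@@ -4405,7 +4410,11 @@ const addPlugin = function (projectPath, plugin) {
 var originalPluginsFile = null;
 if (fs.existsSync(pluginsFile)) {
 originalPluginsFile = pluginsFile + ".cdxgen";
-fs.copyFileSync(
+fs.copyFileSync(
+pluginsFile,
+originalPluginsFile,
+fs.constants.COPYFILE_FICLONE
+);
 }
 
 fs.writeFileSync(pluginsFile, plugin, { flag: "a" });
@@ -4429,7 +4438,11 @@ const cleanupPlugin = function (projectPath, originalPluginsFile) {
 return !fs.existsSync(pluginsFile);
 } else {
 // Bring back the original file
-fs.copyFileSync(
+fs.copyFileSync(
+originalPluginsFile,
+pluginsFile,
+fs.constants.COPYFILE_FICLONE
+);
 fs.unlinkSync(originalPluginsFile);
 return true;
 }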
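Review bot: The new guard in the extractJarArchive hunk keys only on the basename: if a file named fname is already present in tempDir — for instance left by an earlier archive with the same basename during the same scan — the copy is skipped and the `jar -xf` on the unchanged line below extracts that earlier file's contents rather than the current jarFile, so the resulting components would be attributed to the wrong archive; whether tempDir is shared between jars is not visible here, so this is inferred. At minimum the comment should record the assumption the guard relies on, e.g. `// Only copy if the file doesn't exist (assumes tempDir holds at most one jar per basename)`. The three `COPYFILE_FICLONE` copies here and in the addPlugin/cleanupPlugin hunks are fine as written, since Node falls back to a regular copy where the filesystem cannot reflink. extractJarArchive begins before this hunk.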