@cyclonedx/cdxgen 8.4.0 → 8.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +27 -26
- package/index.js +5 -6
- package/package.json +1 -1
- package/utils.js +20 -13
- package/utils.test.js +7 -4
package/README.md
CHANGED
|
@@ -246,32 +246,33 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
|
|
|
246
246
|
|
|
247
247
|
## Environment variables
|
|
248
248
|
|
|
249
|
-
| Variable
|
|
250
|
-
|
|
|
251
|
-
| SCAN_DEBUG_MODE
|
|
252
|
-
| GITHUB_TOKEN
|
|
253
|
-
| MVN_CMD
|
|
254
|
-
| MVN_ARGS
|
|
255
|
-
| MAVEN_HOME
|
|
256
|
-
| GRADLE_CACHE_DIR
|
|
257
|
-
| GRADLE_MULTI_PROJECT_MODE
|
|
258
|
-
| GRADLE_ARGS
|
|
259
|
-
| GRADLE_HOME
|
|
260
|
-
| GRADLE_CMD
|
|
261
|
-
| GRADLE_DEPENDENCY_TASK
|
|
262
|
-
| SBT_CACHE_DIR
|
|
263
|
-
| FETCH_LICENSE
|
|
264
|
-
| USE_GOSUM
|
|
265
|
-
| CDXGEN_TIMEOUT_MS
|
|
266
|
-
| CDXGEN_SERVER_TIMEOUT_MS
|
|
267
|
-
| BAZEL_TARGET
|
|
268
|
-
| CLJ_CMD
|
|
269
|
-
| LEIN_CMD
|
|
270
|
-
| SBOM_SIGN_ALGORITHM
|
|
271
|
-
| SBOM_SIGN_PRIVATE_KEY
|
|
272
|
-
| SBOM_SIGN_PUBLIC_KEY
|
|
273
|
-
| CDX_MAVEN_PLUGIN
|
|
274
|
-
| CDX_MAVEN_GOAL
|
|
249
|
+
| Variable | Description |
|
|
250
|
+
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------|
|
|
251
|
+
| SCAN_DEBUG_MODE | Set to debug to enable debug messages |
|
|
252
|
+
| GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
|
|
253
|
+
| MVN_CMD | Set to override maven command |
|
|
254
|
+
| MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
|
|
255
|
+
| MAVEN_HOME | Specify maven home |
|
|
256
|
+
| GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving |
|
|
257
|
+
| GRADLE_MULTI_PROJECT_MODE | Set this variable for gradle multi-project applications. Do not use this with recurse mode. |
|
|
258
|
+
| GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath |
|
|
259
|
+
| GRADLE_HOME | Specify gradle home |
|
|
260
|
+
| GRADLE_CMD | Set to override gradle command |
|
|
261
|
+
| GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name. |
|
|
262
|
+
| SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
|
|
263
|
+
| FETCH_LICENSE | Set this variable to fetch license information from the registry. npm and golang only |
|
|
264
|
+
| USE_GOSUM | Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
|
|
265
|
+
| CDXGEN_TIMEOUT_MS | Default timeout for known execution involving maven, gradle or sbt |
|
|
266
|
+
| CDXGEN_SERVER_TIMEOUT_MS | Default timeout in server mode |
|
|
267
|
+
| BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven) |
|
|
268
|
+
| CLJ_CMD | Set to override the clojure cli command |
|
|
269
|
+
| LEIN_CMD | Set to override the leiningen command |
|
|
270
|
+
| SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
|
|
271
|
+
| SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
|
|
272
|
+
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
|
|
273
|
+
| CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" |
|
|
274
|
+
| CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
|
|
275
|
+
| CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true |
|
|
275
276
|
|
|
276
277
|
## Plugins
|
|
277
278
|
|
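--- a/package/index.js
+++ b/package/index.js
@@ -988,13 +988,12 @@ const createJavaBom = async (path, options) => {
 if (pomFiles && pomFiles.length) {
 const cdxMavenPlugin =
 process.env.CDX_MAVEN_PLUGIN ||
-"org.cyclonedx:cyclonedx-maven-plugin:2.7.
+"org.cyclonedx:cyclonedx-maven-plugin:2.7.8";
 const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
-let mvnArgs = [
-
-"-
-
-];
+let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];
+if (utils.includeMavenTestScope) {
+mvnArgs.push("-DincludeTestScope=true");
+}
 // By using quiet mode we can reduce the maxBuffer used and avoid crashes
 if (!DEBUG_MODE) {
 mvnArgs.push("-q");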
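Review bot: The rewritten declaration of `mvnArgs` still uses `let` although the array is only ever `push`ed within the hunk, so `const mvnArgs = [...]` would express the intent better; that holds only if nothing later in createJavaBom reassigns it, and the function body continues past the hunk. The new `if (utils.includeMavenTestScope)` block would read more easily with a one-line comment such as `// -DincludeTestScope is only passed when enabled (the utils flag defaults to true); otherwise the plugin's own default applies`. Note that `cdxMavenPlugin` and `cdxMavenGoal` are taken straight from the environment into the maven invocation; that predates this change, but since the plugin coordinate selects code that maven will download and run, the README entry for CDX_MAVEN_PLUGIN could say that it is trusted as-is.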
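--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "8.4.
+"version": "8.4.1",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",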
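--- a/package/utils.js
+++ b/package/utils.js
@@ -26,6 +26,12 @@ const DEBUG_MODE =
 // Metadata cache
 let metadata_cache = {};
 
+// Whether test scope shall be included for java/maven projects; default, if unset shall be 'true'
+const includeMavenTestScope =
+!process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE ||
+["true", "1"].includes(process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE);
+exports.includeMavenTestScope = includeMavenTestScope;
+
 const MAX_LICENSE_ID_LENGTH = 100;
 
 /**
@@ -1035,18 +1041,19 @@ const parsePom = function (pomFile) {
 let versionStr = undefined;
 if (version && version._ && version._.indexOf("$") == -1) {
 versionStr = version._;
-
-
-
-
-
-
-
-
-
-
-
-
+if (includeMavenTestScope || !adep.scope || adep.scope !== "test")
+deps.push({
+group: adep.groupId ? adep.groupId._ : "",
+name: adep.artifactId ? adep.artifactId._ : "",
+version: versionStr,
+qualifiers: { type: "jar" },
+properties: [
+{
+name: "SrcFile",
+value: pomFile
+}
+]
+});
 }
 }
 }
@@ -1071,7 +1078,7 @@ const parseMavenTree = function (rawOutput) {
 let last_purl = "";
 let stack = [];
 tmpA.forEach((l) => {
-if (l.endsWith(":test")) {
+if (!includeMavenTestScope && l.endsWith(":test")) {
 return;
 }
 let level = 0;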
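Review bot: The scope check on the new `if` in parsePom looks like it compares an object to a string: every other element in that hunk is read through its `_` text property (`adep.groupId._`, `adep.artifactId._`, `version._`), so if `adep.scope` is parsed the same way, `adep.scope !== "test"` is always true and test-scoped dependencies are never filtered out of the pom even when `includeMavenTestScope` is false. Reading the text node first fixes that and makes the redundant `!adep.scope` clause unnecessary: `const scope = adep.scope && adep.scope._ ? adep.scope._ : adep.scope;` followed by `if (includeMavenTestScope || scope !== "test") {` with braces around the multi-line `deps.push`. parsePom and its loop start outside the hunk; as the closing braces read, the push also sits inside the `if (version && …)` block, so dependencies without a literal version are skipped entirely — presumably pre-existing, but worth a comment saying so. In the first hunk `["true", "1"].includes(...)` is case-sensitive, so `CDX_MAVEN_INCLUDE_TEST_SCOPE=True` silently disables test scope; normalising the value with `.toLowerCase()` before the check would avoid that surprise.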
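--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -235,8 +235,8 @@ test("parse maven tree", () => {
 let parsedList = utils.parseMavenTree(
 fs.readFileSync("./test/data/sample-mvn-tree.txt", { encoding: "utf-8" })
 );
-expect(parsedList.pkgList.length).toEqual(
-expect(parsedList.dependenciesList.length).toEqual(
+expect(parsedList.pkgList.length).toEqual(61);
+expect(parsedList.dependenciesList.length).toEqual(61);
 expect(parsedList.pkgList[0]).toEqual({
 group: "com.pogeyan.cmis",
 name: "copper-server",
@@ -259,6 +259,7 @@ test("parse maven tree", () => {
 "pkg:maven/commons-fileupload/commons-fileupload@1.4?type=jar",
 "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.12.0?type=jar",
 "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0?type=jar",
+"pkg:maven/junit/junit@4.12?type=jar",
 "pkg:maven/com.typesafe.akka/akka-actor_2.11@2.4.14?type=jar",
 "pkg:maven/com.typesafe.akka/akka-cluster_2.11@2.4.14?type=jar",
 "pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13?type=jar",
@@ -271,8 +272,8 @@ test("parse maven tree", () => {
 encoding: "utf-8"
 })
 );
-expect(parsedList.pkgList.length).toEqual(
-expect(parsedList.dependenciesList.length).toEqual(
+expect(parsedList.pkgList.length).toEqual(37);
+expect(parsedList.dependenciesList.length).toEqual(37);
 expect(parsedList.pkgList[0]).toEqual({
 group: "com.gitlab.security_products.tests",
 name: "java-maven",
@@ -282,7 +283,9 @@ test("parse maven tree", () => {
 expect(parsedList.dependenciesList[0]).toEqual({
 ref: "pkg:maven/com.gitlab.security_products.tests/java-maven@1.0-SNAPSHOT?type=jar",
 dependsOn: [
+"pkg:maven/org.powermock/powermock-api-mockito@1.7.3?type=jar",
 "pkg:maven/io.netty/netty@3.9.1.Final?type=jar",
+"pkg:maven/junit/junit@3.8.1?type=jar",
 "pkg:maven/org.apache.maven/maven-artifact@3.3.9?type=jar",
 "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2?type=jar",
 "pkg:maven/org.mozilla/rhino@1.7.10?type=jar",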
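Review bot: The updated expectations (61 and 37 entries, the added junit and powermock refs) only exercise the default branch in which `includeMavenTestScope` is true; nothing covers the exclusion path that the `:test` check in parseMavenTree now guards, so a regression there would pass this suite. Because the flag is computed once at module load in utils.js from `process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE`, a test for the other branch has to set the variable and re-require utils (for example inside `jest.isolateModules`) rather than toggling it mid-test, and that is worth a comment next to the new counts so the next person knows why 61 includes test-scoped artifacts. The `test("parse maven tree", …)` block spans all four hunks and begins before the first one.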