@cyclonedx/cdxgen 8.4.1 → 8.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +27 -27
- package/index.js +3 -2
- package/package.json +1 -1
- package/utils.js +28 -23
package/README.md
CHANGED
|
@@ -246,33 +246,33 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
|
|
|
246
246
|
|
|
247
247
|
## Environment variables
|
|
248
248
|
|
|
249
|
-
| Variable | Description
|
|
250
|
-
| ---------------------------- |
|
|
251
|
-
| SCAN_DEBUG_MODE | Set to debug to enable debug messages
|
|
252
|
-
| GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information
|
|
253
|
-
| MVN_CMD | Set to override maven command
|
|
254
|
-
| MVN_ARGS | Set to pass additional arguments such as profile or settings to maven
|
|
255
|
-
| MAVEN_HOME | Specify maven home
|
|
256
|
-
| GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving
|
|
257
|
-
| GRADLE_MULTI_PROJECT_MODE | Set this variable for gradle multi-project applications. Do not use this with recurse mode.
|
|
258
|
-
| GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath
|
|
259
|
-
| GRADLE_HOME | Specify gradle home
|
|
260
|
-
| GRADLE_CMD | Set to override gradle command
|
|
261
|
-
| GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name.
|
|
262
|
-
| SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving
|
|
263
|
-
| FETCH_LICENSE | Set this variable to fetch license information from the registry. npm and golang
|
|
264
|
-
| USE_GOSUM | Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
|
|
265
|
-
| CDXGEN_TIMEOUT_MS | Default timeout for known execution involving maven, gradle or sbt
|
|
266
|
-
| CDXGEN_SERVER_TIMEOUT_MS | Default timeout in server mode
|
|
267
|
-
| BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven)
|
|
268
|
-
| CLJ_CMD | Set to override the clojure cli command
|
|
269
|
-
| LEIN_CMD | Set to override the leiningen command
|
|
270
|
-
| SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc
|
|
271
|
-
| SBOM_SIGN_PRIVATE_KEY | Private key to use for signing
|
|
272
|
-
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature
|
|
273
|
-
| CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8"
|
|
274
|
-
| CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom
|
|
275
|
-
| CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true
|
|
249
|
+
| Variable | Description |
|
|
250
|
+
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
|
|
251
|
+
| SCAN_DEBUG_MODE | Set to `debug` to enable debug messages |
|
|
252
|
+
| GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
|
|
253
|
+
| MVN_CMD | Set to override maven command |
|
|
254
|
+
| MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
|
|
255
|
+
| MAVEN_HOME | Specify maven home |
|
|
256
|
+
| GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving |
|
|
257
|
+
| GRADLE_MULTI_PROJECT_MODE | Set this variable for gradle multi-project applications. Do not use this with recurse mode. |
|
|
258
|
+
| GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath |
|
|
259
|
+
| GRADLE_HOME | Specify gradle home |
|
|
260
|
+
| GRADLE_CMD | Set to override gradle command |
|
|
261
|
+
| GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name. |
|
|
262
|
+
| SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
|
|
263
|
+
| FETCH_LICENSE | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang |
|
|
264
|
+
| USE_GOSUM | Set to `true` or `1` to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
|
|
265
|
+
| CDXGEN_TIMEOUT_MS | Default timeout for known execution involving maven, gradle or sbt |
|
|
266
|
+
| CDXGEN_SERVER_TIMEOUT_MS | Default timeout in server mode |
|
|
267
|
+
| BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven) |
|
|
268
|
+
| CLJ_CMD | Set to override the clojure cli command |
|
|
269
|
+
| LEIN_CMD | Set to override the leiningen command |
|
|
270
|
+
| SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
|
|
271
|
+
| SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
|
|
272
|
+
| SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
|
|
273
|
+
| CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" |
|
|
274
|
+
| CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
|
|
275
|
+
| CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true |
|
|
276
276
|
|
|
277
277
|
## Plugins
|
|
278
278
|
|
package/index.js
CHANGED
|
@@ -2156,8 +2156,9 @@ const createGoBom = async (path, options) => {
|
|
|
2156
2156
|
(options.multiProject ? "**/" : "") + "go.sum"
|
|
2157
2157
|
);
|
|
2158
2158
|
|
|
2159
|
-
// If USE_GOSUM is true, generate BOM components only using go.sum.
|
|
2160
|
-
const useGosum =
|
|
2159
|
+
// If USE_GOSUM is true|1, generate BOM components only using go.sum.
|
|
2160
|
+
const useGosum =
|
|
2161
|
+
process.env.USE_GOSUM && ["true", "1"].includes(process.env.USE_GOSUM);
|
|
2161
2162
|
if (useGosum && gosumFiles.length) {
|
|
2162
2163
|
console.warn(
|
|
2163
2164
|
"Using go.sum to generate BOMs for go projects may return an inaccurate representation of transitive dependencies.\nSee: https://github.com/golang/go/wiki/Modules#is-gosum-a-lock-file-why-does-gosum-include-information-for-module-versions-i-am-no-longer-using\n",
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cyclonedx/cdxgen",
|
|
3
|
-
"version": "8.4.
|
|
3
|
+
"version": "8.4.2",
|
|
4
4
|
"description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
|
|
5
5
|
"homepage": "http://github.com/cyclonedx/cdxgen",
|
|
6
6
|
"author": "Prabhu Subramanian <prabhu@appthreat.com>",
|
package/utils.js
CHANGED
|
@@ -32,6 +32,11 @@ const includeMavenTestScope =
|
|
|
32
32
|
["true", "1"].includes(process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE);
|
|
33
33
|
exports.includeMavenTestScope = includeMavenTestScope;
|
|
34
34
|
|
|
35
|
+
// Whether license information should be fetched
|
|
36
|
+
const fetchLicenses =
|
|
37
|
+
process.env.FETCH_LICENSE &&
|
|
38
|
+
["true", "1"].includes(process.env.FETCH_LICENSE);
|
|
39
|
+
|
|
35
40
|
const MAX_LICENSE_ID_LENGTH = 100;
|
|
36
41
|
|
|
37
42
|
/**
|
|
@@ -345,7 +350,7 @@ const parsePkgJson = async (pkgJsonFile) => {
|
|
|
345
350
|
// continue regardless of error
|
|
346
351
|
}
|
|
347
352
|
}
|
|
348
|
-
if (
|
|
353
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
349
354
|
if (DEBUG_MODE) {
|
|
350
355
|
console.log(
|
|
351
356
|
`About to fetch license information for ${pkgList.length} packages in parsePkgJson`
|
|
@@ -452,7 +457,7 @@ const parsePkgLock = async (pkgLockFile) => {
|
|
|
452
457
|
lockData
|
|
453
458
|
);
|
|
454
459
|
}
|
|
455
|
-
if (
|
|
460
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
456
461
|
if (DEBUG_MODE) {
|
|
457
462
|
console.log(
|
|
458
463
|
`About to fetch license information for ${pkgList.length} packages in parsePkgLock`
|
|
@@ -658,7 +663,7 @@ const parseYarnLock = async function (yarnLockFile) {
|
|
|
658
663
|
}
|
|
659
664
|
});
|
|
660
665
|
}
|
|
661
|
-
if (
|
|
666
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
662
667
|
if (DEBUG_MODE) {
|
|
663
668
|
console.log(
|
|
664
669
|
`About to fetch license information for ${pkgList.length} packages in parseYarnLock`
|
|
@@ -725,7 +730,7 @@ const parseNodeShrinkwrap = async function (swFile) {
|
|
|
725
730
|
}
|
|
726
731
|
}
|
|
727
732
|
}
|
|
728
|
-
if (
|
|
733
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
729
734
|
if (DEBUG_MODE) {
|
|
730
735
|
console.log(
|
|
731
736
|
`About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`
|
|
@@ -880,7 +885,7 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
880
885
|
}
|
|
881
886
|
}
|
|
882
887
|
}
|
|
883
|
-
if (
|
|
888
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
884
889
|
if (DEBUG_MODE) {
|
|
885
890
|
console.log(
|
|
886
891
|
`About to fetch license information for ${pkgList.length} packages in parsePnpmLock`
|
|
@@ -927,7 +932,7 @@ const parseBowerJson = async (bowerJsonFile) => {
|
|
|
927
932
|
// continue regardless of error
|
|
928
933
|
}
|
|
929
934
|
}
|
|
930
|
-
if (
|
|
935
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
931
936
|
if (DEBUG_MODE) {
|
|
932
937
|
console.log(
|
|
933
938
|
`About to fetch license information for ${pkgList.length} packages in parseBowerJson`
|
|
@@ -1001,7 +1006,7 @@ const parseMinJs = async (minJsFile) => {
|
|
|
1001
1006
|
// continue regardless of error
|
|
1002
1007
|
}
|
|
1003
1008
|
}
|
|
1004
|
-
if (
|
|
1009
|
+
if (fetchLicenses && pkgList && pkgList.length) {
|
|
1005
1010
|
if (DEBUG_MODE) {
|
|
1006
1011
|
console.log(
|
|
1007
1012
|
`About to fetch license information for ${pkgList.length} packages in parseMinJs`
|
|
@@ -1538,7 +1543,7 @@ const getMvnMetadata = async function (pkgList) {
|
|
|
1538
1543
|
}
|
|
1539
1544
|
for (const p of pkgList) {
|
|
1540
1545
|
// If the package already has key metadata skip querying maven
|
|
1541
|
-
if (p.group && p.name && p.version && !
|
|
1546
|
+
if (p.group && p.name && p.version && !fetchLicenses) {
|
|
1542
1547
|
cdepList.push(p);
|
|
1543
1548
|
continue;
|
|
1544
1549
|
}
|
|
@@ -1648,7 +1653,7 @@ exports.parsePyRequiresDist = parsePyRequiresDist;
|
|
|
1648
1653
|
* @param {Boolean} fetchIndirectDeps Should we also fetch data about indirect dependencies from pypi
|
|
1649
1654
|
*/
|
|
1650
1655
|
const getPyMetadata = async function (pkgList, fetchIndirectDeps) {
|
|
1651
|
-
if (!
|
|
1656
|
+
if (!fetchLicenses && !fetchIndirectDeps) {
|
|
1652
1657
|
return pkgList;
|
|
1653
1658
|
}
|
|
1654
1659
|
const PYPI_URL = "https://pypi.org/pypi/";
|
|
@@ -2050,7 +2055,7 @@ exports.getGoPkgLicense = getGoPkgLicense;
|
|
|
2050
2055
|
const getGoPkgComponent = async function (group, name, version, hash) {
|
|
2051
2056
|
let pkg = {};
|
|
2052
2057
|
let license = undefined;
|
|
2053
|
-
if (
|
|
2058
|
+
if (fetchLicenses) {
|
|
2054
2059
|
if (DEBUG_MODE) {
|
|
2055
2060
|
console.log(
|
|
2056
2061
|
`About to fetch go package license information for ${group}:${name}`
|
|
@@ -2224,7 +2229,7 @@ const parseGosumData = async function (gosumData) {
|
|
|
2224
2229
|
const version = tmpA[1].replace("/go.mod", "");
|
|
2225
2230
|
const hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
|
|
2226
2231
|
let license = undefined;
|
|
2227
|
-
if (
|
|
2232
|
+
if (fetchLicenses) {
|
|
2228
2233
|
if (DEBUG_MODE) {
|
|
2229
2234
|
console.log(
|
|
2230
2235
|
`About to fetch go package license information for ${name}`
|
|
@@ -2277,7 +2282,7 @@ const parseGopkgData = async function (gopkgData) {
|
|
|
2277
2282
|
case "name":
|
|
2278
2283
|
pkg.group = "";
|
|
2279
2284
|
pkg.name = value;
|
|
2280
|
-
if (
|
|
2285
|
+
if (fetchLicenses) {
|
|
2281
2286
|
pkg.license = await getGoPkgLicense({
|
|
2282
2287
|
group: pkg.group,
|
|
2283
2288
|
name: pkg.name
|
|
@@ -2407,7 +2412,7 @@ const parseGemspecData = async function (gemspecData) {
|
|
|
2407
2412
|
}
|
|
2408
2413
|
});
|
|
2409
2414
|
pkgList = [pkg];
|
|
2410
|
-
if (
|
|
2415
|
+
if (fetchLicenses) {
|
|
2411
2416
|
return await getRubyGemsMetadata(pkgList);
|
|
2412
2417
|
} else {
|
|
2413
2418
|
return pkgList;
|
|
@@ -2456,7 +2461,7 @@ const parseGemfileLockData = async function (gemLockData) {
|
|
|
2456
2461
|
specsFound = false;
|
|
2457
2462
|
}
|
|
2458
2463
|
});
|
|
2459
|
-
if (
|
|
2464
|
+
if (fetchLicenses) {
|
|
2460
2465
|
return await getRubyGemsMetadata(pkgList);
|
|
2461
2466
|
} else {
|
|
2462
2467
|
return pkgList;
|
|
@@ -2623,7 +2628,7 @@ const parseCargoTomlData = async function (cargoData) {
|
|
|
2623
2628
|
if (pkg) {
|
|
2624
2629
|
pkgList.push(pkg);
|
|
2625
2630
|
}
|
|
2626
|
-
if (
|
|
2631
|
+
if (fetchLicenses) {
|
|
2627
2632
|
return await getCratesMetadata(pkgList);
|
|
2628
2633
|
} else {
|
|
2629
2634
|
return pkgList;
|
|
@@ -2671,7 +2676,7 @@ const parseCargoData = async function (cargoData) {
|
|
|
2671
2676
|
}
|
|
2672
2677
|
}
|
|
2673
2678
|
});
|
|
2674
|
-
if (
|
|
2679
|
+
if (fetchLicenses) {
|
|
2675
2680
|
return await getCratesMetadata(pkgList);
|
|
2676
2681
|
} else {
|
|
2677
2682
|
return pkgList;
|
|
@@ -2700,7 +2705,7 @@ const parseCargoAuditableData = async function (cargoData) {
|
|
|
2700
2705
|
});
|
|
2701
2706
|
}
|
|
2702
2707
|
});
|
|
2703
|
-
if (
|
|
2708
|
+
if (fetchLicenses) {
|
|
2704
2709
|
return await getCratesMetadata(pkgList);
|
|
2705
2710
|
} else {
|
|
2706
2711
|
return pkgList;
|
|
@@ -2740,7 +2745,7 @@ const parsePubLockData = async function (pubLockData) {
|
|
|
2740
2745
|
}
|
|
2741
2746
|
}
|
|
2742
2747
|
});
|
|
2743
|
-
if (
|
|
2748
|
+
if (fetchLicenses) {
|
|
2744
2749
|
return await getDartMetadata(pkgList);
|
|
2745
2750
|
} else {
|
|
2746
2751
|
return pkgList;
|
|
@@ -3434,7 +3439,7 @@ const parseNupkg = async function (nupkgFile) {
|
|
|
3434
3439
|
}
|
|
3435
3440
|
];
|
|
3436
3441
|
pkgList.push(pkg);
|
|
3437
|
-
if (
|
|
3442
|
+
if (fetchLicenses) {
|
|
3438
3443
|
return await getNugetMetadata(pkgList);
|
|
3439
3444
|
} else {
|
|
3440
3445
|
return pkgList;
|
|
@@ -3466,7 +3471,7 @@ const parseCsPkgData = async function (pkgData) {
|
|
|
3466
3471
|
pkg.version = p.version;
|
|
3467
3472
|
pkgList.push(pkg);
|
|
3468
3473
|
}
|
|
3469
|
-
if (
|
|
3474
|
+
if (fetchLicenses) {
|
|
3470
3475
|
return await getNugetMetadata(pkgList);
|
|
3471
3476
|
} else {
|
|
3472
3477
|
return pkgList;
|
|
@@ -3521,7 +3526,7 @@ const parseCsProjData = async function (csProjData) {
|
|
|
3521
3526
|
}
|
|
3522
3527
|
}
|
|
3523
3528
|
}
|
|
3524
|
-
if (
|
|
3529
|
+
if (fetchLicenses) {
|
|
3525
3530
|
return await getNugetMetadata(pkgList);
|
|
3526
3531
|
} else {
|
|
3527
3532
|
return pkgList;
|
|
@@ -3561,7 +3566,7 @@ const parseCsProjAssetsData = async function (csProjData) {
|
|
|
3561
3566
|
pkgList.push(pkg);
|
|
3562
3567
|
}
|
|
3563
3568
|
}
|
|
3564
|
-
if (
|
|
3569
|
+
if (fetchLicenses) {
|
|
3565
3570
|
return await getNugetMetadata(pkgList);
|
|
3566
3571
|
} else {
|
|
3567
3572
|
return pkgList;
|
|
@@ -3590,7 +3595,7 @@ const parseCsPkgLockData = async function (csLockData) {
|
|
|
3590
3595
|
pkgList.push(pkg);
|
|
3591
3596
|
}
|
|
3592
3597
|
}
|
|
3593
|
-
if (
|
|
3598
|
+
if (fetchLicenses) {
|
|
3594
3599
|
return await getNugetMetadata(pkgList);
|
|
3595
3600
|
} else {
|
|
3596
3601
|
return pkgList;
|