@cyclonedx/cdxgen 8.5.3 → 8.6.1

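--- a/package/README.md
+++ b/package/README.md
@@ -8,40 +8,40 @@ When used with plugins, cdxgen could generate an SBoM for Linux docker images an
 
 ## Supported languages and package format
 
-| Language/Platform | Package format | Transitive dependencies |
-| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
-| node.js | npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js | Yes except .min.js |
-| java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel | Yes unless pom.xml is manually parsed due to unavailability of maven or errors |
-| php | composer.lock | Yes |
-| python | setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info | Only with Pipfile.lock and poetry.lock |
-| go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary |
-| ruby | Gemfile.lock, gemspec | Only for Gemfile.lock |
-| rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock |
-| .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg | Only for project.assets.json, packages.lock.json |
-| dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock |
-| haskell | cabal.project.freeze | Yes |
-| elixir | mix.lock | Yes |
-| c/c++ | conan.lock, conanfile.txt | Yes only for conan.lock |
-| clojure | Clojure CLI (deps.edn), Leiningen (project.clj) | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command |
-| swift | Package.resolved, Package.swift (swiftpm) | Yes |
-| docker / oci image | All supported languages. Linux OS packages with plugins [4] | Best effort based on lock files |
-| GitHub Actions | .github/workflows/\*.yml | N/A |
-| Linux | All supported languages. Linux OS packages with plugins [5] | Best effort based on lock files |
-| Windows | All supported languages. OS packages with best effort [5] | Best effort based on lock files |
-| Jenkins Plugins | .hpi files | |
-| Helm Charts | .yaml | N/A |
-| Skaffold | .yaml | N/A |
-| kustomization | .yaml | N/A |
-| Tekton tasks | .yaml | N/A |
-| Kubernetes | .yaml | N/A |
-| Maven Cache | $HOME/.m2/repository/\*\*/\*.jar | N/A |
-| SBT Cache | $HOME/.ivy2/cache/\*\*/\*.jar | N/A |
-| Gradle Cache | $HOME/caches/modules-2/files-2.1/\*\*/\*.jar | N/A |
-| Helm Index | $HOME/.cache/helm/repository/\*\*/\*.yaml | N/A |
-| Docker compose | docker-compose\*.yml. Images would also be scanned. | N/A |
-| Google CloudBuild configuration | cloudbuild.yaml | N/A |
-| OpenAPI | openapi\*.json, openapi\*.yaml | N/A |
-| [Privado](https://www.privado.ai?utm_source=cyclonedx) | privado.json | Data and service information will be included. Use with universal mode. |
+| Language/Platform | Package format | Transitive dependencies |
+| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| node.js | npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js | Yes except .min.js |
+| java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel | Yes unless pom.xml is manually parsed due to unavailability of maven or errors |
+| php | composer.lock | Yes |
+| python | pyproject.toml, setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info | Yes using the automatic pip install/freeze. When disabled, only with Pipfile.lock and poetry.lock |
+| go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary |
+| ruby | Gemfile.lock, gemspec | Only for Gemfile.lock |
+| rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock |
+| .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg | Only for project.assets.json, packages.lock.json |
+| dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock |
+| haskell | cabal.project.freeze | Yes |
+| elixir | mix.lock | Yes |
+| c/c++ | conan.lock, conanfile.txt | Yes only for conan.lock |
+| clojure | Clojure CLI (deps.edn), Leiningen (project.clj) | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command |
+| swift | Package.resolved, Package.swift (swiftpm) | Yes |
+| docker / oci image | All supported languages. Linux OS packages with plugins [4] | Best effort based on lock files |
+| GitHub Actions | .github/workflows/\*.yml | N/A |
+| Linux | All supported languages. Linux OS packages with plugins [5] | Best effort based on lock files |
+| Windows | All supported languages. OS packages with best effort [5] | Best effort based on lock files |
+| Jenkins Plugins | .hpi files | |
+| Helm Charts | .yaml | N/A |
+| Skaffold | .yaml | N/A |
+| kustomization | .yaml | N/A |
+| Tekton tasks | .yaml | N/A |
+| Kubernetes | .yaml | N/A |
+| Maven Cache | $HOME/.m2/repository/\*\*/\*.jar | N/A |
+| SBT Cache | $HOME/.ivy2/cache/\*\*/\*.jar | N/A |
+| Gradle Cache | $HOME/caches/modules-2/files-2.1/\*\*/\*.jar | N/A |
+| Helm Index | $HOME/.cache/helm/repository/\*\*/\*.yaml | N/A |
+| Docker compose | docker-compose\*.yml. Images would also be scanned. | N/A |
+| Google CloudBuild configuration | cloudbuild.yaml | N/A |
+| OpenAPI | openapi\*.json, openapi\*.yaml | N/A |
+| [Privado](https://www.privado.ai?utm_source=cyclonedx) | privado.json | Data and service information will be included. Use with universal mode. |
 
 NOTE:
 
@@ -117,6 +117,10 @@ Options:
 --server Run cdxgen as a server [boolean]
 --server-host Listen address [default: "127.0.0.1"]
 --server-port Listen port [default: "9090"]
+--install-deps Install dependencies automatically for some
+projects. Defaults to true but disabled for
+containers and oci scans. Use --no-install-deps
+to disable this feature.[boolean] [default: true]
 --version Show version number [boolean]
 -h Show help [boolean]
 ```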
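--- a/package/bin/cdxgen
+++ b/package/bin/cdxgen
@@ -87,6 +87,12 @@ const args = require("yargs")
 description: "Listen port",
 default: "9090"
 })
+.option("install-deps", {
+type: "boolean",
+default: true,
+description:
+"Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature."
+})
 .scriptName("cdxgen")
 .version()
 .help("h").argv;
@@ -125,12 +131,11 @@ if (!args.projectName) {
 * multiProject: Boolean to indicate monorepo or multi-module projects
 */
 let options = {
-dev: true,
 projectType: args.type,
 multiProject: args.recurse,
 output: args.output,
 resolveClass: args.resolveClass,
-installDeps: true,
+installDeps: args.installDeps,
 requiredOnly: args.requiredOnly,
 failOnError: args.failOnError,
 noBabel: args.noBabel || args.babel === false,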
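Review bot: `installDeps: args.installDeps` combined with `default: true` on the new `install-deps` option means a plain `cdxgen` run against a checked-out project installs that project's dependencies on the scanning host unless the operator already knows to pass `--no-install-deps`; for Python the README in this same release says this is an automatic `pip install`, which can execute the scanned project's setup.py/build hooks and any dependency's install-time code. SBOM generators are routinely pointed at third-party or untrusted repositories in CI, so the option's description should say that plainly instead of only "for some projects", e.g. `"Install dependencies automatically by running the project's package manager (this executes setup/build hooks from the scanned code). Defaults to true except for container/oci scans; pass --no-install-deps when scanning untrusted sources."`. The container/oci exception mentioned in the description is not visible in this file — presumably applied downstream — so it is worth confirming that `args.installDeps` being true is actually overridden there. The same hunk also drops `dev: true` from `options` without a replacement flag, which presumably changes whether dev-only dependencies land in the BOM and deserves a changelog line if intentional. The `options` object literal continues past the end of the hunk.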
@@ -0,0 +1,31 @@
1
+ [
2
+ { "license": "Apache-2.0", "group": "cloud.google.com", "name": "go" },
3
+ { "license": "Apache-2.0", "group": "cloud.google.com/go", "name": "*" },
4
+ { "license": "Apache-2.0", "group": "cuelang.org", "name": "go" },
5
+ { "license": "MIT", "group": "pack.ag", "name": "amqp" },
6
+ { "license": "Apache-2.0", "group": "google.golang.org", "name": "*" },
7
+ { "license": "BSD-3-Clause", "group": "golang.org/x", "name": "*" },
8
+ {
9
+ "license": "BSD-3-Clause",
10
+ "group": "dmitri.shuralyov.com/gpu",
11
+ "name": "*"
12
+ },
13
+ { "license": "Apache-2.0", "group": "contrib.go.opencensus.io", "name": "*" },
14
+ { "license": "Apache-2.0", "group": "git.apache.org", "name": "*" },
15
+ { "license": "Apache-2.0", "group": ".", "name": "go.opencensus.io" },
16
+ { "license": "MIT", "group": "sigs.k8s.io", "name": "*" },
17
+ { "license": "BSD-3-Clause", "group": "rsc.io", "name": "*" },
18
+ { "license": "Apache-2.0", "group": "openpitrix.io", "name": "*" },
19
+ { "license": "BSD-3-Clause", "group": "modernc.org", "name": "*" },
20
+ { "license": "Apache-2.0", "group": "kubesphere.io", "name": "*" },
21
+ { "license": "Apache-2.0", "group": "k8s.io", "name": "*" },
22
+ { "license": "Apache-2.0", "group": "istio.io", "name": "*" },
23
+ { "license": "MIT", "group": "honnef.co/go", "name": "*" },
24
+ { "license": "Apache-2.0", "group": ".", "name": "gotest.tools" },
25
+ { "license": "Apache-2.0", "group": "gopkg.in", "name": "*" },
26
+ { "license": "Apache-2.0", "group": "code.cloudfoundry.org", "name": "*" },
27
+ { "license": "BSD-3-Clause", "group": "gonum.org/v1", "name": "*" },
28
+ { "license": "Apache-2.0", "group": "gomodules.xyz/jsonpatch", "name": "*" },
29
+ { "license": "MIT", "group": "go.uber.org", "name": "*" },
30
+ { "license": "MIT", "group": "go.etcd.io", "name": "*" }
31
+ ]
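Review bot: Several rows assign a single license to a whole import host via `"name": "*"`, and at least `{ "license": "Apache-2.0", "group": "gopkg.in", "name": "*" }` is too broad — gopkg.in is only a versioned redirect in front of arbitrary GitHub repositories whose licenses vary, so this table will stamp a confident but wrong license onto some components in the generated BOM. `{ "license": "MIT", "group": "sigs.k8s.io", "name": "*" }` also looks suspect, since the kubernetes-sigs projects I am aware of are Apache-2.0; please verify both before release. Because JSON carries no comments, the safer shape is to narrow wildcard rows to explicit module names where the license really is uniform, and to have the consumer of this table mark such matches as heuristic rather than as a declared license. The path of this new file is not shown in the diff.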
@@ -22,12 +22,7 @@
22
22
  },
23
23
  {
24
24
  "exp": "0BSD",
25
- "names": [
26
- "Zero-Clause BSD",
27
- "BSD",
28
- "BSD License",
29
- "BSD-like"
30
- ]
25
+ "names": ["Zero-Clause BSD", "BSD", "BSD License", "BSD-like"]
31
26
  },
32
27
  {
33
28
  "exp": "BSD-2-Clause",
@@ -70,22 +65,15 @@
70
65
  },
71
66
  {
72
67
  "exp": "(CDDL-1.0 OR GPL-2.0-with-classpath-exception)",
73
- "names": [
74
- "CDDL + GPLv2 with classpath exception",
75
- "CDDL/GPLv2+CE"
76
- ]
68
+ "names": ["CDDL + GPLv2 with classpath exception", "CDDL/GPLv2+CE"]
77
69
  },
78
70
  {
79
71
  "exp": "CDDL-1.1",
80
- "names": [
81
- "CDDL 1.1"
82
- ]
72
+ "names": ["CDDL 1.1"]
83
73
  },
84
74
  {
85
75
  "exp": "(CDDL-1.1 OR GPL-2.0-only)",
86
- "names": [
87
- "Dual license consisting of the CDDL v1.1 and GPL v2"
88
- ]
76
+ "names": ["Dual license consisting of the CDDL v1.1 and GPL v2"]
89
77
  },
90
78
  {
91
79
  "exp": "EPL-1.0",
@@ -114,15 +102,11 @@
114
102
  },
115
103
  {
116
104
  "exp": "ECL-1.0",
117
- "names": [
118
- "Educational Community License, Version 1.0"
119
- ]
105
+ "names": ["Educational Community License, Version 1.0"]
120
106
  },
121
107
  {
122
108
  "exp": "ECL-2.0",
123
- "names": [
124
- "Educational Community License, Version 2.0"
125
- ]
109
+ "names": ["Educational Community License, Version 2.0"]
126
110
  },
127
111
  {
128
112
  "exp": "LGPL-2.0-only",
@@ -261,34 +245,22 @@
261
245
  },
262
246
  {
263
247
  "exp": "MPL-1.1",
264
- "names": [
265
- "MPL 1.1"
266
- ]
248
+ "names": ["MPL 1.1"]
267
249
  },
268
250
  {
269
251
  "exp": "MPL-2.0",
270
- "names": [
271
- "MPL 2.0",
272
- "Mozilla Public License 2.0"
273
- ]
252
+ "names": ["MPL 2.0", "Mozilla Public License 2.0"]
274
253
  },
275
254
  {
276
255
  "exp": "NetCDF",
277
- "names": [
278
- "(MIT-style) netCDF C library license"
279
- ]
256
+ "names": ["(MIT-style) netCDF C library license"]
280
257
  },
281
258
  {
282
259
  "exp": "JSON",
283
- "names": [
284
- "The JSON License",
285
- "JSON License"
286
- ]
260
+ "names": ["The JSON License", "JSON License"]
287
261
  },
288
262
  {
289
263
  "exp": "ISC",
290
- "names": [
291
- "ISC license"
292
- ]
264
+ "names": ["ISC license"]
293
265
  }
294
266
  ]