@cyclonedx/cdxgen 9.1.1 → 9.2.1
- package/README.md +18 -5
- package/bin/cdxgen.js +19 -5
- package/binary.js +4 -10
- package/data/bom-1.4.schema.json +1605 -0
- package/data/pypi-pkg-aliases.json +487 -485
- package/docker.js +1 -9
- package/index.js +313 -243
- package/package.json +1 -1
- package/utils.js +82 -35
- package/utils.test.js +34 -9
- package/validator.js +199 -0
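--- a/package/README.md
+++ b/package/README.md
@@ -8,7 +8,7 @@ When used with plugins, cdxgen could generate an SBoM for Linux docker images an
 
 NOTE:
 
-CycloneDX 1.5 specification is brand new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility.
+CycloneDX 1.5 specification is brand new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 
 ## Supported languages and package format
 
@@ -80,7 +80,7 @@ For go, `go mod why` command is used to identify required packages. For php, com
 ```shell
 sudo npm install -g @cyclonedx/cdxgen
 
-# For CycloneDX 1.4 compatibility use version 8.6.0
+# For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
 sudo npm install -g @cyclonedx/cdxgen@8.6.0
 ```
 
@@ -118,7 +118,9 @@ Options:
 -o, --output Output file for bom.xml or bom.json. Default bom.
 json
 -t, --type Project type
--r, --recurse Recurse mode suitable for mono-repos
+-r, --recurse Recurse mode suitable for mono-repos. Defaults to
+true. Pass --no-recurse to disable.
+[boolean] [default: true]
 -p, --print Print the SBoM as a table with tree. Defaults to
 true if output file is not specified with -o
 [boolean]
@@ -150,12 +152,17 @@ Options:
 cts. Defaults to true but disabled for containers
 and oci scans. Use --no-install-deps to disable
 this feature. [boolean] [default: true]
---validate Validate the generated SBoM using json schema.
-
+--validate Validate the generated SBoM using json schema. De
+faults to true. Pass --no-validate to disable.
+[boolean] [default: true]
+--spec-version CycloneDX Specification version to use. Defaults
+to 1.5 [default: 1.5]
 --version Show version number [boolean]
 -h Show help [boolean]
 ```
 
+All boolean arguments accepts `--no` prefix to toggle the behavior.
+
 ## Example
 
 Minimal example.
@@ -182,6 +189,12 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
+To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
+
+```shell
+cdxgen -r -o bom.json --spec-version 1.4
+```
+
 ## Universal SBoM
 
 By passing the type `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container and kubernetes manifests. The resulting SBoM could have over thousand components thus requiring additional triaging before use with traditional SCA tools.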
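--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
-import { createBom, submitBom
+import { createBom, submitBom } from "../index.js";
+import { validateBom } from "../validator.js";
 import fs from "node:fs";
 import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
@@ -33,7 +34,9 @@ const args = yargs(hideBin(process.argv))
 .option("recurse", {
 alias: "r",
 type: "boolean",
-
+default: true,
+description:
+"Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable."
 })
 .option("print", {
 alias: "p",
@@ -109,8 +112,13 @@ const args = yargs(hideBin(process.argv))
 })
 .option("validate", {
 type: "boolean",
-default:
-description:
+default: true,
+description:
+"Validate the generated SBoM using json schema. Defaults to true. Pass --no-validate to disable."
+})
+.option("spec-version", {
+description: "CycloneDX Specification version to use. Defaults to 1.5",
+default: 1.5
 })
 .scriptName("cdxgen")
 .version()
@@ -144,6 +152,11 @@ if (!args.projectName) {
 }
 }
 
+// To help dependency track users, we downgrade the spec version to 1.4 automatically
+if (args.serverUrl || args.apiKey) {
+args.specVersion = 1.4;
+}
+
 /**
 * projectType: python, nodejs, java, golang
 * multiProject: Boolean to indicate monorepo or multi-module projects
@@ -165,7 +178,8 @@ const options = {
 projectVersion: args.projectVersion,
 server: args.server,
 serverHost: args.serverHost,
-serverPort: args.serverPort
+serverPort: args.serverPort,
+specVersion: args.specVersion
 };
 
 /**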
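Review bot: The downgrade in the `@@ -144,6 +152,11 @@` hunk silently discards an explicit `--spec-version`: `args.specVersion = 1.4;` runs whenever `args.serverUrl` or `args.apiKey` is set, so a user who passes `--spec-version 1.5` together with a server URL gets a 1.4 document and no message about it. Since yargs cannot distinguish the default `1.5` from an explicitly passed one here, the override should at least be visible, e.g. `console.log("Server submission requested; using CycloneDX spec version 1.4");` inside the `if`, so the mismatch between the flag and the produced document can be diagnosed. The `spec-version` option added in the `@@ -109,8 +112,13 @@` hunk declares no `type`, so the value arrives as a number (`1.4`, not `"1.4"`); that presumably matches what `createBom` expects, but it is worth confirming it is not compared against a string elsewhere. The `const args = yargs(...)` chain and the `options` object both begin outside these hunks.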
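--- a/package/binary.js
+++ b/package/binary.js
@@ -3,6 +3,7 @@ import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { join, dirname, basename } from "node:path";
 import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
+import { DEBUG_MODE } from "./utils.js";
 
 import { fileURLToPath } from "node:url";
 import path from "node:path";
@@ -15,13 +16,6 @@ const dirName = import.meta ? path.dirname(fileURLToPath(url)) : __dirname;
 
 const isWin = _platform() === "win32";
 
-// Debug mode flag
-const DEBUG_MODE =
-process.env.CDXGEN_DEBUG_MODE === "debug" ||
-process.env.SCAN_DEBUG_MODE === "debug" ||
-process.env.SHIFTLEFT_LOGGING_LEVEL === "debug" ||
-process.env.NODE_ENV === "development";
-
 let platform = _platform();
 let extn = "";
 if (platform == "win32") {
@@ -388,7 +382,7 @@ export const getOSPackages = (src) => {
 purlObj.qualifiers,
 purlObj.subpath
 ).toString();
-comp["bom-ref"] = comp.purl;
+comp["bom-ref"] = decodeURIComponent(comp.purl);
 }
 if (purlObj.type !== "none") {
 allTypes.add(purlObj.type);
@@ -430,7 +424,7 @@ export const getOSPackages = (src) => {
 purlObj.qualifiers,
 purlObj.subpath
 ).toString();
-comp["bom-ref"] = comp.purl;
+comp["bom-ref"] = decodeURIComponent(comp.purl);
 }
 }
 } catch (err) {
@@ -474,7 +468,7 @@ export const getOSPackages = (src) => {
 purlObj.subpath
 ).toString();
 }
-newComp["bom-ref"] = newComp.purl;
+newComp["bom-ref"] = decodeURIComponent(newComp.purl);
 pkgList.push(newComp);
 }
 }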
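Review bot: `decodeURIComponent` throws a `URIError` on a malformed percent sequence, and the three new `bom-ref` assignments (hunks at `-388`, `-430` and `-474`) call it on `comp.purl` / `newComp.purl` without a guard. The purls are built by `PackageURL(...).toString()`, so the encoding should normally be well-formed, and the second site is visibly inside a `try` that ends at `} catch (err) {`, but the surrounding context of the other two sites — and the body of `getOSPackages`, which starts before every hunk — is outside the diff, so a throw there could abort the whole OS package listing for one odd name or qualifier. Decoding also maps an encoded and an unencoded character to the same `bom-ref`, and bom-refs are expected to be unique within a BOM, which is worth a comment at the first site. A small wrapper that falls back to the raw purl keeps the listing robust and documents the intent; the same helper would serve all three sites.
```javascript
// bom-ref is the decoded purl for readability; a malformed percent sequence
// must not abort the listing, so fall back to the raw purl in that case.
const toBomRef = (purl) => {
  try {
    return decodeURIComponent(purl);
  } catch (err) {
    return purl;
  }
};
// … unchanged: getOSPackages up to the purl construction …
comp["bom-ref"] = toBomRef(comp.purl);
```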