@cyclonedx/cdxgen 9.2.0 → 9.2.2
- package/README.md +8 -3
- package/bin/cdxgen.js +5 -3
- package/index.js +11 -25
- package/package.json +1 -1
- package/utils.js +15 -3
- package/validator.js +8 -3
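--- a/package/README.md
+++ b/package/README.md
@@ -118,7 +118,9 @@ Options:
 -o, --output Output file for bom.xml or bom.json. Default bom.
 json
 -t, --type Project type
--r, --recurse Recurse mode suitable for mono-repos
+-r, --recurse Recurse mode suitable for mono-repos. Defaults to
+true. Pass --no-recurse to disable.
+[boolean] [default: true]
 -p, --print Print the SBoM as a table with tree. Defaults to
 true if output file is not specified with -o
 [boolean]
@@ -151,13 +153,16 @@ Options:
 and oci scans. Use --no-install-deps to disable
 this feature. [boolean] [default: true]
 --validate Validate the generated SBoM using json schema. De
-faults to true.
+faults to true. Pass --no-validate to disable.
+[boolean] [default: true]
 --spec-version CycloneDX Specification version to use. Defaults
-to 1.5
+to 1.5 [default: 1.5]
 --version Show version number [boolean]
 -h Show help [boolean]
 ```
 
+All boolean arguments accepts `--no` prefix to toggle the behavior.
+
 ## Example
 
 Minimal example.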
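--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -34,7 +34,9 @@ const args = yargs(hideBin(process.argv))
 .option("recurse", {
 alias: "r",
 type: "boolean",
-
+default: true,
+description:
+"Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable."
 })
 .option("print", {
 alias: "p",
@@ -112,11 +114,11 @@ const args = yargs(hideBin(process.argv))
 type: "boolean",
 default: true,
 description:
-"Validate the generated SBoM using json schema. Defaults to true."
+"Validate the generated SBoM using json schema. Defaults to true. Pass --no-validate to disable."
 })
 .option("spec-version", {
 description: "CycloneDX Specification version to use. Defaults to 1.5",
-default:
+default: 1.5
 })
 .scriptName("cdxgen")
 .version()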
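Review bot: `default: 1.5` on the `spec-version` option in the -112 hunk is a number, and the option declares no `type`, so yargs parses number-like arguments such as `--spec-version 1.4` as numbers too; if the rest of the tool compares `options.specVersion` against string literals like `"1.4"` (not visible here), those comparisons fail silently and the requested schema version is ignored. Declaring the option explicitly, `type: "string", default: "1.5"`, fixes the value shape regardless of how the argument is parsed. Separately, flipping `recurse` to `default: true` in the -34 hunk changes the behaviour of every existing invocation that omitted `-r` — nested projects under the scanned path are now visited, and the build tooling that other files in this diff invoke for them (e.g. gradle properties) runs there too — which is worth a changelog entry alongside the README update.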
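--- a/package/index.js
+++ b/package/index.js
@@ -1312,6 +1312,7 @@ export const createJavaBom = async (path, options) => {
 // Bug #317 fix
 parentComponent.components = allProjects.flatMap((s) => {
 delete s.qualifiers;
+delete s.evidence;
 return s;
 });
 dependencies.push({
@@ -3787,6 +3788,7 @@ export const createMultiXBom = async (pathList, options) => {
 ) {
 parentSubComponents.push(bomData.parentComponent);
 }
+// Retain metadata.component.components
 if (
 bomData.parentComponent.components &&
 bomData.parentComponent.components.length
@@ -3819,6 +3821,15 @@ export const createMultiXBom = async (pathList, options) => {
 ) {
 parentSubComponents.push(bomData.parentComponent);
 }
+// Retain metadata.component.components
+if (
+bomData.parentComponent.components &&
+bomData.parentComponent.components.length
+) {
+parentSubComponents = parentSubComponents.concat(
+bomData.parentComponent.components
+);
+}
 componentsXmls = componentsXmls.concat(
 listComponents(options, {}, bomData.bomJson.components, "maven", "xml")
 );
@@ -4581,23 +4592,18 @@ export const createBom = async (path, options) => {
 case "mvn":
 case "maven":
 case "sbt":
-options.multiProject = true;
 return await createJavaBom(path, options);
 case "jar":
-options.multiProject = true;
 return createJarBom(path, options);
 case "gradle-index":
 case "gradle-cache":
-options.multiProject = true;
 return createJarBom(GRADLE_CACHE_DIR, options);
 case "sbt-index":
 case "sbt-cache":
-options.multiProject = true;
 return createJarBom(SBT_CACHE_DIR, options);
 case "maven-index":
 case "maven-cache":
 case "maven-repo":
-options.multiProject = true;
 return createJarBom(join(homedir(), ".m2", "repository"), options);
 case "nodejs":
 case "js":
@@ -4605,78 +4611,61 @@ export const createBom = async (path, options) => {
 case "typescript":
 case "ts":
 case "tsx":
-options.multiProject = true;
 return await createNodejsBom(path, options);
 case "python":
 case "py":
-options.multiProject = true;
 return await createPythonBom(path, options);
 case "go":
 case "golang":
-options.multiProject = true;
 return await createGoBom(path, options);
 case "rust":
 case "rust-lang":
-options.multiProject = true;
 return await createRustBom(path, options);
 case "php":
-options.multiProject = true;
 return createPHPBom(path, options);
 case "ruby":
-options.multiProject = true;
 return await createRubyBom(path, options);
 case "csharp":
 case "netcore":
 case "dotnet":
-options.multiProject = true;
 return await createCsharpBom(path, options);
 case "dart":
 case "flutter":
 case "pub":
-options.multiProject = true;
 return await createDartBom(path, options);
 case "haskell":
 case "hackage":
 case "cabal":
-options.multiProject = true;
 return createHaskellBom(path, options);
 case "elixir":
 case "hex":
 case "mix":
-options.multiProject = true;
 return createElixirBom(path, options);
 case "c":
 case "cpp":
 case "c++":
 case "conan":
-options.multiProject = true;
 return createCppBom(path, options);
 case "clojure":
 case "edn":
 case "clj":
 case "leiningen":
-options.multiProject = true;
 return createClojureBom(path, options);
 case "github":
 case "actions":
-options.multiProject = true;
 return createGitHubBom(path, options);
 case "os":
 case "osquery":
 case "windows":
 case "linux":
-options.multiProject = true;
 return await createOSBom(path, options);
 case "jenkins":
-options.multiProject = true;
 return await createJenkinsBom(path, options);
 case "helm":
 case "charts":
-options.multiProject = true;
 return createHelmBom(path, options);
 case "helm-index":
 case "helm-repo":
-options.multiProject = true;
 return createHelmBom(
 join(homedir(), ".cache", "helm", "repository"),
 options
@@ -4691,13 +4680,10 @@ export const createBom = async (path, options) => {
 case "kubernetes":
 case "openshift":
 case "yaml-manifest":
-options.multiProject = true;
 return await createContainerSpecLikeBom(path, options);
 case "cloudbuild":
-options.multiProject = true;
 return createCloudBuildBom(path, options);
 case "swift":
-options.multiProject = true;
 return createSwiftBom(path, options);
 default:
 // In recurse mode return multi-language Bom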
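Review bot: Dropping `options.multiProject = true;` from every `createBom` case (the -4581, -4605 and -4691 hunks) makes multi-project handling depend entirely on the caller populating `options.multiProject`; `createBom` is an exported function, so consumers that import it directly and never set that flag silently change from multi-project to single-project scans, and nothing in this diff shows how the CLI's new `recurse` default is mapped onto it. If multi-project is meant to remain the default, a single line at the top of `createBom`, `options.multiProject = options.multiProject ?? true;`, preserves the old behaviour for library callers while still letting an explicit `false` (e.g. from `--no-recurse`) turn it off. In the -3819 hunk the added "Retain metadata.component.components" block is a copy of the one visible as context in the -3788 hunk; a small helper that appends `bomData.parentComponent.components` to `parentSubComponents` would avoid the duplication, and the `concat` reassignment requires `parentSubComponents` to be declared with `let`, which is outside the hunk. The bodies of `createBom` and `createMultiXBom` both extend beyond these hunks.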
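--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "9.2.
+"version": "9.2.2",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",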
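--- a/package/utils.js
+++ b/package/utils.js
@@ -443,10 +443,22 @@ export const parsePkgJson = async (pkgJsonFile) => {
 try {
 const pkgData = JSON.parse(readFileSync(pkgJsonFile, "utf8"));
 const pkgIdentifier = parsePackageJsonName(pkgData.name);
+const name = pkgIdentifier.fullName || pkgData.name;
+const group = pkgIdentifier.scope || "";
+const purl = new PackageURL(
+"npm",
+encodeForPurl(group),
+encodeForPurl(name),
+pkgData.version,
+null,
+null
+).toString();
 pkgList.push({
-name
-group
+name,
+group,
 version: pkgData.version,
+purl,
+"bom-ref": decodeURIComponent(purl),
 properties: [
 {
 name: "SrcFile",
@@ -1740,7 +1752,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
 if (subProject && subProject.match(/:/g).length >= 2) {
 return defaultProps;
 }
-
+const gradlePropertiesArgs = [
 subProject ? `${subProject}:properties` : "properties",
 "-q",
 "--console",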
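Review bot: The `new PackageURL("npm", encodeForPurl(group), encodeForPurl(name), ...)` construction in the -443 hunk fails when `name` is undefined (a package.json with no `name` field, which `parsePackageJsonName` cannot resolve either; packageurl-js rejects a missing name), and because it sits inside the `try` opened on line 443, such a manifest now drops out of `pkgList` entirely instead of producing the nameless entry the previous code pushed. The `catch` is outside the hunk, so I cannot see whether that loss is logged; building `purl` and `"bom-ref"` only when `name` is set, and otherwise pushing the component without them, would keep a malformed manifest visible in the SBOM and let `validator.js` report it. A one-line comment above `"bom-ref": decodeURIComponent(purl),` explaining why the bom-ref is the decoded form of the purl rather than the purl itself would also help the next reader, since the two values now deliberately differ for scoped packages.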
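--- a/package/validator.js
+++ b/package/validator.js
@@ -68,11 +68,16 @@ export const validateMetadata = (bomJson) => {
 warningsList.push("metadata.component is missing.");
 }
 if (bomJson.metadata.component) {
+// Do we have a purl and bom-ref for metadata.component
+if (!bomJson.metadata.component.purl) {
+warningsList.push(`purl is missing for metadata.component`);
+}
+if (!bomJson.metadata.component["bom-ref"]) {
+warningsList.push(`bom-ref is missing for metadata.component`);
+}
 // Do we have a version for metadata.component
 if (!bomJson.metadata.component.version) {
-warningsList.push(
-`Version is missing for metadata.component with ref ${bomJson.metadata.component["bom-ref"]}`
-);
+warningsList.push(`Version is missing for metadata.component`);
 }
 // Is the same component getting repeated inside the components block
 if (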
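Review bot: The three new `warningsList.push(...)` calls in the -68 hunk use template literals that interpolate nothing, while the neighbouring message on line 68 is a plain double-quoted string; `warningsList.push("purl is missing for metadata.component");` (and likewise for the `bom-ref` and version messages) keeps the file's quoting uniform and avoids an eslint `quotes` finding. The rewritten version warning also dropped the `with ref ${...}` suffix, so when a bom-ref is present the message no longer says which component it concerns; appending `bomJson.metadata.component.name` or the bom-ref when available would keep the diagnostic actionable for whoever reads the validation output. The remainder of `validateMetadata` lies outside the hunk.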