@cyclonedx/cdxgen 9.7.5 → 9.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -1
- package/bin/cdxgen.js +3 -0
- package/index.js +33 -46
- package/package.json +7 -6
- package/utils.js +495 -391
- package/utils.test.js +201 -50
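--- a/package/README.md
+++ b/package/README.md
@@ -31,7 +31,7 @@ A typical application might comprise of several repos, components, and libraries
 | dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock |
 | haskell | cabal.project.freeze | Yes |
 | elixir | mix.lock | Yes |
-| c/c++
+| c/c++/Objective C/c++11 | conan.lock, conanfile.txt, \*.cmake, CMakeLists.txt, meson.build, codebase without package managers! | Yes only for conan.lock. Best effort basis for cmake without version numbers. |
 | clojure | Clojure CLI (deps.edn), Leiningen (project.clj) | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command |
 | swift | Package.resolved, Package.swift (swiftpm) | Yes |
 | docker / oci image | All supported languages. Linux OS packages with plugins [4] | Best effort based on lock files |
@@ -147,6 +147,7 @@ $ cdxgen -h
 --project-version Dependency track project version [default: ""]
 --project-id Dependency track project id. Either provide the i
 d or the project name and version together
+--parent-project-id Dependency track parent project id
 --required-only Include only the packages with required scope on
 the SBoM. [boolean]
 --fail-on-error Fail if any dependency extractor fails. [boolean]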
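--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -73,6 +73,9 @@ const args = yargs(hideBin(process.argv))
 description:
 "Dependency track project id. Either provide the id or the project name and version together"
 })
+.option("parent-project-id", {
+description: "Dependency track parent project id"
+})
 .option("required-only", {
 type: "boolean",
 description: "Include only the packages with required scope on the SBoM."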
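--- a/package/index.js
+++ b/package/index.js
@@ -97,7 +97,9 @@ import {
 addEvidenceForImports,
 parseSbtTree,
 parseCmakeLikeFile,
-getCppModules
+getCppModules,
+FETCH_LICENSE,
+getNugetMetadata
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -3913,39 +3915,17 @@ export const createRubyBom = async (path, options) => {
 return {};
 };
 
-const removeDuplicates = (pkgList, dependencies) => {
-const uniqueItems = {};
-const uniqueRefs = new Set();
-const newPkgList = [];
-const newDependencies = [];
-
-for (const item of pkgList) {
-if (item) {
-const { name, version } = item;
-const key = `${name}-${version}`;
-if (!uniqueItems[key] && key) {
-uniqueItems[key] = item;
-newPkgList.push(item);
-}
-}
-}
-
-for (const item of dependencies) {
-const { ref } = item;
-if (!uniqueRefs.has(ref)) {
-uniqueRefs.add(ref);
-newDependencies.push(item);
-}
-}
-return [newPkgList, newDependencies];
-};
 /**
 * Function to create bom string for csharp projects
 *
 * @param path to the project
 * @param options Parse options from the cli
 */
-export const createCsharpBom = async (
+export const createCsharpBom = async (
+path,
+options,
+parentComponent = undefined
+) => {
 let manifestFiles = [];
 let pkgData = undefined;
 let dependencies = [];
@@ -3970,7 +3950,7 @@ export const createCsharpBom = async (path, options) => {
 (options.multiProject ? "**/" : "") + "*.nupkg"
 );
 let pkgList = [];
-if (nupkgFiles.length) {
+if (nupkgFiles.length && projAssetsFiles.length === 0) {
 manifestFiles = manifestFiles.concat(nupkgFiles);
 for (const nf of nupkgFiles) {
 if (DEBUG_MODE) {
@@ -4048,17 +4028,27 @@ export const createCsharpBom = async (path, options) => {
 }
 }
 }
+if (!parentComponent) {
+parentComponent = createDefaultParentComponent(path, options.type, options);
+}
 if (pkgList.length) {
-
-
-pkgList = uniquePkg[0];
-return buildBomNSData(options, pkgList, "nuget", {
-src: path,
-filename: manifestFiles.join(", "),
-dependencies
-});
+dependencies = mergeDependencies(dependencies, [], parentComponent);
+pkgList = trimComponents(pkgList, "json");
 }
-
+if (FETCH_LICENSE) {
+const retMap = await getNugetMetadata(pkgList, dependencies);
+if (retMap.dependencies && retMap.dependencies.length) {
+dependencies = dependencies.concat(retMap.dependencies);
+}
+dependencies = mergeDependencies(dependencies, [], parentComponent);
+pkgList = trimComponents(pkgList, "json");
+}
+return buildBomNSData(options, pkgList, "nuget", {
+src: path,
+filename: manifestFiles.join(", "),
+dependencies,
+parentComponent
+});
 };
 
 export const mergeDependencies = (
@@ -4404,7 +4394,7 @@ export const createMultiXBom = async (pathList, options) => {
 listComponents(options, {}, bomData.bomJson.components, "gem", "xml")
 );
 }
-bomData = await createCsharpBom(path, options);
+bomData = await createCsharpBom(path, options, parentComponent);
 if (bomData && bomData.bomJson && bomData.bomJson.components) {
 if (DEBUG_MODE) {
 console.log(
@@ -5229,6 +5219,9 @@ export async function submitBom(args, bomContents) {
 autoCreate: "true",
 bom: encodedBomContents
 };
+if (typeof args.parentProjectId !== "undefined") {
+bomPayload.parentUUID = args.parentProjectId;
+}
 if (DEBUG_MODE) {
 console.log(
 "Submitting BOM to",
@@ -5265,13 +5258,7 @@ export async function submitBom(args, bomContents) {
 "Content-Type": "application/json",
 "user-agent": `@CycloneDX/cdxgen ${_version}`
 },
-json:
-project: args.projectId,
-projectName: args.projectName,
-projectVersion: projectVersion,
-autoCreate: "true",
-bom: encodedBomContents
-},
+json: bomPayload,
 responseType: "json"
 }).json();
 } catch (error) {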
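--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "9.
+"version": "9.8.0",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,7 +55,8 @@
 },
 "dependencies": {
 "@babel/parser": "^7.22.16",
-"@babel/traverse": "^7.22.
+"@babel/traverse": "^7.22.19",
+"@npmcli/arborist": "^7.1.0",
 "ajv": "^8.12.0",
 "ajv-formats": "^2.1.1",
 "cheerio": "^1.0.0-rc.12",
@@ -74,13 +75,13 @@
 "ssri": "^10.0.4",
 "table": "^6.8.1",
 "tar": "^6.2.0",
-"uuid": "^9.0.
+"uuid": "^9.0.1",
 "xml-js": "^1.6.11",
 "xmlbuilder": "^15.1.1",
 "yargs": "^17.7.2"
 },
 "optionalDependencies": {
-"@appthreat/atom": "^1.
+"@appthreat/atom": "^1.2.0",
 "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
 "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
 "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -98,8 +99,8 @@
 ],
 "devDependencies": {
 "caxa": "^3.0.1",
-"eslint": "^8.
-"jest": "^29.
+"eslint": "^8.49.0",
+"jest": "^29.7.0",
 "prettier": "3.0.3"
 }
 }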