npm - @cyclonedx/cdxgen - Versions diffs - 9.8.6 → 9.8.8 - Mend

@cyclonedx/cdxgen 9.8.6 → 9.8.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -4,7 +4,7 @@
 cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill of Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
-When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
+When used with plugins, cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
 NOTE:
@@ -27,7 +27,7 @@ A typical application might have several repos, components, and libraries. Tradi
 | go                              | binary, go.mod, go.sum, Gopkg.lock                                                                                | Yes except binary                                                                                 |
 | ruby                            | Gemfile.lock, gemspec                                                                                             | Only for Gemfile.lock                                                                             |
 | rust                            | binary, Cargo.toml, Cargo.lock                                                                                    | Only for Cargo.lock                                                                               |
-| .Net                            | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg                                     | Only for project.assets.json, packages.lock.json                                                  |
+| .Net                            | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock                         | Only for project.assets.json, packages.lock.json, paket.lock                                      |
 | dart                            | pubspec.lock, pubspec.yaml                                                                                        | Only for pubspec.lock                                                                             |
 | haskell                         | cabal.project.freeze                                                                                              | Yes                                                                                               |
 | elixir                          | mix.lock                                                                                                          | Yes                                                                                               |
@@ -61,7 +61,7 @@ NOTE:
 Footnotes:
-- [1] - For multi-module applications, the BoM file could include components not included in the packaged war or ear file.
+- [1] - For multi-module applications, the BOM file could include components not included in the packaged war or ear file.
 - [2] - Pip freeze is automatically performed to improve precision. Requires virtual environment.
 - [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
 - [4] - See the section on plugins
@@ -197,7 +197,7 @@ To print the SBOM as a table pass `-p` argument.
 cdxgen -t java -o bom.json -p
 ```
-To recursively generate a single BoM for all languages pass `-r` argument.
+To recursively generate a single BOM for all languages pass `-r` argument.
 ```shell
 cdxgen -r -o bom.json
@@ -254,6 +254,14 @@ Arguments can be passed either via the query string or as a JSON body. The follo
 | projectGroup   | Dependency track project group                                                                                                              |
 | projectVersion | Dependency track project version [default: ""]                                                                                              |
+### Health endpoint
+Use the /health endpoint to check if the SBOM server is up and running.
+```shell
+curl "http://127.0.0.1:9090/health"
+```
 ### Scanning a local path
 ```shell
@@ -281,7 +289,7 @@ docker compose up
 ## War file support
-cdxgen can generate a BoM file from a given war file.
+cdxgen can generate a BOM file from a given war file.
 ```shell
 # cdxgen -t java app.war
@@ -318,6 +326,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
 - csharp (projects.assets.json)
+- Go (go.mod)
 ## Environment variables
@@ -399,9 +408,9 @@ systemctl --user start podman.socket
 podman system service -t 0 &
 ```
-### Generate OBoM for a live system
+### Generate OBOM for a live system
-You can use the `obom` command to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
+You can use the `obom` command to generate an OBOM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
 ```shell
 # obom is an alias for cdxgen -t os
@@ -417,7 +426,7 @@ See [evinse mode](./ADVANCED.md) in the advanced documentation.
 ## BoM signing
-cdxgen can sign the generated BoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
+cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 - SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
 - SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key

package/analyzer.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import { parse } from "@babel/parser";
 import traverse from "@babel/traverse";
-import { join } from "path";
-import { readdirSync, statSync, readFileSync } from "fs";
-import { basename, resolve, isAbsolute, relative } from "path";
+import { join } from "node:path";
+import { readdirSync, statSync, readFileSync } from "node:fs";
+import { basename, resolve, isAbsolute, relative } from "node:path";
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")

package/bin/cdxgen.js CHANGED Viewed

@@ -6,8 +6,7 @@ import fs from "node:fs";
 import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import jws from "jws";
-import crypto from "crypto";
-import { start as _serverStart } from "../server.js";
+import crypto from "node:crypto";
 import { fileURLToPath } from "node:url";
 import globalAgent from "global-agent";
 import process from "node:process";
@@ -243,7 +242,8 @@ const checkPermissions = (filePath) => {
 (async () => {
   // Start SBOM server
   if (args.server) {
-    return await _serverStart(options);
+    const serverModule = await import("../server.js");
+    return await serverModule.start(options);
   }
   // Check if cdxgen has the required permissions
   if (!checkPermissions(filePath)) {

package/bin/repl.js CHANGED Viewed

@@ -110,16 +110,16 @@ cdxgenRepl.defineCommand("create", {
     });
     if (bomNSData) {
       sbom = bomNSData.bomJson;
-      console.log("✅ BoM imported successfully.");
-      console.log("💭 Type .print to view the BoM as a table");
+      console.log("✅ BOM imported successfully.");
+      console.log("💭 Type .print to view the BOM as a table");
     } else {
-      console.log("BoM was not generated successfully");
+      console.log("BOM was not generated successfully");
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("import", {
-  help: "import an existing BoM",
+  help: "import an existing BOM",
   action(sbomOrPath) {
     this.clearBufferedCommand();
     importSbom(sbomOrPath);
@@ -139,7 +139,7 @@ cdxgenRepl.defineCommand("sbom", {
       console.log(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -171,7 +171,7 @@ cdxgenRepl.defineCommand("search", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -205,7 +205,7 @@ cdxgenRepl.defineCommand("sort", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -229,7 +229,7 @@ cdxgenRepl.defineCommand("query", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -242,7 +242,7 @@ cdxgenRepl.defineCommand("print", {
       printTable(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -255,7 +255,7 @@ cdxgenRepl.defineCommand("tree", {
       printDependencyTree(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -271,7 +271,7 @@ cdxgenRepl.defineCommand("validate", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -285,10 +285,10 @@ cdxgenRepl.defineCommand("save", {
         saveToFile = "bom.json";
       }
       fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
-      console.log(`BoM saved successfully to ${saveToFile}`);
+      console.log(`BOM saved successfully to ${saveToFile}`);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -313,10 +313,10 @@ cdxgenRepl.defineCommand("update", {
       if (newSbom && newSbom.components.length <= sbom.components.length) {
         sbom = newSbom;
       }
-      console.log("BoM updated successfully.");
+      console.log("BOM updated successfully.");
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -333,7 +333,7 @@ cdxgenRepl.defineCommand("occurrences", {
         let components = await expression.evaluate(sbom);
         if (!components) {
           console.log(
-            "No results found. Use evinse command to generate an BoM with evidence."
+            "No results found. Use evinse command to generate an BOM with evidence."
           );
         } else {
           if (!Array.isArray(components)) {
@@ -346,7 +346,7 @@ cdxgenRepl.defineCommand("occurrences", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an evinse BoM"
+        "⚠ No BOM is loaded. Use .import command to import an evinse BOM"
       );
     }
     this.displayPrompt();
@@ -437,7 +437,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
         let catgories = await expression.evaluate(sbom);
         if (!catgories) {
           console.log(
-            "Unable to retrieve the os info categories. Only OBoMs generated by cdxgen are supported by this tool."
+            "Unable to retrieve the os info categories. Only OBOMs generated by cdxgen are supported by this tool."
           );
         } else {
           console.log(catgories.join("\n"));
@@ -447,7 +447,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
       }
     } else {
       console.log(
-        "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+        "⚠ No OBOM is loaded. Use .import command to import an OBOM"
       );
     }
     this.displayPrompt();
@@ -546,7 +546,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
         }
       } else {
         console.log(
-          "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+          "⚠ No OBOM is loaded. Use .import command to import an OBOM"
         );
       }
       this.displayPrompt();

package/binary.js CHANGED Viewed

@@ -230,7 +230,7 @@ export const getGoBuildInfo = (src) => {
     let result = spawnSync(GOVERSION_BIN, [src], {
       encoding: "utf-8"
     });
-    if (result.status !== 0 || result.error) {
+    if (result.status !== 0 || result.error || !result.stdout) {
       if (result.stdout || result.stderr) {
         console.error(result.stdout, result.stderr);
       }

package/docker.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import got from "got";
 import { globSync } from "glob";
-import { parse } from "url";
+import { parse } from "node:url";
 import stream from "node:stream/promises";
 import {
   existsSync,