@herodevs/cli 2.0.0-beta.10 → 2.0.0-beta.12

package/README.md

@@ -10,6 +10,11 @@ The HeroDevs CLI
 * [@herodevs/cli](#herodevscli)
 <!-- tocstop -->
 
+### Terms and Data Security
+
+- [HeroDevs End of Life Dataset Terms of Service and Data Policy](https://docs.herodevs.com/legal/end-of-life-dataset-terms)
+- [HeroDevs End of Life Dataset Data Privacy and Security](https://docs.herodevs.com/eol-ds/data-privacy-and-security)
+
 ### Prerequisites
 
 - Install node v20 or higher: [Download Node](https://nodejs.org/en/download)
@@ -38,17 +43,13 @@ npm install -g @herodevs/cli@beta
 HeroDevs CLI is available as a binary installation, without requiring `npm`. To do that, you may either download and run the script manually, or use the following cURL or Wget command:
 
 ```sh
-curl -o- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.10/scripts/install.sh | bash
+curl -o- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.12/scripts/install.sh | bash
 ```
 
 ```sh
-wget -qO- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.10/scripts/install.sh | bash
+wget -qO- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.12/scripts/install.sh | bash
 ```
 
-## TERMS
-
-Use of this CLI is governed by the [HeroDevs End of Life Dataset Terms of Service and Data Policy](https://docs.herodevs.com/legal/end-of-life-dataset-terms).
-
 ## Scanning Behavior
 
 The CLI is designed to be non-invasive:
@@ -103,7 +104,7 @@ DESCRIPTION
   Display help for hd.
 ```
 
-_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.32/src/commands/help.ts)_
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.33/src/commands/help.ts)_
 
 ## `hd scan eol`
 
@@ -111,14 +112,18 @@ Scan a given SBOM for EOL data
 
 ```
 USAGE
-  $ hd scan eol [--json] [-f <value> | -d <value>] [-s] [--saveSbom] [--version]
+  $ hd scan eol [--json] [-f <value> | -d <value>] [-s] [-o <value>] [--saveSbom] [--sbomOutput <value>] [--saveTrimmedSbom] [--hideReportUrl] [--version]
 
 FLAGS
-  -d, --dir=<value>   [default: <current directory>] The directory to scan in order to create a cyclonedx SBOM
-  -f, --file=<value>  The file path of an existing cyclonedx SBOM to scan for EOL
-  -s, --save          Save the generated report as herodevs.report.json in the scanned directory
-      --saveSbom      Save the generated SBOM as herodevs.sbom.json in the scanned directory
-      --version       Show CLI version.
+  -d, --dir=<value>      [default: <current directory>] The directory to scan in order to scan for EOL
+  -f, --file=<value>     The file path of an existing SBOM to scan for EOL (supports CycloneDX and SPDX 2.3 formats)
+  -s, --save             Save the generated report as herodevs.report.json in the scanned directory
+  -o, --output=<value>   Save the generated report to a custom path (requires --save, defaults to herodevs.report.json when not provided)
+      --hideReportUrl    Hide the generated web report URL for this scan
+      --saveSbom         Save the generated SBOM as herodevs.sbom.json in the scanned directory
+      --sbomOutput=<value>  Save the generated SBOM to a custom path (requires --saveSbom, defaults to herodevs.sbom.json when not provided)
+      --saveTrimmedSbom  Save the trimmed SBOM as herodevs.sbom-trimmed.json in the scanned directory
+      --version          Show CLI version.
 
 GLOBAL FLAGS
   --json  Format output as json.
@@ -143,6 +148,10 @@ EXAMPLES
 
     $ hd scan eol --save --saveSbom
 
+  Save the report and SBOM to custom paths
+
+    $ hd scan eol --dir . --save --saveSbom --output ./reports/my-report.json --sbomOutput ./reports/my-sbom.json
+
   Output the report in JSON format (for APIs, CI, etc.)
 
     $ hd scan eol --json
@@ -188,7 +197,7 @@ EXAMPLES
     $ hd update --available
 ```
 
-_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.7.4/src/commands/update.ts)_
+_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.7.8/src/commands/update.ts)_
 <!-- commandsstop -->
 
 ## CI/CD Usage
@@ -200,6 +209,8 @@ You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
 We provide a Docker image that's pre-configured to run EOL scans. Based on [`cdxgen`](https://github.com/CycloneDX/cdxgen),
 it contains build tools for most project types and will provide best results when generating an SBOM. Use these templates to generate a report and save it to your CI job artifact for analysis and processing after your scan runs.
 
+**Note:** There is a potential to run into permission issues writing out the report to your CI runner. Please ensure that your CI runner is setup to have proper read/write permissions for wherever your output files are being written to.
+
 #### GitHub Actions
 
 ```yaml
@@ -215,19 +226,25 @@ on:
 jobs:
   scan:
     runs-on: ubuntu-latest
+    environment: demo
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v5
 
-      - name: Run EOL Scan with Docker
-        uses: docker://ghcr.io/herodevs/eol-scan
-        with:
-          args: "-s"
-      
-      - name: Upload   artifact
-        uses: actions/upload-artifact@v4
+      - name: Run EOL Scan
+        run: |
+          docker run --name eol-scanner \
+            -v $GITHUB_WORKSPACE:/app \
+            -w /app \
+            ghcr.io/herodevs/eol-scan --save --output /tmp/herodevs.report.json
+          docker cp eol-scanner:/tmp/herodevs.report.json ${{ runner.temp }}/herodevs.report.json
+          docker rm eol-scanner
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v5
         with:
           name: my-eol-report
-          path: herodevs.report.json
+          path: ${{ runner.temp }}/herodevs.report.json
 ```
 
 #### GitLab CI/CD
@@ -270,18 +287,19 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: '24'
 
       - run: echo # Prepare environment, install tooling, perform setup, etc.
 
       - name: Run EOL Scan
-        run: npx @herodevs/cli@beta
+        run: npx @herodevs/cli@beta scan eol
 
-      - name: Upload   artifact
-        uses: actions/upload-artifact@v4
+      - name: Upload artifact
+        uses: actions/upload-artifact@v5
         with:
           name: my-eol-report
           path: herodevs.report.json

package/dist/api/nes.client.js

@@ -6,7 +6,8 @@ import { createReportMutation, getEolReportQuery } from "./gql-operations.js";
 export const createApollo = (uri) => new ApolloClient({
     cache: new InMemoryCache(),
     defaultOptions: {
-        query: { fetchPolicy: 'no-cache' },
+        query: { fetchPolicy: 'no-cache', errorPolicy: 'all' },
+        mutate: { errorPolicy: 'all' },
     },
     link: new HttpLink({
         uri,
@@ -21,6 +22,10 @@ export const SbomScanner = (client) => {
             mutation: createReportMutation,
             variables: { input },
         });
+        if (res?.errors?.length) {
+            debugLogger('GraphQL errors in createReport: %o', res.errors);
+            throw new Error('Failed to create EOL report');
+        }
         const result = res.data?.eol?.createReport;
         if (!result?.success || !result.id) {
             debugLogger('failed scan %o', result || {});
@@ -44,6 +49,10 @@ export const SbomScanner = (client) => {
             const batch = pages.slice(i, i + config.concurrentPageRequests);
             const batchResponses = await Promise.all(batch);
             for (const response of batchResponses) {
+                if (response?.errors?.length) {
+                    debugLogger('GraphQL errors in getReport query: %o', response.errors);
+                    throw new Error('Failed to fetch EOL report');
+                }
                 const report = response.data.eol.report;
                 reportMetadata ??= report;
                 components.push(...(report?.components ?? []));

package/dist/commands/scan/eol.d.ts

@@ -11,7 +11,11 @@ export default class ScanEol extends Command {
         file: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         dir: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
         save: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        output: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         saveSbom: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        sbomOutput: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        saveTrimmedSbom: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        hideReportUrl: import("@oclif/core/interfaces").BooleanFlag<boolean>;
         version: import("@oclif/core/interfaces").BooleanFlag<void>;
     };
     run(): Promise<EolReport | undefined>;
@@ -19,6 +23,7 @@ export default class ScanEol extends Command {
     private scanSbom;
     private saveReport;
     private saveSbom;
+    private saveTrimmedSbom;
     private displayResults;
     private getSbomFromScan;
     private getSbomFromFile;

package/dist/commands/scan/eol.js

@@ -5,8 +5,8 @@ import { submitScan } from "../../api/nes.client.js";
 import { config, filenamePrefix } from "../../config/constants.js";
 import { track } from "../../service/analytics.svc.js";
 import { createSbom } from "../../service/cdx.svc.js";
-import { countComponentsByStatus, formatScanResults, formatWebReportUrl } from "../../service/display.svc.js";
-import { readSbomFromFile, saveReportToFile, saveSbomToFile, validateDirectory } from "../../service/file.svc.js";
+import { countComponentsByStatus, formatDataPrivacyLink, formatReportSaveHint, formatScanResults, formatWebReportUrl, } from "../../service/display.svc.js";
+import { readSbomFromFile, saveArtifactToFile, validateDirectory } from "../../service/file.svc.js";
 import { getErrorMessage } from "../../service/log.svc.js";
 export default class ScanEol extends Command {
     static description = 'Scan a given SBOM for EOL data';
@@ -30,7 +30,7 @@ export default class ScanEol extends Command {
     static flags = {
         file: Flags.string({
             char: 'f',
-            description: 'The file path of an existing cyclonedx SBOM to scan for EOL',
+            description: 'The file path of an existing SBOM to scan for EOL (supports CycloneDX and SPDX 2.3 formats)',
             exclusive: ['dir'],
         }),
         dir: Flags.string({
@@ -45,11 +45,29 @@ export default class ScanEol extends Command {
             default: false,
             description: `Save the generated report as ${filenamePrefix}.report.json in the scanned directory`,
         }),
+        output: Flags.string({
+            char: 'o',
+            description: `Save the generated report to a custom path (defaults to ${filenamePrefix}.report.json when not provided)`,
+        }),
         saveSbom: Flags.boolean({
             aliases: ['save-sbom'],
             default: false,
             description: `Save the generated SBOM as ${filenamePrefix}.sbom.json in the scanned directory`,
         }),
+        sbomOutput: Flags.string({
+            aliases: ['sbom-output'],
+            description: `Save the generated SBOM to a custom path (defaults to ${filenamePrefix}.sbom.json when not provided)`,
+        }),
+        saveTrimmedSbom: Flags.boolean({
+            aliases: ['save-trimmed-sbom'],
+            default: false,
+            description: `Save the trimmed SBOM as ${filenamePrefix}.sbom-trimmed.json in the scanned directory`,
+        }),
+        hideReportUrl: Flags.boolean({
+            aliases: ['hide-report-url'],
+            default: false,
+            description: 'Hide the generated web report URL for this scan',
+        }),
         version: Flags.version(),
     };
     async run() {
@@ -57,7 +75,6 @@ export default class ScanEol extends Command {
         track('CLI EOL Scan Started', (context) => ({
             command: context.command,
             command_flags: context.command_flags,
-            scan_location: flags.dir,
         }));
         const sbomStartTime = performance.now();
         const sbom = await this.loadSbom();
@@ -66,12 +83,22 @@ export default class ScanEol extends Command {
             track('CLI SBOM Generated', (context) => ({
                 command: context.command,
                 command_flags: context.command_flags,
-                scan_location: flags.dir,
                 sbom_generation_time: (sbomEndTime - sbomStartTime) / 1000,
             }));
         }
-        if (flags.saveSbom && !flags.file) {
-            const sbomPath = this.saveSbom(flags.dir, sbom);
+        let reportOutputPath = flags.output;
+        let sbomOutputPath = flags.sbomOutput;
+        if (flags.output && !flags.save) {
+            this.warn('--output requires --save to write the report. Run again with --save to create the file.');
+            reportOutputPath = undefined;
+        }
+        if (flags.sbomOutput && !flags.saveSbom) {
+            this.warn('--sbomOutput requires --saveSbom to write the SBOM. Run again with --saveSbom to create the file.');
+            sbomOutputPath = undefined;
+        }
+        const shouldSaveSbom = !flags.file && flags.saveSbom;
+        if (shouldSaveSbom) {
+            const sbomPath = this.saveSbom(flags.dir, sbom, sbomOutputPath);
             this.log(`SBOM saved to ${sbomPath}`);
             track('CLI SBOM Output Saved', (context) => ({
                 command: context.command,
@@ -83,7 +110,6 @@ export default class ScanEol extends Command {
             track('CLI EOL Scan Ended, No Components Found', (context) => ({
                 command: context.command,
                 command_flags: context.command_flags,
-                scan_location: flags.dir,
             }));
             this.log('No components found in scan. Report not generated.');
             return;
@@ -100,13 +126,14 @@ export default class ScanEol extends Command {
             nes_available_count: componentCounts.NES_AVAILABLE,
             number_of_packages: componentCounts.TOTAL,
             sbom_created: !flags.file,
-            scan_location: flags.dir,
             scan_load_time: (scanEndTime - scanStartTime) / 1000,
             scanned_ecosystems: componentCounts.ECOSYSTEMS,
-            web_report_link: scan.id ? `${config.eolReportUrl}/${scan.id}` : undefined,
+            web_report_link: !flags.hideReportUrl && scan.id ? `${config.eolReportUrl}/${scan.id}` : undefined,
+            web_report_hidden: flags.hideReportUrl,
         }));
-        if (flags.save) {
-            const reportPath = this.saveReport(scan, flags.dir);
+        const shouldSaveReport = flags.save;
+        if (shouldSaveReport) {
+            const reportPath = this.saveReport(scan, flags.dir, reportOutputPath);
             this.log(`Report saved to ${reportPath}`);
             track('CLI JSON Scan Output Saved', (context) => ({
                 command: context.command,
@@ -115,7 +142,7 @@ export default class ScanEol extends Command {
             }));
         }
         if (!this.jsonEnabled()) {
-            this.displayResults(scan);
+            this.displayResults(scan, flags.hideReportUrl, Boolean(reportOutputPath || sbomOutputPath));
         }
         return scan;
     }
@@ -132,9 +159,21 @@ export default class ScanEol extends Command {
         return sbom;
     }
     async scanSbom(sbom) {
-        const spinner = ora().start('Scanning for EOL packages');
+        const { flags } = await this.parse(ScanEol);
+        const spinner = ora().start('Trimming SBOM');
+        const trimmedSbom = trimCdxBom(sbom);
+        spinner.succeed('SBOM trimmed');
+        if (flags.saveTrimmedSbom) {
+            const trimmedPath = this.saveTrimmedSbom(flags.dir, trimmedSbom);
+            this.log(`Trimmed SBOM saved to ${trimmedPath}`);
+            track('CLI Trimmed SBOM Output Saved', (context) => ({
+                command: context.command,
+                command_flags: context.command_flags,
+            }));
+        }
+        spinner.start('Scanning for EOL packages');
         try {
-            const scan = await submitScan({ sbom: trimCdxBom(sbom) });
+            const scan = await submitScan({ sbom: trimmedSbom });
             spinner.succeed('Scan completed');
             return scan;
         }
@@ -144,15 +183,14 @@ export default class ScanEol extends Command {
             track('CLI EOL Scan Failed', (context) => ({
                 command: context.command,
                 command_flags: context.command_flags,
-                scan_location: context.scan_location,
                 scan_failure_reason: errorMessage,
             }));
             this.error(`Failed to submit scan to NES. ${errorMessage}`);
         }
     }
-    saveReport(report, dir) {
+    saveReport(report, dir, outputPath) {
         try {
-            return saveReportToFile(dir, report);
+            return saveArtifactToFile(dir, { kind: 'report', payload: report, outputPath });
         }
         catch (error) {
             const errorMessage = getErrorMessage(error);
@@ -160,9 +198,9 @@ export default class ScanEol extends Command {
             this.error(errorMessage);
         }
     }
-    saveSbom(dir, sbom) {
+    saveSbom(dir, sbom, outputPath) {
         try {
-            return saveSbomToFile(dir, sbom);
+            return saveArtifactToFile(dir, { kind: 'sbom', payload: sbom, outputPath });
         }
         catch (error) {
             const errorMessage = getErrorMessage(error);
@@ -170,17 +208,37 @@ export default class ScanEol extends Command {
             this.error(errorMessage);
         }
     }
-    displayResults(report) {
+    saveTrimmedSbom(dir, sbom) {
+        try {
+            return saveArtifactToFile(dir, { kind: 'sbomTrimmed', payload: sbom });
+        }
+        catch (error) {
+            const errorMessage = getErrorMessage(error);
+            track('CLI Error Encountered', () => ({ error: errorMessage }));
+            this.error(errorMessage);
+        }
+    }
+    displayResults(report, hideReportUrl, hasCustomOutput) {
         const lines = formatScanResults(report);
         for (const line of lines) {
             this.log(line);
         }
-        if (report.id) {
+        if (!hideReportUrl && report.id) {
             const lines = formatWebReportUrl(report.id, config.eolReportUrl);
             for (const line of lines) {
                 this.log(line);
             }
         }
+        else if (hideReportUrl && !hasCustomOutput) {
+            const lines = formatReportSaveHint();
+            for (const line of lines) {
+                this.log(line);
+            }
+        }
+        const privacyLines = formatDataPrivacyLink();
+        for (const line of privacyLines) {
+            this.log(line);
+        }
         this.log('* Use --json to output the report payload');
         this.log(`* Use --save to save the report to ${filenamePrefix}.report.json`);
         this.log('* Use --help for more commands or options');

package/dist/hooks/finally/finally.js

@@ -2,16 +2,16 @@ import ora, {} from 'ora';
 import { track } from "../../service/analytics.svc.js";
 const hook = async (opts) => {
     const isHelpOrVersionCmd = opts.argv.includes('--help') || opts.argv.includes('--version');
+    const hasError = Boolean(opts.error);
     let spinner;
-    if (!isHelpOrVersionCmd) {
+    if (!isHelpOrVersionCmd && !hasError) {
         spinner = ora().start('Cleaning up');
     }
-    const event = track('CLI Session Ended', (context) => ({
+    await track('CLI Session Ended', (context) => ({
         cli_version: context.cli_version,
         ended_at: new Date(),
     })).promise;
-    if (!isHelpOrVersionCmd) {
-        await event;
+    if (!isHelpOrVersionCmd && !hasError) {
         spinner?.stop();
     }
 };

package/dist/service/analytics.svc.d.ts

@@ -11,7 +11,6 @@ interface AnalyticsContext {
     command?: string;
     command_flags?: string;
     error?: string;
-    scan_location?: string;
     eol_true_count?: number;
     eol_unknown_count?: number;
     nes_available_count?: number;

package/dist/service/cdx.svc.d.ts

@@ -1,3 +1,5 @@
+import { createBom } from '@cyclonedx/cdxgen';
+import { postProcess } from '@cyclonedx/cdxgen/stages/postgen/postgen';
 import type { CdxBom } from '@herodevs/eol-shared';
 export declare const SBOM_DEFAULT__OPTIONS: {
     $0: string;
@@ -61,4 +63,10 @@ export declare const SBOM_DEFAULT__OPTIONS: {
  * Lazy loads cdxgen (for ESM purposes), scans
  * `directory`, and returns the `bomJson` property.
  */
-export declare function createSbom(directory: string): Promise<CdxBom>;
+type CreateSbomDependencies = {
+    createBom: typeof createBom;
+    postProcess: typeof postProcess;
+};
+export declare function createSbomFactory({ createBom: createBomDependency, postProcess: postProcessDependency, }?: Partial<CreateSbomDependencies>): (directory: string) => Promise<CdxBom>;
+export declare const createSbom: (directory: string) => Promise<CdxBom>;
+export {};

package/dist/service/cdx.svc.js

@@ -1,4 +1,5 @@
 import { createBom } from '@cyclonedx/cdxgen';
+import { postProcess } from '@cyclonedx/cdxgen/stages/postgen/postgen';
 import { debugLogger } from "./log.svc.js";
 const author = process.env.npm_package_author ?? 'HeroDevs, Inc.';
 export const SBOM_DEFAULT__OPTIONS = {
@@ -24,8 +25,8 @@ export const SBOM_DEFAULT__OPTIONS = {
     includeFormulation: false,
     'no-install-deps': true,
     noInstallDeps: true,
-    'min-confidence': 1,
-    minConfidence: 1,
+    'min-confidence': 0.1,
+    minConfidence: 0.1,
     multiProject: true,
     'no-banner': false,
     noBabel: false,
@@ -62,14 +63,18 @@ export const SBOM_DEFAULT__OPTIONS = {
     usagesSlicesFile: 'usages.slices.json',
     validate: true,
 };
-/**
- * Lazy loads cdxgen (for ESM purposes), scans
- * `directory`, and returns the `bomJson` property.
- */
-export async function createSbom(directory) {
-    const sbom = await createBom(directory, SBOM_DEFAULT__OPTIONS);
-    if (!sbom)
-        throw new Error('SBOM not generated');
-    debugLogger('Successfully generated SBOM');
-    return sbom.bomJson;
+export function createSbomFactory({ createBom: createBomDependency = createBom, postProcess: postProcessDependency = postProcess, } = {}) {
+    return async function createSbom(directory) {
+        const sbom = await createBomDependency(directory, SBOM_DEFAULT__OPTIONS);
+        if (!sbom) {
+            throw new Error('SBOM not generated');
+        }
+        const postProcessedSbom = postProcessDependency(sbom, SBOM_DEFAULT__OPTIONS);
+        if (!postProcessedSbom) {
+            throw new Error('SBOM not generated');
+        }
+        debugLogger('Successfully generated SBOM');
+        return postProcessedSbom.bomJson;
+    };
 }
+export const createSbom = createSbomFactory();

package/dist/service/display.svc.d.ts

@@ -20,3 +20,11 @@ export declare function formatScanResults(report: EolReport): string[];
  * Formats web report URL for console display
  */
 export declare function formatWebReportUrl(id: string, reportCardUrl: string): string[];
+/**
+ * Formats data privacy information link for console display
+ */
+export declare function formatDataPrivacyLink(): string[];
+/**
+ * Formats the report save hint for console display when the web report URL is hidden
+ */
+export declare function formatReportSaveHint(): string[];

package/dist/service/display.svc.js

@@ -7,6 +7,7 @@ const STATUS_COLORS = {
     OK: 'green',
     EOL_UPCOMING: 'yellow',
 };
+const SEPARATOR_WIDTH = 40;
 /**
  * Formats status row text with appropriate color and icon
  */
@@ -54,7 +55,7 @@ export function formatScanResults(report) {
     }
     return [
         ux.colorize('bold', 'Scan results:'),
-        ux.colorize('bold', '-'.repeat(40)),
+        ux.colorize('bold', '-'.repeat(SEPARATOR_WIDTH)),
         ux.colorize('bold', `${report.components.length.toLocaleString()} total packages scanned`),
         getStatusRowText.EOL(`${EOL.toLocaleString().padEnd(5)} End-of-Life (EOL)`),
         getStatusRowText.EOL_UPCOMING(`${EOL_UPCOMING.toLocaleString().padEnd(5)} EOL Upcoming`),
@@ -68,5 +69,19 @@ export function formatScanResults(report) {
  */
 export function formatWebReportUrl(id, reportCardUrl) {
     const url = ux.colorize('blue', terminalLink(new URL(reportCardUrl).hostname, `${reportCardUrl}/${id}`, { fallback: (_, url) => url }));
-    return [ux.colorize('bold', '-'.repeat(40)), `🌐 View your full EOL report at: ${url}\n`];
+    return [ux.colorize('bold', '-'.repeat(SEPARATOR_WIDTH)), `🌐 View your full EOL report at: ${url}\n`];
+}
+/**
+ * Formats data privacy information link for console display
+ */
+export function formatDataPrivacyLink() {
+    const privacyUrl = 'https://docs.herodevs.com/eol-ds/data-privacy-and-security';
+    const link = ux.colorize('blue', terminalLink('Learn more about data privacy', privacyUrl, { fallback: (text, url) => `${text}: ${url}` }));
+    return [`🔒 ${link}\n`];
+}
+/**
+ * Formats the report save hint for console display when the web report URL is hidden
+ */
+export function formatReportSaveHint() {
+    return [ux.colorize('bold', '-'.repeat(SEPARATOR_WIDTH)), 'To save your detailed JSON report, use the --save flag'];
 }

package/dist/service/file.svc.d.ts

@@ -3,18 +3,28 @@ export interface FileError extends Error {
     code?: string;
 }
 /**
- * Reads an SBOM from a file path
+ * Reads an SBOM from a file path and converts it to CycloneDX format
+ * Supports both SPDX 2.3 and CycloneDX formats
  */
 export declare function readSbomFromFile(filePath: string): CdxBom;
 /**
  * Validates that a directory path exists and is actually a directory
  */
 export declare function validateDirectory(dirPath: string): void;
+type SaveArtifactRequest = {
+    kind: 'sbom';
+    payload: CdxBom;
+    outputPath?: string;
+} | {
+    kind: 'sbomTrimmed';
+    payload: CdxBom;
+} | {
+    kind: 'report';
+    payload: EolReport;
+    outputPath?: string;
+};
 /**
- * Saves an SBOM to a file in the specified directory
+ * Saves an SBOM, trimmed SBOM, or report to disk using the correct default filename.
  */
-export declare function saveSbomToFile(dir: string, sbom: CdxBom): string;
-/**
- * Saves an EOL report to a file in the specified directory
- */
-export declare function saveReportToFile(dir: string, report: EolReport): string;
+export declare function saveArtifactToFile(dir: string, request: SaveArtifactRequest): string;
+export {};

package/dist/service/file.svc.js

@@ -1,10 +1,70 @@
 import fs from 'node:fs';
 import path, { join, resolve } from 'node:path';
-import { isCdxBom } from '@herodevs/eol-shared';
+import { isCdxBom, isSpdxBom, spdxToCdxBom } from '@herodevs/eol-shared';
 import { filenamePrefix } from "../config/constants.js";
 import { getErrorMessage } from "./log.svc.js";
 /**
- * Reads an SBOM from a file path
+ * Computes an absolute output path using either a provided path or the base directory and default name.
+ */
+function resolveOutputPath(baseDir, defaultFilename, customPath) {
+    const defaultOutput = resolve(join(baseDir, defaultFilename));
+    if (!customPath) {
+        return { fileName: defaultFilename, fullPath: defaultOutput };
+    }
+    const resolvedCustomPath = resolve(customPath);
+    let targetPath = resolvedCustomPath;
+    const hasTrailingSeparator = /[\\/]$/.test(customPath);
+    const customIsDirectory = fs.existsSync(resolvedCustomPath) && fs.statSync(resolvedCustomPath).isDirectory();
+    if (hasTrailingSeparator || customIsDirectory) {
+        targetPath = join(resolvedCustomPath, defaultFilename);
+    }
+    return { fileName: path.basename(targetPath), fullPath: targetPath };
+}
+/**
+ * Ensures the output directory for a given path exists, is a directory, and is writable.
+ */
+function ensureOutputDirectory(fullPath, fileName) {
+    const targetDir = path.dirname(fullPath);
+    if (!fs.existsSync(targetDir)) {
+        throw new Error(`Unable to save ${fileName}`);
+    }
+    const stats = fs.statSync(targetDir);
+    if (!stats.isDirectory()) {
+        throw new Error(`Unable to save ${fileName}`);
+    }
+    try {
+        fs.accessSync(targetDir, fs.constants.W_OK);
+    }
+    catch {
+        throw new Error(`Unable to save ${fileName}`);
+    }
+}
+/**
+ * Writes JSON to disk after validating directory constraints and formats the payload for readability.
+ */
+function writeJsonFile(fullPath, fileName, payload, failureLabel) {
+    ensureOutputDirectory(fullPath, fileName);
+    try {
+        fs.writeFileSync(fullPath, JSON.stringify(payload, null, 2));
+        return fullPath;
+    }
+    catch (error) {
+        const fileError = error;
+        switch (fileError.code) {
+            case 'EACCES':
+                throw new Error(`Permission denied. Unable to save ${fileName}`);
+            case 'ENOSPC':
+                throw new Error(`No space left on device. Unable to save ${fileName}`);
+            case 'ENOENT':
+            case 'ENOTDIR':
+                throw new Error(`Unable to save ${fileName}`);
+        }
+        throw new Error(`Failed to save ${failureLabel}: ${getErrorMessage(error)}`);
+    }
+}
+/**
+ * Reads an SBOM from a file path and converts it to CycloneDX format
+ * Supports both SPDX 2.3 and CycloneDX formats
  */
 export function readSbomFromFile(filePath) {
     const file = resolve(filePath);
@@ -13,11 +73,14 @@ export function readSbomFromFile(filePath) {
     }
     try {
         const fileContent = fs.readFileSync(file, 'utf8');
-        const sbom = JSON.parse(fileContent);
-        if (!isCdxBom(sbom)) {
-            throw new Error(`Invalid SBOM file: ${file}`);
+        const jsonContent = JSON.parse(fileContent);
+        if (isSpdxBom(jsonContent)) {
+            return spdxToCdxBom(jsonContent);
+        }
+        if (isCdxBom(jsonContent)) {
+            return jsonContent;
         }
-        return sbom;
+        throw new Error(`Invalid SBOM file format. Expected SPDX 2.3 or CycloneDX format.`);
     }
     catch (error) {
         throw new Error(`Failed to read SBOM file: ${getErrorMessage(error)}`);
@@ -36,36 +99,17 @@ export function validateDirectory(dirPath) {
         throw new Error(`Path is not a directory: ${dir}`);
     }
 }
+const artifactFilenames = {
+    sbom: `${filenamePrefix}.sbom.json`,
+    sbomTrimmed: `${filenamePrefix}.sbom-trimmed.json`,
+    report: `${filenamePrefix}.report.json`,
+};
 /**
- * Saves an SBOM to a file in the specified directory
+ * Saves an SBOM, trimmed SBOM, or report to disk using the correct default filename.
  */
-export function saveSbomToFile(dir, sbom) {
-    const outputPath = join(dir, `${filenamePrefix}.sbom.json`);
-    try {
-        fs.writeFileSync(outputPath, JSON.stringify(sbom, null, 2));
-        return outputPath;
-    }
-    catch (error) {
-        throw new Error(`Failed to save SBOM: ${getErrorMessage(error)}`);
-    }
-}
-/**
- * Saves an EOL report to a file in the specified directory
- */
-export function saveReportToFile(dir, report) {
-    const reportPath = path.join(dir, `${filenamePrefix}.report.json`);
-    try {
-        fs.writeFileSync(reportPath, JSON.stringify(report, null, 2));
-        return reportPath;
-    }
-    catch (error) {
-        const fileError = error;
-        if (fileError.code === 'EACCES') {
-            throw new Error(`Permission denied. Unable to save report to ${filenamePrefix}.report.json`);
-        }
-        if (fileError.code === 'ENOSPC') {
-            throw new Error(`No space left on device. Unable to save report to ${filenamePrefix}.report.json`);
-        }
-        throw new Error(`Failed to save report: ${getErrorMessage(error)}`);
-    }
+export function saveArtifactToFile(dir, request) {
+    const defaultFilename = artifactFilenames[request.kind];
+    const customOutputPath = 'outputPath' in request ? request.outputPath : undefined;
+    const { fileName, fullPath } = resolveOutputPath(dir, defaultFilename, customOutputPath);
+    return writeJsonFile(fullPath, fileName, request.payload, fileName);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@herodevs/cli",
-  "version": "2.0.0-beta.10",
+  "version": "2.0.0-beta.12",
   "author": "HeroDevs, Inc",
   "bin": {
     "hd": "./bin/run.js"
@@ -39,34 +39,33 @@
     "herodevs cli"
   ],
   "dependencies": {
-    "@amplitude/analytics-node": "^1.5.8",
+    "@amplitude/analytics-node": "^1.5.20",
     "@apollo/client": "^3.13.8",
-    "@cyclonedx/cdxgen": "~11.4.4",
+    "@cyclonedx/cdxgen": "^11.11.0",
     "@herodevs/eol-shared": "github:herodevs/eol-shared#v0.1.11",
     "@oclif/core": "^4.5.3",
     "@oclif/plugin-help": "^6.2.32",
-    "@oclif/plugin-update": "^4.7.8",
-    "graphql": "^16.11.0",
+    "@oclif/plugin-update": "^4.7.13",
     "node-machine-id": "^1.1.12",
-    "ora": "^8.2.0",
+    "ora": "^9.0.0",
     "packageurl-js": "^2.0.1",
-    "terminal-link": "^4.0.0",
+    "terminal-link": "^5.0.0",
     "update-notifier": "^7.3.1"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.2.2",
     "@oclif/test": "^4.1.13",
     "@types/inquirer": "^9.0.9",
-    "@types/node": "^24.3.1",
+    "@types/node": "^24.9.2",
     "@types/sinon": "^17.0.4",
     "@types/update-notifier": "^6.0.8",
     "globstar": "^1.0.0",
-    "oclif": "^4.22.27",
+    "oclif": "^4.22.38",
     "shx": "^0.4.0",
     "sinon": "^21.0.0",
     "ts-node": "^10.9.2",
-    "tsx": "^4.20.5",
-    "typescript": "^5.9.2"
+    "tsx": "^4.20.6",
+    "typescript": "^5.9.3"
   },
   "engines": {
     "node": ">=20.0.0"

package/dist/service/sbom.worker.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/service/sbom.worker.js

@@ -1,26 +0,0 @@
-import { writeFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { createBom } from '@cyclonedx/cdxgen';
-import { filenamePrefix } from "../config/constants.js";
-import { SBOM_DEFAULT__OPTIONS } from "./cdx.svc.js";
-process.on('uncaughtException', (err) => {
-    console.error('Uncaught exception:', err.message);
-    process.exit(1);
-});
-process.on('unhandledRejection', (reason) => {
-    console.error('Unhandled rejection:', reason);
-    process.exit(1);
-});
-try {
-    console.log('Sbom worker started');
-    const options = JSON.parse(process.argv[2]);
-    const { path, opts } = options;
-    const { bomJson } = await createBom(path, { ...SBOM_DEFAULT__OPTIONS, ...opts });
-    const outputPath = join(path, `${filenamePrefix}.sbom.json`);
-    writeFileSync(outputPath, JSON.stringify(bomJson, null, 2));
-    process.exit(0);
-}
-catch (error) {
-    console.error('Error creating SBOM', error.message);
-    process.exit(1);
-}