preship 2.0.10 → 2.1.0

package/README.md

@@ -211,6 +211,8 @@ npx preship list --format csv       # CSV output
 npx preship report                                    # Full compliance report
 npx preship report --license-only                     # License NOTICE file
 npx preship report --out compliance.json --format json # JSON export
+npx preship report --format cyclonedx                  # CycloneDX 1.6 SBOM
+npx preship report --format spdx                       # SPDX 2.3 SBOM
 ```
 
 ### `preship allow <package>` — Add exceptions
@@ -288,7 +290,32 @@ PreShip scans your source code for accidentally committed credentials:
 - Lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`)
 - Minified files and files larger than 1MB
 
-**Shannon entropy analysis** catches secrets that don't match any rule pattern but have suspiciously high randomness (hex strings > 3.5 bits/char, base64 > 4.0 bits/char).
+**Shannon entropy analysis** catches secrets that don't match any rule pattern but have suspiciously high randomness (hex strings > 3.5 bits/char, base64 > 5.8 bits/char).
+
+### SBOM Export (Software Bill of Materials)
+
+Generate industry-standard SBOMs from your scan results for compliance and supply chain transparency:
+
+```bash
+npx preship report --format cyclonedx    # CycloneDX 1.6 JSON
+npx preship report --format spdx         # SPDX 2.3 JSON
+```
+
+**CycloneDX 1.6** output includes:
+- All dependency components with Package URLs (PURLs)
+- License information per component (SPDX expressions)
+- Security vulnerabilities mapped from scan findings
+- Dependency graph (direct and transitive relationships)
+- Tool metadata (preship version, scan timestamp)
+
+**SPDX 2.3** output includes:
+- All packages with SPDX IDs and external references (PURLs)
+- License concluded and declared per package
+- Relationship types: `DESCRIBES`, `DEPENDS_ON`, `DEV_DEPENDENCY_OF`
+- Unique document namespace per generation
+- Creator info and license list version
+
+Both formats are generated from the same `unifiedScan()` data with zero additional dependencies.
 
 ---
 
@@ -523,7 +550,7 @@ git clone https://github.com/dipen-code/preship.git
 cd preship
 npm install
 npm run build
-npm test        # 613 tests across 21 test files
+npm test        # 684 tests across 24 test files
 ```
 
 ---

package/dist/cli.js

@@ -27,10 +27,20 @@ var import_commander = require("commander");
 
 // src/scanner.ts
 var path = __toESM(require("path"));
+var fs = __toESM(require("fs"));
 var import_core = require("@preship/core");
 var import_license = require("@preship/license");
 var import_security = require("@preship/security");
 var import_secrets = require("@preship/secrets");
+function getCliVersion() {
+  try {
+    const pkgPath = path.join(__dirname, "..", "package.json");
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+    return pkg.version || "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -192,7 +202,7 @@ async function unifiedScan(options) {
   const allPassed = (licenseResult?.passed ?? true) && (securityResult?.passed ?? true) && (secretsResult?.passed ?? true);
   const totalScanDurationMs = Date.now() - startTime;
   return {
-    version: "2.0.0",
+    version: getCliVersion(),
     projectPath,
     projectType: project.type,
     framework: project.framework,
@@ -981,7 +991,7 @@ function registerScanCommand(program2) {
 }
 
 // src/commands/init.ts
-var fs = __toESM(require("fs"));
+var fs2 = __toESM(require("fs"));
 var path2 = __toESM(require("path"));
 function registerInitCommand(program2) {
   program2.command("init").description("Set up PreShip in the current project").option("--policy <name>", "Policy template: commercial-safe, saas-safe, distribution-safe, strict, permissive-only", "commercial-safe").option("--skip-hooks", "Don't add npm lifecycle hooks to package.json").action((options) => {
@@ -989,12 +999,12 @@ function registerInitCommand(program2) {
       const projectPath = process.cwd();
       const configContent = generateConfigContent(options.policy);
       const configPath = path2.join(projectPath, "preship-config.yml");
-      fs.writeFileSync(configPath, configContent, "utf-8");
+      fs2.writeFileSync(configPath, configContent, "utf-8");
       console.log(`\u2705 Created preship-config.yml (policy: ${options.policy})`);
       if (!options.skipHooks) {
         const pkgPath = path2.join(projectPath, "package.json");
-        if (fs.existsSync(pkgPath)) {
-          const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+        if (fs2.existsSync(pkgPath)) {
+          const pkg = JSON.parse(fs2.readFileSync(pkgPath, "utf-8"));
           pkg.scripts = pkg.scripts || {};
           if (pkg.scripts.postinstall) {
             pkg.scripts.postinstall = `preship scan --warn-only && ${pkg.scripts.postinstall}`;
@@ -1006,7 +1016,7 @@ function registerInitCommand(program2) {
           } else {
             pkg.scripts.prebuild = "preship scan";
           }
-          fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
+          fs2.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
           console.log("\u2705 Added postinstall hook to package.json (warn mode)");
           console.log("\u2705 Added prebuild hook to package.json (block mode)");
         }
@@ -1163,11 +1173,304 @@ function registerListCommand(program2) {
 }
 
 // src/commands/report.ts
-var fs2 = __toESM(require("fs"));
+var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
+
+// src/formatters/cyclonedx.ts
+var crypto = __toESM(require("crypto"));
+
+// src/formatters/purl.ts
+function generatePurl(name, version) {
+  let encodedName;
+  if (name.startsWith("@")) {
+    const withoutAt = name.slice(1);
+    encodedName = `%40${withoutAt}`;
+  } else {
+    encodedName = name;
+  }
+  if (version) {
+    return `pkg:npm/${encodedName}@${version}`;
+  }
+  return `pkg:npm/${encodedName}`;
+}
+function sanitizeSpdxId(value) {
+  return value.replace(/[^a-zA-Z0-9.-]/g, "-");
+}
+
+// src/formatters/cyclonedx.ts
+function formatCycloneDx(result) {
+  const bom = generateCycloneDxBom(result);
+  return JSON.stringify(bom, null, 2);
+}
+function generateCycloneDxBom(result) {
+  const projectName = getProjectName2(result.projectPath);
+  const rootBomRef = `pkg:npm/${projectName}`;
+  const allPolicyResults = getLicenseResults(result);
+  const components = allPolicyResults.map((pr) => buildComponent(pr));
+  const directDeps = allPolicyResults.filter((pr) => pr.dependency.isDirect).map((pr) => generateBomRef(pr.dependency.name, pr.dependency.version));
+  const dependencies = [
+    {
+      ref: rootBomRef,
+      dependsOn: directDeps
+    },
+    // Each component with no known transitive deps
+    ...components.map((c) => ({
+      ref: c["bom-ref"]
+    }))
+  ];
+  const vulnerabilities = getVulnerabilities(result, allPolicyResults);
+  const bom = {
+    bomFormat: "CycloneDX",
+    specVersion: "1.6",
+    serialNumber: `urn:uuid:${crypto.randomUUID()}`,
+    version: 1,
+    metadata: {
+      timestamp: result.timestamp,
+      tools: {
+        components: [
+          {
+            type: "application",
+            name: "preship",
+            version: result.version
+          }
+        ]
+      },
+      component: {
+        type: "application",
+        name: projectName,
+        version: "0.0.0",
+        // Root project version not available from scan
+        "bom-ref": rootBomRef
+      }
+    },
+    components,
+    dependencies
+  };
+  if (vulnerabilities.length > 0) {
+    bom.vulnerabilities = vulnerabilities;
+  }
+  return bom;
+}
+function getProjectName2(projectPath) {
+  const parts = projectPath.replace(/\\/g, "/").split("/");
+  return parts[parts.length - 1] || "unknown-project";
+}
+function getLicenseResults(result) {
+  if (!result.modules.license) return [];
+  const license = result.modules.license;
+  return [
+    ...license.allowed,
+    ...license.warned,
+    ...license.rejected,
+    ...license.unknown
+  ];
+}
+function generateBomRef(name, version) {
+  return generatePurl(name, version);
+}
+function buildComponent(pr) {
+  const dep = pr.dependency;
+  const component = {
+    type: "library",
+    name: dep.name,
+    version: dep.version,
+    purl: generatePurl(dep.name, dep.version),
+    "bom-ref": generatePurl(dep.name, dep.version)
+  };
+  if (dep.isDevDependency) {
+    component.scope = "optional";
+  } else {
+    component.scope = "required";
+  }
+  if (dep.license && dep.license !== "UNKNOWN") {
+    component.licenses = [
+      {
+        license: {
+          id: dep.license
+        }
+      }
+    ];
+  }
+  return component;
+}
+function getVulnerabilities(result, allPolicyResults) {
+  if (!result.modules.security) return [];
+  const security = result.modules.security;
+  const vulnerabilities = [];
+  for (const vuln of security.vulnerabilities) {
+    const bomRef = findBomRefForPackage(vuln.package, vuln.version, allPolicyResults);
+    const cdxVuln = {
+      id: vuln.id,
+      source: {
+        name: getSourceName(vuln.source),
+        url: vuln.references[0]
+      },
+      ratings: [
+        {
+          severity: vuln.severity
+        }
+      ],
+      description: vuln.summary
+    };
+    if (bomRef) {
+      cdxVuln.affects = [{ ref: bomRef }];
+    }
+    if (vuln.fixedVersion) {
+      cdxVuln.recommendation = `Upgrade to version ${vuln.fixedVersion}`;
+    }
+    vulnerabilities.push(cdxVuln);
+  }
+  return vulnerabilities;
+}
+function findBomRefForPackage(packageName, version, allPolicyResults) {
+  const found = allPolicyResults.find(
+    (pr) => pr.dependency.name === packageName && pr.dependency.version === version
+  );
+  if (found) {
+    return generatePurl(found.dependency.name, found.dependency.version);
+  }
+  return void 0;
+}
+function getSourceName(source) {
+  switch (source) {
+    case "osv":
+      return "OSV";
+    case "github-advisory":
+      return "GitHub Advisory Database";
+    case "npm-audit":
+      return "npm Audit";
+    default:
+      return source;
+  }
+}
+
+// src/formatters/spdx.ts
+var crypto2 = __toESM(require("crypto"));
+function formatSpdx(result) {
+  const doc = generateSpdxDocument(result);
+  return JSON.stringify(doc, null, 2);
+}
+function generateSpdxDocument(result) {
+  const projectName = getProjectName3(result.projectPath);
+  const uuid = crypto2.randomUUID();
+  const allPolicyResults = getLicenseResults2(result);
+  const rootPackage = {
+    SPDXID: "SPDXRef-RootPackage",
+    name: projectName,
+    versionInfo: "0.0.0",
+    downloadLocation: "NOASSERTION",
+    filesAnalyzed: false,
+    licenseConcluded: "NOASSERTION",
+    licenseDeclared: "NOASSERTION",
+    copyrightText: "NOASSERTION",
+    supplier: "NOASSERTION",
+    externalRefs: []
+  };
+  const depPackages = allPolicyResults.map((pr) => buildSpdxPackage(pr));
+  const relationships = [];
+  relationships.push({
+    spdxElementId: "SPDXRef-DOCUMENT",
+    relatedSpdxElement: "SPDXRef-RootPackage",
+    relationshipType: "DESCRIBES"
+  });
+  for (const pr of allPolicyResults) {
+    const depSpdxId = generateSpdxPackageId(pr.dependency.name, pr.dependency.version);
+    if (pr.dependency.isDevDependency) {
+      relationships.push({
+        spdxElementId: depSpdxId,
+        relatedSpdxElement: "SPDXRef-RootPackage",
+        relationshipType: "DEV_DEPENDENCY_OF"
+      });
+    } else if (pr.dependency.isDirect) {
+      relationships.push({
+        spdxElementId: "SPDXRef-RootPackage",
+        relatedSpdxElement: depSpdxId,
+        relationshipType: "DEPENDS_ON"
+      });
+    } else {
+      relationships.push({
+        spdxElementId: "SPDXRef-RootPackage",
+        relatedSpdxElement: depSpdxId,
+        relationshipType: "DEPENDS_ON"
+      });
+    }
+  }
+  return {
+    spdxVersion: "SPDX-2.3",
+    dataLicense: "CC0-1.0",
+    SPDXID: "SPDXRef-DOCUMENT",
+    name: projectName,
+    documentNamespace: `https://preship.dev/spdxdocs/${projectName}-${uuid}`,
+    creationInfo: {
+      created: result.timestamp,
+      creators: [`Tool: preship-${result.version}`],
+      licenseListVersion: "3.22"
+    },
+    packages: [rootPackage, ...depPackages],
+    relationships
+  };
+}
+function getProjectName3(projectPath) {
+  const parts = projectPath.replace(/\\/g, "/").split("/");
+  return parts[parts.length - 1] || "unknown-project";
+}
+function getLicenseResults2(result) {
+  if (!result.modules.license) return [];
+  const license = result.modules.license;
+  return [
+    ...license.allowed,
+    ...license.warned,
+    ...license.rejected,
+    ...license.unknown
+  ];
+}
+function generateSpdxPackageId(name, version) {
+  const sanitizedName = sanitizeSpdxId(name);
+  const sanitizedVersion = sanitizeSpdxId(version);
+  return `SPDXRef-Package-${sanitizedName}-${sanitizedVersion}`;
+}
+function buildSpdxPackage(pr) {
+  const dep = pr.dependency;
+  const spdxId = generateSpdxPackageId(dep.name, dep.version);
+  const purl = generatePurl(dep.name, dep.version);
+  const license = dep.license === "UNKNOWN" ? "NOASSERTION" : dep.license;
+  const downloadLocation = `https://registry.npmjs.org/${dep.name}/-/${getPackageBasename(dep.name)}-${dep.version}.tgz`;
+  return {
+    SPDXID: spdxId,
+    name: dep.name,
+    versionInfo: dep.version,
+    downloadLocation,
+    filesAnalyzed: false,
+    licenseConcluded: license,
+    licenseDeclared: license,
+    copyrightText: "NOASSERTION",
+    supplier: "NOASSERTION",
+    externalRefs: [
+      {
+        referenceCategory: "PACKAGE-MANAGER",
+        referenceType: "purl",
+        referenceLocator: purl
+      }
+    ]
+  };
+}
+function getPackageBasename(name) {
+  if (name.startsWith("@")) {
+    const parts = name.split("/");
+    return parts[parts.length - 1];
+  }
+  return name;
+}
+
+// src/commands/report.ts
 function registerReportCommand(program2) {
-  program2.command("report").description("Generate a license attribution/NOTICE file or full scan report").option("--out <path>", "Output file path", "NOTICE.txt").option("--format <type>", "Format: text, json, csv", "text").option("--project <path>", "Path to project root", process.cwd()).option("--license-only", "Generate license-only report (legacy mode)").option("--no-license", "Exclude license information from report").option("--no-security", "Exclude security information from report").option("--no-secrets", "Exclude secrets information from report").action(async (options) => {
+  program2.command("report").description("Generate a license attribution/NOTICE file or full scan report").option("--out <path>", "Output file path", "NOTICE.txt").option("--format <type>", "Format: text, json, csv, cyclonedx, spdx", "text").option("--project <path>", "Path to project root", process.cwd()).option("--license-only", "Generate license-only report (legacy mode)").option("--no-license", "Exclude license information from report").option("--no-security", "Exclude security information from report").option("--no-secrets", "Exclude secrets information from report").action(async (options) => {
     try {
+      const validFormats = ["text", "json", "csv", "cyclonedx", "spdx"];
+      if (!validFormats.includes(options.format)) {
+        console.error(`\u274C Unknown format: "${options.format}". Valid formats: ${validFormats.join(", ")}`);
+        process.exit(2);
+      }
       if (options.licenseOnly) {
         const result2 = await scan({
           projectPath: options.project,
@@ -1199,15 +1502,16 @@ function registerReportCommand(program2) {
             break;
         }
         const outPath2 = path3.resolve(options.out);
-        fs2.writeFileSync(outPath2, content2, "utf-8");
+        fs3.writeFileSync(outPath2, content2, "utf-8");
         console.log(`\u2705 Generated ${options.out} with ${allResults.length} package attributions`);
         return;
       }
+      const isSbomFormat = options.format === "cyclonedx" || options.format === "spdx";
       const result = await unifiedScan({
         projectPath: options.project,
         config: {
           scanDevDependencies: true,
-          modules: {
+          modules: isSbomFormat ? { license: true, security: true, secrets: true } : {
             license: options.license !== void 0 ? options.license : void 0,
             security: options.security !== void 0 ? options.security : void 0,
             secrets: options.secrets !== void 0 ? options.secrets : void 0
@@ -1222,12 +1526,26 @@ function registerReportCommand(program2) {
         case "csv":
           content = generateUnifiedCsvReport(result);
           break;
+        case "cyclonedx":
+          content = formatCycloneDx(result);
+          break;
+        case "spdx":
+          content = formatSpdx(result);
+          break;
         default:
           content = generateUnifiedTextReport(result);
           break;
       }
-      const outPath = path3.resolve(options.out === "NOTICE.txt" ? "preship-report.txt" : options.out);
-      fs2.writeFileSync(outPath, content, "utf-8");
+      let defaultOut;
+      if (options.format === "cyclonedx") {
+        defaultOut = "preship-sbom.cdx.json";
+      } else if (options.format === "spdx") {
+        defaultOut = "preship-sbom.spdx.json";
+      } else {
+        defaultOut = "preship-report.txt";
+      }
+      const outPath = path3.resolve(options.out === "NOTICE.txt" ? defaultOut : options.out);
+      fs3.writeFileSync(outPath, content, "utf-8");
       const modulesRan = [];
       if (result.modules.license) modulesRan.push("license");
       if (result.modules.security) modulesRan.push("security");
@@ -1257,8 +1575,8 @@ function generateNoticeText(results, projectPath) {
       for (const lf of licenseFiles) {
         const licensePath = path3.join(r.dependency.path, lf);
         try {
-          if (fs2.existsSync(licensePath)) {
-            const licenseContent = fs2.readFileSync(licensePath, "utf-8");
+          if (fs3.existsSync(licensePath)) {
+            const licenseContent = fs3.readFileSync(licensePath, "utf-8");
             lines.push("");
             lines.push(licenseContent.trim());
             break;
@@ -1381,7 +1699,7 @@ function escapeCsv2(value) {
 }
 
 // src/commands/allow.ts
-var fs3 = __toESM(require("fs"));
+var fs4 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
 
 // ../../node_modules/js-yaml/dist/js-yaml.mjs
@@ -3977,8 +4295,8 @@ function registerAllowCommand(program2) {
       const projectPath = process.cwd();
       const configPath = path4.join(projectPath, "preship-config.yml");
       let config = {};
-      if (fs3.existsSync(configPath)) {
-        const content = fs3.readFileSync(configPath, "utf-8");
+      if (fs4.existsSync(configPath)) {
+        const content = fs4.readFileSync(configPath, "utf-8");
         const parsed = load(content);
         if (parsed && typeof parsed === "object") {
           config = parsed;
@@ -4007,7 +4325,7 @@ function registerAllowCommand(program2) {
         quotingType: '"',
         forceQuotes: false
       });
-      fs3.writeFileSync(configPath, yamlContent, "utf-8");
+      fs4.writeFileSync(configPath, yamlContent, "utf-8");
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       console.error(`\u274C ${message}`);

package/dist/index.js

@@ -37,10 +37,20 @@ module.exports = __toCommonJS(index_exports);
 
 // src/scanner.ts
 var path = __toESM(require("path"));
+var fs = __toESM(require("fs"));
 var import_core = require("@preship/core");
 var import_license = require("@preship/license");
 var import_security = require("@preship/security");
 var import_secrets = require("@preship/secrets");
+function getCliVersion() {
+  try {
+    const pkgPath = path.join(__dirname, "..", "package.json");
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+    return pkg.version || "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -202,7 +212,7 @@ async function unifiedScan(options) {
   const allPassed = (licenseResult?.passed ?? true) && (securityResult?.passed ?? true) && (secretsResult?.passed ?? true);
   const totalScanDurationMs = Date.now() - startTime;
   return {
-    version: "2.0.0",
+    version: getCliVersion(),
     projectPath,
     projectType: project.type,
     framework: project.framework,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "preship",
-  "version": "2.0.10",
+  "version": "2.1.0",
   "description": "Pre-ship verification for modern dev teams. License compliance, security vulnerability scanning, and secret detection — all in one CLI. Zero config. Fully offline. Free forever.",
   "keywords": [
     "license",
@@ -25,7 +25,11 @@
     "offline",
     "air-gap",
     "osv",
-    "cve"
+    "cve",
+    "sbom",
+    "cyclonedx",
+    "spdx",
+    "software-bill-of-materials"
   ],
   "author": "Cyfox Inc.",
   "license": "Apache-2.0",