verimu 0.0.2 → 0.0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -10
- package/dist/cli.mjs +1616 -0
- package/dist/cli.mjs.map +1 -0
- package/dist/index.cjs +779 -16
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +422 -4
- package/dist/index.d.ts +422 -4
- package/dist/index.mjs +768 -13
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2,19 +2,28 @@
|
|
|
2
2
|
|
|
3
3
|
The NPM package for `verimu`, a tool for producing CRA-compliant SBOMs via CI / CD pipelines.
|
|
4
4
|
|
|
5
|
-
##
|
|
5
|
+
## Documentation and Website
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
- [ ] GitLab CI
|
|
9
|
-
- [ ] Bitbucket Pipelines
|
|
7
|
+
[https://verimu.com](https://verimu.com)
|
|
10
8
|
|
|
9
|
+
## Supported CI / CD Platforms
|
|
11
10
|
|
|
12
|
-
|
|
11
|
+
The core scanning pipeline is CI-agnostic — it works in any environment with Node.js 20+.
|
|
12
|
+
Example CI configs are provided in the `ci-examples/` directory.
|
|
13
13
|
|
|
14
|
-
- [x]
|
|
15
|
-
- [
|
|
16
|
-
- [
|
|
17
|
-
|
|
14
|
+
- [x] GitHub Actions (`.github/workflows/test.yml`)
|
|
15
|
+
- [x] GitLab CI (`ci-examples/gitlab-ci.yml`)
|
|
16
|
+
- [x] Bitbucket Pipelines (`ci-examples/bitbucket-pipelines.yml`)
|
|
17
|
+
|
|
18
|
+
## Supported Package Ecosystems
|
|
19
|
+
|
|
20
|
+
- [x] npm (package-lock.json)
|
|
21
|
+
- [x] NuGet (packages.lock.json)
|
|
22
|
+
- [x] pip (requirements.txt, Pipfile.lock)
|
|
23
|
+
- [x] Cargo (Cargo.lock)
|
|
24
|
+
- [x] Maven (pom.xml + dependency-tree.txt or `mvn` on PATH)
|
|
25
|
+
- [x] Go (go.sum)
|
|
26
|
+
- [x] Ruby (Gemfile.lock)
|
|
18
27
|
|
|
19
28
|
## Development
|
|
20
29
|
|
|
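Review bot: in the Supported CI / CD Platforms list the GitHub Actions entry points at the project's own test workflow (`.github/workflows/test.yml`) while the GitLab and Bitbucket entries point into `ci-examples/`, directly under the sentence saying example CI configs are provided in `ci-examples/`; either add a GitHub Actions file under `ci-examples/` or say explicitly that the test workflow doubles as the example. In the Supported Package Ecosystems list, `go.sum` is not a lockfile: it holds checksums for every module version the go command has had to verify, including versions that are no longer in the build graph, so an SBOM derived from it can overreport dependencies; the same caution applies to `requirements.txt`, which may contain unpinned ranges, so the SBOM is only as precise as the pins in that file. A short accuracy caveat next to those two entries would save users from treating the output as a resolved dependency set.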
@@ -22,4 +31,15 @@ To run the tests, use:
|
|
|
22
31
|
|
|
23
32
|
```bash
|
|
24
33
|
npm test
|
|
25
|
-
```
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
## Maven Scanner Notes
|
|
37
|
+
|
|
38
|
+
The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it uses two strategies:
|
|
39
|
+
|
|
40
|
+
1. **Pre-generated dependency tree** (recommended for CI): Run `mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true` before scanning.
|
|
41
|
+
2. **Auto-detect**: If `mvn` is on `$PATH`, the scanner runs `mvn dependency:list` automatically.
|
|
42
|
+
|
|
43
|
+
## Three CI / CD Pipelines as Self Check on the `verimu` package itself
|
|
44
|
+
|
|
45
|
+
There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/test.yml` file, all of which would run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
|
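Review bot: the Auto-detect strategy (item 2 under Maven Scanner Notes) runs `mvn dependency:list` whenever `mvn` happens to be on `$PATH`, which executes the project's build with whatever plugins and repositories `pom.xml` and the runner's `settings.xml` declare; for a scanner meant to run in CI against arbitrary repositories that is an implicit code-execution and network step, so state it plainly and consider making it opt-in rather than automatic. In item 1, `-DappendOutput=true` appends to an existing `dependency-tree.txt`, so a reused workspace or cached checkout accumulates stale entries across runs; drop the flag or remove the file before generating it (the file is also produced by `dependency:list`, not `dependency:tree`, so the name is misleading). The last paragraph says `bitbucket-pipelines.yml` and `.gitlab-ci.yml` sit in the project root, whereas the platform list above points at `ci-examples/gitlab-ci.yml` and `ci-examples/bitbucket-pipelines.yml`; make the paths agree.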