feat: tools as components (#1235)
fixes #1233

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck authored Jan 23, 2025
1 parent 33c1136 commit edb3165
Showing 219 changed files with 16,279 additions and 11,326 deletions.
14 changes: 11 additions & 3 deletions HISTORY.md
Expand Up @@ -7,9 +7,17 @@ All notable changes to this project will be documented in this file.
<!-- unreleased changes go here -->

* BREAKING changes
* Create dir for output file if not exist ([#1241] via [#1242])
* Emit `.metadata.tools` as components ([#1233] via [#1235])
This affects only CycloneDX spec-version 1.5 and later.
* Emitted `.purl` values might be partially url-encoded (via [#1235])
This is cased by changes on underlying 3rd-party dependency `packageurl-js`.
* Create dir for output file if not exists ([#1241] via [#1242])
This is only a breaking change if you relied on non-existent result paths.
* Misc
* Raised dependency `@cyclonedx/cyclonedx-library@^7.0.0`, was `@^6.11.0` (via [#1235])

[#1233]: https://github.com/CycloneDX/cyclonedx-node-npm/issues/1233
[#1235]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1235
[#1241]: https://github.com/CycloneDX/cyclonedx-node-npm/issues/1241
[#1242]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1242

Expand Down Expand Up @@ -73,7 +81,7 @@ All notable changes to this project will be documented in this file.

* Added
* Licenses acknowledgement might be populated ([#1171] via [#1183])
* Misc
* Dependencies
* Raised dependency `@cyclonedx/cyclonedx-library@^6.6.0`, was `@^6.5.0` (via [#1183])

[#1171]: https://github.com/CycloneDX/cyclonedx-node-npm/issues/1171
Expand Down Expand Up @@ -265,7 +273,7 @@ Details
They should be marked as expression, now.
* Added
* Added detection for package integrity with SHA-1 ([#699] via [#735])
* Misc
* Dependencies
* Raised dependency `@cyclonedx/cyclonedx-library@^2.0.0`, was `@^1.14.0` (via [#726])

[#699]: https://github.com/CycloneDX/cyclonedx-node-npm/issues/699
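--- a/package.json
+++ b/package.json
@@ -47,7 +47,7 @@
 }
 ],
 "dependencies": {
-"@cyclonedx/cyclonedx-library": "^6.11.0",
+"@cyclonedx/cyclonedx-library": "^7.0.0",
 "commander": "^10.0.0",
 "normalize-package-data": "^3||^4||^5||^6",
 "xmlbuilder2": "^3.0.2"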
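--- a/src/builders.ts
+++ b/src/builders.ts
@@ -51,7 +51,6 @@ type cPath = string
 type AllComponents = Map<cPath, Models.Component>
 
 export class BomBuilder {
-toolBuilder: Builders.FromNodePackageJson.ToolBuilder
 componentBuilder: Builders.FromNodePackageJson.ComponentBuilder
 treeBuilder: TreeBuilder
 purlFactory: Factories.FromNodePackageJson.PackageUrlFactory
@@ -69,14 +68,12 @@ export class BomBuilder {
 console: Console
 
 constructor (
-toolBuilder: BomBuilder['toolBuilder'],
 componentBuilder: BomBuilder['componentBuilder'],
 treeBuilder: BomBuilder['treeBuilder'],
 purlFactory: BomBuilder['purlFactory'],
 options: BomBuilderOptions,
 console_: BomBuilder['console']
 ) {
-this.toolBuilder = toolBuilder
 this.componentBuilder = componentBuilder
 this.treeBuilder = treeBuilder
 this.purlFactory = purlFactory
@@ -236,14 +233,14 @@ export class BomBuilder {
 
 bom.metadata.component = rootComponent
 
-bom.metadata.tools.add(new Models.Tool({
-name: 'npm',
-version: npmVersion // use the self-proclaimed `version`
-// omit `vendor` and `externalReferences`, because we cannot be sure about the used tool's actual origin
+bom.metadata.tools.components.add(new Models.Component(
+Enums.ComponentType.Application, 'npm', {
+version: npmVersion // use the self-proclaimed `version`
+// omit `group` and `externalReferences`, because we cannot be sure about the used tool's actual origin
 // omit `hashes`, because unfortunately there is no agreed process of generating them
-}))
-for (const tool of this.makeTools()) {
-bom.metadata.tools.add(tool)
+}))
+for (const toolC of this.makeToolCs()) {
+bom.metadata.tools.components.add(toolC)
 }
 
 if (!this.reproducible) {
@@ -608,8 +605,10 @@ export class BomBuilder {
 }
 }
 
-private * makeTools (): Generator<Models.Tool> {
-const packageJsonPaths = [path.resolve(module.path, '..', 'package.json')]
+private * makeToolCs (): Generator<Models.Component> {
+const packageJsonPaths: Array<[string, Enums.ComponentType]> = [
+[path.resolve(module.path, '..', 'package.json'), Enums.ComponentType.Application]
+]
 
 const libs = [
 '@cyclonedx/cyclonedx-library'
@@ -621,19 +620,19 @@ export class BomBuilder {
 for (const nodeModulePath of nodeModulePaths) {
 const packageJsonPath = path.resolve(nodeModulePath, ...lib, 'package.json')
 if (existsSync(packageJsonPath)) {
-packageJsonPaths.push(packageJsonPath)
+packageJsonPaths.push([packageJsonPath, Enums.ComponentType.Library])
 continue libsLoop
 }
 }
 }
 /* eslint-enable no-labels */
 
-for (const packageJsonPath of packageJsonPaths) {
+for (const [packageJsonPath, cType] of packageJsonPaths) {
 const packageData: object = loadJsonFile(packageJsonPath) ?? {}
 normalizePackageData(packageData /* add debug for warnings? */)
-const tool = this.toolBuilder.makeTool(packageData)
-if (tool !== undefined) {
-yield tool
+const toolC = this.componentBuilder.makeComponent(packageData, cType)
+if (toolC !== undefined) {
+yield toolC
 }
 }
 }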
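Review bot: `makeToolCs` is introduced without a doc comment, and the `Cs` suffix together with the `toolC`/`cType` locals leaves the reader to work out that the generator yields `Models.Component` entries destined for `.metadata.tools.components`; a name such as `makeToolComponents` with matching locals would read better both here and at the call site in the third hunk. A TSDoc block above the generator would cover the intent, e.g. `/** Yields the tool itself as an Application component, then each entry of `libs` found under `nodeModulePaths` as a Library component, each built from its on-disk `package.json`. */`. The generator's signature sits in the fourth hunk and its loop body in the fifth, so the lines in between (including where `nodeModulePaths` comes from) are outside the hunks shown.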
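--- a/src/cli.ts
+++ b/src/cli.ts
@@ -238,13 +238,10 @@ export async function run (process: NodeJS.Process): Promise<number> {
 throw new Error('missing evidence')
 }
 
-const extRefFactory = new Factories.FromNodePackageJson.ExternalReferenceFactory()
-
 myConsole.log('LOG | gathering BOM data ...')
 const bom = new BomBuilder(
-new Builders.FromNodePackageJson.ToolBuilder(extRefFactory),
 new Builders.FromNodePackageJson.ComponentBuilder(
-extRefFactory,
+new Factories.FromNodePackageJson.ExternalReferenceFactory(),
 new Factories.LicenseFactory()
 ),
 new TreeBuilder(),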
