cyclonedx / cyclonedx-node-module
Creates CycloneDX Software Bill of Materials (SBOM) from Node-based projects.
Home Page: https://cyclonedx.org/
License: Apache License 2.0
As the licenseText(s) can be quite long, it would be nice to have the option to include or not include the licenseText.
The maven module provides a similar option:
<includeLicenseText>true</includeLicenseText>
I observe a regression in the version 2.0.2, this happens:
cyclonedx-bom -h
/usr/lib/node_modules/@cyclonedx/bom/node_modules/ssri/index.js:25
const ssriOpts = (opts = {}) => ({ ...defaultOpts, ...opts })
^^^
SyntaxError: Unexpected token ...
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:549:28)
at Object.Module._extensions..js (module.js:586:10)
at Module.load (module.js:494:32)
at tryModuleLoad (module.js:453:12)
at Function.Module._load (module.js:445:3)
at Module.require (module.js:504:17)
at require (internal/module.js:20:19)
at Object. (/usr/lib/node_modules/@cyclonedx/bom/model/HashList.js:19:14)
Note: the program behaves normally in version 2.0.1.
In preparation of v1.2 of the spec we need to support JSON output.
It would be great if packages that are installed from non-NPM origin had the information in their purl.
For example
npm install git+ssh://[email protected]:npm/cli.git#v1.0.27
Would create a component with purl pkg:npm/[email protected]?vcs_url=git+git+ssh://[email protected]:npm/cli.git#v1.0.27
Similarly, repository_url could be added for packages installed from custom registries.
Starting with version 1.1.0, the following error is encountered when running on a project with no dependencies:
$ npm install -g @cyclonedx/bom
/usr/local/bin/cyclonedx-bom -> /usr/local/lib/node_modules/@cyclonedx/bom/bin/cyclonedx-bom
+ @cyclonedx/[email protected]
added 41 packages from 37 contributors in 2.149s
$ cyclonedx-bom -o bom.xml
/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:191
throw new Error("Could not create any elements with: " + name + ". " + this.debugInfo());
^
Error: Could not create any elements with: . node: <components>, parent: <bom>
at XMLElement.element (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:191:17)
at XMLElement.ele (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:611:21)
at /usr/local/lib/node_modules/@cyclonedx/bom/index.js:208:27
at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:142:5
at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
ERROR: Job failed: exit code 1
The output does appear correct if devDependencies are included.
Previous versions would generate the following output:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:3b14e096-3de2-4fec-81ce-7ad082ff99fe">
<components>
</components>
</bom>
First of all, thanks for a great package!
I'm working with a few legacy projects and would like to track the bower dependencies in these projects.
I would like to ask if the direction of this project would allow support for bower?
I understand that bower is not being recommended anymore and I would be happy to help implement this functionality, however I thought I'd ask before submitting a PR or creating a separate module.
Thanks
Seems like the contract of the cli is broken since 11 hours ago.
We have used option -a to append cyclonedx bom generation in our ci pipelines
Now that the CLI tool is available to merge SBOMs, deprecation is planned for the --append option.
As per Low risk vulnerability:
https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960
Many thanks
It would be helpful if I could set the name and version of the metadata component from outside.
Hi there! I am planning on using this tool and want to include an entry in my Bill of Materials for it.
I am trying to formulate a CPE for it and this is what I have come up with: cpe:2.3:a:cyclonedx:cyclonedx-node-module:3.0.3:*:*:*:*:*:*:*
Does this seem reasonable? I just want to be able to use it to look up any CVEs that may come up.
Thanks!
Dependabot couldn't reach artifact.devsnc.com/content/groups/npm-all as it timed out.
Is artifact.devsnc.com/content/groups/npm-all accessible over the internet? If it is then this may be a transitory issue and can be ignored - Dependabot will close it on its next successful update run.
I'm trying to get my head around scoped packages in npm.
Maybe I'm wrong and overlooked something, please have a look.
According to purl-spec, scoped npm packages shall use the package's scope as the purl namespace. Example from the spec:
pkg:npm/%40angular/[email protected]
    type: npm
    namespace: @angular, encoded as %40angular
    name: animation
    version: 12.3.1
However, when I use cyclonedx-bom -d -o bom.xml I get URLs like this in the generated BOM:
<purl>pkg:npm/angular/%40angular%[email protected]</purl>
    type: npm ✔️
    namespace: angular, not encoded because there is no @ in there (expected: @angular)
    name: @angular/animation, encoded as %40angular%2Fanimations (expected: animation)
    version: 9.1.4 ✔️
$ cyclonedx-bom --version
1.1.3
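The scoping rule this report refers to, as an added example that is not part of the original post or of cyclonedx-node-module: a small JavaScript helper that builds an npm purl the way purl-spec prescribes (the scope goes into the namespace segment with @ encoded as %40, only the bare name into the name segment), parses a purl back into its decoded parts, and flags the non-conformant shape shown above. The function names npmPurl, parseNpmPurl and isSpecConformantNpmPurl are my own; qualifiers and subpaths are deliberately not handled.

```javascript
// Added example (not cyclonedx-node-module code): building and checking npm
// purls per purl-spec. A scoped package "@scope/name" puts the scope in the
// namespace segment and only the bare name in the name segment.

function npmPurl(pkgName, version) {
  if (typeof pkgName !== 'string' || pkgName.length === 0) {
    throw new TypeError('package name is required');
  }
  let namespace = null;
  let name = pkgName;
  if (pkgName.startsWith('@')) {
    const slash = pkgName.indexOf('/');
    if (slash < 0) throw new TypeError(`malformed scoped package name: ${pkgName}`);
    namespace = pkgName.slice(0, slash); // "@angular"
    name = pkgName.slice(slash + 1);      // "animation"
  }
  // encodeURIComponent turns "@" into "%40" and "/" into "%2F", so a stray
  // slash can never create an extra purl segment.
  let purl = 'pkg:npm/';
  if (namespace !== null) purl += encodeURIComponent(namespace) + '/';
  purl += encodeURIComponent(name);
  if (version) purl += '@' + encodeURIComponent(version);
  return purl;
}

// Split an npm purl into decoded parts; returns null for anything that is not
// a well-formed pkg:npm purl without qualifiers or subpath.
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/(?:([^/@]+)\/)?([^/@]+)(?:@([^/@]+))?$/.exec(purl);
  if (!m) return null;
  return {
    namespace: m[1] === undefined ? null : decodeURIComponent(m[1]),
    name: decodeURIComponent(m[2]),
    version: m[3] === undefined ? null : decodeURIComponent(m[3]),
  };
}

// True when the purl follows the scoped-package rule: a namespace, if present,
// is an npm scope ("@..."), and the name carries neither "@" nor "/".
function isSpecConformantNpmPurl(purl) {
  const p = parseNpmPurl(purl);
  if (!p) return false;
  if (p.namespace !== null && !p.namespace.startsWith('@')) return false;
  return !p.name.includes('@') && !p.name.includes('/');
}

// Usage: the spec shape next to the shape produced by cyclonedx-bom 1.1.3.
for (const purl of [
  'pkg:npm/%40angular/animation@12.3.1',
  'pkg:npm/angular/%40angular%2Fanimation@9.1.4',
]) {
  console.log(purl, isSpecConformantNpmPurl(purl) ? 'OK' : 'NOT per purl-spec');
}
```

Because the parser decodes each segment separately, the mis-encoded form comes back with namespace "angular" and name "@angular/animation", which is exactly what the conformance check rejects.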
To get the list of installed components, cyclonedx-node-module uses the module read-installed, which reads this information from package.json and node_modules (see https://github.com/npm/read-installed/blob/master/read-installed.js). So we need to either update the docs for usage of cyclonedx-node-module and add the required base step npm install before launching cyclonedx-bom, or implement support for package-lock.json.
Without this step cyclonedx-bom generates an empty BOM file for a project with package.json and package-lock.json but without node_modules.
When running 3.0.5 with npx after building with yarn we get this crash. Running exactly the same in 3.0.4 works.
internal/fs/utils.js:220
throw err;
^
Error: ENOENT: no such file or directory, open 'package-lock.json'
at Object.openSync (fs.js:440:3)
at Object.readFileSync (fs.js:342:35)
at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/index.js:26:34
at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:142:5
at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24) {
errno: -2,
syscall: 'open',
code: 'ENOENT',
path: 'package-lock.json'
I have a problem creating a bom file for a Vue.js project.
The bom file includes an empty component like this:
<component type="library">
<name>
</name>
<version>
</version>
<description>
<![CDATA[]]>
</description>
<licenses>
<license>
</license>
</licenses>
<purl>pkg:npm/@</purl>
<modified>false</modified>
</component>
otherwise the bom file can be imported to dependency track only after deleting the empty component.
Any idea how to debug this?
When generating a node BOM and using -a to add an already generated maven-project BOM (1.5.0+), the XML is broken, since the maven BOM has the dg: namespace defined since version 1.5.x while the node-generated BOM has not.
This scenario is very useful for us since we deliver the Java backend and JS frontend in the same package, but they are built with their respective build tools.
cyclonedx-node-module 0.2.4
npm 5.4.2
node 8.6.0
dependency-track 3.4.0
I have a web project using npm to load dependencies. I have the cyclonedx-node-module running on my build server generating a bom file for my project. I'm seeing a dependency in the list that was flagged as critical, and I didn't recognize the package, so naturally I tried to find where it was being referenced.
See "macaddress" dependency in this image:
When I run a scan on my project folder I do not find a direct reference to the "macaddress" dependency in package.json, but I do find it in the package-lock.json file.
"macaddress": {
"version": "0.2.8",
"resolved": "https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz",
"integrity": "sha1-WQTcU3w57G2+/q6QIycTX6hRHxI="
},
I then found that there was a second reference under package-lock.json for "macaddress"
"uniqid": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/uniqid/-/uniqid-4.1.1.tgz",
"integrity": "sha1-iSIN32t1GuUrX3JISGNShZa7hME=",
"requires": {
"macaddress": "0.2.8"
}
},
Which appears to be the parent dependency pulling "macaddress" in.
And that comes from...
"postcss-filter-plugins": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/postcss-filter-plugins/-/postcss-filter-plugins-2.0.2.tgz",
"integrity": "sha1-bYWGJTTXNaxCDkqFgG4fXUKG2Ew=",
"requires": {
"postcss": "5.2.18",
"uniqid": "4.1.1"
},
"dependencies": {
And so on...
Eventually, this builds out to a dependency tree like this:
css-loader (referenced in "dependencies" section of package.json)
|-cssnano
|--postcss-filter-plugins
|---uniqid
|----macaddress
My question is how can we resolve this dependency tree in the cyclonedx-node-module bom generation? Either that or dependency-track itself should resolve this. I'm going to have people asking about critical vuln dependencies and I would love to figure out how the heck these are getting pulled in without doing the time-intensive dirty work. Seems like this should be possible.
Let me know if I need to elaborate further.
Thanks!
Drew
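One way to answer the question in this post, as an added example that is not part of the original thread or of cyclonedx-node-module: a JavaScript script that walks a lockfileVersion 1 package-lock.json and returns every path from a direct dependency down to a target package, resolving each requires entry the way npm 5/6 does (the nearest dependencies entry, searching from the requiring package's own nested dependencies up to the lockfile root). The lockfile below is constructed from the fragments quoted above; the version numbers for css-loader and cssnano, the assumption that css-loader is the only direct dependency, and the placement of postcss as a nested dependency of postcss-filter-plugins (as the truncated fragment above suggests) are mine.

```javascript
// Added example (not cyclonedx-node-module code): find how a transitive
// package such as "macaddress" is pulled into a lockfileVersion 1 project.

// Constructed package-lock.json v1. Versions for css-loader and cssnano are
// placeholders; the other values are the ones quoted in the issue.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'css-loader': { version: '0.0.0', requires: { cssnano: '0.0.0' } },
    cssnano: { version: '0.0.0', requires: { 'postcss-filter-plugins': '2.0.2' } },
    'postcss-filter-plugins': {
      version: '2.0.2',
      requires: { postcss: '5.2.18', uniqid: '4.1.1' },
      // nested (non-hoisted) dependency, resolved before any top-level postcss
      dependencies: { postcss: { version: '5.2.18' } },
    },
    uniqid: { version: '4.1.1', requires: { macaddress: '0.2.8' } },
    macaddress: { version: '0.2.8', integrity: 'sha1-WQTcU3w57G2+/q6QIycTX6hRHxI=' },
  },
};

// Direct dependencies come from package.json; assumed here.
const DIRECT_DEPENDENCIES = ['css-loader'];

// npm v5/v6 resolution: a name in "requires" is satisfied by the nearest
// "dependencies" entry, searching from the requiring package's own nested
// "dependencies" up through its ancestors to the lockfile root.
function resolveRequire(chain, depName) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, depName)) return deps[depName];
  }
  return null;
}

// Return every path (array of package names) from a direct dependency to `target`.
function findPaths(lock, target, directDeps) {
  const paths = [];
  const onPath = new Set(); // guards against dependency cycles on the current path

  function walk(chain, names) {
    const node = chain[chain.length - 1];
    const name = names[names.length - 1];
    if (name === target) { paths.push(names.slice()); return; }
    const key = `${name}@${node.version}`;
    if (onPath.has(key)) return;
    onPath.add(key);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolveRequire(chain, dep);
      if (child) walk([...chain, child], [...names, dep]);
    }
    onPath.delete(key);
  }

  for (const direct of directDeps) {
    const node = resolveRequire([lock], direct);
    if (node) walk([lock, node], [direct]);
  }
  return paths;
}

function formatPath(path) { return path.join(' > '); }

// Usage
for (const p of findPaths(LOCKFILE, 'macaddress', DIRECT_DEPENDENCIES)) console.log(formatPath(p));
```

Pointing the script at a real lockfile is a matter of replacing LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json')) and DIRECT_DEPENDENCIES with the keys of the dependencies (and, if wanted, devDependencies) of package.json.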
I'm running cyclonedx-bom v. 1.0.4 and want to test and generate a BOM from the Vue.js repo (https://github.com/vuejs/vue). I have cloned the repo locally and cd'd to that directory:
cyclonedx-bom
Result:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:87c904d4-7d21-4f51-aef2-8aaa7496a556">
<components>
</components>
</bom>
Then I try to run npm install, which results in:
added 1491 packages from 1554 contributors and audited 11951 packages in 36.94s
found 14 vulnerabilities (3 low, 10 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Once again I try cyclonedx-bom:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:85ab67e4-1942-4f07-abd4-3b8d5ed2ef3c">
<components>
</components>
</bom>
What am I doing wrong here? Seems to me the output should not be an empty XML file?
I have a project with multiple packages on it. I would like to execute cyclonedx-bom on each package and append results to the root one but I am unable to do so.
steps to reproduce:
cd /tmp
git clone https://github.com/lerna/lerna
cd lerna
npm install
cyclonedx-bom
cat bom.xml | wc -l
> 37
cd utils/log-packed/
npm install
cyclonedx-bom -a /tmp/lerna/bom.xml
cat /tmp/lerna/bom.xml |wc -l
> 37
cat /tmp/lerna/utils/log-packed/bom.xml | wc -l
> 873
After running the plugin in the root directory I have a bom of 37 lines (empty because the root package.json does not contain any dependencies); after running cyclonedx-bom on another package (which has a few dependencies) I get a bom with 873 lines, but setting -a to the root bom did nothing, still 37 lines.
Can anyone give me a hint how to make it work?
Hi Team,
I'm working on an end-to-end declarative pipeline involving DC and DT, so I need inputs from the community: after the DC report (xml) is generated, how do I convert it to a CycloneDX BOM, or directly upload dependency-check-report.xml to DT?
I have started using CycloneDX for our node.js (angular) project and our .Net Core 3.1 Rest API. It works great however we never see a Dependency graph (" nodes") in our generated BOM reports. What do I need to get this information added to the BOM file?
We are using this library in auditjs
to generate an SBOM to send to Nexus IQ Server.
We've run into an issue with a few libraries where the license is presented as something that isn't in your current list.
An example is:
https://github.com/substack/node-optimist/blob/master/package.json#L35
That license is declared as MIT/X11
when in reality it should either be MIT X
(not in your list) or X11
When the sbom is created, a license section with a Name is created, just no ID, and this fails validation in Nexus IQ Server.
I'm curious if we should add these kinda odd license types to your list, or if a PR of some sort where if it can't find an ID it adds something that indicates the license is Non-Conforming
or something akin?
Thanks!
npm v5.4.2
node v8.6.0
cyclonedx-bom v0.2.4
Having an issue on my build server where a bom.xml file is generated, but is missing most/all of the dependencies specified in the package.json file:
<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
<components>
<component type="library">
<name>MyApp</name>
<version>1.0.0</version>
<description>
<![CDATA[Customer Facing Reporting Tool]]>
</description>
<licenses>
<license>
<name>UNLICENSED</name>
</license>
</licenses>
<purl>pkg:npm/[email protected]</purl>
<modified>false</modified>
</component>
</components>
</bom>
However, looking at the package.json file, I can clearly see many dependencies specified:
{
"name": "MyApp",
"version": "1.0.0",
"description": "Customer Facing Reporting Tool",
"author": "My Company",
"license": "UNLICENSED",
"repository": "http://somedomain/tfs/DefaultCollection/SMG.Global/",
"private": true,
"config": {
"environment": "local"
},
...
"dependencies": {
"angular": "1.5.9",
"angular-animate": "1.5.9",
"angular-aria": "1.5.9",
"angular-drag-and-drop-lists": "^2.1.0",
"angular-local-storage": "^0.6.0",
"angular-material": "1.1.4",
"angular-messages": "1.5.3",
"angular-resource": "1.4.8",
"angular-route": "1.3.15",
"angular-template-cache": "^1.2.0",
"angular-touch": "1.5.9",
"angular-translate-loader-pluggable": "^1.3.1",
"angular-ui-router": "0.2.15",
"file-saver": "^1.3.3",
"gulp-string-replace": "^1.1.1",
"lodash.assign": "^4.2.0",
"tinymce": "^4.8.1",
"xlsx": "0.10.3"
},
"devDependencies": {
"babel-core": "6.24.1",
"babel-preset-es2015": "^6.14.0",
"chromedriver": "2.29.0",
"commander": "1.1.0",
"del": "^3.0.0",
"envar": "2.0.0",
"eslint": "^3.19.0",
"eslint-config-angular": "^0.5.0",
"eslint-plugin-angular": "^1.3.1",
"gulp": "^3.9.1",
"gulp-angular-filesort": "^1.1.1",
"gulp-angular-templatecache": "1.9.1",
"gulp-babel": "^6.1.2",
"gulp-clean-css": "^2.0.12",
"gulp-cli": "^1.4.0",
...
}
}
The odd thing here is that on my development machine (npm v5.4.2, node v8.9.3, cyclonedx-bom v0.2.4) I get the full listing of dependencies....
Is this a node version issue? Can I somehow get some verbose/debug logging to find out what's up?
Thanks!
Drew
@cyclonedx/[email protected]
npm v5.4.2
node v8.9.3
Running this command:
cyclonedx-bom -o . <path>
Seeing this error:
let purlName = pkg.name.replace("@", "%40"); // Encode 'scoped' npm packages in purl
^
TypeError: Cannot read property 'replace' of undefined
at addComponent (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:46:29)
at listComponents (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:35:5)
at readInstalled (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:159:15)
at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:142:5
at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:263:14
at asyncMap (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\slide\lib\async-map.js:27:18)
at next (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:234:5)
at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:179:7
at LOOP (fs.js:1745:14)
at _combinedTickCallback (internal/process/next_tick.js:131:7)
The fix in 1.1.2 that merges using DOM creates an extra tag, making only the JS dependencies get parsed by dtrack, not the Java ones.
Here is a short example file merging with an existing cyclonedx-maven 1.6.0 bom file.
Bugsnag is from cyclonedx-node and FasterXML from cyclonedx-maven 1.6.0.
The dg: elements are dropped as noted in previous fix, but notice the extra components element in the middle of the two components, and also the two elements.
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:8aa6025b-9439-42c8-b93f-8835b71d7214" version="1">
<components>
<component type="library" bom-ref="pkg:npm/bugsnag/%40bugsnag%[email protected]">
<group>bugsnag</group>
<name>js</name>
<version>6.5.0</version>
<description>
<![CDATA[Universal Javascript error reporting. Automatically detect JavaScript errors in the browser and Node.js, with plugins for React, Vue, Angular, Express, Restify and Koa.]]>
</description>
<licenses>
<license>
<id>MIT</id>
<text content-type="text/txt">
<![CDATA[Copyright (c) Bugsnag, https://www.bugsnag.com/
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software
is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
]]>
</text>
</license>
</licenses>
<purl>pkg:npm/bugsnag/%40bugsnag%[email protected]</purl>
<externalReferences>
<reference type="website">
<url>https://www.bugsnag.com/</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/bugsnag/bugsnag-js/issues</url>
</reference>
<reference type="vcs">
<url>git+ssh://[email protected]/bugsnag/bugsnag-js.git</url>
</reference>
</externalReferences>
</component>
<components>
<component bom-ref="pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar" type="library">
<publisher>FasterXML</publisher>
<group>com.fasterxml.jackson.core</group>
<name>jackson-core</name>
<version>2.10.2</version>
<description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>
<scope>required</scope>
<hashes>
<hash alg="MD5">5514a46e38331f8c8262ea63bf36483e</hash>
<hash alg="SHA-1">73d4322a6bda684f676a2b5fe918361c4e5c7cca</hash>
<hash alg="SHA-256">4c41f22a48f6ebb28752baeb6d25bf09ba4ff0ad8bfb82650dde448928b9da4f</hash>
<hash alg="SHA-384">4c7522e20c2a13aead0522d5529dd3b549584fd06e11fe06f1d61925699b632974a85be017bdfec8246151ff3b8c1c60</hash>
<hash alg="SHA-512">5055943790cea2c3abbacbe91e63634e6d2e977cd59b08ce102c0ee7d859995eb5d150d530da3848235b2b1b751a8df55cff2c33d43da695659248187ddf1bff</hash>
</hashes>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<purl>pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar</purl>
<externalReferences>
<reference type="vcs">
<url>http://github.com/FasterXML/jackson-core</url>
</reference>
<reference type="website">
<url>http://fasterxml.com/</url>
</reference>
<reference type="distribution">
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/FasterXML/${project.artifactId}/issues</url>
</reference>
</externalReferences>
</component>
</components>
</components>
</bom>
We have a .net and npm project. When first analyzing the .net application with dotnet-cyclonedx a bom.xml is generated. If I want to use -a to combine the results from cyclonedx-bom and the dotnet-cyclonedx, it seems it removes every other .net package found from the combined list.
In the combined output I see all the npm packages, and only half of the package reported by dotnet.
What I notice: dotnet reports for instance packages A B C D E F G H
then in the combined output I see A C E G
Or am I doing something wrong here?
npm 6.4.1
node v10.15.3
@cyclonedx/bom 1.0.2
The generated XML output differs depending on whether you generate it on Windows or on Linux. On Linux you actually get fewer components with license texts: the license text of a component is missing if its license file has only a lowercase file name.
E.g. on Linux:
We use a mono repo with yarn workspaces. I've tried running cyclonedx-bom at the repo root and in individual projects, but it doesn't detect any packages.
Cli Error:
There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing npm install prior to CycloneDX may solve the issue.
Testing with a single project repository works as expected.
Is this supported?
I have created two projects (first_project and second_project). I was trying to append the JSON output from first_project to the current JSON output of second_project using the following command: cyclonedx-bom -o ../second_bom.json -a ~/first_project/first_bom.json
When I open the second_bom.json output file I can only see components for second_project.
Expected to see components for first_project appended to the second_bom.json file.
Hello,
I tried to generate a BOM file but it raises an error :
cyclonedx-bom -o bom.xml
/usr/local/lib/node_modules/@cyclonedx/bom/bin/cyclonedx-bom:10
let arguments = process.argv.slice(2);
^
SyntaxError: Identifier 'arguments' has already been declared
at Object.exports.runInThisContext (vm.js:76:16)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.runMain (module.js:604:10)
at run (bootstrap_node.js:394:7)
at startup (bootstrap_node.js:149:9)
at bootstrap_node.js:509:3
I have observed some differences in the output (bom.xml) of cyclonedx-bom compared to the output of cdxgen.
In some projects cyclonedx-bom reports fewer dependencies than cdxgen, and on rare occurrences 2 or 3 more (but those are mostly the project itself).
For example, I have a project in which cyclonedx-bom only detects 5 dependencies, when cdxgen reports 63 dependencies.
Do you have a clue on what is going on?
When generating a bom with this repo I have found that the component, externalReferences, reference type of vcs will produce an invalid url which will start with "git+" as shown below
<externalReferences>
<reference type="website">
<url>https://material-ui.com/</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/mui-org/material-ui/issues</url>
</reference>
<reference type="vcs">
<url>git+https://github.com/mui-org/material-ui.git</url>
</reference>
</externalReferences>
When trying to reenter a bom generated with the incorrect url, the vcs reference type will drop. In my case the vcs is similar enough to the other two references that this is no impact.
Using CycloneDX Node.js module 2.0.2 with node version 14.4.0
Version: 2.0.1
Node Version: 10.20.1
OS: macOS Mojave 10.14.6
When running cyclonedx-bom and specifying a custom output location, if the location specified doesn't exist, the bom file won't be created but the process will exit successfully with no indication of failure
Given that this library aims to support Node 8.x and onward, it'd probably make the most sense to return a non-zero exit code and provide some kind of error message in this case (since native support for auto-creation of subdirectories on fs.writeFile doesn't seem to exist until 10.12.0 and this seems to be the culprit: https://github.com/CycloneDX/cyclonedx-node-module/blob/master/bin/cyclonedx-bom#L82)
Now that the CLI tool is available to convert between different schema versions deprecation is planned for multiple schema version support.
Running command:
npx @cyclonedx/[email protected] -o bom.xml
Bom is generated perfectly.
Running command:
npx @cyclonedx/bom -o bom.xml
OR npx @cyclonedx/bom -o super-bom.xml -a composer-bom.xml
Bom is NOT generated.
Error:
\AppData\Roaming\npm-cache_npx\5908\node_modules@cyclonedx\bom\node_modules\packageurl-js\src\package-url.js:28
throw new Error('Invalid purl: "' + key + '" is a required field.');
Error: Invalid purl: "name" is a required field.
Nothing in release notes about updating commands for generation of bom files.
Recently, the -o and --output flags seem to have no effect. It always outputs to bom.xml now
Hello guys
while I'm trying to execute cyclonedx-bom, I'm always getting this
"There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing npm install
prior to CycloneDX may solve the issue."
This is the screenshot.. as you can see after executing npm install, I have the node_modules created, but the cycloneDx doesn't really recognize it.
Can you help me with that please?
Thanks a lot
Vince
Changed outline of the pipeline as described above
command :
cyclonedx-bom -o D:\Builds\GenericAgent1_work\246\s/FrontEnd/bom.xml
throw "Unsupported component type. Supported types are " + Component.supportedComponentTypes().toString();
This is now breaking all of our ci/cd pipelines
The option to include dev dependencies is not correctly passed to the read-installed package. Because of this, --include-dev does nothing.
This line should be changed:
cyclonedx-node-module/bin/cyclonedx-bom
Line 61 in 5bf10df
readInstalledOptions.dev = options.includeDev;
Official support of Node.js 8 ended last year. I'm proposing to drop support for it.
@stevespringett any concerns from you? It will mean another major version bump.
Is there a way to create the bom.xml with only the "dependencies", excluding the "devDependencies" ?
I'm sending this bom.xml to Dependency Track, and I don't want to register dev dependencies like protractor test lib's or angular-devkit.
Integrating your excellent tool into a security orchestrator I'm building at the moment, and noticed your Apache 2.0 license doesn't look complete; it needs the year/person populated:
Copyright {yyyy} {name of copyright owner}
https://github.com/CycloneDX/cyclonedx-node-module/blob/master/LICENSE
also it might be easier to embed the short form linked version of the license, i find it makes it easier as you can see where to edit it at the top rather at the bottom of a long license ! :)
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
http://www.apache.org/licenses/LICENSE-2.0#apply
ta
Anthony
Hash support needs serious improvement. It appears that hashes are taken from the package itself rather than calculated. If the package didn't have a hash, it doesn't show up in the resulting bom. In addition, if a component's package does have a hash, it's rare that it will contain more than one (sha1 or sha-512, but not both, for example).
Need to investigate the ability to generate all supported hashes for packages and ensure that unmodified packages have the same hash value as stated in the package manifest. If a hash is generated that doesn't match what's in the package, then flip the modified
element to true.
In NPM 7 (used in node engine v14+), there is a new package-lock.json structure (lockfile version 2). This structure removes all module integrity information from the module-specific package.json files and moves it into the top-level package-lock.json. It appears that this tool only looks in the old location and does not consider the integrity that may be in the package-lock.json. Because of this, the cyclonedx-node-module tool does not find any hashes for node modules in apps that use node-engine v14+. Ideally, I would still expect hashes to be located for these apps.
I mentioned this issue in #25, but I think this issue can be resolved by expanding the files that are looked at in HashList.js to include the lockfile.
I just tried out @cyclonedx/[email protected] and noticed that I couldn't install a new dependency after I upgraded this module. npm install failed with code EISGIT.
Run the following in an empty directory.
npm init -y && npm install --save @cyclonedx/bom && npm install
The reason the .git directory was included in the package was README.sample in node_modules/@cyclonedx/bom/.git/hooks. That file should be ignored when publishing the package to NPM. A similar thing happened recently with [email protected].
If this happens to you, you can remove the directory causing EISGIT: rm -rf node_modules/@cyclonedx/bom/.git