UNPKG

@cyclonedx/cdxgen

Version:

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

github.com/cyclonedx/cdxgen

CycloneDX/cdxgen

67 lines (65 loc) 1.84 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
import { Buffer } from "node:buffer"; import { spawnSync } from "node:child_process"; import fs from "node:fs"; import { MAX_BUFFER, getAllFiles, getTmpDir, isWin } from "../helpers/utils.js"; export function getBomWithOras(image) { let result = spawnSync( "oras", [ "discover", "--format", "json", "--artifact-type", "sbom/cyclonedx", image, ], { encoding: "utf-8", shell: isWin, maxBuffer: MAX_BUFFER, }, ); if (result.status !== 0 || result.error) { console.log( "Install oras by following the instructions at: https://oras.land/docs/installation", ); if (result.stderr) { console.log(result.stderr); } return undefined; } if (result.stdout) { const out = Buffer.from(result.stdout).toString(); try { const manifestObj = JSON.parse(out); if ( manifestObj?.manifests?.length && Array.isArray(manifestObj.manifests) && manifestObj.manifests[0]?.reference ) { const imageRef = manifestObj.manifests[0].reference; const tmpDir = getTmpDir(); result = spawnSync("oras", ["pull", imageRef, "-o", tmpDir], { encoding: "utf-8", shell: isWin, maxBuffer: MAX_BUFFER, }); if (result.status !== 0 || result.error) { console.log( `Unable to pull the SBOM attachment for ${imageRef} with oras!`, ); return undefined; } const bomFiles = getAllFiles(tmpDir, "**/*.{bom,cdx}.json"); if (bomFiles.length) { return JSON.parse(fs.readFileSync(bomFiles.pop(), "utf8")); } } else { console.log(`${image} does not contain any SBOM attachment!`); } } catch (e) { console.log(e); } } return undefined; }