UNPKG

@cyclonedx/cdxgen

Version:

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

github.com/cdxgen/cdxgen

cdxgen/cdxgen

213 lines (205 loc) 6.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
#!/usr/bin/env node import { writeFileSync } from "node:fs"; import { dirname } from "node:path"; import process from "node:process"; import yargs from "yargs"; import { hideBin } from "yargs/helpers"; import { finalizeAuditReport, runAudit } from "../lib/audit/index.js"; import { createProgressTracker } from "../lib/audit/progress.js"; import { retrieveCdxgenVersion, safeExistsSync, safeMkdirSync, } from "../lib/helpers/utils.js"; const args = yargs(hideBin(process.argv)) .option("bom", { description: "Path to a CycloneDX JSON BOM file.", type: "string", }) .option("bom-dir", { description: "Directory containing one or more CycloneDX JSON BOM files.", type: "string", }) .option("workspace-dir", { description: "Optional directory to reuse git clones for purl-to-source enrichment.", type: "string", }) .option("reports-dir", { description: "Optional directory to store generated per-purl SBOMs and findings.", type: "string", }) .option("direct-bom-audit", { default: false, description: "Evaluate audit rules directly against the supplied BOM(s) instead of running only the predictive dependency audit.", type: "boolean", }) .option("rules-dir", { description: "Directory containing additional YAML audit rules (merged with built-in). Applies to direct BOM audit and predictive child-SBOM rule evaluation.", type: "string", }) .option("report", { choices: ["console", "json", "sarif"], default: "console", description: "Output format.", }) .option("report-file", { alias: "o", description: "Write the report to this file. Defaults to stdout.", type: "string", }) .option("categories", { description: "Comma-separated rule categories. In predictive mode this applies to generated child SBOMs (default: ai-agent, ci-permission, dependency-source, package-integrity). In direct BOM audit mode it applies to the supplied BOM(s) themselves (default: obom-runtime for OBOMs, all categories otherwise).", type: "string", }) .option("min-severity", { choices: ["low", "medium", "high", "critical"], default: "low", description: "Minimum final target severity to include in console or SARIF output.", type: "string", }) .option("fail-severity", { choices: ["low", "medium", "high", "critical"], default: "high", description: "Exit with code 3 when any target reaches this final severity or above.", type: "string", }) .option("max-targets", { description: "Optional safety limit for the number of unique npm/PyPI purls to analyze.", type: "number", }) .option("scope", { choices: ["all", "required"], default: "all", description: "Target selection scope. Use 'required' to scan only components with CycloneDX scope=required (missing scope is treated as required).", type: "string", }) .option("include-trusted", { default: false, description: "Include packages already marked with trusted publishing metadata in predictive audit target selection.", type: "boolean", }) .option("only-trusted", { default: false, description: "Restrict predictive audit target selection to packages marked with trusted publishing metadata.", type: "boolean", }) .option("prioritize-direct-runtime", { default: true, description: "Prioritize direct runtime dependencies ahead of optional, development-only, or platform-specific transitive packages during target selection.", type: "boolean", }) .option("allowlist-file", { description: "Optional JSON array or newline-delimited file of purl prefixes to exclude from predictive audit target selection in addition to the built-in well-known allowlist.", type: "string", }) .check((argv) => { if (!argv.bom && !argv.bomDir) { throw new Error("Specify --bom or --bom-dir."); } if (argv.bom && argv.bomDir) { throw new Error("Use either --bom or --bom-dir, not both."); } if (argv.output && argv.reportFile) { throw new Error("Use either --report-file or --output, not both."); } if (argv.includeTrusted && argv.onlyTrusted) { throw new Error( "Use either --include-trusted or --only-trusted, not both.", ); } return true; }) .completion("completion", "Generate bash/zsh completion") .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen") .scriptName("cdx-audit") .version(retrieveCdxgenVersion()) .help() .wrap(Math.min(120, yargs().terminalWidth())).argv; /** * Split a CSV option into a normalized string array. * * @param {string | undefined} value CSV string * @returns {string[] | undefined} parsed values */ function splitCsv(value) { if (!value) { return undefined; } return value .split(",") .map((entry) => entry.trim()) .filter(Boolean); } /** * Print or write rendered report output. * * @param {string} output rendered output * @param {string | undefined} outputPath optional file path * @returns {void} */ function writeOrPrint(output, outputPath) { if (!outputPath) { process.stdout.write(output); return; } const parentDir = dirname(outputPath); if (!safeExistsSync(parentDir)) { safeMkdirSync(parentDir, { recursive: true }); } writeFileSync(outputPath, output); } (async () => { const progressTracker = createProgressTracker(); try { const reportFile = args.reportFile || args.output; const report = await runAudit({ allowlistFile: args.allowlistFile, bom: args.bom, bomDir: args.bomDir, categories: splitCsv(args.categories), directBomAudit: args.directBomAudit, failSeverity: args.failSeverity, maxTargets: args.maxTargets, minSeverity: args.minSeverity, onProgress: progressTracker.onProgress, prioritizeDirectRuntime: args.prioritizeDirectRuntime, report: args.report, reportsDir: args.reportsDir, rulesDir: args.rulesDir, scope: args.scope === "required" ? "required" : undefined, trusted: args.onlyTrusted ? "only" : args.includeTrusted ? "include" : undefined, trustedSelectionHelp: "Use --include-trusted to include them or --only-trusted to audit just those packages.", workspaceDir: args.workspaceDir, }); const finalized = finalizeAuditReport(report, { failSeverity: args.failSeverity, minSeverity: args.minSeverity, report: args.report, }); writeOrPrint(finalized.output, reportFile); process.exit(finalized.exitCode); } catch (error) { console.error(error.message); process.exit(1); } finally { progressTracker.stop(); } })();