UNPKG

@cyclonedx/cdxgen

Version:

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

github.com/cdxgen/cdxgen

cdxgen/cdxgen

111 lines (99 loc) 3.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/usr/bin/env node import fs from "node:fs"; import process from "node:process"; import yargs from "yargs"; import { hideBin } from "yargs/helpers"; import { signBom } from "../lib/helpers/bomSigner.js"; import { getNonCycloneDxErrorMessage, isCycloneDxBom, } from "../lib/helpers/bomUtils.js"; import { retrieveCdxgenVersion, safeExistsSync } from "../lib/helpers/utils.js"; const _yargs = yargs(hideBin(process.argv)); const args = _yargs .option("input", { alias: "i", default: "bom.json", description: "Input SBOM json to sign.", }) .option("output", { alias: "o", description: "Output signed SBOM json. Defaults to overwriting input.", }) .option("private-key", { alias: "k", demandOption: true, description: "Private key in PEM format.", }) .option("algorithm", { alias: "a", default: "RS512", description: "JSF Signature Algorithm (e.g., RS512, ES256, Ed25519).", }) .option("mode", { alias: "m", default: "replace", choices: ["replace", "signers", "chain"], description: "Signature mode. Use 'signers' for multi-signing, 'chain' for sequential chaining.", }) .option("key-id", { description: "Optional identifier for the key (keyId) to embed in the signature block.", }) .option("sign-components", { type: "boolean", default: true, description: "Sign granular components. Disable (--no-sign-components) when appending multi-signatures.", }) .option("sign-services", { type: "boolean", default: true, description: "Sign granular services. Disable (--no-sign-services) when appending multi-signatures.", }) .option("sign-annotations", { type: "boolean", default: true, description: "Sign granular annotations. Disable (--no-sign-annotations) when appending multi-signatures.", }) .scriptName("cdx-sign") .version(retrieveCdxgenVersion()) .help() .wrap(Math.min(120, yargs().terminalWidth())).argv; if (!safeExistsSync(args.input)) { console.error(`Input file '${args.input}' not found.`); process.exit(1); } if (!safeExistsSync(args.privateKey)) { console.error(`Private key file '${args.privateKey}' not found.`); process.exit(1); } try { const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8")); const privateKey = fs.readFileSync(args.privateKey, "utf8"); if (!isCycloneDxBom(bomJson)) { console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-sign")); process.exit(1); } const signedBom = signBom(bomJson, { privateKey, algorithm: args.algorithm, keyId: args.keyId, mode: args.mode, signComponents: args.signComponents, signServices: args.signServices, signAnnotations: args.signAnnotations, }); const outputPath = args.output || args.input; fs.writeFileSync(outputPath, JSON.stringify(signedBom, null, null)); console.log(`Successfully signed BOM and saved to '${outputPath}'`); console.log( `Mode: ${args.mode} | Algorithm: ${args.algorithm}${args.keyId ? ` | KeyId: ${args.keyId}` : ""}`, ); } catch (error) { console.error("SBOM signing failed:", error.message); process.exit(1); }