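import { readFileSync } from "node:fs";
import { getNpmMetadata, shouldFetchPackageMetadata } from "./utils.js";

/**
 * Return `value` if it is already an array, otherwise a fresh empty array.
 *
 * Used to normalise the `properties` lists found in a caxa manifest so that
 * a missing, null or otherwise malformed list never breaks the `push` below.
 *
 * @param {unknown} value - candidate properties list from the manifest
 * @returns {Array} an array that is safe to push into
 */
function ensureArray(value) {
  return Array.isArray(value) ? value : [];
}

/**
 * Parse a caxa build manifest and turn it into CycloneDX-style metadata.
 *
 * Every component listed in the manifest is marked `scope: "required"`, the
 * parent component (when present) and any `pkg:generic/node@` component get
 * an `internal:is_executable` property, and each component receives an
 * `evidence.identity` entry pointing back at the manifest. When
 * `shouldFetchPackageMetadata()` is true the component list is enriched via
 * `getNpmMetadata` before being returned.
 *
 * @param {string} mfile - path to the caxa manifest (JSON) to read
 * @returns {Promise<object>} the parsed manifest with the additions above,
 *   or `{}` when the file cannot be read, is not valid JSON, or has no
 *   `components` array
 */
export async function parseCaxaMetadata(mfile) {
  let mdata;
  try {
    mdata = JSON.parse(readFileSync(mfile, "utf8"));
  } catch (_e) {
    // Unreadable or malformed manifest: callers expect an empty result, not a throw.
    return {};
  }
  // A manifest whose `components` is missing or not a list cannot be iterated;
  // treat it the same as an empty manifest instead of throwing on `for...of`.
  if (!Array.isArray(mdata?.components)) {
    return {};
  }

  const { parentComponent } = mdata;
  if (parentComponent) {
    parentComponent.properties = ensureArray(parentComponent.properties);
    parentComponent.properties.push({
      name: "internal:is_executable",
      value: "true",
    });
  }

  // Only a parent with a usable name can back a binary-analysis evidence entry;
  // the original code dereferenced `parentComponent.name` unconditionally and
  // threw when the manifest had no parent component.
  const parentName =
    typeof parentComponent?.name === "string" ? parentComponent.name : undefined;

  for (const comp of mdata.components) {
    // Skip entries that are not objects (null, strings, numbers): nothing can be
    // attached to them and assigning properties would throw in strict mode.
    if (comp === null || typeof comp !== "object") {
      continue;
    }
    comp.scope = "required";
    comp.properties = ensureArray(comp.properties);
    // Guard the purl check: a component without a string purl should not abort
    // the whole parse.
    if (typeof comp.purl === "string" && comp.purl.startsWith("pkg:generic/node@")) {
      comp.properties.push({
        name: "internal:is_executable",
        value: "true",
      });
    }

    const methods = [];
    if (parentName !== undefined) {
      methods.push({
        technique: "binary-analysis",
        confidence: 1,
        value: parentName,
      });
    }
    methods.push({
      technique: "manifest-analysis",
      confidence: 1,
      value: mfile,
    });
    // NOTE(review): identity confidence is fixed at 1 for every component,
    // i.e. the manifest is treated as fully authoritative — confirm that is
    // intended when the manifest comes from an untrusted build.
    comp.evidence = {
      identity: {
        field: "purl",
        confidence: 1,
        methods,
      },
    };
  }

  if (shouldFetchPackageMetadata()) {
    mdata.components = await getNpmMetadata(mdata.components);
  }
  return mdata;
}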