UNPKG

@cyclonedx/cyclonedx-esbuild

Version:

Creates CycloneDX Software Bill of Materials (SBoM) from esbuild projects

github.com/CycloneDX/cyclonedx-esbuild

CycloneDX/cyclonedx-esbuild

155 lines (150 loc) 8.12 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
"use strict"; /*! This file is part of CycloneDX generator for esbuild. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. SPDX-License-Identifier: Apache-2.0 Copyright (c) OWASP Foundation. All Rights Reserved. */ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); Object.defineProperty(exports, "__esModule", { value: true }); exports.cyclonedxEsbuildPlugin = exports.PLUGIN_NAME = void 0; const node_fs_1 = require("node:fs"); const node_path_1 = require("node:path"); const CDX = __importStar(require("@cyclonedx/cyclonedx-library")); const _helpers_1 = require("./_helpers"); const builders_1 = require("./builders"); const logger_1 = require("./logger"); exports.PLUGIN_NAME = 'cyclonedx-esbuild'; const cyclonedxEsbuildPlugin = (opts = {}) => ({ name: exports.PLUGIN_NAME, setup(build) { build.initialOptions.metafile = true; const logger = (0, logger_1.makeConsoleLogger)(process.stdout, process.stderr, LogLevelMap[build.initialOptions.logLevel ?? 'warning']); logger.debug(`${logger_1.LogPrefixes.DEBUG} setup => opt: %j`, opts); const options = { gatherLicenseTexts: opts.gatherLicenseTexts ?? false, outputReproducible: opts.outputReproducible ?? false, specVersion: opts.specVersion ?? CDX.Spec.Version.v1dot6, outputFile: opts.outputFile || 'bom.json', validate: opts.validate, mcType: opts.mcType ?? CDX.Enums.ComponentType.Application }; logger.debug(`${logger_1.LogPrefixes.DEBUG} setup => options: %j`, options); const serializeSpec = CDX.Spec.SpecVersionDict[options.specVersion]; if (serializeSpec === undefined) { throw new Error(`Unknown specVersion: ${options.specVersion}`); } const esbuildWorkingDir = build.initialOptions.absWorkingDir || process.cwd(); build.onEnd(async (result) => { if (result.metafile === undefined) { throw new Error('missing result.metafile'); } logger.info(logger_1.LogPrefixes.INFO, 'start build BOM ...'); const cdxExternalReferenceFactory = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory(); const cdxLicenseFactory = new CDX.Factories.LicenseFactory(); const cdxComponentBuilder = new CDX.Builders.FromNodePackageJson.ComponentBuilder(cdxExternalReferenceFactory, cdxLicenseFactory); const bomBuilder = new builders_1.BomBuilder(cdxComponentBuilder, new CDX.Factories.FromNodePackageJson.PackageUrlFactory('npm'), new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer()); const bom = bomBuilder.fromMetafile(result.metafile, esbuildWorkingDir, options.gatherLicenseTexts, logger); bom.metadata.lifecycles.add(CDX.Enums.LifecyclePhase.Build); bom.metadata.tools.components.add(new CDX.Models.Component(CDX.Enums.ComponentType.Application, 'esbuild', { version: build.esbuild.version })); for (const toolC of (0, _helpers_1.makeToolCs)(CDX.Enums.ComponentType.Library, cdxComponentBuilder, logger)) { bom.metadata.tools.components.add(toolC); } bom.serialNumber = options.outputReproducible ? undefined : CDX.Utils.BomUtility.randomSerialNumber(); bom.metadata.timestamp = options.outputReproducible ? undefined : new Date(); if (bom.metadata.component !== undefined) { bom.metadata.component.type = options.mcType; } const serializer = new CDX.Serialize.JsonSerializer(new CDX.Serialize.JSON.Normalize.Factory(serializeSpec)); const serializeOptions = { sortLists: options.outputReproducible, space: 2 }; const serialized = serializer.serialize(bom, serializeOptions); if (options.validate !== false) { const validator = new CDX.Validation.JsonStrictValidator(serializeSpec.version); try { const validationErrors = await validator.validate(serialized); if (validationErrors !== null) { logger.debug(logger_1.LogPrefixes.DEBUG, 'BOM result invalid. details:', validationErrors); throw new _helpers_1.ValidationError(`Failed to generate valid BOM "${options.outputFile}"\n` + 'Please report the issue and provide the npm lock file of the current project to:\n' + 'https://github.com/CycloneDX/cyclonedx-esbuild/issues/new?template=ValidationError-report.md&labels=ValidationError&title=%5BValidationError%5D', validationErrors); } } catch (err) { if (err instanceof CDX.Validation.MissingOptionalDependencyError && !options.validate) { logger.info(logger_1.LogPrefixes.INFO, 'skipped validate BOM:', err.message); } else { logger.error(logger_1.LogPrefixes.ERROR, 'unexpected error'); throw err; } } } const outputFPn = (0, node_path_1.resolve)(esbuildWorkingDir, build.initialOptions.outdir || (0, node_path_1.dirname)(build.initialOptions.outfile ?? ''), options.outputFile); logger.debug(logger_1.LogPrefixes.DEBUG, 'outputFPn:', outputFPn); const outputFDir = (0, node_path_1.dirname)(outputFPn); if (!(0, node_fs_1.existsSync)(outputFDir)) { logger.info(logger_1.LogPrefixes.INFO, 'creating directory', outputFDir); (0, node_fs_1.mkdirSync)(outputFDir, { recursive: true }); } logger.log(logger_1.LogPrefixes.LOG, 'writing BOM to', options.outputFile); const written = await (0, _helpers_1.writeAllSync)((0, node_fs_1.openSync)(outputFPn, 'w'), serialized); logger.info(logger_1.LogPrefixes.INFO, 'wrote %d bytes to %s', written, options.outputFile); }); } }); exports.cyclonedxEsbuildPlugin = cyclonedxEsbuildPlugin; const LogLevelMap = { 'silent': 0, 'error': 1, 'warning': 1, 'info': 2, 'debug': 3, 'verbose': 4, };