UNPKG

@cyclonedx/yarn-plugin-cyclonedx

Version:

Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.

github.com/CycloneDX/cyclonedx-node-yarn

CycloneDX/cyclonedx-node-yarn

154 lines (119 loc) 7.62 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# CycloneDX SBOM for yarn [![shield_yarnpkg-version]][link_yarnpkg] [![shield_npm-version]][link_npm] [![shield_gh-workflow-test]][link_gh-workflow-test] [![shield_coverage]][link_codacy] [![shield_ossf-best-practices]][link_ossf-best-practices] [![shield_license]][license_file] [![shield_website]][link_website] [![shield_slack]][link_slack] [![shield_groups]][link_discussion] [![shield_twitter-follow]][link_twitter] ---- Create [CycloneDX] Software Bill of Materials (SBOM) from _[yarn]_ projects. This is probably the most accurate, complete SBOM generator for yarn-based projects. ## Requirements * `node >= 20.18.0` * `yarn >= 4.0.0` (berry) However, there are older version of this software which support * Node v18 and later * Yarn v3 and later ## Installation Install the plugin into your yarn project via one of the following methods: * **zero-install**: No install needed, just call on demand via dlx-wrapper as described in section "usage". * **cli-wrapper**: As a development dependency of the current project: ```shell yarn add --dev @cyclonedx/yarn-plugin-cyclonedx ``` * **plugin**: Install the [latest version from GitHub release](https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest) asset as a plugin for the current project: ```shell yarn plugin import https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest/download/yarn-plugin-cyclonedx.cjs ``` ## Usage Usage depends on the installation method: * With **zero-install** via dlx-wrapper: ```shell yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --help ``` * After **cli-wrapper** installation: ```shell yarn exec cyclonedx-yarn --help ``` * After **plugin** installation: ```shell yarn cyclonedx --help ``` The help page: ```text Generates CycloneDX SBOM for current workspace. ━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ $ yarn cyclonedx ━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ --production,--prod Exclude development dependencies. (default: true if the NODE_ENV environment variable is set to "production", otherwise false) --gather-license-texts Search for license files in components and include them as license evidence. This feature is experimental. --short-PURLs Omit all qualifiers from PackageURLs. This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings. --sv,--spec-version #0 Which version of CycloneDX to use. (choices: 1.2, 1.3, 1.4, 1.5, 1.6, default: 1.6) --output-reproducible Whether to go the extra mile and make the output reproducible. This might result in loss of time- and random-based values. --of,--output-format #0 Which output format to use. (choices: JSON, XML, default: JSON) -o,--output-file #0 Path to the output file. Set to "-" to write to STDOUT. (default: write to STDOUT) --mc-type #0 Type of the main component. (choices: application, library, firmware, default: application) -v,--verbose Increase the verbosity of messages. Use multiple times to increase the verbosity even more. ━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Recursively scan workspace dependencies and emits them as Software-Bill-of-Materials(SBOM) in CycloneDX format. ``` ## Internals This _yarn_ plugin utilizes the [CycloneDX library][CycloneDX-library] to generate the actual data structures. This tool does **not** expose any additional _public_ API or classes - all code is intended to be internal and might change without any notice during version upgrades. However, the CLI is stable - you may call it programmatically like: ```javascript const { execFileSync } = require('node:child_process') const { constants: { MAX_LENGTH: BUFFER_MAX_LENGTH } } = require('node:buffer') const sbom = JSON.parse(execFileSync(process.execPath, [ '.../path/to/this/package/bin/cyclonedx-yarn-cli.js', '--output-format', 'JSON', '--output-file', '-' // additional CLI args ], {stdio: ['ignore', 'pipe', 'ignore'], encoding: 'buffer', maxBuffer: BUFFER_MAX_LENGTH })) ``` ## Development & Contributing Feel free to open issues, bugreports or pull requests. See the [`CONTRIBUTING`][contributing_file] file for details. ## License Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [`LICENSE`][license_file] file for the full license. For details and license posture of the assembly, see the `LICENSE` file in the respective release assets. [license_file]: https://github.com/CycloneDX/cyclonedx-node-yarn/blob/main/LICENSE [contributing_file]: https://github.com/CycloneDX/cyclonedx-node-yarn/blob/main/CONTRIBUTING.md [CycloneDX]: https://cyclonedx.org/ [yarn]: https://yarnpkg.com/ [cyclonedx-library]: https://www.npmjs.com/package/@cyclonedx/cyclonedx-library [shield_gh-workflow-test]: https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-node-yarn/nodejs.yml?branch=main&logo=GitHub&logoColor=white "tests" [shield_coverage]: https://img.shields.io/codacy/coverage/b0af77db5c7b4ab7a36eab255c7f9ede?logo=Codacy&logoColor=white "test coverage" [shield_ossf-best-practices]: https://img.shields.io/cii/percentage/8960?label=OpenSSF%20best%20practices "OpenSSF best practices" [shield_yarnpkg-version]: https://img.shields.io/npm/v/%40cyclonedx%2Fyarn-plugin-cyclonedx/latest?registry_uri=https%3A%2F%2Fregistry.yarnpkg.com&logo=yarn&logoColor=white&label=yarnpkg "yarnpkg" [shield_npm-version]: https://img.shields.io/npm/v/%40cyclonedx%2Fyarn-plugin-cyclonedx/latest?logo=npm&logoColor=white&label=npm "npm" [shield_license]: https://img.shields.io/github/license/CycloneDX/cyclonedx-node-yarn?logo=open%20source%20initiative&logoColor=white "license" [shield_website]: https://img.shields.io/badge/https://-cyclonedx.org-blue.svg "homepage" [shield_slack]: https://img.shields.io/badge/slack-join-blue?logo=Slack&logoColor=white "slack join" [shield_groups]: https://img.shields.io/badge/discussion-groups.io-blue.svg "groups discussion" [shield_twitter-follow]: https://img.shields.io/badge/Twitter-follow-blue?logo=Twitter&logoColor=white "twitter follow" [link_website]: https://cyclonedx.org/ [link_gh-workflow-test]: https://github.com/CycloneDX/cyclonedx-node-yarn/actions/workflows/nodejs.yml?query=branch%3Amain [link_yarnpkg]: https://yarnpkg.com/package?name=%40cyclonedx%2Fyarn-plugin-cyclonedx [link_npm]: https://www.npmjs.com/package/@cyclonedx/yarn-plugin-cyclonedx [link_codacy]: https://app.codacy.com/gh/CycloneDX/cyclonedx-node-yarn/dashboard [link_ossf-best-practices]: https://www.bestpractices.dev/projects/8960 [link_slack]: https://cyclonedx.org/slack/invite [link_discussion]: https://groups.io/g/CycloneDX [link_twitter]: https://twitter.com/CycloneDX_Spec