From 4ac8c52ab5b898e9371de4f85705962bce55c285 Mon Sep 17 00:00:00 2001
From: MalickBurger
Date: Fri, 23 Aug 2024 12:51:43 +0100
Subject: [PATCH] feat: add support for targetting specific workspaces
Signed-off-by: MalickBurger
---
 CONTRIBUTING.md | 2 +-
 README.md | 73 +++++++++++++++++++++++++------------------------
 src/builders.ts | 7 +++++
 src/cli.ts | 10 ++++++-
 4 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 12bc288f7..970551b7d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -47,5 +47,5 @@ Please sign off your commits, to show that you agree to publish your changes und
 , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
 ```shell
-git commit --signed-off ...
+git commit --signoff ...
 ```
diff --git a/README.md b/README.md
index b92eeb5e7..a1a4fc9c8 100644
--- a/README.md
+++ b/README.md
@@ -74,44 +74,45 @@ Usage: cyclonedx-npm [options] [--] [] Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects. Arguments: - Path to project's manifest file. - (default: "package.json" file in current working directory) + Path to project's manifest file. + (default: "package.json" file in current working directory) Options: - --ignore-npm-errors Whether to ignore errors of NPM. - This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps". - (default: false) - --package-lock-only Whether to only use the lock file, ignoring "node_modules". - This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory. - (default: false) - --omit Dependency types to omit from the installation tree. - (can be set multiple times) - (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty) - --flatten-components Whether to flatten the components. - This means the actual nesting of node packages is not represented in the SBOM result. - (default: false) - --short-PURLs Omit all qualifiers from PackageURLs. - This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings. - (default: false) - --spec-version Which version of CycloneDX spec to use. - (choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4") - --output-reproducible Whether to go the extra mile and make the output reproducible. - This requires more resources, and might result in loss of time- and random-based-values. - (env: BOM_REPRODUCIBLE) - --output-format Which output format to use. - (choices: "JSON", "XML", default: "JSON") - --output-file Path to the output file. - Set to "-" to write to STDOUT. - (default: write to STDOUT) - --validate Validate resulting BOM before outputting. - Validation is skipped, if requirements not met. 
See the README. - --no-validate Disable validation of resulting BOM. - --mc-type Type of the main component. - (choices: "application", "firmware", "library", default: "application") - -v, --verbose Increase the verbosity of messages. - Use multiple times to increase the verbosity even more. - -V, --version output the version number - -h, --help display help for command + --ignore-npm-errors Whether to ignore errors of NPM. + This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps". + (default: false) + --package-lock-only Whether to only use the lock file, ignoring "node_modules". + This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory. + (default: false) + --omit Dependency types to omit from the installation tree. + (can be set multiple times) + (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty) + --flatten-components Whether to flatten the components. + This means the actual nesting of node packages is not represented in the SBOM result. + (default: false) + --short-PURLs Omit all qualifiers from PackageURLs. + This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings. + (default: false) + --spec-version Which version of CycloneDX spec to use. + (choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4") + --output-reproducible Whether to go the extra mile and make the output reproducible. + This requires more resources, and might result in loss of time- and random-based-values. + (env: BOM_REPRODUCIBLE) + --output-format Which output format to use. + (choices: "JSON", "XML", default: "JSON") + --output-file Path to the output file. + Set to "-" to write to STDOUT. + (default: write to STDOUT) + --validate Validate resulting BOM before outputting. 
+ Validation is skipped, if requirements not met. See the README.
+ --no-validate Disable validation of resulting BOM.
+ --mc-type Type of the main component.
+ (choices: "application", "firmware", "library", default: "application")
+ --workspaces Whether to only include dependencies for specific workspaces. (can be set multiple times) (default: empty)
+ -v, --verbose Increase the verbosity of messages.
+ Use multiple times to increase the verbosity even more.
+ -V, --version output the version number
+ -h, --help display help for command
 ```
 ## Demo
diff --git a/src/builders.ts b/src/builders.ts
index c925094db..426b4cd1f 100644
--- a/src/builders.ts
+++ b/src/builders.ts
@@ -38,6 +38,7 @@ interface BomBuilderOptions {
   reproducible?: BomBuilder['reproducible']
   flattenComponents?: BomBuilder['flattenComponents']
   shortPURLs?: BomBuilder['shortPURLs']
+  workspaces?: BomBuilder['workspaces']
 }
 
 type cPath = string
@@ -57,6 +58,7 @@ export class BomBuilder {
   reproducible: boolean
   flattenComponents: boolean
   shortPURLs: boolean
+  workspaces: string[]
 
   console: Console
 
@@ -80,6 +82,7 @@ export class BomBuilder {
     this.reproducible = options.reproducible ?? false
     this.flattenComponents = options.flattenComponents ?? false
     this.shortPURLs = options.shortPURLs ?? false
+    this.workspaces = options.workspaces ?? []
     this.console = console_
   }
 
@@ -166,6 +169,10 @@ export class BomBuilder {
       }
     }
 
+    for (const workspace of this.workspaces) {
+      args.push(`--workspace=${workspace}`)
+    }
+
     this.console.info('INFO | gathering dependency tree ...')
     this.console.debug('DEBUG | npm-ls: run npm with %j in %j', args, projectDir)
     let npmLsReturns: Buffer
diff --git a/src/cli.ts b/src/cli.ts
index 58165f068..2c4d5cadb 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -51,6 +51,7 @@ interface CommandOptions {
   outputFile: string
   validate: boolean | undefined
   mcType: Enums.ComponentType
+  workspace: string[] | undefined
   verbose: number
 }
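Review bot: Neither `workspaces?: BomBuilder['workspaces']` in `BomBuilderOptions` nor the `workspaces: string[]` class field says what a value is, and the only place the meaning is pinned down is the loop at the end of the builders.ts hunks that turns each entry into `--workspace=<value>` for npm. I would put `/** Workspace names or paths forwarded to npm as \`--workspace=<value>\`; an empty list means the whole project tree is listed. */` above the interface field and a one-line echo on the class field, so the next reader does not have to find the loop. The values are user-supplied command-line strings; judging from the `%j` debug line they travel as an argv array rather than a shell string, so no quoting is involved, but that spawn is outside the hunk and worth confirming. The method containing the loop starts and ends outside the hunk.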
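Review bot: `workspace: string[] | undefined` in `CommandOptions` does not match the flag this same commit registers as `--workspaces`; commander names the parsed attribute after the long flag (as `--output-reproducible` becomes `options.outputReproducible` elsewhere in this file), so unless the attribute name is overridden somewhere I cannot see, the parsed value lands in `options.workspaces` and the `workspaces: options.workspace` line in the `run` hunk always reads `undefined`, leaving the builder's `?? []` fallback in charge and the option silently ignored. Rename the interface field to `workspaces: string[]` (the option declares a default of `[]`, so `undefined` cannot occur) and pass `workspaces: options.workspaces`, or rename the flag to `--workspace` and keep the field. A unit test that passes `--workspaces <name>` through `makeCommand` and asserts the resulting npm arguments would catch this class of mismatch.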
@@ -166,6 +167,12 @@ function makeCommand (process: NodeJS.Process): Command {
     ).default(
       Enums.ComponentType.Application
     )
+  ).addOption(
+    new Option(
+      '--workspaces ',
+      'Whether to only include dependencies for specific workspaces. ' +
+      '(can be set multiple times)'
+    ).default([], 'empty')
   ).addOption(
     new Option(
       '-v, --verbose',
@@ -249,7 +256,8 @@ export async function run (process: NodeJS.Process): Promise {
         omitDependencyTypes: options.omit,
         reproducible: options.outputReproducible,
         flattenComponents: options.flattenComponents,
-        shortPURLs: options.shortPURLs
+        shortPURLs: options.shortPURLs,
+        workspaces: options.workspace
       },
       myConsole
     ).buildFromProjectDir(projectDir, process)
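Review bot: The description `'Whether to only include dependencies for specific workspaces. '` reads like a yes/no switch, but the option takes one or more values and restricts the listed tree to those workspaces, so the help text should say what a value is rather than ask a "whether" question. I would change the two string lines to `'Only include dependencies of the given workspace(s), given by name or path. ' +` and `'(can be set multiple times)'`, and mirror the wording in the README hunk, which copies the same sentence. The `.default([], 'empty')` form matches how the other list-valued option is described, so that part reads consistently.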