From 15d2d192ca91de7762ce8a8faaa2a09fb23197f6 Mon Sep 17 00:00:00 2001
From: Roland Asmann
Date: Thu, 16 Jan 2025 00:27:44 +0100
Subject: [PATCH 1/5] Added configurable reference generation between the components of a multi-language SBOM
Signed-off-by: Roland Asmann
---
 docs/ENV.md | 4 ++--
 lib/cli/index.js | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/docs/ENV.md b/docs/ENV.md
index f0b204469..1e1d29f91 100644
--- a/docs/ENV.md
+++ b/docs/ENV.md
@@ -6,6 +6,7 @@ The following environment variables are available to configure the bom generatio
 | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages |
 | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
+| MULTI_BOM_COMPONENT_REF | When building a multi-language BOM, choose how the references between the components is handled. This can be useful if other tooling used to eg visualize the dependency-tree only uses 'dependsOn' (as the name dependency-tree more or less implies). Possible values: `dependsOn`, `provides`. Default: `provides`. |
 | MVN_CMD | Set to override maven command |
 | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
 | MAVEN_HOME | Specify maven home |
@@ -28,6 +29,7 @@ The following environment variables are available to configure the bom generatio
 | GRADLE_RESOLVE_FROM_NODE | If some of your gradle modules are included from node (eg when using expo or react-native), set this to true to use the npm-packages as your dependencies. The big advantage of this, is that the generated purls will be of actually known components (eg in OSS Index) instead of generic names for the packages. |
 | GRADLE_SKIP_MODULE_DEPENDENCIES | Comma-separated list of modules to skip during the "dependencies" task. This can be useful if you have modules that would fail the gradle build, eg when they do not have dependencies in the given configuration. Use "root" if the top most module should be skipped, use their gradle-name (so WITH leading ":") for all others. |
 | GRADLE_SKIP_MODULES | Comma-separated list of modules to skip for both "properties" and "dependencies" task. Use the gradle-name (so WITH leading ":"). NOTICE: when using this, neither the configured ID (group, name & version) nor the dependencies of these modules will be available! |
+| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. |
 | SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
 | FETCH_LICENSE | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang |
 | SEARCH_MAVEN_ORG | If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search. (defaults to `true`) |
@@ -82,8 +84,6 @@ The following environment variables are available to configure the bom generatio
 | PIP_TARGET | Specifies the target directory for pip installations, often used when dependencies are installed into temporary or isolated directories. |
 | NODE_NO_READLINE | Set to `1` to disable canonical terminal settings and enable custom readline behavior for Node.js REPL or command-line tools. |
 | CDXGEN_REPL_HISTORY | Specifies the path to save REPL command history. If not set and the default directory does not exist, REPL history will not be saved. |
-| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. |
-| GRADLE_ARGS | A space-separated list of additional arguments passed to Gradle commands. Useful for providing custom profiles, configurations, or settings for builds. |
 | SDKMAN_VERSION | Specifies the version of SDKMAN to use. Useful for managing SDKs and ensuring compatibility with tools and environments. |
 | NVM_DIR | Defines the directory where Node Version Manager (NVM) is installed. Used to locate and manage Node.js versions in environments where NVM is utilized. |
 | RBENV_CMD | rbenv command to use |
diff --git a/lib/cli/index.js b/lib/cli/index.js
index cc75e8611..0eae4a34a 100644
--- a/lib/cli/index.js
+++ b/lib/cli/index.js
@@ -6554,6 +6554,22 @@ export async function createMultiXBom(pathList, options) {
 parentComponent = parentComponent.components[0];
 delete parentComponent.components;
 }
+ // Add references between the multiple sub-boms
+ // Default is 'provides', but since some tools only generate a tree for 'dependsOn',
+ // this can be configured with an EnvVar
+ const multiBomComponentRef =
+ "dependsOn" === process.env.MULTI_BOM_COMPONENT_REF
+ ? "dependsOn"
+ : "provides";
+ const parentDependencies = dependencies.find(
+ (d) => d["ref"] === parentComponent["bom-ref"],
+ );
+ if (!parentDependencies[multiBomComponentRef]) {
+ parentDependencies[multiBomComponentRef] = [];
+ }
+ for (const parentSub of parentSubComponents) {
+ parentDependencies[multiBomComponentRef].push(parentSub["bom-ref"]);
+ }
 }
 // some cleanup, but not complete
 for (const path of pathList) {
From 07072c4a32d5b04b51f5427ec047454c18581cbe Mon Sep 17 00:00:00 2001
From: Roland Asmann
Date: Thu, 16 Jan 2025 01:28:08 +0100
Subject: [PATCH 2/5] The dependencies for the parent component can (apparently) be undefined...
Signed-off-by: Roland Asmann
---
 lib/cli/index.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/cli/index.js b/lib/cli/index.js
index 0eae4a34a..4fbaef06f 100644
--- a/lib/cli/index.js
+++ b/lib/cli/index.js
@@ -6561,9 +6561,15 @@ export async function createMultiXBom(pathList, options) {
 "dependsOn" === process.env.MULTI_BOM_COMPONENT_REF
 ? "dependsOn"
 : "provides";
- const parentDependencies = dependencies.find(
+ let parentDependencies = dependencies.find(
 (d) => d["ref"] === parentComponent["bom-ref"],
 );
+ if (!parentDependencies) {
+ parentDependencies = {
+ ref: parentComponent["bom-ref"],
+ };
+ dependencies = mergeDependencies(dependencies, parentDependencies);
+ }
 if (!parentDependencies[multiBomComponentRef]) {
 parentDependencies[multiBomComponentRef] = [];
 }
From 78b4aa8f3284403f2b431f56f5f69311b785de24 Mon Sep 17 00:00:00 2001
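Review bot: The loop at the end of the added block pushes each sub-BOM parent's `bom-ref` unconditionally, so a ref that is already present in the parent's list (or a sub-BOM listed more than once in `parentSubComponents`, if that can happen) is duplicated in the dependency graph, which SBOM consumers may read as two edges. A membership check before the push avoids that: `if (!parentDependencies[multiBomComponentRef].includes(parentSub["bom-ref"])) { parentDependencies[multiBomComponentRef].push(parentSub["bom-ref"]); }`. The same unconditional push survives into the final form of this loop in the last index.js hunk of the series (`[PATCH 4/5]`, where the key is hard-coded to `"dependsOn"`), so the check belongs there as well. Separately, the docs/ENV.md hunk at `@@ -82,8 +84,6 @@` of this same patch drops the `GRADLE_ARGS` row without a replacement, which the commit message does not mention; if that is unintended it should be restored. createMultiXBom, and the `dependencies` and `parentSubComponents` variables this block relies on, start outside the hunk.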
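Review bot: The new fallback merges the freshly created `parentDependencies` into `dependencies` before its `dependsOn`/`provides` list is populated, so the refs pushed afterwards only reach the output if `mergeDependencies` keeps the same object rather than copying it into a new entry, which cannot be confirmed from this hunk. Building the entry complete (`parentDependencies = { ref: parentComponent["bom-ref"], [multiBomComponentRef]: [] };`) and merging at the end of the block, or re-running the `find` after the merge, removes the dependence on that implementation detail. `mergeDependencies` is also passed a single object as its second argument; if it expects a list (its name suggests it merges two dependency arrays), the call should be `mergeDependencies(dependencies, [parentDependencies])`. The reassignment of `dependencies` requires it to be declared with `let`, which happens outside the hunk.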
From: Roland Asmann
Date: Thu, 16 Jan 2025 22:55:04 +0100
Subject: [PATCH 3/5] Changed default to 'dependsOn'
Signed-off-by: Roland Asmann
---
 docs/ENV.md | 2 +-
 lib/cli/index.js | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/ENV.md b/docs/ENV.md
index 1e1d29f91..95ce7943e 100644
--- a/docs/ENV.md
+++ b/docs/ENV.md
@@ -6,7 +6,7 @@ The following environment variables are available to configure the bom generatio
 | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages |
 | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
-| MULTI_BOM_COMPONENT_REF | When building a multi-language BOM, choose how the references between the components is handled. This can be useful if other tooling used to eg visualize the dependency-tree only uses 'dependsOn' (as the name dependency-tree more or less implies). Possible values: `dependsOn`, `provides`. Default: `provides`. |
+| MULTI_BOM_COMPONENT_REF | When building a multi-language BOM, choose how the references between the components is handled. This can be useful if other tooling used to eg visualize the dependency-tree only uses 'dependsOn' (as the name dependency-tree more or less implies). Possible values: `dependsOn`, `provides`. Default: `dependesOn`. |
 | MVN_CMD | Set to override maven command |
 | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
 | MAVEN_HOME | Specify maven home |
diff --git a/lib/cli/index.js b/lib/cli/index.js
index 4fbaef06f..88582d0b6 100644
--- a/lib/cli/index.js
+++ b/lib/cli/index.js
@@ -6558,9 +6558,9 @@ export async function createMultiXBom(pathList, options) {
 // Default is 'provides', but since some tools only generate a tree for 'dependsOn',
 // this can be configured with an EnvVar
 const multiBomComponentRef =
- "dependsOn" === process.env.MULTI_BOM_COMPONENT_REF
- ? "dependsOn"
- : "provides";
+ "provides" === process.env.MULTI_BOM_COMPONENT_REF
+ ? "provides"
+ : "dependsOn";
 let parentDependencies = dependencies.find(
 (d) => d["ref"] === parentComponent["bom-ref"],
 );
From ccb1b08f9398634675f0e58ad4e10e7ccc21df22 Mon Sep 17 00:00:00 2001
From: Roland Asmann
Date: Fri, 17 Jan 2025 01:23:49 +0100
Subject: [PATCH 4/5] Removed the ability to configure ref and hard-coded it with 'dependsOn'
Signed-off-by: Roland Asmann
---
 docs/ENV.md | 1 -
 lib/cli/index.js | 12 +++--------
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/docs/ENV.md b/docs/ENV.md
index 95ce7943e..829884899 100644
--- a/docs/ENV.md
+++ b/docs/ENV.md
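Review bot: The context comment two lines above the changed ternary still reads `// Default is 'provides'`, while the new expression falls back to `"dependsOn"` for every value other than `"provides"`, so comment and code now contradict each other. It should read `// Default is 'dependsOn', since some tools only render a tree for 'dependsOn'; 'provides' can be selected via MULTI_BOM_COMPONENT_REF`. The strict string comparison also means a mistyped value (the docs hunk in this same patch spells the default `dependesOn`) is silently mapped to the default without any log line; a one-line warning for unrecognised values would make the setting debuggable. The surrounding block and createMultiXBom continue outside this hunk.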
@@ -6,7 +6,6 @@ The following environment variables are available to configure the bom generatio
 | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages |
 | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
-| MULTI_BOM_COMPONENT_REF | When building a multi-language BOM, choose how the references between the components is handled. This can be useful if other tooling used to eg visualize the dependency-tree only uses 'dependsOn' (as the name dependency-tree more or less implies). Possible values: `dependsOn`, `provides`. Default: `dependesOn`. |
 | MVN_CMD | Set to override maven command |
 | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
 | MAVEN_HOME | Specify maven home |
diff --git a/lib/cli/index.js b/lib/cli/index.js
index 88582d0b6..52113ca9c 100644
--- a/lib/cli/index.js
+++ b/lib/cli/index.js
@@ -6555,12 +6555,6 @@ export async function createMultiXBom(pathList, options) {
 delete parentComponent.components;
 }
 // Add references between the multiple sub-boms
- // Default is 'provides', but since some tools only generate a tree for 'dependsOn',
- // this can be configured with an EnvVar
- const multiBomComponentRef =
- "provides" === process.env.MULTI_BOM_COMPONENT_REF
- ? "provides"
- : "dependsOn";
 let parentDependencies = dependencies.find(
 (d) => d["ref"] === parentComponent["bom-ref"],
 );
@@ -6570,11 +6564,11 @@ export async function createMultiXBom(pathList, options) {
 };
 dependencies = mergeDependencies(dependencies, parentDependencies);
 }
- if (!parentDependencies[multiBomComponentRef]) {
- parentDependencies[multiBomComponentRef] = [];
+ if (!parentDependencies["dependsOn"]) {
+ parentDependencies["dependsOn"] = [];
 }
 for (const parentSub of parentSubComponents) {
- parentDependencies[multiBomComponentRef].push(parentSub["bom-ref"]);
+ parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
 }
 }
 // some cleanup, but not complete
From f3e667e6e168b58a70554f3839685e258b57c83d Mon Sep 17 00:00:00 2001
From: Roland Asmann
Date: Fri, 17 Jan 2025 01:25:05 +0100
Subject: [PATCH 5/5] Added a test for multi-bom
Signed-off-by: Roland Asmann
---
 .github/workflows/repotests.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
index 05e96ebaf..ae517f246 100644
--- a/.github/workflows/repotests.yml
+++ b/.github/workflows/repotests.yml
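Review bot: With the configurable key gone, `"dependsOn"` is now spelled out as a bracket-access string literal three times in the new lines; it is a plain identifier, so dot access reads better and the two-line guard collapses to `parentDependencies.dependsOn ??= [];` (logical nullish assignment, usable if the project's Node baseline already permits ES2021 syntax; otherwise `parentDependencies.dependsOn = parentDependencies.dependsOn || [];`), with the loop body becoming `parentDependencies.dependsOn.push(parentSub["bom-ref"]);`. The bracket form stays necessary only for the hyphenated `"bom-ref"` key. The loop also pushes `parentSub["bom-ref"]` even when a sub-BOM parent has no `bom-ref`, which would put an `undefined` entry into the graph if that case can occur; skipping such entries keeps the dependency list well-formed. The enclosing block and createMultiXBom continue outside this hunk.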
@@ -503,8 +503,9 @@ jobs:
 - name: repotests expo
 run: |
 cd repotests/expo-test && npm ci && cd ../..
- GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
- GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
+ GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
+ GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
+ GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json
 shell: bash
 - name: repotests elasticsearch
 run: |
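Review bot: The new third command only writes `bomresults/bom-expo-multi.json`; nothing in this step asserts that the multi-language run actually links the sub-BOM parents through `dependsOn`, so a regression in createMultiXBom would still pass CI as long as the file is produced, unless a later step outside this hunk validates the bomresults directory. A cheap guard right after the command, e.g. `jq -e '[.dependencies[] | select((.dependsOn // []) | length > 0)] | length > 0' bomresults/bom-expo-multi.json` (constructed example; the specific refs worth checking depend on the expo test project), would at least fail the job when no dependency edge is emitted. The first two commands are removed and re-added with identical text, so presumably only their indentation changed; keeping whitespace-only churn out of a feature patch makes the series easier to review.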