Skip to content

Commit

Permalink
feat: add support for targetting specific workspaces
Browse files Browse the repository at this point in the history
Signed-off-by: MalickBurger <[email protected]>
  • Loading branch information
MalickBurger committed Aug 23, 2024
1 parent 4c03947 commit 4ac8c52
Show file tree
Hide file tree
Showing 4 changed files with 54 additions and 38 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,5 +47,5 @@ Please sign off your commits, to show that you agree to publish your changes und
, and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/).

```shell
git commit --signed-off ...
git commit --signoff ...
```
73 changes: 37 additions & 36 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,44 +74,45 @@ Usage: cyclonedx-npm [options] [--] [<package-manifest>]
Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
Arguments:
<package-manifest> Path to project's manifest file.
(default: "package.json" file in current working directory)
<package-manifest> Path to project's manifest file.
(default: "package.json" file in current working directory)
Options:
--ignore-npm-errors Whether to ignore errors of NPM.
This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
(default: false)
--package-lock-only Whether to only use the lock file, ignoring "node_modules".
This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
(default: false)
--omit <type...> Dependency types to omit from the installation tree.
(can be set multiple times)
(choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
--flatten-components Whether to flatten the components.
This means the actual nesting of node packages is not represented in the SBOM result.
(default: false)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
(default: false)
--spec-version <version> Which version of CycloneDX spec to use.
(choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4")
--output-reproducible Whether to go the extra mile and make the output reproducible.
This requires more resources, and might result in loss of time- and random-based-values.
(env: BOM_REPRODUCIBLE)
--output-format <format> Which output format to use.
(choices: "JSON", "XML", default: "JSON")
--output-file <file> Path to the output file.
Set to "-" to write to STDOUT.
(default: write to STDOUT)
--validate Validate resulting BOM before outputting.
Validation is skipped, if requirements not met. See the README.
--no-validate Disable validation of resulting BOM.
--mc-type <type> Type of the main component.
(choices: "application", "firmware", "library", default: "application")
-v, --verbose Increase the verbosity of messages.
Use multiple times to increase the verbosity even more.
-V, --version output the version number
-h, --help display help for command
--ignore-npm-errors Whether to ignore errors of NPM.
This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
(default: false)
--package-lock-only Whether to only use the lock file, ignoring "node_modules".
This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
(default: false)
--omit <type...> Dependency types to omit from the installation tree.
(can be set multiple times)
(choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
--flatten-components Whether to flatten the components.
This means the actual nesting of node packages is not represented in the SBOM result.
(default: false)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
(default: false)
--spec-version <version> Which version of CycloneDX spec to use.
(choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4")
--output-reproducible Whether to go the extra mile and make the output reproducible.
This requires more resources, and might result in loss of time- and random-based-values.
(env: BOM_REPRODUCIBLE)
--output-format <format> Which output format to use.
(choices: "JSON", "XML", default: "JSON")
--output-file <file> Path to the output file.
Set to "-" to write to STDOUT.
(default: write to STDOUT)
--validate Validate resulting BOM before outputting.
Validation is skipped, if requirements not met. See the README.
--no-validate Disable validation of resulting BOM.
--mc-type <type> Type of the main component.
(choices: "application", "firmware", "library", default: "application")
--workspaces <workspace...> Whether to only include dependencies for specific workspaces. (can be set multiple times) (default: empty)
-v, --verbose Increase the verbosity of messages.
Use multiple times to increase the verbosity even more.
-V, --version output the version number
-h, --help display help for command
```

## Demo
Expand Down
7 changes: 7 additions & 0 deletions src/builders.ts
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ interface BomBuilderOptions {
reproducible?: BomBuilder['reproducible']
flattenComponents?: BomBuilder['flattenComponents']
shortPURLs?: BomBuilder['shortPURLs']
workspaces?: BomBuilder['workspaces']
}

type cPath = string
Expand All @@ -57,6 +58,7 @@ export class BomBuilder {
reproducible: boolean
flattenComponents: boolean
shortPURLs: boolean
workspaces: string[]

console: Console

Expand All @@ -80,6 +82,7 @@ export class BomBuilder {
this.reproducible = options.reproducible ?? false
this.flattenComponents = options.flattenComponents ?? false
this.shortPURLs = options.shortPURLs ?? false
this.workspaces = options.workspaces ?? []

this.console = console_
}
Expand Down Expand Up @@ -166,6 +169,10 @@ export class BomBuilder {
}
}

for (const workspace of this.workspaces) {
args.push(`--workspace=${workspace}`)
}

this.console.info('INFO | gathering dependency tree ...')
this.console.debug('DEBUG | npm-ls: run npm with %j in %j', args, projectDir)
let npmLsReturns: Buffer
Expand Down
10 changes: 9 additions & 1 deletion src/cli.ts
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ interface CommandOptions {
outputFile: string
validate: boolean | undefined
mcType: Enums.ComponentType
workspace: string[] | undefined
verbose: number
}

Expand Down Expand Up @@ -166,6 +167,12 @@ function makeCommand (process: NodeJS.Process): Command {
).default(
Enums.ComponentType.Application
)
).addOption(
new Option(
'--workspaces <workspace...>',
'Whether to only include dependencies for specific workspaces. ' +
'(can be set multiple times)'
).default([], 'empty')
).addOption(
new Option(
'-v, --verbose',
Expand Down Expand Up @@ -249,7 +256,8 @@ export async function run (process: NodeJS.Process): Promise<number> {
omitDependencyTypes: options.omit,
reproducible: options.outputReproducible,
flattenComponents: options.flattenComponents,
shortPURLs: options.shortPURLs
shortPURLs: options.shortPURLs,
workspaces: options.workspace
},
myConsole
).buildFromProjectDir(projectDir, process)
Expand Down

0 comments on commit 4ac8c52

Please sign in to comment.