-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathcyclone_dx_sbom.js
271 lines (239 loc) · 7.53 KB
/
cyclone_dx_sbom.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
import {EOL} from "os";
import {PackageURL} from "packageurl-js";
/**
*
* @param component {PackageURL}
* @param type type of package - application or library
* @return {{"bom-ref": string, name, purl: string, type, version}}
* @private
*/
function getComponent(component,type) {
let componentObject;
if(component instanceof PackageURL)
{
if(component.namespace) {
componentObject = {
"group": component.namespace,
"name": component.name,
"version": component.version,
"purl": component.toString(),
"type": type,
"bom-ref": component.toString()
}
}
else
{
componentObject = {
"name": component.name,
"version": component.version,
"purl": component.toString(),
"type": type,
"bom-ref": component.toString()
}
}
}
else
{
componentObject = component
}
return componentObject
}
function createDependency(dependency)
{
return {
"ref" : dependency,
"dependsOn" : new Array()
}
}
export default class CycloneDxSbom {
sbomObject
rootComponent
components
dependencies
sourceManifestForAuditTrail
constructor() {
this.dependencies = new Array()
this.components = new Array()
}
/**
* @param {PackageURL} root - add main/root component for sbom
* @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
*/
addRoot(root) {
this.rootComponent =
getComponent(root, "application")
this.components.push(this.rootComponent)
return this
}
/**
* @return {{{"bom-ref": string, name, purl: string, type, version}}} root component of sbom.
*/
getRoot() {
return this.rootComponent
}
/**
* @param {component} sourceRef current target Component ( Starting from root component by clients)
* @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
* @return Sbom
*/
addDependency(sourceRef, targetRef) {
let componentIndex = this.getComponentIndex(sourceRef);
if (componentIndex < 0) {
this.components.push(getComponent(sourceRef, "library"))
}
let dependencyIndex = this.getDependencyIndex(sourceRef.purl)
if (dependencyIndex < 0) {
this.dependencies.push(createDependency(sourceRef.purl))
dependencyIndex = this.getDependencyIndex(sourceRef.purl)
}
//Only if the dependency doesn't exists on the dependency list of dependency, then add it to this list.
if (this.dependencies[dependencyIndex].dependsOn.findIndex(dep => dep === targetRef.toString()) === -1) {
this.dependencies[dependencyIndex].dependsOn.push(targetRef.toString())
}
if (this.getDependencyIndex(targetRef.toString()) < 0) {
this.dependencies.push(createDependency(targetRef.toString()))
}
let newComponent = getComponent(targetRef, "library");
// Only if component doesn't exists in component list, add it to the list.
if (this.getComponentIndex(newComponent) < 0) {
this.components.push(newComponent)
}
return this
}
/** @param {{}} opts - various options, settings and configuration of application.
* @return String CycloneDx Sbom json object in a string format
*/
getAsJsonString(opts) {
let manifestType = opts["manifest-type"]
this.setSourceManifest(opts["source-manifest"])
this.sbomObject = {
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"metadata": {
"timestamp": new Date(),
"component": this.rootComponent,
"properties": new Array()
},
"components": this.components,
"dependencies": this.dependencies
}
if (this.rootComponent === undefined)
{
delete this.sbomObject.metadata.component
}
if(this.sourceManifestForAuditTrail !== undefined && manifestType !== undefined) {
this.sbomObject.metadata.properties.push({"name" : "rhda:manifest:content" , "value" : this.sourceManifestForAuditTrail})
this.sbomObject.metadata.properties.push({"name" : "rhda:manifest:filename" , "value" : manifestType})
}
else {
delete this.sbomObject.metadata.properties
}
if (process.env["EXHORT_DEBUG"] === "true") {
console.log("SBOM Generated for manifest, to be sent to exhort service:" + EOL + JSON.stringify(this.sbomObject, null, 4))
}
return JSON.stringify(this.sbomObject)
}
/**
*
* @param {String} dependency - purl string of the component.
* @return {int} - the index of the dependency in dependencies Array, returns -1 if not found.
*/
getDependencyIndex(dependency) {
return this.dependencies.findIndex(dep => dep.ref === dependency)
}
/**
*
* @param {component} theComponent - Component Object with purl field.
* @return {int} index of the found component entry, if not found returns -1.
* @private
*/
getComponentIndex(theComponent) {
return this.components.findIndex(component => component.purl === theComponent.purl)
}
/** This method gets a PackageUrl, and returns a Component of CycloneDx Sbom
* @param purl {PackageURL}
* @return component
*/
purlToComponent(purl) {
return getComponent(purl, "library")
}
/**
* This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom
* @param {Array} dependencies to be removed from sbom
* @return {CycloneDxSbom} without ignored dependencies
*/
filterIgnoredDeps(deps) {
deps.forEach(dep => {
let index = this.components.findIndex(component => component.name === dep);
if (index >= 0) {
this.components.splice(index, 1)
}
index = this.dependencies.findIndex(dependency => dependency.ref.includes(dep));
if (index >= 0) {
this.dependencies.splice(index, 1)
}
this.dependencies.forEach(dependency => {
let indexDependsOn = dependency.dependsOn.findIndex(theDep => theDep.includes(dep));
if (indexDependsOn > -1) {
dependency.dependsOn.splice(indexDependsOn, 1)
}
})
})
return this
}
/**
* This method gets an array of dependencies with versions( purl string format) to be ignored, and remove all of them from CycloneDx Sbom
* @param {Array} dependencies to be removed from sbom
* @return {CycloneDxSbom} without ignored dependencies
*/
filterIgnoredDepsIncludingVersion(deps) {
deps.forEach(dep => {
let index = this.components.findIndex(component => component.purl === dep);
if (index >= 0) {
this.components.splice(index, 1)
}
index = this.dependencies.findIndex(dependency => dependency.ref === dep);
if (index >= 0) {
this.dependencies.splice(index, 1)
}
this.dependencies.forEach(dependency => {
let indexDependsOn = dependency.dependsOn.findIndex(theDep => theDep === dep);
if (indexDependsOn > -1) {
dependency.dependsOn.splice(indexDependsOn, 1)
}
})
})
return this
}
/** This method gets a component object, and a string name, and checks if the name is a substring of the component' purl.
* @param {} component to search in its dependencies
* @param {String} name to be checked.
*
* @return {boolean}
*/
checkIfPackageInsideDependsOnList(component, name) {
let dependencyIndex = this.getDependencyIndex(component.purl)
if (dependencyIndex < 0) {
return false
}
//Only if the dependency doesn't exists on the dependency list of dependency, then add it to this list.
if (this.dependencies[dependencyIndex].dependsOn.findIndex(dep => dep.includes(name)) >= 0) {
return true;
} else {
return false
}
}
/** Removes the root component from the sbom
*/
removeRootComponent() {
let compIndex = this.getComponentIndex(this.rootComponent)
let depIndex = this.getDependencyIndex(this.rootComponent.purl)
this.components.splice(compIndex, 1)
this.dependencies.splice(depIndex, 1)
this.rootComponent = undefined
}
setSourceManifest(manifestData) {
this.sourceManifestForAuditTrail = manifestData
}
}