Add cdx:reproducible=true to SBOM metadata if called with --reproducible.
AugustusKling committed Feb 26, 2024
1 parent 74b9cbd commit b8ff4f7
Showing 15 changed files with 79 additions and 18 deletions.
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -4,7 +4,7 @@
"license": "Apache-2.0",
"main": "./sources/index.ts",
"dependencies": {
"@cyclonedx/cyclonedx-library": "^6.3.2",
"@cyclonedx/cyclonedx-library": "^6.4.0",
"@yarnpkg/cli": "^4.0.0",
"@yarnpkg/core": "^4.0.0",
"@yarnpkg/fslib": "^3.0.2",
6 changes: 5 additions & 1 deletion sources/sbom.ts
Expand Up @@ -37,7 +37,11 @@ export const generateSBOM = async (
outputOptions: OutputOptions
) => {
const bom = new CDX.Models.Bom();
if (!outputOptions.reproducible) {
if (outputOptions.reproducible) {
bom.metadata.properties.add(
new CDX.Models.Property("cdx:reproducible", "true")
);
} else {
bom.metadata.timestamp = new Date();
}

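Review bot: The new `bom.metadata.properties.add(new CDX.Models.Property("cdx:reproducible", "true"))` carries no comment stating what the property promises to SBOM consumers, and the hunk shows only the timestamp being suppressed in exchange. A one-line comment such as `// cdx:reproducible signals that volatile fields (the timestamp) are deliberately omitted so repeated runs yield byte-identical output` would put the contract next to where it is enforced. If the Bom also acquires a serialNumber elsewhere in generateSBOM, that field would need to be suppressed under the same flag for the property to stay truthful; the function body continues outside the hunk, so I cannot confirm this here. Consider hoisting the literal into `const REPRODUCIBLE_PROPERTY_NAME = "cdx:reproducible";`, since the same string is now pinned by several expectation files.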
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,13 @@
"name": "dev-dependency-with-dependencies",
"version": "0.0.1",
"bom-ref": "cd56053c0bd49371ba0556d4c29fb53983c397bd2fb297f419f3427e3199b9b4f166eb90f985ea09c71c75b2ff0819b2afa9c21031ac51a28a8f50b8201a7478"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
Expand Down Expand Up @@ -3109,4 +3115,4 @@
]
}
]
}
}
10 changes: 8 additions & 2 deletions tests/dev-dependency-with-dependencies/expectation.json
Expand Up @@ -15,7 +15,13 @@
"name": "dev-dependency-with-dependencies",
"version": "0.0.1",
"bom-ref": "cd56053c0bd49371ba0556d4c29fb53983c397bd2fb297f419f3427e3199b9b4f166eb90f985ea09c71c75b2ff0819b2afa9c21031ac51a28a8f50b8201a7478"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
Expand Down Expand Up @@ -2051,4 +2057,4 @@
]
}
]
}
}
3 changes: 3 additions & 0 deletions tests/dev-dependency-with-dependencies/expectation.xml
Expand Up @@ -11,6 +11,9 @@
<name>dev-dependency-with-dependencies</name>
<version>0.0.1</version>
</component>
<properties>
<property name="cdx:reproducible">true</property>
</properties>
</metadata>
<components>
<component type="library" bom-ref="025792b0ea7c8fca7dcdbd33105be95919b259fb3263a7ecd13ebc51a5c813b8956ae9fa4540ef179a154ec98b408006011b650dfcf15b64c71e1334b04affac">
8 changes: 7 additions & 1 deletion tests/multiple-versions/expectation-with-licenses.json
Expand Up @@ -15,7 +15,13 @@
"name": "multiple-versions",
"version": "0.0.1",
"bom-ref": "29d9332beec359aba70ccecb2c0ae34e85a609da3cb6af408f24287ce2e2e39265f04706f78a80b6e5c7665a4afa6baba719871de3252a245389b83cbdf4b630"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
8 changes: 7 additions & 1 deletion tests/multiple-versions/expectation.json
Expand Up @@ -15,7 +15,13 @@
"name": "multiple-versions",
"version": "0.0.1",
"bom-ref": "29d9332beec359aba70ccecb2c0ae34e85a609da3cb6af408f24287ce2e2e39265f04706f78a80b6e5c7665a4afa6baba719871de3252a245389b83cbdf4b630"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
3 changes: 3 additions & 0 deletions tests/multiple-versions/expectation.xml
Expand Up @@ -11,6 +11,9 @@
<name>multiple-versions</name>
<version>0.0.1</version>
</component>
<properties>
<property name="cdx:reproducible">true</property>
</properties>
</metadata>
<components>
<component type="library" bom-ref="025792b0ea7c8fca7dcdbd33105be95919b259fb3263a7ecd13ebc51a5c813b8956ae9fa4540ef179a154ec98b408006011b650dfcf15b64c71e1334b04affac">
8 changes: 7 additions & 1 deletion tests/no-dependencies/expectation.json
Expand Up @@ -15,7 +15,13 @@
"name": "no-dependencies",
"version": "0.0.1",
"bom-ref": "a15880a930a4e65124c64b72f8a359ae7edcdd7017bcda2e79cb3238f20703ebfce7a183e579a1eeb16a37623d421159d902a0bdea1a00d2851913675b891671"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [],
"dependencies": [
3 changes: 3 additions & 0 deletions tests/no-dependencies/expectation.xml
Expand Up @@ -11,6 +11,9 @@
<name>no-dependencies</name>
<version>0.0.1</version>
</component>
<properties>
<property name="cdx:reproducible">true</property>
</properties>
</metadata>
<components/>
<dependencies>
10 changes: 8 additions & 2 deletions tests/one-dependency/expectation.json
Expand Up @@ -15,7 +15,13 @@
"name": "one-dependency",
"version": "0.0.1",
"bom-ref": "2969298307f5884d75829e96ec87fceebdb49c246d2e1dc86c85ffc167432d5926ba2921b6ed9dc94e49e727b6d4d0b5dab317bd97bb36e048b234228a6bbd40"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
Expand Down Expand Up @@ -44,4 +50,4 @@
"ref": "b45832dfcec8c690acbfa64af49e90952d9e50ff8682c4d8e88bf5378bff2cb8d4fed04c80512bbbf72f4159ef99f54376f13c0275f870694844469288f7bb6b"
}
]
}
}
3 changes: 3 additions & 0 deletions tests/one-dependency/expectation.xml
Expand Up @@ -11,6 +11,9 @@
<name>one-dependency</name>
<version>0.0.1</version>
</component>
<properties>
<property name="cdx:reproducible">true</property>
</properties>
</metadata>
<components>
<component type="library" bom-ref="b45832dfcec8c690acbfa64af49e90952d9e50ff8682c4d8e88bf5378bff2cb8d4fed04c80512bbbf72f4159ef99f54376f13c0275f870694844469288f7bb6b">
10 changes: 8 additions & 2 deletions tests/package-aliasing/expectation.json
Expand Up @@ -15,7 +15,13 @@
"name": "package-aliasing",
"version": "0.0.1",
"bom-ref": "8f4a5adc26ea39c34e4c77de706e21a3e1d84346c9c8b0546396dcbc69bfcc7e4b07e797b97f5abcdc962fb6ec8cc4f1cbb15f4d7d725adefa09cdf7ae3b076b"
}
},
"properties": [
{
"name": "cdx:reproducible",
"value": "true"
}
]
},
"components": [
{
Expand Down Expand Up @@ -298,4 +304,4 @@
]
}
]
}
}
3 changes: 3 additions & 0 deletions tests/package-aliasing/expectation.xml
Expand Up @@ -11,6 +11,9 @@
<name>package-aliasing</name>
<version>0.0.1</version>
</component>
<properties>
<property name="cdx:reproducible">true</property>
</properties>
</metadata>
<components>
<component type="library" bom-ref="025792b0ea7c8fca7dcdbd33105be95919b259fb3263a7ecd13ebc51a5c813b8956ae9fa4540ef179a154ec98b408006011b650dfcf15b64c71e1334b04affac">
10 changes: 5 additions & 5 deletions yarn.lock
Expand Up @@ -146,9 +146,9 @@ __metadata:
languageName: node
linkType: hard

"@cyclonedx/cyclonedx-library@npm:^6.3.2":
version: 6.3.2
resolution: "@cyclonedx/cyclonedx-library@npm:6.3.2"
"@cyclonedx/cyclonedx-library@npm:^6.4.0":
version: 6.4.0
resolution: "@cyclonedx/cyclonedx-library@npm:6.4.0"
dependencies:
ajv: "npm:^8.12.0"
ajv-formats: "npm:^2.1.1"
Expand All @@ -168,7 +168,7 @@ __metadata:
optional: true
xmlbuilder2:
optional: true
checksum: 10c0/bd57656be8b91f5ebd89eec139d04b087b96de3942267f59eb1eeaa2c22b7c6e8ba0a23593dae4b4677e776d024c689f386b98af2b82690fd7794a48d01c5f19
checksum: 10c0/1596088c5d5378ec87fbb75d99607dce19ee0325eded0054d4bc1b1751d6fd763cc3bc302827c18be8f359ee5d76a1d9a54051b4e3f5e4a2c289f9ddb9be9f24
languageName: node
linkType: hard

Expand Down Expand Up @@ -3455,7 +3455,7 @@ __metadata:
version: 0.0.0-use.local
resolution: "yarn-plugin-sbom@workspace:."
dependencies:
"@cyclonedx/cyclonedx-library": "npm:^6.3.2"
"@cyclonedx/cyclonedx-library": "npm:^6.4.0"
"@types/node": "npm:^20.0.0"
"@yarnpkg/builder": "npm:^4.0.0"
"@yarnpkg/cli": "npm:^4.0.0"
