From b8ff4f7be7be1bb9627477e9a1ff544f3659968b Mon Sep 17 00:00:00 2001
From: Augustus Kling
Date: Mon, 26 Feb 2024 17:10:34 +0100
Subject: [PATCH] Add cdx:reproducible=true to SBOM metadata if called with --reproducible.

---
 package.json | 2 +-
 sources/sbom.ts | 6 +++++-
 .../expectation-with-licenses.json | 10 ++++++++--
 .../dev-dependency-with-dependencies/expectation.json | 10 ++++++++--
 tests/dev-dependency-with-dependencies/expectation.xml | 3 +++
 tests/multiple-versions/expectation-with-licenses.json | 8 +++++++-
 tests/multiple-versions/expectation.json | 8 +++++++-
 tests/multiple-versions/expectation.xml | 3 +++
 tests/no-dependencies/expectation.json | 8 +++++++-
 tests/no-dependencies/expectation.xml | 3 +++
 tests/one-dependency/expectation.json | 10 ++++++++--
 tests/one-dependency/expectation.xml | 3 +++
 tests/package-aliasing/expectation.json | 10 ++++++++--
 tests/package-aliasing/expectation.xml | 3 +++
 yarn.lock | 10 +++++-----
 15 files changed, 79 insertions(+), 18 deletions(-)

diff --git a/package.json b/package.json
index 84c4af3e..a141d55c 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,7 @@
   "license": "Apache-2.0",
   "main": "./sources/index.ts",
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "^6.3.2",
+    "@cyclonedx/cyclonedx-library": "^6.4.0",
     "@yarnpkg/cli": "^4.0.0",
     "@yarnpkg/core": "^4.0.0",
     "@yarnpkg/fslib": "^3.0.2",
diff --git a/sources/sbom.ts b/sources/sbom.ts
index dcf38602..dc529b23 100644
--- a/sources/sbom.ts
+++ b/sources/sbom.ts
@@ -37,7 +37,11 @@ export const generateSBOM = async (
   outputOptions: OutputOptions
 ) => {
   const bom = new CDX.Models.Bom();
-  if (!outputOptions.reproducible) {
+  if (outputOptions.reproducible) {
+    bom.metadata.properties.add(
+      new CDX.Models.Property("cdx:reproducible", "true")
+    );
+  } else {
     bom.metadata.timestamp = new Date();
   }
 
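Review bot: The new `if (outputOptions.reproducible)` branch in sbom.ts never says why the property replaces the timestamp, and `"cdx:reproducible"` is a bare string literal at the call site; a why-comment such as `// Reproducible mode omits run-dependent fields (here the generation timestamp) so two runs over the same lockfile yield byte-identical output that can be diffed, hashed or signed; cdx:reproducible=true tells consumers the omission is intentional rather than a defect.` would make the contract explicit. That flag stays truthful only as long as no other run-dependent value (a generated serial number, for instance) is ever written into the BOM elsewhere in this function, so the comment is also the place to state that invariant for future edits. Consider hoisting the name into a module-level `const REPRODUCIBLE_PROPERTY = "cdx:reproducible";` so the key used in the output and in the test expectations has a single definition; the dependency bump to cyclonedx-library 6.4.0 in the same commit suggests `metadata.properties` may have been unavailable before, which is worth a sentence in the commit message. The body of generateSBOM continues past the end of this hunk.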
diff --git a/tests/dev-dependency-with-dependencies/expectation-with-licenses.json b/tests/dev-dependency-with-dependencies/expectation-with-licenses.json index 01496044..2a82c182 100644 --- a/tests/dev-dependency-with-dependencies/expectation-with-licenses.json +++ b/tests/dev-dependency-with-dependencies/expectation-with-licenses.json @@ -15,7 +15,13 @@ "name": "dev-dependency-with-dependencies", "version": "0.0.1", "bom-ref": "cd56053c0bd49371ba0556d4c29fb53983c397bd2fb297f419f3427e3199b9b4f166eb90f985ea09c71c75b2ff0819b2afa9c21031ac51a28a8f50b8201a7478" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { @@ -3109,4 +3115,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/tests/dev-dependency-with-dependencies/expectation.json b/tests/dev-dependency-with-dependencies/expectation.json index 5704cbdd..47dc1876 100644 --- a/tests/dev-dependency-with-dependencies/expectation.json +++ b/tests/dev-dependency-with-dependencies/expectation.json @@ -15,7 +15,13 @@ "name": "dev-dependency-with-dependencies", "version": "0.0.1", "bom-ref": "cd56053c0bd49371ba0556d4c29fb53983c397bd2fb297f419f3427e3199b9b4f166eb90f985ea09c71c75b2ff0819b2afa9c21031ac51a28a8f50b8201a7478" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { @@ -2051,4 +2057,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/tests/dev-dependency-with-dependencies/expectation.xml b/tests/dev-dependency-with-dependencies/expectation.xml index ecfcdb00..99a4f98a 100644 --- a/tests/dev-dependency-with-dependencies/expectation.xml +++ b/tests/dev-dependency-with-dependencies/expectation.xml @@ -11,6 +11,9 @@ dev-dependency-with-dependencies 0.0.1 + + true + diff --git a/tests/multiple-versions/expectation-with-licenses.json b/tests/multiple-versions/expectation-with-licenses.json index 92b2c572..dec4e194 100644 --- a/tests/multiple-versions/expectation-with-licenses.json 
+++ b/tests/multiple-versions/expectation-with-licenses.json @@ -15,7 +15,13 @@ "name": "multiple-versions", "version": "0.0.1", "bom-ref": "29d9332beec359aba70ccecb2c0ae34e85a609da3cb6af408f24287ce2e2e39265f04706f78a80b6e5c7665a4afa6baba719871de3252a245389b83cbdf4b630" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { diff --git a/tests/multiple-versions/expectation.json b/tests/multiple-versions/expectation.json index 16b297ec..6c9654f1 100644 --- a/tests/multiple-versions/expectation.json +++ b/tests/multiple-versions/expectation.json @@ -15,7 +15,13 @@ "name": "multiple-versions", "version": "0.0.1", "bom-ref": "29d9332beec359aba70ccecb2c0ae34e85a609da3cb6af408f24287ce2e2e39265f04706f78a80b6e5c7665a4afa6baba719871de3252a245389b83cbdf4b630" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { diff --git a/tests/multiple-versions/expectation.xml b/tests/multiple-versions/expectation.xml index 14c202a2..eb7a9e67 100644 --- a/tests/multiple-versions/expectation.xml +++ b/tests/multiple-versions/expectation.xml @@ -11,6 +11,9 @@ multiple-versions 0.0.1 + + true + diff --git a/tests/no-dependencies/expectation.json b/tests/no-dependencies/expectation.json index b713e886..57ba5ac9 100644 --- a/tests/no-dependencies/expectation.json +++ b/tests/no-dependencies/expectation.json @@ -15,7 +15,13 @@ "name": "no-dependencies", "version": "0.0.1", "bom-ref": "a15880a930a4e65124c64b72f8a359ae7edcdd7017bcda2e79cb3238f20703ebfce7a183e579a1eeb16a37623d421159d902a0bdea1a00d2851913675b891671" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [], "dependencies": [ diff --git a/tests/no-dependencies/expectation.xml b/tests/no-dependencies/expectation.xml index 1629b4d1..75080ef3 100644 --- a/tests/no-dependencies/expectation.xml +++ b/tests/no-dependencies/expectation.xml 
@@ -11,6 +11,9 @@ no-dependencies 0.0.1 + + true + diff --git a/tests/one-dependency/expectation.json b/tests/one-dependency/expectation.json index 74376072..be06f77d 100644 --- a/tests/one-dependency/expectation.json +++ b/tests/one-dependency/expectation.json @@ -15,7 +15,13 @@ "name": "one-dependency", "version": "0.0.1", "bom-ref": "2969298307f5884d75829e96ec87fceebdb49c246d2e1dc86c85ffc167432d5926ba2921b6ed9dc94e49e727b6d4d0b5dab317bd97bb36e048b234228a6bbd40" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { @@ -44,4 +50,4 @@ "ref": "b45832dfcec8c690acbfa64af49e90952d9e50ff8682c4d8e88bf5378bff2cb8d4fed04c80512bbbf72f4159ef99f54376f13c0275f870694844469288f7bb6b" } ] -} +} \ No newline at end of file diff --git a/tests/one-dependency/expectation.xml b/tests/one-dependency/expectation.xml index 33fe0c85..8cae1630 100644 --- a/tests/one-dependency/expectation.xml +++ b/tests/one-dependency/expectation.xml @@ -11,6 +11,9 @@ one-dependency 0.0.1 + + true + diff --git a/tests/package-aliasing/expectation.json b/tests/package-aliasing/expectation.json index a69d78a3..abea6589 100644 --- a/tests/package-aliasing/expectation.json +++ b/tests/package-aliasing/expectation.json @@ -15,7 +15,13 @@ "name": "package-aliasing", "version": "0.0.1", "bom-ref": "8f4a5adc26ea39c34e4c77de706e21a3e1d84346c9c8b0546396dcbc69bfcc7e4b07e797b97f5abcdc962fb6ec8cc4f1cbb15f4d7d725adefa09cdf7ae3b076b" - } + }, + "properties": [ + { + "name": "cdx:reproducible", + "value": "true" + } + ] }, "components": [ { @@ -298,4 +304,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/tests/package-aliasing/expectation.xml b/tests/package-aliasing/expectation.xml index 6884214e..a3516448 100644 --- a/tests/package-aliasing/expectation.xml +++ b/tests/package-aliasing/expectation.xml @@ -11,6 +11,9 @@ package-aliasing 0.0.1 + + true + diff --git a/yarn.lock b/yarn.lock index e8ce819d..9350ff41 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -146,9 +146,9 @@ __metadata: languageName: node linkType: hard -"@cyclonedx/cyclonedx-library@npm:^6.3.2": - version: 6.3.2 - resolution: "@cyclonedx/cyclonedx-library@npm:6.3.2" +"@cyclonedx/cyclonedx-library@npm:^6.4.0": + version: 6.4.0 + resolution: "@cyclonedx/cyclonedx-library@npm:6.4.0" dependencies: ajv: "npm:^8.12.0" ajv-formats: "npm:^2.1.1" @@ -168,7 +168,7 @@ __metadata: optional: true xmlbuilder2: optional: true - checksum: 10c0/bd57656be8b91f5ebd89eec139d04b087b96de3942267f59eb1eeaa2c22b7c6e8ba0a23593dae4b4677e776d024c689f386b98af2b82690fd7794a48d01c5f19 + checksum: 10c0/1596088c5d5378ec87fbb75d99607dce19ee0325eded0054d4bc1b1751d6fd763cc3bc302827c18be8f359ee5d76a1d9a54051b4e3f5e4a2c289f9ddb9be9f24 languageName: node linkType: hard @@ -3455,7 +3455,7 @@ __metadata: version: 0.0.0-use.local resolution: "yarn-plugin-sbom@workspace:." dependencies: - "@cyclonedx/cyclonedx-library": "npm:^6.3.2" + "@cyclonedx/cyclonedx-library": "npm:^6.4.0" "@types/node": "npm:^20.0.0" "@yarnpkg/builder": "npm:^4.0.0" "@yarnpkg/cli": "npm:^4.0.0"