File Explorer

/var/lang/lib/node_modules/npm/lib/commands
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
1 dir
67 files
sbom.js4.5 KB · 133 lines
1const localeCompare = require('@isaacs/string-locale-compare')('en')2const BaseCommand = require('../base-cmd.js')3const { log, output, META } = require('proc-log')4const { cyclonedxOutput } = require('../utils/sbom-cyclonedx.js')5const { spdxOutput } = require('../utils/sbom-spdx.js')6 7const SBOM_FORMATS = ['cyclonedx', 'spdx']8 9class SBOM extends BaseCommand {10  #response = {} // response is the sbom response11 12  static description = 'Generate a Software Bill of Materials (SBOM)'13  static name = 'sbom'14  static workspaces = true15 16  static params = [17    'omit',18    'package-lock-only',19    'sbom-format',20    'sbom-type',21    'workspace',22    'workspaces',23  ]24 25  async exec () {26    const sbomFormat = this.npm.config.get('sbom-format')27    const packageLockOnly = this.npm.config.get('package-lock-only')28 29    if (!sbomFormat) {30      throw this.usageError(`Must specify --sbom-format flag with one of: ${SBOM_FORMATS.join(', ')}.`)31    }32 33    const opts = {34      ...this.npm.flatOptions,35      path: this.npm.prefix,36      forceActual: true,37    }38    const Arborist = require('@npmcli/arborist')39    const arb = new Arborist(opts)40 41    const tree = packageLockOnly ? await arb.loadVirtual(opts).catch(() => {42      throw this.usageError('A package lock or shrinkwrap file is required in package-lock-only mode')43    }) : await arb.loadActual(opts)44 45    // Collect the list of selected workspaces in the project46    const wsNodes = this.workspaceNames?.length47      ? arb.workspaceNodes(tree, this.workspaceNames)48      : null49 50    // Build the selector and query the tree for the list of nodes51    const selector = this.#buildSelector({ wsNodes })52    log.info('sbom', `Using dependency selector: ${selector}`)53    const items = await tree.querySelectorAll(selector)54 55    const errors = items.flatMap(node => detectErrors(node))56    if (errors.length) {57      throw Object.assign(new Error([...new Set(errors)].join('\n')), {58        code: 'ESBOMPROBLEMS',59      })60    }61 62    // Populate the response with the list of unique nodes (sorted by location)63    this.#buildResponse(items.sort((a, b) => localeCompare(a.location, b.location)))64 65    // TODO(BREAKING_CHANGE): all sbom output is in json mode but setting it before66    // any of the errors will cause those to be thrown in json mode.67    this.npm.config.set('json', true)68    output.standard(JSON.stringify(this.#response, null, 2), { [META]: true, redact: false })69  }70 71  async execWorkspaces (args) {72    await this.setWorkspaces()73    return this.exec(args)74  }75 76  // Build the selector from all of the specified filter options77  #buildSelector ({ wsNodes }) {78    let selector79    const omit = this.npm.flatOptions.omit80    const workspacesEnabled = this.npm.flatOptions.workspacesEnabled81 82    // If omit is specified, omit all nodes and their children which match the83    // specified selectors84    const omits = omit.reduce((acc, o) => `${acc}:not(.${o})`, '')85 86    if (!workspacesEnabled) {87      // If workspaces are disabled, omit all workspace nodes and their children88      selector = `:root > :not(.workspace)${omits},:root > :not(.workspace) *${omits},:extraneous`89    } else if (wsNodes && wsNodes.length > 0) {90      // If one or more workspaces are selected, select only those workspaces and their children91      selector = wsNodes.map(ws => `#${ws.name},#${ws.name} *${omits}`).join(',')92    } else {93      selector = `:root *${omits},:extraneous`94    }95 96    // Always include the root node97    return `:root,${selector}`98  }99 100  // builds a normalized inventory101  #buildResponse (items) {102    const sbomFormat = this.npm.config.get('sbom-format')103    const packageType = this.npm.config.get('sbom-type')104    const packageLockOnly = this.npm.config.get('package-lock-only')105 106    this.#response = sbomFormat === 'cyclonedx'107      ? cyclonedxOutput({ npm: this.npm, nodes: items, packageType, packageLockOnly })108      : spdxOutput({ npm: this.npm, nodes: items, packageType })109  }110}111 112const detectErrors = (node) => {113  const errors = []114 115  // Look for missing dependencies (that are NOT optional), or invalid dependencies116  for (const edge of node.edgesOut.values()) {117    if (edge.missing && !(edge.type === 'optional' || edge.type === 'peerOptional')) {118      errors.push(`missing: ${edge.name}@${edge.spec}, required by ${edge.from.pkgid}`)119    }120 121    if (edge.invalid) {122      /* istanbul ignore next */123      const spec = edge.spec || '*'124      const from = edge.from.pkgid125      errors.push(`invalid: ${edge.to.pkgid}, ${spec} required by ${from}`)126    }127  }128 129  return errors130}131 132module.exports = SBOM133