ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: usr / lib / node_modules / npm / lib / commands

const localeCompare = require('@isaacs/string-locale-compare')('en')
const BaseCommand = require('../base-cmd.js')
const { log, output } = require('proc-log')
const { cyclonedxOutput } = require('../utils/sbom-cyclonedx.js')
const { spdxOutput } = require('../utils/sbom-spdx.js')

const SBOM_FORMATS = ['cyclonedx', 'spdx']

class SBOM extends BaseCommand {
  #response = {} // response is the sbom response

static description = 'Generate a Software Bill of Materials (SBOM)'
  static name = 'sbom'
  static workspaces = true

static params = [
    'omit',
    'package-lock-only',
    'sbom-format',
    'sbom-type',
    'workspace',
    'workspaces',
  ]

async exec () {
    const sbomFormat = this.npm.config.get('sbom-format')
    const packageLockOnly = this.npm.config.get('package-lock-only')

if (!sbomFormat) {
      /* eslint-disable-next-line max-len */
      throw this.usageError(`Must specify --sbom-format flag with one of: ${SBOM_FORMATS.join(', ')}.`)
    }

const opts = {
      ...this.npm.flatOptions,
      path: this.npm.prefix,
      forceActual: true,
    }
    const Arborist = require('@npmcli/arborist')
    const arb = new Arborist(opts)

const tree = packageLockOnly ? await arb.loadVirtual(opts).catch(() => {
      /* eslint-disable-next-line max-len */
      throw this.usageError('A package lock or shrinkwrap file is required in package-lock-only mode')
    }) : await arb.loadActual(opts)

// Collect the list of selected workspaces in the project
    const wsNodes = this.workspaceNames?.length
      ? arb.workspaceNodes(tree, this.workspaceNames)
      : null

// Build the selector and query the tree for the list of nodes
    const selector = this.#buildSelector({ wsNodes })
    log.info('sbom', `Using dependency selector: ${selector}`)
    const items = await tree.querySelectorAll(selector)

const errors = items.flatMap(node => detectErrors(node))
    if (errors.length) {
      throw Object.assign(new Error([...new Set(errors)].join('\n')), {
        code: 'ESBOMPROBLEMS',
      })
    }

// Populate the response with the list of unique nodes (sorted by location)
    this.#buildResponse(items.sort((a, b) => localeCompare(a.location, b.location)))

// TODO(BREAKING_CHANGE): all sbom output is in json mode but setting it before
    // any of the errors will cause those to be thrown in json mode.
    this.npm.config.set('json', true)
    output.buffer(this.#response)
  }

async execWorkspaces (args) {
    await this.setWorkspaces()
    return this.exec(args)
  }

// Build the selector from all of the specified filter options
  #buildSelector ({ wsNodes }) {
    let selector
    const omit = this.npm.flatOptions.omit
    const workspacesEnabled = this.npm.flatOptions.workspacesEnabled

// If omit is specified, omit all nodes and their children which match the
    // specified selectors
    const omits = omit.reduce((acc, o) => `${acc}:not(.${o})`, '')

if (!workspacesEnabled) {
      // If workspaces are disabled, omit all workspace nodes and their children
      selector = `:root > :not(.workspace)${omits},:root > :not(.workspace) *${omits},:extraneous`
    } else if (wsNodes && wsNodes.length > 0) {
      // If one or more workspaces are selected, select only those workspaces and their children
      selector = wsNodes.map(ws => `#${ws.name},#${ws.name} *${omits}`).join(',')
    } else {
      selector = `:root *${omits},:extraneous`
    }

// Always include the root node
    return `:root,${selector}`
  }

// builds a normalized inventory
  #buildResponse (items) {
    const sbomFormat = this.npm.config.get('sbom-format')
    const packageType = this.npm.config.get('sbom-type')
    const packageLockOnly = this.npm.config.get('package-lock-only')

this.#response = sbomFormat === 'cyclonedx'
      ? cyclonedxOutput({ npm: this.npm, nodes: items, packageType, packageLockOnly })
      : spdxOutput({ npm: this.npm, nodes: items, packageType })
  }
}

const detectErrors = (node) => {
  const errors = []

// Look for missing dependencies (that are NOT optional), or invalid dependencies
  for (const edge of node.edgesOut.values()) {
    if (edge.missing && !(edge.type === 'optional' || edge.type === 'peerOptional')) {
      errors.push(`missing: ${edge.name}@${edge.spec}, required by ${edge.from.pkgid}`)
    }

if (edge.invalid) {
      /* istanbul ignore next */
      const spec = edge.spec || '*'
      const from = edge.from.pkgid
      errors.push(`invalid: ${edge.to.pkgid}, ${spec} required by ${from}`)
    }
  }

return errors
}

module.exports = SBOM

[-] audit.js [edit]
[-] diff.js [edit]
[-] fund.js [edit]
[-] prefix.js [edit]
[-] restart.js [edit]
[-] rebuild.js [edit]
[-] unpublish.js [edit]
[-] ci.js [edit]
[-] logout.js [edit]
[-] dist-tag.js [edit]
[-] star.js [edit]
[-] test.js [edit]
[-] deprecate.js [edit]
[-] help-search.js [edit]
[-] get.js [edit]
[-] docs.js [edit]
[-] sbom.js [edit]
[-] doctor.js [edit]
[-] uninstall.js [edit]
[-] stars.js [edit]
[-] link.js [edit]
[-] version.js [edit]
[-] query.js [edit]
[-] whoami.js [edit]
[-] access.js [edit]
[-] adduser.js [edit]
[-] completion.js [edit]
[-] start.js [edit]
[-] install-test.js [edit]
[-] pkg.js [edit]
[-] owner.js [edit]
[-] prune.js [edit]
[-] bugs.js [edit]
[-] dedupe.js [edit]
[-] outdated.js [edit]
[-] publish.js [edit]
[-] token.js [edit]
[+] ..
[-] org.js [edit]
[-] shrinkwrap.js [edit]
[-] root.js [edit]
[-] login.js [edit]
[-] pack.js [edit]
[-] find-dupes.js [edit]
[-] cache.js [edit]
[-] team.js [edit]
[-] repo.js [edit]
[-] exec.js [edit]
[-] search.js [edit]
[-] update.js [edit]
[-] install.js [edit]
[-] ping.js [edit]
[-] ll.js [edit]
[-] explain.js [edit]
[-] ls.js [edit]
[-] profile.js [edit]
[-] init.js [edit]
[-] config.js [edit]
[-] edit.js [edit]
[-] run-script.js [edit]
[-] view.js [edit]
[-] help.js [edit]
[-] stop.js [edit]
[-] explore.js [edit]
[-] hook.js [edit]
[-] install-ci-test.js [edit]
[-] set.js [edit]
[-] unstar.js [edit]