
fix(npm): don't consider dev dependencies for sbom (#4690)

* fix(npm): don't consider dev dependencies for sbom

* chore: update test

* fix typo

---------

Co-authored-by: Anil Keshav <anil.keshav@sap.com>
This commit is contained in:
Oliver Nocon 2024-02-28 16:05:13 +01:00 committed by GitHub
parent 04028a647c
commit 69a01b935a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 6 deletions


@ -359,7 +359,7 @@ func (exec *Execute) checkIfLockFilesExist() (bool, bool, error) {
func (exec *Execute) CreateBOM(packageJSONFiles []string) error {
// Install cyclonedx-npm in a new folder (to avoid extraneous errors) and generate BOM
cycloneDxNpmInstallParams := []string{"install", "--no-save", cycloneDxNpmPackageVersion, "--prefix", cycloneDxNpmInstallationFolder}
cycloneDxNpmRunParams := []string{"--output-format", "XML", "--spec-version", cycloneDxSchemaVersion, "--output-file"}
cycloneDxNpmRunParams := []string{"--output-format", "XML", "--spec-version", cycloneDxSchemaVersion, "--omit", "dev", "--output-file"}
// Install cyclonedx/bom with --nosave and generate BOM.
cycloneDxBomInstallParams := []string{"install", cycloneDxBomPackageVersion, "--no-save"}
@ -387,7 +387,6 @@ func (exec *Execute) createBOMWithParams(packageInstallParams []string, packageR
// Install package
err := execRunner.RunExecutable("npm", packageInstallParams...)
if err != nil {
return fmt.Errorf("failed to install CycloneDX BOM %w", err)
}
@ -399,7 +398,7 @@ func (exec *Execute) createBOMWithParams(packageInstallParams []string, packageR
executable := "npx"
params := append(packageRunParams, filepath.Join(path, npmBomFilename))
//Below code needed as to adjust according to needs of cyclonedx-npm and fallback cyclonedx/bom@^3.10.6
// Below code needed as to adjust according to needs of cyclonedx-npm and fallback cyclonedx/bom@^3.10.6
if !fallback {
params = append(params, packageJSONFile)
executable = cycloneDxNpmInstallationFolder + "/node_modules/.bin/cyclonedx-npm"
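Review bot: Only the cyclonedx-npm invocation gains `--omit`, `dev` (`cycloneDxNpmRunParams` in the first hunk); the run parameters for the fallback `cyclonedx/bom` tool are not in this hunk, so as far as the diff shows the two code paths may now produce SBOMs of different scope, with dev dependencies still listed whenever the fallback is taken. It is worth confirming that the fallback is aligned, or stating that the difference is intentional. The scope decision also deserves a comment next to the parameter list, since anyone scanning the resulting SBOM for known vulnerabilities will presumably no longer see build-time tooling: `// Dev dependencies are omitted so the SBOM describes only what ships with the package.` CreateBOM's body continues past the end of the hunk.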


@ -41,7 +41,6 @@ func TestNpm(t *testing.T) {
packageJSONFiles := exec.FindPackageJSONFiles()
assert.Equal(t, []string{"package.json"}, packageJSONFiles)
})
t.Run("find package.json files with two package.json and default filter", func(t *testing.T) {
@ -364,6 +363,8 @@ func TestNpm(t *testing.T) {
"XML",
"--spec-version",
cycloneDxSchemaVersion,
"--omit",
"dev",
"--output-file",
}
@ -373,7 +374,6 @@ func TestNpm(t *testing.T) {
assert.Equal(t, mock.ExecCall{Exec: "./tmp/node_modules/.bin/cyclonedx-npm", Params: append(cycloneDxNpmRunParams, "bom-npm.xml", "package.json")}, utils.execRunner.Calls[1])
assert.Equal(t, mock.ExecCall{Exec: "./tmp/node_modules/.bin/cyclonedx-npm", Params: append(cycloneDxNpmRunParams, filepath.Join("src", "bom-npm.xml"), filepath.Join("src", "package.json"))}, utils.execRunner.Calls[2])
}
}
})
@ -408,7 +408,6 @@ func TestNpm(t *testing.T) {
assert.Equal(t, mock.ExecCall{Exec: "npx", Params: append(cycloneDxBomRunParams, "bom-npm.xml", ".")}, utils.execRunner.Calls[2])
assert.Equal(t, mock.ExecCall{Exec: "npx", Params: append(cycloneDxBomRunParams, filepath.Join("src", "bom-npm.xml"), filepath.Join("src"))}, utils.execRunner.Calls[3])
}
}
})
}