| 1 | +import path from 'node:path' |
| 2 | + |
| 3 | +import { describe, expect } from 'vitest' |
| 4 | + |
| 5 | +import constants from '../../../dist/constants.js' |
| 6 | +import { cmdit, invokeNpm } from '../../../test/utils' |
| 7 | + |
| 8 | +const { CLI } = constants |
| 9 | + |
| 10 | +describe('socket cdxgen', async () => { |
| 11 | + // Lazily access constants.rootBinPath. |
| 12 | + const entryPath = path.join(constants.rootBinPath, `${CLI}.js`) |
| 13 | + |
| 14 | + cmdit(['cdxgen', '--help'], 'should support --help', async cmd => { |
| 15 | + const { code, stderr, stdout } = await invokeNpm(entryPath, cmd) |
| 16 | + expect(stdout).toMatchInlineSnapshot( |
| 17 | + ` |
| 18 | + "cdxgen [command] |
| 19 | +
|
| 20 | + Commands: |
| 21 | + cdxgen completion Generate bash/zsh completion |
| 22 | +
|
| 23 | + Options: |
| 24 | + -o, --output Output file. Default bom.json [default: "bom.json"] |
| 25 | + -t, --type Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms. [array] |
| 26 | + --exclude-type Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms. |
| 27 | + -r, --recurse Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable. [boolean] [default: true] |
| 28 | + -p, --print Print the SBOM as a table with tree. [boolean] |
| 29 | + -c, --resolve-class Resolve class names for packages. jars only for now. [boolean] |
| 30 | + --deep Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci images. [boolean] |
| 31 | + --server-url Dependency track url. Eg: https://deptrack.cyclonedx.io |
| 32 | + --skip-dt-tls-check Skip TLS certificate check when calling Dependency-Track. [boolean] [default: false] |
| 33 | + --api-key Dependency track api key |
| 34 | + --project-group Dependency track project group |
| 35 | + --project-name Dependency track project name. Default use the directory name |
| 36 | + --project-version Dependency track project version [string] [default: ""] |
| 37 | + --project-id Dependency track project id. Either provide the id or the project name and version together [string] |
| 38 | + --parent-project-id Dependency track parent project id [string] |
| 39 | + --required-only Include only the packages with required scope on the SBOM. Would set compositions.aggregate to incomplete unless --no-auto-compositions is passed. [boolean] |
| 40 | + --fail-on-error Fail if any dependency extractor fails. [boolean] |
| 41 | + --no-babel Do not use babel to perform usage analysis for JavaScript/TypeScript projects. [boolean] |
| 42 | + --generate-key-and-sign Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web Signatures. [boolean] |
| 43 | + --server Run cdxgen as a server [boolean] |
| 44 | + --server-host Listen address [default: "127.0.0.1"] |
| 45 | + --server-port Listen port [default: "9090"] |
| 46 | + --install-deps Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature. [boolean] [default: true] |
| 47 | + --validate Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to disable. [boolean] [default: true] |
| 48 | + --evidence Generate SBOM with evidence for supported languages. [boolean] [default: false] |
| 49 | + --spec-version CycloneDX Specification version to use. Defaults to 1.6 [number] [default: 1.6] |
| 50 | + --filter Filter components containing this word in purl or component.properties.value. Multiple values allowed. [array] |
| 51 | + --only Include components only containing this word in purl. Useful to generate BOM with first party components alone. Multiple values allowed. [array] |
| 52 | + --author The person(s) who created the BOM. Set this value if you're intending the modify the BOM and claim authorship. [array] [default: "OWASP Foundation"] |
| 53 | + --profile BOM profile to use for generation. Default generic. [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning", "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"] |
| 54 | + --exclude Additional glob pattern(s) to ignore [array] |
| 55 | + --include-formulation Generate formulation section with git metadata and build tools. Defaults to false. [boolean] [default: false] |
| 56 | + --include-crypto Include crypto libraries as components. [boolean] [default: false] |
| 57 | + --standard The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scvs-1.0.0", "ssaf-DRAFT-2023-11"] |
| 58 | + --min-confidence Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% confidence. [number] [default: 0] |
| 59 | + --technique Analysis technique to use [array] [choices: "auto", "source-code-analysis", "binary-analysis", "manifest-analysis", "hash-comparison", "instrumentation", "filename"] |
| 60 | + --auto-compositions Automatically set compositions when the BOM was filtered. Defaults to true [boolean] [default: true] |
| 61 | + -h, --help Show help [boolean] |
| 62 | + -v, --version Show version number [boolean] |
| 63 | +
|
| 64 | + Examples: |
| 65 | + cdxgen -t java . Generate a Java SBOM for the current directory |
| 66 | + cdxgen -t java -t js . Generate a SBOM for Java and JavaScript in the current directory |
| 67 | + cdxgen -t java --profile ml . Generate a Java SBOM for machine learning purposes. |
| 68 | + cdxgen -t python --profile research . Generate a Python SBOM for appsec research. |
| 69 | + cdxgen --server Run cdxgen as a server |
| 70 | +
|
| 71 | + for documentation, visit https://cyclonedx.github.io/cdxgen" |
| 72 | + ` |
| 73 | + ) |
| 74 | + expect(`\n ${stderr}`).toMatchInlineSnapshot(` |
| 75 | + " |
| 76 | + _____ _ _ /--------------- |
| 77 | + | __|___ ___| |_ ___| |_ | Socket.dev CLI ver <redacted> |
| 78 | + |__ | . | _| '_| -_| _| | Node: <redacted>, API token set: <redacted> |
| 79 | + |_____|___|___|_,_|___|_|.dev | Command: \`socket cdxgen\`, cwd: <redacted>" |
| 80 | + `) |
| 81 | + |
| 82 | + // expect(code, 'help should exit with code 2').toBe(2) |
| 83 | + expect(code, 'help should exit with code 2').toBe(0) // cdxgen special case |
| 84 | + expect(stderr, 'header should include command (without params)').toContain( |
| 85 | + '`socket cdxgen`' |
| 86 | + ) |
| 87 | + }) |
| 88 | + |
| 89 | + // cdxgen does not support --dry-run |
| 90 | + // cmdit( |
| 91 | + // ['cdxgen', '--dry-run'], |
| 92 | + // 'should require args with just dry-run', |
| 93 | + // async cmd => { |
| 94 | + // const { code, stderr, stdout } = await invokeNpm(entryPath, cmd) |
| 95 | + // expect(stdout).toMatchInlineSnapshot(`""`) |
| 96 | + // expect(`\n ${stderr}`).toMatchInlineSnapshot(` |
| 97 | + // " |
| 98 | + // _____ _ _ /--------------- |
| 99 | + // | __|___ ___| |_ ___| |_ | Socket.dev CLI ver <redacted> |
| 100 | + // |__ | . | _| '_| -_| _| | Node: <redacted>, API token set: <redacted> |
| 101 | + // |_____|___|___|_,_|___|_|.dev | Command: \`socket cdxgen\`, cwd: <redacted> |
| 102 | + // |
| 103 | + // \\x1b[31m\\xd7\\x1b[39m Unknown argument: --dry-run" |
| 104 | + // `) |
| 105 | + // |
| 106 | + // expect(code, 'dry-run should exit with code 0 if input ok').toBe(0) |
| 107 | + // } |
| 108 | + // ) |
| 109 | +}) |
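Review bot: The assertion message on new line 83 contradicts the assertion itself — it reads `'help should exit with code 2'` while the matcher is `.toBe(0)`, so a failure would print a misleading reason, and the commented-out line 82 above it is dead code that only documents the confusion. Replace both with one line that states the actual expectation: `expect(code, 'cdxgen --help should exit with code 0 (cdxgen forwards its own exit code)').toBe(0)`. The commented-out `--dry-run` case on lines 89–108 should likewise be dropped or turned into a `cmdit.skip`/`it.todo` with the reason in its title, rather than left as a comment block that nobody runs. Separately, the inline snapshot on lines 16–73 pins the entire upstream cdxgen help text, including option defaults such as `--skip-dt-tls-check [default: false]` and `--server-host [default: "127.0.0.1"]`; that is useful as a guard that those security-relevant defaults have not drifted, but it appears it will break on every cdxgen version bump, so if that churn is unwanted consider asserting on a few stable markers (`expect(stdout).toContain('cdxgen [command]')`, `expect(stdout).toContain('--skip-dt-tls-check')`) instead of the whole block.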