Bump version to 3.0.0 (#14)

* Merged in PIPES-11_FixGitHubActions (pull request #19)

PIPES-11: fix docker build action

* PIPES-11: fix docker build action

* Merged in feb_2024_updates (pull request #20)

Feb 2024 updates

* Feb 2024 updates

* Feb 2024 updates

* Feb 2024 updates

* merge with github

* Merged in optimizeDockerImage (pull request #22)

OptimizeDockerImage

* optimize Dockerfile

* optimize Dockerfile & pipeline

* Merged in May2024_Updates (pull request #23)

June 2024 Updates

* fix code coverage

* fix code coverage

* update version in README.md

* Merged in dec_2024_updates (pull request #24)

Update @cyclonedx/cyclonedx-npm to 1.19.3

* Update @cyclonedx/cyclonedx-npm to 1.19.3

* Update sbom gen pipeline

* v1.6.0 release

* Merged in addSonarIntegration (pull request #25)

add support for sonarcloud

* add support for sonarcloud

* add support for sonarcloud

* Merged in addBadges (pull request #26)

add badges to README

* add badges to README

* Merged in Jan2024Updates (pull request #27)

January 2024 Updates

* January 2024 Updates

* Merged in rel-v2.0.0 (pull request #28)

Bump version to 2.0.0

* Bump version to 2.0.0

* Merged in useOSSFNaming (pull request #29)

Standardize SBOM naming per OSSF guidelines

* Standardize SBOM naming per OSSF guidelines

* Standardize SBOM naming per OSSF guidelines

* bump version to 3.0.0

---------

Co-authored-by: Cosimo Commisso <[email protected]>
Co-authored-by: Cosimo Commisso <[email protected]>

Author: 3 people

Dockerfile

@@ -5,7 +5,7 @@ ARG ARCH
 # hadolint ignore=DL3018
 RUN apk update \
     && apk upgrade \
-    && apk --no-cache add bash
+    && apk --no-cache add bash jq
 
 SHELL ["/bin/bash", "-c"]
 

Makefile

@@ -9,14 +9,14 @@ test:
 	$(DOCKER) run --rm -it \
 		-v $(PWD):/build \
 		--workdir /build \
-		bats/bats:1.9.0 test/**.bats --timing --show-output-of-passing-tests --verbose-run
+		bats/bats:1.11.0 test/**.bats --timing --show-output-of-passing-tests --verbose-run
 
 .PHONY: shellcheck
 shellcheck:
 	$(DOCKER) run --rm -it \
 		-v $(PWD):/build \
 		--workdir /build \
-		koalaman/shellcheck-alpine:v0.9.0 shellcheck -x ./*.sh ./**/*.bats
+		koalaman/shellcheck-alpine:v0.10.0 shellcheck -x ./*.sh ./**/*.bats
 
 .PHONY: clean
 clean:

README.md

@@ -6,7 +6,6 @@
 [![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=ccideas1_cyclonedx-npm-pipe&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)
 [![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=ccideas1_cyclonedx-npm-pipe&metric=duplicated_lines_density)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)
 
-
 ![Build Badge](https://img.shields.io/bitbucket/pipelines/ccideas1/cyclonedx-npm-pipe/main)
 ![GitHub release (latest by date)](https://img.shields.io/github/v/release/shiftleftcyber/cyclonedx-npm-pipe)
 
@@ -47,8 +46,7 @@ pipelines:
         caches:
           - node
         script:
-
-          - pipe: docker://ccideas/cyclonedx-npm-pipe:2.0.0
+          - pipe: docker://ccideas/cyclonedx-npm-pipe:3.0.0
             variables:
               IGNORE_NPM_ERRORS: 'true' # optional
               NPM_SHORT_PURLS: 'true' # optional
@@ -73,7 +71,7 @@ pipelines:
 | NPM_OMIT                  | Used to omit specific dependency types                              | dev, optional, peer             | none          |
 | NPM_OUTPUT_FORMAT         | Used to specify output format of the sBOM                           | json, xml                       | json          |
 | NPM_PACKAGE_LOCK_ONLY     | Used to use only the package-lock.json file to find dependencies    | true, false                     | false         |
-| OUTPUT_DIRECTORY          | Used to specify the directory to place all output in                | directory name                  | sbom_output   |
+| OUTPUT_DIRECTORY          | Used to specify the directory to place all output im                | directory name                  | sbom_output   |
 
 ## Details
 

gen_sbom_functions.sh

@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
+
+# shellcheck disable=SC2002
+# SC2002 (style): the cat command is used inside of jq
+
 set -e
 
 # Statics
@@ -25,13 +29,14 @@ check_output_directory() {
 
 set_sbom_filename() {
   check_output_directory
+  get_package_version
 
   if [ -n "${SBOM_FILENAME}" ]; then
     OUTPUT_FILENAME="${OUTPUT_DIR}/${SBOM_FILENAME}"
   elif [ -n "${BITBUCKET_REPO_SLUG}" ]; then
-    OUTPUT_FILENAME="${OUTPUT_DIR}/${BITBUCKET_REPO_SLUG}"
+    OUTPUT_FILENAME="${OUTPUT_DIR}/${BITBUCKET_REPO_SLUG}-${PACKAGE_VERSION}.cdx"
   else
-    OUTPUT_FILENAME="${OUTPUT_DIR}/sbom"
+    OUTPUT_FILENAME="${OUTPUT_DIR}/sbom-${PACKAGE_VERSION}.cdx"
   fi
 
   # set the file extension
@@ -45,6 +50,19 @@ set_sbom_filename() {
   SWITCHES+=("--output-file" "${OUTPUT_FILENAME}")
 }
 
+get_package_version() {
+  get_version
+  echo "package verison is is set to: ${PACKAGE_VERSION}"
+  if [ "${PACKAGE_VERSION}" == "null" ]; then
+    echo "WARNING: version field is not set in package.json"
+    PACKAGE_VERSION=0.0.0
+  fi
+}
+
+get_version() (
+  PACKAGE_VERSION=$(cat package.json | jq --raw-output .version)
+)
+
 help() {
   echo "Generates a CycloneDX sBOM file for the given project"
 }

pipe.yml

@@ -1,5 +1,5 @@
 name: CycloneDX node/npm sBOM Generator
-image: shiftleftcyber/cyclonedx-npm-pipe:2.0.0
+image: shiftleftcyber/cyclonedx-npm-pipe:3.0.0
 category: Security
 description: Generates a CycloneDX compliant Software Bill of Materials for a node/npm project
 repository: https://bitbucket.org/ccideas1/cyclonedx-npm-pipe/src/main/

sample.json

@@ -1,6 +1,11 @@
 {
-    "dependencies": {
-      "axios": "^1.6.5"
-    }
+  "name": "ShiftSBOMGen-Node",
+  "version": "0.0.1",
+  "description": "Sample Project",
+  "license": "MIT",
+  "author": "ShiftLeftCyber",
+
+  "dependencies": {
+    "axios": "^1.6.5"
   }
-  
+}

sonar-project.properties

@@ -1,5 +1,5 @@
 sonar.host.url=https://sonarcloud.io
 sonar.orginization=ccideas
 sonar.projectKey=ccideas1_cyclonedx-npm-pipe
-sonar.projectVersion=v2.0.0
+sonar.projectVersion=v3.0.0
 sonar.sources=.

test/gen_sbom.bats

@@ -22,6 +22,10 @@ generate_cyclonedx_sbom_for_npm_project() {
   echo "mock of generate_cyclonedx_sbom_for_npm_project()"
 }
 
+get_version() {
+  export PACKAGE_VERSION=0.0.0
+}
+
 #--------------------------------------------------------------------------------
 #---------------------------------------Tests------------------------------------
 #--------------------------------------------------------------------------------
@@ -80,7 +84,7 @@ generate_cyclonedx_sbom_for_npm_project() {
   unset OUTPUT_DIRECTORY
   run set_sbom_filename
 
-  [ "${lines[2]}" = "sBOM will be written to sbom_output/sbom.json" ]
+  [ "${lines[3]}" = "sBOM will be written to sbom_output/sbom-0.0.0.cdx.json" ]
   [ "$status" -eq 0 ]
 }
 
@@ -91,7 +95,7 @@ generate_cyclonedx_sbom_for_npm_project() {
 
   run set_sbom_filename
 
-  [ "${lines[2]}" = "sBOM will be written to sbom_output/${BITBUCKET_REPO_SLUG}.json" ]
+  [ "${lines[3]}" = "sBOM will be written to sbom_output/${BITBUCKET_REPO_SLUG}-0.0.0.cdx.json" ]
   [ "$status" -eq 0 ]
 }
 
@@ -102,7 +106,7 @@ generate_cyclonedx_sbom_for_npm_project() {
 
   run set_sbom_filename
 
-  [ "${lines[2]}" = "sBOM will be written to sbom_output/${SBOM_FILENAME}.json" ]
+  [ "${lines[3]}" = "sBOM will be written to sbom_output/${SBOM_FILENAME}.json" ]
   [ "$status" -eq 0 ]
 }
 
@@ -112,7 +116,7 @@ generate_cyclonedx_sbom_for_npm_project() {
 
   run set_sbom_filename
 
-  [ "${lines[2]}" = "sBOM will be written to sbom_output/${BITBUCKET_REPO_SLUG}.xml" ]
+  [ "${lines[3]}" = "sBOM will be written to sbom_output/${BITBUCKET_REPO_SLUG}-0.0.0.cdx.xml" ]
   [ "$status" -eq 0 ]
 }
 
@@ -123,7 +127,7 @@ generate_cyclonedx_sbom_for_npm_project() {
 
   run set_sbom_filename
 
-  [ "${lines[2]}" = "sBOM will be written to build/${BITBUCKET_REPO_SLUG}.xml" ]
+  [ "${lines[3]}" = "sBOM will be written to build/${BITBUCKET_REPO_SLUG}-0.0.0.cdx.xml" ]
   [ "$status" -eq 0 ]
 }