Force package lock creation for stubborn projects with .npmrc (#1488)
* Force package lock creation for stubborn projects with .npmrc

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu authored Dec 12, 2024
1 parent 2c9113b commit a47c1d8
Showing 10 changed files with 348 additions and 250 deletions.
8 changes: 4 additions & 4 deletions deno.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cdxgen",
"version": "11.0.6",
"version": "11.0.7",
"exports": "./lib/cli/index.js",
"compilerOptions": {
"lib": ["deno.window"],
Expand Down Expand Up @@ -50,8 +50,8 @@
"imports": {
"@appthreat/atom": "npm:@appthreat/[email protected]",
"@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
"@babel/parser": "npm:@babel/parser@^7.26.2",
"@babel/traverse": "npm:@babel/traverse@^7.25.7",
"@babel/parser": "npm:@babel/parser@^7.26.3",
"@babel/traverse": "npm:@babel/traverse@^7.26.4",
"@npmcli/arborist": "npm:@npmcli/[email protected]",
"ajv": "npm:ajv@^8.16.0",
"ajv-formats": "npm:ajv-formats@^3.0.1",
Expand All @@ -70,7 +70,7 @@
"properties-reader": "npm:properties-reader@^2.3.0",
"semver": "npm:semver@^7.6.3",
"ssri": "npm:ssri@^12.0.0",
"table": "npm:table@^6.8.2",
"table": "npm:table@^6.9.0",
"tar": "npm:tar@^7.4.3",
"uuid": "npm:uuid@^11.0.2",
"xml-js": "npm:xml-js@^1.6.11",
4 changes: 2 additions & 2 deletions docs/ENV.md
Expand Up @@ -3,7 +3,7 @@
The following environment variables are available to configure the bom generation behavior.

| Variable | Description |
| ------------------------------- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages |
| GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
| MVN_CMD | Set to override maven command |
Expand Down Expand Up @@ -61,7 +61,7 @@ The following environment variables are available to configure the bom generatio
| DOCKER_CERT_PATH | Path to the certs directory containing cert.pem and key.pem |
| DOCKER_TLS_VERIFY | Set to empty value to disable tls for insecure registries |
| NODE_OPTIONS | If you are experiencing Out Of Memory issues, consider increase the node heap (ie: `--max-old-space-size=8192`) |
| NPM_INSTALL_ARGS | Set to pass additional arguments such as `--package-lock-only` or `--legacy-peer-deps` to the npm install command |
| NPM_INSTALL_ARGS | Set to pass additional arguments such as `--package-lock` or `--legacy-peer-deps` to the npm install command |
| NPM_INSTALL_COUNT | Limit the number of automatic npm install to this count. Default: 2. Since cdxgen 11.0.5 |
| SWIFT_COMPILER_ARGS | Full compiler arguments string to use for semantic analysis. Eg: -sdk <path> -F <path> -Xcc -I <path> |
| SWIFT_SDK_ARGS | Swift sdk arguments. Eg: -sdk <path> |
2 changes: 1 addition & 1 deletion jsr.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cdxgen",
"version": "11.0.6",
"version": "11.0.7",
"exports": "./lib/cli/index.js",
"include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
"exclude": [
28 changes: 26 additions & 2 deletions lib/cli/index.js
Expand Up @@ -2366,6 +2366,19 @@ export async function createNodejsBom(path, options) {
installArgs = installArgs.concat(addArgs);
}
const basePath = dirname(apkgJson);
// juice-shop mode
// Projects such as juice-shop prevent lockfile creations using .npmrc files
// Plus, they might require specific npm install args such as --legacy-peer-deps that could lead to strange node_modules structure
// To keep life simple, let's look for any .npmrc file that has package-lock=false to toggle before npm install
if (pkgMgr === "npm" && existsSync(join(basePath, ".npmrc"))) {
const npmrcData = readFileSync(join(basePath, ".npmrc"));
if (
npmrcData?.includes("package-lock=false") &&
!installArgs.includes("--package-lock")
) {
installArgs.push("--package-lock");
}
}
console.log(
`Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
basePath,
Expand All @@ -2384,6 +2397,16 @@ export async function createNodejsBom(path, options) {
console.log(result.stdout);
}
if (result.stderr) {
if (result.stderr.includes("--legacy-peer-deps")) {
console.log(
"Set the environment variable `NPM_INSTALL_ARGS=--legacy-peer-deps` to resolve the dependency resolution issue reported.",
);
}
if (result.stderr.includes("EBADENGINE Unsupported engine")) {
console.log(
"Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v11` container image, which bundles node.js 20.",
);
}
console.log(result.stderr);
}
options.failOnError && process.exit(1);
Expand Down Expand Up @@ -2678,9 +2701,10 @@ export async function createNodejsBom(path, options) {
// We might reach here if the project has no lock files
// Eg: juice-shop
if (!pkgList.length && existsSync(join(path, "node_modules"))) {
// Collect all package.json files from all node_modules directory
const pkgJsonFiles = getAllFiles(
join(path, "node_modules"),
"**/package.json",
path,
"**/node_modules/**/package.json",
options,
);
manifestFiles = manifestFiles.concat(pkgJsonFiles);
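Review bot: The `.npmrc` check `npmrcData?.includes("package-lock=false")` is a raw substring match, so a commented-out `# package-lock=false` still forces the flag while the equivalent `package-lock = false` (npm's ini parsing trims whitespace around `=`) is missed; reading as text and matching per line is more faithful: `const npmrcData = readFileSync(join(basePath, ".npmrc"), "utf8");` followed by `if (/^\s*package-lock\s*=\s*false\s*$/m.test(npmrcData) && !installArgs.includes("--package-lock"))`. The `?.` on the result is also redundant, since readFileSync throws rather than returning null. Worth a comment that the override deliberately writes a package-lock.json the project chose not to keep, so it should be treated as a cdxgen artefact rather than project state — whether a later step removes it from the analysed tree is not visible in this hunk. createNodejsBom starts and ends outside the hunk.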
6 changes: 3 additions & 3 deletions lib/helpers/utils.test.js
Expand Up @@ -3298,8 +3298,8 @@ test("parsePnpmLock", async () => {
expect(parsedList.dependenciesList).toHaveLength(462);
expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
parsedList = await parsePnpmLock("./pnpm-lock.yaml");
expect(parsedList.pkgList.length).toEqual(620);
expect(parsedList.dependenciesList.length).toEqual(620);
expect(parsedList.pkgList.length).toEqual(627);
expect(parsedList.dependenciesList.length).toEqual(627);
expect(parsedList.pkgList[0]).toEqual({
group: "@ampproject",
name: "remapping",
Expand All @@ -3326,7 +3326,7 @@ test("parsePnpmLock", async () => {
expect(parsedList.dependenciesList[0]).toEqual({
ref: "pkg:npm/@ampproject/[email protected]",
dependsOn: [
"pkg:npm/@jridgewell/[email protected].5",
"pkg:npm/@jridgewell/[email protected].8",
"pkg:npm/@jridgewell/[email protected]",
],
});
43 changes: 21 additions & 22 deletions lib/stages/pregen/pregen.js
Expand Up @@ -78,29 +78,28 @@ export function preparePythonEnv(_filePath, options) {
);
}
}
for (const pt of options.projectType) {
for (const pyversion of [
"python36",
"python38",
"python39",
"python310",
"python311",
"python312",
]) {
if (
options.projectType.includes(pyversion) &&
!process.env.PIP_INSTALL_ARGS
) {
const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-pip-"));
const py_version_number = pyversion.replace("python3", "3.");
process.env.PIP_INSTALL_ARGS = `--python-version ${py_version_number} --ignore-requires-python --no-warn-conflicts --only-binary=:all:`;
process.env.PIP_TARGET = tempDir;
if (DEBUG_MODE) {
console.log("PIP_INSTALL_ARGS set to", process.env.PIP_INSTALL_ARGS);
console.log("PIP_TARGET set to", process.env.PIP_TARGET);
}
break;
for (const pyversion of [
"python36",
"python38",
"python39",
"python310",
"python311",
"python312",
"python313",
]) {
if (
options.projectType.includes(pyversion) &&
!process.env.PIP_INSTALL_ARGS
) {
const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-pip-"));
const py_version_number = pyversion.replace("python3", "3.");
process.env.PIP_INSTALL_ARGS = `--python-version ${py_version_number} --ignore-requires-python --no-warn-conflicts --only-binary=:all:`;
process.env.PIP_TARGET = tempDir;
if (DEBUG_MODE) {
console.log("PIP_INSTALL_ARGS set to", process.env.PIP_INSTALL_ARGS);
console.log("PIP_TARGET set to", process.env.PIP_TARGET);
}
break;
}
}
}
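Review bot: With the outer loop gone, the first entry of the hard-coded list still wins when `options.projectType` names more than one python version — `python36` takes precedence over `python312` whatever order the user supplied — and nothing in the hunk says so; a comment such as `// First match in this ascending list wins; other python versions in projectType are ignored` above the `for` would make that explicit. The local `py_version_number` is the only snake_case name in the hunk and could be `pyVersionNumber`. The directory created by `mkdtempSync` becomes `PIP_TARGET` and its removal is not visible here, so it is presumably handled by the caller. preparePythonEnv starts outside the hunk.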
8 changes: 4 additions & 4 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cdxgen",
"version": "11.0.6",
"version": "11.0.7",
"description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
"homepage": "http://github.com/cyclonedx/cdxgen",
"author": "Prabhu Subramanian <[email protected]>",
Expand Down Expand Up @@ -70,8 +70,8 @@
"*": "biome check --fix --no-errors-on-unmatched"
},
"dependencies": {
"@babel/parser": "^7.26.2",
"@babel/traverse": "^7.25.7",
"@babel/parser": "^7.26.3",
"@babel/traverse": "^7.26.4",
"@npmcli/arborist": "8.0.0",
"ajv": "^8.17.1",
"ajv-formats": "^3.0.1",
Expand All @@ -90,7 +90,7 @@
"properties-reader": "^2.3.0",
"semver": "^7.6.3",
"ssri": "^12.0.0",
"table": "^6.8.2",
"table": "^6.9.0",
"tar": "^7.4.3",
"uuid": "^11.0.2",
"validate-iri": "^1.0.1",