fix: CycloneDX Inhouse Implementation (#160)

💥

package.json

@@ -46,6 +46,7 @@
     "@types/mock-fs": "^4.10.0",
     "@types/rimraf": "^2.0.3",
     "@types/sinon": "^7.5.1",
+    "@types/ssri": "^6.0.1",
     "chai": "4.2.0",
     "chai-as-promised": "7.1.1",
     "mocha": "6.2.2",
@@ -57,12 +58,12 @@
     "typescript": "^3.7.3"
   },
   "dependencies": {
-    "@cyclonedx/bom": "~1.0.4",
     "@types/figlet": "^1.2.0",
     "@types/js-yaml": "^3.12.1",
     "@types/node": "^12.12.17",
     "@types/node-fetch": "^2.5.4",
     "@types/node-persist": "^3.0.0",
+    "@types/uuid": "^3.4.7",
     "@types/yargs": "^13.0.3",
     "@types/yarnpkg__lockfile": "^1.1.3",
     "@yarnpkg/lockfile": "^1.1.0",
@@ -73,9 +74,16 @@
     "node-fetch": "^2.6.0",
     "node-persist": "^3.0.5",
     "ora": "^4.0.3",
+    "packageurl-js": "^0.0.1",
+    "parse-packagejson-name": "^1.0.1",
+    "prettify-xml": "^1.2.0",
     "read-installed": "~4.0.3",
+    "spdx-license-ids": "^3.0.5",
+    "ssri": "^6.0.0",
+    "uuid": "^3.3.2",
     "winston": "^3.2.1",
     "xmlbuilder": "^13.0.2",
+    "xmldom": "^0.2.1",
     "yargs": "^15.0.2"
   }
 }

src/CycloneDX/CycloneDXSbomCreator.spec.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2019-present Sonatype, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { CycloneDXSbomCreator } from './CycloneDXSbomCreator';
+import expect from '../Tests/TestHelper';
+
+// Test object with circular dependency, scoped dependency, dependency with dependency
+const object = {
+  'name': 'testproject',
+  'version': '1.0.0',
+  'description': 'Test Description',
+  'dependencies': {
+    'testdependency': {
+      'name': 'testdependency',
+      'version': '1.0.1',
+      'dependencies': {
+        'testdependency': {
+          'name': 'testdependency',
+          'version': '1.0.1',
+        }
+      }
+    },
+    'testdependency2': {
+      'name': 'testdependency2',
+      'version': '1.0.2',
+      'dependencies': {
+        'testdependency': {
+          'name': 'testdependency',
+          'version': '1.0.0',
+        }
+      }
+    },
+    '@scope/testdependency3': {
+      'name': '@scope/testdependency3',
+      'version': '1.0.2'
+    }
+  }
+}
+
+const expectedResponse = `<?xml version="1.0" encoding="utf-8"?><bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1"><components><component type="library" bom-ref="pkg:npm/[email protected]"><name>testdependency</name><version>1.0.1</version><description/><purl>pkg:npm/[email protected]</purl></component><component type="library" bom-ref="pkg:npm/[email protected]"><name>testdependency2</name><version>1.0.2</version><description/><purl>pkg:npm/[email protected]</purl></component><component type="library" bom-ref="pkg:npm/[email protected]"><name>testdependency</name><version>1.0.0</version><description/><purl>pkg:npm/[email protected]</purl></component><component type="library" bom-ref="pkg:npm/%40scope/[email protected]"><group>@scope</group><name>testdependency3</name><version>1.0.2</version><description/><purl>pkg:npm/%40scope/[email protected]</purl></component></components></bom>`;
+
+describe("CycloneDXSbomCreator", async () => {
+  it("should create an sbom string given a minimal valid object", async () => {
+    let sbomCreator = new CycloneDXSbomCreator(process.cwd());
+
+    let string = await sbomCreator.createBom(object);
+
+    expect(string).to.eq(expectedResponse);
+  });
+});