diff --git a/CHANGELOG.md b/CHANGELOG.md index c1a8cb0..a744ff9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 1.4.0 + +* Add purl to SBOM output + ## 1.3.0 * Add support for color output via --color diff --git a/package-lock.json b/package-lock.json index 33a061b..ed0b268 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "retire-site-scanner", - "version": "1.3.0", + "version": "1.4.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "retire-site-scanner", - "version": "1.3.0", + "version": "1.4.0", "license": "Apache-2.0", "dependencies": { "cacheable-lookup": "^7.0.0", diff --git a/package.json b/package.json index b103f91..515d3dd 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "author": "Erlend Oftedal ", "name": "retire-site-scanner", - "version": "1.3.0", + "version": "1.4.0", "license": "Apache-2.0", "description": "A scanner for checking a web site using retire.js", "main": "dist/index.js", diff --git a/src/log.ts b/src/log.ts index 521ab30..109fc40 100644 --- a/src/log.ts +++ b/src/log.ts @@ -70,6 +70,7 @@ type CycloneDXComponent = { name: string; version: string; "bom-ref": string; + purl?: string; properties: Array<{ name: string; value: string; @@ -164,6 +165,11 @@ function formatContentTypes( .join(" "); } +function generatePURL(component: Component): string { + if (component.basePurl) return component.basePurl + "@" + component.version; + return `pkg:npm/${component.npmname ?? component.component}@${component.version}`; +} + export function convertToCycloneDX(resultToConvert: typeof collectedResults) { const components = new Map(); const vulnerabilities: Array = []; @@ -188,6 +194,7 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) { "bom-ref": randomUUID(), name: c.component, version: c.version, + purl: generatePURL(c), properties: [], }; components.set(key, comp);
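Review bot: In the @@ -164 hunk, generatePURL interpolates `component.version` and the npm name into the purl without percent-encoding, so a scoped name such as `@scope/pkg` yields `pkg:npm/@scope/pkg@1.0.0`, which the purl spec rejects (the scope must appear as `%40scope`), and a version containing `@`, `/`, `?` or `#` produces an identifier that downstream SBOM consumers will misparse. The version string originates from content detected on the scanned site, so it should be treated as untrusted before it is embedded in the SBOM; the same raw value is appended after `basePurl` in the first branch. The @@ -188 hunk consumes the result via `purl: generatePURL(c)`, so the fix here covers it as well. The function also lacks a TSDoc header; it should state that the output follows the purl spec and that the `component.component` fallback is a retire.js library name which may not correspond to an npm package (that fallback's intent is inferred from the call site and worth confirming). The rewrite below encodes each `/`-separated segment of the name separately so the namespace separator survives.
```typescript
/**
 * Build a package-url (purl) for a detected component.
 * Name and version are percent-encoded per the purl spec; the name's
 * `/` namespace separator is kept by encoding each segment on its own.
 * Falls back to the retire.js component name when no npm name is known,
 * which may not be a real npm package (confirm against callers).
 */
function generatePURL(component: Component): string {
  const version = encodeURIComponent(component.version);
  if (component.basePurl) return `${component.basePurl}@${version}`;
  const name = (component.npmname ?? component.component)
    .split("/")
    .map(encodeURIComponent)
    .join("/");
  return `pkg:npm/${name}@${version}`;
}
```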