fix(npm): Update npm cycloneDx to cyclonedx-npm

SAP · May 3, 2023 · f2ae6c0 · f2ae6c0
1 parent fbb27b2
commit f2ae6c0
Showing 1 changed file with 15 additions and 9 deletions.
diff --git a/pkg/npm/npm.go b/pkg/npm/npm.go
@@ -14,7 +14,9 @@ import (
 )
 
 const (
-	npmBomFilename = "bom-npm.xml"
+	npmBomFilename          = "bom-npm.xml"
+	cycloneDxPackageVersion = "@cyclonedx/[email protected]"
+	cycloneDxSchemaVersion  = "1.4"
 )
 
 // Execute struct holds utils to enable mocking and common parameters
@@ -355,22 +357,26 @@ func (exec *Execute) checkIfLockFilesExist() (bool, bool, error) {
 func (exec *Execute) CreateBOM(packageJSONFiles []string) error {
 	execRunner := exec.Utils.GetExecRunner()
 	// Install CycloneDX Node.js module locally without saving in package.json
-	err := execRunner.RunExecutable("npm", "install", "@cyclonedx/bom@^3.10.6", "--no-save")
+	err := execRunner.RunExecutable("npm", "install", "--global", cycloneDxPackageVersion, "--no-save")
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to install cycloneDx package: %w", err)
 	}
 
 	if len(packageJSONFiles) > 0 {
 		for _, packageJSONFile := range packageJSONFiles {
-			path := filepath.Dir(packageJSONFile)
+			//path := filepath.Dir(packageJSONFile)
 			params := []string{
-				"cyclonedx-bom",
-				path,
-				"--output", filepath.Join(path, npmBomFilename),
+				"--output-format",
+				"XML",
+				"--spec-version",
+				cycloneDxSchemaVersion,
+				"--no-validate",
+				"--output-file", filepath.Join(filepath.Dir(packageJSONFile), npmBomFilename),
+				packageJSONFile,
 			}
-			err := execRunner.RunExecutable("npx", params...)
+			err := execRunner.RunExecutable("cyclonedx-npm", params...)
 			if err != nil {
-				return err
+				return fmt.Errorf("failed to generate cycloneDx BOM: %w", err)
 			}
 		}
 	}