fix(npm): Update npm cyclonedx/bom to cyclonedx-npm (#4342)

* fix(npm): Update npm cycloneDx to cyclonedx-npm * Remove --no-validate and fix ut * remove global * Change to npm * Apply suggestions from code review --------- Co-authored-by: Christopher Fenner <[email protected]>
SAP · May 11, 2023 · f476e8d · f476e8d
1 parent 019ef17
commit f476e8d
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 13 deletions.
diff --git a/pkg/npm/npm.go b/pkg/npm/npm.go
@@ -14,7 +14,9 @@ import (
 )
 
 const (
-	npmBomFilename = "bom-npm.xml"
+	npmBomFilename          = "bom-npm.xml"
+	cycloneDxPackageVersion = "@cyclonedx/[email protected]"
+	cycloneDxSchemaVersion  = "1.4"
 )
 
 // Execute struct holds utils to enable mocking and common parameters
@@ -354,23 +356,28 @@ func (exec *Execute) checkIfLockFilesExist() (bool, bool, error) {
 // CreateBOM generates BOM file using CycloneDX from all package.json files
 func (exec *Execute) CreateBOM(packageJSONFiles []string) error {
 	execRunner := exec.Utils.GetExecRunner()
-	// Install CycloneDX Node.js module locally without saving in package.json
-	err := execRunner.RunExecutable("npm", "install", "@cyclonedx/bom@^3.10.6", "--no-save")
+	// Install CycloneDX Node.js module via npx without saving in package.json / polluting globals
+	// See https://github.com/CycloneDX/cyclonedx-node-npm#installation
+	err := execRunner.RunExecutable("npx", "--package", cycloneDxPackageVersion, "--call", "exit")
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to install CycloneDX package: %w", err)
 	}
 
 	if len(packageJSONFiles) > 0 {
 		for _, packageJSONFile := range packageJSONFiles {
 			path := filepath.Dir(packageJSONFile)
 			params := []string{
-				"cyclonedx-bom",
-				path,
-				"--output", filepath.Join(path, npmBomFilename),
+				cycloneDxPackageVersion,
+				"--output-format",
+				"XML",
+				"--spec-version",
+				cycloneDxSchemaVersion,
+				"--output-file", filepath.Join(path, npmBomFilename),
+				packageJSONFile,
 			}
 			err := execRunner.RunExecutable("npx", params...)
 			if err != nil {
-				return err
+				return fmt.Errorf("failed to generate CycloneDX BOM: %w", err)
 			}
 		}
 	}

diff --git a/pkg/npm/npm_test.go b/pkg/npm/npm_test.go
@@ -360,12 +360,19 @@ func TestNpm(t *testing.T) {
 
 		if assert.NoError(t, err) {
 			if assert.Equal(t, 3, len(utils.execRunner.Calls)) {
-				assert.Equal(t, mock.ExecCall{Exec: "npm", Params: []string{"install", "@cyclonedx/bom@^3.10.6", "--no-save"}}, utils.execRunner.Calls[0])
-				assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"cyclonedx-bom", ".",
-					"--output", "bom-npm.xml"}}, utils.execRunner.Calls[1])
-				assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"cyclonedx-bom", "src",
-					"--output", filepath.Join("src", "bom-npm.xml")}}, utils.execRunner.Calls[2])
+				assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"--package", "@cyclonedx/[email protected]", "--call", "exit"}}, utils.execRunner.Calls[0])
+				assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"@cyclonedx/[email protected]", "--output-format",
+					"XML",
+					"--spec-version",
+					"1.4",
+					"--output-file", "bom-npm.xml", "package.json"}}, utils.execRunner.Calls[1])
+				assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"@cyclonedx/[email protected]", "--output-format",
+					"XML",
+					"--spec-version",
+					"1.4",
+					"--output-file", filepath.Join("src", "bom-npm.xml"), filepath.Join("src", "package.json")}}, utils.execRunner.Calls[2])
 			}
+
 		}
 	})
 }