Disable formulation collection by default (#1250)

Disable formulation collection by default. Do not capture origin and CI variables

Signed-off-by: Prabhu Subramanian <[email protected]>

bin/cdxgen.js

@@ -246,9 +246,9 @@ const args = yargs(hideBin(process.argv))
   })
   .option("include-formulation", {
     type: "boolean",
-    default: true,
+    default: false,
     description:
-      "Generate formulation section with git metadata and build tools. Defaults to true. Invoke with --no-include-formulation to disable.",
+      "Generate formulation section with git metadata and build tools. Defaults to false.",
   })
   .option("include-crypto", {
     type: "boolean",
@@ -352,17 +352,17 @@ const options = Object.assign({}, args, {
 
 if (process.argv[1].includes("cbom")) {
   options.includeCrypto = true;
-  options.includeFormulation = true;
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
 }
 if (options.standard) {
   options.specVersion = 1.6;
-  options.includeFormulation = true;
 }
-if (options.deep && options.specVersion >= 1.5) {
-  options.includeFormulation = true;
+if (options.includeFormulation) {
+  console.log(
+    "NOTE: Formulation section could include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution.\n",
+  );
 }
 /**
  * Method to apply advanced options such as profile and lifecycles
@@ -373,12 +373,10 @@ const applyAdvancedOptions = (options) => {
   switch (options.profile) {
     case "appsec":
       options.deep = true;
-      options.includeFormulation = true;
       break;
     case "research":
       options.deep = true;
       options.evidence = true;
-      options.includeFormulation = true;
       options.includeCrypto = true;
       process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE = "true";
       process.env.ASTGEN_IGNORE_DIRS = "";

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.8.4",
+  "version": "10.8.5",
   "exports": "./index.js",
   "compilerOptions": {
     "allowJs": true,

index.js

@@ -431,7 +431,7 @@ const addFormulationSection = (options, context) => {
     });
   }
   // Collect git related components
-  if (gitBranch && originUrl && gitFiles) {
+  if (gitBranch && gitFiles) {
     const gitFileComponents = gitFiles.map((f) =>
       options.specVersion >= 1.6
         ? {
@@ -469,14 +469,13 @@ const addFormulationSection = (options, context) => {
     }
   }
   aformulation["bom-ref"] = uuidv4();
-  aformulation.components = components;
+  aformulation.components = trimComponents(components);
   let environmentVars = gitBranch?.length
     ? [{ name: "GIT_BRANCH", value: gitBranch }]
     : [];
   for (const aevar of Object.keys(process.env)) {
     if (
       (aevar.startsWith("GIT") ||
-        aevar.startsWith("CI_") ||
         aevar.startsWith("ANDROID") ||
         aevar.startsWith("DENO") ||
         aevar.startsWith("DOTNET") ||
@@ -489,6 +488,8 @@ const addFormulationSection = (options, context) => {
       !aevar.toLowerCase().includes("token") &&
       !aevar.toLowerCase().includes("pass") &&
       !aevar.toLowerCase().includes("secret") &&
+      !aevar.toLowerCase().includes("user") &&
+      !aevar.toLowerCase().includes("email") &&
       process.env[aevar] &&
       process.env[aevar].length
     ) {
@@ -504,9 +505,6 @@ const addFormulationSection = (options, context) => {
   let sourceInput = undefined;
   if (environmentVars) {
     sourceInput = { environmentVars };
-    if (originUrl) {
-      sourceInput.source = { ref: originUrl };
-    }
   }
   const sourceWorkflow = {
     "bom-ref": uuidv4(),

jsr.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.8.4",
+  "version": "10.8.5",
   "exports": "./index.js",
   "include": ["*.js", "bin/**", "data/**", "types/**"],
   "exclude": ["test/", "docs/", "contrib/", "ci/", "tools_config/"]

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.8.4",
+  "version": "10.8.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",