Add purl to SBOM output

RetireJS · Aug 15, 2024 · 8d17f2a · 8d17f2a
1 parent 5e34e91
commit 8d17f2a
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.4.0
+
+* Add purl to SBOM output
+
 ## 1.3.0
 
 * Add support for color output via --color

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Erlend Oftedal <[email protected]>",
   "name": "retire-site-scanner",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "license": "Apache-2.0",
   "description": "A scanner for checking a web site using retire.js",
   "main": "dist/index.js",

diff --git a/src/log.ts b/src/log.ts
@@ -70,6 +70,7 @@ type CycloneDXComponent = {
   name: string;
   version: string;
   "bom-ref": string;
+  purl?: string;
   properties: Array<{
     name: string;
     value: string;
@@ -164,6 +165,11 @@ function formatContentTypes(
     .join(" ");
 }
 
+function generatePURL(component: Component): string {
+  if (component.basePurl) return component.basePurl + "@" + component.version;
+  return `pkg:npm/${component.npmname ?? component.component}@${component.version}`;
+}
+
 export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
   const components = new Map<string, CycloneDXComponent>();
   const vulnerabilities: Array<CycloneDXVulnerability> = [];
@@ -188,6 +194,7 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
         "bom-ref": randomUUID(),
         name: c.component,
         version: c.version,
+        purl: generatePURL(c),
         properties: [],
       };
       components.set(key, comp);