Fix broken SBOM output

RetireJS · Aug 20, 2024 · dd35dd9 · dd35dd9
1 parent cc17490
commit dd35dd9
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,13 @@
 # Changelog
 
-## 1.5.0
+
+## 1.6.1
+
+### Bugfix
+
+* Broken references in SBOM output
+
+## 1.6.0
 
 ### Enhancement
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Erlend Oftedal <[email protected]>",
   "name": "retire-site-scanner",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "license": "Apache-2.0",
   "description": "A scanner for checking a web site using retire.js",
   "main": "dist/index.js",

diff --git a/src/log.ts b/src/log.ts
@@ -2,6 +2,7 @@ type LogLevel = "DBG" | "INF" | "ERR" | "WRN" | "TRC";
 import crypto, { randomUUID } from "crypto";
 import { Component } from "retire/lib/types";
 import { unique } from "./utils";
+const pjson = require("../package.json");
 
 const logId = crypto.randomUUID().split("-").slice(-1)[0];
 let color = false;
@@ -83,7 +84,7 @@ type CycloneDXComponent = {
   }>;
 };
 type CycloneDXVulnerability = {
-  "bom-ref": string;
+  "bom-ref"?: string;
   id: string;
   references?: Array<{
     id: string;
@@ -98,6 +99,21 @@ type CycloneDXVulnerability = {
   advisories?: Array<{
     url: string;
   }>;
+  affects: Array<{
+    ref: string;
+    versions: Array<
+      | {
+          version: string;
+          range?: string;
+          status?: "affected" | "unaffected" | "unknown";
+        }
+      | {
+          version?: string;
+          range: string;
+          status?: "affected" | "unaffected" | "unknown";
+        }
+    >;
+  }>;
 };
 
 export type CycloneDXService = {
@@ -235,11 +251,17 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
               source: { url: `https://nvd.nist.gov/vuln/detail/${i}` },
             }));
           vulnerabilities.push({
-            "bom-ref": comp["bom-ref"],
+            "bom-ref": randomUUID(),
             advisories: v.info.map((u) => ({ url: u })),
             id: id,
             ratings: [{ severity: v.severity }],
             references: otherRefs.length > 0 ? otherRefs : undefined,
+            affects: [
+              {
+                ref: comp["bom-ref"],
+                versions: [{ version: c.version }],
+              },
+            ],
           });
         });
       }
@@ -252,7 +274,7 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
     version: 1,
     metadata: {
       timestamp: started,
-      tools: [{ name: "retire-scanner" }],
+      tools: [{ name: pjson.name, version: pjson.version }],
       component: {
         type: "application",
         name: resultToConvert.url,
@@ -278,7 +300,6 @@ function mapLicenses(licenses: string[] | undefined) {
   return [{ expression: licenses[0] }];
 }
 
-
 export const jsonLogger: Logger = {
   open: (url: string) => {
     collectedResults.url = url;