gh-node-module-generatebom icon indicating copy to clipboard operation
gh-node-module-generatebom copied to clipboard

Published 20 hours ago verified publisher icon CycloneDX

[IDEA] make universal

Open jkowalleck opened this issue 2 years ago • 2 comments
trafficstars

current implementation utilizes https://github.com/CycloneDX/cyclonedx-node-module/ in version @<4 v3 is deprecated. v4 became a meta package, utilizing special implmentations for npm, pnpm, yarn, ...

GOAL: rework this GH action:

  • input (intended to be as much backward compatible as possible, to not break users of @master version to much)
    • path to the project dir - default to ./
    • cyclonedx-version: {1.4, 1.3, ...} - default to latest`
    • output: output file - default to ./bom.xml
    • package-manager: {npm, pnpm, yarn, yarn2}
  • it is expected that the env anlready has a node env setup and the packagemanager is installed.
  • auto-detection: based on lock file type
    • it could detect existence of {npm,pnpm,yarn}-lockfile
  • process:
    • if the tools are not yet available in the current target env, then the needed appropriate tools are installed with the according eco system (npx i/pnpm add,yarn add) in a temp dir
    • the appropriate application is run from that temp dir
    • if there is no appropriate application (yet) the GH action exists with an error, prints a info message.

internally

  • [ ] utilize https://github.com/CycloneDX/cyclonedx-node-npm
  • [ ] utilize https://github.com/CycloneDX/cyclonedx-node-pnpm
  • [ ] utilize https://github.com/CycloneDX/cyclonedx-node-yarn

change process:

  • [x] write the docs with: use @v1 - instead of @master
  • [ ] current master becomes available as git branch 1.x
  • [ ] next version is properly tagged as v2 and so on ...
  • :warning: since there might be uses that run directly on @master - the master branch must be working all the time - do development in a dedicated temp branch !

jkowalleck avatar Feb 06 '23 03:02 jkowalleck

https://github.com/CycloneDX/cyclonedx-node-npm is working, but neither https://github.com/CycloneDX/cyclonedx-node-pnpm nor https://github.com/CycloneDX/cyclonedx-node-yarn is.

This feature development is postponed, until at least two NPM based implementations are working.

jkowalleck avatar Feb 16 '23 14:02 jkowalleck

update: https://github.com/CycloneDX/cyclonedx-node-yarn is working as expected

jkowalleck avatar Jul 08 '24 17:07 jkowalleck