feat: option for shorter PURLs (#226)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

HISTORY.md

@@ -4,10 +4,14 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Added
+  * CLI got a new switch `--short-PURLs` ([#225] via [#226]) 
 * Build
   * Use _TypeScript_ `v4.8.4` now, was `v4.8.3` (via [#164])
 
 [#164]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/164
+[#225]: https://github.com/CycloneDX/cyclonedx-node-npm/issues/225
+[#226]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/226
 
 ## 1.0.0 - 2022-09-24
 

README.md

@@ -80,6 +80,9 @@ Options:
                             (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
   --flatten-components      Whether to flatten the components.
                             This means the actual nesting of node packages is not represented in the SBOM result.
+  --short-PURLs             Omit all qualifiers from PackageURLs.
+                            This causes information loss in trade of shorter PURLs, which might improve digesting these strings. 
+                            (default: false)
   --spec-version <version>  Which version of CycloneDX spec to use.
                             (choices: "1.2", "1.3", "1.4", default: "1.4")
   --output-reproducible     Whether to go the extra mile and make the output reproducible.

src/builders.ts

@@ -35,6 +35,7 @@ interface BomBuilderOptions {
   omitDependencyTypes?: Iterable<OmittableDependencyTypes>
   reproducible?: BomBuilder['reproducible']
   flattenComponents?: BomBuilder['flattenComponents']
+  shortPURLs?: BomBuilder['shortPURLs']
 }
 
 interface SpawnSyncResultError extends Error {
@@ -59,6 +60,7 @@ export class BomBuilder {
   omitDependencyTypes: Set<OmittableDependencyTypes>
   reproducible: boolean
   flattenComponents: boolean
+  shortPURLs: boolean
 
   console: Console
 
@@ -97,6 +99,7 @@ export class BomBuilder {
     this.omitDependencyTypes = new Set(options.omitDependencyTypes ?? [])
     this.reproducible = options.reproducible ?? false
     this.flattenComponents = options.flattenComponents ?? false
+    this.shortPURLs = options.shortPURLs ?? false
 
     this.console = console_
   }
@@ -429,10 +432,10 @@ export class BomBuilder {
       return undefined
     }
 
-    /* @TODO: detect non-standard registry (not "npmjs.org")
-       const qualifiers: PackageURL['qualifiers'] = purl.qualifiers ?? {}
-       qualifiers.repository_url = ...
-     */
+    if (this.shortPURLs) {
+      purl.qualifiers = undefined
+      purl.subpath = undefined
+    }
 
     return purl
   }

src/cli.ts

@@ -43,6 +43,7 @@ interface CommandOptions {
   omit: Omittable[]
   specVersion: Spec.Version
   flattenComponents: boolean
+  shortPURLs: boolean
   outputReproducible: boolean
   outputFormat: OutputFormat
   outputFile: string
@@ -87,6 +88,12 @@ function makeCommand (process: NodeJS.Process): Command {
       'Whether to flatten the components.\n' +
       'This means the actual nesting of node packages is not represented in the SBOM result.'
     ).default(false)
+  ).addOption(
+    new Option(
+      '--short-PURLs',
+      'Omit all qualifiers from PackageURLs.\n' +
+      'This causes information loss in trade of shorter PURLs, which might improve digesting these strings.'
+    ).default(false)
   ).addOption(
     new Option(
       '--spec-version <version>',
@@ -216,7 +223,8 @@ export function run (process: NodeJS.Process): void {
       packageLockOnly: options.packageLockOnly,
       omitDependencyTypes: options.omit,
       reproducible: options.outputReproducible,
-      flattenComponents: options.flattenComponents
+      flattenComponents: options.flattenComponents,
+      shortPURLs: options.shortPURLs
     },
     myConsole
   ).buildFromLockFile(lockFile, process)