Add license information to CycloneDX

Author: eoftedal

node/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.2.0]
+
+### Enhancement
+
+- Add license information to SBOM
+
 ## [5.1.4]
 
 ### Bugfix

node/lib/retire.js

@@ -4,7 +4,7 @@
  */
 
 var exports = exports || {};
-exports.version = '5.1.4';
+exports.version = '5.2.0';
 
 function isDefined(o) {
   return typeof o !== 'undefined';
@@ -186,3 +186,5 @@ exports.scanFileContent = function (content, repo, hasher) {
   }
   return check(result, repo);
 };
+
+exports.isAtOrAbove = isAtOrAbove;

node/package-lock.json

@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <erlend@oftedal.no>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "5.1.4",
+  "version": "5.2.0",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
@@ -32,6 +32,7 @@
     "jsonschema": "^1.4.1",
     "mocha": "^10.2.0",
     "prettier": "^3.1.0",
+    "ts-node": "^10.9.2",
     "typescript": "^5.0.4",
     "xsd-schema-validator": "^0.9.0"
   },
@@ -55,6 +56,7 @@
     "software-composition-analysis",
     "sca"
   ],
+  "type": "commonjs",
   "files": [
     "lib/**/*",
     "CHANGELOG.md"

node/package.json

@@ -1,17 +1,18 @@
 {
-	"jquery": {
-		"vulnerabilities" : [
-			{ "atOrAbove": "1.6.0-rc.1", "below" : "1.6.0-rc.1.1", "info" : [ "http://some.url" ] }, 
-			{ "below" : "1.5.0", "info" : [ "http://some.url" ] },
-			{ "atOrAbove": "1.8.0", "below" : "1.9.0", "info" : [ "http://some.url" ] } 
-		],
-		"extractors" : {
-			"uri"			: [ "/([0-9.]+([a-z\\-0-9.]+)?)/jquery(\\.min)?\\.js" ],
-			"filename"    : [ "jquery-([0-9.]+(-rc[0-9.a-zA-Z\\-]+?)?)(.min)?\\.js" ],
-			"filecontent" : [ "/*! jQuery v([0-9.]+(-rc[0-9.]+)?)" ],
-			"hashes": {
-				"abcdelfkjsalkdj":"1.9.10"
-			}
-		}
-	}
+  "jquery": {
+    "vulnerabilities": [
+      { "atOrAbove": "1.6.0-rc.1", "below": "1.6.0-rc.1.1", "info": ["http://some.url"] },
+      { "below": "1.5.0", "info": ["http://some.url"] },
+      { "atOrAbove": "1.8.0", "below": "1.9.0", "info": ["http://some.url"] }
+    ],
+    "extractors": {
+      "uri": ["/([0-9.]+([a-z\\-0-9.]+)?)/jquery(\\.min)?\\.js"],
+      "filename": ["jquery-([0-9.]+(-rc[0-9.a-zA-Z\\-]+?)?)(.min)?\\.js"],
+      "filecontent": ["/*! jQuery v([0-9.]+(-rc[0-9.]+)?)"],
+      "hashes": {
+        "abcdelfkjsalkdj": "1.9.10"
+      }
+    },
+    "licenses": ["MIT >=0"]
+  }
 }

node/spec/repository.json

@@ -36,6 +36,7 @@ describe('cyclonedx-json', () => {
     let logger = reporting.open({});
     jsonLogger.configure(logger, writer, {}, hash);
     let result1 = retire.scanFileContent('/*! jQuery v1.8.1 asdasd ', repo, hash);
+    result1[0].licenses = ['MIT'];
     logger.logVulnerableDependency({ results: result1, file: jqFile });
     logger.close();
     let validator = new Validator();
@@ -58,6 +59,7 @@ describe('cyclonedx-json', () => {
     let logger = reporting.open({});
     jsonLogger1_6.configure(logger, writer, {}, hash);
     let result1 = retire.scanFileContent('/*! jQuery v1.8.1 asdasd ', repo, hash);
+    result1[0].licenses = ['MIT'];
     logger.logVulnerableDependency({ results: result1, file: jqFile });
     logger.close();
     let validator = new Validator();
@@ -81,9 +83,11 @@ describe('cyclonedx-json', () => {
     let logger = reporting.open({});
     xmlLogger.configure(logger, writer, {}, hash);
     let result = retire.scanFileContent('/*! jQuery v1.8.1 asdasd ', repo, hash);
-    logger.logVulnerableDependency(result);
+    result[0].licenses = ['MIT'];
+    logger.logVulnerableDependency({ results: result, file: jqFile });
     logger.close();
     let xml = data.join('');
+    xml.should.contain('pkg:npm/jquery@1.8.1');
     try {
       let xsdResult = await xsdValidator.validateXML(xml, 'spec/schema/bom-1.4.xsd');
       if (!xsdResult.valid) {