feat: add support for targetting specific workspaces

Signed-off-by: MalickBurger <[email protected]>

Author: MalickBurger

CONTRIBUTING.md

@@ -47,5 +47,5 @@ Please sign off your commits, to show that you agree to publish your changes und
 , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
 
 ```shell
-git commit --signed-off ...
+git commit --signoff ...
 ```

README.md

@@ -74,44 +74,45 @@ Usage: cyclonedx-npm [options] [--] [<package-manifest>]
 Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
 
 Arguments:
-  <package-manifest>        Path to project's manifest file.
-                            (default: "package.json" file in current working directory)
+  <package-manifest>            Path to project's manifest file.
+                                (default: "package.json" file in current working directory)
 
 Options:
-  --ignore-npm-errors       Whether to ignore errors of NPM.
-                            This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
-                            (default: false)
-  --package-lock-only       Whether to only use the lock file, ignoring "node_modules".
-                            This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
-                            (default: false)
-  --omit <type...>          Dependency types to omit from the installation tree.
-                            (can be set multiple times)
-                            (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
-  --flatten-components      Whether to flatten the components.
-                            This means the actual nesting of node packages is not represented in the SBOM result.
-                            (default: false)
-  --short-PURLs             Omit all qualifiers from PackageURLs.
-                            This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
-                            (default: false)
-  --spec-version <version>  Which version of CycloneDX spec to use.
-                            (choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4")
-  --output-reproducible     Whether to go the extra mile and make the output reproducible.
-                            This requires more resources, and might result in loss of time- and random-based-values.
-                            (env: BOM_REPRODUCIBLE)
-  --output-format <format>  Which output format to use.
-                            (choices: "JSON", "XML", default: "JSON")
-  --output-file <file>      Path to the output file.
-                            Set to "-" to write to STDOUT.
-                            (default: write to STDOUT)
-  --validate                Validate resulting BOM before outputting.
-                            Validation is skipped, if requirements not met. See the README.
-  --no-validate             Disable validation of resulting BOM.
-  --mc-type <type>          Type of the main component.
-                            (choices: "application", "firmware", "library", default: "application")
-  -v, --verbose             Increase the verbosity of messages.
-                            Use multiple times to increase the verbosity even more.
-  -V, --version             output the version number
-  -h, --help                display help for command
+  --ignore-npm-errors           Whether to ignore errors of NPM.
+                                This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
+                                (default: false)
+  --package-lock-only           Whether to only use the lock file, ignoring "node_modules".
+                                This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
+                                (default: false)
+  --omit <type...>              Dependency types to omit from the installation tree.
+                                (can be set multiple times)
+                                (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
+  --flatten-components          Whether to flatten the components.
+                                This means the actual nesting of node packages is not represented in the SBOM result.
+                                (default: false)
+  --short-PURLs                 Omit all qualifiers from PackageURLs.
+                                This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
+                                (default: false)
+  --spec-version <version>      Which version of CycloneDX spec to use.
+                                (choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.4")
+  --output-reproducible         Whether to go the extra mile and make the output reproducible.
+                                This requires more resources, and might result in loss of time- and random-based-values.
+                                (env: BOM_REPRODUCIBLE)
+  --output-format <format>      Which output format to use.
+                                (choices: "JSON", "XML", default: "JSON")
+  --output-file <file>          Path to the output file.
+                                Set to "-" to write to STDOUT.
+                                (default: write to STDOUT)
+  --validate                    Validate resulting BOM before outputting.
+                                Validation is skipped, if requirements not met. See the README.
+  --no-validate                 Disable validation of resulting BOM.
+  --mc-type <type>              Type of the main component.
+                                (choices: "application", "firmware", "library", default: "application")
+  --workspaces <workspace...>   Whether to only include dependencies for specific workspaces. (can be set multiple times) (default: empty)
+  -v, --verbose                 Increase the verbosity of messages.
+                                Use multiple times to increase the verbosity even more.
+  -V, --version                 output the version number
+  -h, --help                    display help for command
 ```
 
 ## Demo

src/builders.ts

@@ -38,6 +38,7 @@ interface BomBuilderOptions {
   reproducible?: BomBuilder['reproducible']
   flattenComponents?: BomBuilder['flattenComponents']
   shortPURLs?: BomBuilder['shortPURLs']
+  workspaces?: BomBuilder['workspaces']
 }
 
 type cPath = string
@@ -57,6 +58,7 @@ export class BomBuilder {
   reproducible: boolean
   flattenComponents: boolean
   shortPURLs: boolean
+  workspaces: string[]
 
   console: Console
 
@@ -80,6 +82,7 @@ export class BomBuilder {
     this.reproducible = options.reproducible ?? false
     this.flattenComponents = options.flattenComponents ?? false
     this.shortPURLs = options.shortPURLs ?? false
+    this.workspaces = options.workspaces ?? []
 
     this.console = console_
   }
@@ -166,6 +169,10 @@ export class BomBuilder {
       }
     }
 
+    for (const workspace of this.workspaces) {
+      args.push(`--workspace=${workspace}`)
+    }
+
     this.console.info('INFO  | gathering dependency tree ...')
     this.console.debug('DEBUG | npm-ls: run npm with %j in %j', args, projectDir)
     let npmLsReturns: Buffer

src/cli.ts

@@ -51,6 +51,7 @@ interface CommandOptions {
   outputFile: string
   validate: boolean | undefined
   mcType: Enums.ComponentType
+  workspace: string[] | undefined
   verbose: number
 }
 
@@ -166,6 +167,12 @@ function makeCommand (process: NodeJS.Process): Command {
     ).default(
       Enums.ComponentType.Application
     )
+  ).addOption(
+    new Option(
+      '--workspaces <workspace...>',
+      'Whether to only include dependencies for specific workspaces. ' +
+      '(can be set multiple times)'
+    ).default([], 'empty')
   ).addOption(
     new Option(
       '-v, --verbose',
@@ -249,7 +256,8 @@ export async function run (process: NodeJS.Process): Promise<number> {
       omitDependencyTypes: options.omit,
       reproducible: options.outputReproducible,
       flattenComponents: options.flattenComponents,
-      shortPURLs: options.shortPURLs
+      shortPURLs: options.shortPURLs,
+      workspaces: options.workspace
     },
     myConsole
   ).buildFromProjectDir(projectDir, process)