add-vulnerabilities-to-bom

0.0.3 • Public • Published

Add vulnerabilities to BOM

Adds known vulnerabilities to BOM

This is still beta software, do NOT rely on it for critical security.

Install

Install globally if you want to use the CLI.

yarn global add add-vulnerabilities-to-bom
# or
npm i -g add-vulnerabilities-to-bom

Install locally if you want to use it as a library.

yarn add add-vulnerabilities-to-bom
# or
npm i --save add-vulnerabilities-to-bom

Usage

Expects a CycloneDX JSON BOM, e.g. one generated by @cyclonedx/bom:

$ cyclonedx-bom -o bom.json --include-dev

--include-dev also lists devDependencies, so vulnerabilities in build-only tooling are reported as well; drop the flag if you only want the production dependency tree.

CLI

$ add-vulnerabilities-to-bom --help
Options:
      --version  Show version number                                   [boolean]
  -f, --file     path to bom.json                 [string] [default: "bom.json"]
      --help     Show help                                             [boolean]

$ add-vulnerabilities-to-bom -f my-bom.json > bom-with-vulns.json

As a library

import { addVulnerabilitiesToBom, BomFile } from 'add-vulnerabilities-to-bom'

const bom: BomFile = require('./bom.json')

addVulnerabilitiesToBom(bom)
  .then(console.log)
  .catch(console.error)
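The library resolves with the BOM plus its vulnerability data, and the natural next step in CI is to fail the build when anything serious comes back. The TypeScript below is an added example, not code from this package: it assumes the returned document uses the CycloneDX 1.4+ layout, a top-level `vulnerabilities` array whose entries carry `ratings[].severity` and `affects[].ref` pointing at a component's `bom-ref` (or, failing that, its `purl`). The `sampleBom`, the `EXAMPLE-*` identifiers and the `worstSeverity`/`findings`/`gate` helpers are all constructed here; confirm the actual output of this package matches that layout before wiring the gate into a pipeline.

```typescript
// Added example (not part of add-vulnerabilities-to-bom): a CI gate over a
// CycloneDX BOM that carries a top-level `vulnerabilities` array.
// Assumption: the BOM returned by addVulnerabilitiesToBom follows the
// CycloneDX 1.4+ layout modelled by the types below.

type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info' | 'none' | 'unknown'

interface Component {
  'bom-ref'?: string
  name: string
  version: string
  purl?: string
}

interface Rating {
  severity?: Severity
  score?: number
}

interface Vulnerability {
  id: string
  ratings?: Rating[]
  affects?: { ref: string }[]
}

interface Bom {
  bomFormat: 'CycloneDX'
  specVersion: string
  components?: Component[]
  vulnerabilities?: Vulnerability[]
}

// Ordering used by the gate. 'unknown' deliberately ranks with 'high' so a
// finding without any rating cannot slip through a high threshold unreviewed.
const SEVERITY_RANK: Record<Severity, number> = {
  critical: 5, high: 4, unknown: 4, medium: 3, low: 2, info: 1, none: 0,
}

/** Highest severity among a vulnerability's ratings; 'unknown' when it has none. */
export function worstSeverity(v: Vulnerability): Severity {
  let worst: Severity = 'unknown'
  let worstRank = -1
  for (const r of v.ratings ?? []) {
    const sev: Severity = r.severity ?? 'unknown'
    if (SEVERITY_RANK[sev] > worstRank) {
      worst = sev
      worstRank = SEVERITY_RANK[sev]
    }
  }
  return worst
}

export interface Finding {
  id: string
  severity: Severity
  components: string[] // "name@version" of each affected component
}

/** Resolve each vulnerability's affected bom-refs back to name@version. */
export function findings(bom: Bom): Finding[] {
  const byRef: Record<string, Component> = {}
  for (const c of bom.components ?? []) {
    const ref = c['bom-ref'] ?? c.purl // fall back to the purl when no bom-ref is set
    if (ref) byRef[ref] = c
  }
  return (bom.vulnerabilities ?? []).map(v => ({
    id: v.id,
    severity: worstSeverity(v),
    components: (v.affects ?? []).map(a => {
      const c = byRef[a.ref]
      return c ? `${c.name}@${c.version}` : a.ref // keep the raw ref if it does not resolve
    }),
  }))
}

/** Findings at or above the threshold; an empty list means the gate passes. */
export function gate(bom: Bom, threshold: Severity = 'high'): Finding[] {
  return findings(bom).filter(f => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold])
}

// Constructed sample BOM (not real scan output) to exercise the gate.
export const sampleBom: Bom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  components: [
    { 'bom-ref': 'pkg:npm/example-left@1.0.0', name: 'example-left', version: '1.0.0', purl: 'pkg:npm/example-left@1.0.0' },
    { 'bom-ref': 'pkg:npm/example-right@2.3.1', name: 'example-right', version: '2.3.1', purl: 'pkg:npm/example-right@2.3.1' },
  ],
  vulnerabilities: [
    { id: 'EXAMPLE-0001', ratings: [{ severity: 'low' }, { severity: 'critical' }], affects: [{ ref: 'pkg:npm/example-left@1.0.0' }] },
    { id: 'EXAMPLE-0002', ratings: [{ severity: 'medium' }], affects: [{ ref: 'pkg:npm/example-right@2.3.1' }] },
    { id: 'EXAMPLE-0003', affects: [{ ref: 'pkg:npm/missing@0.0.1' }] }, // no ratings, unresolved ref
  ],
}

const blocking = gate(sampleBom, 'high')
for (const f of blocking) {
  console.log(`${f.severity.toUpperCase()} ${f.id} affects ${f.components.join(', ')}`)
}
```

To run this against real output, replace `sampleBom` with the parsed `bom-with-vulns.json` (or the value resolved by `addVulnerabilitiesToBom`) and set `process.exitCode = 1` when `gate` returns a non-empty list. Unrated findings are ranked alongside 'high' on purpose: a vulnerability the source could not score is a review item, not a pass.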

Developing

  1. Clone the repo
  2. Run yarn install
  3. Run yarn test-watch to run the tests while developing
  4. Run git add . && git commit -m some-message to commit changes
  5. Run yarn release to create a new version using standard-version

Lint checks and tests run automatically on commit, and the pipeline builds the package on push.

License

add-vulnerabilities-to-bom is licensed under the terms of the MIT license.

    Collaborators

    • kabo