CycloneDX / gh-node-module-generatebom

GitHub action to generate a CycloneDX SBOM for Node.js
Apache License 2.0

JSON option throws warning #7

Closed jgadsden closed 1 year ago

jgadsden commented 1 year ago

The json option was removed in commit 151e37abb84ebcbcbb4d2cc780b89fa98f23b1b1 , but only from the README.md and action.yml files

This means that JSON output is still possible, for example using:

      - uses: CycloneDX/gh-node-module-generatebom@v1.0.2
        with:
          json: true

and the JSON output is obtained after displaying a warning: Warning: Unexpected input(s) 'json', valid inputs are ['path', 'output']

Could we reinstate the use of json option and get rid of the warning from action.yml? This would be my preferred outcome rather than removing json option altogether

jkowalleck commented 1 year ago

Feel free to pull-request the needed changes.


But in general, I'd suggest switching to cyclonedx-npm which has a lot more options, instead of using this rudimentary GH action.

jgadsden commented 1 year ago

Good point @jkowalleck, it was just useful to use a simple GitHub action in the release process, but I agree it can be done in other ways. I wanted to use the CycloneDX action rather than anchore/sbom-action because CycloneDX is OWASP and so is Threat Dragon.

Looking at the code, I am surprised the json option works because it is not used in index.js, but this shows my limited knowledge of how GitHub actions actually run, because it does indeed output both json and xml.

jkowalleck commented 1 year ago

Generating JSON output is controlled by putting a .json file as the output. Nothing more to it.

see the docs: https://www.npmjs.com/package/@cyclonedx/bom/v/3.10.6
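
As an added example (not from this thread and not the action's own code), a workflow fragment that drops the removed `json` input and requests JSON the way described above, by naming a `.json` file in the `output` input; the `path` value, the `bom.json` file name and the `jq` verification step are assumptions:

```yaml
# Added example, not part of the action's repository.
# 'path' and 'output' are the only inputs action.yml declares (see the warning
# quoted in the issue), so the format is selected by the output file extension.
steps:
  - uses: actions/checkout@v4

  # Before: 'json' is no longer a declared input, so this triggers
  #   Warning: Unexpected input(s) 'json', valid inputs are ['path', 'output']
  # - uses: CycloneDX/gh-node-module-generatebom@v1.0.2
  #   with:
  #     json: true

  # After: ask for a .json output file instead; no 'json' input, no warning.
  - uses: CycloneDX/gh-node-module-generatebom@v1.0.2
    with:
      path: ./            # assumed project root (the package.json directory)
      output: ./bom.json  # .json extension selects the JSON serialisation

  # Assumed sanity check: fail the job if the file is not a CycloneDX JSON BOM.
  # jq is assumed to be available on the runner.
  - name: Verify SBOM is CycloneDX JSON
    run: jq -e '.bomFormat == "CycloneDX" and (.specVersion | length > 0)' ./bom.json
```

Naming the file `bom.xml` instead produces the XML serialisation; keep the verification step in sync with whichever extension the release process expects, so a silent fallback to the other format is caught in CI rather than downstream.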

jgadsden commented 1 year ago

Thank you @jkowalleck, this explains it and I will decline my pull request.