RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Can retire generate cyclonedx SBOM for all the js scanned and not just vulnerable js #407

Closed rashmimehta300 closed 1 year ago

rashmimehta300 commented 1 year ago

Is your feature request related to a problem? Please describe. When creating a cyclonedx SBOM, retire only lists vulnerable js. If I upload this sbom to dependency track I will only be able to monitor vulnerable js.

Describe the solution you'd like Can we have a feature where retire can create an sbom for all the js scanned and not just vulnerable js?

eoftedal commented 1 year ago

It does if you add --verbose, but now that you mention it, I think it should always do that for SBOM formats. I will look into changing the default behavior for those.

eoftedal commented 1 year ago

Fixed in 4.3.1

ashutoshvimal commented 1 year ago

It does if you add --verbose, but now that you mention it, I think it should always do that for SBOM formats. I will look into changing the default behavior for those.

after this change how to get only vulnerable components?

rashmimehta300 commented 1 year ago

@ashutoshvimal The default behavior for generating an SBOM has changed, and the SBOM should contain all the components. The other use case of retire is the same, i.e. by default it will only show vulnerable components.
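As an added illustration of the question raised above (not code from retire.js), this reduces a CycloneDX 1.4+ JSON SBOM that lists every scanned library back down to the components some entry in its `vulnerabilities` array affects, using the `affects[].ref` bom-ref links the CycloneDX schema defines; the sample SBOM, library names and vulnerability ids are constructed for the example.

```javascript
// Added example: filter a full CycloneDX JSON SBOM down to vulnerable components.
// Assumes the document follows CycloneDX 1.4+ (components carry a "bom-ref",
// vulnerabilities point at them through affects[].ref).

// Constructed sample SBOM; names, versions and ids are placeholders.
const sampleSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "libA", version: "1.0.0", "bom-ref": "pkg:npm/libA@1.0.0" },
    { type: "library", name: "libB", version: "2.3.1", "bom-ref": "pkg:npm/libB@2.3.1" },
    { type: "library", name: "libC", version: "0.9.0", "bom-ref": "pkg:npm/libC@0.9.0" },
    { type: "library", name: "noRef", version: "1.1.1" }, // no bom-ref: cannot be matched
  ],
  vulnerabilities: [
    { id: "EXAMPLE-0001", affects: [{ ref: "pkg:npm/libA@1.0.0" }] },
    { id: "EXAMPLE-0002", affects: [{ ref: "pkg:npm/libC@0.9.0" }, { ref: "pkg:npm/libA@1.0.0" }] },
    { id: "EXAMPLE-0003", affects: [{ ref: "pkg:npm/not-in-bom@9.9.9" }] }, // dangling ref
  ],
};

// Return the components referenced by at least one vulnerability entry.
function vulnerableComponents(sbom) {
  const components = Array.isArray(sbom.components) ? sbom.components : [];
  const vulns = Array.isArray(sbom.vulnerabilities) ? sbom.vulnerabilities : [];
  const affected = new Set();
  for (const v of vulns) {
    for (const a of v.affects || []) {
      if (a && typeof a.ref === "string") affected.add(a.ref);
    }
  }
  // Components without a bom-ref cannot be linked to any vulnerability.
  return components.filter((c) => typeof c["bom-ref"] === "string" && affected.has(c["bom-ref"]));
}

// Build a reduced SBOM: only vulnerable components, and only the vulnerability
// entries that actually reference one of them (dangling refs are dropped).
function reduceToVulnerable(sbom) {
  const kept = vulnerableComponents(sbom);
  const keptRefs = new Set(kept.map((c) => c["bom-ref"]));
  const vulns = (sbom.vulnerabilities || []).filter((v) =>
    (v.affects || []).some((a) => a && keptRefs.has(a.ref))
  );
  return { ...sbom, components: kept, vulnerabilities: vulns };
}

console.log(vulnerableComponents(sampleSbom).map((c) => `${c.name}@${c.version}`)); // → [ 'libA@1.0.0', 'libC@0.9.0' ]
```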