diff --git a/docs/ENV.md b/docs/ENV.md index f0b2044690..1e1d29f91d 100644 --- a/docs/ENV.md +++ b/docs/ENV.md @@ -6,6 +6,7 @@ The following environment variables are available to configure the bom generatio | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages | | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information | +| MULTI_BOM_COMPONENT_REF | When building a multi-language BOM, choose how the references between the components is handled. This can be useful if other tooling used to eg visualize the dependency-tree only uses 'dependsOn' (as the name dependency-tree more or less implies). Possible values: `dependsOn`, `provides`. Default: `provides`. | | MVN_CMD | Set to override maven command | | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven | | MAVEN_HOME | Specify maven home | 
@@ -28,6 +29,7 @@ The following environment variables are available to configure the bom generatio | GRADLE_RESOLVE_FROM_NODE | If some of your gradle modules are included from node (eg when using expo or react-native), set this to true to use the npm-packages as your dependencies. The big advantage of this, is that the generated purls will be of actually known components (eg in OSS Index) instead of generic names for the packages. | | GRADLE_SKIP_MODULE_DEPENDENCIES | Comma-separated list of modules to skip during the "dependencies" task. This can be useful if you have modules that would fail the gradle build, eg when they do not have dependencies in the given configuration. Use "root" if the top most module should be skipped, use their gradle-name (so WITH leading ":") for all others. | | GRADLE_SKIP_MODULES | Comma-separated list of modules to skip for both "properties" and "dependencies" task. Use the gradle-name (so WITH leading ":"). NOTICE: when using this, neither the configured ID (group, name & version) nor the dependencies of these modules will be available! | +| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. | | SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving | | FETCH_LICENSE | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang | | SEARCH_MAVEN_ORG | If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search. (defaults to `true`) | 
@@ -82,8 +84,6 @@ The following environment variables are available to configure the bom generatio | PIP_TARGET | Specifies the target directory for pip installations, often used when dependencies are installed into temporary or isolated directories. | | NODE_NO_READLINE | Set to `1` to disable canonical terminal settings and enable custom readline behavior for Node.js REPL or command-line tools. | | CDXGEN_REPL_HISTORY | Specifies the path to save REPL command history. If not set and the default directory does not exist, REPL history will not be saved. | -| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. | -| GRADLE_ARGS | A space-separated list of additional arguments passed to Gradle commands. Useful for providing custom profiles, configurations, or settings for builds. | | SDKMAN_VERSION | Specifies the version of SDKMAN to use. Useful for managing SDKs and ensuring compatibility with tools and environments. | | NVM_DIR | Defines the directory where Node Version Manager (NVM) is installed. Used to locate and manage Node.js versions in environments where NVM is utilized. | | RBENV_CMD | rbenv command to use | diff --git a/lib/cli/index.js b/lib/cli/index.js index 826a744b36..58aa887b5a 100644 --- a/lib/cli/index.js +++ b/lib/cli/index.js 
@@ -6507,6 +6507,22 @@ export async function createMultiXBom(pathList, options) { parentComponent = parentComponent.components[0]; delete parentComponent.components; } + // Add references between the multiple sub-boms + // Default is 'provides', but since some tools only generate a tree for 'dependsOn', + // this can be configured with an EnvVar + const multiBomComponentRef = + "dependsOn" === process.env.MULTI_BOM_COMPONENT_REF + ? "dependsOn" + : "provides"; + const parentDependencies = dependencies.find( + (d) => d["ref"] === parentComponent["bom-ref"], + ); + if (!parentDependencies[multiBomComponentRef]) { + parentDependencies[multiBomComponentRef] = []; + } + for (const parentSub of parentSubComponents) { + parentDependencies[multiBomComponentRef].push(parentSub["bom-ref"]); + } } // some cleanup, but not complete for (const path of pathList) {
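Review bot: The new `MULTI_BOM_COMPONENT_REF` row in docs/ENV.md (hunk `@@ -6,6 +6,7 @@`) does not say what happens with an unrecognised value. The code added in lib/cli/index.js compares with `"dependsOn" === process.env.MULTI_BOM_COMPONENT_REF`, so any other string, including a differently cased `DependsOn` or a typo, silently yields `provides`. Suggest stating in the description that the match is exact and case-sensitive and that every other value falls back to `provides`. Minor wording: "how the references between the components is handled" should read "are handled".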
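Review bot: In the docs/ENV.md hunk `@@ -82,8 +84,6 @@`, the `GRADLE_ARGS` row is deleted together with `GRADLE_USER_HOME`, but only `GRADLE_USER_HOME` is re-added (in the `@@ -28,6 +29,7 @@` hunk). Unless `GRADLE_ARGS` is already documented in a part of the table outside these hunks, this drops its documentation; please confirm the removed row was a duplicate, or move it next to the other Gradle rows as well. This reshuffle is also unrelated to the multi-BOM reference change and would be easier to review as its own commit.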
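Review bot: In the lib/cli/index.js hunk, the result of `dependencies.find(...)` is dereferenced without a check. If no entry has `ref` equal to `parentComponent["bom-ref"]`, `parentDependencies` is `undefined` and `parentDependencies[multiBomComponentRef]` throws a TypeError, which aborts BOM generation. Suggest handling the not-found case explicitly, either by pushing a new `{ ref: parentComponent["bom-ref"] }` entry into `dependencies` and using that, or by skipping the block with a debug message. The loop also pushes every `parentSub["bom-ref"]` unconditionally, so when the target array already exists (the case the `if (!parentDependencies[multiBomComponentRef])` guard allows for) a ref that is already listed gets duplicated; check for membership before pushing.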