├── .eslintignore ├── .eslintrc.json ├── .gitattributes ├── .github ├── codeql │ └── codeql-config.yml └── workflows │ ├── check-dist.yml │ ├── codeql-analysis.yml │ └── test.yml ├── .gitignore ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── action.yml ├── dist ├── index.js ├── index.js.map ├── licenses.txt └── sourcemap-register.js ├── package-lock.json ├── package.json └── src ├── index.js ├── index.test.js └── schemas └── spdx2.3.json /.eslintignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | -------------------------------------------------------------------------------- /.eslintrc.json: -------------------------------------------------------------------------------- 1 | { 2 | "env": { 3 | "commonjs": true, 4 | "es6": true, 5 | "jest": true, 6 | "node": true 7 | }, 8 | "extends": "eslint:recommended", 9 | "globals": { 10 | "Atomics": "readonly", 11 | "SharedArrayBuffer": "readonly" 12 | }, 13 | "parserOptions": { 14 | "ecmaVersion": 2018 15 | }, 16 | "rules": { 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | dist/** -diff linguist-generated=true -------------------------------------------------------------------------------- /.github/codeql/codeql-config.yml: -------------------------------------------------------------------------------- 1 | name: "javascript-action CodeQL config" 2 | 3 | paths-ignore: 4 | - node_modules 5 | - dist 6 | -------------------------------------------------------------------------------- /.github/workflows/check-dist.yml: -------------------------------------------------------------------------------- 1 | # `dist/index.js` is a special file in Actions. 2 | # When you reference an action with `uses:` in a workflow, 3 | # `index.js` is the code that will run. 
4 | # For our project, we generate this file through a build process from other source files. 5 | # We need to make sure the checked-in `index.js` actually matches what we expect it to be. 6 | name: Check dist/ 7 | 8 | on: 9 | push: 10 | branches: 11 | - main 12 | paths-ignore: 13 | - '**.md' 14 | pull_request: 15 | paths-ignore: 16 | - '**.md' 17 | workflow_dispatch: 18 | 19 | jobs: 20 | check-dist: 21 | runs-on: ubuntu-latest 22 | 23 | steps: 24 | - uses: actions/checkout@v3 25 | 26 | - name: Set Node.js 16.x 27 | uses: actions/setup-node@v3.4.1 28 | with: 29 | node-version: 16.x 30 | 31 | - name: Install dependencies 32 | run: npm ci 33 | 34 | - name: Rebuild the dist/ directory 35 | run: npm run prepare 36 | 37 | - name: Compare the expected and actual dist/ directories 38 | run: | 39 | if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then 40 | echo "Detected uncommitted changes after build. See status below:" 41 | git diff 42 | exit 1 43 | fi 44 | id: diff 45 | 46 | # If index.js was different than expected, upload the expected version as an artifact 47 | - uses: actions/upload-artifact@v3 48 | if: ${{ failure() && steps.diff.conclusion == 'failure' }} 49 | with: 50 | name: dist 51 | path: dist/ 52 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 
11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ main ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ main ] 20 | schedule: 21 | - cron: '24 5 * * 6' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'javascript' ] 36 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] 37 | # Learn more about CodeQL language support at https://git.io/codeql-language-support 38 | 39 | steps: 40 | - name: Checkout repository 41 | uses: actions/checkout@v3 42 | 43 | # Initializes the CodeQL tools for scanning. 44 | - name: Initialize CodeQL 45 | uses: github/codeql-action/init@v1 46 | with: 47 | languages: ${{ matrix.language }} 48 | config-file: ./.github/codeql/codeql-config.yml 49 | # If you wish to specify custom queries, you can do so here or in a config file. 50 | # By default, queries listed here will override any specified in a config file. 51 | # Prefix the list here with "+" to use these queries and those in the config file. 52 | # queries: ./path/to/local/query, your-org/your-repo/queries@main 53 | 54 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 55 | # If this step fails, then you should remove it and run the build manually (see below) 56 | - name: Autobuild 57 | uses: github/codeql-action/autobuild@v1 58 | 59 | # ℹ️ Command-line programs to run using the OS shell. 
60 | # 📚 https://git.io/JvXDl 61 | 62 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 63 | # and modify them (or add more) to build your code if your project 64 | # uses a compiled language 65 | 66 | #- run: | 67 | # make bootstrap 68 | # make release 69 | 70 | - name: Perform CodeQL Analysis 71 | uses: github/codeql-action/analyze@v1 72 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: "Tests" 2 | on: 3 | pull_request: 4 | push: 5 | branches: 6 | - main 7 | - 'releases/*' 8 | workflow_dispatch: 9 | 10 | permissions: read-all 11 | 12 | jobs: 13 | # unit tests 14 | units: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: actions/checkout@v3 18 | - run: npm ci 19 | - run: npm test 20 | env: 21 | GITHUB_TOKEN: ${{ github.token }} 22 | 23 | 24 | # test action works running from the graph 25 | test: 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/checkout@v3 29 | - uses: ./ 30 | env: 31 | GITHUB_TOKEN: ${{ github.token }} 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | 3 | # Editors 4 | .vscode/ 5 | .idea/ 6 | *.iml 7 | 8 | # Logs 9 | logs 10 | *.log 11 | npm-debug.log* 12 | yarn-debug.log* 13 | yarn-error.log* 14 | 15 | # Runtime data 16 | pids 17 | *.pid 18 | *.seed 19 | *.pid.lock 20 | 21 | # Directory for instrumented libs generated by jscoverage/JSCover 22 | lib-cov 23 | 24 | # Coverage directory used by tools like istanbul 25 | coverage 26 | 27 | # nyc test coverage 28 | .nyc_output 29 | 30 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) 31 | .grunt 32 | 33 | # Bower dependency directory (https://bower.io/) 34 | bower_components 35 | 36 | # node-waf configuration 37 | 
.lock-wscript 38 | 39 | # Compiled binary addons (https://nodejs.org/api/addons.html) 40 | build/Release 41 | 42 | # Other Dependency directories 43 | jspm_packages/ 44 | 45 | # TypeScript v1 declaration files 46 | typings/ 47 | 48 | # Optional npm cache directory 49 | .npm 50 | 51 | # Optional eslint cache 52 | .eslintcache 53 | 54 | # Optional REPL history 55 | .node_repl_history 56 | 57 | # Output of 'npm pack' 58 | *.tgz 59 | 60 | # Yarn Integrity file 61 | .yarn-integrity 62 | 63 | # dotenv environment variables file 64 | .env 65 | 66 | # next.js build output 67 | .next 68 | 69 | .env -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @jhutchings1 @courtneycl @lseppala 2 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 
11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at opensource@github.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contributing 2 | 3 | [fork]: https://github.com/advanced-security/component-detection-action/fork 4 | [pr]: https://github.com/advanced-security/component-detection-action/compare 5 | [code-of-conduct]: CODE_OF_CONDUCT.md 6 | 7 | Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great. 8 | 9 | Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE.md). 10 | 11 | Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. 
By participating in this project you agree to abide by its terms. 12 | 13 | ## Submitting a pull request 14 | 15 | 1. [Fork][fork] and clone the repository 16 | 1. Configure and install the dependencies: `script/bootstrap` 17 | 1. Make sure the tests pass on your machine: `npm run test` 18 | 1. Create a new branch: `git checkout -b my-branch-name` 19 | 1. Make your change, add tests, and make sure the tests still pass 20 | 1. Update the distribution: `npm run prepare` 21 | 1. Push to your fork and [submit a pull request][pr] 22 | 1. Pat yourself on the back and wait for your pull request to be reviewed and merged. 23 | 24 | Here are a few things you can do that will increase the likelihood of your pull request being accepted: 25 | 26 | - Write tests. 27 | - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests. 28 | - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). 
29 | 30 | ## Resources 31 | 32 | - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) 33 | - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/) 34 | - [GitHub Help](https://help.github.com) -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 GitHub 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SBOM Generator 2 | 3 | ## Deprecated: please use the REST API 4 | 5 | The [REST API for Dependency Graph to generate an SPDX SBOM](https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28#export-a-software-bill-of-materials-sbom-for-a-repository) is much easier to use and has had many improvements over time, so it should be used instead of this action. 6 | 7 | ## Old content follows 8 | 9 | This repository uses GitHub's dependency graph to automatically build an SBOM in SPDX 2.3 format. It supports the same [ecosystems](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) as the dependency graph. If you need support for a different set of formats, we recommend having a look at the [Microsoft SBOM Tool](https://github.com/microsoft/sbom-tool), or Anchore's [Syft](https://github.com/anchore/syft). 10 | 11 | ## Usage 12 | ### GitHub Actions 13 | 14 | You can add this Action to a GitHub Actions workflow by adding the following YAML to a workflow file. This publishes the SBOM as an artifact in the Actions workflow run. 15 | 16 | ```yaml 17 | name: SBOM Generator 18 | 19 | on: 20 | push: 21 | branches: [ "main" ] 22 | 23 | workflow_dispatch: 24 | 25 | permissions: read-all 26 | 27 | jobs: 28 | build: 29 | runs-on: ubuntu-latest 30 | 31 | steps: 32 | - uses: actions/checkout@v3 33 | 34 | - uses: advanced-security/sbom-generator-action@v0.0.1 35 | id: sbom 36 | env: 37 | GITHUB_TOKEN: ${{ github.token }} 38 | - uses: actions/upload-artifact@v3.1.0 39 | with: 40 | path: ${{steps.sbom.outputs.fileName }} 41 | name: "SBOM" 42 | ``` 43 | 44 | ### As a CLI 45 | 46 | 1. Clone this repository to your local machine. 47 | 2. 
Change to that directory and run `npm install -g .` to install this CLI locally 48 | 3. Run `sbom-generator "githubtoken" "owner/name"` where githubtoken is a legacy GitHub token with repository read permission and owner/name matches a GitHub repository. Alternatively, this script will automatically populate those values from the `GITHUB_TOKEN` and `GITHUB_REPOSITORY` environment variables; prefer this where possible, since it keeps the token out of shell history and off the process command line. 49 | 50 | # License 51 | This project is licensed under the terms of the MIT open source license. Please refer to [MIT](LICENSE) for the full terms. 52 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security 2 | 3 | GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). 4 | 5 | Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 6 | 7 | ## Reporting Security Issues 8 | 9 | If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** 12 | 13 | Instead, please send an email to opensource-security[@]github.com. 
14 | 15 | Please include as much of the information listed below as you can to help us better understand and resolve the issue: 16 | 17 | * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) 18 | * Full paths of source file(s) related to the manifestation of the issue 19 | * The location of the affected source code (tag/branch/commit or direct URL) 20 | * Any special configuration required to reproduce the issue 21 | * Step-by-step instructions to reproduce the issue 22 | * Proof-of-concept or exploit code (if possible) 23 | * Impact of the issue, including how an attacker might exploit the issue 24 | 25 | This information will help us triage your report more quickly. 26 | 27 | ## Policy 28 | 29 | See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## How to file issues and get help 4 | 5 | This project uses GitHub issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue. 6 | 7 | For help or questions about using this project, please use GitHub Discussions 8 | 9 | Component detection action is not actively developed but is maintained by GitHub staff. We will do our best to respond to support and community questions in a timely manner. 10 | 11 | ## GitHub Support Policy 12 | 13 | Support for this project is limited to the resources listed above. 
-------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'SBOM-generator-action' 2 | description: 'Generates an SBOM from your repository dependency graph' 3 | outputs: 4 | fileName: # output will be available to future steps 5 | description: 'The generated sbom file path' 6 | runs: 7 | using: 'node16' 8 | main: 'dist/index.js' 9 | -------------------------------------------------------------------------------- /dist/licenses.txt: -------------------------------------------------------------------------------- 1 | @actions/core 2 | MIT 3 | The MIT License (MIT) 4 | 5 | Copyright 2019 GitHub 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 8 | 9 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 10 | 11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 12 | 13 | @actions/http-client 14 | MIT 15 | Actions Http Client for Node.js 16 | 17 | Copyright (c) GitHub, Inc. 18 | 19 | All rights reserved. 
20 | 21 | MIT License 22 | 23 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 24 | associated documentation files (the "Software"), to deal in the Software without restriction, 25 | including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 26 | and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, 27 | subject to the following conditions: 28 | 29 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 30 | 31 | THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 32 | LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN 33 | NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 34 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 35 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 36 | 37 | 38 | @octokit/auth-token 39 | MIT 40 | The MIT License 41 | 42 | Copyright (c) 2019 Octokit contributors 43 | 44 | Permission is hereby granted, free of charge, to any person obtaining a copy 45 | of this software and associated documentation files (the "Software"), to deal 46 | in the Software without restriction, including without limitation the rights 47 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 48 | copies of the Software, and to permit persons to whom the Software is 49 | furnished to do so, subject to the following conditions: 50 | 51 | The above copyright notice and this permission notice shall be included in 52 | all copies or substantial portions of the Software. 
53 | 54 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 55 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 56 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 57 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 58 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 59 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 60 | THE SOFTWARE. 61 | 62 | 63 | @octokit/core 64 | MIT 65 | The MIT License 66 | 67 | Copyright (c) 2019 Octokit contributors 68 | 69 | Permission is hereby granted, free of charge, to any person obtaining a copy 70 | of this software and associated documentation files (the "Software"), to deal 71 | in the Software without restriction, including without limitation the rights 72 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 73 | copies of the Software, and to permit persons to whom the Software is 74 | furnished to do so, subject to the following conditions: 75 | 76 | The above copyright notice and this permission notice shall be included in 77 | all copies or substantial portions of the Software. 78 | 79 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 80 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 81 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 82 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 83 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 84 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 85 | THE SOFTWARE. 
86 | 87 | 88 | @octokit/endpoint 89 | MIT 90 | The MIT License 91 | 92 | Copyright (c) 2018 Octokit contributors 93 | 94 | Permission is hereby granted, free of charge, to any person obtaining a copy 95 | of this software and associated documentation files (the "Software"), to deal 96 | in the Software without restriction, including without limitation the rights 97 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 98 | copies of the Software, and to permit persons to whom the Software is 99 | furnished to do so, subject to the following conditions: 100 | 101 | The above copyright notice and this permission notice shall be included in 102 | all copies or substantial portions of the Software. 103 | 104 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 105 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 106 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 107 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 108 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 109 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 110 | THE SOFTWARE. 111 | 112 | 113 | @octokit/graphql 114 | MIT 115 | The MIT License 116 | 117 | Copyright (c) 2018 Octokit contributors 118 | 119 | Permission is hereby granted, free of charge, to any person obtaining a copy 120 | of this software and associated documentation files (the "Software"), to deal 121 | in the Software without restriction, including without limitation the rights 122 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 123 | copies of the Software, and to permit persons to whom the Software is 124 | furnished to do so, subject to the following conditions: 125 | 126 | The above copyright notice and this permission notice shall be included in 127 | all copies or substantial portions of the Software. 
128 | 129 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 130 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 131 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 132 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 133 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 134 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 135 | THE SOFTWARE. 136 | 137 | 138 | @octokit/request 139 | MIT 140 | The MIT License 141 | 142 | Copyright (c) 2018 Octokit contributors 143 | 144 | Permission is hereby granted, free of charge, to any person obtaining a copy 145 | of this software and associated documentation files (the "Software"), to deal 146 | in the Software without restriction, including without limitation the rights 147 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 148 | copies of the Software, and to permit persons to whom the Software is 149 | furnished to do so, subject to the following conditions: 150 | 151 | The above copyright notice and this permission notice shall be included in 152 | all copies or substantial portions of the Software. 153 | 154 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 155 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 156 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 157 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 158 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 159 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 160 | THE SOFTWARE. 
161 | 162 | 163 | @octokit/request-error 164 | MIT 165 | The MIT License 166 | 167 | Copyright (c) 2019 Octokit contributors 168 | 169 | Permission is hereby granted, free of charge, to any person obtaining a copy 170 | of this software and associated documentation files (the "Software"), to deal 171 | in the Software without restriction, including without limitation the rights 172 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 173 | copies of the Software, and to permit persons to whom the Software is 174 | furnished to do so, subject to the following conditions: 175 | 176 | The above copyright notice and this permission notice shall be included in 177 | all copies or substantial portions of the Software. 178 | 179 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 180 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 181 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 182 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 183 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 184 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 185 | THE SOFTWARE. 186 | 187 | 188 | @vercel/ncc 189 | MIT 190 | Copyright 2018 ZEIT, Inc. 191 | 192 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 193 | 194 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
195 | 196 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 197 | 198 | before-after-hook 199 | Apache-2.0 200 | Apache License 201 | Version 2.0, January 2004 202 | http://www.apache.org/licenses/ 203 | 204 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 205 | 206 | 1. Definitions. 207 | 208 | "License" shall mean the terms and conditions for use, reproduction, 209 | and distribution as defined by Sections 1 through 9 of this document. 210 | 211 | "Licensor" shall mean the copyright owner or entity authorized by 212 | the copyright owner that is granting the License. 213 | 214 | "Legal Entity" shall mean the union of the acting entity and all 215 | other entities that control, are controlled by, or are under common 216 | control with that entity. For the purposes of this definition, 217 | "control" means (i) the power, direct or indirect, to cause the 218 | direction or management of such entity, whether by contract or 219 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 220 | outstanding shares, or (iii) beneficial ownership of such entity. 221 | 222 | "You" (or "Your") shall mean an individual or Legal Entity 223 | exercising permissions granted by this License. 224 | 225 | "Source" form shall mean the preferred form for making modifications, 226 | including but not limited to software source code, documentation 227 | source, and configuration files. 
228 | 229 | "Object" form shall mean any form resulting from mechanical 230 | transformation or translation of a Source form, including but 231 | not limited to compiled object code, generated documentation, 232 | and conversions to other media types. 233 | 234 | "Work" shall mean the work of authorship, whether in Source or 235 | Object form, made available under the License, as indicated by a 236 | copyright notice that is included in or attached to the work 237 | (an example is provided in the Appendix below). 238 | 239 | "Derivative Works" shall mean any work, whether in Source or Object 240 | form, that is based on (or derived from) the Work and for which the 241 | editorial revisions, annotations, elaborations, or other modifications 242 | represent, as a whole, an original work of authorship. For the purposes 243 | of this License, Derivative Works shall not include works that remain 244 | separable from, or merely link (or bind by name) to the interfaces of, 245 | the Work and Derivative Works thereof. 246 | 247 | "Contribution" shall mean any work of authorship, including 248 | the original version of the Work and any modifications or additions 249 | to that Work or Derivative Works thereof, that is intentionally 250 | submitted to Licensor for inclusion in the Work by the copyright owner 251 | or by an individual or Legal Entity authorized to submit on behalf of 252 | the copyright owner. For the purposes of this definition, "submitted" 253 | means any form of electronic, verbal, or written communication sent 254 | to the Licensor or its representatives, including but not limited to 255 | communication on electronic mailing lists, source code control systems, 256 | and issue tracking systems that are managed by, or on behalf of, the 257 | Licensor for the purpose of discussing and improving the Work, but 258 | excluding communication that is conspicuously marked or otherwise 259 | designated in writing by the copyright owner as "Not a Contribution." 
260 | 261 | "Contributor" shall mean Licensor and any individual or Legal Entity 262 | on behalf of whom a Contribution has been received by Licensor and 263 | subsequently incorporated within the Work. 264 | 265 | 2. Grant of Copyright License. Subject to the terms and conditions of 266 | this License, each Contributor hereby grants to You a perpetual, 267 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 268 | copyright license to reproduce, prepare Derivative Works of, 269 | publicly display, publicly perform, sublicense, and distribute the 270 | Work and such Derivative Works in Source or Object form. 271 | 272 | 3. Grant of Patent License. Subject to the terms and conditions of 273 | this License, each Contributor hereby grants to You a perpetual, 274 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 275 | (except as stated in this section) patent license to make, have made, 276 | use, offer to sell, sell, import, and otherwise transfer the Work, 277 | where such license applies only to those patent claims licensable 278 | by such Contributor that are necessarily infringed by their 279 | Contribution(s) alone or by combination of their Contribution(s) 280 | with the Work to which such Contribution(s) was submitted. If You 281 | institute patent litigation against any entity (including a 282 | cross-claim or counterclaim in a lawsuit) alleging that the Work 283 | or a Contribution incorporated within the Work constitutes direct 284 | or contributory patent infringement, then any patent licenses 285 | granted to You under this License for that Work shall terminate 286 | as of the date such litigation is filed. 287 | 288 | 4. Redistribution. 
You may reproduce and distribute copies of the 289 | Work or Derivative Works thereof in any medium, with or without 290 | modifications, and in Source or Object form, provided that You 291 | meet the following conditions: 292 | 293 | (a) You must give any other recipients of the Work or 294 | Derivative Works a copy of this License; and 295 | 296 | (b) You must cause any modified files to carry prominent notices 297 | stating that You changed the files; and 298 | 299 | (c) You must retain, in the Source form of any Derivative Works 300 | that You distribute, all copyright, patent, trademark, and 301 | attribution notices from the Source form of the Work, 302 | excluding those notices that do not pertain to any part of 303 | the Derivative Works; and 304 | 305 | (d) If the Work includes a "NOTICE" text file as part of its 306 | distribution, then any Derivative Works that You distribute must 307 | include a readable copy of the attribution notices contained 308 | within such NOTICE file, excluding those notices that do not 309 | pertain to any part of the Derivative Works, in at least one 310 | of the following places: within a NOTICE text file distributed 311 | as part of the Derivative Works; within the Source form or 312 | documentation, if provided along with the Derivative Works; or, 313 | within a display generated by the Derivative Works, if and 314 | wherever such third-party notices normally appear. The contents 315 | of the NOTICE file are for informational purposes only and 316 | do not modify the License. You may add Your own attribution 317 | notices within Derivative Works that You distribute, alongside 318 | or as an addendum to the NOTICE text from the Work, provided 319 | that such additional attribution notices cannot be construed 320 | as modifying the License. 
321 | 322 | You may add Your own copyright statement to Your modifications and 323 | may provide additional or different license terms and conditions 324 | for use, reproduction, or distribution of Your modifications, or 325 | for any such Derivative Works as a whole, provided Your use, 326 | reproduction, and distribution of the Work otherwise complies with 327 | the conditions stated in this License. 328 | 329 | 5. Submission of Contributions. Unless You explicitly state otherwise, 330 | any Contribution intentionally submitted for inclusion in the Work 331 | by You to the Licensor shall be under the terms and conditions of 332 | this License, without any additional terms or conditions. 333 | Notwithstanding the above, nothing herein shall supersede or modify 334 | the terms of any separate license agreement you may have executed 335 | with Licensor regarding such Contributions. 336 | 337 | 6. Trademarks. This License does not grant permission to use the trade 338 | names, trademarks, service marks, or product names of the Licensor, 339 | except as required for reasonable and customary use in describing the 340 | origin of the Work and reproducing the content of the NOTICE file. 341 | 342 | 7. Disclaimer of Warranty. Unless required by applicable law or 343 | agreed to in writing, Licensor provides the Work (and each 344 | Contributor provides its Contributions) on an "AS IS" BASIS, 345 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 346 | implied, including, without limitation, any warranties or conditions 347 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 348 | PARTICULAR PURPOSE. You are solely responsible for determining the 349 | appropriateness of using or redistributing the Work and assume any 350 | risks associated with Your exercise of permissions under this License. 351 | 352 | 8. Limitation of Liability. 
In no event and under no legal theory, 353 | whether in tort (including negligence), contract, or otherwise, 354 | unless required by applicable law (such as deliberate and grossly 355 | negligent acts) or agreed to in writing, shall any Contributor be 356 | liable to You for damages, including any direct, indirect, special, 357 | incidental, or consequential damages of any character arising as a 358 | result of this License or out of the use or inability to use the 359 | Work (including but not limited to damages for loss of goodwill, 360 | work stoppage, computer failure or malfunction, or any and all 361 | other commercial damages or losses), even if such Contributor 362 | has been advised of the possibility of such damages. 363 | 364 | 9. Accepting Warranty or Additional Liability. While redistributing 365 | the Work or Derivative Works thereof, You may choose to offer, 366 | and charge a fee for, acceptance of support, warranty, indemnity, 367 | or other liability obligations and/or rights consistent with this 368 | License. However, in accepting such obligations, You may act only 369 | on Your own behalf and on Your sole responsibility, not on behalf 370 | of any other Contributor, and only if You agree to indemnify, 371 | defend, and hold each Contributor harmless for any liability 372 | incurred by, or claims asserted against, such Contributor by reason 373 | of your accepting any such warranty or additional liability. 374 | 375 | END OF TERMS AND CONDITIONS 376 | 377 | APPENDIX: How to apply the Apache License to your work. 378 | 379 | To apply the Apache License to your work, attach the following 380 | boilerplate notice, with the fields enclosed by brackets "{}" 381 | replaced with your own identifying information. (Don't include 382 | the brackets!) The text should be enclosed in the appropriate 383 | comment syntax for the file format. 
We also recommend that a 384 | file or class name and description of purpose be included on the 385 | same "printed page" as the copyright notice for easier 386 | identification within third-party archives. 387 | 388 | Copyright 2018 Gregor Martynus and other contributors. 389 | 390 | Licensed under the Apache License, Version 2.0 (the "License"); 391 | you may not use this file except in compliance with the License. 392 | You may obtain a copy of the License at 393 | 394 | http://www.apache.org/licenses/LICENSE-2.0 395 | 396 | Unless required by applicable law or agreed to in writing, software 397 | distributed under the License is distributed on an "AS IS" BASIS, 398 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 399 | See the License for the specific language governing permissions and 400 | limitations under the License. 401 | 402 | 403 | deprecation 404 | ISC 405 | The ISC License 406 | 407 | Copyright (c) Gregor Martynus and contributors 408 | 409 | Permission to use, copy, modify, and/or distribute this software for any 410 | purpose with or without fee is hereby granted, provided that the above 411 | copyright notice and this permission notice appear in all copies. 412 | 413 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 414 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 415 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 416 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 417 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 418 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR 419 | IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 420 | 421 | 422 | dotenv 423 | BSD-2-Clause 424 | Copyright (c) 2015, Scott Motte 425 | All rights reserved. 
426 | 427 | Redistribution and use in source and binary forms, with or without 428 | modification, are permitted provided that the following conditions are met: 429 | 430 | * Redistributions of source code must retain the above copyright notice, this 431 | list of conditions and the following disclaimer. 432 | 433 | * Redistributions in binary form must reproduce the above copyright notice, 434 | this list of conditions and the following disclaimer in the documentation 435 | and/or other materials provided with the distribution. 436 | 437 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 438 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 439 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 440 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 441 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 442 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 443 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 444 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 445 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 446 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 447 | 448 | 449 | is-plain-object 450 | MIT 451 | The MIT License (MIT) 452 | 453 | Copyright (c) 2014-2017, Jon Schlinkert. 
454 | 455 | Permission is hereby granted, free of charge, to any person obtaining a copy 456 | of this software and associated documentation files (the "Software"), to deal 457 | in the Software without restriction, including without limitation the rights 458 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 459 | copies of the Software, and to permit persons to whom the Software is 460 | furnished to do so, subject to the following conditions: 461 | 462 | The above copyright notice and this permission notice shall be included in 463 | all copies or substantial portions of the Software. 464 | 465 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 466 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 467 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 468 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 469 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 470 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 471 | THE SOFTWARE. 472 | 473 | 474 | node-fetch 475 | MIT 476 | The MIT License (MIT) 477 | 478 | Copyright (c) 2016 David Frank 479 | 480 | Permission is hereby granted, free of charge, to any person obtaining a copy 481 | of this software and associated documentation files (the "Software"), to deal 482 | in the Software without restriction, including without limitation the rights 483 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 484 | copies of the Software, and to permit persons to whom the Software is 485 | furnished to do so, subject to the following conditions: 486 | 487 | The above copyright notice and this permission notice shall be included in all 488 | copies or substantial portions of the Software. 
489 | 490 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 491 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 492 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 493 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 494 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 495 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 496 | SOFTWARE. 497 | 498 | 499 | 500 | once 501 | ISC 502 | The ISC License 503 | 504 | Copyright (c) Isaac Z. Schlueter and Contributors 505 | 506 | Permission to use, copy, modify, and/or distribute this software for any 507 | purpose with or without fee is hereby granted, provided that the above 508 | copyright notice and this permission notice appear in all copies. 509 | 510 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 511 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 512 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 513 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 514 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 515 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR 516 | IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
517 | 518 | 519 | tr46 520 | MIT 521 | 522 | tunnel 523 | MIT 524 | The MIT License (MIT) 525 | 526 | Copyright (c) 2012 Koichi Kobayashi 527 | 528 | Permission is hereby granted, free of charge, to any person obtaining a copy 529 | of this software and associated documentation files (the "Software"), to deal 530 | in the Software without restriction, including without limitation the rights 531 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 532 | copies of the Software, and to permit persons to whom the Software is 533 | furnished to do so, subject to the following conditions: 534 | 535 | The above copyright notice and this permission notice shall be included in 536 | all copies or substantial portions of the Software. 537 | 538 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 539 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 540 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 541 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 542 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 543 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 544 | THE SOFTWARE. 545 | 546 | 547 | universal-user-agent 548 | ISC 549 | # [ISC License](https://spdx.org/licenses/ISC) 550 | 551 | Copyright (c) 2018, Gregor Martynus (https://github.com/gr2m) 552 | 553 | Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. 554 | 555 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 556 | 557 | 558 | uuid 559 | MIT 560 | The MIT License (MIT) 561 | 562 | Copyright (c) 2010-2020 Robert Kieffer and other contributors 563 | 564 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 565 | 566 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 567 | 568 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 569 | 570 | 571 | webidl-conversions 572 | BSD-2-Clause 573 | # The BSD 2-Clause License 574 | 575 | Copyright (c) 2014, Domenic Denicola 576 | All rights reserved. 577 | 578 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 579 | 580 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 581 | 582 | 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 583 | 584 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 585 | 586 | 587 | whatwg-url 588 | MIT 589 | The MIT License (MIT) 590 | 591 | Copyright (c) 2015–2016 Sebastian Mayr 592 | 593 | Permission is hereby granted, free of charge, to any person obtaining a copy 594 | of this software and associated documentation files (the "Software"), to deal 595 | in the Software without restriction, including without limitation the rights 596 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 597 | copies of the Software, and to permit persons to whom the Software is 598 | furnished to do so, subject to the following conditions: 599 | 600 | The above copyright notice and this permission notice shall be included in 601 | all copies or substantial portions of the Software. 602 | 603 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 604 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 605 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 606 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 607 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 608 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 609 | THE SOFTWARE. 610 | 611 | 612 | wrappy 613 | ISC 614 | The ISC License 615 | 616 | Copyright (c) Isaac Z. Schlueter and Contributors 617 | 618 | Permission to use, copy, modify, and/or distribute this software for any 619 | purpose with or without fee is hereby granted, provided that the above 620 | copyright notice and this permission notice appear in all copies. 621 | 622 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 623 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 624 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 625 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 626 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 627 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR 628 | IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
629 | -------------------------------------------------------------------------------- /dist/sourcemap-register.js: -------------------------------------------------------------------------------- 1 | (()=>{var e={650:e=>{var r=Object.prototype.toString;var n=typeof Buffer.alloc==="function"&&typeof Buffer.allocUnsafe==="function"&&typeof Buffer.from==="function";function isArrayBuffer(e){return r.call(e).slice(8,-1)==="ArrayBuffer"}function fromArrayBuffer(e,r,t){r>>>=0;var o=e.byteLength-r;if(o<0){throw new RangeError("'offset' is out of bounds")}if(t===undefined){t=o}else{t>>>=0;if(t>o){throw new RangeError("'length' is out of bounds")}}return n?Buffer.from(e.slice(r,r+t)):new Buffer(new Uint8Array(e.slice(r,r+t)))}function fromString(e,r){if(typeof r!=="string"||r===""){r="utf8"}if(!Buffer.isEncoding(r)){throw new TypeError('"encoding" must be a valid string encoding')}return n?Buffer.from(e,r):new Buffer(e,r)}function bufferFrom(e,r,t){if(typeof e==="number"){throw new TypeError('"value" argument must not be a number')}if(isArrayBuffer(e)){return fromArrayBuffer(e,r,t)}if(typeof e==="string"){return fromString(e,r)}return n?Buffer.from(e):new Buffer(e)}e.exports=bufferFrom},274:(e,r,n)=>{var t=n(339);var o=Object.prototype.hasOwnProperty;var i=typeof Map!=="undefined";function ArraySet(){this._array=[];this._set=i?new Map:Object.create(null)}ArraySet.fromArray=function ArraySet_fromArray(e,r){var n=new ArraySet;for(var t=0,o=e.length;t=0){return r}}else{var n=t.toSetString(e);if(o.call(this._set,n)){return this._set[n]}}throw new Error('"'+e+'" is not in the set.')};ArraySet.prototype.at=function ArraySet_at(e){if(e>=0&&e{var t=n(190);var o=5;var i=1<>1;return r?-n:n}r.encode=function base64VLQ_encode(e){var r="";var n;var i=toVLQSigned(e);do{n=i&a;i>>>=o;if(i>0){n|=u}r+=t.encode(n)}while(i>0);return r};r.decode=function base64VLQ_decode(e,r,n){var i=e.length;var s=0;var l=0;var c,p;do{if(r>=i){throw new Error("Expected more digits in base 64 VLQ 
value.")}p=t.decode(e.charCodeAt(r++));if(p===-1){throw new Error("Invalid base64 digit: "+e.charAt(r-1))}c=!!(p&u);p&=a;s=s+(p<{var n="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".split("");r.encode=function(e){if(0<=e&&e{r.GREATEST_LOWER_BOUND=1;r.LEAST_UPPER_BOUND=2;function recursiveSearch(e,n,t,o,i,a){var u=Math.floor((n-e)/2)+e;var s=i(t,o[u],true);if(s===0){return u}else if(s>0){if(n-u>1){return recursiveSearch(u,n,t,o,i,a)}if(a==r.LEAST_UPPER_BOUND){return n1){return recursiveSearch(e,u,t,o,i,a)}if(a==r.LEAST_UPPER_BOUND){return u}else{return e<0?-1:e}}}r.search=function search(e,n,t,o){if(n.length===0){return-1}var i=recursiveSearch(-1,n.length,e,n,t,o||r.GREATEST_LOWER_BOUND);if(i<0){return-1}while(i-1>=0){if(t(n[i],n[i-1],true)!==0){break}--i}return i}},680:(e,r,n)=>{var t=n(339);function generatedPositionAfter(e,r){var n=e.generatedLine;var o=r.generatedLine;var i=e.generatedColumn;var a=r.generatedColumn;return o>n||o==n&&a>=i||t.compareByGeneratedPositionsInflated(e,r)<=0}function MappingList(){this._array=[];this._sorted=true;this._last={generatedLine:-1,generatedColumn:0}}MappingList.prototype.unsortedForEach=function MappingList_forEach(e,r){this._array.forEach(e,r)};MappingList.prototype.add=function MappingList_add(e){if(generatedPositionAfter(this._last,e)){this._last=e;this._array.push(e)}else{this._sorted=false;this._array.push(e)}};MappingList.prototype.toArray=function MappingList_toArray(){if(!this._sorted){this._array.sort(t.compareByGeneratedPositionsInflated);this._sorted=true}return this._array};r.H=MappingList},758:(e,r)=>{function swap(e,r,n){var t=e[r];e[r]=e[n];e[n]=t}function randomIntInRange(e,r){return Math.round(e+Math.random()*(r-e))}function doQuickSort(e,r,n,t){if(n{var t;var o=n(339);var i=n(345);var a=n(274).I;var u=n(449);var s=n(758).U;function SourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}return n.sections!=null?new IndexedSourceMapConsumer(n,r):new 
BasicSourceMapConsumer(n,r)}SourceMapConsumer.fromSourceMap=function(e,r){return BasicSourceMapConsumer.fromSourceMap(e,r)};SourceMapConsumer.prototype._version=3;SourceMapConsumer.prototype.__generatedMappings=null;Object.defineProperty(SourceMapConsumer.prototype,"_generatedMappings",{configurable:true,enumerable:true,get:function(){if(!this.__generatedMappings){this._parseMappings(this._mappings,this.sourceRoot)}return this.__generatedMappings}});SourceMapConsumer.prototype.__originalMappings=null;Object.defineProperty(SourceMapConsumer.prototype,"_originalMappings",{configurable:true,enumerable:true,get:function(){if(!this.__originalMappings){this._parseMappings(this._mappings,this.sourceRoot)}return this.__originalMappings}});SourceMapConsumer.prototype._charIsMappingSeparator=function SourceMapConsumer_charIsMappingSeparator(e,r){var n=e.charAt(r);return n===";"||n===","};SourceMapConsumer.prototype._parseMappings=function SourceMapConsumer_parseMappings(e,r){throw new Error("Subclasses must implement _parseMappings")};SourceMapConsumer.GENERATED_ORDER=1;SourceMapConsumer.ORIGINAL_ORDER=2;SourceMapConsumer.GREATEST_LOWER_BOUND=1;SourceMapConsumer.LEAST_UPPER_BOUND=2;SourceMapConsumer.prototype.eachMapping=function SourceMapConsumer_eachMapping(e,r,n){var t=r||null;var i=n||SourceMapConsumer.GENERATED_ORDER;var a;switch(i){case SourceMapConsumer.GENERATED_ORDER:a=this._generatedMappings;break;case SourceMapConsumer.ORIGINAL_ORDER:a=this._originalMappings;break;default:throw new Error("Unknown order of iteration.")}var u=this.sourceRoot;a.map((function(e){var r=e.source===null?null:this._sources.at(e.source);r=o.computeSourceURL(u,r,this._sourceMapURL);return{source:r,generatedLine:e.generatedLine,generatedColumn:e.generatedColumn,originalLine:e.originalLine,originalColumn:e.originalColumn,name:e.name===null?null:this._names.at(e.name)}}),this).forEach(e,t)};SourceMapConsumer.prototype.allGeneratedPositionsFor=function 
SourceMapConsumer_allGeneratedPositionsFor(e){var r=o.getArg(e,"line");var n={source:o.getArg(e,"source"),originalLine:r,originalColumn:o.getArg(e,"column",0)};n.source=this._findSourceIndex(n.source);if(n.source<0){return[]}var t=[];var a=this._findMapping(n,this._originalMappings,"originalLine","originalColumn",o.compareByOriginalPositions,i.LEAST_UPPER_BOUND);if(a>=0){var u=this._originalMappings[a];if(e.column===undefined){var s=u.originalLine;while(u&&u.originalLine===s){t.push({line:o.getArg(u,"generatedLine",null),column:o.getArg(u,"generatedColumn",null),lastColumn:o.getArg(u,"lastGeneratedColumn",null)});u=this._originalMappings[++a]}}else{var l=u.originalColumn;while(u&&u.originalLine===r&&u.originalColumn==l){t.push({line:o.getArg(u,"generatedLine",null),column:o.getArg(u,"generatedColumn",null),lastColumn:o.getArg(u,"lastGeneratedColumn",null)});u=this._originalMappings[++a]}}}return t};r.SourceMapConsumer=SourceMapConsumer;function BasicSourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}var t=o.getArg(n,"version");var i=o.getArg(n,"sources");var u=o.getArg(n,"names",[]);var s=o.getArg(n,"sourceRoot",null);var l=o.getArg(n,"sourcesContent",null);var c=o.getArg(n,"mappings");var p=o.getArg(n,"file",null);if(t!=this._version){throw new Error("Unsupported version: "+t)}if(s){s=o.normalize(s)}i=i.map(String).map(o.normalize).map((function(e){return s&&o.isAbsolute(s)&&o.isAbsolute(e)?o.relative(s,e):e}));this._names=a.fromArray(u.map(String),true);this._sources=a.fromArray(i,true);this._absoluteSources=this._sources.toArray().map((function(e){return o.computeSourceURL(s,e,r)}));this.sourceRoot=s;this.sourcesContent=l;this._mappings=c;this._sourceMapURL=r;this.file=p}BasicSourceMapConsumer.prototype=Object.create(SourceMapConsumer.prototype);BasicSourceMapConsumer.prototype.consumer=SourceMapConsumer;BasicSourceMapConsumer.prototype._findSourceIndex=function(e){var 
r=e;if(this.sourceRoot!=null){r=o.relative(this.sourceRoot,r)}if(this._sources.has(r)){return this._sources.indexOf(r)}var n;for(n=0;n1){v.source=l+_[1];l+=_[1];v.originalLine=i+_[2];i=v.originalLine;v.originalLine+=1;v.originalColumn=a+_[3];a=v.originalColumn;if(_.length>4){v.name=c+_[4];c+=_[4]}}m.push(v);if(typeof v.originalLine==="number"){d.push(v)}}}s(m,o.compareByGeneratedPositionsDeflated);this.__generatedMappings=m;s(d,o.compareByOriginalPositions);this.__originalMappings=d};BasicSourceMapConsumer.prototype._findMapping=function SourceMapConsumer_findMapping(e,r,n,t,o,a){if(e[n]<=0){throw new TypeError("Line must be greater than or equal to 1, got "+e[n])}if(e[t]<0){throw new TypeError("Column must be greater than or equal to 0, got "+e[t])}return i.search(e,r,o,a)};BasicSourceMapConsumer.prototype.computeColumnSpans=function SourceMapConsumer_computeColumnSpans(){for(var e=0;e=0){var t=this._generatedMappings[n];if(t.generatedLine===r.generatedLine){var i=o.getArg(t,"source",null);if(i!==null){i=this._sources.at(i);i=o.computeSourceURL(this.sourceRoot,i,this._sourceMapURL)}var a=o.getArg(t,"name",null);if(a!==null){a=this._names.at(a)}return{source:i,line:o.getArg(t,"originalLine",null),column:o.getArg(t,"originalColumn",null),name:a}}}return{source:null,line:null,column:null,name:null}};BasicSourceMapConsumer.prototype.hasContentsOfAllSources=function BasicSourceMapConsumer_hasContentsOfAllSources(){if(!this.sourcesContent){return false}return this.sourcesContent.length>=this._sources.size()&&!this.sourcesContent.some((function(e){return e==null}))};BasicSourceMapConsumer.prototype.sourceContentFor=function SourceMapConsumer_sourceContentFor(e,r){if(!this.sourcesContent){return null}var n=this._findSourceIndex(e);if(n>=0){return this.sourcesContent[n]}var t=e;if(this.sourceRoot!=null){t=o.relative(this.sourceRoot,t)}var i;if(this.sourceRoot!=null&&(i=o.urlParse(this.sourceRoot))){var 
a=t.replace(/^file:\/\//,"");if(i.scheme=="file"&&this._sources.has(a)){return this.sourcesContent[this._sources.indexOf(a)]}if((!i.path||i.path=="/")&&this._sources.has("/"+t)){return this.sourcesContent[this._sources.indexOf("/"+t)]}}if(r){return null}else{throw new Error('"'+t+'" is not in the SourceMap.')}};BasicSourceMapConsumer.prototype.generatedPositionFor=function SourceMapConsumer_generatedPositionFor(e){var r=o.getArg(e,"source");r=this._findSourceIndex(r);if(r<0){return{line:null,column:null,lastColumn:null}}var n={source:r,originalLine:o.getArg(e,"line"),originalColumn:o.getArg(e,"column")};var t=this._findMapping(n,this._originalMappings,"originalLine","originalColumn",o.compareByOriginalPositions,o.getArg(e,"bias",SourceMapConsumer.GREATEST_LOWER_BOUND));if(t>=0){var i=this._originalMappings[t];if(i.source===n.source){return{line:o.getArg(i,"generatedLine",null),column:o.getArg(i,"generatedColumn",null),lastColumn:o.getArg(i,"lastGeneratedColumn",null)}}}return{line:null,column:null,lastColumn:null}};t=BasicSourceMapConsumer;function IndexedSourceMapConsumer(e,r){var n=e;if(typeof e==="string"){n=o.parseSourceMapInput(e)}var t=o.getArg(n,"version");var i=o.getArg(n,"sections");if(t!=this._version){throw new Error("Unsupported version: "+t)}this._sources=new a;this._names=new a;var u={line:-1,column:0};this._sections=i.map((function(e){if(e.url){throw new Error("Support for url field in sections not implemented.")}var n=o.getArg(e,"offset");var t=o.getArg(n,"line");var i=o.getArg(n,"column");if(t{var t=n(449);var o=n(339);var i=n(274).I;var a=n(680).H;function SourceMapGenerator(e){if(!e){e={}}this._file=o.getArg(e,"file",null);this._sourceRoot=o.getArg(e,"sourceRoot",null);this._skipValidation=o.getArg(e,"skipValidation",false);this._sources=new i;this._names=new i;this._mappings=new a;this._sourcesContents=null}SourceMapGenerator.prototype._version=3;SourceMapGenerator.fromSourceMap=function SourceMapGenerator_fromSourceMap(e){var r=e.sourceRoot;var 
n=new SourceMapGenerator({file:e.file,sourceRoot:r});e.eachMapping((function(e){var t={generated:{line:e.generatedLine,column:e.generatedColumn}};if(e.source!=null){t.source=e.source;if(r!=null){t.source=o.relative(r,t.source)}t.original={line:e.originalLine,column:e.originalColumn};if(e.name!=null){t.name=e.name}}n.addMapping(t)}));e.sources.forEach((function(t){var i=t;if(r!==null){i=o.relative(r,t)}if(!n._sources.has(i)){n._sources.add(i)}var a=e.sourceContentFor(t);if(a!=null){n.setSourceContent(t,a)}}));return n};SourceMapGenerator.prototype.addMapping=function SourceMapGenerator_addMapping(e){var r=o.getArg(e,"generated");var n=o.getArg(e,"original",null);var t=o.getArg(e,"source",null);var i=o.getArg(e,"name",null);if(!this._skipValidation){this._validateMapping(r,n,t,i)}if(t!=null){t=String(t);if(!this._sources.has(t)){this._sources.add(t)}}if(i!=null){i=String(i);if(!this._names.has(i)){this._names.add(i)}}this._mappings.add({generatedLine:r.line,generatedColumn:r.column,originalLine:n!=null&&n.line,originalColumn:n!=null&&n.column,source:t,name:i})};SourceMapGenerator.prototype.setSourceContent=function SourceMapGenerator_setSourceContent(e,r){var n=e;if(this._sourceRoot!=null){n=o.relative(this._sourceRoot,n)}if(r!=null){if(!this._sourcesContents){this._sourcesContents=Object.create(null)}this._sourcesContents[o.toSetString(n)]=r}else if(this._sourcesContents){delete this._sourcesContents[o.toSetString(n)];if(Object.keys(this._sourcesContents).length===0){this._sourcesContents=null}}};SourceMapGenerator.prototype.applySourceMap=function SourceMapGenerator_applySourceMap(e,r,n){var t=r;if(r==null){if(e.file==null){throw new Error("SourceMapGenerator.prototype.applySourceMap requires either an explicit source file, "+'or the source map\'s "file" property. 
Both were omitted.')}t=e.file}var a=this._sourceRoot;if(a!=null){t=o.relative(a,t)}var u=new i;var s=new i;this._mappings.unsortedForEach((function(r){if(r.source===t&&r.originalLine!=null){var i=e.originalPositionFor({line:r.originalLine,column:r.originalColumn});if(i.source!=null){r.source=i.source;if(n!=null){r.source=o.join(n,r.source)}if(a!=null){r.source=o.relative(a,r.source)}r.originalLine=i.line;r.originalColumn=i.column;if(i.name!=null){r.name=i.name}}}var l=r.source;if(l!=null&&!u.has(l)){u.add(l)}var c=r.name;if(c!=null&&!s.has(c)){s.add(c)}}),this);this._sources=u;this._names=s;e.sources.forEach((function(r){var t=e.sourceContentFor(r);if(t!=null){if(n!=null){r=o.join(n,r)}if(a!=null){r=o.relative(a,r)}this.setSourceContent(r,t)}}),this)};SourceMapGenerator.prototype._validateMapping=function SourceMapGenerator_validateMapping(e,r,n,t){if(r&&typeof r.line!=="number"&&typeof r.column!=="number"){throw new Error("original.line and original.column are not numbers -- you probably meant to omit "+"the original mapping entirely and only map the generated position. 
If so, pass "+"null for the original mapping instead of an object with empty or null values.")}if(e&&"line"in e&&"column"in e&&e.line>0&&e.column>=0&&!r&&!n&&!t){return}else if(e&&"line"in e&&"column"in e&&r&&"line"in r&&"column"in r&&e.line>0&&e.column>=0&&r.line>0&&r.column>=0&&n){return}else{throw new Error("Invalid mapping: "+JSON.stringify({generated:e,source:n,original:r,name:t}))}};SourceMapGenerator.prototype._serializeMappings=function SourceMapGenerator_serializeMappings(){var e=0;var r=1;var n=0;var i=0;var a=0;var u=0;var s="";var l;var c;var p;var f;var g=this._mappings.toArray();for(var h=0,d=g.length;h0){if(!o.compareByGeneratedPositionsInflated(c,g[h-1])){continue}l+=","}}l+=t.encode(c.generatedColumn-e);e=c.generatedColumn;if(c.source!=null){f=this._sources.indexOf(c.source);l+=t.encode(f-u);u=f;l+=t.encode(c.originalLine-1-i);i=c.originalLine-1;l+=t.encode(c.originalColumn-n);n=c.originalColumn;if(c.name!=null){p=this._names.indexOf(c.name);l+=t.encode(p-a);a=p}}s+=l}return s};SourceMapGenerator.prototype._generateSourcesContent=function SourceMapGenerator_generateSourcesContent(e,r){return e.map((function(e){if(!this._sourcesContents){return null}if(r!=null){e=o.relative(r,e)}var n=o.toSetString(e);return Object.prototype.hasOwnProperty.call(this._sourcesContents,n)?this._sourcesContents[n]:null}),this)};SourceMapGenerator.prototype.toJSON=function SourceMapGenerator_toJSON(){var e={version:this._version,sources:this._sources.toArray(),names:this._names.toArray(),mappings:this._serializeMappings()};if(this._file!=null){e.file=this._file}if(this._sourceRoot!=null){e.sourceRoot=this._sourceRoot}if(this._sourcesContents){e.sourcesContent=this._generateSourcesContent(e.sources,e.sourceRoot)}return e};SourceMapGenerator.prototype.toString=function SourceMapGenerator_toString(){return JSON.stringify(this.toJSON())};r.h=SourceMapGenerator},351:(e,r,n)=>{var t;var o=n(591).h;var i=n(339);var a=/(\r?\n)/;var u=10;var s="$$$isSourceNode$$$";function 
SourceNode(e,r,n,t,o){this.children=[];this.sourceContents={};this.line=e==null?null:e;this.column=r==null?null:r;this.source=n==null?null:n;this.name=o==null?null:o;this[s]=true;if(t!=null)this.add(t)}SourceNode.fromStringWithSourceMap=function SourceNode_fromStringWithSourceMap(e,r,n){var t=new SourceNode;var o=e.split(a);var u=0;var shiftNextLine=function(){var e=getNextLine();var r=getNextLine()||"";return e+r;function getNextLine(){return u=0;r--){this.prepend(e[r])}}else if(e[s]||typeof e==="string"){this.children.unshift(e)}else{throw new TypeError("Expected a SourceNode, string, or an array of SourceNodes and strings. Got "+e)}return this};SourceNode.prototype.walk=function SourceNode_walk(e){var r;for(var n=0,t=this.children.length;n0){r=[];for(n=0;n{function getArg(e,r,n){if(r in e){return e[r]}else if(arguments.length===3){return n}else{throw new Error('"'+r+'" is a required argument.')}}r.getArg=getArg;var n=/^(?:([\w+\-.]+):)?\/\/(?:(\w+:\w+)@)?([\w.-]*)(?::(\d+))?(.*)$/;var t=/^data:.+\,.+$/;function urlParse(e){var r=e.match(n);if(!r){return null}return{scheme:r[1],auth:r[2],host:r[3],port:r[4],path:r[5]}}r.urlParse=urlParse;function urlGenerate(e){var r="";if(e.scheme){r+=e.scheme+":"}r+="//";if(e.auth){r+=e.auth+"@"}if(e.host){r+=e.host}if(e.port){r+=":"+e.port}if(e.path){r+=e.path}return r}r.urlGenerate=urlGenerate;function normalize(e){var n=e;var t=urlParse(e);if(t){if(!t.path){return e}n=t.path}var o=r.isAbsolute(n);var i=n.split(/\/+/);for(var a,u=0,s=i.length-1;s>=0;s--){a=i[s];if(a==="."){i.splice(s,1)}else if(a===".."){u++}else if(u>0){if(a===""){i.splice(s+1,u);u=0}else{i.splice(s,2);u--}}}n=i.join("/");if(n===""){n=o?"/":"."}if(t){t.path=n;return urlGenerate(t)}return n}r.normalize=normalize;function join(e,r){if(e===""){e="."}if(r===""){r="."}var n=urlParse(r);var o=urlParse(e);if(o){e=o.path||"/"}if(n&&!n.scheme){if(o){n.scheme=o.scheme}return urlGenerate(n)}if(n||r.match(t)){return r}if(o&&!o.host&&!o.path){o.host=r;return 
urlGenerate(o)}var i=r.charAt(0)==="/"?r:normalize(e.replace(/\/+$/,"")+"/"+r);if(o){o.path=i;return urlGenerate(o)}return i}r.join=join;r.isAbsolute=function(e){return e.charAt(0)==="/"||n.test(e)};function relative(e,r){if(e===""){e="."}e=e.replace(/\/$/,"");var n=0;while(r.indexOf(e+"/")!==0){var t=e.lastIndexOf("/");if(t<0){return r}e=e.slice(0,t);if(e.match(/^([^\/]+:\/)?\/*$/)){return r}++n}return Array(n+1).join("../")+r.substr(e.length+1)}r.relative=relative;var o=function(){var e=Object.create(null);return!("__proto__"in e)}();function identity(e){return e}function toSetString(e){if(isProtoString(e)){return"$"+e}return e}r.toSetString=o?identity:toSetString;function fromSetString(e){if(isProtoString(e)){return e.slice(1)}return e}r.fromSetString=o?identity:fromSetString;function isProtoString(e){if(!e){return false}var r=e.length;if(r<9){return false}if(e.charCodeAt(r-1)!==95||e.charCodeAt(r-2)!==95||e.charCodeAt(r-3)!==111||e.charCodeAt(r-4)!==116||e.charCodeAt(r-5)!==111||e.charCodeAt(r-6)!==114||e.charCodeAt(r-7)!==112||e.charCodeAt(r-8)!==95||e.charCodeAt(r-9)!==95){return false}for(var n=r-10;n>=0;n--){if(e.charCodeAt(n)!==36){return false}}return true}function compareByOriginalPositions(e,r,n){var t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0||n){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0){return t}t=e.generatedLine-r.generatedLine;if(t!==0){return t}return strcmp(e.name,r.name)}r.compareByOriginalPositions=compareByOriginalPositions;function compareByGeneratedPositionsDeflated(e,r,n){var t=e.generatedLine-r.generatedLine;if(t!==0){return t}t=e.generatedColumn-r.generatedColumn;if(t!==0||n){return t}t=strcmp(e.source,r.source);if(t!==0){return t}t=e.originalLine-r.originalLine;if(t!==0){return t}t=e.originalColumn-r.originalColumn;if(t!==0){return t}return 
strcmp(e.name,r.name)}r.compareByGeneratedPositionsDeflated=compareByGeneratedPositionsDeflated;function strcmp(e,r){if(e===r){return 0}if(e===null){return 1}if(r===null){return-1}if(e>r){return 1}return-1}function compareByGeneratedPositionsInflated(e,r){var n=e.generatedLine-r.generatedLine;if(n!==0){return n}n=e.generatedColumn-r.generatedColumn;if(n!==0){return n}n=strcmp(e.source,r.source);if(n!==0){return n}n=e.originalLine-r.originalLine;if(n!==0){return n}n=e.originalColumn-r.originalColumn;if(n!==0){return n}return strcmp(e.name,r.name)}r.compareByGeneratedPositionsInflated=compareByGeneratedPositionsInflated;function parseSourceMapInput(e){return JSON.parse(e.replace(/^\)]}'[^\n]*\n/,""))}r.parseSourceMapInput=parseSourceMapInput;function computeSourceURL(e,r,n){r=r||"";if(e){if(e[e.length-1]!=="/"&&r[0]!=="/"){e+="/"}r=e+r}if(n){var t=urlParse(n);if(!t){throw new Error("sourceMapURL could not be parsed")}if(t.path){var o=t.path.lastIndexOf("/");if(o>=0){t.path=t.path.substring(0,o+1)}}r=join(urlGenerate(t),r)}return normalize(r)}r.computeSourceURL=computeSourceURL},997:(e,r,n)=>{n(591).h;r.SourceMapConsumer=n(952).SourceMapConsumer;n(351)},284:(e,r,n)=>{e=n.nmd(e);var t=n(997).SourceMapConsumer;var o=n(17);var i;try{i=n(147);if(!i.existsSync||!i.readFileSync){i=null}}catch(e){}var a=n(650);function dynamicRequire(e,r){return e.require(r)}var u=false;var s=false;var l=false;var c="auto";var p={};var f={};var g=/^data:application\/json[^,]+base64,/;var h=[];var d=[];function isInBrowser(){if(c==="browser")return true;if(c==="node")return false;return typeof window!=="undefined"&&typeof XMLHttpRequest==="function"&&!(window.require&&window.module&&window.process&&window.process.type==="renderer")}function hasGlobalProcessEventEmitter(){return typeof process==="object"&&process!==null&&typeof process.on==="function"}function globalProcessVersion(){if(typeof process==="object"&&process!==null){return process.version}else{return""}}function 
globalProcessStderr(){if(typeof process==="object"&&process!==null){return process.stderr}}function globalProcessExit(e){if(typeof process==="object"&&process!==null&&typeof process.exit==="function"){return process.exit(e)}}function handlerExec(e){return function(r){for(var n=0;n"}var n=this.getLineNumber();if(n!=null){r+=":"+n;var t=this.getColumnNumber();if(t){r+=":"+t}}}var o="";var i=this.getFunctionName();var a=true;var u=this.isConstructor();var s=!(this.isToplevel()||u);if(s){var l=this.getTypeName();if(l==="[object Object]"){l="null"}var c=this.getMethodName();if(i){if(l&&i.indexOf(l)!=0){o+=l+"."}o+=i;if(c&&i.indexOf("."+c)!=i.length-c.length-1){o+=" [as "+c+"]"}}else{o+=l+"."+(c||"")}}else if(u){o+="new "+(i||"")}else if(i){o+=i}else{o+=r;a=false}if(a){o+=" ("+r+")"}return o}function cloneCallSite(e){var r={};Object.getOwnPropertyNames(Object.getPrototypeOf(e)).forEach((function(n){r[n]=/^(?:is|get)/.test(n)?function(){return e[n].call(e)}:e[n]}));r.toString=CallSiteToString;return r}function wrapCallSite(e,r){if(r===undefined){r={nextPosition:null,curPosition:null}}if(e.isNative()){r.curPosition=null;return e}var n=e.getFileName()||e.getScriptNameOrSourceURL();if(n){var t=e.getLineNumber();var o=e.getColumnNumber()-1;var i=/^v(10\.1[6-9]|10\.[2-9][0-9]|10\.[0-9]{3,}|1[2-9]\d*|[2-9]\d|\d{3,}|11\.11)/;var a=i.test(globalProcessVersion())?0:62;if(t===1&&o>a&&!isInBrowser()&&!e.isEval()){o-=a}var u=mapSourcePosition({source:n,line:t,column:o});r.curPosition=u;e=cloneCallSite(e);var s=e.getFunctionName;e.getFunctionName=function(){if(r.nextPosition==null){return s()}return r.nextPosition.name||s()};e.getFileName=function(){return u.source};e.getLineNumber=function(){return u.line};e.getColumnNumber=function(){return u.column+1};e.getScriptNameOrSourceURL=function(){return u.source};return e}var l=e.isEval()&&e.getEvalOrigin();if(l){l=mapEvalOrigin(l);e=cloneCallSite(e);e.getEvalOrigin=function(){return l};return e}return e}function 
prepareStackTrace(e,r){if(l){p={};f={}}var n=e.name||"Error";var t=e.message||"";var o=n+": "+t;var i={nextPosition:null,curPosition:null};var a=[];for(var u=r.length-1;u>=0;u--){a.push("\n at "+wrapCallSite(r[u],i));i.nextPosition=i.curPosition}i.curPosition=i.nextPosition=null;return o+a.reverse().join("")}function getErrorSource(e){var r=/\n at [^(]+ \((.*):(\d+):(\d+)\)/.exec(e.stack);if(r){var n=r[1];var t=+r[2];var o=+r[3];var a=p[n];if(!a&&i&&i.existsSync(n)){try{a=i.readFileSync(n,"utf8")}catch(e){a=""}}if(a){var u=a.split(/(?:\r\n|\r|\n)/)[t-1];if(u){return n+":"+t+"\n"+u+"\n"+new Array(o).join(" ")+"^"}}}return null}function printErrorAndExit(e){var r=getErrorSource(e);var n=globalProcessStderr();if(n&&n._handle&&n._handle.setBlocking){n._handle.setBlocking(true)}if(r){console.error();console.error(r)}console.error(e.stack);globalProcessExit(1)}function shimEmitUncaughtException(){var e=process.emit;process.emit=function(r){if(r==="uncaughtException"){var n=arguments[1]&&arguments[1].stack;var t=this.listeners(r).length>0;if(n&&!t){return printErrorAndExit(arguments[1])}}return e.apply(this,arguments)}}var S=h.slice(0);var _=d.slice(0);r.wrapCallSite=wrapCallSite;r.getErrorSource=getErrorSource;r.mapSourcePosition=mapSourcePosition;r.retrieveSourceMap=v;r.install=function(r){r=r||{};if(r.environment){c=r.environment;if(["node","browser","auto"].indexOf(c)===-1){throw new Error("environment "+c+" was unknown. 
Available options are {auto, browser, node}")}}if(r.retrieveFile){if(r.overrideRetrieveFile){h.length=0}h.unshift(r.retrieveFile)}if(r.retrieveSourceMap){if(r.overrideRetrieveSourceMap){d.length=0}d.unshift(r.retrieveSourceMap)}if(r.hookRequire&&!isInBrowser()){var n=dynamicRequire(e,"module");var t=n.prototype._compile;if(!t.__sourceMapSupport){n.prototype._compile=function(e,r){p[r]=e;f[r]=undefined;return t.call(this,e,r)};n.prototype._compile.__sourceMapSupport=true}}if(!l){l="emptyCacheBetweenOperations"in r?r.emptyCacheBetweenOperations:false}if(!u){u=true;Error.prepareStackTrace=prepareStackTrace}if(!s){var o="handleUncaughtExceptions"in r?r.handleUncaughtExceptions:true;try{var i=dynamicRequire(e,"worker_threads");if(i.isMainThread===false){o=false}}catch(e){}if(o&&hasGlobalProcessEventEmitter()){s=true;shimEmitUncaughtException()}}};r.resetRetrieveHandlers=function(){h.length=0;d.length=0;h=S.slice(0);d=_.slice(0);v=handlerExec(d);m=handlerExec(h)}},147:e=>{"use strict";e.exports=require("fs")},17:e=>{"use strict";e.exports=require("path")}};var r={};function __webpack_require__(n){var t=r[n];if(t!==undefined){return t.exports}var o=r[n]={id:n,loaded:false,exports:{}};var i=true;try{e[n](o,o.exports,__webpack_require__);i=false}finally{if(i)delete r[n]}o.loaded=true;return o.exports}(()=>{__webpack_require__.nmd=e=>{e.paths=[];if(!e.children)e.children=[];return e}})();if(typeof __webpack_require__!=="undefined")__webpack_require__.ab=__dirname+"/";var n={};(()=>{__webpack_require__(284).install()})();module.exports=n})(); -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "javascript-action", 3 | "version": "1.0.0", 4 | "description": "JavaScript Action Template", 5 | "main": "src/index.js", 6 | "scripts": { 7 | "prepare": "ncc build src/index.js -o dist --source-map --license licenses.txt", 8 | "test": "jest", 9 
| "all": "npm run prepare && npm run test" 10 | }, 11 | "repository": { 12 | "type": "git", 13 | "url": "git+https://github.com/advanced-security/sbom-generator-action.git" 14 | }, 15 | "keywords": [ 16 | "GitHub", 17 | "Actions", 18 | "JavaScript" 19 | ], 20 | "author": "", 21 | "license": "MIT", 22 | "bugs": { 23 | "url": "https://github.com/advanced-security/sbom-generator-action/issues" 24 | }, 25 | "homepage": "https://github.com/advanced-security/sbom-generator-action#readme", 26 | "dependencies": { 27 | "@actions/core": "^1.2.5", 28 | "@octokit/core": "^4.0.5", 29 | "dotenv": "^16.0.1" 30 | }, 31 | "devDependencies": { 32 | "@vercel/ncc": "^0.36.1", 33 | "ajv": "^8.11.0", 34 | "eslint": "^8.0.0", 35 | "jest": "^28.1.3", 36 | "fs": "^0.0.1-security" 37 | }, 38 | "bin": { 39 | "sbom-generator": "./dist/index.js" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/index.js: -------------------------------------------------------------------------------- 1 | const core = require('@actions/core'); 2 | const { Octokit } = require('@octokit/core'); 3 | const { randomUUID } = require('crypto'); 4 | const fs = require('fs'); 5 | require('dotenv').config(); 6 | 7 | // For local usage without GitHub Actions, we can accept the token and repository nwo from the command line. 8 | const token = process.env.GITHUB_TOKEN ? process.env.GITHUB_TOKEN : process.argv[2]; 9 | const repository = process.env.GITHUB_REPOSITORY ? process.env.GITHUB_REPOSITORY : process.argv[3]; 10 | const baseUrl = process.env.GITHUB_API_URL ? 
process.env.GITHUB_API_URL : "https://api.github.com"; 11 | 12 | const octokit = new Octokit({ auth: token, baseUrl: baseUrl}); 13 | 14 | // most @actions toolkit packages have async methods 15 | async function run() { 16 | const fileName = createFileName('spdx'); 17 | let sbom = await buildSBOM(await getDependencyGraph(), fileName); 18 | 19 | await writeFile(sbom, fileName); 20 | core.setOutput("fileName", fileName); 21 | } 22 | 23 | function createFileName(name) { 24 | const directory = process.env.GITHUB_WORKSPACE ?? "."; 25 | return `${directory}/${name}-${randomUUID()}.spdx.json`; 26 | } 27 | 28 | // Writes the given contents to a file and returns the file name. 29 | async function writeFile(contents, filePath) { 30 | //open a file called filePath and write contents to it 31 | fs.writeFile(filePath, contents, function (err) { 32 | if (err) { 33 | return console.log(err); 34 | } 35 | core.info("Wrote file to " + filePath); 36 | }); 37 | } 38 | 39 | // Builds a SPDX license file from the given dependency graph. 
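/**
 * Builds an SPDX 2.3 document from a dependency graph query result and
 * returns it serialized as a JSON string.
 *
 * @param {object} dependencyGraph Query result; packages are read from
 *   repository.dependencyGraphManifests.nodes[].dependencies.nodes[], using
 *   the packageManager, packageName and requirements fields of each entry.
 *   Missing levels are tolerated and yield an empty package list.
 * @param {string} fileName Used as the SPDX document name.
 * @returns {Promise<string>} The SPDX document as JSON text.
 */
async function buildSBOM(dependencyGraph, fileName) {
  core.debug("Building SPDX file");
  const spdx = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "dataLicense": "CC0-1.0",
    "name": fileName,
    "creationInfo": {
      "created": new Date(Date.now()).toISOString(),
      "creators": [
        "Tool: github.com/advanced-security/sbom-generator-action"
      ]
    },
    "packages": []
  };

  // The same package is commonly listed by more than one manifest; SPDX
  // element identifiers must be unique within a document, so track them.
  const usedIds = new Set();
  const manifests = dependencyGraph?.repository?.dependencyGraphManifests?.nodes ?? [];

  for (const manifest of manifests) {
    for (const dependency of manifest?.dependencies?.nodes ?? []) {
      spdx.packages.push({
        "SPDXID": _spdxPackageId(dependency.packageName, usedIds),
        "name": dependency.packageName,
        "versionInfo": getPackageVersion(dependency.requirements),
        "licenseDeclared": "NOASSERTION",
        "licenseConcluded": "NOASSERTION",
        "downloadLocation": "NOASSERTION",
        // Previously declared twice ("false" and false); the boolean is the
        // value that took effect and is the only one kept.
        "filesAnalyzed": false,
        "externalRefs": [
          {
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceLocator": getPurl(dependency),
            "referenceType": "purl",
          },
        ]
      });
    }
  }

  return JSON.stringify(spdx);
}

// Derives a document-unique SPDX identifier from a package name.
// SPDX 2.3 limits the part after "SPDXRef-" to letters, digits, "." and "-",
// so every other character becomes "-" (an underscore is not a valid
// replacement). A numeric suffix is appended when the identifier is taken.
function _spdxPackageId(packageName, usedIds) {
  const base = "SPDXRef-" + String(packageName).replace(/[^a-zA-Z0-9]/g, "-").toUpperCase();
  let id = base;
  for (let n = 2; usedIds.has(id); n++) {
    id = `${base}-${n}`;
  }
  usedIds.add(id);
  return id;
}

/**
 * Returns the package URL (purl) for the given dependency.
 *
 * Package names and versions come from manifests in the analysed repository,
 * so they are percent-encoded segment by segment: an unescaped "@", "?" or
 * "#" would otherwise move the purl's field boundaries and make a consumer
 * match the entry against a different package or version.
 *
 * @param {object} dependency Entry with packageManager, packageName and
 *   requirements.
 * @returns {string} "pkg:<type>/<name>[@<version>]"; the version part is
 *   left out when no version is known.
 */
function getPurl(dependency) {
  const version = getPackageVersion(dependency.requirements);
  // purl types are lowercase.
  // NOTE(review): this only lowercases packageManager; confirm that the
  // values returned by the API correspond to registered purl types.
  const type = String(dependency.packageManager).toLowerCase();
  const name = String(dependency.packageName)
    .split("/")
    .map((segment) => encodeURIComponent(segment))
    .join("/");
  const versionPart = version ? "@" + encodeURIComponent(version) : "";
  return `pkg:${type}/${name}${versionPart}`;
}

/**
 * Returns the package version for the given requirements string.
 *
 * Requirements strings are formatted like '= 1.1.0'. Only an exact pin is
 * reduced to its version. The match is anchored so that a range such as
 * '>= 1.0' is returned unchanged instead of being reported as the exact
 * version '1.0', which would make the SBOM claim a version that was never
 * resolved.
 *
 * @param {string} version The requirements string.
 * @returns {*} The pinned version, or the input unchanged when it is not an
 *   exact pin (including non-string input).
 */
function getPackageVersion(version) {
  if (typeof version !== "string") {
    return version; // nothing to parse; the caller decides how to render it
  }
  const exact = /^\s*==?\s*(\S.*?)\s*$/.exec(version);
  return exact ? exact[1] : version; // TODO, handle other cases better
}

// Returns the dependency graph for the repository.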
99 | async function getDependencyGraph() { 100 | core.debug("Getting repository dependency graph"); 101 | var dependencyGraph = await octokit.graphql(`query($name: String!, $owner: String! ) { 102 | repository (owner: $owner, name: $name) { 103 | dependencyGraphManifests { 104 | nodes { 105 | filename 106 | dependencies { 107 | nodes { 108 | packageManager 109 | packageName 110 | requirements 111 | } 112 | } 113 | } 114 | } 115 | } 116 | }`, 117 | { 118 | owner: repository.split('/')[0], 119 | name: repository.split('/')[1], 120 | mediaType: { 121 | previews: ["hawkgirl"], 122 | } 123 | }); 124 | 125 | return dependencyGraph; 126 | } 127 | 128 | run(); 129 | -------------------------------------------------------------------------------- /src/index.test.js: -------------------------------------------------------------------------------- 1 | const process = require('process'); 2 | const cp = require('child_process'); 3 | const path = require('path'); 4 | const { default: Ajv } = require('ajv'); 5 | const fs = require('fs'); 6 | const ajv = new Ajv(); 7 | const glob = require('glob'); 8 | const index = require('./index'); 9 | 10 | // shows how the runner will run a javascript action with env / stdout protocol 11 | test('Test runs and validates', async () => { 12 | process.env['INPUT_MILLISECONDS'] = 100; 13 | const ip = path.join(__dirname, 'index.js'); 14 | const result = cp.execSync(`node ${ip}`, {env: process.env}).toString(); 15 | console.log(result); 16 | 17 | // Get a file matching ".spdx.json" and validate it against the SPDX 2.3 schema. 
18 | var output = null; 19 | glob.sync("*.spdx.json").forEach(function(file) { 20 | output = JSON.parse(fs.readFileSync(file)); 21 | }); 22 | 23 | var spdxSchema = {}; 24 | console.log(__dirname); 25 | spdxSchema = JSON.parse(fs.readFileSync(path.resolve(__dirname, './schemas/spdx2.3.json'))); 26 | 27 | 28 | const validationResult = ajv.validate(spdxSchema, output); 29 | if (!validationResult) { 30 | console.log(ajv.errors); 31 | } 32 | expect(validationResult).toEqual(true); 33 | }) 34 | -------------------------------------------------------------------------------- /src/schemas/spdx2.3.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema" : "http://json-schema.org/draft-07/schema#", 3 | "$id" : "http://spdx.org/rdf/terms/2.3", 4 | "title" : "SPDX 2.3", 5 | "type" : "object", 6 | "properties" : { 7 | "SPDXID" : { 8 | "type" : "string", 9 | "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." 10 | }, 11 | "annotations" : { 12 | "description" : "Provide additional information about an SpdxElement.", 13 | "type" : "array", 14 | "items" : { 15 | "type" : "object", 16 | "properties" : { 17 | "annotationDate" : { 18 | "description" : "Identify when the comment was made. 
This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", 19 | "type" : "string" 20 | }, 21 | "annotationType" : { 22 | "description" : "Type of the annotation.", 23 | "type" : "string", 24 | "enum" : [ "OTHER", "REVIEW" ] 25 | }, 26 | "annotator" : { 27 | "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", 28 | "type" : "string" 29 | }, 30 | "comment" : { 31 | "type" : "string" 32 | } 33 | }, 34 | "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], 35 | "additionalProperties" : false, 36 | "description" : "An Annotation is a comment on an SpdxItem by an agent." 37 | } 38 | }, 39 | "comment" : { 40 | "type" : "string" 41 | }, 42 | "creationInfo" : { 43 | "type" : "object", 44 | "properties" : { 45 | "comment" : { 46 | "type" : "string" 47 | }, 48 | "created" : { 49 | "description" : "Identify when the SPDX document was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard.", 50 | "type" : "string" 51 | }, 52 | "creators" : { 53 | "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", 54 | "minItems" : 1, 55 | "type" : "array", 56 | "items" : { 57 | "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. 
If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", 58 | "type" : "string" 59 | } 60 | }, 61 | "licenseListVersion" : { 62 | "description" : "An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.", 63 | "type" : "string" 64 | } 65 | }, 66 | "required" : [ "created", "creators" ], 67 | "additionalProperties" : false, 68 | "description" : "One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools." 69 | }, 70 | "dataLicense" : { 71 | "description" : "License expression for dataLicense. See SPDX Annex D for the license expression syntax. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. 
For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", 72 | "type" : "string" 73 | }, 74 | "externalDocumentRefs" : { 75 | "description" : "Identify any external SPDX documents referenced within this SPDX document.", 76 | "type" : "array", 77 | "items" : { 78 | "type" : "object", 79 | "properties" : { 80 | "checksum" : { 81 | "type" : "object", 82 | "properties" : { 83 | "algorithm" : { 84 | "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", 85 | "type" : "string", 86 | "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] 87 | }, 88 | "checksumValue" : { 89 | "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", 90 | "type" : "string" 91 | } 92 | }, 93 | "required" : [ "algorithm", "checksumValue" ], 94 | "additionalProperties" : false, 95 | "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." 
96 | }, 97 | "externalDocumentId" : { 98 | "description" : "externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.", 99 | "type" : "string" 100 | }, 101 | "spdxDocument" : { 102 | "description" : "SPDX ID for SpdxDocument. A property containing an SPDX document.", 103 | "type" : "string" 104 | } 105 | }, 106 | "required" : [ "checksum", "externalDocumentId", "spdxDocument" ], 107 | "additionalProperties" : false, 108 | "description" : "Information about an external SPDX document reference including the checksum. This allows for verification of the external references." 109 | } 110 | }, 111 | "hasExtractedLicensingInfos" : { 112 | "description" : "Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.", 113 | "type" : "array", 114 | "items" : { 115 | "type" : "object", 116 | "properties" : { 117 | "comment" : { 118 | "type" : "string" 119 | }, 120 | "crossRefs" : { 121 | "description" : "Cross Reference Detail for a license SeeAlso URL", 122 | "type" : "array", 123 | "items" : { 124 | "type" : "object", 125 | "properties" : { 126 | "isLive" : { 127 | "description" : "Indicate a URL is still a live accessible location on the public internet", 128 | "type" : "boolean" 129 | }, 130 | "isValid" : { 131 | "description" : "True if the URL is a valid well formed URL", 132 | "type" : "boolean" 133 | }, 134 | "isWayBackLink" : { 135 | "description" : "True if the License SeeAlso URL points to a Wayback archive", 136 | "type" : "boolean" 137 | }, 138 | "match" : { 139 | "description" : "Status of a License List SeeAlso URL reference if it refers to a website that matches the license text.", 140 | "type" : "string" 141 | }, 142 | "order" : { 143 | "description" : "The ordinal order of this element within a list", 144 | "type" : "integer" 145 | }, 146 | "timestamp" : { 147 | "description" : "Timestamp", 148 | "type" : "string" 149 | }, 150 | "url" : { 151 
| "description" : "URL Reference", 152 | "type" : "string" 153 | } 154 | }, 155 | "required" : [ "url" ], 156 | "additionalProperties" : false, 157 | "description" : "Cross reference details for a URL reference" 158 | } 159 | }, 160 | "extractedText" : { 161 | "description" : "Provide a copy of the actual text of the license reference extracted from the package, file or snippet that is associated with the License Identifier to aid in future analysis.", 162 | "type" : "string" 163 | }, 164 | "licenseId" : { 165 | "description" : "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-[idString]\" where [idString] is a unique string containing letters, numbers, \".\" or \"-\". When used within a license expression, the license ID can optionally include a reference to an external document in the form \"DocumentRef-[docrefIdString]:LicenseRef-[idString]\" where docRefIdString is an ID for an external document reference.", 166 | "type" : "string" 167 | }, 168 | "name" : { 169 | "description" : "Identify name of this SpdxElement.", 170 | "type" : "string" 171 | }, 172 | "seeAlsos" : { 173 | "type" : "array", 174 | "items" : { 175 | "type" : "string" 176 | } 177 | } 178 | }, 179 | "required" : [ "extractedText", "licenseId" ], 180 | "additionalProperties" : false, 181 | "description" : "An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo."
182 | } 183 | }, 184 | "name" : { 185 | "description" : "Identify name of this SpdxElement.", 186 | "type" : "string" 187 | }, 188 | "revieweds" : { 189 | "description" : "Reviewed", 190 | "type" : "array", 191 | "items" : { 192 | "type" : "object", 193 | "properties" : { 194 | "comment" : { 195 | "type" : "string" 196 | }, 197 | "reviewDate" : { 198 | "description" : "The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.", 199 | "type" : "string" 200 | }, 201 | "reviewer" : { 202 | "description" : "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax. The reviewer property is deprecated in favor of Annotation with an annotationType review.", 203 | "type" : "string" 204 | } 205 | }, 206 | "required" : [ "reviewDate" ], 207 | "additionalProperties" : false, 208 | "description" : "This class has been deprecated in favor of an Annotation with an Annotation type of review." 209 | } 210 | }, 211 | "spdxVersion" : { 212 | "description" : "Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made.", 213 | "type" : "string" 214 | }, 215 | "documentNamespace" : { 216 | "type" : "string", 217 | "description" : "The URI provides an unambiguous mechanism for other SPDX documents to reference SPDX elements within this SPDX document." 
218 | }, 219 | "documentDescribes" : { 220 | "description" : "Packages, files and/or Snippets described by this SPDX document", 221 | "type" : "array", 222 | "items" : { 223 | "type" : "string", 224 | "description" : "SPDX ID for each Package, File, or Snippet." 225 | } 226 | }, 227 | "packages" : { 228 | "description" : "Packages referenced in the SPDX document", 229 | "type" : "array", 230 | "items" : { 231 | "type" : "object", 232 | "properties" : { 233 | "SPDXID" : { 234 | "type" : "string", 235 | "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." 236 | }, 237 | "annotations" : { 238 | "description" : "Provide additional information about an SpdxElement.", 239 | "type" : "array", 240 | "items" : { 241 | "type" : "object", 242 | "properties" : { 243 | "annotationDate" : { 244 | "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", 245 | "type" : "string" 246 | }, 247 | "annotationType" : { 248 | "description" : "Type of the annotation.", 249 | "type" : "string", 250 | "enum" : [ "OTHER", "REVIEW" ] 251 | }, 252 | "annotator" : { 253 | "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", 254 | "type" : "string" 255 | }, 256 | "comment" : { 257 | "type" : "string" 258 | } 259 | }, 260 | "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], 261 | "additionalProperties" : false, 262 | "description" : "An Annotation is a comment on an SpdxItem by an agent." 263 | } 264 | }, 265 | "attributionTexts" : { 266 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. 
This is not meant to include the actual complete license text (see licenseConcluded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 267 | "type" : "array", 268 | "items" : { 269 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConcluded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 270 | "type" : "string" 271 | } 272 | }, 273 | "builtDate" : { 274 | "description" : "This field provides a place for recording the actual date the package was built.", 275 | "type" : "string" 276 | }, 277 | "checksums" : { 278 | "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", 279 | "type" : "array", 280 | "items" : { 281 | "type" : "object", 282 | "properties" : { 283 | "algorithm" : { 284 | "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm.
It is anticipated that other algorithms will be supported at a later time.", 285 | "type" : "string", 286 | "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] 287 | }, 288 | "checksumValue" : { 289 | "description" : "The checksumValue property provides a lower case hexadecimal encoded digest value produced using a specific algorithm.", 290 | "type" : "string" 291 | } 292 | }, 293 | "required" : [ "algorithm", "checksumValue" ], 294 | "additionalProperties" : false, 295 | "description" : "A Checksum is a value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." 296 | } 297 | }, 298 | "comment" : { 299 | "type" : "string" 300 | }, 301 | "copyrightText" : { 302 | "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", 303 | "type" : "string" 304 | }, 305 | "description" : { 306 | "description" : "Provides a detailed description of the package.", 307 | "type" : "string" 308 | }, 309 | "downloadLocation" : { 310 | "description" : "The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property.
The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.", 311 | "type" : "string" 312 | }, 313 | "externalRefs" : { 314 | "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.", 315 | "type" : "array", 316 | "items" : { 317 | "type" : "object", 318 | "properties" : { 319 | "comment" : { 320 | "type" : "string" 321 | }, 322 | "referenceCategory" : { 323 | "description" : "Category for the external reference", 324 | "type" : "string", 325 | "enum" : [ "OTHER", "PERSISTENT-ID", "SECURITY", "PACKAGE-MANAGER" ] 326 | }, 327 | "referenceLocator" : { 328 | "description" : "The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the referenceType.", 329 | "type" : "string" 330 | }, 331 | "referenceType" : { 332 | "description" : "Type of the external reference. These are defined in an appendix in the SPDX specification.", 333 | "type" : "string" 334 | } 335 | }, 336 | "required" : [ "referenceCategory", "referenceLocator", "referenceType" ], 337 | "additionalProperties" : false, 338 | "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package." 339 | } 340 | }, 341 | "filesAnalyzed" : { 342 | "description" : "Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document.
If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If set to false, the package must not contain any files.", 343 | "type" : "boolean" 344 | }, 345 | "hasFiles" : { 346 | "description" : "Indicates that a particular file belongs to a package.", 347 | "type" : "array", 348 | "items" : { 349 | "description" : "SPDX ID for File. Indicates that a particular file belongs to a package.", 350 | "type" : "string" 351 | } 352 | }, 353 | "homepage" : { 354 | "type" : "string" 355 | }, 356 | "licenseComments" : { 357 | "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", 358 | "type" : "string" 359 | }, 360 | "licenseConcluded" : { 361 | "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", 362 | "type" : "string" 363 | }, 364 | "licenseDeclared" : { 365 | "description" : "License expression for licenseDeclared. See SPDX Annex D for the license expression syntax. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", 366 | "type" : "string" 367 | }, 368 | "licenseInfoFromFiles" : { 369 | "description" : "The licensing information that was discovered directly within the package. 
There will be an instance of this property for each distinct value of all licenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same package is true or omitted, it implies an equivalent meaning to NOASSERTION.", 370 | "type" : "array", 371 | "items" : { 372 | "description" : "License expression for licenseInfoFromFiles. See SPDX Annex D for the license expression syntax. The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of all licenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same package is true or omitted, it implies an equivalent meaning to NOASSERTION.", 373 | "type" : "string" 374 | } 375 | }, 376 | "name" : { 377 | "description" : "Identify name of this SpdxElement.", 378 | "type" : "string" 379 | }, 380 | "originator" : { 381 | "description" : "The name and, optionally, contact information of the person or organization that originally created the package. Values of this property must conform to the agent and tool syntax.", 382 | "type" : "string" 383 | }, 384 | "packageFileName" : { 385 | "description" : "The base name of the package file name. For example, zlib-1.2.5.tar.gz.", 386 | "type" : "string" 387 | }, 388 | "packageVerificationCode" : { 389 | "type" : "object", 390 | "properties" : { 391 | "packageVerificationCodeExcludedFiles" : { 392 | "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code.
If this is not done it would be impossible to correctly calculate the verification codes in both files.", 393 | "type" : "array", 394 | "items" : { 395 | "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", 396 | "type" : "string" 397 | } 398 | }, 399 | "packageVerificationCodeValue" : { 400 | "description" : "The actual package verification code as a hex encoded value.", 401 | "type" : "string" 402 | } 403 | }, 404 | "required" : [ "packageVerificationCodeValue" ], 405 | "additionalProperties" : false, 406 | "description" : "A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item." 407 | }, 408 | "primaryPackagePurpose" : { 409 | "description" : "This field provides information about the primary purpose of the identified package. 
Package Purpose is intrinsic to how the package is being used rather than the content of the package.", 410 | "type" : "string", 411 | "enum" : [ "OTHER", "INSTALL", "ARCHIVE", "FIRMWARE", "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "SOURCE", "DEVICE", "OPERATING_SYSTEM", "FILE" ] 412 | }, 413 | "releaseDate" : { 414 | "description" : "This field provides a place for recording the date the package was released.", 415 | "type" : "string" 416 | }, 417 | "sourceInfo" : { 418 | "description" : "Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.", 419 | "type" : "string" 420 | }, 421 | "summary" : { 422 | "description" : "Provides a short description of the package.", 423 | "type" : "string" 424 | }, 425 | "supplier" : { 426 | "description" : "The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax.", 427 | "type" : "string" 428 | }, 429 | "validUntilDate" : { 430 | "description" : "This field provides a place for recording the end of the support period for a package from the supplier.", 431 | "type" : "string" 432 | }, 433 | "versionInfo" : { 434 | "description" : "Provides an indication of the version of the package that is described by this SpdxDocument.", 435 | "type" : "string" 436 | } 437 | }, 438 | "required" : [ "SPDXID", "downloadLocation", "name" ], 439 | "additionalProperties" : false 440 | } 441 | }, 442 | "files" : { 443 | "description" : "Files referenced in the SPDX document", 444 | "type" : "array", 445 | "items" : { 446 | "type" : "object", 447 | "properties" : { 448 | "SPDXID" : { 449 | "type" : "string", 450 | "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." 
451 | }, 452 | "annotations" : { 453 | "description" : "Provide additional information about an SpdxElement.", 454 | "type" : "array", 455 | "items" : { 456 | "type" : "object", 457 | "properties" : { 458 | "annotationDate" : { 459 | "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", 460 | "type" : "string" 461 | }, 462 | "annotationType" : { 463 | "description" : "Type of the annotation.", 464 | "type" : "string", 465 | "enum" : [ "OTHER", "REVIEW" ] 466 | }, 467 | "annotator" : { 468 | "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", 469 | "type" : "string" 470 | }, 471 | "comment" : { 472 | "type" : "string" 473 | } 474 | }, 475 | "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], 476 | "additionalProperties" : false, 477 | "description" : "An Annotation is a comment on an SpdxItem by an agent." 478 | } 479 | }, 480 | "artifactOfs" : { 481 | "description" : "Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.", 482 | "type" : "array", 483 | "items" : { 484 | "type" : "object" 485 | } 486 | }, 487 | "attributionTexts" : { 488 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). 
The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 489 | "type" : "array", 490 | "items" : { 491 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConcluded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 492 | "type" : "string" 493 | } 494 | }, 495 | "checksums" : { 496 | "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", 497 | "minItems" : 1, 498 | "type" : "array", 499 | "items" : { 500 | "type" : "object", 501 | "properties" : { 502 | "algorithm" : { 503 | "description" : "Identifies the algorithm used to produce the subject Checksum. The value must be one of the algorithms listed in the enum for this property. ADLER32, MD2, MD4, MD5 and SHA1 are not collision-resistant, so a checksum that uses one of them should not be relied on to detect deliberate substitution.", 504 | "type" : "string", 505 | "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] 506 | }, 507 | "checksumValue" : { 508 | "description" : "The checksumValue property provides a lower case hexadecimal encoded digest value produced using a specific algorithm.", 509 | "type" : "string" 510 | } 511 | }, 512 | "required" : [ "algorithm", "checksumValue" ], 513 | "additionalProperties" : false, 514 | "description" : "A Checksum is a value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum.
This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." 515 | } 516 | }, 517 | "comment" : { 518 | "type" : "string" 519 | }, 520 | "copyrightText" : { 521 | "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", 522 | "type" : "string" 523 | }, 524 | "fileContributors" : { 525 | "description" : "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", 526 | "type" : "array", 527 | "items" : { 528 | "description" : "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", 529 | "type" : "string" 530 | } 531 | }, 532 | "fileDependencies" : { 533 | "description" : "This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.", 534 | "type" : "array", 535 | "items" : { 536 | "description" : "SPDX ID for File. 
This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.", 537 | "type" : "string" 538 | } 539 | }, 540 | "fileName" : { 541 | "description" : "The name of the file relative to the root of the package.", 542 | "type" : "string" 543 | }, 544 | "fileTypes" : { 545 | "description" : "The type of the file.", 546 | "type" : "array", 547 | "items" : { 548 | "description" : "The type of the file.", 549 | "type" : "string", 550 | "enum" : [ "OTHER", "DOCUMENTATION", "IMAGE", "VIDEO", "ARCHIVE", "SPDX", "APPLICATION", "SOURCE", "BINARY", "TEXT", "AUDIO" ] 551 | } 552 | }, 553 | "licenseComments" : { 554 | "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", 555 | "type" : "string" 556 | }, 557 | "licenseConcluded" : { 558 | "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", 559 | "type" : "string" 560 | }, 561 | "licenseInfoInFiles" : { 562 | "description" : "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", 563 | "type" : "array", 564 | "items" : { 565 | "description" : "License expression for licenseInfoInFile. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject file. 
This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", 566 | "type" : "string" 567 | } 568 | }, 569 | "noticeText" : { 570 | "description" : "This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.", 571 | "type" : "string" 572 | } 573 | }, 574 | "required" : [ "SPDXID", "checksums", "fileName" ], 575 | "additionalProperties" : false 576 | } 577 | }, 578 | "snippets" : { 579 | "description" : "Snippets referenced in the SPDX document", 580 | "type" : "array", 581 | "items" : { 582 | "type" : "object", 583 | "properties" : { 584 | "SPDXID" : { 585 | "type" : "string", 586 | "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." 587 | }, 588 | "annotations" : { 589 | "description" : "Provide additional information about an SpdxElement.", 590 | "type" : "array", 591 | "items" : { 592 | "type" : "object", 593 | "properties" : { 594 | "annotationDate" : { 595 | "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", 596 | "type" : "string" 597 | }, 598 | "annotationType" : { 599 | "description" : "Type of the annotation.", 600 | "type" : "string", 601 | "enum" : [ "OTHER", "REVIEW" ] 602 | }, 603 | "annotator" : { 604 | "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", 605 | "type" : "string" 606 | }, 607 | "comment" : { 608 | "type" : "string" 609 | } 610 | }, 611 | "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], 612 | "additionalProperties" : false, 613 | "description" : "An Annotation is a comment on an SpdxItem by an agent." 
614 | } 615 | }, 616 | "attributionTexts" : { 617 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 618 | "type" : "array", 619 | "items" : { 620 | "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", 621 | "type" : "string" 622 | } 623 | }, 624 | "comment" : { 625 | "type" : "string" 626 | }, 627 | "copyrightText" : { 628 | "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", 629 | "type" : "string" 630 | }, 631 | "licenseComments" : { 632 | "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", 633 | "type" : "string" 634 | }, 635 | "licenseConcluded" : { 636 | "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. 
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", 637 | "type" : "string" 638 | }, 639 | "licenseInfoInSnippets" : { 640 | "description" : "Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", 641 | "type" : "array", 642 | "items" : { 643 | "description" : "License expression for licenseInfoInSnippet. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", 644 | "type" : "string" 645 | } 646 | }, 647 | "name" : { 648 | "description" : "Identify name of this SpdxElement.", 649 | "type" : "string" 650 | }, 651 | "ranges" : { 652 | "description" : "This field defines the byte range in the original host file (in X.2) that the snippet information applies to", 653 | "minItems" : 1, 654 | "type" : "array", 655 | "items" : { 656 | "type" : "object", 657 | "properties" : { 658 | "endPointer" : { 659 | "type" : "object", 660 | "properties" : { 661 | "reference" : { 662 | "description" : "SPDX ID for File", 663 | "type" : "string" 664 | }, 665 | "offset" : { 666 | "type" : "integer", 667 | "description" : "Byte offset in the file" 668 | }, 669 | "lineNumber" : { 670 | "type" : "integer", 671 | "description" : "line number offset in the file" 672 | } 673 | }, 674 | "required" : [ "reference" ], 675 | "additionalProperties" : false 676 | }, 677 | "startPointer" : { 678 | "type" : "object", 679 | "properties" : { 680 | "reference" : { 681 | 
"description" : "SPDX ID for File", 682 | "type" : "string" 683 | }, 684 | "offset" : { 685 | "type" : "integer", 686 | "description" : "Byte offset in the file" 687 | }, 688 | "lineNumber" : { 689 | "type" : "integer", 690 | "description" : "line number offset in the file" 691 | } 692 | }, 693 | "required" : [ "reference" ], 694 | "additionalProperties" : false 695 | } 696 | }, 697 | "required" : [ "endPointer", "startPointer" ], 698 | "additionalProperties" : false 699 | } 700 | }, 701 | "snippetFromFile" : { 702 | "description" : "SPDX ID for File. File containing the SPDX element (e.g. the file containing a snippet).", 703 | "type" : "string" 704 | } 705 | }, 706 | "required" : [ "SPDXID", "name", "ranges", "snippetFromFile" ], 707 | "additionalProperties" : false 708 | } 709 | }, 710 | "relationships" : { 711 | "description" : "Relationships referenced in the SPDX document", 712 | "type" : "array", 713 | "items" : { 714 | "type" : "object", 715 | "properties" : { 716 | "spdxElementId" : { 717 | "type" : "string", 718 | "description" : "Id to which the SPDX element is related" 719 | }, 720 | "comment" : { 721 | "type" : "string" 722 | }, 723 | "relatedSpdxElement" : { 724 | "description" : "SPDX ID for SpdxElement. 
A related SpdxElement.", 725 | "type" : "string" 726 | }, 727 | "relationshipType" : { 728 | "description" : "Describes the type of relationship between two SPDX elements.", 729 | "type" : "string", 730 | "enum" : [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "REQUIREMENT_DESCRIPTION_FOR", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "SPECIFICATION_FOR", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "AMENDS", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF" ] 731 | } 732 | }, 733 | "required" : [ "spdxElementId", "relatedSpdxElement", "relationshipType" ], 734 | "additionalProperties" : false 735 | } 736 | } 737 | }, 738 | "required" : [ "SPDXID", "creationInfo", "dataLicense", "name", "spdxVersion" ], 739 | "additionalProperties" : false 740 | } --------------------------------------------------------------------------------