feat: add support for cyclonedx and cyclonedx-json output-formats

.gitignore

@@ -122,3 +122,5 @@ typings/
 results.sarif
 vulnerabilities.json
 results.json
+results.bom
+results.bom.json

README.md

@@ -127,7 +127,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `registry-username` | The registry username to use when authenticating to an external registry                                                                                                                                                                                         |               |
 | `registry-password` | The registry password to use when authenticating to an external registry                                                                                                                                                                                         |               |
 | `fail-build`        | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `medium` and can be set with `severity-cutoff`.                                                                                                                     | `true`        |
-| `output-format`     | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, and `table`, where `table` output will print to the console instead of generating a file.                                                                         | `sarif`       |
+| `output-format`     | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, `cyclonedx`, `cyclonedx-json` and `table`, where `table` output will print to the console instead of generating a file.                                                                         | `sarif`       |
 | `severity-cutoff`   | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium`      |
 | `only-fixed`        | Specify whether to only report vulnerabilities that have a fix available.                                                                                                                                                                                        | `false`       |
 | `add-cpes-if-none`  | Specify whether to autogenerate missing CPEs.                                                                                                                                                                                                                    | `false`       |
@@ -142,6 +142,8 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | ----------- | ------------------------------------------------------------ | ------ |
 | `sarif`     | Path to the SARIF report file, if `output-format` is `sarif` | string |
 | `json`      | Path to the report file , if `output-format` is `json`       | string |
+| `cyclonedx` | Path to the CycloneDX report file, if `output-format` is `cyclonedx` | string |
+| `cyclonedx-json` | Path to the CycloneDX JSON report file, if `output-format` is `cyclonedx-json` | string |
 
 ### Example Workflows
 

action.yml

@@ -18,7 +18,7 @@ inputs:
     required: false
     default: "true"
   output-format:
-    description: 'Set the output parameter after successful action execution. Valid choices are "json", "sarif", and "table".'
+    description: 'Set the output parameter after successful action execution. Valid choices are "json", "sarif", "cyclonedx", "cyclonedx-json" and "table".'
     required: false
     default: "sarif"
   severity-cutoff:

dist/index.js

@@ -326,7 +326,7 @@ async function runScan({
   }
 
   const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
-  const FORMAT_LIST = ["sarif", "json", "table"];
+  const FORMAT_LIST = ["sarif", "json", "table", "cyclonedx", "cyclonedx-json"];
   let cmdArgs = [];
 
   if (core.isDebug()) {
@@ -418,6 +418,18 @@ async function runScan({
       out.json = REPORT_FILE;
       break;
     }
+    case "cyclonedx": {
+      const CYCLONEDX_FILE = "./results.bom";
+      fs.writeFileSync(CYCLONEDX_FILE, stdout);
+      out.cyclonedx = CYCLONEDX_FILE;
+      break;
+    }
+    case "cyclonedx-json": {
+      const CYCLONEDX_JSON_FILE = "./results.bom.json";
+      fs.writeFileSync(CYCLONEDX_JSON_FILE, stdout);
+      out["cyclonedx-json"] = CYCLONEDX_JSON_FILE;
+      break;
+    }
     default: // e.g. table
       core.info(stdout);
   }

index.js

@@ -312,7 +312,7 @@ async function runScan({
   }
 
   const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
-  const FORMAT_LIST = ["sarif", "json", "table"];
+  const FORMAT_LIST = ["sarif", "json", "table", "cyclonedx", "cyclonedx-json"];
   let cmdArgs = [];
 
   if (core.isDebug()) {
@@ -404,6 +404,18 @@ async function runScan({
       out.json = REPORT_FILE;
       break;
     }
+    case "cyclonedx": {
+      const CYCLONEDX_FILE = "./results.bom";
+      fs.writeFileSync(CYCLONEDX_FILE, stdout);
+      out.cyclonedx = CYCLONEDX_FILE;
+      break;
+    }
+    case "cyclonedx-json": {
+      const CYCLONEDX_JSON_FILE = "./results.bom.json";
+      fs.writeFileSync(CYCLONEDX_JSON_FILE, stdout);
+      out["cyclonedx-json"] = CYCLONEDX_JSON_FILE;
+      break;
+    }
     default: // e.g. table
       core.info(stdout);
   }

tests/action.test.js

@@ -88,6 +88,36 @@ describe("Github action", () => {
     expect(outputs["json"]).toBeFalsy();
   });
 
+  it("runs with cyclonedx output", async () => {
+    const outputs = mockIO({
+      image: "",
+      path: "tests/fixtures/npm-project",
+      "fail-build": "true",
+      "output-format": "cyclonedx",
+      "severity-cutoff": "medium",
+      "add-cpes-if-none": "true",
+    });
+
+    await run();
+
+    expect(outputs["cyclonedx"]).toBe("./results.bom");
+  });
+
+  it("runs with cyclonedx-json output", async () => {
+    const outputs = mockIO({
+      image: "",
+      path: "tests/fixtures/npm-project",
+      "fail-build": "true",
+      "output-format": "cyclonedx-json",
+      "severity-cutoff": "medium",
+      "add-cpes-if-none": "true",
+    });
+
+    await run();
+
+    expect(outputs["cyclonedx-json"]).toBe("./results.bom.json");
+  });
+
   it("runs with environment variables", async () => {
     mockIO({
       path: "tests/fixtures/npm-project",

tests/grype_command.test.js

@@ -21,6 +21,40 @@ describe("Grype command args", () => {
     expect(args).toEqual(["-o", "sarif", "--fail-on", "high", "dir:."]);
   });
 
+  it("is invoked with cyclonedx output", async () => {
+    const args = await mockRun({
+      source: "dir:.",
+      "fail-build": "false",
+      "output-format": "cyclonedx",
+      "severity-cutoff": "high",
+      version: "0.6.0",
+      "only-fixed": "false",
+      "add-cpes-if-none": "false",
+      "by-cve": "false",
+    });
+    expect(args).toEqual(["-o", "cyclonedx", "--fail-on", "high", "dir:."]);
+  });
+
+  it("is invoked with cyclonedx-json output", async () => {
+    const args = await mockRun({
+      source: "dir:.",
+      "fail-build": "false",
+      "output-format": "cyclonedx-json",
+      "severity-cutoff": "high",
+      version: "0.6.0",
+      "only-fixed": "false",
+      "add-cpes-if-none": "false",
+      "by-cve": "false",
+    });
+    expect(args).toEqual([
+      "-o",
+      "cyclonedx-json",
+      "--fail-on",
+      "high",
+      "dir:.",
+    ]);
+  });
+
   it("is invoked with values", async () => {
     const args = await mockRun({
       image: "asdf",