feat: add switch --lockfile-only

README.md

@@ -67,6 +67,8 @@ $ yarn cyclonedx
 
 ━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
+  --lockfile-only            Only use the yarn.lock file for dependency information.
+                             No network calls will be made.
   --production,--prod        Exclude development dependencies.
                              (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
   --gather-license-texts     Search for license files in components and include them as license evidence.

src/builders.ts

@@ -53,6 +53,7 @@ interface BomBuilderOptions {
   reproducible?: BomBuilder['reproducible']
   shortPURLs?: BomBuilder['shortPURLs']
   gatherLicenseTexts?: BomBuilder['gatherLicenseTexts']
+  lockfileOnly?: BomBuilder['lockfileOnly']
 }
 
 export class BomBuilder {
@@ -65,6 +66,7 @@ export class BomBuilder {
   readonly reproducible: boolean
   readonly shortPURLs: boolean
   readonly gatherLicenseTexts: boolean
+  readonly lockfileOnly: boolean
 
   readonly console: Console
 
@@ -84,6 +86,7 @@ export class BomBuilder {
     this.reproducible = options.reproducible ?? false
     this.shortPURLs = options.shortPURLs ?? false
     this.gatherLicenseTexts = options.gatherLicenseTexts ?? false
+    this.lockfileOnly = options.lockfileOnly ?? false
 
     this.console = console_
   }
@@ -157,6 +160,16 @@ export class BomBuilder {
   }
 
   private async makeManifestFetcher (project: Project): Promise<ManifestFetcher> {
+    if (this.lockfileOnly) {
+      /* eslint-disable-next-line @typescript-eslint/require-await -- needed for signature */
+      return async function (pkg: Package): Promise<NonNullable<any>> {
+        return {
+          name: pkg.name,
+          version: pkg.version
+        }
+      }
+    }
+
     const fetcher = project.configuration.makeFetcher()
     const fetcherOptions: FetchOptions = {
       project,
@@ -180,6 +193,12 @@ export class BomBuilder {
   }
 
   private async makeLicenseEvidenceFetcher (project: Project): Promise<LicenseEvidenceFetcher> {
+    if (this.lockfileOnly) {
+      return async function * (_pkg: Package): AsyncGenerator<License> {
+        // no-op, yield nothing
+      }
+    }
+
     const fetcher = project.configuration.makeFetcher()
     const fetcherOptions: FetchOptions = {
       project,

src/commands.ts

@@ -25,7 +25,7 @@ import type { Types as SerializeTypes } from '@cyclonedx/cyclonedx-library/Seria
 import { JSON as SerializeJSON, JsonSerializer, XML as SerializeXML, XmlSerializer } from '@cyclonedx/cyclonedx-library/Serialize'
 import { SpecVersionDict, Version as SpecVersion } from '@cyclonedx/cyclonedx-library/Spec'
 import type { CommandContext } from '@yarnpkg/core'
-import { Configuration, Project, YarnVersion } from '@yarnpkg/core'
+import { Configuration, Project, ThrowReport, YarnVersion } from '@yarnpkg/core'
 import { npath, xfs } from '@yarnpkg/fslib'
 import { Command, Option } from 'clipanion'
 import spdxExpressionParse from "spdx-expression-parse"
@@ -76,6 +76,11 @@ export class MakeSbomCommand extends Command<CommandContext> {
     details: 'Recursively scan workspace dependencies and emits them as Software-Bill-of-Materials(SBOM) in CycloneDX format.'
   })
 
+  readonly lockfileOnly = Option.Boolean('--lockfile-only', false, {
+    description: 'Only use the yarn.lock file for dependency information.\n'+
+        'No network calls will be made.'
+  })
+
   /* mimic option from yarn.
     - see  https://classic.yarnpkg.com/lang/en/docs/cli/install/#toc-yarn-install-production-true-false
     - see https://yarnpkg.com/cli/workspaces/focus
@@ -158,6 +163,7 @@ export class MakeSbomCommand extends Command<CommandContext> {
       outputReproducible: this.outputReproducible,
       gatherLicenseTexts: this.gatherLicenseTexts,
       verbosity: this.verbosity,
+      lockfileOnly: this.lockfileOnly,
       projectDir
     })
 
@@ -170,7 +176,13 @@ export class MakeSbomCommand extends Command<CommandContext> {
     }
     myConsole.debug('DEBUG | project:', project.cwd)
     myConsole.debug('DEBUG | workspace:', workspace.cwd)
-    await workspace.project.restoreInstallState()
+
+    if (this.lockfileOnly) {
+      myConsole.info('INFO  | skipping workspace installation state restoration (--lockfile-only)')
+      await workspace.project.resolveEverything({ lockfileOnly: true, report: new ThrowReport() })
+    } else {
+      await workspace.project.restoreInstallState()
+    }
 
     const extRefFactory = new FromNodePackageJsonFactories.ExternalReferenceFactory()
 
@@ -187,7 +199,8 @@ export class MakeSbomCommand extends Command<CommandContext> {
         metaComponentType: this.mcType,
         reproducible: this.outputReproducible,
         shortPURLs: this.shortPURLs,
-        gatherLicenseTexts: this.gatherLicenseTexts
+        gatherLicenseTexts: this.gatherLicenseTexts,
+        lockfileOnly: this.lockfileOnly
       },
       myConsole
     )).buildFromWorkspace(workspace)