feat: Dependency track tags reporting

Günter Schafranek · Günter Schafranek · commit 7c34e740ee35 · 2025-10-13T16:30:53.000+02:00
- Allow providing (multiple) tags for dependency track reporting

Signed-off-by: Günter Schafranek &lt;gschafra@web.de&gt;
diff --git a/README.md b/README.md
@@ -132,6 +132,7 @@ Options:
       --project-group             Dependency track project group
       --project-name              Dependency track project name. Default use the directory name
       --project-version           Dependency track project version                                [string] [default: ""]
+      --project-tag               Dependency track project tag. Multiple values allowed.                         [array]
       --project-id                Dependency track project id. Either provide the id or the project name and version tog
                                   ether                                                                         [string]
       --parent-project-id         Dependency track parent project id                                            [string]
diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -136,6 +136,9 @@ const args = _yargs
     default: "",
     type: "string",
   })
+  .option("project-tag", {
+    description: "Dependency track project tag. Multiple values allowed.",
+  })
   .option("project-id", {
     description:
       "Dependency track project id. Either provide the id or the project name and version together",
diff --git a/docs/CLI.md b/docs/CLI.md
@@ -81,6 +81,7 @@ Options:
       --project-group             Dependency track project group
       --project-name              Dependency track project name. Default use the directory name
       --project-version           Dependency track project version                                [string] [default: ""]
+      --project-tag               Dependency track project tags. Multiple values allowed.                        [array]
       --project-id                Dependency track project id. Either provide the id or the project name and version tog
                                   ether                                                                         [string]
       --parent-project-id         Dependency track parent project id                                            [string]
diff --git a/docs/README.md b/docs/README.md
@@ -133,6 +133,8 @@ Invoke cdxgen with the below arguments to automatically submit the BOM to your o
       --project-name           Dependency track project name. Default use the di
                                rectory name
       --project-version        Dependency track project version    [default: ""]
+      --project-tag            Dependency track project tag. Multiple values all
+                               owed.                                     [array]
       --project-id             Dependency track project id. Either provide the i
                                d or the project name and version together
       --parent-project-id      Dependency track parent project id
diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -8677,6 +8677,14 @@ export async function submitBom(args, bomContents) {
   ) {
     bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
   }
+  if (typeof args.projectTag !== "undefined") {
+    // If args.projectTag is not an array, convert it to an array
+    // Attention, array items should be of form { name: "tagName " }
+    // see https://yoursky.blue/documentation/rest-api#tag/bom/operation/UploadBomBase64Encoded
+    bomPayload.projectTags = (
+      Array.isArray(args.projectTag) ? args.projectTag : [args.projectTag]
+    ).map((tag) => ({ name: tag }));
+  }
   if (DEBUG_MODE) {
     console.log(
       "Submitting BOM to",
diff --git a/lib/server/server.js b/lib/server/server.js
@@ -34,6 +34,7 @@ const ALLOWED_PARAMS = [
   "projectId",
   "projectName",
   "projectGroup",
+  "projectTag",
   "projectVersion",
   "parentUUID",
   "serverUrl",
