@cyclonedx/cdxgen 10.0.0 → 10.0.2

package/bin/repl.js

@@ -468,6 +468,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
   "docker_volumes",
   "etc_hosts",
   "firefox_addons",
+  "vscode_extensions",
   "homebrew_packages",
   "installed_applications",
   "interface_addresses",
@@ -494,7 +495,6 @@ cdxgenRepl.defineCommand("osinfocategories", {
   "windows_shared_resources",
   "yum_sources",
   "appcompat_shims",
-  "atom_packages",
   "browser_plugins",
   "certificates",
   "chocolatey_packages",

package/binary.js

@@ -40,10 +40,17 @@ switch (arch) {
     arch = "amd64";
     if (platform === "windows") {
       pluginsBinSuffix = "-windows-amd64";
+    } else if (platform === "darwin") {
+      pluginsBinSuffix = "-darwin-amd64";
     }
     break;
   case "arm64":
     pluginsBinSuffix = "-arm64";
+    if (platform === "windows") {
+      pluginsBinSuffix = "-windows-arm64";
+    } else if (platform === "darwin") {
+      pluginsBinSuffix = "-darwin-arm64";
+    }
     break;
   case "ppc64":
     arch = "ppc64le";
@@ -169,18 +176,23 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "osquery"))) {
     "osquery",
     "osqueryi-" + platform + "-" + arch + extn
   );
+  // osqueryi-darwin-amd64.app/Contents/MacOS/osqueryd
+  if (platform === "darwin") {
+    OSQUERY_BIN = `${OSQUERY_BIN}.app/Contents/MacOS/osqueryd`;
+  }
 } else if (process.env.OSQUERY_CMD) {
   OSQUERY_BIN = process.env.OSQUERY_CMD;
 }
 let DOSAI_BIN = null;
 if (existsSync(join(CDXGEN_PLUGINS_DIR, "dosai"))) {
+  let platformToUse = platform;
   if (platform === "darwin") {
-    platform = "osx";
+    platformToUse = "osx";
   }
   DOSAI_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "dosai",
-    "dosai-" + platform + "-" + arch + extn
+    "dosai-" + platformToUse + "-" + arch + extn
   );
 } else if (process.env.DOSAI_CMD) {
   DOSAI_BIN = process.env.DOSAI_CMD;
@@ -679,6 +691,13 @@ export const executeOsQuery = (query) => {
       query = query + ";";
     }
     const args = ["--json", query];
+    // On darwin, we need to disable the safety check and run cdxgen with sudo
+    // https://github.com/osquery/osquery/issues/1382
+    if (platform === "darwin") {
+      args.push("--allow_unsafe");
+      args.push("--disable_logging");
+      args.push("--disable_events");
+    }
     if (DEBUG_MODE) {
       console.log("Executing", OSQUERY_BIN, args.join(" "));
     }

package/data/README.md

@@ -15,6 +15,7 @@ Contents of data directory and their purpose.
 | python-stdlib.json    | Standard libraries that can be filtered out in python                     |
 | queries-win.json      | osquery used to generate obom for windows                                 |
 | queries.json          | osquery used to generate obom for linux                                   |
+| queries-darwin.json   | osquery used to generate obom for darwin                                  |
 | spdx-licenses.json    | valid spdx id                                                             |
 | spdx.schema.json      | jsonschema for validation                                                 |
 | vendor-alias.json     | List to correct the group names. Used while parsing .jar files            |

package/data/queries-darwin.json

@@ -0,0 +1,122 @@
+{
+  "os_version": {
+    "query": "select * from os_version;",
+    "description": "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
+    "purlType": "swid",
+    "componentType": "operating-system"
+  },
+  "safari_extensions": {
+    "query": "select safari_extensions.* from users join safari_extensions using (uid);",
+    "description": "Safari browser extension details for all users. This table requires Full Disk Access (FDA) permission.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "chrome_extensions": {
+    "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
+    "description": "Retrieves the list of extensions for Chrome in the target system.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "firefox_addons": {
+    "query": "select firefox_addons.* from users join firefox_addons using (uid);",
+    "description": "Retrieves the list of addons for Firefox in the target system.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "vscode_extensions": {
+    "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
+    "description": "Lists all vscode extensions.",
+    "purlType": "vsix",
+    "componentType": "application"
+  },
+  "apps": {
+    "query": "select * from apps;",
+    "description": "macOS applications installed in known search paths (e.g., /Applications).",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "system_extensions": {
+    "query": "select * from system_extensions;",
+    "description": "macOS (>= 10.15) system extension table.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "certificates": {
+    "query": "SELECT * FROM certificates WHERE path != 'Other People';",
+    "description": "List all certificates in the trust store.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "package_bom": {
+    "query": "SELECT * FROM package_bom;",
+    "description": "macOS package bill of materials (BOM) file list.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "package_install_history": {
+    "query": "SELECT * FROM package_install_history;",
+    "description": "macOS package install history.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "package_receipts": {
+    "query": "SELECT * FROM package_receipts;",
+    "description": "macOS package receipt details.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "running_apps": {
+    "query": "SELECT * FROM running_apps;",
+    "description": "macOS applications currently running on the host system.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "sandboxes": {
+    "query": "SELECT * FROM sandboxes;",
+    "description": "macOS application sandboxes container details.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "startup_items": {
+    "query": "SELECT * FROM startup_items;",
+    "description": "List all startup_items.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "listening_ports": {
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "description": "List all processes and their listening_ports.",
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "interface_addresses": {
+    "query": "SELECT * FROM interface_addresses;",
+    "description": "List all interface_addresses.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "docker_container_ports": {
+    "query": "SELECT * FROM docker_container_ports;",
+    "description": "List all docker_container_ports.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "docker_containers": {
+    "query": "SELECT * FROM docker_containers;",
+    "description": "List all docker_containers.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "docker_networks": {
+    "query": "SELECT * FROM docker_networks;",
+    "description": "List all docker_networks.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "docker_volumes": {
+    "query": "SELECT * FROM docker_volumes;",
+    "description": "List all docker_volumes.",
+    "purlType": "swid",
+    "componentType": "data"
+  }
+}

package/data/queries-win.json

@@ -15,12 +15,20 @@
   "chrome_extensions": {
     "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
     "description": "Retrieves the list of extensions for Chrome in the target system.",
-    "purlType": "swid"
+    "purlType": "swid",
+    "componentType": "application"
   },
   "firefox_addons": {
     "query": "select firefox_addons.* from users join firefox_addons using (uid);",
     "description": "Retrieves the list of addons for Firefox in the target system.",
-    "purlType": "swid"
+    "purlType": "swid",
+    "componentType": "application"
+  },
+  "vscode_extensions": {
+    "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
+    "description": "Lists all vscode extensions.",
+    "purlType": "vsix",
+    "componentType": "application"
   },
   "browser_plugins": {
     "query": "select browser_plugins.* from users join browser_plugins using (uid);",
@@ -144,11 +152,6 @@
     "description": "List all npm_packages.",
     "purlType": "npm"
   },
-  "atom_packages": {
-    "query": "SELECT * FROM atom_packages;",
-    "description": "List all atom_packages.",
-    "purlType": "atom"
-  },
   "startup_items": {
     "query": "SELECT * FROM startup_items;",
     "description": "List all startup_items.",

package/data/queries.json

@@ -24,6 +24,12 @@
     "purlType": "swid",
     "componentType": "application"
   },
+  "vscode_extensions": {
+    "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
+    "description": "Lists all vscode extensions.",
+    "purlType": "vsix",
+    "componentType": "application"
+  },
   "deb_packages": {
     "query": "select * from deb_packages;",
     "description": "Retrieves all the installed DEB packages in the target Linux system.",
@@ -54,78 +60,18 @@
     "description": "Python packages installed on system.",
     "purlType": "pypi"
   },
-  "windows_programs": {
-    "query": "select * from programs;",
-    "description": "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
-    "purlType": "swid",
-    "componentType": "application"
-  },
-  "windows_patches": {
-    "query": "select * from patches;",
-    "description": "Retrieves all the information for the current windows drivers in the target Windows system.",
-    "purlType": "swid",
-    "componentType": "application"
-  },
-  "windows_drivers": {
-    "query": "select * from drivers;",
-    "description": "Retrieves all the information for the current windows drivers in the target Windows system.",
-    "purlType": "swid",
-    "componentType": "device-driver"
-  },
-  "windows_shared_resources": {
-    "query": "select * from shared_resources;",
-    "description": "Retrieves the list of shared resources in the target Windows system.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
   "system_info_snapshot": {
     "query": "SELECT * FROM system_info;",
     "description": "System info snapshot query.",
     "purlType": "swid",
     "componentType": "data"
   },
-  "pipes_snapshot": {
-    "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);",
-    "description": "Pipes snapshot query.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
-  "services_snapshot": {
-    "query": "SELECT * FROM services;",
-    "description": "Services snapshot query.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
   "etc_hosts": {
     "query": "SELECT * FROM etc_hosts;",
     "description": "List the contents of the Windows hosts file.",
     "purlType": "swid",
     "componentType": "data"
   },
-  "scheduled_tasks": {
-    "query": "SELECT * FROM scheduled_tasks;",
-    "description": "List all scheduled_tasks.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
-  "homebrew_packages": {
-    "query": "SELECT * FROM homebrew_packages;",
-    "description": "List all homebrew_packages.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
-  "installed_applications": {
-    "query": "SELECT * FROM apps;",
-    "description": "List all macos apps.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
-  "kernel_integrity": {
-    "query": "SELECT * FROM kernel_integrity;",
-    "description": "Various Linux kernel integrity checked attributes.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
   "crontab_snapshot": {
     "query": "SELECT * FROM crontab;",
     "description": "Retrieves all the jobs scheduled in crontab in the target system.",

package/docker.js

@@ -684,7 +684,7 @@ export const extractTar = async (fullImageName, dir) => {
         preserveOwner: false,
         noMtime: true,
         noChmod: true,
-        strict: true,
+        strict: false,
         C: dir,
         portable: true,
         onwarn: () => {},
@@ -696,6 +696,9 @@ export const extractTar = async (fullImageName, dir) => {
             path.includes("etc/") ||
             path.includes("logs/") ||
             path.includes("dev/") ||
+            path.includes("usr/share/zoneinfo/") ||
+            path.includes("usr/share/doc/") ||
+            path.includes("usr/share/i18n/") ||
             [
               "BlockDevice",
               "CharacterDevice",
@@ -727,6 +730,12 @@ export const extractTar = async (fullImageName, dir) => {
       console.log("------------");
       console.log(err);
       console.log("------------");
+    } else if (err.code === "TAR_BAD_ARCHIVE") {
+      if (DEBUG_MODE) {
+        console.log(`Archive ${fullImageName} is empty. Skipping.`);
+      }
+    } else {
+      console.log(err);
     }
     return false;
   }
@@ -832,13 +841,30 @@ export const extractFromManifest = async (
     }
     const lastLayer = layers[layers.length - 1];
     for (const layer of layers) {
+      try {
+        if (!lstatSync(join(tempDir, layer)).isFile()) {
+          console.log(
+            `Skipping layer ${layer} since it is not a readable file.`
+          );
+          continue;
+        }
+      } catch (e) {
+        console.log(`Skipping layer ${layer} since it is not a readable file.`);
+        continue;
+      }
       if (DEBUG_MODE) {
         console.log(`Extracting layer ${layer} to ${allLayersExplodedDir}`);
       }
       try {
         await extractTar(join(tempDir, layer), allLayersExplodedDir);
       } catch (err) {
-        console.log(err);
+        if (err.code === "TAR_BAD_ARCHIVE") {
+          if (DEBUG_MODE) {
+            console.log(`Layer ${layer} is empty.`);
+          }
+        } else {
+          console.log(err);
+        }
       }
     }
     if (manifest.Config) {
@@ -1058,15 +1084,23 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
     }
   }
   if (lastWorkingDir && lastWorkingDir !== "") {
-    knownSysPaths.push(lastWorkingDir);
+    if (
+      !lastWorkingDir.includes("/opt/") &&
+      !lastWorkingDir.includes("/home/")
+    ) {
+      knownSysPaths.push(lastWorkingDir);
+    }
     // Some more common app dirs
-    if (!lastWorkingDir.startsWith("/app")) {
+    if (!lastWorkingDir.includes("/app/")) {
       knownSysPaths.push(join(allLayersExplodedDir, "/app"));
     }
-    if (!lastWorkingDir.startsWith("/data")) {
+    if (!lastWorkingDir.includes("/layers/")) {
+      knownSysPaths.push(join(allLayersExplodedDir, "/layers"));
+    }
+    if (!lastWorkingDir.includes("/data/")) {
       knownSysPaths.push(join(allLayersExplodedDir, "/data"));
     }
-    if (!lastWorkingDir.startsWith("/srv")) {
+    if (!lastWorkingDir.includes("/srv/")) {
       knownSysPaths.push(join(allLayersExplodedDir, "/srv"));
     }
   }

package/index.js

@@ -152,11 +152,24 @@ import { collectOSCryptoLibs } from "./cbomutils.js";
 
 const isWin = _platform() === "win32";
 
-const osQueries = !isWin
-  ? JSON.parse(readFileSync(join(dirName, "data", "queries.json"), "utf-8"))
-  : JSON.parse(
+let osQueries = {};
+switch (_platform()) {
+  case "win32":
+    osQueries = JSON.parse(
       readFileSync(join(dirName, "data", "queries-win.json"), "utf-8")
     );
+    break;
+  case "darwin":
+    osQueries = JSON.parse(
+      readFileSync(join(dirName, "data", "queries-darwin.json"), "utf-8")
+    );
+    break;
+  default:
+    osQueries = JSON.parse(
+      readFileSync(join(dirName, "data", "queries.json"), "utf-8")
+    );
+    break;
+}
 const cosDbQueries = JSON.parse(
   readFileSync(join(dirName, "data", "cosdb-queries.json"), "utf-8")
 );
@@ -948,39 +961,42 @@ export const createJarBom = async (path, options) => {
       false,
       true
     );
+  }
+  if (path.endsWith(".jar")) {
+    jarFiles = [resolve(path)];
   } else {
     jarFiles = getAllFiles(
       path,
       (options.multiProject ? "**/" : "") + "*.[jw]ar",
       options
     );
-    // Jenkins plugins
-    const hpiFiles = getAllFiles(
-      path,
-      (options.multiProject ? "**/" : "") + "*.hpi",
-      options
-    );
-    if (hpiFiles.length) {
-      jarFiles = jarFiles.concat(hpiFiles);
+  }
+  // Jenkins plugins
+  const hpiFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "*.hpi",
+    options
+  );
+  if (hpiFiles.length) {
+    jarFiles = jarFiles.concat(hpiFiles);
+  }
+  const tempDir = mkdtempSync(join(tmpdir(), "jar-deps-"));
+  for (const jar of jarFiles) {
+    if (DEBUG_MODE) {
+      console.log(`Parsing ${jar}`);
     }
-    const tempDir = mkdtempSync(join(tmpdir(), "jar-deps-"));
-    for (const jar of jarFiles) {
-      if (DEBUG_MODE) {
-        console.log(`Parsing ${jar}`);
-      }
-      const dlist = await extractJarArchive(jar, tempDir);
-      if (dlist && dlist.length) {
-        pkgList = pkgList.concat(dlist);
-      }
-      if (pkgList.length) {
-        pkgList = await getMvnMetadata(pkgList);
-      }
+    const dlist = await extractJarArchive(jar, tempDir);
+    if (dlist && dlist.length) {
+      pkgList = pkgList.concat(dlist);
     }
-    // Clean up
-    if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
-      rmSync(tempDir, { recursive: true, force: true });
+    if (pkgList.length) {
+      pkgList = await getMvnMetadata(pkgList);
     }
   }
+  // Clean up
+  if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
   pkgList = pkgList.concat(convertJarNSToPackages(nsMapping));
   return buildBomNSData(options, pkgList, "maven", {
     src: path,
@@ -1002,7 +1018,7 @@ export const createJavaBom = async (path, options) => {
   // This is subsequently referred to in the dependencies list
   let parentComponent = {};
   // war/ear mode
-  if (path.endsWith(".war")) {
+  if (path.endsWith(".war") || path.endsWith(".jar")) {
     // Check if the file exists
     if (existsSync(path)) {
       if (DEBUG_MODE) {
@@ -4800,7 +4816,12 @@ export const createMultiXBom = async (pathList, options) => {
       }
     }
   } // for
-  if (options.lastWorkingDir && options.lastWorkingDir !== "") {
+  if (
+    options.lastWorkingDir &&
+    options.lastWorkingDir !== "" &&
+    !options.lastWorkingDir.includes("/opt/") &&
+    !options.lastWorkingDir.includes("/home/")
+  ) {
     bomData = await createJarBom(options.lastWorkingDir, options);
     if (
       bomData &&

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.0.0",
+  "version": "10.0.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -84,10 +84,13 @@
   "optionalDependencies": {
     "@appthreat/atom": "2.0.6",
     "@appthreat/cdx-proto": "^0.0.4",
-    "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
-    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",
-    "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.4",
-    "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.5.4",
+    "@cyclonedx/cdxgen-plugins-bin": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-windows-arm64": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "^1.5.8",
+    "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.5.8",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
     "connect": "^3.7.0",

package/utils.js

@@ -7026,7 +7026,7 @@ export const extractJarArchive = async function (
     existsSync(manifestname)
   ) {
     tempDir = dirname(jarFile);
-  } else if (!existsSync(join(tempDir, fname))) {
+  } else if (!existsSync(join(tempDir, fname)) && lstatSync(jarFile).isFile()) {
     // Only copy if the file doesn't exist
     copyFileSync(jarFile, join(tempDir, fname), constants.COPYFILE_FICLONE);
   }
@@ -7040,29 +7040,47 @@ export const extractJarArchive = async function (
       "bin"
     )}`;
   }
-  if (jarFile.endsWith(".war") || jarFile.endsWith(".hpi")) {
-    const jarResult = spawnSync("jar", ["-xf", join(tempDir, fname)], {
-      encoding: "utf-8",
-      cwd: tempDir,
-      shell: isWin,
-      env
-    });
-    if (jarResult.status !== 0) {
-      console.error(jarResult.stdout, jarResult.stderr);
-      console.log(
-        "Check if JRE is installed and the jar command is available in the PATH."
-      );
+  if (
+    jarFile.endsWith(".war") ||
+    jarFile.endsWith(".hpi") ||
+    jarFile.endsWith(".jar")
+  ) {
+    try {
+      const zip = new StreamZip.async({ file: join(tempDir, fname) });
+      await zip.extract(null, tempDir);
+      await zip.close();
+    } catch (e) {
+      console.log(`Unable to extract ${join(tempDir, fname)}. Skipping.`);
       return pkgList;
     }
     jarFiles = getAllFiles(join(tempDir, "WEB-INF", "lib"), "**/*.jar");
     if (jarFile.endsWith(".hpi")) {
       jarFiles.push(jarFile);
     }
+    // Some jar files could also have more jar files inside BOOT-INF directory
+    const jarFiles2 = getAllFiles(join(tempDir, "BOOT-INF", "lib"), "**/*.jar");
+    if (jarFiles && jarFiles2.length) {
+      jarFiles = jarFiles.concat(jarFiles2);
+    }
+    // Fallback. If our jar file didn't include any jar
+    if (jarFile.endsWith(".jar") && !jarFiles.length) {
+      jarFiles = [join(tempDir, fname)];
+    }
   } else {
     jarFiles = [join(tempDir, fname)];
   }
+  if (DEBUG_MODE) {
+    console.log(`List of jars: ${jarFiles}`);
+  }
   if (jarFiles && jarFiles.length) {
     for (const jf of jarFiles) {
+      // If the jar file doesn't exist at the point of use, skip it
+      if (!existsSync(jf)) {
+        if (DEBUG_MODE) {
+          console.log(jf, "is not a readable file");
+        }
+        continue;
+      }
       pomname = jf.replace(".jar", ".pom");
       const jarname = basename(jf);
       // Ignore test jars
@@ -7070,6 +7088,9 @@ export const extractJarArchive = async function (
         jarname.endsWith("-tests.jar") ||
         jarname.endsWith("-test-sources.jar")
       ) {
+        if (DEBUG_MODE) {
+          console.log(`Skipping tests jar ${jarname}`);
+        }
         continue;
       }
       const manifestDir = join(tempDir, "META-INF");
@@ -7081,16 +7102,20 @@ export const extractJarArchive = async function (
       if (existsSync(pomname)) {
         jarResult = { status: 0 };
       } else {
-        jarResult = spawnSync("jar", ["-xf", jf, "META-INF"], {
-          encoding: "utf-8",
-          cwd: tempDir,
-          shell: isWin,
-          env
-        });
+        // Unzip natively
+        try {
+          const zip = new StreamZip.async({ file: jf });
+          await zip.extract(null, tempDir);
+          await zip.close();
+          jarResult = { status: 0 };
+        } catch (e) {
+          if (DEBUG_MODE) {
+            console.log(`Unable to extract ${jf}. Skipping.`);
+          }
+          jarResult = { status: 1 };
+        }
       }
-      if (jarResult.status !== 0) {
-        console.error(jarResult.stdout, jarResult.stderr);
-      } else {
+      if (jarResult.status === 0) {
         // When maven descriptor is available take group, name and version from pom.properties
         // META-INF/maven/${groupId}/${artifactId}/pom.properties
         // see https://maven.apache.org/shared/maven-archiver/index.html
@@ -7114,7 +7139,7 @@ export const extractJarArchive = async function (
             const res = await cdxgenAgent.get(searchurl, {
               responseType: "json",
               timeout: {
-                lookup: 200,
+                lookup: 1000,
                 connect: 5000,
                 secureConnect: 5000,
                 socket: 1000,
@@ -7132,7 +7157,11 @@ export const extractJarArchive = async function (
             }
           } catch (err) {
             if (err && err.message && !err.message.includes("404")) {
-              if (DEBUG_MODE) {
+              if (err.message.includes("Timeout")) {
+                console.log(
+                  "Maven search appears to be unavailable. Search will be skipped for all remaining packages."
+                );
+              } else if (DEBUG_MODE) {
                 console.log(err);
               }
               search_maven_org_errors++;
@@ -7266,20 +7295,23 @@ export const extractJarArchive = async function (
             console.log(`Ignored jar ${jarname}`, name, version);
           }
         }
-        try {
-          if (rmSync && existsSync(join(tempDir, "META-INF"))) {
-            // Clean up META-INF
-            rmSync(join(tempDir, "META-INF"), {
-              recursive: true,
-              force: true
-            });
-          }
-        } catch (err) {
-          // ignore cleanup errors
+      }
+      try {
+        if (rmSync && existsSync(join(tempDir, "META-INF"))) {
+          // Clean up META-INF
+          rmSync(join(tempDir, "META-INF"), {
+            recursive: true,
+            force: true
+          });
         }
+      } catch (err) {
+        // ignore cleanup errors
       }
     } // for
   } // if
+  if (jarFiles.length !== pkgList.length) {
+    console.log(`Obtained only ${pkgList.length} from ${jarFiles.length} jars`);
+  }
   return pkgList;
 };
 

package/utils.test.js

@@ -1833,8 +1833,8 @@ test("parsePkgLock v3", async () => {
     projectName: "cdxgen"
   });
   deps = parsedList.pkgList;
-  expect(deps.length).toEqual(1200);
-  expect(parsedList.dependenciesList.length).toEqual(1200);
+  expect(deps.length).toEqual(1203);
+  expect(parsedList.dependenciesList.length).toEqual(1203);
 });
 
 test("parseBowerJson", async () => {