@cyclonedx/cdxgen 10.0.4 → 10.0.5

package/docker.js

@@ -426,7 +426,14 @@ export const parseImageName = (fullImageName) => {
     return nameObj;
   }
   // ensure it's lowercased
-  fullImageName = fullImageName.toLowerCase();
+  fullImageName = fullImageName.toLowerCase().trim();
+
+  // Extract platform
+  if (fullImageName.startsWith("--platform=")) {
+    const tmpName = fullImageName.replace("--platform=", "").split(" ");
+    nameObj.platform = tmpName[0];
+    fullImageName = tmpName[1];
+  }
 
   // Extract registry name
   if (
@@ -1183,3 +1190,31 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
   }
   return undefined;
 };
+
+export const addSkippedSrcFiles = (skippedImageSrcs, components) => {
+  for (const skippedImage of skippedImageSrcs) {
+    for (const co of components) {
+      let srcFileValues = [];
+      let srcImageValue;
+      co.properties.forEach(function (property) {
+        if (property.name === "oci:SrcImage") {
+          srcImageValue = property.value;
+        }
+
+        if (property.name === "SrcFile") {
+          srcFileValues.push(property.value);
+        }
+      });
+
+      if (
+        srcImageValue === skippedImage.image &&
+        !srcFileValues.includes(skippedImage.src)
+      ) {
+        co.properties = co.properties.concat({
+          name: "SrcFile",
+          value: skippedImage.src
+        });
+      }
+    }
+  }
+};

package/docker.test.js

@@ -4,9 +4,10 @@ import {
   getImage,
   removeImage,
   exportImage,
-  isWin
+  isWin,
+  addSkippedSrcFiles
 } from "./docker.js";
-import { expect, test } from "@jest/globals";
+import { expect, test, describe, beforeEach } from "@jest/globals";
 
 test("docker connection", async () => {
   if (!(isWin && process.env.CI === "true")) {
@@ -84,6 +85,19 @@ test("parseImageName tests", () => {
     group: "docker/library",
     name: "eclipse-temurin"
   });
+  expect(
+    parseImageName(
+      "--platform=linux/amd64 foocorp.jfrog.io/docker/library/eclipse-temurin:latest"
+    )
+  ).toEqual({
+    registry: "foocorp.jfrog.io",
+    repo: "docker/library/eclipse-temurin",
+    tag: "latest",
+    digest: "",
+    platform: "linux/amd64",
+    group: "docker/library",
+    name: "eclipse-temurin"
+  });
   expect(
     parseImageName(
       "quay.io/shiftleft/scan-java@sha256:5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1"
@@ -117,3 +131,72 @@ test("docker getImage", async () => {
   const imageData = await exportImage("hello-world:latest");
   expect(imageData);
 }, 120000);
+
+describe("addSkippedSrcFiles tests", () => {
+  let testComponents;
+
+  beforeEach(() => {
+    testComponents = [
+      {
+        name: "node",
+        version: "20",
+        component: "node:20",
+        purl: "pkg:oci/node@20?tag=20",
+        type: "container",
+        "bom-ref": "pkg:oci/node@20?tag=20",
+        properties: [
+          {
+            name: "SrcFile",
+            value: "/some/project/Dockerfile"
+          },
+          {
+            name: "oci:SrcImage",
+            value: "node:20"
+          }
+        ]
+      }
+    ];
+  });
+
+  test("no matching additional src files", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:18",
+          src: "/some/project/bitbucket-pipeline.yml"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(2);
+  });
+
+  test("adds additional src files", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:20",
+          src: "/some/project/bitbucket-pipeline.yml"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(3);
+  });
+
+  test("skips if same src file", () => {
+    addSkippedSrcFiles(
+      [
+        {
+          image: "node:20",
+          src: "/some/project/Dockerfile"
+        }
+      ],
+      testComponents
+    );
+
+    expect(testComponents[0].properties).toHaveLength(2);
+  });
+}, 120000);

package/index.js

@@ -139,7 +139,8 @@ import {
   getPkgPathList,
   parseImageName,
   exportArchive,
-  exportImage
+  exportImage,
+  addSkippedSrcFiles
 } from "./docker.js";
 import {
   getGoBuildInfo,
@@ -3659,6 +3660,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
   let parentComponent = {};
   let dependencies = [];
   const doneimages = [];
+  const skippedImageSrcs = [];
   const doneservices = [];
   const origProjectType = options.projectType;
   let dcFiles = getAllFiles(
@@ -3791,6 +3793,9 @@ export const createContainerSpecLikeBom = async (path, options) => {
               if (DEBUG_MODE) {
                 console.log("Skipping", img.image);
               }
+
+              skippedImageSrcs.push({ image: img.image, src: f });
+
               continue;
             }
             if (DEBUG_MODE) {
@@ -3809,7 +3814,8 @@ export const createContainerSpecLikeBom = async (path, options) => {
               type: "container"
             };
             if (imageObj.registry) {
-              pkg["qualifiers"]["repository_url"] = img.image;
+              pkg["qualifiers"]["repository_url"] =
+                `${imageObj.registry}/${imageObj.repo}`;
             }
             if (imageObj.platform) {
               pkg["qualifiers"]["platform"] = imageObj.platform;
@@ -3845,6 +3851,9 @@ export const createContainerSpecLikeBom = async (path, options) => {
         } // for img
       }
     } // for
+
+    // Add additional SrcFile property to skipped image components
+    addSkippedSrcFiles(skippedImageSrcs, components);
   } // if
   // Parse openapi files
   if (oapiFiles.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.0.4",
+  "version": "10.0.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",