npm - @cyclonedx/cdxgen - Versions diffs - 10.0.6 → 10.1.0 - Mend

@cyclonedx/cdxgen 10.0.6 → 10.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -350,6 +350,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - .NET (packages.lock.json, project.assets.json, paket.lock)
 - Go (go.mod)
 - PHP (composer.lock)
+- Ruby (Gemfile.lock)
 ## Environment variables

package/bin/cdxgen.js CHANGED Viewed

@@ -404,7 +404,15 @@ const checkPermissions = (filePath) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(bomNSData.bomJson, null, 2);
+        jsonPayload = JSON.stringify(
+          bomNSData.bomJson,
+          null,
+          options.deep ||
+            ["os", "docker", "universal"].includes(options.projectType) ||
+            process.env.CI
+            ? null
+            : 2
+        );
         fs.writeFileSync(jsonFile, jsonPayload);
       }
       if (
@@ -499,7 +507,7 @@ const checkPermissions = (filePath) => {
             bomJsonUnsignedObj.signature = signatureBlock;
             fs.writeFileSync(
               jsonFile,
-              JSON.stringify(bomJsonUnsignedObj, null, 2)
+              JSON.stringify(bomJsonUnsignedObj, null, null)
             );
             if (publicKeyFile) {
               // Verifying this signature

package/bin/repl.js CHANGED Viewed

@@ -284,7 +284,7 @@ cdxgenRepl.defineCommand("save", {
       if (!saveToFile) {
         saveToFile = "bom.json";
       }
-      fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
+      fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, null));
       console.log(`BOM saved successfully to ${saveToFile}`);
     } else {
       console.log(

package/docker.js CHANGED Viewed

@@ -1194,7 +1194,7 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
 export const addSkippedSrcFiles = (skippedImageSrcs, components) => {
   for (const skippedImage of skippedImageSrcs) {
     for (const co of components) {
-      let srcFileValues = [];
+      const srcFileValues = [];
       let srcImageValue;
       co.properties.forEach(function (property) {
         if (property.name === "oci:SrcImage") {

package/evinser.js CHANGED Viewed

@@ -132,7 +132,7 @@ export const catalogMavenDeps = async (
               namespaces: jarNSMapping[purl].namespaces
             },
             null,
-            2
+            null
           )
         }
       });
@@ -165,7 +165,7 @@ export const catalogGradleDeps = async (dirPath, purlsJars, Namespaces) => {
               namespaces: jarNSMapping[purl].namespaces
             },
             null,
-            2
+            null
           )
         }
       });
@@ -1066,7 +1066,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
   // Set the current timestamp to indicate this is newer
   bomJson.metadata.timestamp = new Date().toISOString();
   delete bomJson.signature;
-  fs.writeFileSync(evinseOutFile, JSON.stringify(bomJson, null, 2));
+  fs.writeFileSync(evinseOutFile, JSON.stringify(bomJson, null, null));
   if (occEvidencePresent || csEvidencePresent || servicesPresent) {
     console.log(evinseOutFile, "created successfully.");
   } else {

package/index.js CHANGED Viewed

@@ -1452,7 +1452,10 @@ export const createJavaBom = async (path, options) => {
       }
       // Should we attempt to resolve class names
       if (options.resolveClass || options.deep) {
-        jarNSMapping = await collectJarNS(GRADLE_CACHE_DIR);
+        const tmpjarNSMapping = await collectJarNS(GRADLE_CACHE_DIR);
+        if (tmpjarNSMapping && Object.keys(tmpjarNSMapping).length) {
+          jarNSMapping = { ...jarNSMapping, ...tmpjarNSMapping };
+        }
       }
       pkgList = await getMvnMetadata(pkgList, jarNSMapping);
       return buildBomNSData(options, pkgList, "maven", {
@@ -1749,7 +1752,10 @@ export const createJavaBom = async (path, options) => {
       }
       // Should we attempt to resolve class names
       if (options.resolveClass || options.deep) {
-        jarNSMapping = await collectJarNS(SBT_CACHE_DIR);
+        const tmpjarNSMapping = await collectJarNS(SBT_CACHE_DIR);
+        if (tmpjarNSMapping && Object.keys(tmpjarNSMapping).length) {
+          jarNSMapping = { ...jarNSMapping, ...tmpjarNSMapping };
+        }
       }
       pkgList = await getMvnMetadata(pkgList, jarNSMapping);
       return buildBomNSData(options, pkgList, "maven", {
@@ -4145,10 +4151,13 @@ export const createRubyBom = async (path, options) => {
   );
   let gemLockFiles = getAllFiles(
     path,
-    (options.multiProject ? "**/" : "") + "Gemfile.lock",
+    (options.multiProject ? "**/" : "") + "Gemfile*.lock",
     options
   );
   let pkgList = [];
+  let dependencies = [];
+  let rootList = [];
+  const parentComponent = createDefaultParentComponent(path, "gem", options);
   const gemFileMode = gemFiles.length;
   const gemLockMode = gemLockFiles.length;
   if (gemFileMode && !gemLockMode && options.installDeps) {
@@ -4170,7 +4179,7 @@ export const createRubyBom = async (path, options) => {
   }
   gemLockFiles = getAllFiles(
     path,
-    (options.multiProject ? "**/" : "") + "Gemfile.lock",
+    (options.multiProject ? "**/" : "") + "Gemfile*.lock",
     options
   );
   if (gemLockFiles.length) {
@@ -4179,17 +4188,41 @@ export const createRubyBom = async (path, options) => {
         console.log(`Parsing ${f}`);
       }
       const gemLockData = readFileSync(f, { encoding: "utf-8" });
-      const dlist = await parseGemfileLockData(gemLockData);
-      if (dlist && dlist.length) {
-        pkgList = pkgList.concat(dlist);
+      const retMap = await parseGemfileLockData(gemLockData, f);
+      if (retMap.pkgList && retMap.pkgList.length) {
+        pkgList = pkgList.concat(retMap.pkgList);
+        pkgList = trimComponents(pkgList);
+      }
+      if (retMap.dependenciesList && retMap.dependenciesList.length) {
+        dependencies = mergeDependencies(
+          dependencies,
+          retMap.dependenciesList,
+          parentComponent
+        );
+      }
+      if (retMap.rootList && retMap.rootList.length) {
+        rootList = rootList.concat(retMap.rootList);
       }
     }
-    return buildBomNSData(options, pkgList, "gem", {
-      src: path,
-      filename: gemLockFiles.join(", ")
-    });
   }
-  return {};
+  if (rootList.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      [
+        {
+          ref: parentComponent["bom-ref"],
+          dependsOn: rootList
+        }
+      ],
+      parentComponent
+    );
+  }
+  return buildBomNSData(options, pkgList, "gem", {
+    src: path,
+    dependencies,
+    parentComponent,
+    filename: gemLockFiles.join(", ")
+  });
 };
 /**
@@ -4674,7 +4707,11 @@ export const createMultiXBom = async (pathList, options) => {
         );
       }
       components = components.concat(bomData.bomJson.components);
-      dependencies = dependencies.concat(bomData.bomJson.dependencies);
+      dependencies = mergeDependencies(
+        dependencies,
+        bomData.bomJson.dependencies,
+        bomData.parentComponent
+      );
       if (
         bomData.parentComponent &&
         Object.keys(bomData.parentComponent).length
@@ -5039,7 +5076,7 @@ export const createXBom = async (path, options) => {
   );
   const gemLockFiles = getAllFiles(
     path,
-    (options.multiProject ? "**/" : "") + "Gemfile.lock",
+    (options.multiProject ? "**/" : "") + "Gemfile*.lock",
     options
   );
   if (gemFiles.length || gemLockFiles.length) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.0.6",
+  "version": "10.1.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/server.js CHANGED Viewed

@@ -152,7 +152,7 @@ const start = (options) => {
       ) {
         res.write(bomNSData.bomJson);
       } else {
-        res.write(JSON.stringify(bomNSData.bomJson, null, 2));
+        res.write(JSON.stringify(bomNSData.bomJson, null, null));
       }
     }
     if (reqOptions.serverUrl && reqOptions.apiKey) {

package/utils.js CHANGED Viewed

@@ -544,7 +544,7 @@ export const parsePkgJson = async (pkgJsonFile, simple = false) => {
       const pkgData = JSON.parse(readFileSync(pkgJsonFile, "utf8"));
       const pkgIdentifier = parsePackageJsonName(pkgData.name);
       const name = pkgIdentifier.fullName || pkgData.name;
-      if (!name && !pkgJsonFile.includes("node_modules")) {
+      if (DEBUG_MODE && !name && !pkgJsonFile.includes("node_modules")) {
         console.log(
           `${pkgJsonFile} doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project.`
         );
@@ -4034,16 +4034,28 @@ export const parseGoVersionData = async function (buildInfoData) {
  * @param {*} pkgList List of packages with metadata
  */
 export const getRubyGemsMetadata = async function (pkgList) {
-  const RUBYGEMS_URL = "https://rubygems.org/api/v1/versions/";
+  const RUBYGEMS_V2_URL =
+    process.env.RUBYGEMS_V2_URL || "https://rubygems.org/api/v2/rubygems/";
+  const RUBYGEMS_V1_URL =
+    process.env.RUBYGEMS_V1_URL || "https://rubygems.org/api/v1/gems/";
   const rdepList = [];
+  const apiOptions = {
+    responseType: "json"
+  };
+  if (process.env.GEM_HOST_API_KEY) {
+    apiOptions.headers = {
+      Authorization: process.env.GEM_HOST_API_KEY
+    };
+  }
   for (const p of pkgList) {
     try {
       if (DEBUG_MODE) {
         console.log(`Querying rubygems.org for ${p.name}`);
       }
-      const res = await cdxgenAgent.get(RUBYGEMS_URL + p.name + ".json", {
-        responseType: "json"
-      });
+      const fullUrl = p.version
+        ? `${RUBYGEMS_V2_URL}${p.name}/versions/${p.version}.json`
+        : `${RUBYGEMS_V1_URL}${p.name}.json`;
+      const res = await cdxgenAgent.get(fullUrl, apiOptions);
       let body = res.body;
       if (body && body.length) {
         body = body[0];
@@ -4055,14 +4067,54 @@ export const getRubyGemsMetadata = async function (pkgList) {
       if (body.metadata) {
         if (body.metadata.source_code_uri) {
           p.repository = { url: body.metadata.source_code_uri };
+          if (
+            body.homepage_uri &&
+            body.homepage_uri !== body.metadata.source_code_uri
+          ) {
+            p.homepage = { url: body.homepage_uri };
+          }
         }
         if (body.metadata.bug_tracker_uri) {
-          p.homepage = { url: body.metadata.bug_tracker_uri };
+          p.bugs = { url: body.metadata.bug_tracker_uri };
         }
       }
       if (body.sha) {
         p._integrity = "sha256-" + body.sha;
       }
+      if (body.authors) {
+        p.author = body.authors;
+      }
+      // Track the platform such as java
+      if (body.platform && body.platform !== "ruby") {
+        p.properties.push({
+          name: "cdx:gem:platform",
+          value: body.platform
+        });
+      }
+      if (body.ruby_version) {
+        p.properties.push({
+          name: "cdx:gem:rubyVersionSpecifiers",
+          value: body.ruby_version
+        });
+      }
+      if (body.gem_uri) {
+        p.properties.push({
+          name: "cdx:gem:gemUri",
+          value: body.gem_uri
+        });
+      }
+      if (body.yanked) {
+        p.properties.push({
+          name: "cdx:gem:yanked",
+          value: "" + body.yanked
+        });
+      }
+      if (body.prerelease) {
+        p.properties.push({
+          name: "cdx:gem:prerelease",
+          value: "" + body.prerelease
+        });
+      }
       // Use the latest version if none specified
       if (!p.version) {
         p.version = body.number;
@@ -4119,15 +4171,22 @@ export const parseGemspecData = async function (gemspecData) {
 /**
  * Method to parse Gemfile.lock
  *
- * @param {*} gemLockData Gemfile.lock data
+ * @param {object} gemLockData Gemfile.lock data
+ * @param {string} lockFile Lock file
  */
-export const parseGemfileLockData = async function (gemLockData) {
-  const pkgList = [];
+export const parseGemfileLockData = async (gemLockData, lockFile) => {
+  let pkgList = [];
   const pkgnames = {};
+  const dependenciesList = [];
+  const dependenciesMap = {};
+  const pkgVersionMap = {};
+  const rootList = [];
   if (!gemLockData) {
     return pkgList;
   }
   let specsFound = false;
+  // We need two passes to identify components and resolve dependencies
+  // In the first pass, we capture package name and version
   gemLockData.split("\n").forEach((l) => {
     l = l.trim();
     l = l.replace("\r", "");
@@ -4138,35 +4197,106 @@ export const parseGemfileLockData = async function (gemLockData) {
         if (name === "remote:") {
           return;
         }
+        let version = tmpA[1];
+        // We only allow bracket characters ()
+        if (version.search(/[,><~ ]/) < 0) {
+          version = version.replace(/[=()]/g, "");
+          pkgVersionMap[name] = version;
+        }
+      }
+    }
+    if (l === "specs:") {
+      specsFound = true;
+    }
+    if (l === l.toUpperCase()) {
+      specsFound = false;
+    }
+  });
+  specsFound = false;
+  let lastParent = undefined;
+  // In the second pass, we use the space in the prefix to figure out the dependency tree
+  gemLockData.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
+    if (specsFound) {
+      const tmpA = l.split(" (");
+      if (tmpA && tmpA.length == 2) {
+        const nameWithPrefix = tmpA[0];
+        const name = tmpA[0].trim();
+        if (name === "remote:") {
+          return;
+        }
+        const level = nameWithPrefix.replace(name, "").split("  ").length % 2;
+        const purlString = new PackageURL(
+          "gem",
+          "",
+          name,
+          pkgVersionMap[name],
+          null,
+          null
+        ).toString();
+        const bomRef = decodeURIComponent(purlString);
+        if (level === 1) {
+          lastParent = bomRef;
+          rootList.push(bomRef);
+        }
+        const apkg = {
+          name,
+          version: pkgVersionMap[name],
+          purl: purlString,
+          "bom-ref": bomRef,
+          properties: [
+            {
+              name: "SrcFile",
+              value: lockFile
+            }
+          ],
+          evidence: {
+            identity: {
+              field: "purl",
+              confidence: 0.8,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 0.8,
+                  value: lockFile
+                }
+              ]
+            }
+          }
+        };
+        if (lastParent && lastParent !== bomRef) {
+          if (!dependenciesMap[lastParent]) {
+            dependenciesMap[lastParent] = new Set();
+          }
+          dependenciesMap[lastParent].add(bomRef);
+        }
+        if (!dependenciesMap[bomRef]) {
+          dependenciesMap[bomRef] = new Set();
+        }
         if (!pkgnames[name]) {
-          let version = tmpA[1].split(", ")[0];
-          version = version.replace(/[(>=<)~ ]/g, "");
-          pkgList.push({
-            name,
-            version
-          });
+          pkgList.push(apkg);
           pkgnames[name] = true;
         }
       }
     }
-    if (l === "specs:") {
+    if (l.trim() === "specs:") {
       specsFound = true;
     }
-    if (
-      l === "PLATFORMS" ||
-      l === "DEPENDENCIES" ||
-      l === "RUBY VERSION" ||
-      l === "BUNDLED WITH" ||
-      l === "PATH"
-    ) {
+    if (l.trim() == l.trim().toUpperCase()) {
       specsFound = false;
     }
   });
+  for (const k of Object.keys(dependenciesMap)) {
+    dependenciesList.push({
+      ref: k,
+      dependsOn: Array.from(dependenciesMap[k])
+    });
+  }
   if (FETCH_LICENSE) {
-    return await getRubyGemsMetadata(pkgList);
-  } else {
-    return pkgList;
+    pkgList = await getRubyGemsMetadata(pkgList);
+    return { pkgList, dependenciesList };
   }
+  return { pkgList, dependenciesList, rootList };
 };
 /**
@@ -6728,7 +6858,13 @@ export const collectJarNS = async (jarPath, pomPathMap = {}) => {
       let purl = undefined;
       // In some cases, the pom name might be slightly different to the jar name
       if (!existsSync(pomname)) {
-        const pomSearch = getAllFiles(dirname(jf), "*.pom");
+        let searchDir = dirname(jf);
+        // in case of gradle, there would be hash directory that is different for jar vs pom
+        // so we need to start search from a level up
+        if (searchDir.includes(join(".gradle", "caches"))) {
+          searchDir = join(searchDir, "..");
+        }
+        const pomSearch = getAllFiles(searchDir, "**/*.pom");
         if (pomSearch && pomSearch.length === 1) {
           pomname = pomSearch[0];
         }
@@ -6805,12 +6941,16 @@ export const collectJarNS = async (jarPath, pomPathMap = {}) => {
           tmpDirParts.pop();
           // Retrieve the version
           const jarVersion = tmpDirParts.pop();
+          const pkgName = jarFileName.replace(`-${jarVersion}`, "");
           // The result would form the group name
-          const jarGroupName = tmpDirParts.join(".").replace(/^\./, "");
+          let jarGroupName = tmpDirParts.join(".").replace(/^\./, "");
+          if (jarGroupName.includes(pkgName)) {
+            jarGroupName = jarGroupName.replace("." + pkgName, "");
+          }
           const purlObj = new PackageURL(
             "maven",
             jarGroupName,
-            jarFileName.replace(`-${jarVersion}`, ""),
+            pkgName,
             jarVersion,
             { type: "jar" },
             null

package/utils.test.js CHANGED Viewed

@@ -2581,14 +2581,44 @@ test("parseComposerLock", () => {
 });
 test("parseGemfileLockData", async () => {
-  const deps = await parseGemfileLockData(
-    readFileSync("./test/data/Gemfile.lock", { encoding: "utf-8" })
+  let retMap = await parseGemfileLockData(
+    readFileSync("./test/data/Gemfile.lock", { encoding: "utf-8" }),
+    "./test/data/Gemfile.lock"
   );
-  expect(deps.length).toEqual(140);
-  expect(deps[0]).toEqual({
+  expect(retMap.pkgList.length).toEqual(141);
+  expect(retMap.dependenciesList.length).toEqual(141);
+  expect(retMap.pkgList[0]).toEqual({
     name: "actioncable",
-    version: "6.0.0"
+    version: "6.0.0",
+    purl: "pkg:gem/actioncable@6.0.0",
+    "bom-ref": "pkg:gem/actioncable@6.0.0",
+    properties: [{ name: "SrcFile", value: "./test/data/Gemfile.lock" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.8,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.8,
+            value: "./test/data/Gemfile.lock"
+          }
+        ]
+      }
+    }
   });
+  retMap = await parseGemfileLockData(
+    readFileSync("./test/data/Gemfile1.lock", { encoding: "utf-8" }),
+    "./test/data/Gemfile1.lock"
+  );
+  expect(retMap.pkgList.length).toEqual(36);
+  expect(retMap.dependenciesList.length).toEqual(36);
+  retMap = await parseGemfileLockData(
+    readFileSync("./test/data/Gemfile2.lock", { encoding: "utf-8" }),
+    "./test/data/Gemfile2.lock"
+  );
+  expect(retMap.pkgList.length).toEqual(90);
+  expect(retMap.dependenciesList.length).toEqual(90);
 });
 test("parseGemspecData", async () => {