npm - @cyclonedx/cdxgen - Versions diffs - 10.2.3 → 10.2.5 - Mend

@cyclonedx/cdxgen 10.2.3 → 10.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/cdxgen.js CHANGED Viewed

@@ -348,11 +348,13 @@ const applyAdvancedOptions = (options) => {
           "oci",
           "android",
           "apk",
-          "aab"
+          "aab",
+          "go",
+          "golang"
         ].includes(options.projectType)
       ) {
         console.log(
-          "PREVIEW: post-build lifecycle SBOM generation is supported only for android and dotnet projects. Please specify the type using the -t argument."
+          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, and go projects. Please specify the type using the -t argument."
         );
         process.exit(1);
       }

package/index.js CHANGED Viewed

@@ -4412,7 +4412,7 @@ export async function createCsharpBom(path, options) {
     }
   } else if (pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
-    let parentDependsOn = [];
+    const parentDependsOn = new Set();
     // packages.lock.json from nuget
     for (const af of pkgLockFiles) {
       if (DEBUG_MODE) {
@@ -4432,13 +4432,15 @@ export async function createCsharpBom(path, options) {
       // Keep track of the direct dependencies so that we can construct one complete
       // list after processing all lock files
       if (rootList && rootList.length) {
-        parentDependsOn = parentDependsOn.concat(rootList);
+        for (const p of rootList) {
+          parentDependsOn.add(p["bom-ref"]);
+        }
       }
     }
-    if (parentDependsOn.length) {
+    if (parentDependsOn.size) {
       dependencies.splice(0, 0, {
         ref: parentComponent["bom-ref"],
-        dependsOn: parentDependsOn.map((p) => p["bom-ref"])
+        dependsOn: Array.from(parentDependsOn)
       });
     }
   } else if (pkgConfigFiles.length) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.2.3",
+  "version": "10.2.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -57,8 +57,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.24.0",
-    "@babel/traverse": "^7.24.0",
+    "@babel/parser": "^7.24.1",
+    "@babel/traverse": "^7.24.1",
     "@npmcli/arborist": "7.4.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
@@ -84,7 +84,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.0.8",
+    "@appthreat/atom": "2.0.9",
     "@appthreat/cdx-proto": "^0.0.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.8",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.8",

package/utils.js CHANGED Viewed

@@ -825,19 +825,25 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       // which isn't installed
       // Bug #795. At times, npm loses the integrity node completely and such packages are getting missed out
       // To keep things safe, we include these packages.
-      const edgeToIntegrity = edge.to ? edge.to.integrity : undefined;
-      if (!edgeToIntegrity) {
+      let edgeToIntegrityOrLocation = edge.to ? edge.to.integrity : undefined;
+      // Fallback to location based lookups when integrity is missing
+      if (!edgeToIntegrityOrLocation && edge.to && edge.to.location) {
+        edgeToIntegrityOrLocation = edge.to.location;
+      }
+      if (!edgeToIntegrityOrLocation) {
         // This hack is required to fix the package name
-        targetName = node.name.replace(/-cjs$/, "");
-        targetVersion = node.version;
-        foundMatch = true;
+        targetName = edge.name.replace(/-cjs$/, "");
+        foundMatch = false;
       } else {
         // the edges don't actually contain a version, so we need to search the root node
         // children to find the correct version. we check the node children first, then
         // we check the root node children
         for (const child of node.children) {
-          if (edgeToIntegrity) {
-            if (child[1].integrity == edgeToIntegrity) {
+          if (edgeToIntegrityOrLocation) {
+            if (
+              child[1].integrity === edgeToIntegrityOrLocation ||
+              child[1].location === edgeToIntegrityOrLocation
+            ) {
               targetName = child[0].replace(/node_modules\//g, "");
               // The package name could be different from the targetName retrieved
               // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
@@ -853,7 +859,11 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       }
       if (!foundMatch) {
         for (const child of rootNode.children) {
-          if (child[1].integrity == edgeToIntegrity) {
+          if (
+            edgeToIntegrityOrLocation &&
+            (child[1].integrity == edgeToIntegrityOrLocation ||
+              child[1].location == edgeToIntegrityOrLocation)
+          ) {
             targetName = child[0].replace(/node_modules\//g, "");
             targetVersion = child[1].version;
             // The package name could be different from the targetName retrieved
@@ -897,7 +907,6 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       pkgList = pkgList.concat(childPkgList);
       dependenciesList = dependenciesList.concat(childDependenciesList);
     }
     dependenciesList.push({
       ref: decodeURIComponent(purlString),
       dependsOn: workspaceDependsOn
@@ -6024,11 +6033,15 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
       const dependsOn = [];
       if (libData.dependencies) {
         for (const adep of Object.keys(libData.dependencies)) {
+          // get the resolved version of the dependency
+          const adepResolvedVersion =
+            assetData.dependencies[aversion][adep].resolved;
           const adpurl = new PackageURL(
             "nuget",
             "",
             adep,
-            libData.dependencies[adep],
+            adepResolvedVersion,
             null,
             null
           ).toString();
@@ -6746,7 +6759,16 @@ function purlFromUrlString(type, repoUrl, version) {
     const pathnameLastElement = pathnameParts.pop();
     name = pathnameLastElement.replace(".git", "");
     const urlpath = pathnameParts.join("/");
-    namespace = hostname + ":" + urlpath;
+    namespace = hostname + "/" + urlpath;
+  } else if (repoUrl && repoUrl.startsWith("ssh://git@bitbucket")) {
+    repoUrl = repoUrl.replace("ssh://git@", "");
+    const parts = repoUrl.split(":");
+    const hostname = parts[0];
+    const pathnameParts = parts[1].split("/").slice(1);
+    const pathnameLastElement = pathnameParts.pop();
+    name = pathnameLastElement.replace(".git", "");
+    const urlpath = pathnameParts.join("/");
+    namespace = hostname + "/" + urlpath;
   } else if (repoUrl && repoUrl.startsWith("/")) {
     const parts = repoUrl.split("/");
     name = parts[parts.length - 1];

package/utils.test.js CHANGED Viewed

@@ -3257,7 +3257,7 @@ test("parse swift deps files", () => {
     repository: { url: "https://github.com/apple/swift-argument-parser" }
   });
   pkgList = parseSwiftResolved("./test/data/Package2.resolved");
-  expect(pkgList.length).toEqual(6);
+  expect(pkgList.length).toEqual(7);
   expect(pkgList[0]).toEqual({
     name: "swift-argument-parser",
     group: "github.com/apple",
@@ -3280,6 +3280,54 @@ test("parse swift deps files", () => {
     "bom-ref": "pkg:swift/github.com/apple/swift-argument-parser@1.2.2",
     repository: { url: "https://github.com/apple/swift-argument-parser.git" }
   });
+  expect(pkgList[4]).toEqual({
+    name: "swift-http-server",
+    group: "github.com/swift",
+    version: "0.7.4",
+    purl: "pkg:swift/github.com/swift/swift-http-server@0.7.4",
+    properties: [{ name: "SrcFile", value: "./test/data/Package2.resolved" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/Package2.resolved"
+          }
+        ]
+      }
+    },
+    "bom-ref": "pkg:swift/github.com/swift/swift-http-server@0.7.4",
+    repository: {
+      url: "git@github.com:swift/swift-http-server.git"
+    }
+  });
+  expect(pkgList[5]).toEqual({
+    name: "swift-http-server",
+    group: "bitbucket.org/swift",
+    version: "0.7.4",
+    purl: "pkg:swift/bitbucket.org/swift/swift-http-server@0.7.4",
+    properties: [{ name: "SrcFile", value: "./test/data/Package2.resolved" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/Package2.resolved"
+          }
+        ]
+      }
+    },
+    "bom-ref": "pkg:swift/bitbucket.org/swift/swift-http-server@0.7.4",
+    repository: {
+      url: "ssh://git@bitbucket.org:7999/swift/swift-http-server.git"
+    }
+  });
 });
 test("pypi version solver tests", () => {