@cyclonedx/cdxgen 10.2.4 → 10.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +6 -4
- package/package.json +1 -1
- package/utils.js +23 -10
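--- a/package/index.js
+++ b/package/index.js
@@ -4412,7 +4412,7 @@ export async function createCsharpBom(path, options) {
 }
 } else if (pkgLockFiles.length) {
 manifestFiles = manifestFiles.concat(pkgLockFiles);
-
+const parentDependsOn = new Set();
 // packages.lock.json from nuget
 for (const af of pkgLockFiles) {
 if (DEBUG_MODE) {
@@ -4432,13 +4432,15 @@ export async function createCsharpBom(path, options) {
 // Keep track of the direct dependencies so that we can construct one complete
 // list after processing all lock files
 if (rootList && rootList.length) {
-
+for (const p of rootList) {
+parentDependsOn.add(p["bom-ref"]);
+}
 }
 }
-if (parentDependsOn.
+if (parentDependsOn.size) {
 dependencies.splice(0, 0, {
 ref: parentComponent["bom-ref"],
-dependsOn:
+dependsOn: Array.from(parentDependsOn)
 });
 }
 } else if (pkgConfigFiles.length) {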
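Review bot: In the second hunk (@@ -4432), `parentDependsOn.add(p["bom-ref"])` inserts `undefined` into the set whenever a rootList entry carries no bom-ref, and `Array.from(parentDependsOn)` then emits that `undefined` into the parent component's dependsOn list. A guard such as `if (p["bom-ref"]) parentDependsOn.add(p["bom-ref"]);` keeps the dependency graph free of dangling references; whether every rootList entry is guaranteed to have a bom-ref depends on the lock parser that produces it, which is not visible here. The enclosing createCsharpBom function starts and ends outside the hunk.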
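--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "10.2.
+"version": "10.2.5",
 "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",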
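--- a/package/utils.js
+++ b/package/utils.js
@@ -825,19 +825,25 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
 // which isn't installed
 // Bug #795. At times, npm loses the integrity node completely and such packages are getting missed out
 // To keep things safe, we include these packages.
-
-
+let edgeToIntegrityOrLocation = edge.to ? edge.to.integrity : undefined;
+// Fallback to location based lookups when integrity is missing
+if (!edgeToIntegrityOrLocation && edge.to && edge.to.location) {
+edgeToIntegrityOrLocation = edge.to.location;
+}
+if (!edgeToIntegrityOrLocation) {
 // This hack is required to fix the package name
-targetName =
-
-foundMatch = true;
+targetName = edge.name.replace(/-cjs$/, "");
+foundMatch = false;
 } else {
 // the edges don't actually contain a version, so we need to search the root node
 // children to find the correct version. we check the node children first, then
 // we check the root node children
 for (const child of node.children) {
-if (
-if (
+if (edgeToIntegrityOrLocation) {
+if (
+child[1].integrity === edgeToIntegrityOrLocation ||
+child[1].location === edgeToIntegrityOrLocation
+) {
 targetName = child[0].replace(/node_modules\//g, "");
 // The package name could be different from the targetName retrieved
 // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
@@ -853,7 +859,11 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
 }
 if (!foundMatch) {
 for (const child of rootNode.children) {
-if (
+if (
+edgeToIntegrityOrLocation &&
+(child[1].integrity == edgeToIntegrityOrLocation ||
+child[1].location == edgeToIntegrityOrLocation)
+) {
 targetName = child[0].replace(/node_modules\//g, "");
 targetVersion = child[1].version;
 // The package name could be different from the targetName retrieved
@@ -897,7 +907,6 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
 pkgList = pkgList.concat(childPkgList);
 dependenciesList = dependenciesList.concat(childDependenciesList);
 }
-
 dependenciesList.push({
 ref: decodeURIComponent(purlString),
 dependsOn: workspaceDependsOn
@@ -6024,11 +6033,15 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
 const dependsOn = [];
 if (libData.dependencies) {
 for (const adep of Object.keys(libData.dependencies)) {
+// get the resolved version of the dependency
+const adepResolvedVersion =
+assetData.dependencies[aversion][adep].resolved;
+
 const adpurl = new PackageURL(
 "nuget",
 "",
 adep,
-
+adepResolvedVersion,
 null,
 null
 ).toString();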
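Review bot: In the parseCsPkgLockData hunk (@@ -6024), the new lookup `assetData.dependencies[aversion][adep].resolved` throws a TypeError if the asset entry for `aversion` is absent or does not list `adep`, so one inconsistent entry in an untrusted packages.lock.json aborts the whole parse instead of being skipped. A guarded read such as `const adepResolvedVersion = assetData.dependencies?.[aversion]?.[adep]?.resolved;` avoids the crash; whether PackageURL then accepts an undefined version, and whether every libData dependency is guaranteed to appear under assetData, cannot be confirmed from this hunk since assetData and aversion are built outside it. The enclosing loop and parseCsPkgLockData itself start and end outside the hunk.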