@cyclonedx/cdxgen 10.2.4 → 10.2.6

package/index.js

@@ -4312,6 +4312,13 @@ export async function createCsharpBom(path, options) {
   csProjFiles = csProjFiles.concat(
     getAllFiles(path, (options.multiProject ? "**/" : "") + "*.vbproj", options)
   );
+  csProjFiles = csProjFiles.concat(
+    getAllFiles(
+      path,
+      (options.multiProject ? "**/" : "") + "*.vcxproj",
+      options
+    )
+  );
   csProjFiles = csProjFiles.concat(
     getAllFiles(path, (options.multiProject ? "**/" : "") + "*.fsproj", options)
   );
@@ -4412,7 +4419,7 @@ export async function createCsharpBom(path, options) {
     }
   } else if (pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
-    let parentDependsOn = [];
+    const parentDependsOn = new Set();
     // packages.lock.json from nuget
     for (const af of pkgLockFiles) {
       if (DEBUG_MODE) {
@@ -4432,13 +4439,15 @@ export async function createCsharpBom(path, options) {
       // Keep track of the direct dependencies so that we can construct one complete
       // list after processing all lock files
       if (rootList && rootList.length) {
-        parentDependsOn = parentDependsOn.concat(rootList);
+        for (const p of rootList) {
+          parentDependsOn.add(p["bom-ref"]);
+        }
       }
     }
-    if (parentDependsOn.length) {
+    if (parentDependsOn.size) {
       dependencies.splice(0, 0, {
         ref: parentComponent["bom-ref"],
-        dependsOn: parentDependsOn.map((p) => p["bom-ref"])
+        dependsOn: Array.from(parentDependsOn)
       });
     }
   } else if (pkgConfigFiles.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.2.4",
+  "version": "10.2.6",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -825,19 +825,25 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       // which isn't installed
       // Bug #795. At times, npm loses the integrity node completely and such packages are getting missed out
       // To keep things safe, we include these packages.
-      const edgeToIntegrity = edge.to ? edge.to.integrity : undefined;
-      if (!edgeToIntegrity) {
+      let edgeToIntegrityOrLocation = edge.to ? edge.to.integrity : undefined;
+      // Fallback to location based lookups when integrity is missing
+      if (!edgeToIntegrityOrLocation && edge.to && edge.to.location) {
+        edgeToIntegrityOrLocation = edge.to.location;
+      }
+      if (!edgeToIntegrityOrLocation) {
         // This hack is required to fix the package name
-        targetName = node.name.replace(/-cjs$/, "");
-        targetVersion = node.version;
-        foundMatch = true;
+        targetName = edge.name.replace(/-cjs$/, "");
+        foundMatch = false;
       } else {
         // the edges don't actually contain a version, so we need to search the root node
         // children to find the correct version. we check the node children first, then
         // we check the root node children
         for (const child of node.children) {
-          if (edgeToIntegrity) {
-            if (child[1].integrity == edgeToIntegrity) {
+          if (edgeToIntegrityOrLocation) {
+            if (
+              child[1].integrity === edgeToIntegrityOrLocation ||
+              child[1].location === edgeToIntegrityOrLocation
+            ) {
               targetName = child[0].replace(/node_modules\//g, "");
               // The package name could be different from the targetName retrieved
               // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
@@ -853,7 +859,11 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       }
       if (!foundMatch) {
         for (const child of rootNode.children) {
-          if (child[1].integrity == edgeToIntegrity) {
+          if (
+            edgeToIntegrityOrLocation &&
+            (child[1].integrity == edgeToIntegrityOrLocation ||
+              child[1].location == edgeToIntegrityOrLocation)
+          ) {
             targetName = child[0].replace(/node_modules\//g, "");
             targetVersion = child[1].version;
             // The package name could be different from the targetName retrieved
@@ -897,7 +907,6 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       pkgList = pkgList.concat(childPkgList);
       dependenciesList = dependenciesList.concat(childDependenciesList);
     }
-
     dependenciesList.push({
       ref: decodeURIComponent(purlString),
       dependsOn: workspaceDependsOn
@@ -6018,17 +6027,84 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
         }
       };
       pkgList.push(pkg);
-      if (libData.type === "Direct") {
+      if (["Direct", "Project"].includes(libData.type)) {
         rootList.push(pkg);
       }
       const dependsOn = [];
       if (libData.dependencies) {
-        for (const adep of Object.keys(libData.dependencies)) {
+        for (let adep of Object.keys(libData.dependencies)) {
+          let adepResolvedVersion = libData.dependencies[adep];
+          const aversionNoRuntime = aversion.split("/")[0];
+          let isProjectType = false;
+          // Try to get the resolved version of the dependency. See #930 and #937
+          if (
+            assetData.dependencies[aversion] &&
+            assetData.dependencies[aversion][adep] &&
+            assetData.dependencies[aversion][adep].resolved
+          ) {
+            adepResolvedVersion =
+              assetData.dependencies[aversion][adep].resolved;
+          } else if (
+            aversion.includes("/") &&
+            assetData.dependencies[aversionNoRuntime] &&
+            assetData.dependencies[aversionNoRuntime][adep] &&
+            assetData.dependencies[aversionNoRuntime][adep].resolved
+          ) {
+            adepResolvedVersion =
+              assetData.dependencies[aversionNoRuntime][adep].resolved;
+          } else if (DEBUG_MODE) {
+            // Only Microsoft can call a lock file that uses version ranges as a "lock file" for "reproducible" builds.
+            if (adepResolvedVersion.startsWith("[")) {
+              const versionToUse = adepResolvedVersion.replace(/[[, )]/g, "");
+              if (
+                (assetData.dependencies[aversion] &&
+                  assetData.dependencies[aversion][adep] &&
+                  assetData.dependencies[aversion][adep].type === "Project") ||
+                (assetData.dependencies[aversionNoRuntime] &&
+                  assetData.dependencies[aversionNoRuntime][adep] &&
+                  assetData.dependencies[aversionNoRuntime][adep].type ===
+                    "Project")
+              ) {
+                isProjectType = true;
+              }
+              // To make matters worse, the name of the project could be all lowercased
+              // Eg: In react-native-windows repo, folly and Folly are used for the project name
+              else if (
+                (assetData.dependencies[aversion] &&
+                  assetData.dependencies[aversion][adep.toLowerCase()] &&
+                  assetData.dependencies[aversion][adep.toLowerCase()].type ===
+                    "Project") ||
+                (assetData.dependencies[aversionNoRuntime] &&
+                  assetData.dependencies[aversionNoRuntime][
+                    adep.toLowerCase()
+                  ] &&
+                  assetData.dependencies[aversionNoRuntime][adep.toLowerCase()]
+                    .type === "Project")
+              ) {
+                isProjectType = true;
+                adep = adep.toLowerCase();
+              }
+              // If this component is a project type, the version information would be often missing.
+              // So we remove the version to match based on name alone
+              if (isProjectType) {
+                adepResolvedVersion = undefined;
+              } else {
+                console.warn(
+                  `The version used for ${adep} is a range - ${adepResolvedVersion}. Using the min version ${versionToUse} which may be incorrect.`
+                );
+                adepResolvedVersion = versionToUse;
+              }
+            } else {
+              console.warn(
+                `Unable to find the resolved version for ${adep} ${aversion}. Using ${adepResolvedVersion} which may be incorrect.`
+              );
+            }
+          }
           const adpurl = new PackageURL(
             "nuget",
             "",
             adep,
-            libData.dependencies[adep],
+            adepResolvedVersion,
             null,
             null
           ).toString();

package/utils.test.js

@@ -1230,9 +1230,9 @@ test("parse github actions workflow data", () => {
   expect(dep_list.length).toEqual(3);
 });
 
-test("parse cs pkg data", async () => {
-  expect(await parseCsPkgData(null)).toEqual([]);
-  const dep_list = await parseCsPkgData(
+test("parse cs pkg data", () => {
+  expect(parseCsPkgData(null)).toEqual([]);
+  const dep_list = parseCsPkgData(
     readFileSync("./test/data/packages.config", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(21);
@@ -1243,9 +1243,9 @@ test("parse cs pkg data", async () => {
   });
 });
 
-test("parse cs pkg data 2", async () => {
-  expect(await parseCsPkgData(null)).toEqual([]);
-  const dep_list = await parseCsPkgData(
+test("parse cs pkg data 2", () => {
+  expect(parseCsPkgData(null)).toEqual([]);
+  const dep_list = parseCsPkgData(
     readFileSync("./test/data/packages2.config", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(1);
@@ -1256,9 +1256,9 @@ test("parse cs pkg data 2", async () => {
   });
 });
 
-test("parse cs proj", async () => {
-  expect(await parseCsProjData(null)).toEqual([]);
-  const dep_list = await parseCsProjData(
+test("parse cs proj", () => {
+  expect(parseCsProjData(null)).toEqual([]);
+  const dep_list = parseCsProjData(
     readFileSync("./test/sample.csproj", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(5);
@@ -1269,12 +1269,12 @@ test("parse cs proj", async () => {
   });
 });
 
-test("parse project.assets.json", async () => {
-  expect(await parseCsProjAssetsData(null)).toEqual({
+test("parse project.assets.json", () => {
+  expect(parseCsProjAssetsData(null)).toEqual({
     dependenciesList: [],
     pkgList: []
   });
-  let dep_list = await parseCsProjAssetsData(
+  let dep_list = parseCsProjAssetsData(
     readFileSync("./test/data/project.assets.json", { encoding: "utf-8" }),
     "./test/data/project.assets.json"
   );
@@ -1312,7 +1312,7 @@ test("parse project.assets.json", async () => {
     ],
     ref: "pkg:nuget/Castle.Core.Tests@0.0.0"
   });
-  dep_list = await parseCsProjAssetsData(
+  dep_list = parseCsProjAssetsData(
     readFileSync("./test/data/project.assets1.json", { encoding: "utf-8" }),
     "./test/data/project.assets1.json"
   );
@@ -1334,13 +1334,13 @@ test("parse project.assets.json", async () => {
   */
 });
 
-test("parse packages.lock.json", async () => {
-  expect(await parseCsPkgLockData(null)).toEqual({
+test("parse packages.lock.json", () => {
+  expect(parseCsPkgLockData(null)).toEqual({
     dependenciesList: [],
     pkgList: [],
     rootList: []
   });
-  let dep_list = await parseCsPkgLockData(
+  let dep_list = parseCsPkgLockData(
     readFileSync("./test/data/packages.lock.json", { encoding: "utf-8" }),
     "./test/data/packages.lock.json"
   );
@@ -1368,7 +1368,7 @@ test("parse packages.lock.json", async () => {
       }
     }
   });
-  dep_list = await parseCsPkgLockData(
+  dep_list = parseCsPkgLockData(
     readFileSync("./test/data/packages2.lock.json", { encoding: "utf-8" }),
     "./test/data/packages2.lock.json"
   );
@@ -1405,20 +1405,43 @@ test("parse packages.lock.json", async () => {
       "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@6.0.0"
     ]
   });
-  dep_list = await parseCsPkgLockData(
+  dep_list = parseCsPkgLockData(
     readFileSync("./test/data/packages3.lock.json", { encoding: "utf-8" }),
     "./test/data/packages3.lock.json"
   );
   expect(dep_list["pkgList"].length).toEqual(15);
+  expect(dep_list["pkgList"][1]).toEqual({
+    group: "",
+    name: "FSharp.Core",
+    version: "4.5.2",
+    purl: "pkg:nuget/FSharp.Core@4.5.2",
+    "bom-ref": "pkg:nuget/FSharp.Core@4.5.2",
+    _integrity:
+      "sha512-apbdQOjzsjQ637kTWQuW29jqwY18jsHMyNC5A+TPJZKFEIE2cIfQWf3V7+mXrxlbX69BueYkv293/g70wuXuRw==",
+    properties: [{ name: "SrcFile", value: "./test/data/packages3.lock.json" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/packages3.lock.json"
+          }
+        ]
+      }
+    }
+  });
   expect(dep_list["dependenciesList"].length).toEqual(15);
 });
 
-test("parse paket.lock", async () => {
-  expect(await parsePaketLockData(null)).toEqual({
+test("parse paket.lock", () => {
+  expect(parsePaketLockData(null)).toEqual({
     pkgList: [],
     dependenciesList: []
   });
-  const dep_list = await parsePaketLockData(
+  const dep_list = parsePaketLockData(
     readFileSync("./test/data/paket.lock", { encoding: "utf-8" }),
     "./test/data/paket.lock"
   );
@@ -1454,9 +1477,9 @@ test("parse paket.lock", async () => {
   });
 });
 
-test("parse .net cs proj", async () => {
-  expect(await parseCsProjData(null)).toEqual([]);
-  const dep_list = await parseCsProjData(
+test("parse .net cs proj", () => {
+  expect(parseCsProjData(null)).toEqual([]);
+  const dep_list = parseCsProjData(
     readFileSync("./test/data/sample-dotnet.csproj", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(19);
@@ -2835,7 +2858,7 @@ test("parse nupkg file", async () => {
   );
   expect(deps.length).toEqual(1);
   expect(deps[0].name).toEqual("Microsoft.Web.Infrastructure");
-  deps = await parseNuspecData(
+  deps = parseNuspecData(
     "./test/data/Microsoft.Web.Infrastructure.1.0.0.0.nuspec",
     readFileSync(
       "./test/data/Microsoft.Web.Infrastructure.1.0.0.0.nuspec",