@cyclonedx/cdxgen 10.3.0 → 10.3.2

package/README.md

@@ -1,8 +1,9 @@
+[![JSR](https://img.shields.io/jsr/v/%40cyclonedx/cdxgen)](https://jsr.io/@cyclonedx/cdxgen) [![NPM](https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen)](https://www.npmjs.com/package/@cyclonedx/cdxgen) [![GitHub Releases](https://img.shields.io/github/v/release/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/releases) [![GitHub Downloads - All](https://img.shields.io/github/downloads/cyclonedx/cdxgen/total)](https://github.com/CycloneDX/cdxgen/releases) [![GitHub Downloads - Latest](https://img.shields.io/github/downloads/cyclonedx/cdxgen/latest/total)](https://github.com/CycloneDX/cdxgen/releases) [![GitHub License](https://img.shields.io/github/license/cyclonedx/cdxgen)](./LICENSE.md) [![GitHub Contributors](https://img.shields.io/github/contributors/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/graphs/contributors)
+
 # CycloneDX Generator
 
 ![cdxgen logo](cdxgen.png)
 
-[![JSR](https://jsr.io/badges/@cyclonedx/cdxgen)](https://jsr.io/@cyclonedx/cdxgen)
 
 cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies for C/C++, Node.js, PHP, Python, Ruby, Rust, Java, .Net, Dart, Haskell, Elixir, and Go projects in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
 
@@ -367,6 +368,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Go (go.mod)
 - PHP (composer.lock)
 - Ruby (Gemfile.lock)
+- Rust (Cargo.lock)
 
 ## Environment variables
 

package/binary.js

@@ -6,7 +6,8 @@ import {
   mkdirSync,
   mkdtempSync,
   readFileSync,
-  rmSync
+  rmSync,
+  lstatSync
 } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import { spawnSync } from "node:child_process";
@@ -19,12 +20,7 @@ let url = import.meta.url;
 if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
-let dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
-// When cdxgen is used as a library, dirName would be inside the node_modules directory
-// we need to locate the base directory of the dependent project in this case.
-if (dirName.includes("node_modules")) {
-  dirName = dirName.split(join("node_modules", "@cyclonedx"))[0];
-}
+const dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
 
 const isWin = _platform() === "win32";
 
@@ -802,10 +798,11 @@ export function getBinaryBom(src, binaryBomFile, deepMode) {
   if (DEBUG_MODE) {
     console.log("Executing", BLINT_BIN, args.join(" "));
   }
+  const cwd = lstatSync(src).isDirectory() ? src : dirname(src);
   const result = spawnSync(BLINT_BIN, args, {
     encoding: "utf-8",
     timeout: TIMEOUT_MS,
-    cwd: src
+    cwd
   });
   if (result.status !== 0 || result.error) {
     if (result.stderr) {

package/index.js

@@ -83,7 +83,6 @@ import {
   parseGoModData,
   parseGoModGraph,
   parseGoModWhy,
-  parseGoVersionData,
   parseGopkgData,
   parseGosumData,
   parseGradleDep,
@@ -149,7 +148,6 @@ import {
   executeOsQuery,
   getCargoAuditableInfo,
   getDotnetSlices,
-  getGoBuildInfo,
   getOSPackages,
   getBinaryBom
 } from "./binary.js";
@@ -2696,25 +2694,8 @@ export async function createGoBom(path, options) {
   } catch (err) {
     maybeBinary = false;
   }
-  if (maybeBinary) {
-    const buildInfoData = getGoBuildInfo(path);
-    const dlist = await parseGoVersionData(buildInfoData);
-    if (dlist && dlist.length) {
-      pkgList = pkgList.concat(dlist);
-    }
-    // Since this pkg list is derived from the binary mark them as used.
-    const allImports = {};
-    for (const mpkg of pkgList) {
-      const pkgFullName = `${mpkg.group}/${mpkg.name}`;
-      allImports[pkgFullName] = true;
-    }
-    return buildBomNSData(options, pkgList, "golang", {
-      allImports,
-      dependencies,
-      parentComponent,
-      src: path,
-      filename: path
-    });
+  if (maybeBinary || options.lifecycle === "post-build") {
+    return createBinaryBom(path, options);
   }
 
   // Read in go.sum and merge all go.sum files.
@@ -4547,7 +4528,13 @@ export async function createCsharpBom(path, options) {
         "1. Create a global.json file in the project directory to specify the required version of the dotnet SDK."
       );
       console.log(
-        "2. If the project uses the legacy .Net Framework 4.6/4.7, it might require Windows."
+        "2. Use the environment variable `DOTNET_ROLL_FORWARD` to roll forward to a closest available SDK such as .Net core or dotnet 6."
+      );
+      console.log(
+        "3. If the project uses the legacy .Net Framework 4.6/4.7, it might require Windows operating system."
+      );
+      console.log(
+        "Alternatively, try using the unofficial `ghcr.io/appthreat/cdxgen-dotnet:v10` container image, which bundles a range of dotnet SDKs."
       );
       options.failOnError && process.exit(1);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.3.0",
+  "version": "10.3.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -58,15 +58,15 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.24.1",
+    "@babel/parser": "^7.24.4",
     "@babel/traverse": "^7.24.1",
-    "@npmcli/arborist": "7.4.0",
+    "@npmcli/arborist": "7.4.1",
     "ajv": "^8.12.0",
-    "ajv-formats": "^2.1.1",
+    "ajv-formats": "^3.0.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "1.1.1",
     "find-up": "7.0.0",
-    "glob": "^10.3.10",
+    "glob": "^10.3.12",
     "global-agent": "^3.0.0",
     "got": "14.2.1",
     "iconv-lite": "^0.6.3",
@@ -98,7 +98,7 @@
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.4",
-    "sequelize": "^6.37.1",
+    "sequelize": "^6.37.2",
     "sqlite3": "^5.1.7"
   },
   "files": [
@@ -114,6 +114,6 @@
     "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.7.0",
     "prettier": "3.2.5",
-    "typescript": "^5.4.3"
+    "typescript": "^5.4.4"
   }
 }

package/types/binary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"binary.d.ts","sourceRoot":"","sources":["../binary.js"],"names":[],"mappings":"AAkRA,iDA8BC;AAED,wDAmBC;AAED;;;;;;;EAqVC;AAiCD,gDAgDC;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,cACN,MAAM,WA2BhB;AAED;;;;;;;;GAQG;AACH,kCANW,MAAM,iBACN,MAAM,YACN,OAAO,GAEN,OAAO,CA6BlB"}
+{"version":3,"file":"binary.d.ts","sourceRoot":"","sources":["../binary.js"],"names":[],"mappings":"AA8QA,iDA8BC;AAED,wDAmBC;AAED;;;;;;;EAqVC;AAiCD,gDAgDC;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,cACN,MAAM,WA2BhB;AAED;;;;;;;;GAQG;AACH,kCANW,MAAM,iBACN,MAAM,YACN,OAAO,GAEN,OAAO,CA8BlB"}

package/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AA4rBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAwUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAuvBhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkZhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAgWhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiHhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAgDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAqHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAkUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAiRhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAmChB;AAED;;;;;;;;KA+DC;AAED,uDAWC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,8BA0chB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAmUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAiRhB;AAED;;;;;GAKG;AACH,qEAyFC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AA0rBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAwUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAuvBhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkZhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAgWhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAgThB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiHhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAgDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAqHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAkUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAuRhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAmChB;AAED;;;;;;;;KA+DC;AAED,uDAWC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,8BA0chB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAmUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAiRhB;AAED;;;;;GAKG;AACH,qEAyFC"}