@cyclonedx/cdxgen 10.3.4 → 10.4.0

package/utils.js CHANGED
@@ -1,19 +1,9 @@
1
- import { globSync } from "glob";
2
- import { homedir, platform, tmpdir } from "node:os";
3
- import process from "node:process";
4
1
  import { Buffer } from "node:buffer";
2
+ import { spawnSync } from "node:child_process";
3
+ import { createHash } from "node:crypto";
5
4
  import {
6
- delimiter as _delimiter,
7
- sep as _sep,
8
- basename,
9
- dirname,
10
- extname,
11
- join,
12
- resolve
13
- } from "node:path";
14
- import {
15
- chmodSync,
16
5
  constants,
6
+ chmodSync,
17
7
  copyFileSync,
18
8
  createReadStream,
19
9
  existsSync,
@@ -22,17 +12,30 @@ import {
22
12
  readFileSync,
23
13
  rmSync,
24
14
  unlinkSync,
25
- writeFileSync
15
+ writeFileSync,
26
16
  } from "node:fs";
27
- import { createHash } from "node:crypto";
28
- import got from "got";
29
- import Arborist from "@npmcli/arborist";
17
+ import { homedir, platform, tmpdir } from "node:os";
18
+ import {
19
+ delimiter as _delimiter,
20
+ sep as _sep,
21
+ basename,
22
+ dirname,
23
+ extname,
24
+ join,
25
+ resolve,
26
+ } from "node:path";
30
27
  import path from "node:path";
31
- import { xml2js } from "xml-js";
28
+ import process from "node:process";
32
29
  import { URL, fileURLToPath } from "node:url";
30
+ import Arborist from "@npmcli/arborist";
33
31
  import { load } from "cheerio";
32
+ import { parseEDNString } from "edn-data";
33
+ import { globSync } from "glob";
34
+ import got from "got";
35
+ import iconv from "iconv-lite";
34
36
  import { load as _load } from "js-yaml";
35
- import { spawnSync } from "node:child_process";
37
+ import StreamZip from "node-stream-zip";
38
+ import { PackageURL } from "packageurl-js";
36
39
  import propertiesReader from "properties-reader";
37
40
  import {
38
41
  clean,
@@ -41,13 +44,10 @@ import {
41
44
  maxSatisfying,
42
45
  parse,
43
46
  satisfies,
44
- valid
47
+ valid,
45
48
  } from "semver";
46
- import StreamZip from "node-stream-zip";
47
- import { parseEDNString } from "edn-data";
48
- import { PackageURL } from "packageurl-js";
49
+ import { xml2js } from "xml-js";
49
50
  import { getTreeWithPlugin } from "./piptree.js";
50
- import iconv from "iconv-lite";
51
51
 
52
52
  let url = import.meta.url;
53
53
  if (!url.startsWith("file://")) {
@@ -64,36 +64,36 @@ if (isWin) {
64
64
  }
65
65
 
66
66
  const licenseMapping = JSON.parse(
67
- readFileSync(join(dirNameStr, "data", "lic-mapping.json"), "utf-8")
67
+ readFileSync(join(dirNameStr, "data", "lic-mapping.json"), "utf-8"),
68
68
  );
69
69
  const vendorAliases = JSON.parse(
70
- readFileSync(join(dirNameStr, "data", "vendor-alias.json"), "utf-8")
70
+ readFileSync(join(dirNameStr, "data", "vendor-alias.json"), "utf-8"),
71
71
  );
72
72
  const spdxLicenses = JSON.parse(
73
- readFileSync(join(dirNameStr, "data", "spdx-licenses.json"), "utf-8")
73
+ readFileSync(join(dirNameStr, "data", "spdx-licenses.json"), "utf-8"),
74
74
  );
75
75
  const knownLicenses = JSON.parse(
76
- readFileSync(join(dirNameStr, "data", "known-licenses.json"), "utf-8")
76
+ readFileSync(join(dirNameStr, "data", "known-licenses.json"), "utf-8"),
77
77
  );
78
78
  const mesonWrapDB = JSON.parse(
79
- readFileSync(join(dirNameStr, "data", "wrapdb-releases.json"), "utf-8")
79
+ readFileSync(join(dirNameStr, "data", "wrapdb-releases.json"), "utf-8"),
80
80
  );
81
81
  export const frameworksList = JSON.parse(
82
- readFileSync(join(dirNameStr, "data", "frameworks-list.json"), "utf-8")
82
+ readFileSync(join(dirNameStr, "data", "frameworks-list.json"), "utf-8"),
83
83
  );
84
84
  const selfPJson = JSON.parse(
85
- readFileSync(join(dirNameStr, "package.json"), "utf-8")
85
+ readFileSync(join(dirNameStr, "package.json"), "utf-8"),
86
86
  );
87
87
  const _version = selfPJson.version;
88
88
 
89
89
  // Refer to contrib/py-modules.py for a script to generate this list
90
90
  // The script needs to be used once every few months to update this list
91
91
  const PYTHON_STD_MODULES = JSON.parse(
92
- readFileSync(join(dirNameStr, "data", "python-stdlib.json"), "utf-8")
92
+ readFileSync(join(dirNameStr, "data", "python-stdlib.json"), "utf-8"),
93
93
  );
94
94
  // Mapping between modules and package names
95
95
  const PYPI_MODULE_PACKAGE_MAPPING = JSON.parse(
96
- readFileSync(join(dirNameStr, "data", "pypi-pkg-aliases.json"), "utf-8")
96
+ readFileSync(join(dirNameStr, "data", "pypi-pkg-aliases.json"), "utf-8"),
97
97
  );
98
98
 
99
99
  // Debug mode flag
@@ -105,11 +105,11 @@ export const DEBUG_MODE =
105
105
 
106
106
  // Timeout milliseconds. Default 20 mins
107
107
  export const TIMEOUT_MS =
108
- parseInt(process.env.CDXGEN_TIMEOUT_MS) || 20 * 60 * 1000;
108
+ Number.parseInt(process.env.CDXGEN_TIMEOUT_MS) || 20 * 60 * 1000;
109
109
 
110
110
  // Max buffer for stdout and stderr. Defaults to 100MB
111
111
  export const MAX_BUFFER =
112
- parseInt(process.env.CDXGEN_MAX_BUFFER) || 100 * 1024 * 1024;
112
+ Number.parseInt(process.env.CDXGEN_MAX_BUFFER) || 100 * 1024 * 1024;
113
113
 
114
114
  // Metadata cache
115
115
  export let metadata_cache = {};
@@ -209,8 +209,8 @@ if (process.env.SWIFT_CMD) {
209
209
  // Custom user-agent for cdxgen
210
210
  export const cdxgenAgent = got.extend({
211
211
  headers: {
212
- "user-agent": `@CycloneDX/cdxgen ${_version}`
213
- }
212
+ "user-agent": `@CycloneDX/cdxgen ${_version}`,
213
+ },
214
214
  });
215
215
 
216
216
  /**
@@ -226,7 +226,7 @@ export function getAllFiles(dirPath, pattern, options = {}) {
226
226
  "**/venv/**",
227
227
  "**/docs/**",
228
228
  "**/examples/**",
229
- "**/site-packages/**"
229
+ "**/site-packages/**",
230
230
  ];
231
231
  // Only ignore node_modules if the caller is not looking for package.json
232
232
  if (!pattern.includes("package.json")) {
@@ -254,7 +254,7 @@ export function getAllFilesWithIgnore(dirPath, pattern, ignoreList) {
254
254
  nodir: true,
255
255
  dot: pattern.startsWith(".") ? true : false,
256
256
  follow: false,
257
- ignore: ignoreList
257
+ ignore: ignoreList,
258
258
  });
259
259
  } catch (err) {
260
260
  if (DEBUG_MODE) {
@@ -274,6 +274,71 @@ function toBase64(hexString) {
274
274
  return Buffer.from(hexString, "hex").toString("base64");
275
275
  }
276
276
 
277
+ /**
278
+ * Return the current timestamp in YYYY-MM-DDTHH:MM:SSZ format.
279
+ *
280
+ * @returns {string} ISO formatted timestamp, without milliseconds.
281
+ */
282
+ export function getTimestamp() {
283
+ return new Date().toISOString().split(".")[0] + "Z";
284
+ }
285
+
286
+ /**
287
+ * Method to determine if a license is a valid SPDX license expression
288
+ *
289
+ * @param {string} license License string
290
+ * @returns {boolean} true if the license is a valid SPDX license expression
291
+ * @see https://spdx.dev/learn/handling-license-info/
292
+ **/
293
+ export function isSpdxLicenseExpression(license) {
294
+ if (!license) {
295
+ return false;
296
+ }
297
+
298
+ if (/[(\s]+/g.test(license)) {
299
+ return true;
300
+ }
301
+
302
+ if (license.endsWith("+")) {
303
+ return true; // GPL-2.0+ means GPL-2.0 or any later version, at the licensee’s option.
304
+ }
305
+
306
+ return false;
307
+ }
308
+
309
+ /**
310
+ * Convert the array of licenses to a CycloneDX 1.5 compliant license array.
311
+ * This should return an array containing:
312
+ * - one or more SPDX license if no expression is present
313
+ * - the first license expression if at least one is present
314
+ *
315
+ * @param {Array} licenses Array of licenses
316
+ * @returns {Array} CycloneDX 1.5 compliant license array
317
+ */
318
+ export function adjustLicenseInformation(licenses) {
319
+ if (!licenses || !Array.isArray(licenses)) {
320
+ return [];
321
+ }
322
+
323
+ const expressions = licenses.filter((f) => {
324
+ return f.expression;
325
+ });
326
+ if (expressions.length >= 1) {
327
+ if (expressions.length > 1) {
328
+ console.warn("multiple license expressions found", expressions);
329
+ }
330
+ return [{ expression: expressions[0].expression }];
331
+ } else {
332
+ return licenses.map((l) => {
333
+ if (typeof l.license === "object") {
334
+ return l;
335
+ } else {
336
+ return { license: l };
337
+ }
338
+ });
339
+ }
340
+ }
341
+
277
342
  /**
278
343
  * Performs a lookup + validation of the license specified in the
279
344
  * package. If the license is a valid SPDX license ID, set the 'id'
@@ -286,8 +351,8 @@ export function getLicenses(pkg) {
286
351
  if (!Array.isArray(license)) {
287
352
  license = [license];
288
353
  }
289
- return license
290
- .map((l) => {
354
+ return adjustLicenseInformation(
355
+ license.map((l) => {
291
356
  let licenseContent = {};
292
357
  if (typeof l === "string" || l instanceof String) {
293
358
  if (
@@ -309,6 +374,8 @@ export function getLicenses(pkg) {
309
374
  licenseContent.name = "CUSTOM";
310
375
  }
311
376
  licenseContent.url = l;
377
+ } else if (isSpdxLicenseExpression(l)) {
378
+ licenseContent.expression = l;
312
379
  } else {
313
380
  licenseContent.name = l;
314
381
  }
@@ -321,8 +388,8 @@ export function getLicenses(pkg) {
321
388
  addLicenseText(pkg, l, licenseContent);
322
389
  }
323
390
  return licenseContent;
324
- })
325
- .map((l) => ({ license: l }));
391
+ }),
392
+ );
326
393
  } else {
327
394
  const knownLicense = getKnownLicense(undefined, pkg);
328
395
  if (knownLicense) {
@@ -414,26 +481,26 @@ export function addLicenseText(pkg, l, licenseContent) {
414
481
  "licence",
415
482
  "NOTICE",
416
483
  "Notice",
417
- "notice"
484
+ "notice",
418
485
  ];
419
486
  const licenseContentTypes = {
420
487
  "text/plain": "",
421
488
  "text/txt": ".txt",
422
489
  "text/markdown": ".md",
423
- "text/xml": ".xml"
490
+ "text/xml": ".xml",
424
491
  };
425
492
  /* Loops over different name combinations starting from the license specified
426
493
  naming (e.g., 'LICENSE.Apache-2.0') and proceeding towards more generic names. */
427
494
  for (const licenseName of [`.${l}`, ""]) {
428
495
  for (const licenseFilename of licenseFilenames) {
429
496
  for (const [licenseContentType, fileExtension] of Object.entries(
430
- licenseContentTypes
497
+ licenseContentTypes,
431
498
  )) {
432
499
  const licenseFilepath = `${pkg.realPath}/${licenseFilename}${licenseName}${fileExtension}`;
433
500
  if (existsSync(licenseFilepath)) {
434
501
  licenseContent.text = readLicenseText(
435
502
  licenseFilepath,
436
- licenseContentType
503
+ licenseContentType,
437
504
  );
438
505
  return;
439
506
  }
@@ -472,7 +539,7 @@ export async function getSwiftPackageMetadata(pkgList) {
472
539
  if (DEBUG_MODE) {
473
540
  console.log(
474
541
  p.repository.url,
475
- "is currently not supported to fetch for licenses"
542
+ "is currently not supported to fetch for licenses",
476
543
  );
477
544
  }
478
545
  }
@@ -509,7 +576,7 @@ export async function getNpmMetadata(pkgList) {
509
576
  body = metadata_cache[key];
510
577
  } else {
511
578
  const res = await cdxgenAgent.get(NPM_URL + key, {
512
- responseType: "json"
579
+ responseType: "json",
513
580
  });
514
581
  body = res.body;
515
582
  metadata_cache[key] = body;
@@ -552,7 +619,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
552
619
  const name = pkgIdentifier.fullName || pkgData.name;
553
620
  if (DEBUG_MODE && !name && !pkgJsonFile.includes("node_modules")) {
554
621
  console.log(
555
- `${pkgJsonFile} doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project.`
622
+ `${pkgJsonFile} doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project.`,
556
623
  );
557
624
  return pkgList;
558
625
  }
@@ -563,7 +630,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
563
630
  name,
564
631
  pkgData.version,
565
632
  null,
566
- null
633
+ null,
567
634
  ).toString();
568
635
  const author = pkgData.author;
569
636
  const authorString =
@@ -580,7 +647,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
580
647
  purl: purl,
581
648
  "bom-ref": decodeURIComponent(purl),
582
649
  author: authorString,
583
- license: pkgData.license
650
+ license: pkgData.license,
584
651
  };
585
652
  if (pkgData.homepage) {
586
653
  apkg.homepage = { url: pkgData.homepage };
@@ -592,8 +659,8 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
592
659
  apkg.properties = [
593
660
  {
594
661
  name: "SrcFile",
595
- value: pkgJsonFile
596
- }
662
+ value: pkgJsonFile,
663
+ },
597
664
  ];
598
665
  apkg.evidence = {
599
666
  identity: {
@@ -603,10 +670,10 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
603
670
  {
604
671
  technique: "manifest-analysis",
605
672
  confidence: 0.7,
606
- value: pkgJsonFile
607
- }
608
- ]
609
- }
673
+ value: pkgJsonFile,
674
+ },
675
+ ],
676
+ },
610
677
  };
611
678
  }
612
679
  pkgList.push(apkg);
@@ -617,7 +684,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
617
684
  if (!simple && FETCH_LICENSE && pkgList && pkgList.length) {
618
685
  if (DEBUG_MODE) {
619
686
  console.log(
620
- `About to fetch license information for ${pkgList.length} packages in parsePkgJson`
687
+ `About to fetch license information for ${pkgList.length} packages in parsePkgJson`,
621
688
  );
622
689
  }
623
690
  return await getNpmMetadata(pkgList);
@@ -641,7 +708,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
641
708
  if (!existsSync(pkgLockFile)) {
642
709
  return {
643
710
  pkgList,
644
- dependenciesList
711
+ dependenciesList,
645
712
  };
646
713
  }
647
714
 
@@ -650,7 +717,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
650
717
  rootNode,
651
718
  parentRef = null,
652
719
  visited = new Set(),
653
- options = {}
720
+ options = {},
654
721
  ) => {
655
722
  if (visited.has(node)) {
656
723
  return { pkgList: [], dependenciesList: [] };
@@ -682,7 +749,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
682
749
  options.projectName || node.packageName,
683
750
  options.projectVersion || node.version,
684
751
  null,
685
- null
752
+ null,
686
753
  )
687
754
  .toString()
688
755
  .replace(/%2F/g, "/");
@@ -693,7 +760,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
693
760
  version: options.projectVersion || node.version,
694
761
  type: "application",
695
762
  purl: purlString,
696
- "bom-ref": decodeURIComponent(purlString)
763
+ "bom-ref": decodeURIComponent(purlString),
697
764
  };
698
765
  } else {
699
766
  purlString = new PackageURL(
@@ -702,13 +769,13 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
702
769
  node.packageName,
703
770
  node.version,
704
771
  null,
705
- null
772
+ null,
706
773
  )
707
774
  .toString()
708
775
  .replace(/%2F/g, "/");
709
776
  const pkgLockFile = join(
710
777
  srcFilePath.replace("/", _sep),
711
- "package-lock.json"
778
+ "package-lock.json",
712
779
  );
713
780
  pkg = {
714
781
  group: "",
@@ -720,8 +787,8 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
720
787
  properties: [
721
788
  {
722
789
  name: "SrcFile",
723
- value: pkgLockFile
724
- }
790
+ value: pkgLockFile,
791
+ },
725
792
  ],
726
793
  evidence: {
727
794
  identity: {
@@ -731,25 +798,25 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
731
798
  {
732
799
  technique: "manifest-analysis",
733
800
  confidence: 1,
734
- value: pkgLockFile
735
- }
736
- ]
737
- }
801
+ value: pkgLockFile,
802
+ },
803
+ ],
804
+ },
738
805
  },
739
806
  type: parentRef ? "npm" : "application",
740
807
  purl: purlString,
741
- "bom-ref": decodeURIComponent(purlString)
808
+ "bom-ref": decodeURIComponent(purlString),
742
809
  };
743
810
  if (node.resolved) {
744
811
  pkg.properties.push({
745
812
  name: "ResolvedUrl",
746
- value: node.resolved
813
+ value: node.resolved,
747
814
  });
748
815
  }
749
816
  if (node.location) {
750
817
  pkg.properties.push({
751
818
  name: "LocalNodeModulesPath",
752
- value: node.location
819
+ value: node.location,
753
820
  });
754
821
  }
755
822
  }
@@ -766,7 +833,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
766
833
  for (const workspaceNode of node.fsChildren) {
767
834
  const {
768
835
  pkgList: childPkgList,
769
- dependenciesList: childDependenciesList
836
+ dependenciesList: childDependenciesList,
770
837
  } = parseArboristNode(workspaceNode, rootNode, purlString, visited);
771
838
  pkgList = pkgList.concat(childPkgList);
772
839
  dependenciesList = dependenciesList.concat(childDependenciesList);
@@ -777,10 +844,10 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
777
844
  workspaceNode.name,
778
845
  workspaceNode.version,
779
846
  null,
780
- null
847
+ null,
781
848
  )
782
849
  .toString()
783
- .replace(/%2F/g, "/")
850
+ .replace(/%2F/g, "/"),
784
851
  );
785
852
  if (decodeURIComponent(purlString) !== depWorkspacePurlString) {
786
853
  workspaceDependsOn.push(depWorkspacePurlString);
@@ -796,12 +863,12 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
796
863
  const childNode = child[1];
797
864
  const {
798
865
  pkgList: childPkgList,
799
- dependenciesList: childDependenciesList
866
+ dependenciesList: childDependenciesList,
800
867
  } = parseArboristNode(
801
868
  childNode,
802
869
  rootNode,
803
870
  decodeURIComponent(purlString),
804
- visited
871
+ visited,
805
872
  );
806
873
  pkgList = pkgList.concat(childPkgList);
807
874
  dependenciesList = dependenciesList.concat(childDependenciesList);
@@ -812,10 +879,10 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
812
879
  childNode.name,
813
880
  childNode.version,
814
881
  null,
815
- null
882
+ null,
816
883
  )
817
884
  .toString()
818
- .replace(/%2F/g, "/")
885
+ .replace(/%2F/g, "/"),
819
886
  );
820
887
  if (decodeURIComponent(purlString) !== depChildString) {
821
888
  childrenDependsOn.push(depChildString);
@@ -892,7 +959,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
892
959
  const depPurlString = decodeURIComponent(
893
960
  new PackageURL("npm", "", targetName, targetVersion, null, null)
894
961
  .toString()
895
- .replace(/%2F/g, "/")
962
+ .replace(/%2F/g, "/"),
896
963
  );
897
964
  if (decodeURIComponent(purlString) !== depPurlString) {
898
965
  pkgDependsOn.push(depPurlString);
@@ -905,7 +972,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
905
972
  edge.to,
906
973
  rootNode,
907
974
  decodeURIComponent(purlString),
908
- visited
975
+ visited,
909
976
  );
910
977
  pkgList = pkgList.concat(childPkgList);
911
978
  dependenciesList = dependenciesList.concat(childDependenciesList);
@@ -914,7 +981,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
914
981
  ref: decodeURIComponent(purlString),
915
982
  dependsOn: workspaceDependsOn
916
983
  .concat(childrenDependsOn)
917
- .concat(pkgDependsOn)
984
+ .concat(pkgDependsOn),
918
985
  });
919
986
 
920
987
  return { pkgList, dependenciesList };
@@ -923,24 +990,24 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
923
990
  let arb = new Arborist({
924
991
  path: path.dirname(pkgLockFile),
925
992
  // legacyPeerDeps=false enables npm >v3 package dependency resolution
926
- legacyPeerDeps: false
993
+ legacyPeerDeps: false,
927
994
  });
928
995
  let tree = undefined;
929
996
  try {
930
997
  tree = await arb.loadVirtual();
931
998
  } catch (e) {
932
999
  console.log(
933
- `Unable to parse ${pkgLockFile} without legacy peer dependencies. Retrying ...`
1000
+ `Unable to parse ${pkgLockFile} without legacy peer dependencies. Retrying ...`,
934
1001
  );
935
1002
  try {
936
1003
  arb = new Arborist({
937
1004
  path: path.dirname(pkgLockFile),
938
- legacyPeerDeps: true
1005
+ legacyPeerDeps: true,
939
1006
  });
940
1007
  tree = await arb.loadVirtual();
941
1008
  } catch (e) {
942
1009
  console.log(
943
- `Unable to parse ${pkgLockFile} in legacy and non-legacy mode. The resulting SBOM would be incomplete.`
1010
+ `Unable to parse ${pkgLockFile} in legacy and non-legacy mode. The resulting SBOM would be incomplete.`,
944
1011
  );
945
1012
  return { pkgList, dependenciesList };
946
1013
  }
@@ -953,13 +1020,13 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
953
1020
  tree,
954
1021
  null,
955
1022
  new Set(),
956
- options
1023
+ options,
957
1024
  ));
958
1025
 
959
1026
  if (FETCH_LICENSE && pkgList && pkgList.length) {
960
1027
  if (DEBUG_MODE) {
961
1028
  console.log(
962
- `About to fetch license information for ${pkgList.length} packages in parsePkgLock`
1029
+ `About to fetch license information for ${pkgList.length} packages in parsePkgLock`,
963
1030
  );
964
1031
  }
965
1032
  pkgList = await getNpmMetadata(pkgList);
@@ -967,7 +1034,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
967
1034
  }
968
1035
  return {
969
1036
  pkgList,
970
- dependenciesList
1037
+ dependenciesList,
971
1038
  };
972
1039
  }
973
1040
 
@@ -1105,7 +1172,7 @@ export async function parseYarnLock(yarnLockFile) {
1105
1172
  name,
1106
1173
  version,
1107
1174
  null,
1108
- null
1175
+ null,
1109
1176
  ).toString();
1110
1177
  // Trim duplicates
1111
1178
  if (!pkgAddedMap[purlString]) {
@@ -1120,8 +1187,8 @@ export async function parseYarnLock(yarnLockFile) {
1120
1187
  properties: [
1121
1188
  {
1122
1189
  name: "SrcFile",
1123
- value: yarnLockFile
1124
- }
1190
+ value: yarnLockFile,
1191
+ },
1125
1192
  ],
1126
1193
  evidence: {
1127
1194
  identity: {
@@ -1131,11 +1198,11 @@ export async function parseYarnLock(yarnLockFile) {
1131
1198
  {
1132
1199
  technique: "manifest-analysis",
1133
1200
  confidence: 1,
1134
- value: yarnLockFile
1135
- }
1136
- ]
1137
- }
1138
- }
1201
+ value: yarnLockFile,
1202
+ },
1203
+ ],
1204
+ },
1205
+ },
1139
1206
  });
1140
1207
  }
1141
1208
  }
@@ -1150,7 +1217,7 @@ export async function parseYarnLock(yarnLockFile) {
1150
1217
  // Create an entry for dependencies
1151
1218
  dependenciesList.push({
1152
1219
  ref: decodeURIComponent(purlString),
1153
- dependsOn: deplist
1220
+ dependsOn: deplist,
1154
1221
  });
1155
1222
  depKeys[purlString] = true;
1156
1223
  deplist = [];
@@ -1179,7 +1246,7 @@ export async function parseYarnLock(yarnLockFile) {
1179
1246
  ) {
1180
1247
  name_aliases.push({
1181
1248
  group: parsedline.group,
1182
- name: parsedline.name
1249
+ name: parsedline.name,
1183
1250
  });
1184
1251
  }
1185
1252
  }
@@ -1207,7 +1274,7 @@ export async function parseYarnLock(yarnLockFile) {
1207
1274
  dgroupname,
1208
1275
  resolvedVersion,
1209
1276
  null,
1210
- null
1277
+ null,
1211
1278
  ).toString();
1212
1279
  deplist.push(decodeURIComponent(depPurlString));
1213
1280
  }
@@ -1244,18 +1311,18 @@ export async function parseYarnLock(yarnLockFile) {
1244
1311
  if (FETCH_LICENSE && pkgList && pkgList.length) {
1245
1312
  if (DEBUG_MODE) {
1246
1313
  console.log(
1247
- `About to fetch license information for ${pkgList.length} packages in parseYarnLock`
1314
+ `About to fetch license information for ${pkgList.length} packages in parseYarnLock`,
1248
1315
  );
1249
1316
  }
1250
1317
  pkgList = await getNpmMetadata(pkgList);
1251
1318
  return {
1252
1319
  pkgList,
1253
- dependenciesList
1320
+ dependenciesList,
1254
1321
  };
1255
1322
  }
1256
1323
  return {
1257
1324
  pkgList,
1258
- dependenciesList
1325
+ dependenciesList,
1259
1326
  };
1260
1327
  }
1261
1328
 
@@ -1298,8 +1365,8 @@ export async function parseNodeShrinkwrap(swFile) {
1298
1365
  properties: [
1299
1366
  {
1300
1367
  name: "SrcFile",
1301
- value: swFile
1302
- }
1368
+ value: swFile,
1369
+ },
1303
1370
  ],
1304
1371
  evidence: {
1305
1372
  identity: {
@@ -1309,11 +1376,11 @@ export async function parseNodeShrinkwrap(swFile) {
1309
1376
  {
1310
1377
  technique: "manifest-analysis",
1311
1378
  confidence: 1,
1312
- value: swFile
1313
- }
1314
- ]
1315
- }
1316
- }
1379
+ value: swFile,
1380
+ },
1381
+ ],
1382
+ },
1383
+ },
1317
1384
  });
1318
1385
  }
1319
1386
  }
@@ -1321,7 +1388,7 @@ export async function parseNodeShrinkwrap(swFile) {
1321
1388
  if (FETCH_LICENSE && pkgList && pkgList.length) {
1322
1389
  if (DEBUG_MODE) {
1323
1390
  console.log(
1324
- `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`
1391
+ `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`,
1325
1392
  );
1326
1393
  }
1327
1394
  return await getNpmMetadata(pkgList);
@@ -1348,7 +1415,7 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1348
1415
  parentComponent.name,
1349
1416
  parentComponent.version,
1350
1417
  null,
1351
- null
1418
+ null,
1352
1419
  ).toString();
1353
1420
  }
1354
1421
  if (existsSync(pnpmLock)) {
@@ -1375,18 +1442,18 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1375
1442
  dk,
1376
1443
  version,
1377
1444
  null,
1378
- null
1445
+ null,
1379
1446
  ).toString();
1380
1447
  ddeplist.push(decodeURIComponent(dpurl));
1381
1448
  }
1382
1449
  dependenciesList.push({
1383
1450
  ref: decodeURIComponent(ppurl),
1384
- dependsOn: ddeplist
1451
+ dependsOn: ddeplist,
1385
1452
  });
1386
1453
  }
1387
1454
  let lockfileVersion = yamlObj.lockfileVersion;
1388
1455
  try {
1389
- lockfileVersion = parseInt(lockfileVersion, 10);
1456
+ lockfileVersion = Number.parseInt(lockfileVersion, 10);
1390
1457
  } catch (e) {
1391
1458
  // ignore parse errors
1392
1459
  }
@@ -1430,7 +1497,7 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1430
1497
  // Let's have some warnings till we fully support pnpm 8
1431
1498
  if (!name) {
1432
1499
  console.warn(
1433
- `Unable to extract name and version for string ${pkgKeys[k]}`
1500
+ `Unable to extract name and version for string ${pkgKeys[k]}`,
1434
1501
  );
1435
1502
  continue;
1436
1503
  }
@@ -1441,7 +1508,7 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1441
1508
  name,
1442
1509
  version,
1443
1510
  null,
1444
- null
1511
+ null,
1445
1512
  ).toString();
1446
1513
  const deplist = [];
1447
1514
  for (const dpkgName of Object.keys(deps)) {
@@ -1451,13 +1518,13 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1451
1518
  dpkgName,
1452
1519
  deps[dpkgName],
1453
1520
  null,
1454
- null
1521
+ null,
1455
1522
  ).toString();
1456
1523
  deplist.push(decodeURIComponent(dpurlString));
1457
1524
  }
1458
1525
  dependenciesList.push({
1459
1526
  ref: decodeURIComponent(purlString),
1460
- dependsOn: deplist
1527
+ dependsOn: deplist,
1461
1528
  });
1462
1529
  pkgList.push({
1463
1530
  group: group,
@@ -1470,8 +1537,8 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1470
1537
  properties: [
1471
1538
  {
1472
1539
  name: "SrcFile",
1473
- value: pnpmLock
1474
- }
1540
+ value: pnpmLock,
1541
+ },
1475
1542
  ],
1476
1543
  evidence: {
1477
1544
  identity: {
@@ -1481,11 +1548,11 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1481
1548
  {
1482
1549
  technique: "manifest-analysis",
1483
1550
  confidence: 1,
1484
- value: pnpmLock
1485
- }
1486
- ]
1487
- }
1488
- }
1551
+ value: pnpmLock,
1552
+ },
1553
+ ],
1554
+ },
1555
+ },
1489
1556
  });
1490
1557
  }
1491
1558
  }
@@ -1494,18 +1561,18 @@ export async function parsePnpmLock(pnpmLock, parentComponent = null) {
1494
1561
  if (FETCH_LICENSE && pkgList && pkgList.length) {
1495
1562
  if (DEBUG_MODE) {
1496
1563
  console.log(
1497
- `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`
1564
+ `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`,
1498
1565
  );
1499
1566
  }
1500
1567
  pkgList = await getNpmMetadata(pkgList);
1501
1568
  return {
1502
1569
  pkgList,
1503
- dependenciesList
1570
+ dependenciesList,
1504
1571
  };
1505
1572
  }
1506
1573
  return {
1507
1574
  pkgList,
1508
- dependenciesList
1575
+ dependenciesList,
1509
1576
  };
1510
1577
  }
1511
1578
 
@@ -1529,8 +1596,8 @@ export async function parseBowerJson(bowerJsonFile) {
1529
1596
  properties: [
1530
1597
  {
1531
1598
  name: "SrcFile",
1532
- value: bowerJsonFile
1533
- }
1599
+ value: bowerJsonFile,
1600
+ },
1534
1601
  ],
1535
1602
  evidence: {
1536
1603
  identity: {
@@ -1540,11 +1607,11 @@ export async function parseBowerJson(bowerJsonFile) {
1540
1607
  {
1541
1608
  technique: "manifest-analysis",
1542
1609
  confidence: 1,
1543
- value: bowerJsonFile
1544
- }
1545
- ]
1546
- }
1547
- }
1610
+ value: bowerJsonFile,
1611
+ },
1612
+ ],
1613
+ },
1614
+ },
1548
1615
  });
1549
1616
  } catch (err) {
1550
1617
  // continue regardless of error
@@ -1553,7 +1620,7 @@ export async function parseBowerJson(bowerJsonFile) {
1553
1620
  if (FETCH_LICENSE && pkgList && pkgList.length) {
1554
1621
  if (DEBUG_MODE) {
1555
1622
  console.log(
1556
- `About to fetch license information for ${pkgList.length} packages in parseBowerJson`
1623
+ `About to fetch license information for ${pkgList.length} packages in parseBowerJson`,
1557
1624
  );
1558
1625
  }
1559
1626
  return await getNpmMetadata(pkgList);
@@ -1610,8 +1677,8 @@ export async function parseMinJs(minJsFile) {
1610
1677
  properties: [
1611
1678
  {
1612
1679
  name: "SrcFile",
1613
- value: minJsFile
1614
- }
1680
+ value: minJsFile,
1681
+ },
1615
1682
  ],
1616
1683
  evidence: {
1617
1684
  identity: {
@@ -1621,11 +1688,11 @@ export async function parseMinJs(minJsFile) {
1621
1688
  {
1622
1689
  technique: "filename",
1623
1690
  confidence: 0.25,
1624
- value: minJsFile
1625
- }
1626
- ]
1627
- }
1628
- }
1691
+ value: minJsFile,
1692
+ },
1693
+ ],
1694
+ },
1695
+ },
1629
1696
  });
1630
1697
  }
1631
1698
  }
@@ -1638,7 +1705,7 @@ export async function parseMinJs(minJsFile) {
1638
1705
  if (FETCH_LICENSE && pkgList && pkgList.length) {
1639
1706
  if (DEBUG_MODE) {
1640
1707
  console.log(
1641
- `About to fetch license information for ${pkgList.length} packages in parseMinJs`
1708
+ `About to fetch license information for ${pkgList.length} packages in parseMinJs`,
1642
1709
  );
1643
1710
  }
1644
1711
  return await getNpmMetadata(pkgList);
@@ -1659,7 +1726,7 @@ export function parsePom(pomFile) {
1659
1726
  spaces: 4,
1660
1727
  textKey: "_",
1661
1728
  attributesKey: "$",
1662
- commentKey: "value"
1729
+ commentKey: "value",
1663
1730
  }).project;
1664
1731
  if (project && project.dependencies) {
1665
1732
  let dependencies = project.dependencies.dependency;
@@ -1683,8 +1750,8 @@ export function parsePom(pomFile) {
1683
1750
  properties: [
1684
1751
  {
1685
1752
  name: "SrcFile",
1686
- value: pomFile
1687
- }
1753
+ value: pomFile,
1754
+ },
1688
1755
  ],
1689
1756
  evidence: {
1690
1757
  identity: {
@@ -1694,11 +1761,11 @@ export function parsePom(pomFile) {
1694
1761
  {
1695
1762
  technique: "manifest-analysis",
1696
1763
  confidence: 1,
1697
- value: pomFile
1698
- }
1699
- ]
1700
- }
1701
- }
1764
+ value: pomFile,
1765
+ },
1766
+ ],
1767
+ },
1768
+ },
1702
1769
  });
1703
1770
  }
1704
1771
  }
@@ -1749,14 +1816,14 @@ export function parseMavenTree(rawOutput) {
1749
1816
  pkgArr[1],
1750
1817
  versionStr,
1751
1818
  { type: pkgArr[2] },
1752
- null
1819
+ null,
1753
1820
  ).toString();
1754
1821
  purlString = decodeURIComponent(purlString);
1755
1822
  deps.push({
1756
1823
  group: pkgArr[0],
1757
1824
  name: pkgArr[1],
1758
1825
  version: versionStr,
1759
- qualifiers: { type: pkgArr[2] }
1826
+ qualifiers: { type: pkgArr[2] },
1760
1827
  });
1761
1828
  if (!level_trees[purlString]) {
1762
1829
  level_trees[purlString] = [];
@@ -1789,12 +1856,12 @@ export function parseMavenTree(rawOutput) {
1789
1856
  for (const lk of Object.keys(level_trees)) {
1790
1857
  dependenciesList.push({
1791
1858
  ref: lk,
1792
- dependsOn: level_trees[lk]
1859
+ dependsOn: level_trees[lk],
1793
1860
  });
1794
1861
  }
1795
1862
  return {
1796
1863
  pkgList: deps,
1797
- dependenciesList
1864
+ dependenciesList,
1798
1865
  };
1799
1866
  }
1800
1867
 
@@ -1809,7 +1876,7 @@ export function parseGradleDep(
1809
1876
  rawOutput,
1810
1877
  rootProjectGroup = "",
1811
1878
  rootProjectName = "root",
1812
- rootProjectVersion = "latest"
1879
+ rootProjectVersion = "latest",
1813
1880
  ) {
1814
1881
  if (typeof rawOutput === "string") {
1815
1882
  // Bug: 249. Get any sub-projects refered here
@@ -1831,7 +1898,7 @@ export function parseGradleDep(
1831
1898
  name: rootProjectName,
1832
1899
  version: rootProjectVersion,
1833
1900
  type: "maven",
1834
- qualifiers: { type: "jar" }
1901
+ qualifiers: { type: "jar" },
1835
1902
  };
1836
1903
  const deps = [];
1837
1904
  const dependenciesList = [];
@@ -1845,8 +1912,8 @@ export function parseGradleDep(
1845
1912
  rootProject.name,
1846
1913
  rootProject.version,
1847
1914
  rootProject.qualifiers,
1848
- null
1849
- ).toString()
1915
+ null,
1916
+ ).toString(),
1850
1917
  );
1851
1918
  const first_purl = last_purl;
1852
1919
  let last_project_purl = first_purl;
@@ -1865,9 +1932,9 @@ export function parseGradleDep(
1865
1932
  sd.replace(":", ""),
1866
1933
  rootProject.version,
1867
1934
  rootProject.qualifiers,
1868
- null
1869
- ).toString()
1870
- )
1935
+ null,
1936
+ ).toString(),
1937
+ ),
1871
1938
  );
1872
1939
  }
1873
1940
  level_trees[last_purl] = subDependsOn;
@@ -1915,7 +1982,7 @@ export function parseGradleDep(
1915
1982
  versionspecified,
1916
1983
  groupoverride,
1917
1984
  nameoverride,
1918
- versionoverride
1985
+ versionoverride,
1919
1986
  ] = match;
1920
1987
  let group = groupoverride || groupspecified;
1921
1988
  let name = nameoverride || namespecified;
@@ -1938,7 +2005,7 @@ export function parseGradleDep(
1938
2005
  name,
1939
2006
  version !== undefined ? version : rootProjectVersion,
1940
2007
  { type: "jar" },
1941
- null
2008
+ null,
1942
2009
  ).toString();
1943
2010
  purlString = decodeURIComponent(purlString);
1944
2011
  keys_cache[purlString + "_" + last_purl] = true;
@@ -1949,7 +2016,7 @@ export function parseGradleDep(
1949
2016
  group: group !== "project" ? group : rootProjectGroup,
1950
2017
  name: name,
1951
2018
  version: version !== undefined ? version : rootProjectVersion,
1952
- qualifiers: { type: "jar" }
2019
+ qualifiers: { type: "jar" },
1953
2020
  };
1954
2021
  adep["purl"] = purlString;
1955
2022
  adep["bom-ref"] = decodeURIComponent(purlString);
@@ -1960,8 +2027,8 @@ export function parseGradleDep(
1960
2027
  adep.properties = [
1961
2028
  {
1962
2029
  name: "GradleProfileName",
1963
- value: profileName
1964
- }
2030
+ value: profileName,
2031
+ },
1965
2032
  ];
1966
2033
  }
1967
2034
  deps.push(adep);
@@ -2004,12 +2071,12 @@ export function parseGradleDep(
2004
2071
  for (const lk of Object.keys(level_trees)) {
2005
2072
  dependenciesList.push({
2006
2073
  ref: lk,
2007
- dependsOn: level_trees[lk]
2074
+ dependsOn: level_trees[lk],
2008
2075
  });
2009
2076
  }
2010
2077
  return {
2011
2078
  pkgList: deps,
2012
- dependenciesList
2079
+ dependenciesList,
2013
2080
  };
2014
2081
  }
2015
2082
  return {};
@@ -2044,7 +2111,7 @@ export function parseCljDep(rawOutput) {
2044
2111
  deps.push({
2045
2112
  group,
2046
2113
  name,
2047
- version
2114
+ version,
2048
2115
  });
2049
2116
  }
2050
2117
  }
@@ -2144,7 +2211,7 @@ export function parseGradleProjects(rawOutput) {
2144
2211
  }
2145
2212
  return {
2146
2213
  rootProject,
2147
- projects: Array.from(projects)
2214
+ projects: Array.from(projects),
2148
2215
  };
2149
2216
  }
2150
2217
 
@@ -2187,7 +2254,7 @@ export function parseGradleProperties(rawOutput) {
2187
2254
  return {
2188
2255
  rootProject,
2189
2256
  projects: Array.from(projects),
2190
- metadata
2257
+ metadata,
2191
2258
  };
2192
2259
  }
2193
2260
 
@@ -2203,8 +2270,8 @@ export function executeGradleProperties(dir, rootPath, subProject) {
2203
2270
  rootProject: subProject,
2204
2271
  projects: [],
2205
2272
  metadata: {
2206
- version: "latest"
2207
- }
2273
+ version: "latest",
2274
+ },
2208
2275
  };
2209
2276
  // To optimize performance and reduce errors do not query for properties
2210
2277
  // beyond the first level
@@ -2216,7 +2283,7 @@ export function executeGradleProperties(dir, rootPath, subProject) {
2216
2283
  "-q",
2217
2284
  "--console",
2218
2285
  "plain",
2219
- "--build-cache"
2286
+ "--build-cache",
2220
2287
  ];
2221
2288
  const gradleCmd = getGradleCommand(dir, rootPath);
2222
2289
  // common gradle args, used for all tasks
@@ -2234,12 +2301,12 @@ export function executeGradleProperties(dir, rootPath, subProject) {
2234
2301
  gradleCmd,
2235
2302
  gradlePropertiesArgs.join(" "),
2236
2303
  "in",
2237
- dir
2304
+ dir,
2238
2305
  );
2239
2306
  const result = spawnSync(gradleCmd, gradlePropertiesArgs, {
2240
2307
  cwd: dir,
2241
2308
  encoding: "utf-8",
2242
- shell: isWin
2309
+ shell: isWin,
2243
2310
  });
2244
2311
  if (result.status !== 0 || result.error) {
2245
2312
  if (result.stderr) {
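Review bot: The `spawnSync` call at the end of this hunk runs with `shell: isWin`, and when a shell is used Node hands `gradlePropertiesArgs` to cmd.exe unquoted, so any argument containing cmd metacharacters (`&`, `|`, `^`, spaces) is re-parsed by the shell instead of reaching gradle verbatim. The arguments visible in this hunk are constants, but `subProject` enters the function as a parameter and presumably ends up in the argument list built above the hunk, so a sub-project name taken from the analysed repository's Gradle output would be the value to check; since Gradle already executes that repository's build scripts the practical exposure is limited, but a guard is cheap. I would add `// NOTE: shell: true on Windows means args are not escaped; subProject must not contain cmd metacharacters` above the call and reject a sub-project name that fails `/^[\w.:-]+$/` before it is placed in the args. executeGradleProperties begins before this hunk and its error handling continues after it.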
@@ -2248,12 +2315,12 @@ export function executeGradleProperties(dir, rootPath, subProject) {
2248
2315
  } else {
2249
2316
  console.error(result.stdout, result.stderr);
2250
2317
  console.log(
2251
- "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible."
2318
+ "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible.",
2252
2319
  );
2253
2320
  }
2254
2321
  if (result.stderr.includes("not get unknown property")) {
2255
2322
  console.log(
2256
- "2. Check if the SBOM is generated for the correct root project for your application."
2323
+ "2. Check if the SBOM is generated for the correct root project for your application.",
2257
2324
  );
2258
2325
  }
2259
2326
  }
@@ -2275,7 +2342,7 @@ export function parseBazelActionGraph(rawOutput) {
2275
2342
  `^.*v1/https/[^/]*(?:${
2276
2343
  process.env.BAZEL_STRIP_MAVEN_PREFIX || "/maven2/"
2277
2344
  })?(.*)/(.*)/(.*)/(.*.jar)(?:"| \\\\)?$`,
2278
- "g"
2345
+ "g",
2279
2346
  );
2280
2347
 
2281
2348
  if (typeof rawOutput === "string") {
@@ -2303,7 +2370,7 @@ export function parseBazelActionGraph(rawOutput) {
2303
2370
  group,
2304
2371
  name,
2305
2372
  version,
2306
- qualifiers: { type: "jar" }
2373
+ qualifiers: { type: "jar" },
2307
2374
  });
2308
2375
  }
2309
2376
  }
@@ -2360,7 +2427,7 @@ export function parseBazelSkyframe(rawOutput) {
2360
2427
  group,
2361
2428
  name,
2362
2429
  version,
2363
- qualifiers: { type: "jar" }
2430
+ qualifiers: { type: "jar" },
2364
2431
  });
2365
2432
  }
2366
2433
  }
@@ -2419,14 +2486,14 @@ export function parseKVDep(rawOutput) {
2419
2486
  name,
2420
2487
  version,
2421
2488
  { type: "jar" },
2422
- null
2489
+ null,
2423
2490
  ).toString();
2424
2491
  deps.push({
2425
2492
  group,
2426
2493
  name,
2427
2494
  version,
2428
2495
  purl: purlString,
2429
- "bom-ref": decodeURIComponent(purlString)
2496
+ "bom-ref": decodeURIComponent(purlString),
2430
2497
  });
2431
2498
  });
2432
2499
  return deps;
@@ -2500,10 +2567,10 @@ export async function getMvnMetadata(pkgList, jarNSMapping = {}) {
2500
2567
  {
2501
2568
  technique: "binary-analysis",
2502
2569
  confidence: 0.8,
2503
- value: jarNSMapping[p.purl].jarFile
2504
- }
2505
- ]
2506
- }
2570
+ value: jarNSMapping[p.purl].jarFile,
2571
+ },
2572
+ ],
2573
+ },
2507
2574
  };
2508
2575
  }
2509
2576
  if (
@@ -2515,7 +2582,7 @@ export async function getMvnMetadata(pkgList, jarNSMapping = {}) {
2515
2582
  }
2516
2583
  p.properties.push({
2517
2584
  name: "Namespaces",
2518
- value: jarNSMapping[p.purl].namespaces.join("\n")
2585
+ value: jarNSMapping[p.purl].namespaces.join("\n"),
2519
2586
  });
2520
2587
  }
2521
2588
  }
@@ -2539,12 +2606,12 @@ export async function getMvnMetadata(pkgList, jarNSMapping = {}) {
2539
2606
  urlPrefix: urlPrefix,
2540
2607
  group: group,
2541
2608
  name: p.name,
2542
- version: p.version
2609
+ version: p.version,
2543
2610
  };
2544
2611
  try {
2545
2612
  if (DEBUG_MODE) {
2546
2613
  console.log(
2547
- `Querying ${pomMetadata} from ${composePomXmlUrl(pomMetadata)}`
2614
+ `Querying ${pomMetadata} from ${composePomXmlUrl(pomMetadata)}`,
2548
2615
  );
2549
2616
  }
2550
2617
  const bodyJson = await fetchPomXmlAsJson(pomMetadata);
@@ -2564,7 +2631,7 @@ export async function getMvnMetadata(pkgList, jarNSMapping = {}) {
2564
2631
  if (DEBUG_MODE) {
2565
2632
  console.log(
2566
2633
  `An error occurred when trying to fetch metadata ${pomMetadata}`,
2567
- err
2634
+ err,
2568
2635
  );
2569
2636
  }
2570
2637
  } finally {
@@ -2618,7 +2685,7 @@ export async function fetchPomXmlAsJson({ urlPrefix, group, name, version }) {
2618
2685
  spaces: 4,
2619
2686
  textKey: "_",
2620
2687
  attributesKey: "$",
2621
- commentKey: "value"
2688
+ commentKey: "value",
2622
2689
  };
2623
2690
  const pomJson = xml2js(pomXml, options).project;
2624
2691
  if (pomJson?.parent) {
@@ -2626,7 +2693,7 @@ export async function fetchPomXmlAsJson({ urlPrefix, group, name, version }) {
2626
2693
  urlPrefix,
2627
2694
  group: pomJson.parent.groupId?._,
2628
2695
  name: pomJson.parent.artifactId?._,
2629
- version: pomJson.parent.version?._
2696
+ version: pomJson.parent.version?._,
2630
2697
  });
2631
2698
  const parentJson = xml2js(parentXml, options).project;
2632
2699
  const result = { ...parentJson, ...pomJson };
@@ -2681,7 +2748,7 @@ export async function extractLicenseCommentFromPomXml({
2681
2748
  urlPrefix,
2682
2749
  group,
2683
2750
  name,
2684
- version
2751
+ version,
2685
2752
  }) {
2686
2753
  const pom_xml = await fetchPomXml({ urlPrefix, group, name, version });
2687
2754
  const licenseRegex = /<!--([\s\S]*?)-->[\s\n]*<project/m;
@@ -2714,7 +2781,7 @@ export function parsePyRequiresDist(dist_string) {
2714
2781
  }
2715
2782
  return {
2716
2783
  name,
2717
- version
2784
+ version,
2718
2785
  };
2719
2786
  }
2720
2787
 
@@ -2774,12 +2841,12 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2774
2841
  let res = undefined;
2775
2842
  try {
2776
2843
  res = await cdxgenAgent.get(PYPI_URL + p.name + "/json", {
2777
- responseType: "json"
2844
+ responseType: "json",
2778
2845
  });
2779
2846
  } catch (err) {
2780
2847
  // retry by prefixing django- to the package name
2781
2848
  res = await cdxgenAgent.get(PYPI_URL + "django-" + p.name + "/json", {
2782
- responseType: "json"
2849
+ responseType: "json",
2783
2850
  });
2784
2851
  p.name = "django-" + p.name;
2785
2852
  }
@@ -2844,7 +2911,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2844
2911
  if (versionSpecifiers) {
2845
2912
  p.version = guessPypiMatchingVersion(
2846
2913
  Object.keys(body.releases || {}),
2847
- versionSpecifiers
2914
+ versionSpecifiers,
2848
2915
  );
2849
2916
  // Indicate the confidence with our guess
2850
2917
  p.evidence = {
@@ -2855,10 +2922,10 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2855
2922
  {
2856
2923
  technique: "manifest-analysis",
2857
2924
  confidence: 0.75,
2858
- value: `Version specifiers: ${versionSpecifiers}`
2859
- }
2860
- ]
2861
- }
2925
+ value: `Version specifiers: ${versionSpecifiers}`,
2926
+ },
2927
+ ],
2928
+ },
2862
2929
  };
2863
2930
  }
2864
2931
  // If we have reached here, it means we have not solved the version
@@ -2874,10 +2941,10 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2874
2941
  {
2875
2942
  technique: "source-code-analysis",
2876
2943
  confidence: 0.5,
2877
- value: `PyPI package: ${p.name}`
2878
- }
2879
- ]
2880
- }
2944
+ value: `PyPI package: ${p.name}`,
2945
+ },
2946
+ ],
2947
+ },
2881
2948
  };
2882
2949
  }
2883
2950
  } else if (p.version !== body.info.version) {
@@ -2886,11 +2953,11 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2886
2953
  }
2887
2954
  p.properties.push({
2888
2955
  name: "cdx:pypi:latest_version",
2889
- value: body.info.version
2956
+ value: body.info.version,
2890
2957
  });
2891
2958
  p.properties.push({
2892
2959
  name: "cdx:pypi:resolved_from",
2893
- value: origName
2960
+ value: origName,
2894
2961
  });
2895
2962
  }
2896
2963
  if (
@@ -2911,7 +2978,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2911
2978
  p.name,
2912
2979
  p.version,
2913
2980
  null,
2914
- null
2981
+ null,
2915
2982
  ).toString();
2916
2983
  p.purl = purlString;
2917
2984
  p["bom-ref"] = decodeURIComponent(purlString);
@@ -2920,16 +2987,16 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2920
2987
  if (DEBUG_MODE) {
2921
2988
  console.error(p.name, "is not found on PyPI.");
2922
2989
  console.log(
2923
- "If this package is available from PyPI or a registry, its name might be different from the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this can be added to the mapping file pypi-pkg-aliases.json"
2990
+ "If this package is available from PyPI or a registry, its name might be different from the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this can be added to the mapping file pypi-pkg-aliases.json",
2924
2991
  );
2925
2992
  console.log(
2926
- "Alternatively, if this is a package that gets installed directly in your environment and offers a python binding, then track such packages manually."
2993
+ "Alternatively, if this is a package that gets installed directly in your environment and offers a python binding, then track such packages manually.",
2927
2994
  );
2928
2995
  }
2929
2996
  if (!p.version) {
2930
2997
  if (DEBUG_MODE) {
2931
2998
  console.log(
2932
- `Assuming the version as latest for the package ${p.name}`
2999
+ `Assuming the version as latest for the package ${p.name}`,
2933
3000
  );
2934
3001
  }
2935
3002
  p.version = "latest";
@@ -2942,10 +3009,10 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2942
3009
  {
2943
3010
  technique: "source-code-analysis",
2944
3011
  confidence: 0,
2945
- value: `Module ${p.name}`
2946
- }
2947
- ]
2948
- }
3012
+ value: `Module ${p.name}`,
3013
+ },
3014
+ ],
3015
+ },
2949
3016
  };
2950
3017
  }
2951
3018
  const purlString = new PackageURL(
@@ -2954,7 +3021,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
2954
3021
  p.name,
2955
3022
  p.version,
2956
3023
  null,
2957
- null
3024
+ null,
2958
3025
  ).toString();
2959
3026
  p.purl = purlString;
2960
3027
  p["bom-ref"] = decodeURIComponent(purlString);
@@ -3103,7 +3170,7 @@ export async function parsePoetrylockData(lockData, lockFile) {
3103
3170
  pkg.name,
3104
3171
  pkg.version,
3105
3172
  null,
3106
- null
3173
+ null,
3107
3174
  ).toString();
3108
3175
  pkg.purl = purlString;
3109
3176
  pkg["bom-ref"] = decodeURIComponent(purlString);
@@ -3115,10 +3182,10 @@ export async function parsePoetrylockData(lockData, lockFile) {
3115
3182
  {
3116
3183
  technique: "manifest-analysis",
3117
3184
  confidence: 1,
3118
- value: lockFile
3119
- }
3120
- ]
3121
- }
3185
+ value: lockFile,
3186
+ },
3187
+ ],
3188
+ },
3122
3189
  };
3123
3190
  // This would help look
3124
3191
  if (!existingPkgMap[pkg.name.toLowerCase()]) {
@@ -3177,13 +3244,13 @@ export async function parsePoetrylockData(lockData, lockFile) {
3177
3244
  }
3178
3245
  dependenciesList.push({
3179
3246
  ref: key,
3180
- dependsOn: dependsOnList
3247
+ dependsOn: dependsOnList,
3181
3248
  });
3182
3249
  }
3183
3250
  return {
3184
3251
  pkgList,
3185
3252
  rootList: pkgList,
3186
- dependenciesList
3253
+ dependenciesList,
3187
3254
  };
3188
3255
  }
3189
3256
 
@@ -3241,14 +3308,14 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
3241
3308
  const apkg = {
3242
3309
  name,
3243
3310
  version: versionStr,
3244
- scope: compScope
3311
+ scope: compScope,
3245
3312
  };
3246
3313
  if (markers) {
3247
3314
  apkg.properties = [
3248
3315
  {
3249
3316
  name: "cdx:pip:markers",
3250
- value: markers
3251
- }
3317
+ value: markers,
3318
+ },
3252
3319
  ];
3253
3320
  }
3254
3321
  pkgList.push(apkg);
@@ -3266,9 +3333,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
3266
3333
  properties: [
3267
3334
  {
3268
3335
  name: "cdx:pypi:versionSpecifiers",
3269
- value: versionSpecifiers
3270
- }
3271
- ]
3336
+ value: versionSpecifiers,
3337
+ },
3338
+ ],
3272
3339
  });
3273
3340
  }
3274
3341
  } else if (/[>|[|@]/.test(l)) {
@@ -3287,9 +3354,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
3287
3354
  properties: [
3288
3355
  {
3289
3356
  name: "cdx:pypi:versionSpecifiers",
3290
- value: versionSpecifiers
3291
- }
3292
- ]
3357
+ value: versionSpecifiers,
3358
+ },
3359
+ ],
3293
3360
  });
3294
3361
  }
3295
3362
  }
@@ -3310,9 +3377,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
3310
3377
  properties: [
3311
3378
  {
3312
3379
  name: "cdx:pypi:versionSpecifiers",
3313
- value: versionSpecifiers
3314
- }
3315
- ]
3380
+ value: versionSpecifiers,
3381
+ },
3382
+ ],
3316
3383
  });
3317
3384
  }
3318
3385
  } else if (!l.includes(" ")) {
@@ -3326,9 +3393,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
3326
3393
  properties: [
3327
3394
  {
3328
3395
  name: "cdx:pypi:versionSpecifiers",
3329
- value: versionSpecifiers
3330
- }
3331
- ]
3396
+ value: versionSpecifiers,
3397
+ },
3398
+ ],
3332
3399
  });
3333
3400
  }
3334
3401
  }
@@ -3350,7 +3417,7 @@ export async function getPyModules(src, epkgList, options) {
3350
3417
  const dependenciesList = [];
3351
3418
  let modList = [];
3352
3419
  const slicesFile = resolve(
3353
- options.depsSlicesFile || options.usagesSlicesFile
3420
+ options.depsSlicesFile || options.usagesSlicesFile,
3354
3421
  );
3355
3422
  // Issue: 615 fix. Reuse existing slices file
3356
3423
  if (slicesFile && existsSync(slicesFile)) {
@@ -3368,7 +3435,7 @@ export async function getPyModules(src, epkgList, options) {
3368
3435
  (x) =>
3369
3436
  !pyDefaultModules.has(x.name.toLowerCase()) &&
3370
3437
  !x.name.startsWith("_") &&
3371
- !x.name.startsWith(".")
3438
+ !x.name.startsWith("."),
3372
3439
  );
3373
3440
  let pkgList = modList.map((p) => {
3374
3441
  const apkg = {
@@ -3381,20 +3448,20 @@ export async function getPyModules(src, epkgList, options) {
3381
3448
  properties: [
3382
3449
  {
3383
3450
  name: "cdx:pypi:versionSpecifiers",
3384
- value: p.versionSpecifiers
3385
- }
3386
- ]
3451
+ value: p.versionSpecifiers,
3452
+ },
3453
+ ],
3387
3454
  };
3388
3455
  if (p.importedSymbols) {
3389
3456
  apkg.properties.push({
3390
3457
  name: "ImportedModules",
3391
- value: p.importedSymbols
3458
+ value: p.importedSymbols,
3392
3459
  });
3393
3460
  }
3394
3461
  return apkg;
3395
3462
  });
3396
3463
  pkgList = pkgList.filter(
3397
- (obj, index) => pkgList.findIndex((i) => i.name === obj.name) === index
3464
+ (obj, index) => pkgList.findIndex((i) => i.name === obj.name) === index,
3398
3465
  );
3399
3466
  if (epkgList && epkgList.length) {
3400
3467
  const pkgMaps = epkgList.map((p) => p.name);
@@ -3411,7 +3478,7 @@ export async function getPyModules(src, epkgList, options) {
3411
3478
  if (p.version) {
3412
3479
  dependenciesList.push({
3413
3480
  ref: `pkg:pypi/${p.name.replace(/_/g, "-")}@${p.version}`.toLowerCase(),
3414
- dependsOn: []
3481
+ dependsOn: [],
3415
3482
  });
3416
3483
  }
3417
3484
  }
@@ -3496,7 +3563,7 @@ export function toGitHubApiUrl(repoUrl, repoMetadata) {
3496
3563
  } else {
3497
3564
  return repoMetadataToGitHubApiUrl({
3498
3565
  group: parts[3],
3499
- name: parts[4]
3566
+ name: parts[4],
3500
3567
  });
3501
3568
  }
3502
3569
  }
@@ -3520,18 +3587,18 @@ export async function getRepoLicense(repoUrl, repoMetadata) {
3520
3587
  try {
3521
3588
  const res = await cdxgenAgent.get(licenseUrl, {
3522
3589
  responseType: "json",
3523
- headers: headers
3590
+ headers: headers,
3524
3591
  });
3525
3592
  if (res && res.body) {
3526
3593
  const license = res.body.license;
3527
3594
  let licenseId = license.spdx_id;
3528
3595
  const licObj = {
3529
- url: res.body.html_url
3596
+ url: res.body.html_url,
3530
3597
  };
3531
3598
  if (license.spdx_id === "NOASSERTION") {
3532
3599
  if (res.body.content) {
3533
3600
  const content = Buffer.from(res.body.content, "base64").toString(
3534
- "ascii"
3601
+ "ascii",
3535
3602
  );
3536
3603
  licenseId = guessLicenseId(content);
3537
3604
  }
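Review bot: `Buffer.from(res.body.content, "base64").toString("ascii")` in this hunk decodes the GitHub contents payload as ASCII, which in Node clears the high bit of every byte, so a non-ASCII character in a LICENSE file (a `©` sign, an accented author name) is turned into unrelated ASCII bytes before `guessLicenseId` sees the text. The bytes GitHub base64-encodes are the raw file, and license texts are in practice UTF-8, so the call should read `.toString("utf8")`; the licence-id guess is keyword based and will usually still match, but there is no reason to feed it a corrupted string. getRepoLicense continues outside this hunk on both sides, including the error branches.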
@@ -3555,7 +3622,7 @@ export async function getRepoLicense(repoUrl, repoMetadata) {
3555
3622
  console.log(
3556
3623
  "Rate limit exceeded for REST API of github.com. " +
3557
3624
  "Please ensure GITHUB_TOKEN is set as environment variable. " +
3558
- "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api"
3625
+ "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api",
3559
3626
  );
3560
3627
  get_repo_license_errors++;
3561
3628
  } else if (!err.message.includes("404")) {
@@ -3629,12 +3696,12 @@ export async function getGoPkgComponent(group, name, version, hash) {
3629
3696
  if (FETCH_LICENSE) {
3630
3697
  if (DEBUG_MODE) {
3631
3698
  console.log(
3632
- `About to fetch go package license information for ${group}:${name}`
3699
+ `About to fetch go package license information for ${group}:${name}`,
3633
3700
  );
3634
3701
  }
3635
3702
  license = await getGoPkgLicense({
3636
3703
  group: group,
3637
- name: name
3704
+ name: name,
3638
3705
  });
3639
3706
  }
3640
3707
  // By replacing %2F with /, we make the purl compatible with the spec.
@@ -3648,7 +3715,7 @@ export async function getGoPkgComponent(group, name, version, hash) {
3648
3715
  _integrity: hash,
3649
3716
  license: license,
3650
3717
  purl: purlString,
3651
- "bom-ref": decodeURIComponent(purlString)
3718
+ "bom-ref": decodeURIComponent(purlString),
3652
3719
  };
3653
3720
  return pkg;
3654
3721
  }
@@ -3702,7 +3769,7 @@ export async function parseGoModData(goModData, gosumMap) {
3702
3769
  "",
3703
3770
  tmpA[0],
3704
3771
  version,
3705
- gosumHash
3772
+ gosumHash,
3706
3773
  );
3707
3774
  pkgComponentsList.push(component);
3708
3775
  } else {
@@ -3718,7 +3785,7 @@ export async function parseGoModData(goModData, gosumMap) {
3718
3785
  "",
3719
3786
  tmpA[2],
3720
3787
  version,
3721
- gosumHash
3788
+ gosumHash,
3722
3789
  );
3723
3790
  pkgComponentsList.push(component);
3724
3791
  }
@@ -3741,7 +3808,7 @@ export async function parseGoListDep(rawOutput, gosumMap) {
3741
3808
  const keys_cache = {};
3742
3809
  const pkgs = rawOutput.split("\n");
3743
3810
  for (const l of pkgs) {
3744
- const verArr = l.trim().replace(new RegExp("[\"']", "g"), "").split(" ");
3811
+ const verArr = l.trim().replace(/[\"']/g, "").split(" ");
3745
3812
 
3746
3813
  if (verArr && verArr.length >= 5) {
3747
3814
  const key = verArr[0] + "-" + verArr[1];
@@ -3754,7 +3821,7 @@ export async function parseGoListDep(rawOutput, gosumMap) {
3754
3821
  "",
3755
3822
  verArr[0],
3756
3823
  version,
3757
- gosumHash
3824
+ gosumHash,
3758
3825
  );
3759
3826
  if (verArr[2] === "false") {
3760
3827
  component.scope = "required";
@@ -3764,12 +3831,12 @@ export async function parseGoListDep(rawOutput, gosumMap) {
3764
3831
  component.properties = [
3765
3832
  {
3766
3833
  name: "SrcGoMod",
3767
- value: verArr[3] || ""
3834
+ value: verArr[3] || "",
3768
3835
  },
3769
3836
  {
3770
3837
  name: "ModuleGoVersion",
3771
- value: verArr[4] || ""
3772
- }
3838
+ value: verArr[4] || "",
3839
+ },
3773
3840
  ];
3774
3841
  if (verArr.length > 5 && verArr[5] === "true") {
3775
3842
  parentComponent = component;
@@ -3782,7 +3849,7 @@ export async function parseGoListDep(rawOutput, gosumMap) {
3782
3849
  }
3783
3850
  return {
3784
3851
  parentComponent,
3785
- pkgList: deps
3852
+ pkgList: deps,
3786
3853
  };
3787
3854
  }
3788
3855
 
@@ -3795,17 +3862,17 @@ function _addGoComponentEvidence(component, goModFile) {
3795
3862
  {
3796
3863
  technique: "manifest-analysis",
3797
3864
  confidence: 1,
3798
- value: goModFile
3799
- }
3800
- ]
3801
- }
3865
+ value: goModFile,
3866
+ },
3867
+ ],
3868
+ },
3802
3869
  };
3803
3870
  if (!component.properties) {
3804
3871
  component.properties = [];
3805
3872
  }
3806
3873
  component.properties.push({
3807
3874
  name: "SrcFile",
3808
- value: goModFile
3875
+ value: goModFile,
3809
3876
  });
3810
3877
  return component;
3811
3878
  }
@@ -3825,7 +3892,7 @@ export async function parseGoModGraph(
3825
3892
  goModFile,
3826
3893
  gosumMap,
3827
3894
  epkgList = [],
3828
- parentComponent = {}
3895
+ parentComponent = {},
3829
3896
  ) {
3830
3897
  const pkgList = [];
3831
3898
  const dependenciesList = [];
@@ -3870,7 +3937,7 @@ export async function parseGoModGraph(
3870
3937
  sourcePurl.name
3871
3938
  }`,
3872
3939
  sourcePurl.version,
3873
- gosumMap[tmpA[0]]
3940
+ gosumMap[tmpA[0]],
3874
3941
  );
3875
3942
  pkgList.push(_addGoComponentEvidence(component, goModFile));
3876
3943
  addedPkgs[tmpA[0]] = true;
@@ -3882,7 +3949,7 @@ export async function parseGoModGraph(
3882
3949
  dependsPurl.name
3883
3950
  }`,
3884
3951
  dependsPurl.version,
3885
- gosumMap[tmpA[1]]
3952
+ gosumMap[tmpA[1]],
3886
3953
  );
3887
3954
  pkgList.push(component);
3888
3955
  addedPkgs[tmpA[1]] = true;
@@ -3903,7 +3970,7 @@ export async function parseGoModGraph(
3903
3970
  for (const adep of Object.keys(depsMap).sort()) {
3904
3971
  dependenciesList.push({
3905
3972
  ref: adep,
3906
- dependsOn: Array.from(depsMap[adep]).sort()
3973
+ dependsOn: Array.from(depsMap[adep]).sort(),
3907
3974
  });
3908
3975
  }
3909
3976
  return { pkgList, dependenciesList };
@@ -3951,12 +4018,12 @@ export async function parseGosumData(gosumData) {
3951
4018
  if (FETCH_LICENSE) {
3952
4019
  if (DEBUG_MODE) {
3953
4020
  console.log(
3954
- `About to fetch go package license information for ${name}`
4021
+ `About to fetch go package license information for ${name}`,
3955
4022
  );
3956
4023
  }
3957
4024
  license = await getGoPkgLicense({
3958
4025
  group: "",
3959
- name: name
4026
+ name: name,
3960
4027
  });
3961
4028
  }
3962
4029
  pkgList.push({
@@ -3964,7 +4031,7 @@ export async function parseGosumData(gosumData) {
3964
4031
  name: name,
3965
4032
  version: version,
3966
4033
  _integrity: hash,
3967
- license: license
4034
+ license: license,
3968
4035
  });
3969
4036
  }
3970
4037
  }
@@ -4003,7 +4070,7 @@ export async function parseGopkgData(gopkgData) {
4003
4070
  if (FETCH_LICENSE) {
4004
4071
  pkg.license = await getGoPkgLicense({
4005
4072
  group: pkg.group,
4006
- name: pkg.name
4073
+ name: pkg.name,
4007
4074
  });
4008
4075
  }
4009
4076
  break;
@@ -4055,7 +4122,7 @@ export const RUBY_PLATFORM_PREFIXES = [
4055
4122
  "-ruby",
4056
4123
  "-universal",
4057
4124
  "-java",
4058
- "-truffle"
4125
+ "-truffle",
4059
4126
  ];
4060
4127
 
4061
4128
  /**
@@ -4085,11 +4152,11 @@ export async function getRubyGemsMetadata(pkgList) {
4085
4152
  process.env.RUBYGEMS_V1_URL || "https://rubygems.org/api/v1/gems/";
4086
4153
  const rdepList = [];
4087
4154
  const apiOptions = {
4088
- responseType: "json"
4155
+ responseType: "json",
4089
4156
  };
4090
4157
  if (process.env.GEM_HOST_API_KEY) {
4091
4158
  apiOptions.headers = {
4092
- Authorization: process.env.GEM_HOST_API_KEY
4159
+ Authorization: process.env.GEM_HOST_API_KEY,
4093
4160
  };
4094
4161
  }
4095
4162
  for (const p of pkgList) {
@@ -4099,7 +4166,7 @@ export async function getRubyGemsMetadata(pkgList) {
4099
4166
  }
4100
4167
  const fullUrl = p.version
4101
4168
  ? `${RUBYGEMS_V2_URL}${p.name}/versions/${simplifyRubyVersion(
4102
- p.version
4169
+ p.version,
4103
4170
  )}.json`
4104
4171
  : `${RUBYGEMS_V1_URL}${p.name}.json`;
4105
4172
  const res = await cdxgenAgent.get(fullUrl, apiOptions);
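Review bot: `p.name` is interpolated raw into both registry URLs in this hunk (`${RUBYGEMS_V2_URL}${p.name}/versions/…` and `${RUBYGEMS_V1_URL}${p.name}.json`), so a name containing `/`, `?`, `#` or `..` would change which path on the registry host is requested, and each of these requests carries the `Authorization: GEM_HOST_API_KEY` header that the function attaches to `apiOptions` when the variable is set. Whether the Gemfile and lockfile parsers feeding `pkgList` restrict gem names to the registry's `[A-Za-z0-9_.-]` alphabet is not visible here; if they do not, encoding the name is a cheap guard: use `encodeURIComponent(p.name)` in both template strings. The loop body and response handling continue past this hunk.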
@@ -4137,31 +4204,31 @@ export async function getRubyGemsMetadata(pkgList) {
4137
4204
  if (!platformPresent && body.platform && body.platform !== "ruby") {
4138
4205
  p.properties.push({
4139
4206
  name: "cdx:gem:platform",
4140
- value: body.platform
4207
+ value: body.platform,
4141
4208
  });
4142
4209
  }
4143
4210
  if (body.ruby_version) {
4144
4211
  p.properties.push({
4145
4212
  name: "cdx:gem:rubyVersionSpecifiers",
4146
- value: body.ruby_version
4213
+ value: body.ruby_version,
4147
4214
  });
4148
4215
  }
4149
4216
  if (body.gem_uri) {
4150
4217
  p.properties.push({
4151
4218
  name: "cdx:gem:gemUri",
4152
- value: body.gem_uri
4219
+ value: body.gem_uri,
4153
4220
  });
4154
4221
  }
4155
4222
  if (body.yanked) {
4156
4223
  p.properties.push({
4157
4224
  name: "cdx:gem:yanked",
4158
- value: "" + body.yanked
4225
+ value: "" + body.yanked,
4159
4226
  });
4160
4227
  }
4161
4228
  if (body.prerelease) {
4162
4229
  p.properties.push({
4163
4230
  name: "cdx:gem:prerelease",
4164
- value: "" + body.prerelease
4231
+ value: "" + body.prerelease,
4165
4232
  });
4166
4233
  }
4167
4234
  // Use the latest version if none specified
@@ -4378,7 +4445,7 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
4378
4445
  name,
4379
4446
  version,
4380
4447
  null,
4381
- null
4448
+ null,
4382
4449
  ).toString();
4383
4450
  const bomRef = decodeURIComponent(purlString);
4384
4451
  if (level === 1) {
@@ -4388,37 +4455,37 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
4388
4455
  const properties = [
4389
4456
  {
4390
4457
  name: "SrcFile",
4391
- value: lockFile
4392
- }
4458
+ value: lockFile,
4459
+ },
4393
4460
  ];
4394
4461
  if (lastRemote) {
4395
4462
  properties.push({
4396
4463
  name: "cdx:gem:remote",
4397
- value: lastRemote
4464
+ value: lastRemote,
4398
4465
  });
4399
4466
  }
4400
4467
  if (lastRevision) {
4401
4468
  properties.push({
4402
4469
  name: "cdx:gem:remoteRevision",
4403
- value: lastRevision
4470
+ value: lastRevision,
4404
4471
  });
4405
4472
  }
4406
4473
  if (lastBranch) {
4407
4474
  properties.push({
4408
4475
  name: "cdx:gem:remoteBranch",
4409
- value: lastBranch
4476
+ value: lastBranch,
4410
4477
  });
4411
4478
  }
4412
4479
  if (lastTag) {
4413
4480
  properties.push({
4414
4481
  name: "cdx:gem:remoteTag",
4415
- value: lastTag
4482
+ value: lastTag,
4416
4483
  });
4417
4484
  }
4418
4485
  if (lastParentPlatform) {
4419
4486
  properties.push({
4420
4487
  name: "cdx:gem:platform",
4421
- value: lastParentPlatform
4488
+ value: lastParentPlatform,
4422
4489
  });
4423
4490
  }
4424
4491
  const apkg = {
@@ -4435,11 +4502,11 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
4435
4502
  {
4436
4503
  technique: "manifest-analysis",
4437
4504
  confidence: 0.8,
4438
- value: lockFile
4439
- }
4440
- ]
4441
- }
4442
- }
4505
+ value: lockFile,
4506
+ },
4507
+ ],
4508
+ },
4509
+ },
4443
4510
  };
4444
4511
  if (lastParent && lastParent !== bomRef) {
4445
4512
  if (!dependenciesMap[lastParent]) {
@@ -4460,7 +4527,7 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
4460
4527
  for (const k of Object.keys(dependenciesMap)) {
4461
4528
  dependenciesList.push({
4462
4529
  ref: k,
4463
- dependsOn: Array.from(dependenciesMap[k])
4530
+ dependsOn: Array.from(dependenciesMap[k]),
4464
4531
  });
4465
4532
  }
4466
4533
  if (FETCH_LICENSE) {
@@ -4484,7 +4551,7 @@ export async function getCratesMetadata(pkgList) {
4484
4551
  console.log(`Querying crates.io for ${p.name}`);
4485
4552
  }
4486
4553
  const res = await cdxgenAgent.get(CRATES_URL + p.name, {
4487
- responseType: "json"
4554
+ responseType: "json",
4488
4555
  });
4489
4556
  const body = res.body.crate;
4490
4557
  p.description = body.description;
@@ -4531,8 +4598,8 @@ export async function getDartMetadata(pkgList) {
4531
4598
  const res = await cdxgenAgent.get(PUB_PACKAGES_URL + p.name, {
4532
4599
  responseType: RESPONSE_TYPE,
4533
4600
  headers: {
4534
- Accept: HEADER_ACCEPT
4535
- }
4601
+ Accept: HEADER_ACCEPT,
4602
+ },
4536
4603
  });
4537
4604
  if (res && res.body) {
4538
4605
  const version = res.body.versions.find((v) => p.version === v.version);
@@ -4550,9 +4617,9 @@ export async function getDartMetadata(pkgList) {
4550
4617
  {
4551
4618
  responseType: RESPONSE_TYPE,
4552
4619
  headers: {
4553
- Accept: HEADER_ACCEPT
4554
- }
4555
- }
4620
+ Accept: HEADER_ACCEPT,
4621
+ },
4622
+ },
4556
4623
  );
4557
4624
  if (res2 && res2.body) {
4558
4625
  const tags = res2.body.tags;
@@ -4561,7 +4628,7 @@ export async function getDartMetadata(pkgList) {
4561
4628
  p.license = spdxLicenses.find(
4562
4629
  (spdxLicense) =>
4563
4630
  spdxLicense.toLowerCase() ===
4564
- license.replace(PUB_LICENSE_REGEX, "").toLowerCase()
4631
+ license.replace(PUB_LICENSE_REGEX, "").toLowerCase(),
4565
4632
  );
4566
4633
  }
4567
4634
  }
@@ -4606,8 +4673,8 @@ export async function parseCargoTomlData(cargoTomlFile, simple = false) {
4606
4673
  pkg.properties = [
4607
4674
  {
4608
4675
  name: "SrcFile",
4609
- value: cargoTomlFile
4610
- }
4676
+ value: cargoTomlFile,
4677
+ },
4611
4678
  ];
4612
4679
  pkg.evidence = {
4613
4680
  identity: {
@@ -4617,10 +4684,10 @@ export async function parseCargoTomlData(cargoTomlFile, simple = false) {
4617
4684
  {
4618
4685
  technique: "manifest-analysis",
4619
4686
  confidence: 0.5,
4620
- value: cargoTomlFile
4621
- }
4622
- ]
4623
- }
4687
+ value: cargoTomlFile,
4688
+ },
4689
+ ],
4690
+ },
4624
4691
  };
4625
4692
  }
4626
4693
  const ppurl = new PackageURL(
@@ -4629,7 +4696,7 @@ export async function parseCargoTomlData(cargoTomlFile, simple = false) {
4629
4696
  pkg.name,
4630
4697
  pkg.version,
4631
4698
  null,
4632
- null
4699
+ null,
4633
4700
  ).toString();
4634
4701
  pkg.purl = ppurl;
4635
4702
  pkg["bom-ref"] = decodeURIComponent(ppurl);
@@ -4675,7 +4742,7 @@ export async function parseCargoTomlData(cargoTomlFile, simple = false) {
4675
4742
  // component unreliable.
4676
4743
  if (l.startsWith("[workspace]") && DEBUG_MODE) {
4677
4744
  console.log(
4678
- `Found [workspace] section in ${cargoTomlFile}. Workspaces are currently not fully supported. Verify that the parent component is correct.`
4745
+ `Found [workspace] section in ${cargoTomlFile}. Workspaces are currently not fully supported. Verify that the parent component is correct.`,
4679
4746
  );
4680
4747
  }
4681
4748
 
@@ -4742,8 +4809,8 @@ export async function parseCargoTomlData(cargoTomlFile, simple = false) {
4742
4809
  version = tmpA[1];
4743
4810
  }
4744
4811
  if (name && version) {
4745
- name = name.replace(new RegExp("[\"']", "g"), "");
4746
- version = version.replace(new RegExp("[\"']", "g"), "");
4812
+ name = name.replace(/[\"']/g, "");
4813
+ version = version.replace(/[\"']/g, "");
4747
4814
  const apkg = { name, version };
4748
4815
  addPackageToList(pkgList, apkg, { packageMode, simple });
4749
4816
  }
@@ -4779,7 +4846,7 @@ export async function parseCargoData(cargoLockFile, simple = false) {
4779
4846
  newPackage.name,
4780
4847
  newPackage.version,
4781
4848
  null,
4782
- null
4849
+ null,
4783
4850
  ).toString();
4784
4851
  const component = {
4785
4852
  type: "library",
@@ -4787,15 +4854,15 @@ export async function parseCargoData(cargoLockFile, simple = false) {
4787
4854
  "bom-ref": purl,
4788
4855
  purl: purl,
4789
4856
  name: newPackage.name,
4790
- version: newPackage.version
4857
+ version: newPackage.version,
4791
4858
  };
4792
4859
 
4793
4860
  if (newPackage._integrity) {
4794
4861
  component.hashes = [
4795
4862
  {
4796
4863
  alg: "SHA-384",
4797
- content: pkg._integrity
4798
- }
4864
+ content: pkg._integrity,
4865
+ },
4799
4866
  ];
4800
4867
  }
4801
4868
 
@@ -4815,18 +4882,18 @@ export async function parseCargoData(cargoLockFile, simple = false) {
4815
4882
  {
4816
4883
  technique: "manifest-analysis",
4817
4884
  confidence: 0.6,
4818
- value: cargoLockFile
4819
- }
4820
- ]
4821
- }
4885
+ value: cargoLockFile,
4886
+ },
4887
+ ],
4888
+ },
4822
4889
  };
4823
4890
 
4824
4891
  // Evidence information for CyclondDX specification version < 1.5.
4825
4892
  component.properties = [
4826
4893
  {
4827
4894
  name: "SrcFile",
4828
- value: cargoLockFile
4829
- }
4895
+ value: cargoLockFile,
4896
+ },
4830
4897
  ];
4831
4898
  }
4832
4899
  packageList.push(component);
@@ -4910,7 +4977,7 @@ export function parseCargoDependencyData(cargoLockData) {
4910
4977
 
4911
4978
  const purlFromPackageInfo = (pkg) =>
4912
4979
  decodeURIComponent(
4913
- new PackageURL("cargo", "", pkg.name, pkg.version, null, null).toString()
4980
+ new PackageURL("cargo", "", pkg.name, pkg.version, null, null).toString(),
4914
4981
  );
4915
4982
 
4916
4983
  // The dependency list may appear as a single-line list:
@@ -4950,7 +5017,7 @@ export function parseCargoDependencyData(cargoLockData) {
4950
5017
  const [name, version] = dependencyName.split(" ");
4951
5018
  return {
4952
5019
  name,
4953
- version
5020
+ version,
4954
5021
  };
4955
5022
  })
4956
5023
  );
@@ -4991,7 +5058,7 @@ export function parseCargoDependencyData(cargoLockData) {
4991
5058
  if (!pkg.dependencies) {
4992
5059
  return {
4993
5060
  ref: purlFromPackageInfo(pkg),
4994
- dependsOn: []
5061
+ dependsOn: [],
4995
5062
  };
4996
5063
  }
4997
5064
  return {
@@ -5013,7 +5080,7 @@ export function parseCargoDependencyData(cargoLockData) {
5013
5080
  // and continue.
5014
5081
  if (DEBUG_MODE) {
5015
5082
  console.warn(
5016
- `The package "${dependency.name}" appears as a dependency to "${pkg.name}" but is not itself listed in the Cargo.lock-file. The Cargo.lock-file is invalid! The produced SBOM will not list ${dependency.name} as a dependency.`
5083
+ `The package "${dependency.name}" appears as a dependency to "${pkg.name}" but is not itself listed in the Cargo.lock-file. The Cargo.lock-file is invalid! The produced SBOM will not list ${dependency.name} as a dependency.`,
5017
5084
  );
5018
5085
  }
5019
5086
  return undefined;
@@ -5023,7 +5090,7 @@ export function parseCargoDependencyData(cargoLockData) {
5023
5090
  // version known from the package table.
5024
5091
  return purlFromPackageInfo(lockfileInventory[dependency.name]);
5025
5092
  })
5026
- .filter((pkg) => pkg) // Filter undefined entries, which should only happen when packages listed as a dependency are not defined as packages.
5093
+ .filter((pkg) => pkg), // Filter undefined entries, which should only happen when packages listed as a dependency are not defined as packages.
5027
5094
  };
5028
5095
  });
5029
5096
  }
@@ -5046,7 +5113,7 @@ export async function parseCargoAuditableData(cargoData) {
5046
5113
  pkgList.push({
5047
5114
  group,
5048
5115
  name,
5049
- version
5116
+ version,
5050
5117
  });
5051
5118
  }
5052
5119
  });
@@ -5072,7 +5139,7 @@ export async function parsePubLockData(pubLockData) {
5072
5139
  }
5073
5140
  if (l.startsWith(" ") && !l.startsWith(" ")) {
5074
5141
  pkg = {
5075
- name: l.trim().replace(":", "")
5142
+ name: l.trim().replace(":", ""),
5076
5143
  };
5077
5144
  }
5078
5145
  if (l.startsWith(" ")) {
@@ -5112,7 +5179,7 @@ export function parsePubYamlData(pubYamlData) {
5112
5179
  name: yamlObj.name,
5113
5180
  description: yamlObj.description,
5114
5181
  version: yamlObj.version,
5115
- homepage: { url: yamlObj.homepage }
5182
+ homepage: { url: yamlObj.homepage },
5116
5183
  });
5117
5184
  return pkgList;
5118
5185
  }
@@ -5132,7 +5199,7 @@ export function parseHelmYamlData(helmData) {
5132
5199
  const pkg = {
5133
5200
  name: yamlObj.name,
5134
5201
  description: yamlObj.description || "",
5135
- version: yamlObj.version
5202
+ version: yamlObj.version,
5136
5203
  };
5137
5204
  if (yamlObj.home) {
5138
5205
  pkg["homepage"] = { url: yamlObj.home };
@@ -5143,7 +5210,7 @@ export function parseHelmYamlData(helmData) {
5143
5210
  for (const hd of yamlObj.dependencies) {
5144
5211
  const pkg = {
5145
5212
  name: hd.name,
5146
- version: hd.version // This could have * so not precise
5213
+ version: hd.version, // This could have * so not precise
5147
5214
  };
5148
5215
  if (hd.repository) {
5149
5216
  pkg["repository"] = { url: hd.repository };
@@ -5159,7 +5226,7 @@ export function parseHelmYamlData(helmData) {
5159
5226
  const pkg = {
5160
5227
  name: hd.name,
5161
5228
  version: hd.version,
5162
- description: hd.description || ""
5229
+ description: hd.description || "",
5163
5230
  };
5164
5231
  if (hd.sources && Array.isArray(hd.sources) && hd.sources.length) {
5165
5232
  pkg["repository"] = { url: hd.sources[0] };
@@ -5265,14 +5332,14 @@ export function parseContainerFile(fileContents) {
5265
5332
  if (buildStageNames.includes(imageStatement)) {
5266
5333
  if (DEBUG_MODE) {
5267
5334
  console.log(
5268
- `Skipping image ${imageStatement} which uses previously seen build stage name.`
5335
+ `Skipping image ${imageStatement} which uses previously seen build stage name.`,
5269
5336
  );
5270
5337
  }
5271
5338
  continue;
5272
5339
  }
5273
5340
 
5274
5341
  imgList.push({
5275
- image: imageStatement
5342
+ image: imageStatement,
5276
5343
  });
5277
5344
 
5278
5345
  if (buildStageName) {
@@ -5300,7 +5367,7 @@ export function parseBitbucketPipelinesFile(fileContents) {
5300
5367
  const imageName = line.split("name:").pop().trim();
5301
5368
 
5302
5369
  imgList.push({
5303
- image: imageName
5370
+ image: imageName,
5304
5371
  });
5305
5372
 
5306
5373
  privateImageBlockFound = false;
@@ -5324,7 +5391,7 @@ export function parseBitbucketPipelinesFile(fileContents) {
5324
5391
  */
5325
5392
 
5326
5393
  imgList.push({
5327
- image: imageName
5394
+ image: imageName,
5328
5395
  });
5329
5396
  }
5330
5397
  }
@@ -5338,7 +5405,7 @@ export function parseBitbucketPipelinesFile(fileContents) {
5338
5405
  }
5339
5406
 
5340
5407
  imgList.push({
5341
- image: pipeName
5408
+ image: pipeName,
5342
5409
  });
5343
5410
  }
5344
5411
  }
@@ -5369,23 +5436,23 @@ export function parseContainerSpecData(dcData) {
5369
5436
  if (yamlObj.services) {
5370
5437
  for (const serv of Object.keys(yamlObj.services)) {
5371
5438
  pkgList.push({
5372
- service: serv
5439
+ service: serv,
5373
5440
  });
5374
5441
  const aservice = yamlObj.services[serv];
5375
5442
  // Track locally built images
5376
5443
  if (aservice.build) {
5377
5444
  if (Object.keys(aservice.build).length && aservice.build.dockerfile) {
5378
5445
  pkgList.push({
5379
- ociSpec: aservice.build.dockerfile
5446
+ ociSpec: aservice.build.dockerfile,
5380
5447
  });
5381
5448
  } else {
5382
5449
  if (aservice.build === "." || aservice.build === "./") {
5383
5450
  pkgList.push({
5384
- ociSpec: "Dockerfile"
5451
+ ociSpec: "Dockerfile",
5385
5452
  });
5386
5453
  } else {
5387
5454
  pkgList.push({
5388
- ociSpec: aservice.build
5455
+ ociSpec: aservice.build,
5389
5456
  });
5390
5457
  }
5391
5458
  }
@@ -5398,7 +5465,7 @@ export function parseContainerSpecData(dcData) {
5398
5465
  .replace("}", "");
5399
5466
  }
5400
5467
  pkgList.push({
5401
- image: imgFullName
5468
+ image: imgFullName,
5402
5469
  });
5403
5470
  imgList.push(imgFullName);
5404
5471
  }
@@ -5433,7 +5500,7 @@ function convertProcessing(processing_list) {
5433
5500
  for (const p of processing_list) {
5434
5501
  data_list.push({
5435
5502
  classification: p.sourceId || p.sinkId,
5436
- flow: identifyFlow(p)
5503
+ flow: identifyFlow(p),
5437
5504
  });
5438
5505
  }
5439
5506
  return data_list;
@@ -5450,42 +5517,42 @@ export function parsePrivadoFile(f) {
5450
5517
  "x-trust-boundary": false,
5451
5518
  properties: [],
5452
5519
  data: [],
5453
- endpoints: []
5520
+ endpoints: [],
5454
5521
  };
5455
5522
  if (jsonData.repoName) {
5456
5523
  aservice.name = jsonData.repoName;
5457
5524
  aservice.properties = [
5458
5525
  {
5459
5526
  name: "SrcFile",
5460
- value: f
5461
- }
5527
+ value: f,
5528
+ },
5462
5529
  ];
5463
5530
  // Capture git metadata info
5464
5531
  if (jsonData.gitMetadata) {
5465
5532
  aservice.version = jsonData.gitMetadata.commitId || "";
5466
5533
  aservice.properties.push({
5467
5534
  name: "privadoCoreVersion",
5468
- value: jsonData.privadoCoreVersion || ""
5535
+ value: jsonData.privadoCoreVersion || "",
5469
5536
  });
5470
5537
  aservice.properties.push({
5471
5538
  name: "privadoCLIVersion",
5472
- value: jsonData.privadoCLIVersion || ""
5539
+ value: jsonData.privadoCLIVersion || "",
5473
5540
  });
5474
5541
  aservice.properties.push({
5475
5542
  name: "localScanPath",
5476
- value: jsonData.localScanPath || ""
5543
+ value: jsonData.localScanPath || "",
5477
5544
  });
5478
5545
  }
5479
5546
  // Capture processing
5480
5547
  if (jsonData.processing && jsonData.processing.length) {
5481
5548
  aservice.data = aservice.data.concat(
5482
- convertProcessing(jsonData.processing)
5549
+ convertProcessing(jsonData.processing),
5483
5550
  );
5484
5551
  }
5485
5552
  // Capture sink processing
5486
5553
  if (jsonData.sinkProcessing && jsonData.sinkProcessing.length) {
5487
5554
  aservice.data = aservice.data.concat(
5488
- convertProcessing(jsonData.sinkProcessing)
5555
+ convertProcessing(jsonData.sinkProcessing),
5489
5556
  );
5490
5557
  }
5491
5558
  // Find endpoints
@@ -5507,7 +5574,7 @@ export function parsePrivadoFile(f) {
5507
5574
  for (const v of jsonData.violations) {
5508
5575
  aservice.properties.push({
5509
5576
  name: "privado_violations",
5510
- value: v.policyId
5577
+ value: v.policyId,
5511
5578
  });
5512
5579
  }
5513
5580
  }
@@ -5549,7 +5616,7 @@ export function parseOpenapiSpecData(oaData) {
5549
5616
  "bom-ref": `urn:service:${name}:${version}`,
5550
5617
  name,
5551
5618
  description: oaData.description || "",
5552
- version
5619
+ version,
5553
5620
  };
5554
5621
  let serverName = [];
5555
5622
  if (oaData.servers && oaData.servers.length && oaData.servers[0].url) {
@@ -5598,7 +5665,7 @@ export function parseCabalData(cabalData) {
5598
5665
  if (name && version) {
5599
5666
  pkgList.push({
5600
5667
  name,
5601
- version
5668
+ version,
5602
5669
  });
5603
5670
  }
5604
5671
  }
@@ -5624,7 +5691,7 @@ export function parseMixLockData(mixData) {
5624
5691
  if (name && version) {
5625
5692
  pkgList.push({
5626
5693
  name,
5627
- version
5694
+ version,
5628
5695
  });
5629
5696
  }
5630
5697
  }
@@ -5664,7 +5731,7 @@ export function parseGitHubWorkflowData(ghwData) {
5664
5731
  pkgList.push({
5665
5732
  group,
5666
5733
  name,
5667
- version
5734
+ version,
5668
5735
  });
5669
5736
  }
5670
5737
  }
@@ -5702,7 +5769,7 @@ export function parseCloudBuildData(cbwData) {
5702
5769
  pkgList.push({
5703
5770
  group,
5704
5771
  name,
5705
- version
5772
+ version,
5706
5773
  });
5707
5774
  }
5708
5775
  }
@@ -5738,13 +5805,13 @@ export function parseConanLockData(conanLockData) {
5738
5805
  tmpA[0],
5739
5806
  version,
5740
5807
  null,
5741
- null
5808
+ null,
5742
5809
  ).toString();
5743
5810
  pkgList.push({
5744
5811
  name: tmpA[0],
5745
5812
  version,
5746
5813
  purl: purlString,
5747
- "bom-ref": decodeURIComponent(purlString)
5814
+ "bom-ref": decodeURIComponent(purlString),
5748
5815
  });
5749
5816
  }
5750
5817
  }
@@ -5792,14 +5859,14 @@ export function parseConanData(conanData) {
5792
5859
  tmpA[0],
5793
5860
  version,
5794
5861
  qualifiers,
5795
- null
5862
+ null,
5796
5863
  ).toString();
5797
5864
  pkgList.push({
5798
5865
  name: tmpA[0],
5799
5866
  version,
5800
5867
  purl: purlString,
5801
5868
  "bom-ref": decodeURIComponent(purlString),
5802
- scope
5869
+ scope,
5803
5870
  });
5804
5871
  }
5805
5872
  }
@@ -5915,7 +5982,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
5915
5982
  spaces: 4,
5916
5983
  textKey: "_",
5917
5984
  attributesKey: "$",
5918
- commentKey: "value"
5985
+ commentKey: "value",
5919
5986
  }).package;
5920
5987
  } catch (e) {
5921
5988
  // If we are parsing with invalid encoding, unicode replacement character is used
@@ -5923,7 +5990,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
5923
5990
  console.log(`Unable to parse ${nupkgFile} in utf-8 mode`);
5924
5991
  } else {
5925
5992
  console.log(
5926
- "Unable to parse this package. Tried utf-8 and ucs2 encoding."
5993
+ "Unable to parse this package. Tried utf-8 and ucs2 encoding.",
5927
5994
  );
5928
5995
  }
5929
5996
  }
@@ -5937,8 +6004,8 @@ export function parseNuspecData(nupkgFile, nuspecData) {
5937
6004
  pkg.properties = [
5938
6005
  {
5939
6006
  name: "SrcFile",
5940
- value: nupkgFile
5941
- }
6007
+ value: nupkgFile,
6008
+ },
5942
6009
  ];
5943
6010
  pkg.evidence = {
5944
6011
  identity: {
@@ -5948,10 +6015,10 @@ export function parseNuspecData(nupkgFile, nuspecData) {
5948
6015
  {
5949
6016
  technique: "binary-analysis",
5950
6017
  confidence: 1,
5951
- value: nupkgFile
5952
- }
5953
- ]
5954
- }
6018
+ value: nupkgFile,
6019
+ },
6020
+ ],
6021
+ },
5955
6022
  };
5956
6023
  pkgList.push(pkg);
5957
6024
  return pkgList;
@@ -5968,7 +6035,7 @@ export function parseCsPkgData(pkgData) {
5968
6035
  spaces: 4,
5969
6036
  textKey: "_",
5970
6037
  attributesKey: "$",
5971
- commentKey: "value"
6038
+ commentKey: "value",
5972
6039
  }).packages;
5973
6040
  if (!packages || packages.length == 0) {
5974
6041
  return pkgList;
@@ -5995,7 +6062,7 @@ export function parseCsProjData(csProjData, projFile) {
5995
6062
  spaces: 4,
5996
6063
  textKey: "_",
5997
6064
  attributesKey: "$",
5998
- commentKey: "value"
6065
+ commentKey: "value",
5999
6066
  }).Project;
6000
6067
  if (!projects || projects.length == 0) {
6001
6068
  return pkgList;
@@ -6017,8 +6084,8 @@ export function parseCsProjData(csProjData, projFile) {
6017
6084
  pkg.properties = [
6018
6085
  {
6019
6086
  name: "SrcFile",
6020
- value: projFile
6021
- }
6087
+ value: projFile,
6088
+ },
6022
6089
  ];
6023
6090
  pkg.evidence = {
6024
6091
  identity: {
@@ -6028,10 +6095,10 @@ export function parseCsProjData(csProjData, projFile) {
6028
6095
  {
6029
6096
  technique: "manifest-analysis",
6030
6097
  confidence: 0.7,
6031
- value: projFile
6032
- }
6033
- ]
6034
- }
6098
+ value: projFile,
6099
+ },
6100
+ ],
6101
+ },
6035
6102
  };
6036
6103
  }
6037
6104
  pkgList.push(pkg);
@@ -6052,8 +6119,8 @@ export function parseCsProjData(csProjData, projFile) {
6052
6119
  pkg.properties = [
6053
6120
  {
6054
6121
  name: "SrcFile",
6055
- value: projFile
6056
- }
6122
+ value: projFile,
6123
+ },
6057
6124
  ];
6058
6125
  pkg.evidence = {
6059
6126
  identity: {
@@ -6063,10 +6130,10 @@ export function parseCsProjData(csProjData, projFile) {
6063
6130
  {
6064
6131
  technique: "manifest-analysis",
6065
6132
  confidence: 0.7,
6066
- value: projFile
6067
- }
6068
- ]
6069
- }
6133
+ value: projFile,
6134
+ },
6135
+ ],
6136
+ },
6070
6137
  };
6071
6138
  }
6072
6139
  pkgList.push(pkg);
@@ -6087,7 +6154,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6087
6154
  return {
6088
6155
  name: match[1],
6089
6156
  operator: match[2],
6090
- version: match[3]
6157
+ version: match[3],
6091
6158
  };
6092
6159
  } else {
6093
6160
  return null;
@@ -6111,7 +6178,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6111
6178
  csProjData.project.restore.projectName,
6112
6179
  csProjData.project.version || "latest",
6113
6180
  null,
6114
- null
6181
+ null,
6115
6182
  ).toString();
6116
6183
  rootPkg = {
6117
6184
  group: "",
@@ -6119,7 +6186,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6119
6186
  version: csProjData.project.version || "latest",
6120
6187
  type: "application",
6121
6188
  purl: purlString,
6122
- "bom-ref": decodeURIComponent(purlString)
6189
+ "bom-ref": decodeURIComponent(purlString),
6123
6190
  };
6124
6191
  pkgList.push(rootPkg);
6125
6192
  const rootPkgDeps = new Set();
@@ -6148,8 +6215,8 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6148
6215
  nameOperatorVersion.name,
6149
6216
  nameOperatorVersion.version,
6150
6217
  null,
6151
- null
6152
- ).toString()
6218
+ null,
6219
+ ).toString(),
6153
6220
  );
6154
6221
  rootPkgDeps.add(dpurl);
6155
6222
  }
@@ -6157,7 +6224,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6157
6224
 
6158
6225
  dependenciesList.push({
6159
6226
  ref: purlString,
6160
- dependsOn: Array.from(rootPkgDeps)
6227
+ dependsOn: Array.from(rootPkgDeps),
6161
6228
  });
6162
6229
  }
6163
6230
 
@@ -6176,7 +6243,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6176
6243
  name,
6177
6244
  version,
6178
6245
  null,
6179
- null
6246
+ null,
6180
6247
  ).toString();
6181
6248
  const pkg = {
6182
6249
  group: "",
@@ -6185,7 +6252,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6185
6252
  description: "",
6186
6253
  type: csProjData.targets[framework][rootDep].type,
6187
6254
  purl: dpurl,
6188
- "bom-ref": decodeURIComponent(dpurl)
6255
+ "bom-ref": decodeURIComponent(dpurl),
6189
6256
  };
6190
6257
  if (lib[rootDep]) {
6191
6258
  if (lib[rootDep].sha512) {
@@ -6207,12 +6274,12 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6207
6274
  pkg.properties = [
6208
6275
  {
6209
6276
  name: "SrcFile",
6210
- value: assetsJsonFile
6277
+ value: assetsJsonFile,
6211
6278
  },
6212
6279
  {
6213
6280
  name: "PackageFiles",
6214
- value: Array.from(dllFiles).join(", ")
6215
- }
6281
+ value: Array.from(dllFiles).join(", "),
6282
+ },
6216
6283
  ];
6217
6284
  }
6218
6285
  }
@@ -6225,10 +6292,10 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6225
6292
  {
6226
6293
  technique: "manifest-analysis",
6227
6294
  confidence: 1,
6228
- value: assetsJsonFile
6229
- }
6230
- ]
6231
- }
6295
+ value: assetsJsonFile,
6296
+ },
6297
+ ],
6298
+ },
6232
6299
  };
6233
6300
  }
6234
6301
  pkgList.push(pkg);
@@ -6242,7 +6309,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6242
6309
  const depList = new Set();
6243
6310
  const [name, version] = rootDep.split("/");
6244
6311
  const dpurl = decodeURIComponent(
6245
- new PackageURL("nuget", "", name, version, null, null).toString()
6312
+ new PackageURL("nuget", "", name, version, null, null).toString(),
6246
6313
  );
6247
6314
  const dependencies =
6248
6315
  csProjData.targets[framework][rootDep].dependencies;
@@ -6259,7 +6326,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6259
6326
  p,
6260
6327
  dversion,
6261
6328
  null,
6262
- null
6329
+ null,
6263
6330
  ).toString();
6264
6331
  depList.add(ipurl);
6265
6332
  if (!pkgAddedMap[p]) {
@@ -6269,7 +6336,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6269
6336
  version: dversion,
6270
6337
  description: "",
6271
6338
  purl: ipurl,
6272
- "bom-ref": decodeURIComponent(ipurl)
6339
+ "bom-ref": decodeURIComponent(ipurl),
6273
6340
  });
6274
6341
  pkgAddedMap[p] = true;
6275
6342
  }
@@ -6277,14 +6344,14 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
6277
6344
  }
6278
6345
  dependenciesList.push({
6279
6346
  ref: dpurl,
6280
- dependsOn: Array.from(depList)
6347
+ dependsOn: Array.from(depList),
6281
6348
  });
6282
6349
  }
6283
6350
  }
6284
6351
  }
6285
6352
  return {
6286
6353
  pkgList,
6287
- dependenciesList
6354
+ dependenciesList,
6288
6355
  };
6289
6356
  }
6290
6357
 
@@ -6297,7 +6364,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6297
6364
  return {
6298
6365
  pkgList,
6299
6366
  dependenciesList,
6300
- rootList
6367
+ rootList,
6301
6368
  };
6302
6369
  }
6303
6370
  const assetData = JSON.parse(csLockData);
@@ -6305,7 +6372,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6305
6372
  return {
6306
6373
  pkgList,
6307
6374
  dependenciesList,
6308
- rootList
6375
+ rootList,
6309
6376
  };
6310
6377
  }
6311
6378
  for (const aversion of Object.keys(assetData.dependencies)) {
@@ -6317,7 +6384,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6317
6384
  alib,
6318
6385
  libData.resolved,
6319
6386
  null,
6320
- null
6387
+ null,
6321
6388
  ).toString();
6322
6389
  pkg = {
6323
6390
  group: "",
@@ -6331,8 +6398,8 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6331
6398
  properties: [
6332
6399
  {
6333
6400
  name: "SrcFile",
6334
- value: pkgLockFile
6335
- }
6401
+ value: pkgLockFile,
6402
+ },
6336
6403
  ],
6337
6404
  evidence: {
6338
6405
  identity: {
@@ -6342,11 +6409,11 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6342
6409
  {
6343
6410
  technique: "manifest-analysis",
6344
6411
  confidence: 1,
6345
- value: pkgLockFile
6346
- }
6347
- ]
6348
- }
6349
- }
6412
+ value: pkgLockFile,
6413
+ },
6414
+ ],
6415
+ },
6416
+ },
6350
6417
  };
6351
6418
  pkgList.push(pkg);
6352
6419
  if (["Direct", "Project"].includes(libData.type)) {
@@ -6387,7 +6454,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6387
6454
  adep = adep.toLowerCase();
6388
6455
  } else if (DEBUG_MODE) {
6389
6456
  console.warn(
6390
- `Unable to find the resolved version for ${adep} ${aversion}. Using ${adepResolvedVersion} which may be incorrect.`
6457
+ `Unable to find the resolved version for ${adep} ${aversion}. Using ${adepResolvedVersion} which may be incorrect.`,
6391
6458
  );
6392
6459
  }
6393
6460
  const adpurl = new PackageURL(
@@ -6396,21 +6463,21 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
6396
6463
  adep,
6397
6464
  adepResolvedVersion,
6398
6465
  null,
6399
- null
6466
+ null,
6400
6467
  ).toString();
6401
6468
  dependsOn.push(decodeURIComponent(adpurl));
6402
6469
  }
6403
6470
  }
6404
6471
  dependenciesList.push({
6405
6472
  ref: decodeURIComponent(purl),
6406
- dependsOn
6473
+ dependsOn,
6407
6474
  });
6408
6475
  }
6409
6476
  }
6410
6477
  return {
6411
6478
  pkgList,
6412
6479
  dependenciesList,
6413
- rootList
6480
+ rootList,
6414
6481
  };
6415
6482
  }
6416
6483
 
@@ -6448,7 +6515,7 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6448
6515
  name,
6449
6516
  version,
6450
6517
  null,
6451
- null
6518
+ null,
6452
6519
  ).toString();
6453
6520
  pkg = {
6454
6521
  group: "",
@@ -6459,8 +6526,8 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6459
6526
  properties: [
6460
6527
  {
6461
6528
  name: "SrcFile",
6462
- value: pkgLockFile
6463
- }
6529
+ value: pkgLockFile,
6530
+ },
6464
6531
  ],
6465
6532
  evidence: {
6466
6533
  identity: {
@@ -6470,11 +6537,11 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6470
6537
  {
6471
6538
  technique: "manifest-analysis",
6472
6539
  confidence: 1,
6473
- value: pkgLockFile
6474
- }
6475
- ]
6476
- }
6477
- }
6540
+ value: pkgLockFile,
6541
+ },
6542
+ ],
6543
+ },
6544
+ },
6478
6545
  };
6479
6546
  pkgList.push(pkg);
6480
6547
  dependenciesMap[purl] = new Set();
@@ -6498,7 +6565,7 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6498
6565
  const pkgName = match[1];
6499
6566
  const pkgVersion = match[2];
6500
6567
  purl = decodeURIComponent(
6501
- new PackageURL("nuget", "", pkgName, pkgVersion, null, null).toString()
6568
+ new PackageURL("nuget", "", pkgName, pkgVersion, null, null).toString(),
6502
6569
  );
6503
6570
  return;
6504
6571
  }
@@ -6508,7 +6575,7 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6508
6575
  const depName = match[1];
6509
6576
  const depVersion = pkgNameVersionMap[depName + group];
6510
6577
  const dpurl = decodeURIComponent(
6511
- new PackageURL("nuget", "", depName, depVersion, null, null).toString()
6578
+ new PackageURL("nuget", "", depName, depVersion, null, null).toString(),
6512
6579
  );
6513
6580
  dependenciesMap[purl].add(dpurl);
6514
6581
  }
@@ -6517,13 +6584,13 @@ export function parsePaketLockData(paketLockData, pkgLockFile) {
6517
6584
  for (const ref in dependenciesMap) {
6518
6585
  dependenciesList.push({
6519
6586
  ref: ref,
6520
- dependsOn: Array.from(dependenciesMap[ref])
6587
+ dependsOn: Array.from(dependenciesMap[ref]),
6521
6588
  });
6522
6589
  }
6523
6590
 
6524
6591
  return {
6525
6592
  pkgList,
6526
- dependenciesList
6593
+ dependenciesList,
6527
6594
  };
6528
6595
  }
6529
6596
 
@@ -6581,7 +6648,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
6581
6648
  name,
6582
6649
  pkg.version,
6583
6650
  null,
6584
- null
6651
+ null,
6585
6652
  ).toString();
6586
6653
  const apkg = {
6587
6654
  group: group,
@@ -6596,8 +6663,8 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
6596
6663
  properties: [
6597
6664
  {
6598
6665
  name: "SrcFile",
6599
- value: pkgLockFile
6600
- }
6666
+ value: pkgLockFile,
6667
+ },
6601
6668
  ],
6602
6669
  evidence: {
6603
6670
  identity: {
@@ -6607,11 +6674,11 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
6607
6674
  {
6608
6675
  technique: "manifest-analysis",
6609
6676
  confidence: 1,
6610
- value: pkgLockFile
6611
- }
6612
- ]
6613
- }
6614
- }
6677
+ value: pkgLockFile,
6678
+ },
6679
+ ],
6680
+ },
6681
+ },
6615
6682
  };
6616
6683
  if (pkg.autoload && Object.keys(pkg.autoload).length) {
6617
6684
  const namespaces = [];
@@ -6625,7 +6692,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
6625
6692
  if (namespaces.length) {
6626
6693
  apkg.properties.push({
6627
6694
  name: "Namespaces",
6628
- value: namespaces.join(", ")
6695
+ value: namespaces.join(", "),
6629
6696
  });
6630
6697
  }
6631
6698
  }
@@ -6661,13 +6728,13 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
6661
6728
  for (const ref in dependenciesMap) {
6662
6729
  dependenciesList.push({
6663
6730
  ref: ref,
6664
- dependsOn: Array.from(dependenciesMap[ref])
6731
+ dependsOn: Array.from(dependenciesMap[ref]),
6665
6732
  });
6666
6733
  }
6667
6734
  return {
6668
6735
  pkgList,
6669
6736
  dependenciesList,
6670
- rootList
6737
+ rootList,
6671
6738
  };
6672
6739
  }
6673
6740
 
@@ -6726,7 +6793,7 @@ export function parseSbtTree(sbtTreeFile) {
6726
6793
  name,
6727
6794
  version,
6728
6795
  { type: "jar" },
6729
- null
6796
+ null,
6730
6797
  ).toString();
6731
6798
  // Filter duplicates
6732
6799
  if (!keys_cache[purlString]) {
@@ -6744,11 +6811,11 @@ export function parseSbtTree(sbtTreeFile) {
6744
6811
  {
6745
6812
  technique: "manifest-analysis",
6746
6813
  confidence: 1,
6747
- value: sbtTreeFile
6748
- }
6749
- ]
6750
- }
6751
- }
6814
+ value: sbtTreeFile,
6815
+ },
6816
+ ],
6817
+ },
6818
+ },
6752
6819
  };
6753
6820
  if (isLibrary) {
6754
6821
  adep["type"] = "library";
@@ -6794,7 +6861,7 @@ export function parseSbtTree(sbtTreeFile) {
6794
6861
  for (const lk of Object.keys(level_trees)) {
6795
6862
  dependenciesList.push({
6796
6863
  ref: lk,
6797
- dependsOn: level_trees[lk]
6864
+ dependsOn: level_trees[lk],
6798
6865
  });
6799
6866
  }
6800
6867
  return { pkgList, dependenciesList };
@@ -6809,7 +6876,7 @@ export function parseSbtLock(pkgLockFile) {
6809
6876
  const pkgList = [];
6810
6877
  if (existsSync(pkgLockFile)) {
6811
6878
  const lockData = JSON.parse(
6812
- readFileSync(pkgLockFile, { encoding: "utf-8" })
6879
+ readFileSync(pkgLockFile, { encoding: "utf-8" }),
6813
6880
  );
6814
6881
  if (lockData && lockData.dependencies) {
6815
6882
  for (const pkg of lockData.dependencies) {
@@ -6835,8 +6902,8 @@ export function parseSbtLock(pkgLockFile) {
6835
6902
  properties: [
6836
6903
  {
6837
6904
  name: "SrcFile",
6838
- value: pkgLockFile
6839
- }
6905
+ value: pkgLockFile,
6906
+ },
6840
6907
  ],
6841
6908
  evidence: {
6842
6909
  identity: {
@@ -6846,11 +6913,11 @@ export function parseSbtLock(pkgLockFile) {
6846
6913
  {
6847
6914
  technique: "manifest-analysis",
6848
6915
  confidence: 1,
6849
- value: pkgLockFile
6850
- }
6851
- ]
6852
- }
6853
- }
6916
+ value: pkgLockFile,
6917
+ },
6918
+ ],
6919
+ },
6920
+ },
6854
6921
  });
6855
6922
  }
6856
6923
  }
@@ -6883,7 +6950,7 @@ function convertStdoutToList(result) {
6883
6950
  */
6884
6951
  export function executeDpkgList(pkgName) {
6885
6952
  const result = spawnSync("dpkg", ["--listfiles", "--no-pager", pkgName], {
6886
- encoding: "utf-8"
6953
+ encoding: "utf-8",
6887
6954
  });
6888
6955
  return convertStdoutToList(result);
6889
6956
  }
@@ -6896,12 +6963,12 @@ export function executeDpkgList(pkgName) {
6896
6963
  */
6897
6964
  export function executeRpmList(pkgName) {
6898
6965
  let result = spawnSync("dnf", ["repoquery", "-l", pkgName], {
6899
- encoding: "utf-8"
6966
+ encoding: "utf-8",
6900
6967
  });
6901
6968
  // Fallback to rpm
6902
6969
  if (result.status !== 0 || result.error) {
6903
6970
  result = spawnSync("rpm", ["-ql", pkgName], {
6904
- encoding: "utf-8"
6971
+ encoding: "utf-8",
6905
6972
  });
6906
6973
  }
6907
6974
  return convertStdoutToList(result);
@@ -6915,7 +6982,7 @@ export function executeRpmList(pkgName) {
6915
6982
  */
6916
6983
  export function executeApkList(pkgName) {
6917
6984
  const result = spawnSync("apk", ["-L", "info", pkgName], {
6918
- encoding: "utf-8"
6985
+ encoding: "utf-8",
6919
6986
  });
6920
6987
  return convertStdoutToList(result);
6921
6988
  }
@@ -6928,7 +6995,7 @@ export function executeApkList(pkgName) {
6928
6995
  */
6929
6996
  export function executeAlpmList(pkgName) {
6930
6997
  const result = spawnSync("pacman", ["-Ql", pkgName], {
6931
- encoding: "utf-8"
6998
+ encoding: "utf-8",
6932
6999
  });
6933
7000
  return convertStdoutToList(result);
6934
7001
  }
@@ -6941,7 +7008,7 @@ export function executeAlpmList(pkgName) {
6941
7008
  */
6942
7009
  export function executeEqueryList(pkgName) {
6943
7010
  const result = spawnSync("equery", ["files", pkgName], {
6944
- encoding: "utf-8"
7011
+ encoding: "utf-8",
6945
7012
  });
6946
7013
  return convertStdoutToList(result);
6947
7014
  }
@@ -6958,7 +7025,7 @@ export function convertOSQueryResults(
6958
7025
  queryCategory,
6959
7026
  queryObj,
6960
7027
  results,
6961
- enhance = false
7028
+ enhance = false,
6962
7029
  ) {
6963
7030
  const pkgList = [];
6964
7031
  if (results && results.length) {
@@ -7018,7 +7085,7 @@ export function convertOSQueryResults(
7018
7085
  let qualifiers = undefined;
7019
7086
  if (res.identifying_number && res.identifying_number.length) {
7020
7087
  qualifiers = {
7021
- tag_id: res.identifying_number.replace("{", "").replace("}", "")
7088
+ tag_id: res.identifying_number.replace("{", "").replace("}", ""),
7022
7089
  };
7023
7090
  }
7024
7091
  if (name) {
@@ -7038,7 +7105,7 @@ export function convertOSQueryResults(
7038
7105
  name,
7039
7106
  version || "",
7040
7107
  qualifiers,
7041
- subpath
7108
+ subpath,
7042
7109
  ).toString();
7043
7110
  const props = [{ name: "cdx:osquery:category", value: queryCategory }];
7044
7111
  let providesList = undefined;
@@ -7075,15 +7142,15 @@ export function convertOSQueryResults(
7075
7142
  "bom-ref": decodeURIComponent(purl),
7076
7143
  purl,
7077
7144
  scope,
7078
- type: queryObj.componentType
7145
+ type: queryObj.componentType,
7079
7146
  };
7080
7147
  for (const k of Object.keys(res).filter(
7081
- (p) => !["name", "version", "description", "publisher"].includes(p)
7148
+ (p) => !["name", "version", "description", "publisher"].includes(p),
7082
7149
  )) {
7083
7150
  if (res[k] && res[k] !== "null") {
7084
7151
  props.push({
7085
7152
  name: k,
7086
- value: res[k]
7153
+ value: res[k],
7087
7154
  });
7088
7155
  }
7089
7156
  }
@@ -7145,7 +7212,7 @@ export function parseSwiftJsonTreeObject(
7145
7212
  pkgList,
7146
7213
  dependenciesList,
7147
7214
  jsonObject,
7148
- pkgFile
7215
+ pkgFile,
7149
7216
  ) {
7150
7217
  const urlOrPath = jsonObject.url || jsonObject.path;
7151
7218
  const version = jsonObject.version;
@@ -7156,7 +7223,7 @@ export function parseSwiftJsonTreeObject(
7156
7223
  group: purl.namespace,
7157
7224
  version: purl.version,
7158
7225
  purl: purlString,
7159
- "bom-ref": purlString
7226
+ "bom-ref": purlString,
7160
7227
  };
7161
7228
  if (urlOrPath) {
7162
7229
  if (urlOrPath.startsWith("http")) {
@@ -7165,12 +7232,12 @@ export function parseSwiftJsonTreeObject(
7165
7232
  const properties = [];
7166
7233
  properties.push({
7167
7234
  name: "SrcPath",
7168
- value: urlOrPath
7235
+ value: urlOrPath,
7169
7236
  });
7170
7237
  if (pkgFile) {
7171
7238
  properties.push({
7172
7239
  name: "SrcFile",
7173
- value: pkgFile
7240
+ value: pkgFile,
7174
7241
  });
7175
7242
  }
7176
7243
  rootPkg.properties = properties;
@@ -7184,14 +7251,14 @@ export function parseSwiftJsonTreeObject(
7184
7251
  pkgList,
7185
7252
  dependenciesList,
7186
7253
  dependency,
7187
- pkgFile
7254
+ pkgFile,
7188
7255
  );
7189
7256
  depList.push(res);
7190
7257
  }
7191
7258
  }
7192
7259
  dependenciesList.push({
7193
7260
  ref: purlString,
7194
- dependsOn: depList
7261
+ dependsOn: depList,
7195
7262
  });
7196
7263
  return purlString;
7197
7264
  }
@@ -7218,7 +7285,7 @@ export function parseSwiftJsonTree(rawOutput, pkgFile) {
7218
7285
  }
7219
7286
  return {
7220
7287
  pkgList,
7221
- dependenciesList
7288
+ dependenciesList,
7222
7289
  };
7223
7290
  }
7224
7291
 
@@ -7231,7 +7298,7 @@ export function parseSwiftResolved(resolvedFile) {
7231
7298
  if (existsSync(resolvedFile)) {
7232
7299
  try {
7233
7300
  const pkgData = JSON.parse(
7234
- readFileSync(resolvedFile, { encoding: "utf-8" })
7301
+ readFileSync(resolvedFile, { encoding: "utf-8" }),
7235
7302
  );
7236
7303
  let resolvedList = [];
7237
7304
  if (pkgData.pins) {
@@ -7253,8 +7320,8 @@ export function parseSwiftResolved(resolvedFile) {
7253
7320
  properties: [
7254
7321
  {
7255
7322
  name: "SrcFile",
7256
- value: resolvedFile
7257
- }
7323
+ value: resolvedFile,
7324
+ },
7258
7325
  ],
7259
7326
  evidence: {
7260
7327
  identity: {
@@ -7264,11 +7331,11 @@ export function parseSwiftResolved(resolvedFile) {
7264
7331
  {
7265
7332
  technique: "manifest-analysis",
7266
7333
  confidence: 1,
7267
- value: resolvedFile
7268
- }
7269
- ]
7270
- }
7271
- }
7334
+ value: resolvedFile,
7335
+ },
7336
+ ],
7337
+ },
7338
+ },
7272
7339
  };
7273
7340
  if (locationOrUrl) {
7274
7341
  rootPkg.repository = { url: locationOrUrl };
@@ -7294,7 +7361,7 @@ export async function collectMvnDependencies(
7294
7361
  mavenCmd,
7295
7362
  basePath,
7296
7363
  cleanup = true,
7297
- includeCacheDir = false
7364
+ includeCacheDir = false,
7298
7365
  ) {
7299
7366
  let jarNSMapping = {};
7300
7367
  const MAVEN_CACHE_DIR =
@@ -7308,7 +7375,7 @@ export async function collectMvnDependencies(
7308
7375
  "-Dmdep.useRepositoryLayout=true",
7309
7376
  "-Dmdep.includeScope=compile",
7310
7377
  "-Dmdep.prependGroupId=" + (process.env.MAVEN_PREPEND_GROUP || "false"),
7311
- "-Dmdep.stripVersion=" + (process.env.MAVEN_STRIP_VERSION || "false")
7378
+ "-Dmdep.stripVersion=" + (process.env.MAVEN_STRIP_VERSION || "false"),
7312
7379
  ];
7313
7380
  if (process.env.MVN_ARGS) {
7314
7381
  const addArgs = process.env.MVN_ARGS.split(" ");
@@ -7319,21 +7386,21 @@ export async function collectMvnDependencies(
7319
7386
  const result = spawnSync(mavenCmd, copyArgs, {
7320
7387
  cwd: basePath,
7321
7388
  encoding: "utf-8",
7322
- shell: isWin
7389
+ shell: isWin,
7323
7390
  });
7324
7391
  if (result.status !== 0 || result.error) {
7325
7392
  console.error(result.stdout, result.stderr);
7326
7393
  console.log(
7327
- "Resolve the above maven error. You can try the following remediation tips:\n"
7394
+ "Resolve the above maven error. You can try the following remediation tips:\n",
7328
7395
  );
7329
7396
  console.log(
7330
- "1. Check if the correct version of maven is installed and available in the PATH."
7397
+ "1. Check if the correct version of maven is installed and available in the PATH.",
7331
7398
  );
7332
7399
  console.log(
7333
- "2. Perform 'mvn compile package' before invoking this command. Fix any errors found during this invocation."
7400
+ "2. Perform 'mvn compile package' before invoking this command. Fix any errors found during this invocation.",
7334
7401
  );
7335
7402
  console.log(
7336
- "3. Ensure the temporary directory is available and has sufficient disk space to copy all the artifacts."
7403
+ "3. Ensure the temporary directory is available and has sufficient disk space to copy all the artifacts.",
7337
7404
  );
7338
7405
  } else {
7339
7406
  jarNSMapping = await collectJarNS(tempDir);
@@ -7355,7 +7422,7 @@ export async function collectGradleDependencies(
7355
7422
  gradleCmd,
7356
7423
  basePath,
7357
7424
  cleanup = true, // eslint-disable-line no-unused-vars
7358
- includeCacheDir = false // eslint-disable-line no-unused-vars
7425
+ includeCacheDir = false, // eslint-disable-line no-unused-vars
7359
7426
  ) {
7360
7427
  // HELP WANTED: We need an init script that mimics maven copy-dependencies that only collects the project specific jars and poms
7361
7428
  // Construct gradle cache directory
@@ -7367,13 +7434,13 @@ export async function collectGradleDependencies(
7367
7434
  process.env.GRADLE_USER_HOME,
7368
7435
  "caches",
7369
7436
  "modules-2",
7370
- "files-2.1"
7437
+ "files-2.1",
7371
7438
  );
7372
7439
  }
7373
7440
  if (DEBUG_MODE) {
7374
7441
  console.log("Collecting jars from", GRADLE_CACHE_DIR);
7375
7442
  console.log(
7376
- "To improve performance, ensure only the project dependencies are present in this cache location."
7443
+ "To improve performance, ensure only the project dependencies are present in this cache location.",
7377
7444
  );
7378
7445
  }
7379
7446
  const pomPathMap = {};
@@ -7396,16 +7463,16 @@ export async function collectGradleDependencies(
7396
7463
  export async function collectJarNS(jarPath, pomPathMap = {}) {
7397
7464
  const jarNSMapping = {};
7398
7465
  console.log(
7399
- `About to identify class names for all jars in the path ${jarPath}`
7466
+ `About to identify class names for all jars in the path ${jarPath}`,
7400
7467
  );
7401
7468
  const env = {
7402
- ...process.env
7469
+ ...process.env,
7403
7470
  };
7404
7471
  // jar command usually would not be available in the PATH for windows
7405
7472
  if (isWin && env.JAVA_HOME) {
7406
7473
  env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
7407
7474
  env.JAVA_HOME,
7408
- "bin"
7475
+ "bin",
7409
7476
  )}`;
7410
7477
  }
7411
7478
  // Parse jar files to get class names
@@ -7440,7 +7507,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
7440
7507
  pomData.artifactId,
7441
7508
  pomData.version,
7442
7509
  { type: "jar" },
7443
- null
7510
+ null,
7444
7511
  );
7445
7512
  purl = purlObj.toString();
7446
7513
  }
@@ -7486,7 +7553,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
7486
7553
  jarFileName.replace(`-${jarVersion}`, ""),
7487
7554
  jarVersion,
7488
7555
  { type: qualifierType },
7489
- null
7556
+ null,
7490
7557
  );
7491
7558
  purl = purlObj.toString();
7492
7559
  }
@@ -7515,7 +7582,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
7515
7582
  pkgName,
7516
7583
  jarVersion,
7517
7584
  { type: "jar" },
7518
- null
7585
+ null,
7519
7586
  );
7520
7587
  purl = purlObj.toString();
7521
7588
  }
@@ -7531,7 +7598,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
7531
7598
  jarNSMapping[purl || jf] = {
7532
7599
  jarFile: jf,
7533
7600
  pom: pomData,
7534
- namespaces: nsList
7601
+ namespaces: nsList,
7535
7602
  };
7536
7603
  // Retain in the global cache to speed up future lookups
7537
7604
  if (purl) {
@@ -7565,7 +7632,7 @@ export function convertJarNSToPackages(jarNSMapping) {
7565
7632
  const name = pom.artifactId || purlObj.name;
7566
7633
  if (!name) {
7567
7634
  console.warn(
7568
- `Unable to identify the metadata for ${purl}. This will be skipped.`
7635
+ `Unable to identify the metadata for ${purl}. This will be skipped.`,
7569
7636
  );
7570
7637
  continue;
7571
7638
  }
@@ -7584,21 +7651,21 @@ export function convertJarNSToPackages(jarNSMapping) {
7584
7651
  {
7585
7652
  technique: "filename",
7586
7653
  confidence: 1,
7587
- value: jarFile
7588
- }
7589
- ]
7590
- }
7654
+ value: jarFile,
7655
+ },
7656
+ ],
7657
+ },
7591
7658
  },
7592
7659
  properties: [
7593
7660
  {
7594
7661
  name: "SrcFile",
7595
- value: jarFile
7662
+ value: jarFile,
7596
7663
  },
7597
7664
  {
7598
7665
  name: "Namespaces",
7599
- value: namespaces.join("\n")
7600
- }
7601
- ]
7666
+ value: namespaces.join("\n"),
7667
+ },
7668
+ ],
7602
7669
  };
7603
7670
  if (pom.url) {
7604
7671
  apackage["homepage"] = { url: pom.url };
@@ -7620,7 +7687,7 @@ export function parsePomXml(pomXmlData) {
7620
7687
  spaces: 4,
7621
7688
  textKey: "_",
7622
7689
  attributesKey: "$",
7623
- commentKey: "value"
7690
+ commentKey: "value",
7624
7691
  }).project;
7625
7692
  if (project) {
7626
7693
  let version = project.version ? project.version._ : undefined;
@@ -7637,7 +7704,7 @@ export function parsePomXml(pomXmlData) {
7637
7704
  version,
7638
7705
  description: project.description ? project.description._ : "",
7639
7706
  url: project.url ? project.url._ : "",
7640
- scm: project.scm && project.scm.url ? project.scm.url._ : ""
7707
+ scm: project.scm && project.scm.url ? project.scm.url._ : "",
7641
7708
  };
7642
7709
  }
7643
7710
  return undefined;
@@ -7696,7 +7763,7 @@ export function getPomPropertiesFromMavenDir(mavenDir) {
7696
7763
  const pomPropertiesFiles = getAllFiles(mavenDir, "**/pom.properties");
7697
7764
  if (pomPropertiesFiles && pomPropertiesFiles.length) {
7698
7765
  const pomPropertiesString = readFileSync(pomPropertiesFiles[0], {
7699
- encoding: "utf-8"
7766
+ encoding: "utf-8",
7700
7767
  });
7701
7768
  pomProperties = parsePomProperties(pomPropertiesString);
7702
7769
  }
@@ -7758,13 +7825,13 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7758
7825
  copyFileSync(jarFile, join(tempDir, fname), constants.COPYFILE_FICLONE);
7759
7826
  }
7760
7827
  const env = {
7761
- ...process.env
7828
+ ...process.env,
7762
7829
  };
7763
7830
  // jar command usually would not be available in the PATH for windows
7764
7831
  if (isWin && env.JAVA_HOME) {
7765
7832
  env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
7766
7833
  env.JAVA_HOME,
7767
- "bin"
7834
+ "bin",
7768
7835
  )}`;
7769
7836
  }
7770
7837
  if (
@@ -7824,7 +7891,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7824
7891
  const manifestFile = join(manifestDir, "MANIFEST.MF");
7825
7892
  const mavenDir = join(manifestDir, "maven");
7826
7893
  let jarResult = {
7827
- status: 1
7894
+ status: 1,
7828
7895
  };
7829
7896
  if (existsSync(pomname)) {
7830
7897
  jarResult = { status: 0 };
@@ -7871,8 +7938,8 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7871
7938
  secureConnect: 5000,
7872
7939
  socket: 1000,
7873
7940
  send: 10000,
7874
- response: 1000
7875
- }
7941
+ response: 1000,
7942
+ },
7876
7943
  });
7877
7944
  const data = res && res.body ? res.body["response"] : undefined;
7878
7945
  if (data && data["numFound"] == 1) {
@@ -7886,7 +7953,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7886
7953
  if (err && err.message && !err.message.includes("404")) {
7887
7954
  if (err.message.includes("Timeout")) {
7888
7955
  console.log(
7889
- "Maven search appears to be unavailable. Search will be skipped for all remaining packages."
7956
+ "Maven search appears to be unavailable. Search will be skipped for all remaining packages.",
7890
7957
  );
7891
7958
  } else if (DEBUG_MODE) {
7892
7959
  console.log(err);
@@ -7899,8 +7966,8 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7899
7966
  confidence = 0.8;
7900
7967
  const jarMetadata = parseJarManifest(
7901
7968
  readFileSync(manifestFile, {
7902
- encoding: "utf-8"
7903
- })
7969
+ encoding: "utf-8",
7970
+ }),
7904
7971
  );
7905
7972
  group =
7906
7973
  group ||
@@ -7954,12 +8021,12 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7954
8021
  if (group.includes("." + name.toLowerCase().replace(/-/g, "."))) {
7955
8022
  group = group.replace(
7956
8023
  new RegExp("." + name.toLowerCase().replace(/-/g, ".") + "$"),
7957
- ""
8024
+ "",
7958
8025
  );
7959
8026
  } else if (group.includes("." + name.toLowerCase())) {
7960
8027
  group = group.replace(
7961
8028
  new RegExp("." + name.toLowerCase() + "$"),
7962
- ""
8029
+ "",
7963
8030
  );
7964
8031
  }
7965
8032
  }
@@ -7984,7 +8051,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7984
8051
  name,
7985
8052
  version,
7986
8053
  { type: "jar" },
7987
- null
8054
+ null,
7988
8055
  ).toString(),
7989
8056
  evidence: {
7990
8057
  identity: {
@@ -7994,17 +8061,17 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
7994
8061
  {
7995
8062
  technique: technique,
7996
8063
  confidence: confidence,
7997
- value: jarname
7998
- }
7999
- ]
8000
- }
8064
+ value: jarname,
8065
+ },
8066
+ ],
8067
+ },
8001
8068
  },
8002
8069
  properties: [
8003
8070
  {
8004
8071
  name: "SrcFile",
8005
- value: jarname
8006
- }
8007
- ]
8072
+ value: jarname,
8073
+ },
8074
+ ],
8008
8075
  };
8009
8076
  if (
8010
8077
  jarNSMapping &&
@@ -8013,7 +8080,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
8013
8080
  ) {
8014
8081
  apkg.properties.push({
8015
8082
  name: "Namespaces",
8016
- value: jarNSMapping[apkg.purl].namespaces.join("\n")
8083
+ value: jarNSMapping[apkg.purl].namespaces.join("\n"),
8017
8084
  });
8018
8085
  }
8019
8086
  pkgList.push(apkg);
@@ -8028,7 +8095,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
8028
8095
  // Clean up META-INF
8029
8096
  rmSync(join(tempDir, "META-INF"), {
8030
8097
  recursive: true,
8031
- force: true
8098
+ force: true,
8032
8099
  });
8033
8100
  }
8034
8101
  } catch (err) {
@@ -8108,7 +8175,7 @@ export function cleanupPlugin(projectPath, originalPluginsFile) {
8108
8175
  copyFileSync(
8109
8176
  originalPluginsFile,
8110
8177
  pluginsFile,
8111
- constants.COPYFILE_FICLONE
8178
+ constants.COPYFILE_FICLONE,
8112
8179
  );
8113
8180
  unlinkSync(originalPluginsFile);
8114
8181
  return true;
@@ -8139,7 +8206,7 @@ export function sbtPluginsPath(projectPath) {
8139
8206
  export async function readZipEntry(
8140
8207
  zipFile,
8141
8208
  filePattern,
8142
- contentEncoding = "utf-8"
8209
+ contentEncoding = "utf-8",
8143
8210
  ) {
8144
8211
  let retData = undefined;
8145
8212
  try {
@@ -8200,7 +8267,7 @@ export async function getJarClasses(jarFile) {
8200
8267
  .replace("\r", "")
8201
8268
  .replace(/.(class|java|kt|scala|groovy)/g, "")
8202
8269
  .replace(/\/$/, "")
8203
- .replace(/\//g, ".")
8270
+ .replace(/\//g, "."),
8204
8271
  );
8205
8272
  }
8206
8273
  }
@@ -8298,14 +8365,14 @@ export function getMavenCommand(srcPath, rootPath) {
8298
8365
  if (isWrapperFound) {
8299
8366
  if (DEBUG_MODE) {
8300
8367
  console.log(
8301
- "Testing the wrapper script by invoking wrapper:wrapper task"
8368
+ "Testing the wrapper script by invoking wrapper:wrapper task",
8302
8369
  );
8303
8370
  }
8304
8371
  const result = spawnSync(mavenWrapperCmd, ["wrapper:wrapper"], {
8305
8372
  encoding: "utf-8",
8306
8373
  cwd: rootPath,
8307
8374
  timeout: TIMEOUT_MS,
8308
- shell: isWin
8375
+ shell: isWin,
8309
8376
  });
8310
8377
  if (!result.error && !result.status) {
8311
8378
  isWrapperReady = true;
@@ -8313,7 +8380,7 @@ export function getMavenCommand(srcPath, rootPath) {
8313
8380
  } else {
8314
8381
  if (DEBUG_MODE) {
8315
8382
  console.log(
8316
- "Maven wrapper script test has failed. Will use the installed version of maven."
8383
+ "Maven wrapper script test has failed. Will use the installed version of maven.",
8317
8384
  );
8318
8385
  }
8319
8386
  }
@@ -8344,7 +8411,7 @@ export function getAtomCommand() {
8344
8411
  "node_modules",
8345
8412
  "@appthreat",
8346
8413
  "atom",
8347
- "index.js"
8414
+ "index.js",
8348
8415
  );
8349
8416
  if (existsSync(localAtom)) {
8350
8417
  return `${NODE_CMD} ${localAtom}`;
@@ -8368,20 +8435,20 @@ export function executeAtom(src, args) {
8368
8435
  console.log("Executing", ATOM_BIN, args.join(" "));
8369
8436
  }
8370
8437
  const env = {
8371
- ...process.env
8438
+ ...process.env,
8372
8439
  };
8373
8440
 
8374
8441
  if (isWin) {
8375
8442
  env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
8376
8443
  dirNameStr,
8377
8444
  "node_modules",
8378
- ".bin"
8445
+ ".bin",
8379
8446
  )}`;
8380
8447
  } else {
8381
8448
  env.PATH = `${env.PATH}${_delimiter}${join(
8382
8449
  dirNameStr,
8383
8450
  "node_modules",
8384
- ".bin"
8451
+ ".bin",
8385
8452
  )}`;
8386
8453
  }
8387
8454
  const result = spawnSync(ATOM_BIN, args, {
@@ -8391,22 +8458,22 @@ export function executeAtom(src, args) {
8391
8458
  detached: !isWin && !process.env.CI,
8392
8459
  shell: isWin,
8393
8460
  killSignal: "SIGKILL",
8394
- env
8461
+ env,
8395
8462
  });
8396
8463
  if (result.stderr) {
8397
8464
  if (
8398
8465
  result.stderr.includes(
8399
- "has been compiled by a more recent version of the Java Runtime"
8466
+ "has been compiled by a more recent version of the Java Runtime",
8400
8467
  ) ||
8401
8468
  result.stderr.includes("Error: Could not create the Java Virtual Machine")
8402
8469
  ) {
8403
8470
  console.log(
8404
- "Atom requires Java 21 or above. To improve the SBOM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image."
8471
+ "Atom requires Java 21 or above. To improve the SBOM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image.",
8405
8472
  );
8406
8473
  console.log(`Current JAVA_HOME: ${env["JAVA_HOME"] || ""}`);
8407
8474
  } else if (result.stderr.includes("astgen")) {
8408
8475
  console.warn(
8409
- "WARN: Unable to locate astgen command. Install atom globally using sudo npm install -g @appthreat/atom to resolve this issue."
8476
+ "WARN: Unable to locate astgen command. Install atom globally using sudo npm install -g @appthreat/atom to resolve this issue.",
8410
8477
  );
8411
8478
  }
8412
8479
  }
@@ -8440,7 +8507,7 @@ export function findAppModules(
8440
8507
  src,
8441
8508
  language,
8442
8509
  methodology = "usages",
8443
- slicesFile = undefined
8510
+ slicesFile = undefined,
8444
8511
  ) {
8445
8512
  const tempDir = mkdtempSync(join(tmpdir(), "atom-deps-"));
8446
8513
  const atomFile = join(tempDir, "app.atom");
@@ -8456,12 +8523,12 @@ export function findAppModules(
8456
8523
  resolve(atomFile),
8457
8524
  "--slice-outfile",
8458
8525
  resolve(slicesFile),
8459
- resolve(src)
8526
+ resolve(src),
8460
8527
  ];
8461
8528
  executeAtom(src, args);
8462
8529
  if (existsSync(slicesFile)) {
8463
8530
  const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"), {
8464
- encoding: "utf-8"
8531
+ encoding: "utf-8",
8465
8532
  });
8466
8533
  if (slicesData && Object.keys(slicesData) && slicesData.modules) {
8467
8534
  retList = slicesData.modules;
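Review bot: The `{ encoding: "utf-8", }` object in this hunk is the second argument of `JSON.parse`, not of `readFileSync`, so it is treated as a reviver; since it is not callable it is silently ignored, and the file is already read as text via the `"utf-8"` passed directly to `readFileSync`. The trailing-comma reformat preserves this no-op, which misleads readers into thinking the encoding is applied here. Replacing the call with `const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));` keeps behaviour identical and drops the dead argument. findAppModules starts and ends outside the hunk.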
@@ -8470,10 +8537,10 @@ export function findAppModules(
8470
8537
  }
8471
8538
  } else {
8472
8539
  console.log(
8473
- "Slicing was not successful. For large projects (> 1 million lines of code), try running atom cli externally in Java mode. Please refer to the instructions in https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md."
8540
+ "Slicing was not successful. For large projects (> 1 million lines of code), try running atom cli externally in Java mode. Please refer to the instructions in https://github.com/CycloneDX/cdxgen/blob/master/ADVANCED.md.",
8474
8541
  );
8475
8542
  console.log(
8476
- "NOTE: Atom is in detached mode and will continue to run in the background with max CPU and memory unless it's killed."
8543
+ "NOTE: Atom is in detached mode and will continue to run in the background with max CPU and memory unless it's killed.",
8477
8544
  );
8478
8545
  }
8479
8546
  // Clean up
@@ -8502,7 +8569,7 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
8502
8569
  d.name,
8503
8570
  d.version,
8504
8571
  null,
8505
- null
8572
+ null,
8506
8573
  ).toString();
8507
8574
  pkgList.push({
8508
8575
  name: d.name,
@@ -8512,8 +8579,8 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
8512
8579
  properties: [
8513
8580
  {
8514
8581
  name: "SrcFile",
8515
- value: reqOrSetupFile
8516
- }
8582
+ value: reqOrSetupFile,
8583
+ },
8517
8584
  ],
8518
8585
  evidence: {
8519
8586
  identity: {
@@ -8523,11 +8590,11 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
8523
8590
  {
8524
8591
  technique: "manifest-analysis",
8525
8592
  confidence: 0.8,
8526
- value: reqOrSetupFile
8527
- }
8528
- ]
8529
- }
8530
- }
8593
+ value: reqOrSetupFile,
8594
+ },
8595
+ ],
8596
+ },
8597
+ },
8531
8598
  });
8532
8599
  // Recurse and flatten
8533
8600
  if (d.dependencies && d.dependencies) {
@@ -8554,7 +8621,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8554
8621
  let result = undefined;
8555
8622
  let frozen = true;
8556
8623
  const env = {
8557
- ...process.env
8624
+ ...process.env,
8558
8625
  };
8559
8626
  /**
8560
8627
  * Let's start with an attempt to create a new temporary virtual environment in case we aren't in one
@@ -8569,7 +8636,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8569
8636
  ) {
8570
8637
  result = spawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
8571
8638
  encoding: "utf-8",
8572
- shell: isWin
8639
+ shell: isWin,
8573
8640
  });
8574
8641
  if (result.status !== 0 || result.error) {
8575
8642
  frozen = false;
@@ -8580,12 +8647,12 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8580
8647
  result.stderr.includes("spawnSync python ENOENT")
8581
8648
  ) {
8582
8649
  console.log(
8583
- "Install suitable version of python or set the environment variable PYTHON_CMD."
8650
+ "Install suitable version of python or set the environment variable PYTHON_CMD.",
8584
8651
  );
8585
8652
  }
8586
8653
  if (!result.stderr) {
8587
8654
  console.log(
8588
- "Ensure the virtualenv package is installed using pip. `python -m pip install virtualenv`"
8655
+ "Ensure the virtualenv package is installed using pip. `python -m pip install virtualenv`",
8589
8656
  );
8590
8657
  }
8591
8658
  }
@@ -8596,7 +8663,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8596
8663
  env.VIRTUAL_ENV = tempVenvDir;
8597
8664
  env.PATH = `${join(
8598
8665
  tempVenvDir,
8599
- platform() === "win32" ? "Scripts" : "bin"
8666
+ platform() === "win32" ? "Scripts" : "bin",
8600
8667
  )}${_delimiter}${process.env.PATH || ""}`;
8601
8668
  }
8602
8669
  }
@@ -8617,13 +8684,13 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8617
8684
  "config",
8618
8685
  "virtualenvs.options.no-setuptools",
8619
8686
  "true",
8620
- "--local"
8687
+ "--local",
8621
8688
  ];
8622
8689
  result = spawnSync(PYTHON_CMD, poetryConfigArgs, {
8623
8690
  cwd: basePath,
8624
8691
  encoding: "utf-8",
8625
8692
  timeout: TIMEOUT_MS,
8626
- shell: isWin
8693
+ shell: isWin,
8627
8694
  });
8628
8695
  let poetryInstallArgs = ["-m", "poetry", "install", "-n", "--no-root"];
8629
8696
  // Attempt to perform poetry install
@@ -8631,7 +8698,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8631
8698
  cwd: basePath,
8632
8699
  encoding: "utf-8",
8633
8700
  timeout: TIMEOUT_MS,
8634
- shell: isWin
8701
+ shell: isWin,
8635
8702
  });
8636
8703
  if (result.status !== 0 || result.error) {
8637
8704
  if (result.stderr && result.stderr.includes("No module named poetry")) {
@@ -8642,7 +8709,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8642
8709
  encoding: "utf-8",
8643
8710
  timeout: TIMEOUT_MS,
8644
8711
  shell: isWin,
8645
- env
8712
+ env,
8646
8713
  });
8647
8714
  if (result.status !== 0 || result.error) {
8648
8715
  frozen = false;
@@ -8651,19 +8718,19 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8651
8718
  }
8652
8719
  console.log("poetry install has failed.");
8653
8720
  console.log(
8654
- "1. Install the poetry command using python -m pip install poetry."
8721
+ "1. Install the poetry command using python -m pip install poetry.",
8655
8722
  );
8656
8723
  console.log(
8657
- "2. Check the version of python supported by the project. Poetry is strict about the version used."
8724
+ "2. Check the version of python supported by the project. Poetry is strict about the version used.",
8658
8725
  );
8659
8726
  console.log(
8660
- "3. Setup and activate the poetry virtual environment and re-run cdxgen."
8727
+ "3. Setup and activate the poetry virtual environment and re-run cdxgen.",
8661
8728
  );
8662
8729
  }
8663
8730
  } else {
8664
8731
  frozen = false;
8665
8732
  console.log(
8666
- "Poetry install has failed. Setup and activate the poetry virtual environment and re-run cdxgen."
8733
+ "Poetry install has failed. Setup and activate the poetry virtual environment and re-run cdxgen.",
8667
8734
  );
8668
8735
  if (DEBUG_MODE) {
8669
8736
  if (result.error) {
@@ -8681,14 +8748,14 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8681
8748
  encoding: "utf-8",
8682
8749
  timeout: TIMEOUT_MS,
8683
8750
  shell: isWin,
8684
- env
8751
+ env,
8685
8752
  });
8686
8753
  tempVenvDir = result.stdout.replaceAll(/[\r\n]+/g, "");
8687
8754
  if (tempVenvDir && tempVenvDir.length) {
8688
8755
  env.VIRTUAL_ENV = tempVenvDir;
8689
8756
  env.PATH = `${join(
8690
8757
  tempVenvDir,
8691
- platform() === "win32" ? "Scripts" : "bin"
8758
+ platform() === "win32" ? "Scripts" : "bin",
8692
8759
  )}${_delimiter}${process.env.PATH || ""}`;
8693
8760
  }
8694
8761
  }
@@ -8697,7 +8764,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8697
8764
  "-m",
8698
8765
  "pip",
8699
8766
  "install",
8700
- "--disable-pip-version-check"
8767
+ "--disable-pip-version-check",
8701
8768
  ];
8702
8769
  // Requirements.txt could be called with any name so best to check for not setup.py and not pyproject.toml
8703
8770
  if (
@@ -8715,7 +8782,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8715
8782
  encoding: "utf-8",
8716
8783
  timeout: TIMEOUT_MS,
8717
8784
  shell: isWin,
8718
- env
8785
+ env,
8719
8786
  });
8720
8787
  if (result.status !== 0 || result.error) {
8721
8788
  frozen = false;
@@ -8723,13 +8790,13 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8723
8790
  if (
8724
8791
  result.stderr &&
8725
8792
  (result.stderr.includes(
8726
- "Could not find a version that satisfies the requirement"
8793
+ "Could not find a version that satisfies the requirement",
8727
8794
  ) ||
8728
8795
  result.stderr.includes("No matching distribution found for"))
8729
8796
  ) {
8730
8797
  versionRelatedError = true;
8731
8798
  console.log(
8732
- "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBOM accuracy."
8799
+ "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBOM accuracy.",
8733
8800
  );
8734
8801
  console.log(result.stderr);
8735
8802
  }
@@ -8740,29 +8807,29 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8740
8807
  console.log(result.stderr);
8741
8808
  }
8742
8809
  console.log(
8743
- "Possible build errors detected. The resulting list in the SBOM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy."
8810
+ "Possible build errors detected. The resulting list in the SBOM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy.",
8744
8811
  );
8745
8812
  if (platform() === "win32") {
8746
8813
  console.log(
8747
- "- Install the appropriate compilers and build tools on Windows by following this documentation - https://wiki.python.org/moin/WindowsCompilers"
8814
+ "- Install the appropriate compilers and build tools on Windows by following this documentation - https://wiki.python.org/moin/WindowsCompilers",
8748
8815
  );
8749
8816
  } else {
8750
8817
  console.log(
8751
- "- For example, you may have to install gcc, gcc-c++ compiler, make tools and additional development libraries using apt-get or yum package manager."
8818
+ "- For example, you may have to install gcc, gcc-c++ compiler, make tools and additional development libraries using apt-get or yum package manager.",
8752
8819
  );
8753
8820
  }
8754
8821
  console.log(
8755
- "- Certain projects would only build with specific versions of python and OS. Data science and ML related projects might require a conda/anaconda distribution."
8822
+ "- Certain projects would only build with specific versions of python and OS. Data science and ML related projects might require a conda/anaconda distribution.",
8756
8823
  );
8757
8824
  console.log(
8758
- "- Check if any git submodules have to be initialized."
8825
+ "- Check if any git submodules have to be initialized.",
8759
8826
  );
8760
8827
  console.log(
8761
- "- If the application has its own Dockerfile, look for additional clues in there. You can also run cdxgen npm package during the container build step."
8828
+ "- If the application has its own Dockerfile, look for additional clues in there. You can also run cdxgen npm package during the container build step.",
8762
8829
  );
8763
8830
  } else {
8764
8831
  console.log(
8765
- "Possible build errors detected. Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot."
8832
+ "Possible build errors detected. Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot.",
8766
8833
  );
8767
8834
  }
8768
8835
  }
@@ -8780,14 +8847,14 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8780
8847
  */
8781
8848
  if (DEBUG_MODE) {
8782
8849
  console.log(
8783
- "About to construct the pip dependency tree. Please wait ..."
8850
+ "About to construct the pip dependency tree. Please wait ...",
8784
8851
  );
8785
8852
  }
8786
8853
  // This is a slow step that ideally needs to be invoked only once per venv
8787
8854
  const tree = getTreeWithPlugin(env, PYTHON_CMD, basePath);
8788
8855
  if (DEBUG_MODE && !tree.length) {
8789
8856
  console.log(
8790
- "Dependency tree generation has failed. Please check for any errors or version incompatibilities reported in the logs."
8857
+ "Dependency tree generation has failed. Please check for any errors or version incompatibilities reported in the logs.",
8791
8858
  );
8792
8859
  }
8793
8860
  const dependenciesMap = {};
@@ -8809,7 +8876,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8809
8876
  name,
8810
8877
  version,
8811
8878
  null,
8812
- null
8879
+ null,
8813
8880
  ).toString();
8814
8881
  pkgList.push({
8815
8882
  name,
@@ -8824,15 +8891,15 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8824
8891
  {
8825
8892
  technique: "instrumentation",
8826
8893
  confidence: 1,
8827
- value: env.VIRTUAL_ENV || env.CONDA_PREFIX
8828
- }
8829
- ]
8830
- }
8831
- }
8894
+ value: env.VIRTUAL_ENV || env.CONDA_PREFIX,
8895
+ },
8896
+ ],
8897
+ },
8898
+ },
8832
8899
  });
8833
8900
  rootList.push({
8834
8901
  name,
8835
- version
8902
+ version,
8836
8903
  });
8837
8904
  flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t);
8838
8905
  }
@@ -8845,7 +8912,7 @@ export function getPipFrozenTree(basePath, reqOrSetupFile, tempVenvDir) {
8845
8912
  pkgList,
8846
8913
  rootList,
8847
8914
  dependenciesList,
8848
- frozen
8915
+ frozen,
8849
8916
  };
8850
8917
  }
8851
8918
 
@@ -8856,10 +8923,10 @@ export function parsePackageJsonName(name) {
8856
8923
  scope: null,
8857
8924
  fullName: "",
8858
8925
  projectName: "",
8859
- moduleName: ""
8926
+ moduleName: "",
8860
8927
  };
8861
8928
  const match = (typeof name === "object" ? name.name || "" : name || "").match(
8862
- nameRegExp
8929
+ nameRegExp,
8863
8930
  );
8864
8931
  if (match) {
8865
8932
  returnObject.scope =
@@ -8882,7 +8949,7 @@ export async function addEvidenceForImports(
8882
8949
  pkgList,
8883
8950
  allImports,
8884
8951
  allExports,
8885
- deep
8952
+ deep,
8886
8953
  ) {
8887
8954
  const impPkgs = Object.keys(allImports);
8888
8955
  const exportedPkgs = Object.keys(allExports);
@@ -8904,10 +8971,10 @@ export async function addEvidenceForImports(
8904
8971
  const all_includes = impPkgs.filter(
8905
8972
  (find_pkg) =>
8906
8973
  find_pkg.startsWith(alias) &&
8907
- (find_pkg.length === alias.length || find_pkg[alias.length] === "/")
8974
+ (find_pkg.length === alias.length || find_pkg[alias.length] === "/"),
8908
8975
  );
8909
8976
  const all_exports = exportedPkgs.filter((find_pkg) =>
8910
- find_pkg.startsWith(alias)
8977
+ find_pkg.startsWith(alias),
8911
8978
  );
8912
8979
  if (all_exports && all_exports.length) {
8913
8980
  let exportedModules = new Set(all_exports);
@@ -8930,7 +8997,7 @@ export async function addEvidenceForImports(
8930
8997
  exportedModules.add(aexpsubm);
8931
8998
  }
8932
8999
  exportedModules.add(
8933
- `${evidence.importedAs.replace("./", "")}/${aexpsubm}`
9000
+ `${evidence.importedAs.replace("./", "")}/${aexpsubm}`,
8934
9001
  );
8935
9002
  }
8936
9003
  }
@@ -8942,7 +9009,7 @@ export async function addEvidenceForImports(
8942
9009
  if (exportedModules.length) {
8943
9010
  pkg.properties.push({
8944
9011
  name: "ExportedModules",
8945
- value: exportedModules.join(",")
9012
+ value: exportedModules.join(","),
8946
9013
  });
8947
9014
  }
8948
9015
  }
@@ -8959,7 +9026,7 @@ export async function addEvidenceForImports(
8959
9026
  pkg.evidence.occurrences.push({
8960
9027
  location: `${evidence.fileName}${
8961
9028
  evidence.lineNumber ? "#" + evidence.lineNumber : ""
8962
- }`
9029
+ }`,
8963
9030
  });
8964
9031
  importedModules.add(evidence.importedAs);
8965
9032
  for (const importedSm of evidence.importedModules || []) {
@@ -8980,7 +9047,7 @@ export async function addEvidenceForImports(
8980
9047
  pkg.properties = pkg.properties || [];
8981
9048
  pkg.properties.push({
8982
9049
  name: "ImportedModules",
8983
- value: importedModules.join(",")
9050
+ value: importedModules.join(","),
8984
9051
  });
8985
9052
  }
8986
9053
  break;
@@ -9011,7 +9078,7 @@ export async function addEvidenceForImports(
9011
9078
  } // for alias
9012
9079
  // Trim the properties
9013
9080
  pkg.properties = pkg.properties.filter(
9014
- (p) => p.name !== "LocalNodeModulesPath"
9081
+ (p) => p.name !== "LocalNodeModulesPath",
9015
9082
  );
9016
9083
  } // for pkg
9017
9084
  return pkgList;
@@ -9093,7 +9160,7 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
9093
9160
  group: options.projectGroup || "",
9094
9161
  name: options.projectName || name,
9095
9162
  version: options.projectVersion || "",
9096
- type: "application"
9163
+ type: "application",
9097
9164
  };
9098
9165
  parentComponent["purl"] = new PackageURL(
9099
9166
  pkgType,
@@ -9101,7 +9168,7 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
9101
9168
  parentComponent.name,
9102
9169
  parentComponent.version,
9103
9170
  null,
9104
- path
9171
+ path,
9105
9172
  ).toString();
9106
9173
  parentComponent["bom-ref"] = decodeURIComponent(parentComponent["purl"]);
9107
9174
  } else if (name) {
@@ -9114,8 +9181,8 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
9114
9181
  name,
9115
9182
  version,
9116
9183
  null,
9117
- path
9118
- ).toString()
9184
+ path,
9185
+ ).toString(),
9119
9186
  };
9120
9187
  apkg["bom-ref"] = decodeURIComponent(apkg["purl"]);
9121
9188
  pkgList.push(apkg);
@@ -9127,13 +9194,13 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
9127
9194
  const dependsOn = Array.from(dependenciesMap[pk] || []);
9128
9195
  dependenciesList.push({
9129
9196
  ref: pk,
9130
- dependsOn
9197
+ dependsOn,
9131
9198
  });
9132
9199
  }
9133
9200
  return {
9134
9201
  parentComponent,
9135
9202
  pkgList,
9136
- dependenciesList
9203
+ dependenciesList,
9137
9204
  };
9138
9205
  }
9139
9206
 
@@ -9195,7 +9262,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9195
9262
  group: options.projectGroup || "",
9196
9263
  name: parentName,
9197
9264
  version: parentVersion || options.projectVersion || "",
9198
- type: "application"
9265
+ type: "application",
9199
9266
  };
9200
9267
  parentComponent["purl"] = new PackageURL(
9201
9268
  pkgType,
@@ -9203,10 +9270,10 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9203
9270
  parentComponent.name,
9204
9271
  parentComponent.version,
9205
9272
  null,
9206
- path
9273
+ path,
9207
9274
  ).toString();
9208
9275
  parentComponent["bom-ref"] = decodeURIComponent(
9209
- parentComponent["purl"]
9276
+ parentComponent["purl"],
9210
9277
  );
9211
9278
  }
9212
9279
  }
@@ -9217,7 +9284,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9217
9284
  "find_library(",
9218
9285
  "find_dependency(",
9219
9286
  "find_file(",
9220
- "FetchContent_MakeAvailable("
9287
+ "FetchContent_MakeAvailable(",
9221
9288
  ]) {
9222
9289
  if (l.startsWith(fm)) {
9223
9290
  tmpA = l.split(fm);
@@ -9236,12 +9303,12 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9236
9303
  "PATHS",
9237
9304
  "ENV",
9238
9305
  "NO_MODULE",
9239
- "NO_DEFAULT_PATH"
9306
+ "NO_DEFAULT_PATH",
9240
9307
  ].includes(v) &&
9241
9308
  !v.includes("$") &&
9242
9309
  !v.includes("LIB") &&
9243
9310
  !v.startsWith("CMAKE_") &&
9244
- v.length
9311
+ v.length,
9245
9312
  );
9246
9313
  // find_package(Catch2)
9247
9314
  // find_package(GTest REQUIRED)
@@ -9338,7 +9405,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9338
9405
  name: eprop,
9339
9406
  value: Array.isArray(awrap[eprop])
9340
9407
  ? awrap[eprop].join(", ")
9341
- : awrap[eprop]
9408
+ : awrap[eprop],
9342
9409
  });
9343
9410
  }
9344
9411
  // Our confidence has improved from 0 since there is a matching wrap so we know the correct name
@@ -9350,7 +9417,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9350
9417
  if (versionSpecifiersMap[n]) {
9351
9418
  props.push({
9352
9419
  name: "cdx:build:versionSpecifiers",
9353
- value: versionSpecifiersMap[n]
9420
+ value: versionSpecifiersMap[n],
9354
9421
  });
9355
9422
  }
9356
9423
  const apkg = {
@@ -9363,7 +9430,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9363
9430
  n,
9364
9431
  versionsMap[n] || "",
9365
9432
  null,
9366
- path
9433
+ path,
9367
9434
  ).toString(),
9368
9435
  evidence: {
9369
9436
  identity: {
@@ -9373,12 +9440,12 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9373
9440
  {
9374
9441
  technique: "source-code-analysis",
9375
9442
  confidence: 0.5,
9376
- value: `Filename ${cmakeListFile}`
9377
- }
9378
- ]
9379
- }
9443
+ value: `Filename ${cmakeListFile}`,
9444
+ },
9445
+ ],
9446
+ },
9380
9447
  },
9381
- properties: props
9448
+ properties: props,
9382
9449
  };
9383
9450
  apkg["bom-ref"] = decodeURIComponent(apkg["purl"]);
9384
9451
  pkgList.push(apkg);
@@ -9388,7 +9455,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
9388
9455
  });
9389
9456
  return {
9390
9457
  parentComponent,
9391
- pkgList
9458
+ pkgList,
9392
9459
  };
9393
9460
  }
9394
9461
 
@@ -9411,10 +9478,10 @@ export function getOSPackageForFile(afile, osPkgsList) {
9411
9478
  {
9412
9479
  technique: "filename",
9413
9480
  confidence: 0.8,
9414
- value: `PkgProvides ${afile}`
9415
- }
9416
- ]
9417
- }
9481
+ value: `PkgProvides ${afile}`,
9482
+ },
9483
+ ],
9484
+ },
9418
9485
  };
9419
9486
  return ospkg;
9420
9487
  }
@@ -9447,7 +9514,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9447
9514
  // users can use this file to give us a clue even if they do not use vcpkg library manager
9448
9515
  if (existsSync(join(src, "vcpkg.json"))) {
9449
9516
  const vcPkgData = JSON.parse(
9450
- readFileSync(join(src, "vcpkg.json"), { encoding: "utf-8" })
9517
+ readFileSync(join(src, "vcpkg.json"), { encoding: "utf-8" }),
9451
9518
  );
9452
9519
  if (vcPkgData && Object.keys(vcPkgData).length && vcPkgData.name) {
9453
9520
  const parentPurl = new PackageURL(
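Review bot: `JSON.parse(readFileSync(join(src, "vcpkg.json"), …))` at 9516-9518 is fed a file from the project under scan and has no error handling, so a malformed or truncated vcpkg.json throws a SyntaxError out of getCppModules and aborts the whole SBOM run instead of falling through to the generic parent component built further down. Wrap the parse, log under DEBUG_MODE and continue with an empty object; the existing `vcPkgData && Object.keys(vcPkgData).length && vcPkgData.name` guard then takes care of the rest. Note also that `vcPkgData.name` is only checked for truthiness before going into PackageURL; a non-string value would presumably surface as a confusing error from the purl builder, so a `typeof vcPkgData.name === "string"` check would be cheap insurance. getCppModules starts and ends outside this hunk.
```javascript
if (existsSync(join(src, "vcpkg.json"))) {
  let vcPkgData = {};
  try {
    vcPkgData = JSON.parse(
      readFileSync(join(src, "vcpkg.json"), { encoding: "utf-8" }),
    );
  } catch (err) {
    // A broken manifest in the scanned project must not abort the scan.
    if (DEBUG_MODE) {
      console.log("Unable to parse vcpkg.json", err.message);
    }
  }
  // … unchanged: parent component built from vcPkgData …
```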
@@ -9456,7 +9523,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9456
9523
  vcPkgData.name,
9457
9524
  vcPkgData.version || "",
9458
9525
  null,
9459
- null
9526
+ null,
9460
9527
  ).toString();
9461
9528
  parentComponent = {
9462
9529
  name: vcPkgData.name,
@@ -9465,7 +9532,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9465
9532
  license: vcPkgData.license,
9466
9533
  purl: parentPurl,
9467
9534
  type: "application",
9468
- "bom-ref": decodeURIComponent(parentPurl)
9535
+ "bom-ref": decodeURIComponent(parentPurl),
9469
9536
  };
9470
9537
  if (vcPkgData.homepage) {
9471
9538
  parentComponent.homepage = { url: vcPkgData.homepage };
@@ -9496,7 +9563,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9496
9563
  avcpkgName,
9497
9564
  "",
9498
9565
  null,
9499
- null
9566
+ null,
9500
9567
  ).toString();
9501
9568
  const apkg = {
9502
9569
  group: "",
@@ -9514,11 +9581,11 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9514
9581
  {
9515
9582
  technique: "source-code-analysis",
9516
9583
  confidence: 0.5,
9517
- value: `Filename ${join(src, "vcpkg.json")}`
9518
- }
9519
- ]
9520
- }
9521
- }
9584
+ value: `Filename ${join(src, "vcpkg.json")}`,
9585
+ },
9586
+ ],
9587
+ },
9588
+ },
9522
9589
  };
9523
9590
  if (!pkgAddedMap[avcpkgName]) {
9524
9591
  pkgList.push(apkg);
@@ -9539,7 +9606,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9539
9606
  group: options.projectGroup || "",
9540
9607
  name: options.projectName || "",
9541
9608
  version: "" + options.projectVersion || "latest",
9542
- type: "application"
9609
+ type: "application",
9543
9610
  };
9544
9611
  const parentPurl = new PackageURL(
9545
9612
  pkgType,
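Review bot: `version: "" + options.projectVersion || "latest"` at 9608 never falls back to "latest": `+` binds tighter than `||`, so an undefined projectVersion becomes the string `"undefined"`, which is truthy and is then baked into the parent purl and bom-ref built immediately below. Change it to `version: String(options.projectVersion ?? "") || "latest",` which keeps the string coercion for real values and yields "latest" for a missing or empty version. Because the parent bom-ref is what the dependency refs point at, the bogus value propagates through the whole dependencies list. getCppModules starts and ends outside this hunk.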
@@ -9547,14 +9614,14 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9547
9614
  parentComponent.name,
9548
9615
  parentComponent.version,
9549
9616
  null,
9550
- null
9617
+ null,
9551
9618
  ).toString();
9552
9619
  parentComponent.purl = parentPurl;
9553
9620
  parentComponent["bom-ref"] = decodeURIComponent(parentPurl);
9554
9621
  }
9555
9622
  if (options.usagesSlicesFile && existsSync(options.usagesSlicesFile)) {
9556
9623
  sliceData = JSON.parse(
9557
- readFileSync(options.usagesSlicesFile, { encoding: "utf-8" })
9624
+ readFileSync(options.usagesSlicesFile, { encoding: "utf-8" }),
9558
9625
  );
9559
9626
  if (DEBUG_MODE) {
9560
9627
  console.log("Re-using existing slices file", options.usagesSlicesFile);
@@ -9564,7 +9631,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9564
9631
  src,
9565
9632
  options.deep ? "c" : "h",
9566
9633
  "usages",
9567
- options.usagesSlicesFile
9634
+ options.usagesSlicesFile,
9568
9635
  );
9569
9636
  }
9570
9637
  const usageData = parseCUsageSlice(sliceData);
@@ -9593,7 +9660,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9593
9660
  name,
9594
9661
  group,
9595
9662
  version: "",
9596
- type: pkgType
9663
+ type: pkgType,
9597
9664
  };
9598
9665
  // If this is a relative file, there is a good chance we can reuse the project group
9599
9666
  if (!afile.startsWith(_sep) && !group.length) {
@@ -9606,7 +9673,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9606
9673
  name,
9607
9674
  version,
9608
9675
  null,
9609
- afile
9676
+ afile,
9610
9677
  ).toString();
9611
9678
  apkg.evidence = {
9612
9679
  identity: {
@@ -9616,10 +9683,10 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9616
9683
  {
9617
9684
  technique: "source-code-analysis",
9618
9685
  confidence: 0,
9619
- value: `Filename ${afile}`
9620
- }
9621
- ]
9622
- }
9686
+ value: `Filename ${afile}`,
9687
+ },
9688
+ ],
9689
+ },
9623
9690
  };
9624
9691
  apkg["bom-ref"] = decodeURIComponent(apkg["purl"]);
9625
9692
  }
@@ -9631,12 +9698,12 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9631
9698
  !v.startsWith("__") &&
9632
9699
  v !== "main" &&
9633
9700
  !v.includes("anonymous_") &&
9634
- !v.includes(afile)
9701
+ !v.includes(afile),
9635
9702
  )
9636
9703
  .sort();
9637
9704
  if (!apkg["properties"] && usymbols.length) {
9638
9705
  apkg["properties"] = [
9639
- { name: "ImportedSymbols", value: usymbols.join(", ") }
9706
+ { name: "ImportedSymbols", value: usymbols.join(", ") },
9640
9707
  ];
9641
9708
  } else {
9642
9709
  apkg["properties"] = [];
@@ -9655,7 +9722,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9655
9722
  if (!symbolsPropertyFound && usymbols.length) {
9656
9723
  apkg["properties"].push({
9657
9724
  name: "ImportedSymbols",
9658
- value: usymbols.join(", ")
9725
+ value: usymbols.join(", "),
9659
9726
  });
9660
9727
  }
9661
9728
  apkg["properties"] = newProps;
@@ -9674,14 +9741,14 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
9674
9741
  ? [
9675
9742
  {
9676
9743
  ref: parentComponent["bom-ref"],
9677
- dependsOn
9678
- }
9744
+ dependsOn,
9745
+ },
9679
9746
  ]
9680
9747
  : [];
9681
9748
  return {
9682
9749
  parentComponent,
9683
9750
  pkgList: pkgList.sort((a, b) => a.purl.localeCompare(b.purl)),
9684
- dependenciesList
9751
+ dependenciesList,
9685
9752
  };
9686
9753
  }
9687
9754
 
@@ -9743,7 +9810,7 @@ export function parseCUsageSlice(sliceData) {
9743
9810
  async function getNugetUrl() {
9744
9811
  const req = "https://api.nuget.org/v3/index.json";
9745
9812
  const res = await cdxgenAgent.get(req, {
9746
- responseType: "json"
9813
+ responseType: "json",
9747
9814
  });
9748
9815
  const urls = res.body.resources;
9749
9816
  for (const resource of urls) {
@@ -9801,7 +9868,7 @@ async function queryNuget(p, NUGET_URL) {
9801
9868
  const newBody = [];
9802
9869
  let res = await cdxgenAgent.get(
9803
9870
  NUGET_URL + np.name.toLowerCase() + "/index.json",
9804
- { responseType: "json" }
9871
+ { responseType: "json" },
9805
9872
  );
9806
9873
  const items = res.body.items;
9807
9874
  if (!items || !items[0]) {
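Review bot: The registration URL at 9870 is built by concatenation, `NUGET_URL + np.name.toLowerCase() + "/index.json"`, with a package id read from the scanned project's manifests; an id containing `/`, `?`, `#` or `..` changes the path or query of the request rather than being treated as a single segment. Since the file already imports `URL` from node:url, build it as `new URL(`${encodeURIComponent(np.name.toLowerCase())}/index.json`, NUGET_URL).href` (this assumes NUGET_URL ends with a slash, which the current concatenation already relies on). The `!items || !items[0]` check below is good; a `res.body` that is not an object would still throw before reaching it, which is presumably acceptable for a registry response. queryNuget starts and ends outside this hunk.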
@@ -9890,8 +9957,8 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
9890
9957
  np.name,
9891
9958
  np.version,
9892
9959
  null,
9893
- null
9894
- ).toString()
9960
+ null,
9961
+ ).toString(),
9895
9962
  );
9896
9963
  depRepList[oldRef] = p["bom-ref"];
9897
9964
  p.version = np.version;
@@ -9932,7 +9999,7 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
9932
9999
  p.name +
9933
10000
  "/" +
9934
10001
  p.version +
9935
- "/"
10002
+ "/",
9936
10003
  };
9937
10004
  if (
9938
10005
  (!p.license || typeof p.license === "string") &&
@@ -9978,7 +10045,7 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
9978
10045
  }
9979
10046
  return {
9980
10047
  pkgList: cdepList,
9981
- dependencies: newDependencies
10048
+ dependencies: newDependencies,
9982
10049
  };
9983
10050
  }
9984
10051
 
@@ -10044,7 +10111,7 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
10044
10111
  purlMethodsMap[modPurl] = new Set();
10045
10112
  }
10046
10113
  purlLocationMap[modPurl].add(
10047
- `${amethodCall.Path}#${amethodCall.LineNumber}`
10114
+ `${amethodCall.Path}#${amethodCall.LineNumber}`,
10048
10115
  );
10049
10116
  purlModulesMap[modPurl].add(amethodCall.ClassName);
10050
10117
  purlMethodsMap[modPurl].add(amethodCall.CalledMethod);
@@ -10056,25 +10123,25 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
10056
10123
  for (const apkg of pkgList) {
10057
10124
  if (purlLocationMap[apkg.purl]) {
10058
10125
  const locationOccurrences = Array.from(
10059
- purlLocationMap[apkg.purl]
10126
+ purlLocationMap[apkg.purl],
10060
10127
  ).sort();
10061
10128
  // Add the occurrences evidence
10062
10129
  apkg.evidence.occurrences = locationOccurrences.map((l) => ({
10063
- location: l
10130
+ location: l,
10064
10131
  }));
10065
10132
  }
10066
10133
  // Add the imported modules to properties
10067
10134
  if (purlModulesMap[apkg.purl]) {
10068
10135
  apkg.properties.push({
10069
10136
  name: "ImportedModules",
10070
- value: Array.from(purlModulesMap[apkg.purl]).sort().join(", ")
10137
+ value: Array.from(purlModulesMap[apkg.purl]).sort().join(", "),
10071
10138
  });
10072
10139
  }
10073
10140
  // Add the called methods to properties
10074
10141
  if (purlMethodsMap[apkg.purl]) {
10075
10142
  apkg.properties.push({
10076
10143
  name: "CalledMethods",
10077
- value: Array.from(purlMethodsMap[apkg.purl]).sort().join(", ")
10144
+ value: Array.from(purlMethodsMap[apkg.purl]).sort().join(", "),
10078
10145
  });
10079
10146
  }
10080
10147
  }
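Review bot: `apkg.evidence.occurrences = …` at 10129 and the two `apkg.properties.push(…)` calls at 10135 and 10142 assume every package already carries an `evidence` object and a `properties` array; a component without them throws a TypeError and aborts the enrichment, whereas addEvidenceForImports in the same file defends with `pkg.properties = pkg.properties || []` before pushing. Add the same guards here: `apkg.evidence = apkg.evidence || {};` before 10129 and `apkg.properties = apkg.properties || [];` before the first push. The three lookup tables are plain objects keyed by purl strings taken from the slices file; a `Map` (or `Object.create(null)`) would keep a key such as `constructor` from resolving to an Object.prototype member instead of a Set. Whether every caller populates evidence and properties is not visible from here; addEvidenceForDotnet starts and ends outside this hunk.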