@cyclonedx/cdxgen 10.4.1 → 10.4.3

package/README.md

@@ -80,7 +80,7 @@ For node.js projects, lock files are parsed initially, so the SBOM would include
 
 This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
 
-By passing the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+With the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
 
 For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 
@@ -98,18 +98,18 @@ If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](ht
 $ brew install cdxgen
 ```
 
-Deno install is also supported.
+Deno and bun runtime can be used with limited support.
 
 ```shell
 deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
 ```
 
-You can also use the cdxgen container image
+You can also use the cdxgen container image with node, deno, or bun runtime versions.
+
+The default version uses Node.js 20
 
 ```bash
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
-
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:v8.6.0 -r /app -o /app/bom.json
 ```
 
 To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
@@ -118,6 +118,12 @@ To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
 ```
 
+For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.
+
+```bash
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
+```
+
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as library](#integration-as-library)
 
 ```ts

package/analyzer.js

@@ -26,7 +26,6 @@ const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
       "codemods",
       "flow-typed",
       "i18n",
-      "__tests__",
     ];
 
 const IGNORE_FILE_PATTERN = new RegExp(
@@ -54,6 +53,7 @@ const getAllFiles = (deep, dir, extn, files, result, regex) => {
       const dirName = basename(file);
       if (
         dirName.startsWith(".") ||
+        dirName.startsWith("__") ||
         IGNORE_DIRS.includes(dirName.toLowerCase())
       ) {
         continue;
@@ -141,8 +141,8 @@ const setFileRef = (
     exportedModules,
     isExternal: true,
     fileName: fileRelativeLoc,
-    lineNumber: sourceLoc && sourceLoc.line ? sourceLoc.line : undefined,
-    columnNumber: sourceLoc && sourceLoc.column ? sourceLoc.column : undefined,
+    lineNumber: sourceLoc?.line ? sourceLoc.line : undefined,
+    columnNumber: sourceLoc?.column ? sourceLoc.column : undefined,
   };
   // replace relative imports with full path
   let moduleFullPath = pathway;
@@ -167,7 +167,7 @@ const setFileRef = (
     allImports[modPkg] = allImports[modPkg] || new Set();
     allImports[modPkg].add(occurrence);
   }
-  if (exportedModules && exportedModules.length) {
+  if (exportedModules?.length) {
     moduleFullPath = moduleFullPath
       .replace("node_modules/", "")
       .replace("dist/", "")
@@ -192,7 +192,7 @@ const fileToParseableCode = (file) => {
       .replace(vueCommentRegex, (match) => match.replaceAll(/\S/g, " "))
       .replace(
         vueCleaningRegex,
-        (match) => match.replaceAll(/\S/g, " ").substring(1) + ";",
+        (match) => `${match.replaceAll(/\S/g, " ").substring(1)};`,
       )
       .replace(
         vueBindRegex,
@@ -201,7 +201,7 @@ const fileToParseableCode = (file) => {
       )
       .replace(
         vuePropRegex,
-        (match, grA, grB) => " " + grA.replace(/[.:@]/g, " ") + grB,
+        (match, grA, grB) => ` ${grA.replace(/[.:@]/g, " ")}${grB}`,
       )
       .replace(
         vueTemplateRegex,
@@ -220,7 +220,7 @@ const parseFileASTTree = (src, file, allImports, allExports) => {
   const ast = parse(fileToParseableCode(file), babelParserOptions);
   traverse.default(ast, {
     ImportDeclaration: (path) => {
-      if (path && path.node) {
+      if (path?.node) {
         setFileRef(
           allImports,
           allExports,
@@ -234,8 +234,7 @@ const parseFileASTTree = (src, file, allImports, allExports) => {
     // For require('') statements
     Identifier: (path) => {
       if (
-        path &&
-        path.node &&
+        path?.node &&
         path.node.name === "require" &&
         path.parent.type === "CallExpression"
       ) {
@@ -244,7 +243,7 @@ const parseFileASTTree = (src, file, allImports, allExports) => {
     },
     // Use for dynamic imports like routes.jsx
     CallExpression: (path) => {
-      if (path && path.node && path.node.callee.type === "Import") {
+      if (path?.node && path.node.callee.type === "Import") {
         setFileRef(allImports, allExports, src, file, path.node.arguments[0]);
       }
     },
@@ -254,7 +253,7 @@ const parseFileASTTree = (src, file, allImports, allExports) => {
     },
     ExportNamedDeclaration: (path) => {
       // ensure there is a path export
-      if (path && path.node && path.node.source) {
+      if (path?.node?.source) {
         setFileRef(
           allImports,
           allExports,

package/bin/cdxgen.js

@@ -371,10 +371,13 @@ const applyAdvancedOptions = (options) => {
           "aab",
           "go",
           "golang",
+          "rust",
+          "rust-lang",
+          "cargo",
         ].includes(options.projectType)
       ) {
         console.log(
-          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, and go projects. Please specify the type using the -t argument.",
+          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, go, and Rust projects. Please specify the type using the -t argument.",
         );
         process.exit(1);
       }
@@ -591,7 +594,7 @@ const checkPermissions = (filePath) => {
     }
     // bom ns mapping
     if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
-      const nsFile = jsonFile + ".map";
+      const nsFile = `${jsonFile}.map`;
       fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
     }
   } else if (!options.print) {
@@ -646,6 +649,7 @@ const checkPermissions = (filePath) => {
     }
   }
   // Automatically submit the bom data
+  // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
     try {
       const dbody = await submitBom(options, bomNSData.bomJson);

package/bin/repl.js

@@ -58,7 +58,7 @@ if (!process.env.CDXGEN_REPL_HISTORY && !fs.existsSync(historyConfigDir)) {
 }
 
 export const importSbom = (sbomOrPath) => {
-  if (sbomOrPath && sbomOrPath.endsWith(".json") && fs.existsSync(sbomOrPath)) {
+  if (sbomOrPath?.endsWith(".json") && fs.existsSync(sbomOrPath)) {
     try {
       sbom = JSON.parse(fs.readFileSync(sbomOrPath, "utf-8"));
       console.log(`✅ SBOM imported successfully from ${sbomOrPath}`);
@@ -298,12 +298,12 @@ cdxgenRepl.defineCommand("update", {
         return;
       }
       if (!updateSpec.startsWith("|")) {
-        updateSpec = "|" + updateSpec;
+        updateSpec = `|${updateSpec}`;
       }
       if (!updateSpec.endsWith("|")) {
-        updateSpec = updateSpec + "|";
+        updateSpec = `${updateSpec}|`;
       }
-      updateSpec = "$ ~> " + updateSpec;
+      updateSpec = `$ ~> ${updateSpec}`;
       const expression = jsonata(updateSpec);
       const newSbom = await expression.evaluate(sbom);
       if (newSbom && newSbom.components.length <= sbom.components.length) {

package/bin/verify.js

@@ -61,10 +61,9 @@ for (const comp of bomJson.components) {
 if (hasInvalidComp) {
   process.exit(1);
 }
-const bomSignature =
-  bomJson.signature && bomJson.signature.value
-    ? bomJson.signature.value
-    : undefined;
+const bomSignature = bomJson.signature?.value
+  ? bomJson.signature.value
+  : undefined;
 if (!bomSignature) {
   console.log("No signature was found!");
 } else {

package/binary.js

@@ -71,7 +71,7 @@ let CDXGEN_PLUGINS_DIR = process.env.CDXGEN_PLUGINS_DIR;
 if (
   !CDXGEN_PLUGINS_DIR &&
   existsSync(join(dirName, "plugins")) &&
-  existsSync(join(dirName, "plugins", "goversion"))
+  existsSync(join(dirName, "plugins", "trivy"))
 ) {
   CDXGEN_PLUGINS_DIR = join(dirName, "plugins");
 }
@@ -83,7 +83,7 @@ if (
       dirName,
       "node_modules",
       "@cyclonedx",
-      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      `cdxgen-plugins-bin${pluginsBinSuffix}`,
       "plugins",
     ),
   ) &&
@@ -92,9 +92,9 @@ if (
       dirName,
       "node_modules",
       "@cyclonedx",
-      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      `cdxgen-plugins-bin${pluginsBinSuffix}`,
       "plugins",
-      "goversion",
+      "trivy",
     ),
   )
 ) {
@@ -102,7 +102,7 @@ if (
     dirName,
     "node_modules",
     "@cyclonedx",
-    "cdxgen-plugins-bin" + pluginsBinSuffix,
+    `cdxgen-plugins-bin${pluginsBinSuffix}`,
     "plugins",
   );
 }
@@ -120,7 +120,7 @@ if (!CDXGEN_PLUGINS_DIR) {
     if (result) {
       const stdout = result.stdout;
       if (stdout) {
-        globalNodePath = Buffer.from(stdout).toString().trim() + "/";
+        globalNodePath = `${Buffer.from(stdout).toString().trim()}/`;
       }
     }
   }
@@ -128,7 +128,7 @@ if (!CDXGEN_PLUGINS_DIR) {
     const globalPlugins = join(
       globalNodePath,
       "@cyclonedx",
-      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      `cdxgen-plugins-bin${pluginsBinSuffix}`,
       "plugins",
     );
     if (existsSync(globalPlugins)) {
@@ -153,7 +153,7 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "goversion"))) {
   GOVERSION_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "goversion",
-    "goversion-" + platform + "-" + arch + extn,
+    `goversion-${platform}-${arch}${extn}`,
   );
 }
 let TRIVY_BIN = null;
@@ -161,7 +161,7 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "trivy"))) {
   TRIVY_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "trivy",
-    "trivy-cdxgen-" + platform + "-" + arch + extn,
+    `trivy-cdxgen-${platform}-${arch}${extn}`,
   );
 } else if (process.env.TRIVY_CMD) {
   TRIVY_BIN = process.env.TRIVY_CMD;
@@ -171,7 +171,7 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "cargo-auditable"))) {
   CARGO_AUDITABLE_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "cargo-auditable",
-    "cargo-auditable-cdxgen-" + platform + "-" + arch + extn,
+    `cargo-auditable-cdxgen-${platform}-${arch}${extn}`,
   );
 } else if (process.env.CARGO_AUDITABLE_CMD) {
   CARGO_AUDITABLE_BIN = process.env.CARGO_AUDITABLE_CMD;
@@ -181,7 +181,7 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "osquery"))) {
   OSQUERY_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "osquery",
-    "osqueryi-" + platform + "-" + arch + extn,
+    `osqueryi-${platform}-${arch}${extn}`,
   );
   // osqueryi-darwin-amd64.app/Contents/MacOS/osqueryd
   if (platform === "darwin") {
@@ -199,7 +199,7 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "dosai"))) {
   DOSAI_BIN = join(
     CDXGEN_PLUGINS_DIR,
     "dosai",
-    "dosai-" + platformToUse + "-" + arch + extn,
+    `dosai-${platformToUse}-${arch}${extn}`,
   );
 } else if (process.env.DOSAI_CMD) {
   DOSAI_BIN = process.env.DOSAI_CMD;
@@ -389,7 +389,7 @@ export function getOSPackages(src) {
         // ignore errors
       }
       // Clean up
-      if (tempDir && tempDir.startsWith(tmpdir())) {
+      if (tempDir?.startsWith(tmpdir())) {
         if (DEBUG_MODE) {
           console.log(`Cleaning up ${tempDir}`);
         }
@@ -451,13 +451,13 @@ export function getOSPackages(src) {
           break;
       }
       if (osReleaseData["VERSION_ID"]) {
-        distro_id = distro_id + "-" + osReleaseData["VERSION_ID"];
+        distro_id = `${distro_id}-${osReleaseData["VERSION_ID"]}`;
       }
       const tmpDependencies = {};
       (tmpBom.dependencies || []).forEach((d) => {
         tmpDependencies[d.ref] = d.dependsOn;
       });
-      if (tmpBom && tmpBom.components) {
+      if (tmpBom?.components) {
         for (const comp of tmpBom.components) {
           if (comp.purl) {
             // Retain go components alone from trivy
@@ -497,10 +497,10 @@ export function getOSPackages(src) {
                   purlObj.namespace = group;
                 }
                 purlObj.qualifiers = purlObj.qualifiers || {};
-                if (distro_id && distro_id.length) {
+                if (distro_id?.length) {
                   purlObj.qualifiers["distro"] = distro_id;
                 }
-                if (distro_codename && distro_codename.length) {
+                if (distro_codename?.length) {
                   purlObj.qualifiers["distro_name"] = distro_codename;
                 }
                 // Bug fix for mageia and oracle linux
@@ -509,7 +509,7 @@ export function getOSPackages(src) {
                   purlObj["type"] = purl_type;
                   purlObj["namespace"] = "";
                   comp.group = "";
-                  if (comp.purl && comp.purl.includes(".mga")) {
+                  if (comp.purl?.includes(".mga")) {
                     purlObj["namespace"] = "mageia";
                     comp.group = "mageia";
                     purlObj.qualifiers["distro"] = "mageia";
@@ -529,7 +529,7 @@ export function getOSPackages(src) {
                   allTypes.add(purlObj.type);
                 }
                 // Prefix distro codename for ubuntu
-                if (purlObj.qualifiers && purlObj.qualifiers.distro) {
+                if (purlObj.qualifiers?.distro) {
                   allTypes.add(purlObj.qualifiers.distro);
                   if (OS_DISTRO_ALIAS[purlObj.qualifiers.distro]) {
                     distro_codename =
@@ -537,7 +537,7 @@ export function getOSPackages(src) {
                   } else if (group === "alpine") {
                     const dtmpA = purlObj.qualifiers.distro.split(".");
                     if (dtmpA && dtmpA.length > 2) {
-                      distro_codename = dtmpA[0] + "." + dtmpA[1];
+                      distro_codename = `${dtmpA[0]}.${dtmpA[1]}`;
                     }
                   } else if (group === "photon") {
                     const dtmpA = purlObj.qualifiers.distro.split("-");
@@ -699,7 +699,7 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
 export function executeOsQuery(query) {
   if (OSQUERY_BIN) {
     if (!query.endsWith(";")) {
-      query = query + ";";
+      query = `${query};`;
     }
     const args = ["--json", query];
     // On darwin, we need to disable the safety check and run cdxgen with sudo

package/cbomutils.js

@@ -26,10 +26,10 @@ export function collectOSCryptoLibs(options) {
       results,
       false,
     );
-    if (dlist && dlist.length) {
+    if (dlist?.length) {
       osPkgsList = osPkgsList.concat(dlist);
       // Should we downgrade from cryptographic-asset to data for < 1.6 spec
-      if (options && options.specVersion && options.specVersion < 1.6) {
+      if (options?.specVersion && options.specVersion < 1.6) {
         for (const apkg of osPkgsList) {
           if (apkg.type === "cryptographic-asset") {
             apkg.type = "data";

package/display.js

@@ -17,8 +17,7 @@ export const printTable = (bomJson) => {
     return;
   }
   if (
-    bomJson.metadata &&
-    bomJson.metadata.component &&
+    bomJson.metadata?.component &&
     ["operating-system", "platform"].includes(bomJson.metadata.component.type)
   ) {
     return printOSTable(bomJson);
@@ -109,7 +108,7 @@ const locationComparator = (a, b) => {
     const tmpA = a.split("#");
     const tmpB = b.split("#");
     if (tmpA.length === 2 && tmpB.length === 2) {
-      if (tmpA[0] == tmpB[0]) {
+      if (tmpA[0] === tmpB[0]) {
         return tmpA[1] - tmpB[1];
       }
     }
@@ -162,7 +161,7 @@ export const printCallStack = (bomJson) => {
     const frames = Array.from(
       new Set(
         comp.evidence.callstack.frames.map(
-          (c) => `${c.fullFilename}${c.line ? "#" + c.line : ""}`,
+          (c) => `${c.fullFilename}${c.line ? `#${c.line}` : ""}`,
         ),
       ),
     ).sort(locationComparator);
@@ -199,7 +198,7 @@ export const printDependencyTree = (bomJson) => {
   }
   const depMap = {};
   for (const d of dependencies) {
-    if (d.dependsOn && d.dependsOn.length) {
+    if (d.dependsOn?.length) {
       depMap[d.ref] = d.dependsOn.sort();
     }
   }
@@ -261,7 +260,7 @@ const recursePrint = (depMap, subtree, level, shownList, treeGraphics) => {
       level > 0
     ) {
       treeGraphics.push(
-        `${levelPrefix(level, i == listToUse.length - 1)}${refStr}`,
+        `${levelPrefix(level, i === listToUse.length - 1)}${refStr}`,
       );
       shownList.push(refStr.toLowerCase());
       if (l && depMap[refStr]) {
@@ -299,7 +298,7 @@ export const printReachables = (sliceArtefacts) => {
   );
   const data = [["Package URL", "Reachable Flows"]];
   for (const apurl of Object.keys(sortedPurls)) {
-    data.push([apurl, "" + sortedPurls[apurl]]);
+    data.push([apurl, `${sortedPurls[apurl]}`]);
   }
   const config = {
     header: {