@cyclonedx/cdxgen 10.4.2 → 10.5.0

package/README.md

@@ -1,5 +1,7 @@
 [![JSR](https://img.shields.io/jsr/v/%40cyclonedx/cdxgen)](https://jsr.io/@cyclonedx/cdxgen) [![NPM](https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen)](https://www.npmjs.com/package/@cyclonedx/cdxgen) [![GitHub Releases](https://img.shields.io/github/v/release/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/releases) [![NPM Downloads](https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen)](<(https://www.npmjs.com/package/@cyclonedx/cdxgen)>) [![GitHub License](https://img.shields.io/github/license/cyclonedx/cdxgen)](./LICENSE.md) [![GitHub Contributors](https://img.shields.io/github/contributors/cyclonedx/cdxgen)](https://github.com/CycloneDX/cdxgen/graphs/contributors)
 
+[![SWH](https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/)](https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen)
+
 # CycloneDX Generator
 
 ![cdxgen logo](cdxgen.png)
@@ -9,7 +11,7 @@ cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a val
 When used with plugins:
 
 - cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems
-- cdxgen also includes an evinse tool to generate component evidence, CBOM and SaaSBOM for some languages
+- cdxgen also includes an evinse tool to generate component evidence, CBOM, and SaaSBOM for some languages
 
 ## Why cdxgen?
 
@@ -80,7 +82,7 @@ For node.js projects, lock files are parsed initially, so the SBOM would include
 
 This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
 
-By passing the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+With the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
 
 For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 
@@ -98,18 +100,18 @@ If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](ht
 $ brew install cdxgen
 ```
 
-Deno install is also supported.
+Deno and bun runtime can be used with limited support.
 
 ```shell
 deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
 ```
 
-You can also use the cdxgen container image
+You can also use the cdxgen container image with node, deno, or bun runtime versions.
+
+The default version uses Node.js 20
 
 ```bash
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
-
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:v8.6.0 -r /app -o /app/bom.json
 ```
 
 To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
@@ -118,7 +120,13 @@ To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
 ```
 
-In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as library](#integration-as-library)
+For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.
+
+```bash
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
+```
+
+In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
 import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
@@ -195,6 +203,13 @@ Options:
                                                       [boolean] [default: false]
       --include-crypto         Include crypto libraries found under formulation.
                                                       [boolean] [default: false]
+      --standard               The list of standards which may consist of regula
+                               tions, industry or organizational-specific standa
+                               rds, maturity models, best practices, or any othe
+                               r requirements which can be evaluated against or
+                               attested to.
+  [array] [choices: "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "
+                     pcissc-secure-slc-1.1", "scvs-1.0.0", "ssaf-DRAFT-2023-11"]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]

package/analyzer.js

@@ -26,7 +26,7 @@ const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
       "codemods",
       "flow-typed",
       "i18n",
-      "__tests__",
+      "coverage",
     ];
 
 const IGNORE_FILE_PATTERN = new RegExp(
@@ -54,6 +54,7 @@ const getAllFiles = (deep, dir, extn, files, result, regex) => {
       const dirName = basename(file);
       if (
         dirName.startsWith(".") ||
+        dirName.startsWith("__") ||
         IGNORE_DIRS.includes(dirName.toLowerCase())
       ) {
         continue;

package/bin/cdxgen.js

@@ -244,11 +244,25 @@ const args = yargs(hideBin(process.argv))
     default: false,
     description: "Include crypto libraries found under formulation.",
   })
+  .option("standard", {
+    description:
+      "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+    choices: [
+      "asvs-4.0.3",
+      "bsimm-v13",
+      "masvs-2.0.0",
+      "nist_ssdf-1.1",
+      "pcissc-secure-slc-1.1",
+      "scvs-1.0.0",
+      "ssaf-DRAFT-2023-11",
+    ],
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
   .array("author")
   .array("exclude")
+  .array("standard")
   .option("auto-compositions", {
     type: "boolean",
     default: true,
@@ -318,7 +332,9 @@ if (process.argv[1].includes("cbom")) {
   options.specVersion = 1.6;
   options.deep = true;
 }
-
+if (options.standard) {
+  options.specVersion = 1.6;
+}
 /**
  * Method to apply advanced options such as profile and lifecycles
  *
@@ -371,10 +387,13 @@ const applyAdvancedOptions = (options) => {
           "aab",
           "go",
           "golang",
+          "rust",
+          "rust-lang",
+          "cargo",
         ].includes(options.projectType)
       ) {
         console.log(
-          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, and go projects. Please specify the type using the -t argument.",
+          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, go, and Rust projects. Please specify the type using the -t argument.",
         );
         process.exit(1);
       }
@@ -439,7 +458,12 @@ const checkPermissions = (filePath) => {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
   let bomNSData = (await createBom(filePath, options)) || {};
-  if (options.requiredOnly || options["filter"] || options["only"]) {
+  if (
+    options.requiredOnly ||
+    options["filter"] ||
+    options["only"] ||
+    options.standard
+  ) {
     bomNSData = postProcess(bomNSData, options);
   }
   if (
@@ -663,5 +687,11 @@ const checkPermissions = (filePath) => {
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
     printDependencyTree(bomNSData.bomJson);
     printTable(bomNSData.bomJson);
+    // CBOM related print
+    if (options.includeCrypto) {
+      console.log("*** Cryptography BOM ***");
+      printTable(bomNSData.bomJson, ["cryptographic-asset"]);
+      printDependencyTree(bomNSData.bomJson, "provides");
+    }
   }
 })();

package/bin/repl.js

@@ -244,6 +244,32 @@ cdxgenRepl.defineCommand("print", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("cryptos", {
+  help: "print the components of type cryptographic-asset as a table",
+  action() {
+    if (sbom) {
+      printTable(sbom, ["cryptographic-asset"]);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("frameworks", {
+  help: "print the components of type framework as a table",
+  action() {
+    if (sbom) {
+      printTable(sbom, ["framework"]);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("tree", {
   help: "display the dependency tree",
   action() {
@@ -257,6 +283,19 @@ cdxgenRepl.defineCommand("tree", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("provides", {
+  help: "display the provides tree",
+  action() {
+    if (sbom) {
+      printDependencyTree(sbom, "provides");
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("validate", {
   help: "validate the bom using jsonschema",
   action() {

package/binary.js

@@ -71,7 +71,7 @@ let CDXGEN_PLUGINS_DIR = process.env.CDXGEN_PLUGINS_DIR;
 if (
   !CDXGEN_PLUGINS_DIR &&
   existsSync(join(dirName, "plugins")) &&
-  existsSync(join(dirName, "plugins", "goversion"))
+  existsSync(join(dirName, "plugins", "trivy"))
 ) {
   CDXGEN_PLUGINS_DIR = join(dirName, "plugins");
 }
@@ -94,7 +94,7 @@ if (
       "@cyclonedx",
       `cdxgen-plugins-bin${pluginsBinSuffix}`,
       "plugins",
-      "goversion",
+      "trivy",
     ),
   )
 ) {
@@ -245,6 +245,8 @@ const OS_DISTRO_ALIAS = {
   "ubuntu-20.10": "groovy",
   "ubuntu-22.04": "jammy",
   "ubuntu-23.04": "lunar",
+  "ubuntu-23.10": "mantic",
+  "ubuntu-24.04": "noble",
   "debian-14": "forky",
   "debian-14.5": "forky",
   "debian-13": "trixie",

package/data/crypto-oid.json

@@ -1946,5 +1946,37 @@
   "sm2sign_with_": {
     "oid": "1.2.156.10197.1.501",
     "description": "Chinese Cryptography Standardization Technology Committee (CCSTC)"
+  },
+  "PBKDF2": {
+    "oid": "1.2.840.113549.1.5.12",
+    "description": "PBKDF2 key derivation algorithm"
+  },
+  "pbeWithMD2AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.1",
+    "description": "Password Based Encryption Algorithm"
+  },
+  "pbeWithMD5AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.3",
+    "description": "Password Based Encryption Algorithm"
+  },
+  "pbeWithMD2AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.4",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)"
+  },
+  "pbeWithMD5AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.6",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)"
+  },
+  "pbeWithMD5AndXOR": {
+    "oid": "1.2.840.113549.1.5.9",
+    "description": "Password Based Encryption Algorithm. Uses XOR. Uses MD5 to hash a password & salt to get Key and IV."
+  },
+  "pbeWithSHA1AndDES-CBC": {
+    "oid": "1.2.840.113549.1.5.10",
+    "description": "Password Based Encryption Algorithm. Uses Data Encryption Standard in Cipher Block Chaining Mode (DES-CBC)"
+  },
+  "pbeWithSHA1AndRC2-CBC": {
+    "oid": "1.2.840.113549.1.5.11",
+    "description": "Password Based Encryption Algorithm. Uses RC2 in Cipher Block Chaining Mode (RC2-CBC)."
   }
 }

package/data/lic-mapping.json

@@ -174,7 +174,8 @@
       "GNU Lesser General Public License",
       "GNU Lesser General Public License Version 2.1",
       "GNU Lesser General Public License Version 2.1, February 1999",
-      "GNU Library or Lesser General Public License (LGPL) V2.1"
+      "GNU Library or Lesser General Public License (LGPL) V2.1",
+      "GNU Library or Lesser General Public License (LGPL)"
     ]
   },
   {
@@ -192,6 +193,7 @@
       "LGPL v3.0",
       "LGPL-3.0",
       "LGPL3.0",
+      "LGPL 3",
       "GNU Lesser General Public License (LGPL), version 3",
       "GNU Lesser General Public License (LGPL), version 3.0",
       "GNU Lesser General Public License v3.0",
@@ -203,9 +205,15 @@
     "names": [
       "GNU Lesser General Public License (LGPL), version 3 or later",
       "GNU Lesser General Public License (LGPL), version 3.0 or later",
-      "GNU Lesser General Public License v3.0 or later"
+      "GNU Lesser General Public License v3.0 or later",
+      "GNU Lesser General Public License v3 or later (LGPLv3+)",
+      "LGPLv3+"
     ]
   },
+  {
+    "exp": "GPL-1.0-only",
+    "names": ["GNU General Public License (GPL)"]
+  },
   {
     "exp": "GPL-2.0-only",
     "names": [
@@ -217,7 +225,8 @@
       "GNU General Public License v2.0",
       "GNU General Public License Version 2",
       "GNU General Public License, version 2",
-      "GNU General Public License as published by the Free Software Foundation; version 2."
+      "GNU General Public License as published by the Free Software Foundation; version 2.",
+      "GNU General Public License v2 (GPLv2)"
     ]
   },
   {
@@ -251,7 +260,8 @@
       "GNU General Public License v3.0",
       "GNU General Public License as published by the Free Software Foundation, version 3.",
       "GPL-3",
-      "GPL-3.0"
+      "GPL-3.0",
+      "GNU GPL 3"
     ]
   },
   {

package/data/templates/README.md

@@ -0,0 +1,3 @@
+Content copied from https://github.com/CycloneDX/official-3rd-party-standards available under CC0-1.0
+
+Individual templates use a range of licenses. Refer to the `metadata.licenses` attribute.