@cyclonedx/cdxgen 10.5.1 → 10.5.2

package/data/spdx.schema.json

@@ -1,15 +1,18 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "http://cyclonedx.org/schema/spdx.schema.json",
-  "$comment": "v1.0-3.21",
+  "$comment": "v1.0-3.24.0",
   "type": "string",
   "enum": [
     "0BSD",
+    "3D-Slicer-1.0",
     "AAL",
     "Abstyles",
     "AdaCore-doc",
     "Adobe-2006",
+    "Adobe-Display-PostScript",
     "Adobe-Glyph",
+    "Adobe-Utopia",
     "ADSL",
     "AFL-1.1",
     "AFL-1.2",
@@ -24,11 +27,14 @@
     "AGPL-3.0-only",
     "AGPL-3.0-or-later",
     "Aladdin",
+    "AMD-newlib",
     "AMDPLPA",
     "AML",
+    "AML-glslang",
     "AMPAS",
     "ANTLR-PD",
     "ANTLR-PD-fallback",
+    "any-OSI",
     "Apache-1.0",
     "Apache-1.1",
     "Apache-2.0",
@@ -49,6 +55,7 @@
     "Baekmuk",
     "Bahyph",
     "Barr",
+    "bcrypt-Solar-Designer",
     "Beerware",
     "Bitstream-Charter",
     "Bitstream-Vera",
@@ -58,16 +65,22 @@
     "BlueOak-1.0.0",
     "Boehm-GC",
     "Borceux",
+    "Brian-Gladman-2-Clause",
     "Brian-Gladman-3-Clause",
     "BSD-1-Clause",
     "BSD-2-Clause",
+    "BSD-2-Clause-Darwin",
+    "BSD-2-Clause-first-lines",
     "BSD-2-Clause-FreeBSD",
     "BSD-2-Clause-NetBSD",
     "BSD-2-Clause-Patent",
     "BSD-2-Clause-Views",
     "BSD-3-Clause",
+    "BSD-3-Clause-acpica",
     "BSD-3-Clause-Attribution",
     "BSD-3-Clause-Clear",
+    "BSD-3-Clause-flex",
+    "BSD-3-Clause-HP",
     "BSD-3-Clause-LBNL",
     "BSD-3-Clause-Modification",
     "BSD-3-Clause-No-Military-License",
@@ -75,6 +88,7 @@
     "BSD-3-Clause-No-Nuclear-License-2014",
     "BSD-3-Clause-No-Nuclear-Warranty",
     "BSD-3-Clause-Open-MPI",
+    "BSD-3-Clause-Sun",
     "BSD-4-Clause",
     "BSD-4-Clause-Shortened",
     "BSD-4-Clause-UC",
@@ -82,8 +96,12 @@
     "BSD-4.3TAHOE",
     "BSD-Advertising-Acknowledgement",
     "BSD-Attribution-HPND-disclaimer",
+    "BSD-Inferno-Nettverk",
     "BSD-Protection",
+    "BSD-Source-beginning-file",
     "BSD-Source-Code",
+    "BSD-Systemics",
+    "BSD-Systemics-W3Works",
     "BSL-1.0",
     "BUSL-1.1",
     "bzip2-1.0.5",
@@ -92,6 +110,8 @@
     "CAL-1.0",
     "CAL-1.0-Combined-Work-Exception",
     "Caldera",
+    "Caldera-no-preamble",
+    "Catharon",
     "CATOSL-1.1",
     "CC-BY-1.0",
     "CC-BY-2.0",
@@ -99,6 +119,7 @@
     "CC-BY-2.5-AU",
     "CC-BY-3.0",
     "CC-BY-3.0-AT",
+    "CC-BY-3.0-AU",
     "CC-BY-3.0-DE",
     "CC-BY-3.0-IGO",
     "CC-BY-3.0-NL",
@@ -163,10 +184,12 @@
     "CERN-OHL-S-2.0",
     "CERN-OHL-W-2.0",
     "CFITSIO",
+    "check-cvs",
     "checkmk",
     "ClArtistic",
     "Clips",
     "CMU-Mach",
+    "CMU-Mach-nodoc",
     "CNRI-Jython",
     "CNRI-Python",
     "CNRI-Python-GPL-Compatible",
@@ -179,17 +202,22 @@
     "CPAL-1.0",
     "CPL-1.0",
     "CPOL-1.02",
+    "Cronyx",
     "Crossword",
     "CrystalStacker",
     "CUA-OPL-1.0",
     "Cube",
     "curl",
+    "cve-tou",
     "D-FSL-1.0",
+    "DEC-3-Clause",
     "diffmark",
     "DL-DE-BY-2.0",
+    "DL-DE-ZERO-2.0",
     "DOC",
     "Dotseqn",
     "DRL-1.0",
+    "DRL-1.1",
     "DSDP",
     "dtoa",
     "dvipdfm",
@@ -212,15 +240,21 @@
     "EUPL-1.2",
     "Eurosym",
     "Fair",
+    "FBM",
     "FDK-AAC",
+    "Ferguson-Twofish",
     "Frameworx-1.0",
     "FreeBSD-DOC",
     "FreeImage",
     "FSFAP",
+    "FSFAP-no-warranty-disclaimer",
     "FSFUL",
     "FSFULLR",
     "FSFULLRWD",
     "FTL",
+    "Furuseth",
+    "fwlw",
+    "GCR-docs",
     "GD",
     "GFDL-1.1",
     "GFDL-1.1-invariants-only",
@@ -270,14 +304,36 @@
     "GPL-3.0-with-GCC-exception",
     "Graphics-Gems",
     "gSOAP-1.3b",
+    "gtkbook",
+    "Gutmann",
     "HaskellReport",
+    "hdparm",
     "Hippocratic-2.1",
     "HP-1986",
+    "HP-1989",
     "HPND",
+    "HPND-DEC",
+    "HPND-doc",
+    "HPND-doc-sell",
     "HPND-export-US",
+    "HPND-export-US-acknowledgement",
+    "HPND-export-US-modify",
+    "HPND-export2-US",
+    "HPND-Fenneberg-Livingston",
+    "HPND-INRIA-IMAG",
+    "HPND-Intel",
+    "HPND-Kevlin-Henney",
     "HPND-Markus-Kuhn",
+    "HPND-merchantability-variant",
+    "HPND-MIT-disclaimer",
+    "HPND-Pbmplus",
+    "HPND-sell-MIT-disclaimer-xserver",
+    "HPND-sell-regexpr",
     "HPND-sell-variant",
     "HPND-sell-variant-MIT-disclaimer",
+    "HPND-sell-variant-MIT-disclaimer-rev",
+    "HPND-UC",
+    "HPND-UC-export-US",
     "HTMLTIDY",
     "IBM-pibs",
     "ICU",
@@ -295,11 +351,13 @@
     "IPA",
     "IPL-1.0",
     "ISC",
+    "ISC-Veillard",
     "Jam",
     "JasPer-2.0",
     "JPL-image",
     "JPNIC",
     "JSON",
+    "Kastrup",
     "Kazlib",
     "Knuth-CTAN",
     "LAL-1.2",
@@ -334,6 +392,7 @@
     "Linux-man-pages-copyleft-var",
     "Linux-OpenIB",
     "LOOP",
+    "LPD-document",
     "LPL-1.0",
     "LPL-1.02",
     "LPPL-1.0",
@@ -341,10 +400,17 @@
     "LPPL-1.2",
     "LPPL-1.3a",
     "LPPL-1.3c",
+    "lsof",
+    "Lucida-Bitmap-Fonts",
     "LZMA-SDK-9.11-to-9.20",
     "LZMA-SDK-9.22",
+    "Mackerras-3-Clause",
+    "Mackerras-3-Clause-acknowledgment",
+    "magaz",
+    "mailprio",
     "MakeIndex",
     "Martin-Birgmeier",
+    "McPhee-slideshow",
     "metamail",
     "Minpack",
     "MirOS",
@@ -355,11 +421,15 @@
     "MIT-enna",
     "MIT-feh",
     "MIT-Festival",
+    "MIT-Khronos-old",
     "MIT-Modern-Variant",
     "MIT-open-group",
+    "MIT-testregex",
     "MIT-Wu",
     "MITNFA",
+    "MMIXware",
     "Motosoto",
+    "MPEG-SSG",
     "mpi-permissive",
     "mpich2",
     "MPL-1.0",
@@ -379,7 +449,9 @@
     "NASA-1.3",
     "Naumen",
     "NBPL-1.0",
+    "NCBI-PD",
     "NCGL-UK-2.0",
+    "NCL",
     "NCSA",
     "Net-SNMP",
     "NetCDF",
@@ -403,6 +475,7 @@
     "NTP-0",
     "Nunit",
     "O-UDA-1.0",
+    "OAR",
     "OCCT-PL",
     "OCLC-2.0",
     "ODbL-1.0",
@@ -441,6 +514,8 @@
     "OML",
     "OpenPBS-2.3",
     "OpenSSL",
+    "OpenSSL-standalone",
+    "OpenVision",
     "OPL-1.0",
     "OPL-UK-3.0",
     "OPUBL-1.0",
@@ -450,23 +525,30 @@
     "OSL-2.0",
     "OSL-2.1",
     "OSL-3.0",
+    "PADL",
     "Parity-6.0.0",
     "Parity-7.0.0",
     "PDDL-1.0",
     "PHP-3.0",
     "PHP-3.01",
+    "Pixar",
+    "pkgconf",
     "Plexus",
+    "pnmstitch",
     "PolyForm-Noncommercial-1.0.0",
     "PolyForm-Small-Business-1.0.0",
     "PostgreSQL",
+    "PPL",
     "PSF-2.0",
     "psfrag",
     "psutils",
     "Python-2.0",
     "Python-2.0.1",
+    "python-ldap",
     "Qhull",
     "QPL-1.0",
     "QPL-1.0-INRIA-2004",
+    "radvd",
     "Rdisc",
     "RHeCos-1.1",
     "RPL-1.1",
@@ -476,6 +558,7 @@
     "RSCPL",
     "Ruby",
     "SAX-PD",
+    "SAX-PD-2.0",
     "Saxpath",
     "SCEA",
     "SchemeReport",
@@ -484,49 +567,65 @@
     "SGI-B-1.0",
     "SGI-B-1.1",
     "SGI-B-2.0",
+    "SGI-OpenGL",
     "SGP4",
     "SHL-0.5",
     "SHL-0.51",
     "SimPL-2.0",
     "SISSL",
     "SISSL-1.2",
+    "SL",
     "Sleepycat",
     "SMLNJ",
     "SMPPL",
     "SNIA",
     "snprintf",
+    "softSurfer",
+    "Soundex",
     "Spencer-86",
     "Spencer-94",
     "Spencer-99",
     "SPL-1.0",
+    "ssh-keyscan",
     "SSH-OpenSSH",
     "SSH-short",
+    "SSLeay-standalone",
     "SSPL-1.0",
     "StandardML-NJ",
     "SugarCRM-1.1.3",
+    "Sun-PPP",
+    "Sun-PPP-2000",
     "SunPro",
     "SWL",
+    "swrule",
     "Symlinks",
     "TAPR-OHL-1.0",
     "TCL",
     "TCP-wrappers",
     "TermReadKey",
+    "TGPPL-1.0",
+    "threeparttable",
     "TMate",
     "TORQUE-1.1",
     "TOSL",
     "TPDL",
     "TPL-1.0",
     "TTWL",
+    "TTYP0",
     "TU-Berlin-1.0",
     "TU-Berlin-2.0",
     "UCAR",
     "UCL-1.0",
+    "ulem",
+    "UMich-Merit",
+    "Unicode-3.0",
     "Unicode-DFS-2015",
     "Unicode-DFS-2016",
     "Unicode-TOU",
     "UnixCrypt",
     "Unlicense",
     "UPL-1.0",
+    "URT-RLE",
     "Vim",
     "VOSTROM",
     "VSL-1.0",
@@ -546,13 +645,16 @@
     "Xfig",
     "XFree86-1.1",
     "xinetd",
+    "xkeyboard-config-Zinoviev",
     "xlock",
     "Xnet",
     "xpp",
     "XSkat",
+    "xzoom",
     "YPL-1.0",
     "YPL-1.1",
     "Zed",
+    "Zeeff",
     "Zend-2.0",
     "Zimbra-1.3",
     "Zimbra-1.4",
@@ -563,10 +665,13 @@
     "ZPL-2.1",
     "389-exception",
     "Asterisk-exception",
+    "Asterisk-linking-protocols-exception",
     "Autoconf-exception-2.0",
     "Autoconf-exception-3.0",
     "Autoconf-exception-generic",
+    "Autoconf-exception-generic-3.0",
     "Autoconf-exception-macro",
+    "Bison-exception-1.24",
     "Bison-exception-2.2",
     "Bootloader-exception",
     "Classpath-exception-2.0",
@@ -576,11 +681,16 @@
     "eCos-exception-2.0",
     "Fawkes-Runtime-exception",
     "FLTK-exception",
+    "fmt-exception",
     "Font-exception-2.0",
     "freertos-exception-2.0",
     "GCC-exception-2.0",
+    "GCC-exception-2.0-note",
     "GCC-exception-3.1",
+    "Gmsh-exception",
     "GNAT-exception",
+    "GNOME-examples-exception",
+    "GNU-compiler-exception",
     "gnu-javamail-exception",
     "GPL-3.0-interface-exception",
     "GPL-3.0-linking-exception",
@@ -603,16 +713,22 @@
     "OCCT-exception-1.0",
     "OpenJDK-assembly-exception-1.0",
     "openvpn-openssl-exception",
+    "PCRE2-exception",
     "PS-or-PDF-font-exception-20170817",
     "QPL-1.0-INRIA-2004-exception",
     "Qt-GPL-exception-1.0",
     "Qt-LGPL-exception-1.1",
     "Qwt-exception-1.0",
+    "RRDtool-FLOSS-exception-2.0",
+    "SANE-exception",
     "SHL-2.0",
     "SHL-2.1",
+    "stunnel-exception",
     "SWI-exception",
     "Swift-exception",
+    "Texinfo-exception",
     "u-boot-exception-2.0",
+    "UBDL-exception",
     "Universal-FOSS-exception-1.0",
     "vsftpd-openssl-exception",
     "WxWindows-exception-3.1",

package/display.js

@@ -340,3 +340,31 @@ export const printReachables = (sliceArtefacts) => {
     console.log(table(data, config));
   }
 };
+
+export function printVulnerabilities(vulnerabilities) {
+  if (!vulnerabilities) {
+    return;
+  }
+  const data = [["Ref", "Ratings", "State", "Justification"]];
+  for (const avuln of vulnerabilities) {
+    const arow = [
+      avuln["bom-ref"],
+      `${avuln?.ratings
+        .map((r) => r?.severity?.toUpperCase())
+        .join("\n")}\n${avuln?.ratings.map((r) => r?.score).join("\n")}`,
+      avuln?.analysis?.state || "",
+      avuln?.analysis?.justification || "",
+    ];
+    data.push(arow);
+  }
+  const config = {
+    header: {
+      alignment: "center",
+      content: "Vulnerabilities\nGenerated with \u2665  by cdxgen",
+    },
+  };
+  if (data.length > 1) {
+    console.log(table(data, config));
+  }
+  console.log(`${vulnerabilities.length} vulnerabilities found.`);
+}

package/docker.js

@@ -17,7 +17,7 @@ import {
   homedir,
   tmpdir,
 } from "node:os";
-import { join } from "node:path";
+import { basename, join } from "node:path";
 import process from "node:process";
 import stream from "node:stream/promises";
 import { parse } from "node:url";
@@ -27,6 +27,7 @@ import { x } from "tar";
 import { DEBUG_MODE, getAllFiles } from "./utils.js";
 
 export const isWin = _platform() === "win32";
+export const DOCKER_HUB_REGISTRY = "docker.io";
 
 let dockerConn = undefined;
 let isPodman = false;
@@ -114,8 +115,8 @@ export const getOnlyDirs = (srcpath, dirName) => {
 
 const getDefaultOptions = (forRegistry) => {
   let authTokenSet = false;
-  if (!forRegistry && process.env.DOCKER_SERVER_ADDRESS) {
-    forRegistry = process.env.DOCKER_SERVER_ADDRESS;
+  if (!forRegistry) {
+    forRegistry = process.env.DOCKER_SERVER_ADDRESS ?? DOCKER_HUB_REGISTRY;
   }
   if (forRegistry) {
     forRegistry = forRegistry.replace("http://", "").replace("https://", "");
@@ -517,7 +518,7 @@ export const getImage = async (fullImageName) => {
   let pullData = undefined;
   const { registry, repo, tag, digest } = parseImageName(fullImageName);
   const repoWithTag =
-    registry && registry !== "docker.io"
+    registry && registry !== DOCKER_HUB_REGISTRY
       ? fullImageName
       : `${repo}:${tag !== "" ? tag : ":latest"}`;
   // Fetch only the latest tag if none is specified
@@ -712,6 +713,7 @@ export const extractTar = async (fullImageName, dir) => {
             path.includes("usr/share/zoneinfo/") ||
             path.includes("usr/share/doc/") ||
             path.includes("usr/share/i18n/") ||
+            basename(path).startsWith(".") ||
             path.includes("usr/share/licenses/device-mapper-libs") ||
             [
               "BlockDevice",
@@ -738,7 +740,15 @@ export const extractTar = async (fullImageName, dir) => {
       );
       console.log(err);
     } else if (
-      !["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO", "EACCES"].includes(err.code)
+      ![
+        "TAR_BAD_ARCHIVE",
+        "TAR_ENTRY_INFO",
+        "TAR_ENTRY_INVALID",
+        "TAR_ENTRY_ERROR",
+        "TAR_ENTRY_UNSUPPORTED",
+        "TAR_ABORT",
+        "EACCES",
+      ].includes(err.code)
     ) {
       console.log(
         `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`,
@@ -752,7 +762,12 @@ export const extractTar = async (fullImageName, dir) => {
       }
     } else if (["EACCES"].includes(err.code)) {
       console.log(err);
-    } else {
+      /*
+       * We do not display errors messages for errors:
+       * 1) TAR_ENTRY_INFO is an informative error indicating that an entry is being modified.
+       * 2) TAR_ENTRY_INVALID indicates that a given entry is not valid tar archive entry and will be skipped.
+       */
+    } else if (!["TAR_ENTRY_INFO", "TAR_ENTRY_INVALID"].includes(err.code)) {
       console.log(err);
     }
     return false;