@cyclonedx/cdxgen 10.8.9 → 10.9.0

package/bin/cdxgen.js

@@ -275,6 +275,11 @@ const args = yargs(hideBin(process.argv))
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
+  .option("feature-flags", {
+    description: "Experimental feature flags to enable. Advanced users only.",
+    hidden: true,
+    choices: ["safe-pip-install"],
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("type")
   .array("excludeType")
@@ -283,6 +288,7 @@ const args = yargs(hideBin(process.argv))
   .array("author")
   .array("exclude")
   .array("standard")
+  .array("feature-flags")
   .option("auto-compositions", {
     type: "boolean",
     default: true,
@@ -438,7 +444,6 @@ const applyAdvancedOptions = (options) => {
   }
   return options;
 };
-
 applyAdvancedOptions(options);
 
 /**

package/binary.js

@@ -350,7 +350,7 @@ export function getOSPackages(src) {
       "--skip-java-db-update",
       "--offline-scan",
       "--skip-files",
-      "**/*.jar",
+      "**/*.jar,**/*.war,**/*.par,**/*.ear",
       "--no-progress",
       "--exit-code",
       "0",

package/index.js

@@ -63,12 +63,15 @@ import {
   getMvnMetadata,
   getNugetMetadata,
   getPipFrozenTree,
+  getPipTreeForPackages,
   getPyMetadata,
   getPyModules,
   getSwiftPackageMetadata,
   getTimestamp,
   hasAnyProjectType,
   includeMavenTestScope,
+  isFeatureEnabled,
+  isPartialTree,
   isValidIriReference,
   parseBazelActionGraph,
   parseBazelSkyframe,
@@ -2749,6 +2752,10 @@ export async function createPythonBom(path, options) {
   if (pyProjectMode) {
     const tmpParentComponent = parsePyProjectToml(pyProjectFile);
     if (tmpParentComponent?.name) {
+      // Bug fix. Version could be missing in pyproject.toml
+      if (!tmpParentComponent.version && parentComponent.version) {
+        tmpParentComponent.version = parentComponent.version;
+      }
       parentComponent = tmpParentComponent;
       delete parentComponent.homepage;
       delete parentComponent.repository;
@@ -2815,6 +2822,7 @@ export async function createPythonBom(path, options) {
       };
       dependencies.splice(0, 0, pdependencies);
     }
+    options.parentComponent = parentComponent;
     return buildBomNSData(options, pkgList, "pypi", {
       src: path,
       filename: poetryFiles.join(", "),
@@ -2822,7 +2830,7 @@ export async function createPythonBom(path, options) {
       parentComponent,
       formulationList,
     });
-  }
+  } // poetryMode
   if (metadataFiles?.length) {
     // dist-info directories
     for (const mf of metadataFiles) {
@@ -3049,6 +3057,45 @@ export async function createPythonBom(path, options) {
       pkgList = pkgList.concat(dlist);
     }
   }
+  // Check and complete the dependency tree
+  if (
+    isFeatureEnabled(options, "safe-pip-install") &&
+    pkgList.length &&
+    isPartialTree(dependencies)
+  ) {
+    // Trim the current package list first
+    pkgList = trimComponents(pkgList);
+    console.log(
+      `Attempting to recover the pip dependency tree from ${pkgList.length} packages. Please wait ...`,
+    );
+    const newPkgMap = getPipTreeForPackages(
+      path,
+      pkgList,
+      tempDir,
+      parentComponent,
+    );
+    if (DEBUG_MODE && newPkgMap.failedPkgList.length) {
+      if (newPkgMap.failedPkgList.length < pkgList.length) {
+        console.log(
+          `${newPkgMap.failedPkgList.length} packages failed to install.`,
+        );
+      }
+    }
+    if (newPkgMap?.pkgList?.length) {
+      pkgList = pkgList.concat(newPkgMap.pkgList);
+      pkgList = trimComponents(pkgList);
+    }
+    if (newPkgMap.dependenciesList) {
+      dependencies = mergeDependencies(
+        dependencies,
+        newPkgMap.dependenciesList,
+        parentComponent,
+      );
+      if (DEBUG_MODE && dependencies.length > 1) {
+        console.log("Recovered", dependencies.length, "dependencies.");
+      }
+    }
+  }
   // Clean up
   if (tempDir?.startsWith(tmpdir()) && rmSync) {
     rmSync(tempDir, { recursive: true, force: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.8.9",
+  "version": "10.9.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -68,7 +68,7 @@
     "find-up": "7.0.0",
     "glob": "^11.0.0",
     "global-agent": "^3.0.0",
-    "got": "14.4.1",
+    "got": "14.4.2",
     "iconv-lite": "^0.6.3",
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
@@ -111,7 +111,7 @@
   "devDependencies": {
     "@biomejs/biome": "1.8.3",
     "jest": "^29.7.0",
-    "typescript": "^5.5.3"
+    "typescript": "^5.5.4"
   },
   "scripts": {
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js postgen.test.js",

package/server.js

@@ -178,14 +178,17 @@ const start = (options) => {
     let bomNSData = (await createBom(srcDir, reqOptions)) || {};
     bomNSData = postProcess(bomNSData, reqOptions);
     if (reqOptions.serverUrl && reqOptions.apiKey) {
-      console.log("Publishing SBOM to Dependency Track");
+      console.log(
+        `Publishing SBOM ${reqOptions.projectName} to Dependency Track`,
+        reqOptions.serverUrl,
+      );
       const response = await submitBom(reqOptions, bomNSData.bomJson);
       const errorMessages = response?.errors;
       if (errorMessages) {
         res.writeHead(500, { "Content-Type": "application/json" });
         return res.end(
           JSON.stringify({
-            error: "Unable to submit the SBOM to the Dependency-Track server",
+            error: `Unable to submit the SBOM ${reqOptions.projectName} to the Dependency Track server ${reqOptions.serverUrl}`,
             details: errorMessages,
           }),
         );

package/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AAsvBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAi/BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAsXhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAkUhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAyWhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CA2FxE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AAyvBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAi/BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkahB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAkUhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAyWhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CA2FxE"}

package/types/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../server.js"],"names":[],"mappings":"AAuIA,yDAKC;AAED,0CAoEC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../server.js"],"names":[],"mappings":"AAuIA,yDAKC;AAED,0CAuEC"}

package/types/utils.d.ts

@@ -1,3 +1,12 @@
+/**
+ * Method to check if a given feature flag is enabled.
+ *
+ * @param {Object} cliOptions CLI options
+ * @param {String} feature Feature flag
+ *
+ * @returns {Boolean} True if the feature is enabled
+ */
+export function isFeatureEnabled(cliOptions: any, feature: string): boolean;
 /**
  * Method to check if the given project types are allowed by checking against include and exclude types passed from the CLI arguments.
  *
@@ -607,6 +616,7 @@ export function parseCabalData(cabalData: any): any[];
 export function parseMixLockData(mixData: any): any[];
 export function parseGitHubWorkflowData(ghwData: any): any[];
 export function parseCloudBuildData(cbwData: any): any[];
+export function mapConanPkgRefToPurlStringAndNameAndVersion(conanPkgRef: any): any[];
 export function parseConanLockData(conanLockData: any): any[];
 export function parseConanData(conanData: any): any[];
 export function parseLeiningenData(leinData: any): any[];
@@ -1076,6 +1086,8 @@ export function getPipFrozenTree(basePath: string, reqOrSetupFile: string, tempV
     rootList: {
         name: any;
         version: any;
+        purl: string;
+        "bom-ref": string;
     }[];
     dependenciesList: {
         ref: string;
@@ -1083,6 +1095,35 @@ export function getPipFrozenTree(basePath: string, reqOrSetupFile: string, tempV
     }[];
     frozen: boolean;
 };
+/**
+ * The problem: pip installation can fail for a number of reasons such as missing OS dependencies and devel packages.
+ * When it fails, we don't get any dependency tree. As a workaroud, this method would attempt to install one package at a time to the same virtual environment and then attempts to obtain a dependency tree.
+ * Such a tree could be incorrect or quite approximate, but some users might still find it useful to know the names of the indirect dependencies.
+ *
+ * @param {string} basePath Base path
+ * @param {Array} pkgList Existing package list
+ * @param {string} tempVenvDir Temp venv dir
+ * @param {Object} parentComponent Parent component
+ *
+ * @returns List of packages from the virtual env
+ */
+export function getPipTreeForPackages(basePath: string, pkgList: any[], tempVenvDir: string, parentComponent: any): {
+    failedPkgList?: undefined;
+    rootList?: undefined;
+    dependenciesList?: undefined;
+} | {
+    failedPkgList: any[];
+    rootList: {
+        name: any;
+        version: any;
+        purl: string;
+        "bom-ref": string;
+    }[];
+    dependenciesList: {
+        ref: string;
+        dependsOn: any;
+    }[];
+};
 export function parsePackageJsonName(name: any): {
     scope: any;
     fullName: string;
@@ -1166,6 +1207,13 @@ export function parseMakeDFile(dfile: string): any;
  *
  */
 export function isValidIriReference(iri: string): boolean;
+/**
+ * Method to check if a given dependency tree is partial or not.
+ *
+ * @param {Array} dependencies List of dependencies
+ * @returns {Boolean} True if the dependency tree lacks any non-root parents without children. False otherwise.
+ */
+export function isPartialTree(dependencies: any[]): boolean;
 export const dirNameStr: string;
 export const isWin: boolean;
 export const isMac: boolean;

package/types/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../utils.js"],"names":[],"mappings":"AAsSA;;;;;;GAMG;AACH,mGAkDC;AAgBD;;;;;GAKG;AACH,qCAHW,MAAM,WACN,MAAM,0BAqBhB;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,+BAoBhB;AAYD;;;;GAIG;AACH,gCAFa,MAAM,CAIlB;AAED;;;;;;IAMI;AACJ,iDAJW,MAAM,GACJ,OAAO,CAiBnB;AAED;;;;;;;;;GASG;AACH,iEA2BC;AAED;;;;;GAKG;AACH,6CAqDC;AAED;;;;;;GAMG;AACH,sEA0DC;AAED;;;;GAIG;AACH,4EAoCC;AAED;;;GAGG;AACH;;EAUC;AAED,sEA0BC;AAED;;;;GAIG;AACH,+DA4CC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,WACN,OAAO,kBAkFjB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM;;;GAqVhB;AAED;;;;;;;GAOG;AACH,6CAFW,MAAM,MAwDhB;AAwBD;;;;GAIG;AACH,4CAFW,MAAM;;;GAqNhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,kBAiEhB;AA2BD;;;;;GAKG;AACH,wCAHW,MAAM,oBACN,MAAM;;;;;;;;;GA0ZhB;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBA+ChB;AAED;;;;GAIG;AACH,sCAFW,MAAM,kBAgFhB;AAED;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;IAqDC;AAED;;;;;;GAMG;AACH,0CALW,MAAM,WACN,MAAM,OAgJhB;AAED;;;;;;GAMG;AACH,0CALW,MAAM,qBACN,MAAM,oBACN,MAAM,uBACN,MAAM;;;;;;;;;;;;;;;;EAkNhB;AAED;;;GAGG;AACH,uCAFW,MAAM,SAoChB;AAED;;;GAGG;AACH,wCAFW,MAAM,OAahB;AAED,yEAwBC;AAED;;;;GAIG;AACH,+CAFW,MAAM;;;EA6ChB;AAED;;;;GAIG;AACH,iDAFW,MAAM;;;;;;;;EAsChB;AAED;;;;;;;;GAQG;AACH,qDANW,MAAM,YACN,MAAM,0BAGJ,MAAM,CA2DlB;AAED;;;;;;GAMG;AACH,6CAJW,MAAM,YACN,MAAM,cACN,MAAM,MA2EhB;AAED;;;GAGG;AACH,iDAFW,MAAM,SA4ChB;AAED;;;GAGG;AACH,8CAFW,MAAM,SAsDhB;AAED;;;GAGG;AACH,2CAFW,MAAM,SAiBhB;AAED;;GAEG;AACH,kDAoCC;AAED;;;;GAIG;AACH,oCAFW,MAAM,OAchB;AAED;;;;GAIG;AACH,kDAUC;AAED;;;;;GAKG;AACH,mFAmGC;AAED;;;;;;;;;GASG;AACH,sFAMC;AAED;;;;;;;;;GASG;AACH,gFAFY,MAAO,SAAS,CA8B3B;AAED;;;;;;;;;GASG;AACH,0EAFY,OAAO,QAAQ,CAU1B;AAED;;;;GAIG;AACH,4DAFW,WAAY,SAYtB;AAED;;;;;;;;;GASG;AACH,+FAFY,OAAO,QAAQ,CAc1B;AAED;;;;GAIG;AACH;;;EAqBC;AAED;;;;;GAKG;AACH,iFAFW,GAAC,OA0BX;AAED;;;;;GAKG;AACH,sFAsNC;AAED;;;;GAIG;AACH,qDAmBC;AAED;;;;GAIG;AACH,gEAeC;AAED;;;;GAIG;AACH,6CAFW,MAAM,MAmEhB;AAED;;;;;GAKG;AACH,6DAFW,MAAM;;;;;;;GAqHhB;AAED;;;;;GAKG;AACH,mFAgKC;AAED;;;;;;GAMG;AACH,kCAJW,MAAM;;;;;;;;GA2EhB;AAED;;;;GAIG;AACH,mEAqBC;AAED;;;;GAIG;AACH,+DAFY,SAAO,SAAS,CAc3B;AAED;;;;GAIG;AACH,oDAFY,QAAQ,CASnB;AAED;;;;;GAKG;AACH,oEAFY,SAAO,SAAS,CAc3B;AAED;;;;;;GAMG;AACH,oEAFY,OAAO,QAAQ,CA8D1B;AAED;;;;GAIG;AACH,iEAgDC;AAED,+FA4BC;AAED,8EA2EC;AAED;;;;;GAKG;AACH,0CAHW,MAAM;;;GA0DhB;AA0BD;;;;;;;;;GASG;AACH,2CAPW,MAAM,aACN,MAAM;;;;;;GA6FhB;AAED;;;;GAIG;AACH,yCAHW,MAAM,OAehB;AAED;;;;GAIG;AACH,0CAHW,MAAM,kBAuChB;AAED,+DA+CC;AAED,uEAwBC;AA6BD;;;;GAIG;AACH,oEAmGC;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBAgChB;AAED;;;;;GAKG;AACH,kDAHW,MAAM,YACN,MAAM;;;;;;;;;;;;;;GAuPhB;AAED;;;;GAIG;AACH,kEAqEC;AAED;;;;GAIG;AACH,gEA0DC;AA0BD;;;;;;;;;;;;;;;;;GAiBG;AACH,mEALW,OAAO,4BAiLjB;AAED;;;;;;;;GAQG;AACH,+DALW,OAAO,4BAsIjB;AAED;;;IAwIC;AAED,wEA0BC;AAED,mEAqCC;AAED,0DAkBC;AAED,wDA+DC;AAED,0FAkEC;AAED;;IAsCC;AAED;;IA2DC;AAED,2DAiEC;AAED,yDAaC;AAaD,gDA+EC;AAED,yDAkDC;AAED,sDA0BC;AAED,sDAyBC;AAED,6DAwCC;AAED,yDAmCC;AAED,8DAsCC;AAED,sDAqDC;AAED,yDAgCC;AAED,qDAkDC;AAED;;;;;GAKG;AACH,mDASC;AAED;;;;;;GAMG;AACH,4EA4EC;AAED,kEAgDC;AAED;;;;;;;;GAQG;AACH,kGA0MC;AAED;;;EAiNC;AAED;;;;EAsHC;AAED;;;EA+GC;AAED;;;;;GAKG;AACH,+CAHW,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2IhB;AAED;;;;;;EA+HC;AAED;;;;GAIG;AACH,0CAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAqDhB;AAmBD;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAchB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM,YAQhB;AAED;;;;;;;GAOG;AACH;;;;;;;;;;IA2IC;AA2CD;;;;GAIG;AACH,0FAHW,MAAM,WACN,MAAM,UAuDhB;AAED;;;;GAIG;AACH,8CAHW,MAAM,WACN,MAAM;;;;;;EAqBhB;AAED;;;GAGG;AACH,iDAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAwDhB;AAED;;;;;;;GAOG;AACH,iDALW,MAAM,YACN,MAAM,YACN,OAAO,oBACP,OAAO,eA6DjB;AAED,oIAgCC;AAED;;;;;;;GAOG;AACH,sCALW,MAAM,eACN,MAAM,eA6JhB;AAED;;;;;;;;;;;;;;;;;;;;;;IA6DC;AAED;;;;;;;EA8BC;AAED,uDAeC;AAED,2DAeC;AAED,2CAIC;AAED;;;;;;GAMG;AACH,uDAJW,MAAM,MAgBhB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,QACN,MAAM,GACJ,OAAO,QAAQ,CAU3B;AAED;;;;;;;;GAQG;AACH,2CANW,MAAM,WACN,MAAM,iBACN,MAAM,kBAqThB;AAED;;;;;;;GAOG;AACH,iDAFW,MAAM,OAehB;AAED;;;;;;;;;;;GAWG;AACH,uCAHW,MAAM,UACN,MAAM,UAYhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,uBACN,MAAM,WAgBhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,UAIhB;AAED;;;;;;;;GAQG;AACH,sCANW,MAAM,eACN,MAAM,oBACN,MAAM,gBAgChB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,kBA4EhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM,UAiChB;AACD;;;;;;GAMG;AAEH,uDALW,MAAM,iBACN,MAAM,EAAE,GACN,GAAG,CAuCf;AACD;;;;;GAKG;AACH,yCAHW,MAAM,YACN,MAAM,UAsEhB;AAED;;GAEG;AACH,sCAmBC;AAED,0DA2EC;AAED;;;;;;;;GAQG;AACH,oCANW,MAAM,YACN,MAAM,gBACN,MAAM,eACN,MAAM,OA6ChB;AAkFD;;;;;;;;;GASG;AACH,2CAPW,MAAM,kBACN,MAAM,eACN,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiWhB;AAGD;;;;;EAmBC;AAED;;;;;;GAMG;AACH,kEAHW,MAAM,cACN,MAAM,6BA0IhB;AAED,qDASC;AAED;;;;;;;EA2GC;AAED;;;EA6PC;AAED,sEA6BC;AAED;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM;;;;;;;EAgQhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,OAKhB;AAED,qDA0CC;AA8HD;;;;GAIG;AACH;;;GAkHC;AAED,yEA0GC;AAED;;;;;;GAMG;AACH,mDAkBC;AAED;;;;;;;;;;GAUG;AACH,0DAqBC;AA76VD,gCAAgF;AAChF,4BAA4C;AAC5C,4BAA6C;AAC7C,2BAAmE;AAsBnE,iCAEE;AAiBF,iCAIyC;AAGzC,gCACmE;AAGnE,gCACsE;AAGtE,8BAA+B;AAK/B,4CAEmE;AAGnE,6CAE6D;AAG7D,oCAEoD;AAGpD,uCAEuD;AAYvD,4BAA6B;AAU7B,8BAAiC;AAMjC,8BAAiC;AAIjC,4BAA6B;AAI7B,2BAA2B;AAI3B,4BAA6B;AAI7B,2BAA2B;AAI3B,6BAA+B;AAI/B,0BAAyB;AAIzB,6BAA+B;AAM/B,2BAA2B;AAK3B,4BAA6B;AAK7B,6BAA+B;AAM/B,kDAWE;AAGF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+DE;AAiEF,8BAQG;AA2xIH,8CAUE"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../utils.js"],"names":[],"mappings":"AAsSA;;;;;;;GAOG;AACH,4EAoBC;AAED;;;;;;GAMG;AACH,mGAkDC;AAgBD;;;;;GAKG;AACH,qCAHW,MAAM,WACN,MAAM,0BAqBhB;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,+BAoBhB;AAYD;;;;GAIG;AACH,gCAFa,MAAM,CAIlB;AAED;;;;;;IAMI;AACJ,iDAJW,MAAM,GACJ,OAAO,CAiBnB;AAED;;;;;;;;;GASG;AACH,iEA2BC;AAED;;;;;GAKG;AACH,6CAqDC;AAED;;;;;;GAMG;AACH,sEA0DC;AAED;;;;GAIG;AACH,4EAoCC;AAED;;;GAGG;AACH;;EAUC;AAED,sEA0BC;AAED;;;;GAIG;AACH,+DA4CC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,WACN,OAAO,kBAkFjB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM;;;GAqVhB;AAED;;;;;;;GAOG;AACH,6CAFW,MAAM,MA2DhB;AAwBD;;;;GAIG;AACH,4CAFW,MAAM;;;GAkOhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,kBAiEhB;AA2BD;;;;;GAKG;AACH,wCAHW,MAAM,oBACN,MAAM;;;;;;;;;GA0ZhB;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBA+ChB;AAED;;;;GAIG;AACH,sCAFW,MAAM,kBAgFhB;AAED;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;IAqDC;AAED;;;;;;GAMG;AACH,0CALW,MAAM,WACN,MAAM,OAgJhB;AAED;;;;;;GAMG;AACH,0CALW,MAAM,qBACN,MAAM,oBACN,MAAM,uBACN,MAAM;;;;;;;;;;;;;;;;EAkNhB;AAED;;;GAGG;AACH,uCAFW,MAAM,SAoChB;AAED;;;GAGG;AACH,wCAFW,MAAM,OAahB;AAED,yEAwBC;AAED;;;;GAIG;AACH,+CAFW,MAAM;;;EA6ChB;AAED;;;;GAIG;AACH,iDAFW,MAAM;;;;;;;;EAsChB;AAED;;;;;;;;GAQG;AACH,qDANW,MAAM,YACN,MAAM,0BAGJ,MAAM,CAkElB;AAED;;;;;;GAMG;AACH,6CAJW,MAAM,YACN,MAAM,cACN,MAAM,MA2EhB;AAED;;;GAGG;AACH,iDAFW,MAAM,SA4ChB;AAED;;;GAGG;AACH,8CAFW,MAAM,SAsDhB;AAED;;;GAGG;AACH,2CAFW,MAAM,SAiBhB;AAED;;GAEG;AACH,kDAoCC;AAED;;;;GAIG;AACH,oCAFW,MAAM,OAchB;AAED;;;;GAIG;AACH,kDAUC;AAED;;;;;GAKG;AACH,mFAmGC;AAED;;;;;;;;;GASG;AACH,sFAMC;AAED;;;;;;;;;GASG;AACH,gFAFY,MAAO,SAAS,CA8B3B;AAED;;;;;;;;;GASG;AACH,0EAFY,OAAO,QAAQ,CAU1B;AAED;;;;GAIG;AACH,4DAFW,WAAY,SAYtB;AAED;;;;;;;;;GASG;AACH,+FAFY,OAAO,QAAQ,CAc1B;AAED;;;;GAIG;AACH;;;EAqBC;AAED;;;;;GAKG;AACH,iFAFW,GAAC,OA0BX;AAED;;;;;GAKG;AACH,sFAsNC;AAED;;;;GAIG;AACH,qDAmBC;AAED;;;;GAIG;AACH,gEAeC;AAED;;;;GAIG;AACH,6CAFW,MAAM,MAmEhB;AAED;;;;;GAKG;AACH,6DAFW,MAAM;;;;;;;GAqHhB;AAED;;;;;GAKG;AACH,mFAgKC;AAED;;;;;;GAMG;AACH,kCAJW,MAAM;;;;;;;;GA2EhB;AAED;;;;GAIG;AACH,mEAqBC;AAED;;;;GAIG;AACH,+DAFY,SAAO,SAAS,CAc3B;AAED;;;;GAIG;AACH,oDAFY,QAAQ,CASnB;AAED;;;;;GAKG;AACH,oEAFY,SAAO,SAAS,CAc3B;AAED;;;;;;GAMG;AACH,oEAFY,OAAO,QAAQ,CA8D1B;AAED;;;;GAIG;AACH,iEAgDC;AAED,+FA4BC;AAED,8EA2EC;AAED;;;;;GAKG;AACH,0CAHW,MAAM;;;GA0DhB;AA0BD;;;;;;;;;GASG;AACH,2CAPW,MAAM,aACN,MAAM;;;;;;GA6FhB;AAED;;;;GAIG;AACH,yCAHW,MAAM,OAehB;AAED;;;;GAIG;AACH,0CAHW,MAAM,kBAuChB;AAED,+DA+CC;AAED,uEAwBC;AA6BD;;;;GAIG;AACH,oEAmGC;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBAgChB;AAED;;;;;GAKG;AACH,kDAHW,MAAM,YACN,MAAM;;;;;;;;;;;;;;GAuPhB;AAED;;;;GAIG;AACH,kEAqEC;AAED;;;;GAIG;AACH,gEA0DC;AA0BD;;;;;;;;;;;;;;;;;GAiBG;AACH,mEALW,OAAO,4BAiLjB;AAED;;;;;;;;GAQG;AACH,+DALW,OAAO,4BAsIjB;AAED;;;IAwIC;AAED,wEA0BC;AAED,mEAqCC;AAED,0DAkBC;AAED,wDA+DC;AAED,0FAkEC;AAED;;IAsCC;AAED;;IA2DC;AAED,2DAiEC;AAED,yDAaC;AAaD,gDA+EC;AAED,yDAkDC;AAED,sDA0BC;AAED,sDAyBC;AAED,6DAwCC;AAED,yDAmCC;AAyCD,qFA2HC;AAED,8DA0BC;AAED,sDAiCC;AAED,yDAgCC;AAED,qDAkDC;AAED;;;;;GAKG;AACH,mDASC;AAED;;;;;;GAMG;AACH,4EA4EC;AAED,kEAgDC;AAED;;;;;;;;GAQG;AACH,kGA0MC;AAED;;;EAiNC;AAED;;;;EAsHC;AAED;;;EA+GC;AAED;;;;;GAKG;AACH,+CAHW,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2IhB;AAED;;;;;;EA+HC;AAED;;;;GAIG;AACH,0CAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAqDhB;AAmBD;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAchB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM,YAQhB;AAED;;;;;;;GAOG;AACH;;;;;;;;;;IA2IC;AA2CD;;;;GAIG;AACH,0FAHW,MAAM,WACN,MAAM,UAuDhB;AAED;;;;GAIG;AACH,8CAHW,MAAM,WACN,MAAM;;;;;;EAqBhB;AAED;;;GAGG;AACH,iDAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAwDhB;AAED;;;;;;;GAOG;AACH,iDALW,MAAM,YACN,MAAM,YACN,OAAO,oBACP,OAAO,eA6DjB;AAED,oIAgCC;AAED;;;;;;;GAOG;AACH,sCALW,MAAM,eACN,MAAM,eA6JhB;AAED;;;;;;;;;;;;;;;;;;;;;;IA6DC;AAED;;;;;;;EA8BC;AAED,uDAeC;AAED,2DAeC;AAED,2CAIC;AAED;;;;;;GAMG;AACH,uDAJW,MAAM,MAgBhB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,QACN,MAAM,GACJ,OAAO,QAAQ,CAU3B;AAED;;;;;;;;GAQG;AACH,2CANW,MAAM,WACN,MAAM,iBACN,MAAM,kBAqThB;AAED;;;;;;;GAOG;AACH,iDAFW,MAAM,OAehB;AAED;;;;;;;;;;;GAWG;AACH,uCAHW,MAAM,UACN,MAAM,UAYhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,uBACN,MAAM,WAgBhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,UAIhB;AAED;;;;;;;;GAQG;AACH,sCANW,MAAM,eACN,MAAM,oBACN,MAAM,gBAgChB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,kBA4EhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM,UAiChB;AACD;;;;;;GAMG;AAEH,uDALW,MAAM,iBACN,MAAM,EAAE,GACN,GAAG,CAuCf;AACD;;;;;GAKG;AACH,yCAHW,MAAM,YACN,MAAM,UAsEhB;AAED;;GAEG;AACH,sCAmBC;AAED,0DA2EC;AAED;;;;;;;;GAQG;AACH,oCANW,MAAM,YACN,MAAM,gBACN,MAAM,eACN,MAAM,OA6ChB;AAqFD;;;;;;;;;GASG;AACH,2CAPW,MAAM,kBACN,MAAM,eACN,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAmWhB;AAED;;;;;;;;;;;GAWG;AACH,gDAPW,MAAM,+BAEN,MAAM;;;;;;;;;;;;;;;;EA+KhB;AAGD;;;;;EAmBC;AAED;;;;;;GAMG;AACH,kEAHW,MAAM,cACN,MAAM,6BA0IhB;AAED,qDASC;AAED;;;;;;;EA2GC;AAED;;;EA6PC;AAED,sEA6BC;AAED;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM;;;;;;;EAgQhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,OAKhB;AAED,qDA0CC;AA8HD;;;;GAIG;AACH;;;GAkHC;AAED,yEA0GC;AAED;;;;;;GAMG;AACH,mDAkBC;AAED;;;;;;;;;;GAUG;AACH,0DAqBC;AAED;;;;;GAKG;AACH,4DAWC;AAtzWD,gCAAgF;AAChF,4BAA4C;AAC5C,4BAA6C;AAC7C,2BAAmE;AAsBnE,iCAEE;AAiBF,iCAIyC;AAGzC,gCACmE;AAGnE,gCACsE;AAGtE,8BAA+B;AAK/B,4CAEmE;AAGnE,6CAE6D;AAG7D,oCAEoD;AAGpD,uCAEuD;AAYvD,4BAA6B;AAU7B,8BAAiC;AAMjC,8BAAiC;AAIjC,4BAA6B;AAI7B,2BAA2B;AAI3B,4BAA6B;AAI7B,2BAA2B;AAI3B,6BAA+B;AAI/B,0BAAyB;AAIzB,6BAA+B;AAM/B,2BAA2B;AAK3B,4BAA6B;AAK7B,6BAA+B;AAM/B,kDAWE;AAGF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+DE;AA+FF,8BAQG;AAkzIH,8CAUE"}

package/types/validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../validator.js"],"names":[],"mappings":"AAmBO,qCAFI,MAAM,WA6ChB;AAOM,0CAFI,MAAM,WAiDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WA2ChB"}
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../validator.js"],"names":[],"mappings":"AAmBO,qCAFI,MAAM,WA6ChB;AAOM,0CAFI,MAAM,WAiDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WA8ChB"}

package/utils.js

@@ -292,6 +292,36 @@ export const PROJECT_TYPE_ALIASES = {
   oci: ["docker", "oci", "container", "podman"],
 };
 
+/**
+ * Method to check if a given feature flag is enabled.
+ *
+ * @param {Object} cliOptions CLI options
+ * @param {String} feature Feature flag
+ *
+ * @returns {Boolean} True if the feature is enabled
+ */
+export function isFeatureEnabled(cliOptions, feature) {
+  if (cliOptions?.featureFlags?.includes(feature)) {
+    return true;
+  }
+  if (
+    process.env[feature.toUpperCase()] &&
+    ["true", "1"].includes(process.env[feature.toUpperCase()])
+  ) {
+    return true;
+  }
+  // Retry by replacing hyphens with underscore
+  if (
+    process.env[feature.replaceAll("-", "_").toUpperCase()] &&
+    ["true", "1"].includes(
+      process.env[feature.replaceAll("-", "_").toUpperCase()],
+    )
+  ) {
+    return true;
+  }
+  return false;
+}
+
 /**
  * Method to check if the given project types are allowed by checking against include and exclude types passed from the CLI arguments.
  *
@@ -1252,8 +1282,11 @@ export function yarnLockToIdentMap(lockData) {
           }
         }
       }
-    } else if (l.startsWith("  version") && currentIdents.length) {
-      const tmpA = l.replace(/["']/g, "").split(" ");
+    } else if (
+      (l.startsWith("  version") || l.startsWith('  "version')) &&
+      currentIdents.length
+    ) {
+      const tmpA = l.replace(/"/g, "").split(" ");
       const version = tmpA[tmpA.length - 1].trim();
       for (const id of currentIdents) {
         identMap[id] = version;
@@ -1418,9 +1451,14 @@ export async function parseYarnLock(yarnLockFile) {
       } else if (
         name !== "" &&
         (l.startsWith("  dependencies:") ||
-          l.startsWith("  optionalDependencies:"))
+          l.startsWith('  "dependencies:') ||
+          l.startsWith("  optionalDependencies:") ||
+          l.startsWith('  "optionalDependencies:'))
       ) {
-        if (l.startsWith("  dependencies:")) {
+        if (
+          l.startsWith("  dependencies:") ||
+          l.startsWith('  "dependencies:')
+        ) {
           depsMode = true;
           optionalDepsMode = false;
         } else {
@@ -1432,9 +1470,17 @@ export async function parseYarnLock(yarnLockFile) {
         // We need the resolved version from identMap
         // Deal with values with space within the quotes. Eg: minimatch "2 || 3"
         // vinyl-sourcemaps-apply ">=0.1.1 <0.2.0-0"
-        const tmpA = l.trim().split(' "');
+        l = l.trim();
+        let splitPattern = ' "';
+        // yarn v7 has a different split pattern
+        if (l.includes('": ')) {
+          splitPattern = '": ';
+        } else if (l.includes(": ")) {
+          splitPattern = ": ";
+        }
+        const tmpA = l.trim().split(splitPattern);
         if (tmpA && tmpA.length === 2) {
-          let dgroupname = tmpA[0];
+          let dgroupname = tmpA[0].replace(/"/g, "");
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
@@ -1459,7 +1505,7 @@ export async function parseYarnLock(yarnLockFile) {
           depsMode = false;
           optionalDepsMode = false;
         }
-        l = l.trim();
+        l = l.replace(/"/g, "").trim();
         const parts = l.split(" ");
         if (l.startsWith("version")) {
           version = parts[1].replace(/"/g, "");
@@ -2764,6 +2810,13 @@ export function parseGradleProperties(rawOutput) {
  * @returns {string} The combined output for all subprojects of the Gradle properties task
  */
 export function executeParallelGradleProperties(dir, rootPath, allProjectsStr) {
+  const defaultProps = {
+    rootProject: subProject,
+    projects: [],
+    metadata: {
+      version: "latest",
+    },
+  };
   let parallelPropTaskArgs = ["properties"];
   for (const spstr of allProjectsStr) {
     parallelPropTaskArgs.push(`${spstr}:properties`);
@@ -6481,6 +6534,170 @@ export function parseCloudBuildData(cbwData) {
   return pkgList;
 }
 
+function createConanPurlString(name, version, user, channel, rrev, prev) {
+  // https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#conan
+
+  const qualifiers = {};
+
+  if (user) qualifiers["user"] = user;
+  if (channel) qualifiers["channel"] = channel;
+  if (rrev) qualifiers["rrev"] = rrev;
+  if (prev) qualifiers["prev"] = prev;
+
+  return new PackageURL(
+    "conan",
+    "",
+    name,
+    version,
+    Object.keys(qualifiers).length ? qualifiers : null,
+    null,
+  ).toString();
+}
+
+function untilFirst(separator, inputStr) {
+  // untilFirst("/", "a/b") -> ["/", "a", "b"]
+  // untilFirst("/", "abc") -> ["/", "abc", null]
+
+  if (!inputStr || inputStr.length === 0) {
+    return [null, null, null];
+  }
+
+  const separatorIndex = inputStr.search(separator);
+  if (separatorIndex === -1) {
+    return ["", inputStr, null];
+  }
+  return [
+    inputStr[separatorIndex],
+    inputStr.substring(0, separatorIndex),
+    inputStr.substring(separatorIndex + 1),
+  ];
+}
+
+export function mapConanPkgRefToPurlStringAndNameAndVersion(conanPkgRef) {
+  // A full Conan package reference may be composed of the following segments:
+  // conanPkgRef = "name/version@user/channel#recipe_revision:package_id#package_revision"
+  // See also https://docs.conan.io/1/cheatsheet.html#package-terminology
+
+  // The components 'package_id' and 'package_revision' do not appear in any files processed by cdxgen.
+  // The components 'user' and 'channel' are not mandatory.
+  // 'name/version' is a valid Conan package reference, so is 'name/version@user/channel' or 'name/version@user/channel#recipe_revision'.
+  // pURL for Conan does not recognize 'package_id'.
+
+  const UNABLE_TO_PARSE_CONAN_PKG_REF = [null, null, null];
+
+  if (!conanPkgRef) {
+    if (DEBUG_MODE)
+      console.warn(
+        `Could not parse Conan package reference '${conanPkgRef}', input does not seem valid.`,
+      );
+
+    return UNABLE_TO_PARSE_CONAN_PKG_REF;
+  }
+
+  const separatorRegex = /[@#:\/]/;
+
+  const info = {
+    name: null,
+    version: null,
+    user: null,
+    channel: null,
+    recipe_revision: null,
+    package_id: null,
+    package_revision: null,
+    phase_history: [],
+  };
+
+  const transitions = {
+    ["name"]: {
+      "/": "version",
+      "#": "recipe_revision",
+      "": "end",
+    },
+    ["version"]: {
+      "@": "user",
+      "#": "recipe_revision",
+      "": "end",
+    },
+    ["user"]: {
+      "/": "channel",
+    },
+    ["channel"]: {
+      "#": "recipe_revision",
+      "": "end",
+    },
+    ["recipe_revision"]: {
+      ":": "package_id",
+      "": "end",
+    },
+    ["package_id"]: {
+      "#": "package_revision",
+    },
+    ["package_revision"]: {
+      "": "end",
+    },
+  };
+
+  let phase = "name";
+  let remainder = conanPkgRef;
+  let separator;
+  let item;
+
+  while (remainder) {
+    [separator, item, remainder] = untilFirst(separatorRegex, remainder);
+
+    if (!item) {
+      if (DEBUG_MODE)
+        console.warn(
+          `Could not parse Conan package reference '${conanPkgRef}', empty item in phase '${phase}', separator=${separator}, remainder=${remainder}, info=${JSON.stringify(info)}`,
+        );
+      return UNABLE_TO_PARSE_CONAN_PKG_REF;
+    }
+
+    info[phase] = item;
+    info.phase_history.push(phase);
+
+    if (!(phase in transitions)) {
+      if (DEBUG_MODE)
+        console.warn(
+          `Could not parse Conan package reference '${conanPkgRef}', no transition from '${phase}', separator=${separator}, item=${item}, remainder=${remainder}, info=${JSON.stringify(info)}`,
+        );
+      return UNABLE_TO_PARSE_CONAN_PKG_REF;
+    }
+
+    const possibleTransitions = transitions[phase];
+    if (!(separator in possibleTransitions)) {
+      if (DEBUG_MODE)
+        console.warn(
+          `Could not parse Conan package reference '${conanPkgRef}', transition '${separator}' not allowed from '${phase}', item=${item}, remainder=${remainder}, info=${JSON.stringify(info)}`,
+        );
+      return UNABLE_TO_PARSE_CONAN_PKG_REF;
+    }
+
+    phase = possibleTransitions[separator];
+  }
+
+  if (phase !== "end") {
+    if (DEBUG_MODE)
+      console.warn(
+        `Could not parse Conan package reference '${conanPkgRef}', end of input string reached unexpectedly in phase '${phase}', info=${JSON.stringify(info)}.`,
+      );
+    return UNABLE_TO_PARSE_CONAN_PKG_REF;
+  }
+
+  if (!info.version) info.version = "latest";
+
+  const purl = createConanPurlString(
+    info.name,
+    info.version,
+    info.user,
+    info.channel,
+    info.recipe_revision,
+    info.package_revision,
+  );
+
+  return [purl, info.name, info.version];
+}
+
 export function parseConanLockData(conanLockData) {
   const pkgList = [];
   if (!conanLockData) {
@@ -6493,27 +6710,15 @@ export function parseConanLockData(conanLockData) {
   const nodes = graphLock.graph_lock.nodes;
   for (const nk of Object.keys(nodes)) {
     if (nodes[nk].ref) {
-      const tmpA = nodes[nk].ref.split("/");
-      if (tmpA.length === 2) {
-        let version = tmpA[1] || "latest";
-        if (tmpA[1].includes("@")) {
-          version = version.split("@")[0];
-        } else if (tmpA[1].includes("#")) {
-          version = version.split("#")[0];
-        }
-        const purlString = new PackageURL(
-          "conan",
-          "",
-          tmpA[0],
-          version,
-          null,
-          null,
-        ).toString();
+      const [purl, name, version] = mapConanPkgRefToPurlStringAndNameAndVersion(
+        nodes[nk].ref,
+      );
+      if (purl !== null) {
         pkgList.push({
-          name: tmpA[0],
+          name,
           version,
-          purl: purlString,
-          "bom-ref": decodeURIComponent(purlString),
+          purl,
+          "bom-ref": decodeURIComponent(purl),
         });
       }
     }
@@ -6535,39 +6740,19 @@ export function parseConanData(conanData) {
     if (l.includes("[requires]")) {
       scope = "required";
     }
-    if (!l.includes("/")) {
-      return;
-    }
-    if (l.includes("/")) {
-      const tmpA = l.trim().split("#")[0].split("/");
-      if (tmpA.length >= 2 && /^\d+/.test(tmpA[1])) {
-        let version = tmpA[1] || "latest";
-        let qualifiers = undefined;
-        if (tmpA[1].includes("#")) {
-          const tmpB = version.split("#");
-          version = tmpB[0];
-          qualifiers = { revision: tmpB[1] };
-        }
-        if (l.includes("#")) {
-          const tmpB = l.split("#");
-          qualifiers = { revision: tmpB[1] };
-        }
-        if (tmpA[1].includes("@")) {
-          version = version.split("@")[0];
-        }
-        const purlString = new PackageURL(
-          "conan",
-          "",
-          tmpA[0],
-          version,
-          qualifiers,
-          null,
-        ).toString();
+
+    // The line must start with sequence non-whitespace characters, followed by a slash,
+    // followed by at least one more non-whitespace character.
+    // Provides a heuristic for locating Conan package references inside conanfile.txt files.
+    if (l.match(/^[^\s\/]+\/\S+/)) {
+      const [purl, name, version] =
+        mapConanPkgRefToPurlStringAndNameAndVersion(l);
+      if (purl !== null) {
         pkgList.push({
-          name: tmpA[0],
+          name,
           version,
-          purl: purlString,
-          "bom-ref": decodeURIComponent(purlString),
+          purl,
+          "bom-ref": decodeURIComponent(purl),
           scope,
         });
       }
@@ -9514,18 +9699,20 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
       null,
       null,
     ).toString();
-    pkgList.push({
+    const apkg = {
       name: d.name,
       version: d.version,
       purl: purlString,
       "bom-ref": decodeURIComponent(purlString),
-      properties: [
+    };
+    if (reqOrSetupFile) {
+      apkg.properties = [
         {
           name: "SrcFile",
           value: reqOrSetupFile,
         },
-      ],
-      evidence: {
+      ];
+      apkg.evidence = {
         identity: {
           field: "purl",
           confidence: 0.8,
@@ -9537,8 +9724,9 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
             },
           ],
         },
-      },
-    });
+      };
+    }
+    pkgList.push(apkg);
     // Recurse and flatten
     if (d.dependencies && d.dependencies) {
       flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, d);
@@ -9914,6 +10102,8 @@ export function getPipFrozenTree(
         rootList.push({
           name,
           version,
+          purl: purlString,
+          "bom-ref": decodeURIComponent(purlString),
         });
         flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t);
       } else {
@@ -9933,6 +10123,190 @@ export function getPipFrozenTree(
   };
 }
 
+/**
+ * The problem: pip installation can fail for a number of reasons such as missing OS dependencies and devel packages.
+ * When it fails, we don't get any dependency tree. As a workaroud, this method would attempt to install one package at a time to the same virtual environment and then attempts to obtain a dependency tree.
+ * Such a tree could be incorrect or quite approximate, but some users might still find it useful to know the names of the indirect dependencies.
+ *
+ * @param {string} basePath Base path
+ * @param {Array} pkgList Existing package list
+ * @param {string} tempVenvDir Temp venv dir
+ * @param {Object} parentComponent Parent component
+ *
+ * @returns List of packages from the virtual env
+ */
+export function getPipTreeForPackages(
+  basePath,
+  pkgList,
+  tempVenvDir,
+  parentComponent,
+) {
+  const failedPkgList = [];
+  const rootList = [];
+  const dependenciesList = [];
+  let result = undefined;
+  const env = {
+    ...process.env,
+  };
+  if (!process.env.VIRTUAL_ENV && !process.env.CONDA_PREFIX) {
+    // Create a virtual environment
+    result = spawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
+      encoding: "utf-8",
+      shell: isWin,
+    });
+    if (result.status !== 0 || result.error) {
+      console.log("Virtual env creation has failed. Unable to continue.");
+      return {};
+    }
+    if (DEBUG_MODE) {
+      console.log("Using the virtual environment", tempVenvDir);
+    }
+    env.VIRTUAL_ENV = tempVenvDir;
+    env.PATH = `${join(
+      tempVenvDir,
+      platform() === "win32" ? "Scripts" : "bin",
+    )}${_delimiter}${process.env.PATH || ""}`;
+    // When cdxgen is invoked with the container image, we seem to be including unnecessary packages from the image.
+    // This workaround, unsets PYTHONPATH to suppress the pre-installed packages
+    if (
+      env?.PYTHONPATH === "/opt/pypi" &&
+      env?.CDXGEN_IN_CONTAINER === "true"
+    ) {
+      env.PYTHONPATH = undefined;
+    }
+  }
+  const python_cmd_for_tree = get_python_command_from_env(env);
+  let pipInstallArgs = ["-m", "pip", "install", "--disable-pip-version-check"];
+  // Support for passing additional arguments to pip
+  // Eg: --python-version 3.10 --ignore-requires-python --no-warn-conflicts
+  if (process?.env?.PIP_INSTALL_ARGS) {
+    const addArgs = process.env.PIP_INSTALL_ARGS.split(" ");
+    pipInstallArgs = pipInstallArgs.concat(addArgs);
+  } else {
+    pipInstallArgs = pipInstallArgs.concat([
+      "--ignore-requires-python",
+      "--no-compile",
+      "--no-warn-script-location",
+      "--no-warn-conflicts",
+    ]);
+  }
+  if (DEBUG_MODE) {
+    console.log(
+      "Installing",
+      pkgList.length,
+      "using the command",
+      python_cmd_for_tree,
+      pipInstallArgs.join(" "),
+    );
+  }
+  for (const apkg of pkgList) {
+    let pkgSpecifier = apkg.name;
+    if (apkg.version && apkg.version !== "latest") {
+      pkgSpecifier = `${apkg.name}==${apkg.version}`;
+    } else if (apkg.properties) {
+      let versionSpecifierFound = false;
+      for (const aprop of apkg.properties) {
+        if (aprop.name === "cdx:pypi:versionSpecifiers") {
+          pkgSpecifier = `${apkg.name}${aprop.value}`;
+          versionSpecifierFound = true;
+          break;
+        }
+      }
+      if (!versionSpecifierFound) {
+        failedPkgList.push(apkg);
+        continue;
+      }
+    } else {
+      failedPkgList.push(apkg);
+      continue;
+    }
+    if (DEBUG_MODE) {
+      console.log("Installing", pkgSpecifier);
+    }
+    // Attempt to perform pip install for pkgSpecifier
+    const result = spawnSync(
+      python_cmd_for_tree,
+      [...pipInstallArgs, pkgSpecifier],
+      {
+        cwd: basePath,
+        encoding: "utf-8",
+        timeout: TIMEOUT_MS,
+        shell: isWin,
+        env,
+      },
+    );
+    if (result.status !== 0 || result.error) {
+      failedPkgList.push(apkg);
+      if (DEBUG_MODE) {
+        console.log(apkg.name, "failed to install.");
+      }
+    }
+  }
+  // Did any package get installed successfully?
+  if (failedPkgList.length < pkgList.length) {
+    const dependenciesMap = {};
+    const tree = getTreeWithPlugin(env, python_cmd_for_tree, basePath);
+    for (const t of tree) {
+      const name = t.name.replace(/_/g, "-").toLowerCase();
+      // We can ignore excluded components such as build tools
+      if (PYTHON_EXCLUDED_COMPONENTS.includes(name)) {
+        continue;
+      }
+      if (parentComponent && parentComponent.name === t.name) {
+        t.version = parentComponent.version;
+      } else if (t.version && t.version === "latest") {
+        continue;
+      }
+      const version = t.version;
+      const purlString = new PackageURL(
+        "pypi",
+        "",
+        name,
+        version,
+        null,
+        null,
+      ).toString();
+      const apkg = {
+        name,
+        version,
+        purl: purlString,
+        type: "library",
+        "bom-ref": decodeURIComponent(purlString),
+        evidence: {
+          identity: {
+            field: "purl",
+            confidence: 0.5,
+            methods: [
+              {
+                technique: "instrumentation",
+                confidence: 0.5,
+                value: env.VIRTUAL_ENV,
+              },
+            ],
+          },
+        },
+      };
+      // These packages have lower confidence
+      pkgList.push(apkg);
+      rootList.push({
+        name,
+        version,
+        purl: purlString,
+        "bom-ref": decodeURIComponent(purlString),
+      });
+      flattenDeps(dependenciesMap, pkgList, undefined, t);
+    } // end for
+    for (const k of Object.keys(dependenciesMap)) {
+      dependenciesList.push({ ref: k, dependsOn: dependenciesMap[k] });
+    }
+  } // end if
+  return {
+    failedPkgList,
+    rootList,
+    dependenciesList,
+  };
+}
+
 // taken from a very old package https://github.com/keithamus/parse-packagejson-name/blob/master/index.js
 export function parsePackageJsonName(name) {
   const nameRegExp = /^(?:@([^/]+)\/)?(([^.]+)(?:\.(.*))?)$/;
@@ -11236,3 +11610,22 @@ export function isValidIriReference(iri) {
   }
   return false;
 }
+
+/**
+ * Method to check if a given dependency tree is partial or not.
+ *
+ * @param {Array} dependencies List of dependencies
+ * @returns {Boolean} True if the dependency tree lacks any non-root parents without children. False otherwise.
+ */
+export function isPartialTree(dependencies) {
+  if (dependencies?.length <= 1) {
+    return true;
+  }
+  let parentsWithChildsCount = 0;
+  for (const adep of dependencies) {
+    if (adep?.dependsOn.length > 0) {
+      parentsWithChildsCount++;
+    }
+  }
+  return parentsWithChildsCount <= 1;
+}

package/utils.test.js

@@ -16,7 +16,9 @@ import {
   getRepoLicense,
   guessPypiMatchingVersion,
   hasAnyProjectType,
+  isPartialTree,
   isValidIriReference,
+  mapConanPkgRefToPurlStringAndNameAndVersion,
   parseBazelActionGraph,
   parseBazelBuild,
   parseBazelSkyframe,
@@ -1552,17 +1554,147 @@ test("parse conan data", () => {
   dep_list = parseConanData(
     readFileSync("./test/data/cmakes/conanfile1.txt", { encoding: "utf-8" }),
   );
-  expect(dep_list.length).toEqual(42);
+  expect(dep_list.length).toEqual(43);
   expect(dep_list[0]).toEqual({
     "bom-ref":
-      "pkg:conan/7-Zip@19.00?revision=bb67aa9bc0da3feddc68ca9f334f4c8b",
+      "pkg:conan/7-Zip@19.00?channel=stable&rrev=bb67aa9bc0da3feddc68ca9f334f4c8b&user=iw",
     name: "7-Zip",
-    purl: "pkg:conan/7-Zip@19.00?revision=bb67aa9bc0da3feddc68ca9f334f4c8b",
+    purl: "pkg:conan/7-Zip@19.00?channel=stable&rrev=bb67aa9bc0da3feddc68ca9f334f4c8b&user=iw",
     scope: "required",
     version: "19.00",
   });
 });
 
+test("conan package reference mapper to pURL", () => {
+  const checkParseResult = (inputPkgRef, expectedPurl) => {
+    const [purl, name, version] =
+      mapConanPkgRefToPurlStringAndNameAndVersion(inputPkgRef);
+    expect(purl).toEqual(expectedPurl);
+
+    const expectedPurlPrefix = `pkg:conan/${name}@${version}`;
+    expect(purl.substring(0, expectedPurlPrefix.length)).toEqual(
+      expectedPurlPrefix,
+    );
+  };
+
+  checkParseResult("testpkg", "pkg:conan/testpkg@latest");
+
+  checkParseResult("testpkg/1.2.3", "pkg:conan/testpkg@1.2.3");
+
+  checkParseResult(
+    "testpkg/1.2.3#recipe_revision",
+    "pkg:conan/testpkg@1.2.3?rrev=recipe_revision",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel",
+    "pkg:conan/testpkg@1.2.3?channel=somechannel&user=someuser",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision",
+    "pkg:conan/testpkg@1.2.3?channel=somechannel&rrev=recipe_revision&user=someuser",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision",
+    "pkg:conan/testpkg@1.2.3" +
+      "?channel=somechannel" +
+      "&prev=package_revision" +
+      "&rrev=recipe_revision" +
+      "&user=someuser",
+  );
+
+  const expectParseError = (pkgRef) => {
+    const result = mapConanPkgRefToPurlStringAndNameAndVersion(pkgRef);
+    expect(result[0]).toBe(null);
+    expect(result[1]).toBe(null);
+    expect(result[2]).toBe(null);
+  };
+
+  expectParseError("testpkg/"); // empty version
+  expectParseError("testpkg/1.2.3@"); // empty user
+  expectParseError("testpkg/1.2.3@someuser"); // pkg ref is not allowed to stop here
+  expectParseError("testpkg/1.2.3@someuser/"); // empty channel
+  expectParseError("testpkg/1.2.3@someuser/somechannel#"); // empty recipe revision
+  expectParseError("testpkg/1.2.3@someuser/somechannel#recipe_revision:"); // empty package id
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id",
+  ); // pkg ref is not allowed to stop here
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#",
+  ); // empty package revision
+  expectParseError("testpkg/1.2.3/unexpected"); // unexpected pkg ref segment separator
+  expectParseError("testpkg/1.2.3@someuser/somechannel/unexpected"); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision/unexpected",
+  ); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id/unexpected",
+  ); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision/unexpected",
+  ); // unexpected pkg ref segment separator
+});
+
+test("parse conan data where packages use custom user/channel", () => {
+  let dep_list = parseConanLockData(
+    readFileSync("./test/data/conan.with_custom_pkg_user_channel.lock", {
+      encoding: "utf-8",
+    }),
+  );
+  expect(dep_list.length).toEqual(4);
+  expect(dep_list[0]).toEqual({
+    name: "libcurl",
+    version: "8.1.2",
+    "bom-ref":
+      "pkg:conan/libcurl@8.1.2?channel=stable&rrev=25215c550633ef0224152bc2c0556698&user=internal",
+    purl: "pkg:conan/libcurl@8.1.2?channel=stable&rrev=25215c550633ef0224152bc2c0556698&user=internal",
+  });
+  expect(dep_list[1]).toEqual({
+    name: "openssl",
+    version: "3.1.0",
+    "bom-ref":
+      "pkg:conan/openssl@3.1.0?channel=stable&rrev=c9c6ab43aa40bafacf8b37c5948cdb1f&user=internal",
+    purl: "pkg:conan/openssl@3.1.0?channel=stable&rrev=c9c6ab43aa40bafacf8b37c5948cdb1f&user=internal",
+  });
+  expect(dep_list[2]).toEqual({
+    name: "zlib",
+    version: "1.2.13",
+    "bom-ref":
+      "pkg:conan/zlib@1.2.13?channel=stable&rrev=aee6a56ff7927dc7261c55eb2db4fc5b&user=internal",
+    purl: "pkg:conan/zlib@1.2.13?channel=stable&rrev=aee6a56ff7927dc7261c55eb2db4fc5b&user=internal",
+  });
+  expect(dep_list[3]).toEqual({
+    name: "fmt",
+    version: "10.0.0",
+    purl: "pkg:conan/fmt@10.0.0?channel=stable&rrev=79e7cc169695bc058fb606f20df6bb10&user=internal",
+    "bom-ref":
+      "pkg:conan/fmt@10.0.0?channel=stable&rrev=79e7cc169695bc058fb606f20df6bb10&user=internal",
+  });
+
+  dep_list = parseConanData(
+    readFileSync("./test/data/conanfile.with_custom_pkg_user_channel.txt", {
+      encoding: "utf-8",
+    }),
+  );
+  expect(dep_list.length).toEqual(2);
+  expect(dep_list[0]).toEqual({
+    name: "libcurl",
+    version: "8.1.2",
+    "bom-ref": "pkg:conan/libcurl@8.1.2?channel=stable&user=internal",
+    purl: "pkg:conan/libcurl@8.1.2?channel=stable&user=internal",
+    scope: "required",
+  });
+  expect(dep_list[1]).toEqual({
+    name: "fmt",
+    version: "10.0.0",
+    purl: "pkg:conan/fmt@10.0.0?channel=stable&user=internal",
+    "bom-ref": "pkg:conan/fmt@10.0.0?channel=stable&user=internal",
+    scope: "optional",
+  });
+});
+
 test("parse clojure data", () => {
   expect(parseLeiningenData(null)).toEqual([]);
   let dep_list = parseLeiningenData(
@@ -2249,6 +2381,8 @@ test("parsePomMetadata", async () => {
   expect(data.length).toEqual(deps.length);
 });
 
+// These tests are disabled because they are returning undefined
+/*
 test("get repo license", async () => {
   let license = await getRepoLicense(
     "https://github.com/ShiftLeftSecurity/sast-scan",
@@ -2271,8 +2405,6 @@ test("get repo license", async () => {
     url: "https://github.com/CycloneDX/cdxgen/blob/master/LICENSE",
   });
 
-  // These tests are disabled because they are returning undefined
-  /*
   license = await getRepoLicense("https://cloud.google.com/go", {
     group: "cloud.google.com",
     name: "go"
@@ -2287,8 +2419,8 @@ test("get repo license", async () => {
     id: "MIT",
     url: "https://github.com/ugorji/go/blob/master/LICENSE"
   });
-  */
 });
+*/
 
 test("get go pkg license", async () => {
   let license = await getGoPkgLicense({
@@ -2852,8 +2984,8 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList).toHaveLength(462);
   expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(653);
-  expect(parsedList.dependenciesList.length).toEqual(653);
+  expect(parsedList.pkgList.length).toEqual(652);
+  expect(parsedList.dependenciesList.length).toEqual(652);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",
@@ -2919,6 +3051,7 @@ test("parseYarnLock", async () => {
     },
   });
   expect(parsedList.dependenciesList.length).toEqual(56);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   identMap = yarnLockToIdentMap(
     readFileSync("./test/data/yarn_locks/yarn.lock", "utf8"),
   );
@@ -2962,6 +3095,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn-multi.lock");
   expect(parsedList.pkgList.length).toEqual(1909);
   expect(parsedList.dependenciesList.length).toEqual(1909);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-zpruxnFMz6K94gs2pqc3sidzFDbQpKT5D6P/J/I9s8ekHZ5eczgnRp6pqXC86Bh7+44j/btpmOT0kwiboyqTnA==",
@@ -2994,6 +3128,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn-light.lock");
   expect(parsedList.pkgList.length).toEqual(315);
   expect(parsedList.dependenciesList.length).toEqual(315);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-rZ1k9kQvJX21Vwgx1L6kSQ6yeXo9cCMyqURSnjG+MRoJn+Mr3LblxmVdzScHXRzv0N9yzy49oG7Bqxp9Knyv/g==",
@@ -3026,6 +3161,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn3.lock");
   expect(parsedList.pkgList.length).toEqual(5);
   expect(parsedList.dependenciesList.length).toEqual(5);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[1]).toEqual({
     _integrity:
       "sha512-+X9Jn4mPI+RYV0ITiiLyJSYlT9um111BocJSaztsxXR+9ZxWErpzdfQqyk+EYZUOklugjJkerQZRtJGLfJeClw==",
@@ -3058,6 +3194,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv2.lock");
   expect(parsedList.pkgList.length).toEqual(1088);
   expect(parsedList.dependenciesList.length).toEqual(1088);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-G0U5NjBUYIs39l1J1ckgpVfVX2IxpzRAIT4/2An86O2Mcri3k5xNu7/RRkfObo12wN9s7BmnREAMhH7252oZiA==",
@@ -3089,6 +3226,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv3.lock");
   expect(parsedList.pkgList.length).toEqual(363);
   expect(parsedList.dependenciesList.length).toEqual(363);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-vtU+q0TmdIDmezU7lKub73vObN6nmd3lkcKWz7R9hyNI8gz5o7grDb+FML9nykOLW+09gGIup2xyJ86j5vBKpg==",
@@ -3120,6 +3258,7 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn4.lock");
   expect(parsedList.pkgList.length).toEqual(1);
   expect(parsedList.dependenciesList.length).toEqual(1);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeTruthy();
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn-at.lock");
   expect(parsedList.pkgList.length).toEqual(4);
   expect(parsedList.dependenciesList.length).toEqual(4);
@@ -3151,30 +3290,51 @@ test("parseYarnLock", async () => {
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn5.lock");
   expect(parsedList.pkgList.length).toEqual(1962);
   expect(parsedList.dependenciesList.length).toEqual(1962);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0].purl).toEqual(
     "pkg:npm/%40ampproject/remapping@2.2.0",
   );
   expect(parsedList.pkgList[0]["bom-ref"]).toEqual(
     "pkg:npm/@ampproject/remapping@2.2.0",
   );
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/@babel/code-frame@7.12.11",
+    dependsOn: ["pkg:npm/@babel/highlight@7.18.6"],
+  });
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn6.lock");
   expect(parsedList.pkgList.length).toEqual(1472);
   expect(parsedList.dependenciesList.length).toEqual(1472);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0].purl).toEqual(
     "pkg:npm/%40aashutoshrathi/word-wrap@1.2.6",
   );
   expect(parsedList.pkgList[0]["bom-ref"]).toEqual(
     "pkg:npm/@aashutoshrathi/word-wrap@1.2.6",
   );
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/@ampproject/remapping@2.2.1",
+    dependsOn: [
+      "pkg:npm/@jridgewell/gen-mapping@0.3.3",
+      "pkg:npm/@jridgewell/trace-mapping@0.3.19",
+    ],
+  });
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarn7.lock");
   expect(parsedList.pkgList.length).toEqual(1350);
   expect(parsedList.dependenciesList.length).toEqual(1347);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   expect(parsedList.pkgList[0].purl).toEqual(
     "pkg:npm/%40aashutoshrathi/word-wrap@1.2.6",
   );
   expect(parsedList.pkgList[0]["bom-ref"]).toEqual(
     "pkg:npm/@aashutoshrathi/word-wrap@1.2.6",
   );
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/@ampproject/remapping@2.2.1",
+    dependsOn: [
+      "pkg:npm/@jridgewell/gen-mapping@0.3.3",
+      "pkg:npm/@jridgewell/trace-mapping@0.3.19",
+    ],
+  });
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv4.lock");
   expect(parsedList.pkgList.length).toEqual(1851);
   expect(parsedList.dependenciesList.length).toEqual(1851);
@@ -3184,6 +3344,11 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]["bom-ref"]).toEqual(
     "pkg:npm/@aashutoshrathi/word-wrap@1.2.6",
   );
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/@actions/core@1.2.6",
+    dependsOn: [],
+  });
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv4.1.lock");
   expect(parsedList.pkgList.length).toEqual(861);
   expect(parsedList.dependenciesList.length).toEqual(858);
@@ -3196,11 +3361,27 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]._integrity).toEqual(
     "sha512-U8KyMaYaRnkrOaDUO8T093a7RUKqV+4EkwZ2gC5VASgsL8iqwU5M0fESD/i1Jha2/1q1Oa0wqiJ31yZES3Fhnw==",
   );
-
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
   parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv1-fs.lock");
   expect(parsedList.pkgList.length).toEqual(882);
   expect(parsedList.dependenciesList.length).toEqual(882);
   expect(parsedList.pkgList[0].purl).toEqual("pkg:npm/abbrev@1.0.9");
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/accepts@1.3.3",
+    dependsOn: ["pkg:npm/mime-types@2.1.12", "pkg:npm/negotiator@0.6.1"],
+  });
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
+  parsedList = await parseYarnLock("./test/data/yarn_locks/yarnv1-empty.lock");
+  expect(parsedList.pkgList.length).toEqual(770);
+  expect(parsedList.dependenciesList.length).toEqual(770);
+  expect(isPartialTree(parsedList.dependenciesList)).toBeFalsy();
+  expect(parsedList.pkgList[0].purl).toEqual(
+    "pkg:npm/%40ampproject/remapping@2.2.0",
+  );
+  expect(parsedList.dependenciesList[1]).toEqual({
+    ref: "pkg:npm/@aws-sdk/shared-ini-file-loader@3.188.0",
+    dependsOn: ["pkg:npm/@aws-sdk/types@3.188.0", "pkg:npm/tslib@2.4.0"],
+  });
 });
 
 test("parseComposerLock", () => {

package/validator.js

@@ -3,7 +3,7 @@ import { dirname, join } from "node:path";
 import Ajv from "ajv";
 import addFormats from "ajv-formats";
 import { PackageURL } from "packageurl-js";
-import { DEBUG_MODE } from "./utils.js";
+import { DEBUG_MODE, isPartialTree } from "./utils.js";
 
 import { URL, fileURLToPath } from "node:url";
 let url = import.meta.url;
@@ -217,6 +217,9 @@ export const validateRefs = (bomJson) => {
   const warningsList = [];
   const refMap = buildRefs(bomJson);
   if (bomJson?.dependencies) {
+    if (isPartialTree(bomJson.dependencies)) {
+      warningsList.push("Dependency tree is partial lacking child nodes.");
+    }
     for (const dep of bomJson.dependencies) {
       if (
         dep.ref.includes("%40") ||