@cyclonedx/cdxgen 10.9.1 → 10.9.2

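--- a/package/bin/cdxgen.js
+++ b/package/bin/cdxgen.js
@@ -104,6 +104,11 @@ const args = yargs(hideBin(process.argv))
  .option("server-url", {
  description: "Dependency track url. Eg: https://deptrack.cyclonedx.io",
  })
+ .option("skip-dt-tls-check", {
+ type: "boolean",
+ default: false,
+ description: "Skip TLS certificate check when calling Dependency-Track. ",
+ })
  .option("api-key", {
  description: "Dependency track api key",
  })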
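Review bot: The description of the new `skip-dt-tls-check` option does not say what the flag gives up: when it is set, the Dependency-Track server's certificate is no longer verified, so the `X-Api-Key` header and the SBOM go to whatever endpoint answers on `server-url`. The help text is the only thing a user reads before passing the flag, so it should state the consequence, e.g. `description: "Skip TLS certificate verification when calling Dependency-Track. This disables server authentication for the upload; intended for self-signed test servers only."`. The current string also ends with a stray space before the closing quote. The yargs option chain continues outside the hunk.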
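--- a/package/binary.js
+++ b/package/binary.js
@@ -271,6 +271,9 @@ const OS_DISTRO_ALIAS = {
  "debian-1.3": "bo",
  "debian-1.2": "rex",
  "debian-1.1": "buzz",
+ "red hat enterprise linux": "rhel",
+ "red hat enterprise linux 8": "rhel-8",
+ "red hat enterprise linux 9": "rhel-9",
  };
 
  export function getGoBuildInfo(src) {
@@ -421,9 +424,13 @@ export function getOSPackages(src) {
  let distro_codename =
  osReleaseData["VERSION_CODENAME"] ||
  osReleaseData["CENTOS_MANTISBT_PROJECT"] ||
+ osReleaseData["REDHAT_BUGZILLA_PRODUCT"] ||
  osReleaseData["REDHAT_SUPPORT_PRODUCT"] ||
  "";
  distro_codename = distro_codename.toLowerCase();
+ if (distro_codename.includes(" ") && OS_DISTRO_ALIAS[distro_codename]) {
+ distro_codename = OS_DISTRO_ALIAS[distro_codename];
+ }
  let distro_id = osReleaseData["ID"] || "";
  const distro_id_like = osReleaseData["ID_LIKE"] || "";
  let purl_type = "rpm";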
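Review bot: The alias lookup at new lines 431-433 indexes the plain object `OS_DISTRO_ALIAS` with a key taken from the scanned system's os-release data and relies on truthiness to decide whether an alias applies; `if (distro_codename.includes(" ") && Object.hasOwn(OS_DISTRO_ALIAS, distro_codename)) {` makes the own-key test explicit and keeps inherited `Object.prototype` names out of the decision. The `includes(" ")` guard deserves a one-line comment, since it is presumably what stops single-token table keys such as the `debian-*` entries from rewriting a real codename: `// only multi-word product strings are aliased; single-token codenames are left untouched`. A product string not present in the table, for example one carrying a minor version, falls through with its spaces intact, which may be intended but is worth stating. `getOSPackages` continues outside the hunk.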
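--- a/package/index.js
+++ b/package/index.js
@@ -1943,6 +1943,7 @@ export async function createJavaBom(path, options) {
 
  // Bazel
  // Look for the BUILD file only in the root directory
+ // NOTE: This can match BUILD files used by perl, so could lead to errors in some projects
  const bazelFiles = getAllFiles(
  path,
  `${options.multiProject ? "**/" : ""}BUILD*`,
@@ -1950,6 +1951,7 @@ export async function createJavaBom(path, options) {
  );
  if (
  bazelFiles?.length &&
+ !hasAnyProjectType(["docker", "oci", "container", "os"], options, false) &&
  !options.projectType?.includes("maven") &&
  !options.projectType?.includes("gradle") &&
  !options.projectType?.includes("scala") &&
@@ -2837,7 +2839,7 @@ export async function createPythonBom(path, options) {
  const parentDependsOn = [];
  // Complete the dependency tree by making parent component depend on the first level
  for (const p of retMap.rootList) {
- parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+ parentDependsOn.push(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
  }
  const pdependencies = {
  ref: parentComponent["bom-ref"],
@@ -2985,50 +2987,63 @@ export async function createPythonBom(path, options) {
  } else {
  pkgMap = getPipFrozenTree(path, undefined, tempDir, parentComponent);
  }
+
  // Get the imported modules and a dedupe list of packages
  const parentDependsOn = new Set();
- const retMap = await getPyModules(path, pkgList, options);
- // We need to patch the existing package list to add ImportedModules for evinse to work
- if (retMap.modList?.length) {
- const iSymbolsMap = {};
- retMap.modList.forEach((v) => {
- iSymbolsMap[v.name] = v.importedSymbols;
- iSymbolsMap[v.name.replace(/_/g, "-")] = v.importedSymbols;
- });
- for (const apkg of pkgList) {
- if (iSymbolsMap[apkg.name]) {
- apkg.properties = apkg.properties || [];
- apkg.properties.push({
- name: "ImportedModules",
- value: iSymbolsMap[apkg.name],
- });
+
+ // ATOM parsedeps block
+ // Atom parsedeps slices can be used to identify packages that are not declared in manifests
+ // Since it is a slow operation, we only use it as a fallback or in deep mode
+ // This change was made in 10.9.2 release onwards
+ if (options.deep || !pkgList.length) {
+ const retMap = await getPyModules(path, pkgList, options);
+ // We need to patch the existing package list to add ImportedModules for evinse to work
+ if (retMap.modList?.length) {
+ const iSymbolsMap = {};
+ retMap.modList.forEach((v) => {
+ iSymbolsMap[v.name] = v.importedSymbols;
+ iSymbolsMap[v.name.replace(/_/g, "-")] = v.importedSymbols;
+ });
+ for (const apkg of pkgList) {
+ if (iSymbolsMap[apkg.name]) {
+ apkg.properties = apkg.properties || [];
+ apkg.properties.push({
+ name: "ImportedModules",
+ value: iSymbolsMap[apkg.name],
+ });
+ }
  }
  }
- }
- if (retMap.pkgList?.length) {
- pkgList = pkgList.concat(retMap.pkgList);
- for (const p of retMap.pkgList) {
- if (
- !p.version ||
- (parentComponent &&
- p.name === parentComponent.name &&
- (p.version === parentComponent.version || p.version === "latest"))
- ) {
- continue;
+ if (retMap.pkgList?.length) {
+ pkgList = pkgList.concat(retMap.pkgList);
+ for (const p of retMap.pkgList) {
+ if (
+ !p.version ||
+ (parentComponent &&
+ p.name === parentComponent.name &&
+ (p.version === parentComponent.version ||
+ p.version === "latest"))
+ ) {
+ continue;
+ }
+ parentDependsOn.add(
+ `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+ );
  }
- parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
+ }
+ if (retMap.dependenciesList) {
+ dependencies = mergeDependencies(
+ dependencies,
+ retMap.dependenciesList,
+ parentComponent,
+ );
+ }
+ if (retMap.allImports) {
+ allImports = { ...allImports, ...retMap.allImports };
  }
  }
- if (retMap.dependenciesList) {
- dependencies = mergeDependencies(
- dependencies,
- retMap.dependenciesList,
- parentComponent,
- );
- }
- if (retMap.allImports) {
- allImports = { ...allImports, ...retMap.allImports };
- }
+ // ATOM parsedeps block
+
  // Complete the dependency tree by making parent component depend on the first level
  for (const p of pkgMap.rootList) {
  if (
@@ -3038,7 +3053,7 @@ export async function createPythonBom(path, options) {
  ) {
  continue;
  }
- parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
+ parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
  }
  if (pkgMap.pkgList?.length) {
  pkgList = pkgList.concat(pkgMap.pkgList);
@@ -6543,8 +6558,18 @@ export async function submitBom(args, bomContents) {
  );
  }
  try {
+ if (DEBUG_MODE && args.skipDtTlsCheck) {
+ console.log(
+ "Calling ",
+ serverUrl,
+ "with --skip-dt-tls-check argument: Skip DT TLS check.",
+ );
+ }
  return await got(serverUrl, {
  method: "PUT",
+ https: {
+ rejectUnauthorized: !args.skipDtTlsCheck,
+ },
  headers: {
  "X-Api-Key": args.apiKey,
  "Content-Type": "application/json",
@@ -6560,10 +6585,16 @@ export async function submitBom(args, bomContents) {
  "Received Unauthorized error. Check the API key used is valid and has necessary permissions to create projects and upload bom.",
  );
  } else if (error.response && error.response.statusCode === 405) {
+ console.log(
+ "Method PUT not allowed on Dependency-Track server. Trying with POST ...",
+ );
  // Method not allowed errors
  try {
  return await got(serverUrl, {
  method: "POST",
+ https: {
+ rejectUnauthorized: !args.skipDtTlsCheck,
+ },
  headers: {
  "X-Api-Key": args.apiKey,
  "Content-Type": "application/json",
@@ -6573,14 +6604,27 @@ export async function submitBom(args, bomContents) {
  responseType: "json",
  }).json();
  } catch (error) {
+ if (DEBUG_MODE) {
+ console.log(
+ "Unable to submit the SBOM to the Dependency-Track server using POST method",
+ error,
+ );
+ } else {
+ console.log(
+ "Unable to submit the SBOM to the Dependency-Track server using POST method",
+ );
+ }
+ }
+ } else {
+ if (DEBUG_MODE) {
  console.log(
  "Unable to submit the SBOM to the Dependency-Track server using POST method",
+ error,
  );
+ } else {
+ console.log("Unable to submit the SBOM to the Dependency-Track server");
  }
- } else {
- console.log("Unable to submit the SBOM to the Dependency-Track server");
  }
- console.log(error.response?.body);
  return error.response?.body;
  }
  }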
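Review bot: In the outer `else` branch of the `submitBom` catch (new lines 6619-6622) the DEBUG_MODE message still reads "... using POST method", but that branch handles PUT failures that were neither 401 nor 405, so no POST was attempted; the message there should be `"Unable to submit the SBOM to the Dependency-Track server"` with `error` appended, matching the non-debug line beneath it. Dropping `console.log(error.response?.body)` at old line 6583 also means the server's error body is no longer shown in non-debug runs, which is what told users why an upload was rejected; consider keeping that line. Separately, `https: { rejectUnauthorized: !args.skipDtTlsCheck }` is repeated in the PUT and POST requests while the fact that certificate verification is off is only printed under DEBUG_MODE; an unconditional `console.warn("TLS certificate verification for Dependency-Track is disabled (--skip-dt-tls-check)")` when the flag is set would make the downgrade visible in normal output, and a single `const httpsOptions = { rejectUnauthorized: !args.skipDtTlsCheck };` reused by both requests would remove the duplication. `submitBom` begins outside the hunk.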
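--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cyclonedx/cdxgen",
- "version": "10.9.1",
+ "version": "10.9.2",
  "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
  "homepage": "http://github.com/cyclonedx/cdxgen",
  "author": "Prabhu Subramanian <prabhu@appthreat.com>",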
@@ -1 +1 @@
1
- {"version":3,"file":"binary.d.ts","sourceRoot":"","sources":["../binary.js"],"names":[],"mappings":"AAmRA,iDA8BC;AAED,wDAmBC;AAED;;;;;;;EAiXC;AAkCD,gDAoDC;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,cACN,MAAM,WA2BhB;AAED;;;;;;;;GAQG;AACH,kCANW,MAAM,iBACN,MAAM,YACN,OAAO,GAEN,OAAO,CA8BlB"}
1
+ {"version":3,"file":"binary.d.ts","sourceRoot":"","sources":["../binary.js"],"names":[],"mappings":"AAsRA,iDA8BC;AAED,wDAmBC;AAED;;;;;;;EAqXC;AAkCD,gDAoDC;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,cACN,MAAM,WA2BhB;AAED;;;;;;;;GAQG;AACH,kCANW,MAAM,iBACN,MAAM,YACN,OAAO,GAEN,OAAO,CA8BlB"}
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AAyvBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAwgChB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkahB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAkUhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CA2FxE"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AAyvBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BA0gChB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA+ahB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAkUhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"}