@cyclonedx/cdxgen 10.9.10 → 10.10.0

package/README.md

@@ -55,7 +55,7 @@ Sections include:
 ## Installing
 
 ```shell
-npm install -g @cyclonedx/cdxgen@10.9.10
+npm install -g @cyclonedx/cdxgen
 ```
 
 If you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][homebrew-cdxgen] via:
@@ -312,7 +312,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
-- .NET (packages.lock.json, project.assets.json, paket.lock)
+- .NET (packages.lock.json, project.assets.json, paket.lock, .nuspec/.nupkg)
 - Go (go.mod)
 - PHP (composer.lock)
 - Ruby (Gemfile.lock)
@@ -403,7 +403,7 @@ To generate test public/private key pairs, you can run cdxgen by passing the arg
 Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.
 
 ```shell
-npm install -g @cyclonedx/cdxgen@10.9.10
+npm install -g @cyclonedx/cdxgen
 cdx-verify -i bom.json --public-key public.key
 ```
 

package/bin/cdxgen.js

@@ -10,6 +10,7 @@ import { findUpSync } from "find-up";
 import globalAgent from "global-agent";
 import { load as _load } from "js-yaml";
 import jws from "jws";
+import { createBom, submitBom } from "../lib/cli/index.js";
 import {
   printCallStack,
   printDependencyTree,
@@ -20,12 +21,11 @@ import {
   printSponsorBanner,
   printSummary,
   printTable,
-} from "../display.js";
-import { createBom, submitBom } from "../index.js";
-import { postProcess } from "../postgen.js";
-import { prepareEnv } from "../pregen.js";
-import { ATOM_DB } from "../utils.js";
-import { validateBom } from "../validator.js";
+} from "../lib/helpers/display.js";
+import { ATOM_DB, dirNameStr } from "../lib/helpers/utils.js";
+import { validateBom } from "../lib/helpers/validator.js";
+import { postProcess } from "../lib/stages/postgen/postgen.js";
+import { prepareEnv } from "../lib/stages/pregen/pregen.js";
 
 // Support for config files
 const configPath = findUpSync([
@@ -51,7 +51,7 @@ let url = import.meta.url;
 if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
-const dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
+const dirName = dirNameStr;
 
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
@@ -493,7 +493,7 @@ const checkPermissions = (filePath) => {
   printSponsorBanner(options);
   // Start SBOM server
   if (options.server) {
-    const serverModule = await import("../server.js");
+    const serverModule = await import("../lib/server/server.js");
     return serverModule.start(options);
   }
   // Check if cdxgen has the required permissions
@@ -666,7 +666,7 @@ const checkPermissions = (filePath) => {
     if (!options.evinseOutput) {
       options.evinseOutput = options.output;
     }
-    const evinserModule = await import("../evinser.js");
+    const evinserModule = await import("../lib/evinser/evinser.js");
     options.projectType = options.projectType || ["java"];
     const evinseOptions = {
       _: args._,
@@ -719,7 +719,7 @@ const checkPermissions = (filePath) => {
   }
   // Protobuf serialization
   if (options.exportProto) {
-    const protobomModule = await import("../protobom.js");
+    const protobomModule = await import("../lib/helpers/protobom.js");
     protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
   }
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {

package/bin/evinse.js

@@ -7,15 +7,19 @@ import { load as _load } from "js-yaml";
 // Evinse (Evinse Verification Is Nearly SBOM Evidence)
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+import {
+  analyzeProject,
+  createEvinseFile,
+  prepareDB,
+} from "../lib/evinser/evinser.js";
 import {
   printCallStack,
   printOccurrences,
   printReachables,
   printServices,
-} from "../display.js";
-import { analyzeProject, createEvinseFile, prepareDB } from "../evinser.js";
-import { ATOM_DB } from "../utils.js";
-import { validateBom } from "../validator.js";
+} from "../lib/helpers/display.js";
+import { ATOM_DB } from "../lib/helpers/utils.js";
+import { validateBom } from "../lib/helpers/validator.js";
 
 // Support for config files
 const configPath = findUpSync([

package/bin/repl.js

@@ -7,6 +7,7 @@ import process from "node:process";
 import repl from "node:repl";
 import jsonata from "jsonata";
 
+import { createBom } from "../lib/cli/index.js";
 import {
   printCallStack,
   printDependencyTree,
@@ -17,9 +18,8 @@ import {
   printSummary,
   printTable,
   printVulnerabilities,
-} from "../display.js";
-import { createBom } from "../index.js";
-import { validateBom } from "../validator.js";
+} from "../lib/helpers/display.js";
+import { validateBom } from "../lib/helpers/validator.js";
 
 const options = {
   useColors: true,

package/bin/verify.js

@@ -7,12 +7,13 @@ import { URL, fileURLToPath } from "node:url";
 import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+import { dirNameStr } from "../lib/helpers/utils.js";
 
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
-const dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
+const dirName = dirNameStr;
 
 const args = yargs(hideBin(process.argv))
   .option("input", {

package/{index.js → lib/cli/index.js}

@@ -27,7 +27,7 @@ import {
   getOriginUrl,
   gitTreeHashes,
   listFiles,
-} from "./envcontext.js";
+} from "../helpers/envcontext.js";
 import {
   CARGO_CMD,
   CLJ_CMD,
@@ -52,6 +52,7 @@ import {
   convertJarNSToPackages,
   convertOSQueryResults,
   determineSbtVersion,
+  dirNameStr,
   encodeForPurl,
   executeGradleProperties,
   executeParallelGradleProperties,
@@ -143,34 +144,34 @@ import {
   readZipEntry,
   recomputeScope,
   splitOutputByGradleProjects,
-} from "./utils.js";
+} from "../helpers/utils.js";
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
-const dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
+const dirName = dirNameStr;
 
 const selfPJson = JSON.parse(
   readFileSync(join(dirName, "package.json"), "utf-8"),
 );
 const _version = selfPJson.version;
 import { gte, lte } from "semver";
-import { findJSImportsExports } from "./analyzer.js";
+import { findJSImportsExports } from "../helpers/analyzer.js";
+import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
   executeOsQuery,
   getBinaryBom,
   getCargoAuditableInfo,
   getDotnetSlices,
   getOSPackages,
-} from "./binary.js";
-import { collectOSCryptoLibs } from "./cbomutils.js";
+} from "../managers/binary.js";
 import {
   addSkippedSrcFiles,
   exportArchive,
   exportImage,
   getPkgPathList,
   parseImageName,
-} from "./docker.js";
+} from "../managers/docker.js";
 
 const isWin = _platform() === "win32";
 
@@ -557,6 +558,11 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
       }
     }
     if (parentComponent?.components) {
+      parentComponent.components = listComponents(
+        options,
+        {},
+        parentComponent.components,
+      );
       const parentFullName = componentToSimpleFullName(parentComponent);
       const subComponents = [];
       const addedSubComponents = {};
@@ -591,7 +597,12 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
           }
         }
       } // for
-      parentComponent.components = subComponents;
+      // Avoid creating empty component.components attribute
+      if (subComponents.length) {
+        parentComponent.components = subComponents;
+      } else {
+        parentComponent.components = undefined;
+      }
     }
     metadata.component = parentComponent;
   }
@@ -1457,7 +1468,7 @@ export async function createJavaBom(path, options) {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible. Try running cdxgen with the unofficial JDK11-based image `ghcr.io/appthreat/cdxgen-java:v10`.",
+                "1. Java version requirement: cdxgen container image bundles Java 23 with maven 3.9 which might be incompatible. Try running cdxgen with the unofficial JDK11-based image `ghcr.io/appthreat/cdxgen-java:v10`.",
               );
             }
             console.log(
@@ -1624,7 +1635,7 @@ export async function createJavaBom(path, options) {
     gradleFiles?.length &&
     isPackageManagerAllowed("gradle", ["maven", "bazel", "sbt"], options)
   ) {
-    let retMap = executeGradleProperties(gradleRootPath, null);
+    const retMap = executeGradleProperties(gradleRootPath, null);
     const allProjectsStr = retMap.projects || [];
     const rootProject = retMap.rootProject;
     if (rootProject) {
@@ -1636,65 +1647,31 @@ export async function createJavaBom(path, options) {
     }
     // Get the sub-project properties and set the root dependencies
     if (allProjectsStr?.length) {
-      if (process.env.GRADLE_MULTI_THREADED) {
-        const parallelPropTaskOut = executeParallelGradleProperties(
-          gradleRootPath,
-          allProjectsStr,
-        );
-        const splitPropTaskOut = splitOutputByGradleProjects(
-          parallelPropTaskOut,
-          ["properties"],
-        );
+      const parallelPropTaskOut = executeParallelGradleProperties(
+        gradleRootPath,
+        allProjectsStr,
+      );
+      const splitPropTaskOut = splitOutputByGradleProjects(
+        parallelPropTaskOut,
+        ["properties"],
+      );
 
-        for (const [key, propTaskOut] of splitPropTaskOut.entries()) {
-          let retMap = {};
-          // To optimize performance and reduce errors do not query for properties
-          // beyond the first level. Replicating behaviour from single-threaded Gradle generation.
-          if (key.includes(":")) {
-            retMap = {
-              rootProject: key,
-              projects: [],
-              metadata: {
-                version: "latest",
-              },
-            };
-          } else {
-            retMap = parseGradleProperties(propTaskOut);
-          }
-          const rootSubProject = retMap.rootProject;
-          if (rootSubProject) {
-            const rspName = rootSubProject.replace(/^:/, "");
-            const rootSubProjectObj = await buildObjectForGradleModule(
-              rspName,
-              retMap.metadata,
-            );
-            if (!allProjectsAddedPurls.includes(rootSubProjectObj["purl"])) {
-              allProjects.push(rootSubProjectObj);
-              rootDependsOn.push(rootSubProjectObj["bom-ref"]);
-              allProjectsAddedPurls.push(rootSubProjectObj["purl"]);
-            }
-            gradleModules.set(rspName, rootSubProjectObj);
-          }
-        }
-      } else {
-        for (const spstr of allProjectsStr) {
-          retMap = executeGradleProperties(gradleRootPath, spstr);
-          const rootSubProject = retMap.rootProject;
-          if (rootSubProject) {
-            const rspName = rootSubProject.replace(/^:/, "");
-            const rootSubProjectObj = await buildObjectForGradleModule(
-              rspName,
-              retMap.metadata,
-            );
-            if (!allProjectsAddedPurls.includes(rootSubProjectObj["purl"])) {
-              allProjects.push(rootSubProjectObj);
-              rootDependsOn.push(rootSubProjectObj["bom-ref"]);
-              allProjectsAddedPurls.push(rootSubProjectObj["purl"]);
-            }
-            gradleModules.set(rspName, rootSubProjectObj);
+      for (const [key, propTaskOut] of splitPropTaskOut.entries()) {
+        const retMap = parseGradleProperties(propTaskOut, key);
+        const rootSubProject = retMap.rootProject;
+        if (rootSubProject) {
+          const rootSubProjectObj = await buildObjectForGradleModule(
+            rootSubProject,
+            retMap.metadata,
+          );
+          if (!allProjectsAddedPurls.includes(rootSubProjectObj["purl"])) {
+            allProjects.push(rootSubProjectObj);
+            rootDependsOn.push(rootSubProjectObj["bom-ref"]);
+            allProjectsAddedPurls.push(rootSubProjectObj["purl"]);
           }
+          gradleModules.set(key, rootSubProjectObj);
         }
-      } //end else
+      }
       // Bug #317 fix
       parentComponent.components = allProjects.flatMap((s) => {
         delete s.qualifiers;
@@ -1718,158 +1695,87 @@ export async function createJavaBom(path, options) {
       ? process.env.GRADLE_DEPENDENCY_TASK
       : "dependencies";
 
-    if (process.env.GRADLE_MULTI_THREADED) {
-      const gradleSubCommands = [];
-      const modulesToSkip = process.env.GRADLE_SKIP_MODULES
-        ? process.env.GRADLE_SKIP_MODULES.split(",")
-        : [];
-      if (!modulesToSkip.includes("root")) {
-        gradleSubCommands.push(gradleDepTask);
-      }
-      for (const sp of allProjects) {
-        //create single command for dependencies tasks on all subprojects
-        if (
-          sp.purl !== parentComponent.purl &&
-          !modulesToSkip.includes(sp.name)
-        ) {
-          gradleSubCommands.push(`:${sp.name}:${gradleDepTask}`);
-        }
-      }
-      const gradleArguments = buildGradleCommandArguments(
-        process.env.GRADLE_ARGS ? process.env.GRADLE_ARGS.split(" ") : [],
-        gradleSubCommands,
-        process.env.GRADLE_ARGS_DEPENDENCIES
-          ? process.env.GRADLE_ARGS_DEPENDENCIES.split(" ")
-          : [],
-      );
-      console.log(
-        "Executing",
-        gradleCmd,
-        gradleArguments.join(" "),
-        "in",
-        gradleRootPath,
-      );
-      const sresult = spawnSync(gradleCmd, gradleArguments, {
-        cwd: gradleRootPath,
-        encoding: "utf-8",
-        timeout: TIMEOUT_MS,
-        maxBuffer: MAX_BUFFER,
-      });
+    const gradleSubCommands = [];
+    const modulesToSkip = process.env.GRADLE_SKIP_MODULES
+      ? process.env.GRADLE_SKIP_MODULES.split(",")
+      : [];
+    if (!modulesToSkip.includes("root")) {
+      gradleSubCommands.push(gradleDepTask);
+    }
+    for (const [key, sp] of gradleModules) {
+      //create single command for dependencies tasks on all subprojects
+      if (sp.purl !== parentComponent.purl && !modulesToSkip.includes(key)) {
+        gradleSubCommands.push(`${key}:${gradleDepTask}`);
+      }
+    }
+    const gradleArguments = buildGradleCommandArguments(
+      process.env.GRADLE_ARGS ? process.env.GRADLE_ARGS.split(" ") : [],
+      gradleSubCommands,
+      process.env.GRADLE_ARGS_DEPENDENCIES
+        ? process.env.GRADLE_ARGS_DEPENDENCIES.split(" ")
+        : [],
+    );
+    console.log(
+      "Executing",
+      gradleCmd,
+      gradleArguments.join(" "),
+      "in",
+      gradleRootPath,
+    );
+    const sresult = spawnSync(gradleCmd, gradleArguments, {
+      cwd: gradleRootPath,
+      encoding: "utf-8",
+      timeout: TIMEOUT_MS,
+      maxBuffer: MAX_BUFFER,
+    });
 
-      if (sresult.status !== 0 || sresult.error) {
-        if (options.failOnError || DEBUG_MODE) {
-          console.error(sresult.stdout, sresult.stderr);
-        }
-        options.failOnError && process.exit(1);
+    if (sresult.status !== 0 || sresult.error) {
+      if (options.failOnError || DEBUG_MODE) {
+        console.error(sresult.stdout, sresult.stderr);
       }
-      const sstdout = sresult.stdout;
-      if (sstdout) {
-        const cmdOutput = Buffer.from(sstdout).toString();
-        const perProjectOutput = splitOutputByGradleProjects(cmdOutput, [
-          gradleDepTask,
-        ]);
-        for (const sp of allProjects) {
-          const parsedList = await parseGradleDep(
-            perProjectOutput.has(sp.name) ? perProjectOutput.get(sp.name) : "",
-            sp.name,
-            gradleModules,
-            gradleRootPath,
-          );
-          const dlist = parsedList.pkgList;
-          if (parsedList.dependenciesList && parsedList.dependenciesList) {
-            dependencies = mergeDependencies(
-              dependencies,
-              parsedList.dependenciesList,
-              parentComponent,
-            );
-          }
-          if (dlist?.length) {
-            if (DEBUG_MODE) {
-              console.log(
-                "Found",
-                dlist.length,
-                "packages in gradle project",
-                sp.name,
-              );
-            }
-            pkgList = pkgList.concat(dlist);
-          }
-        }
-      }
-    } else {
-      if (DEBUG_MODE) {
-        console.log(
-          "Try the new multi-threaded mode for gradle. Set the environment variable GRADLE_MULTI_THREADED to true to enable this.",
-        );
-      }
-      for (const sp of allProjects) {
-        const gradleArguments = buildGradleCommandArguments(
-          process.env.GRADLE_ARGS ? process.env.GRADLE_ARGS.split(" ") : [],
-          [
-            sp.purl === parentComponent.purl
-              ? gradleDepTask
-              : `:${sp.name}:${gradleDepTask}`,
-          ],
-          process.env.GRADLE_ARGS_DEPENDENCIES
-            ? process.env.GRADLE_ARGS_DEPENDENCIES.split(" ")
-            : [],
-        );
-
-        console.log(
-          "Executing",
-          gradleCmd,
-          gradleArguments.join(" "),
-          "in",
+      options.failOnError && process.exit(1);
+    }
+    const sstdout = sresult.stdout;
+    if (sstdout) {
+      const cmdOutput = Buffer.from(sstdout).toString();
+      const perProjectOutput = splitOutputByGradleProjects(cmdOutput, [
+        gradleDepTask,
+      ]);
+      for (const [key, sp] of gradleModules) {
+        const parsedList = await parseGradleDep(
+          perProjectOutput.has(key) ? perProjectOutput.get(key) : "",
+          key,
+          gradleModules,
           gradleRootPath,
         );
-        const sresult = spawnSync(gradleCmd, gradleArguments, {
-          cwd: gradleRootPath,
-          encoding: "utf-8",
-          timeout: TIMEOUT_MS,
-          maxBuffer: MAX_BUFFER,
-        });
-        if (sresult.status !== 0 || sresult.error) {
-          if (options.failOnError || DEBUG_MODE) {
-            console.error(sresult.stdout, sresult.stderr);
-          }
-          options.failOnError && process.exit(1);
-        }
-        const sstdout = sresult.stdout;
-        if (sstdout) {
-          const cmdOutput = Buffer.from(sstdout).toString();
-          const parsedList = await parseGradleDep(
-            cmdOutput,
-            sp.name,
-            gradleModules,
-            gradleRootPath,
+        const dlist = parsedList.pkgList;
+        if (parsedList.dependenciesList && parsedList.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            parsedList.dependenciesList,
+            parentComponent,
           );
-          const dlist = parsedList.pkgList;
-          if (parsedList.dependenciesList && parsedList.dependenciesList) {
-            dependencies = mergeDependencies(
-              dependencies,
-              parsedList.dependenciesList,
-              parentComponent,
+        }
+        if (dlist?.length) {
+          if (DEBUG_MODE) {
+            console.log(
+              "Found",
+              dlist.length,
+              "packages in gradle project",
+              key,
             );
           }
-          if (dlist?.length) {
-            if (DEBUG_MODE) {
-              console.log(
-                "Found",
-                dlist.length,
-                "packages in gradle project",
-                sp.name,
-              );
-            }
-            pkgList = pkgList.concat(dlist);
-          }
+          pkgList = pkgList.concat(dlist);
         }
-      } // for
+      }
     }
     if (pkgList.length) {
       if (parentComponent.components?.length) {
         for (const subProj of parentComponent.components) {
           pkgList = pkgList.filter(
-            (pkg) => pkg["bom-ref"] !== subProj["bom-ref"],
+            (pkg) =>
+              pkg["bom-ref"] !== subProj["bom-ref"] &&
+              pkg["bom-ref"] !== parentComponent["bom-ref"],
           );
         }
       }
@@ -1898,7 +1804,7 @@ export async function createJavaBom(path, options) {
   // NOTE: This can match BUILD files used by perl, so could lead to errors in some projects
   const bazelFiles = getAllFiles(
     path,
-    `${options.multiProject ? "**/" : ""}BUILD*`,
+    `${options.multiProject ? "**/" : ""}BUILD{,.bazel}`,
     options,
   );
   if (
@@ -2883,16 +2789,18 @@ export async function createPythonBom(path, options) {
           );
         }
       }
-      const parentDependsOn = [];
-      // Complete the dependency tree by making parent component depend on the first level
-      for (const p of retMap.rootList) {
-        parentDependsOn.push(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
+      if (retMap.rootList) {
+        const parentDependsOn = [];
+        // Complete the dependency tree by making parent component depend on the first level
+        for (const p of retMap.rootList) {
+          parentDependsOn.push(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
+        }
+        const pdependencies = {
+          ref: parentComponent["bom-ref"],
+          dependsOn: parentDependsOn,
+        };
+        dependencies.splice(0, 0, pdependencies);
       }
-      const pdependencies = {
-        ref: parentComponent["bom-ref"],
-        dependsOn: parentDependsOn,
-      };
-      dependencies.splice(0, 0, pdependencies);
     }
     options.parentComponent = parentComponent;
   } // poetryMode

package/{evinser.js → lib/evinser/evinser.js}

@@ -4,8 +4,8 @@ import path from "node:path";
 import process from "node:process";
 import { PackageURL } from "packageurl-js";
 import { Op } from "sequelize";
-import { findCryptoAlgos } from "./cbomutils.js";
-import * as db from "./db.js";
+import { findCryptoAlgos } from "../helpers/cbomutils.js";
+import * as db from "../helpers/db.js";
 import {
   DEBUG_MODE,
   collectGradleDependencies,
@@ -15,7 +15,7 @@ import {
   getGradleCommand,
   getMavenCommand,
   getTimestamp,
-} from "./utils.js";
+} from "../helpers/utils.js";
 const DB_NAME = "evinser.db";
 const typePurlsCache = {};
 

package/{cbomutils.js → lib/helpers/cbomutils.js}

@@ -1,6 +1,6 @@
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
-import { executeOsQuery } from "./binary.js";
+import { executeOsQuery } from "../managers/binary.js";
 import { convertOSQueryResults, dirNameStr } from "./utils.js";
 const cbomosDbQueries = JSON.parse(
   readFileSync(join(dirNameStr, "data", "cbomosdb-queries.json"), "utf-8"),

package/{envcontext.js → lib/helpers/envcontext.js}

@@ -27,6 +27,7 @@ export const SDKMAN_TOOL_ALIASES = {
   java17: "17.0.12-tem",
   java21: "21.0.4-tem",
   java22: "22.0.2-tem",
+  java23: "23-tem",
 };
 
 /**