@cyclonedx/cdxgen 10.9.2 → 10.9.4

package/bin/cdxgen.js

@@ -13,6 +13,7 @@ import jws from "jws";
 import {
   printCallStack,
   printDependencyTree,
+  printFormulation,
   printOccurrences,
   printReachables,
   printServices,
@@ -22,6 +23,7 @@ import {
 } from "../display.js";
 import { createBom, submitBom } from "../index.js";
 import { postProcess } from "../postgen.js";
+import { prepareEnv } from "../pregen.js";
 import { ATOM_DB } from "../utils.js";
 import { validateBom } from "../validator.js";
 
@@ -502,6 +504,7 @@ const checkPermissions = (filePath) => {
   if (!options.usagesSlicesFile) {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
+  prepareEnv(filePath, options);
   let bomNSData = (await createBom(filePath, options)) || {};
   // Add extra metadata and annotations with post processing
   bomNSData = postProcess(bomNSData, options);
@@ -721,6 +724,9 @@ const checkPermissions = (filePath) => {
   }
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
     printSummary(bomNSData.bomJson);
+    if (options.includeFormulation) {
+      printFormulation(bomNSData.bomJson);
+    }
     printDependencyTree(bomNSData.bomJson);
     printTable(bomNSData.bomJson);
     // CBOM related print

package/bin/repl.js

@@ -10,6 +10,7 @@ import jsonata from "jsonata";
 import {
   printCallStack,
   printDependencyTree,
+  printFormulation,
   printOSTable,
   printOccurrences,
   printServices,
@@ -500,6 +501,32 @@ cdxgenRepl.defineCommand("vulnerabilities", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("formulation", {
+  help: "view formulation",
+  async action() {
+    if (sbom) {
+      try {
+        const expression = jsonata("formulation");
+        let formulation = await expression.evaluate(sbom);
+        if (!formulation) {
+          console.log(
+            "No formulation found. Pass the argument --include-formulation to generate SBOM with formulation details.",
+          );
+        } else {
+          if (!Array.isArray(formulation)) {
+            formulation = [formulation];
+          }
+          printFormulation({ formulation });
+        }
+      } catch (e) {
+        console.log(e);
+      }
+    } else {
+      console.log("⚠ No SBOM is loaded. Use .import command to import an SBOM");
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("osinfocategories", {
   help: "view the category names for the OS info from the obom",
   async action() {

package/display.js

@@ -18,11 +18,11 @@ const highlightStr = (s, highlight) => {
   }
   return s;
 };
-export const printTable = (
+export function printTable(
   bomJson,
   filterTypes = undefined,
   highlight = undefined,
-) => {
+) {
   if (!bomJson || !bomJson.components) {
     return;
   }
@@ -85,7 +85,7 @@ export const printTable = (
   } else {
     console.log(`Components filtered based on type: ${filterTypes.join(", ")}`);
   }
-};
+}
 const formatProps = (props) => {
   const retList = [];
   for (const p of props) {
@@ -93,7 +93,7 @@ const formatProps = (props) => {
   }
   return retList.join("\n");
 };
-export const printOSTable = (bomJson) => {
+export function printOSTable(bomJson) {
   const config = {
     columnDefault: {
       width: 50,
@@ -111,8 +111,8 @@ export const printOSTable = (bomJson) => {
     ]);
   }
   console.log();
-};
-export const printServices = (bomJson) => {
+}
+export function printServices(bomJson) {
   const data = [["Name", "Endpoints", "Authenticated", "X Trust Boundary"]];
   if (!bomJson || !bomJson.services) {
     return;
@@ -134,7 +134,30 @@ export const printServices = (bomJson) => {
   if (data.length > 1) {
     console.log(table(data, config));
   }
-};
+}
+
+export function printFormulation(bomJson) {
+  const data = [["Tyoe", "Name", "Version"]];
+  if (!bomJson || !bomJson.formulation) {
+    return;
+  }
+  for (const aform of bomJson.formulation) {
+    if (aform.components) {
+      for (const acomp of aform.components) {
+        data.push([acomp.type || "", acomp.name || "", acomp.version || ""]);
+      }
+    }
+  }
+  const config = {
+    header: {
+      alignment: "center",
+      content: "Formulation\nGenerated with \u2665  by cdxgen",
+    },
+  };
+  if (data.length > 1) {
+    console.log(table(data, config));
+  }
+}
 
 const locationComparator = (a, b) => {
   if (a && b && a.includes("#") && b.includes("#")) {
@@ -149,7 +172,7 @@ const locationComparator = (a, b) => {
   return a.localeCompare(b);
 };
 
-export const printOccurrences = (bomJson) => {
+export function printOccurrences(bomJson) {
   const data = [["Group", "Name", "Version", "Occurrences"]];
   if (!bomJson || !bomJson.components) {
     return;
@@ -177,8 +200,8 @@ export const printOccurrences = (bomJson) => {
   if (data.length > 1) {
     console.log(table(data, config));
   }
-};
-export const printCallStack = (bomJson) => {
+}
+export function printCallStack(bomJson) {
   const data = [["Group", "Name", "Version", "Call Stack"]];
   if (!bomJson || !bomJson.components) {
     return;
@@ -224,12 +247,12 @@ export const printCallStack = (bomJson) => {
   if (data.length > 1) {
     console.log(table(data, config));
   }
-};
-export const printDependencyTree = (
+}
+export function printDependencyTree(
   bomJson,
   mode = "dependsOn",
   highlight = undefined,
-) => {
+) {
   const dependencies = bomJson.dependencies || [];
   if (!dependencies.length) {
     return;
@@ -264,7 +287,7 @@ export const printDependencyTree = (
   } else {
     console.log(highlightStr(treeGraphics.join("\n"), highlight));
   }
-};
+}
 
 const levelPrefix = (level, isLast) => {
   if (level === 0) {
@@ -324,7 +347,7 @@ const recursePrint = (depMap, subtree, level, shownList, treeGraphics) => {
   }
 };
 
-export const printReachables = (sliceArtefacts) => {
+export function printReachables(sliceArtefacts) {
   const reachablesSlicesFile = sliceArtefacts.reachablesSlicesFile;
   if (!existsSync(reachablesSlicesFile)) {
     return;
@@ -355,7 +378,7 @@ export const printReachables = (sliceArtefacts) => {
   if (data.length > 1) {
     console.log(table(data, config));
   }
-};
+}
 
 export function printVulnerabilities(vulnerabilities) {
   if (!vulnerabilities) {
@@ -407,7 +430,7 @@ export function printSponsorBanner(options) {
   }
 }
 
-export const printSummary = (bomJson) => {
+export function printSummary(bomJson) {
   const config = {
     header: {
       alignment: "center",
@@ -418,8 +441,18 @@ export const printSummary = (bomJson) => {
   if (!metadataProperties) {
     return;
   }
+  const tools = bomJson?.metadata?.tools?.components;
+  let message = "";
   let bomPkgTypes = [];
   let bomPkgNamespaces = [];
+  if (tools) {
+    message = "** Generator Tools **";
+    for (const atool of tools) {
+      if (atool.name && atool.version) {
+        message = `${message}\n${atool.name} (${atool.version})`;
+      }
+    }
+  }
   for (const aprop of metadataProperties) {
     if (aprop.name === "cdx:bom:componentTypes") {
       bomPkgTypes = aprop?.value.split("\\n");
@@ -431,10 +464,10 @@ export const printSummary = (bomJson) => {
   if (!bomPkgTypes.length && !bomPkgNamespaces.length) {
     return;
   }
-  let message = `** Package Types (${bomPkgTypes.length}) **\n${bomPkgTypes.join("\n")}`;
+  message = `${message}\n\n** Package Types (${bomPkgTypes.length}) **\n${bomPkgTypes.join("\n")}`;
   if (bomPkgNamespaces.length) {
     message = `${message}\n\n** Namespaces (${bomPkgNamespaces.length}) **\n${bomPkgNamespaces.join("\n")}`;
   }
   const data = [[message]];
   console.log(table(data, config));
-};
+}

package/envcontext.js

@@ -1,20 +1,33 @@
 import { Buffer } from "node:buffer";
 import { spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { delimiter, join } from "node:path";
 import process from "node:process";
 import {
   CARGO_CMD,
+  DEBUG_MODE,
   DOTNET_CMD,
   GCC_CMD,
   GO_CMD,
-  JAVA_CMD,
   NODE_CMD,
   NPM_CMD,
-  PYTHON_CMD,
   RUSTC_CMD,
+  getJavaCommand,
+  getPythonCommand,
   isWin,
 } from "./utils.js";
 
-const GIT_COMMAND = process.env.GIT_CMD || "git";
+export const GIT_COMMAND = process.env.GIT_CMD || "git";
+
+// sdkman tool aliases
+export const SDKMAN_TOOL_ALIASES = {
+  java8: "8.0.422-tem",
+  java11: "11.0.24-tem",
+  java17: "17.0.12-tem",
+  java21: "21.0.4-tem",
+  java22: "22.0.2-tem",
+};
 
 /**
  * Retrieves a git config item
@@ -23,9 +36,9 @@ const GIT_COMMAND = process.env.GIT_CMD || "git";
  *
  * @returns Output from git config or undefined
  */
-export const getGitConfig = (configKey, dir) => {
+export function getGitConfig(configKey, dir) {
   return execGitCommand(dir, ["config", "--get", configKey]);
-};
+}
 
 /**
  * Retrieves the git origin url
@@ -33,9 +46,9 @@ export const getGitConfig = (configKey, dir) => {
  *
  * @returns Output from git config or undefined
  */
-export const getOriginUrl = (dir) => {
+export function getOriginUrl(dir) {
   return getGitConfig("remote.origin.url", dir);
-};
+}
 
 /**
  * Retrieves the git branch name
@@ -44,9 +57,9 @@ export const getOriginUrl = (dir) => {
  *
  * @returns Output from git config or undefined
  */
-export const getBranch = (configKey, dir) => {
+export function getBranch(configKey, dir) {
   return execGitCommand(dir, ["rev-parse", "--abbrev-ref", "HEAD"]);
-};
+}
 
 /**
  * Retrieves the tree and parent hash for a git repo
@@ -54,7 +67,7 @@ export const getBranch = (configKey, dir) => {
  *
  * @returns Output from git cat-file or undefined
  */
-export const gitTreeHashes = (dir) => {
+export function gitTreeHashes(dir) {
   const treeHashes = {};
   const output = execGitCommand(dir, ["cat-file", "commit", "HEAD"]);
   if (output) {
@@ -72,7 +85,7 @@ export const gitTreeHashes = (dir) => {
     });
   }
   return treeHashes;
-};
+}
 
 /**
  * Retrieves the files list from git
@@ -80,7 +93,7 @@ export const gitTreeHashes = (dir) => {
  *
  * @returns Output from git config or undefined
  */
-export const listFiles = (dir) => {
+export function listFiles(dir) {
   const filesList = [];
   const output = execGitCommand(dir, [
     "ls-tree",
@@ -108,7 +121,7 @@ export const listFiles = (dir) => {
     });
   }
   return filesList;
-};
+}
 
 /**
  * Execute a git command
@@ -118,9 +131,9 @@ export const listFiles = (dir) => {
  *
  * @returns Output from the git command
  */
-export const execGitCommand = (dir, args) => {
+export function execGitCommand(dir, args) {
   return getCommandOutput(GIT_COMMAND, dir, args);
-};
+}
 
 /**
  * Collect Java version and installed modules
@@ -128,9 +141,10 @@ export const execGitCommand = (dir, args) => {
  * @param {string} dir Working directory
  * @returns Object containing the java details
  */
-export const collectJavaInfo = (dir) => {
-  const versionDesc = getCommandOutput(JAVA_CMD, dir, ["--version"]);
-  const moduleDesc = getCommandOutput(JAVA_CMD, dir, ["--list-modules"]) || "";
+export function collectJavaInfo(dir) {
+  const versionDesc = getCommandOutput(getJavaCommand(), dir, ["--version"]);
+  const moduleDesc =
+    getCommandOutput(getJavaCommand(), dir, ["--list-modules"]) || "";
   if (versionDesc) {
     return {
       type: "platform",
@@ -146,7 +160,7 @@ export const collectJavaInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect dotnet version
@@ -154,7 +168,7 @@ export const collectJavaInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing dotnet details
  */
-export const collectDotnetInfo = (dir) => {
+export function collectDotnetInfo(dir) {
   const versionDesc = getCommandOutput(DOTNET_CMD, dir, ["--version"]);
   const moduleDesc =
     getCommandOutput(DOTNET_CMD, dir, ["--list-runtimes"]) || "";
@@ -167,7 +181,7 @@ export const collectDotnetInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect python version
@@ -175,10 +189,10 @@ export const collectDotnetInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing python details
  */
-export const collectPythonInfo = (dir) => {
-  const versionDesc = getCommandOutput(PYTHON_CMD, dir, ["--version"]);
+export function collectPythonInfo(dir) {
+  const versionDesc = getCommandOutput(getPythonCommand(), dir, ["--version"]);
   const moduleDesc =
-    getCommandOutput(PYTHON_CMD, dir, ["-m", "pip", "--version"]) || "";
+    getCommandOutput(getPythonCommand(), dir, ["-m", "pip", "--version"]) || "";
   if (versionDesc) {
     return {
       type: "platform",
@@ -188,7 +202,7 @@ export const collectPythonInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect node version
@@ -196,7 +210,7 @@ export const collectPythonInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing node details
  */
-export const collectNodeInfo = (dir) => {
+export function collectNodeInfo(dir) {
   const versionDesc = getCommandOutput(NODE_CMD, dir, ["--version"]);
   let moduleDesc = getCommandOutput(NPM_CMD, dir, ["--version"]);
   if (moduleDesc) {
@@ -211,7 +225,7 @@ export const collectNodeInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect gcc version
@@ -219,7 +233,7 @@ export const collectNodeInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing gcc details
  */
-export const collectGccInfo = (dir) => {
+export function collectGccInfo(dir) {
   const versionDesc = getCommandOutput(GCC_CMD, dir, ["--version"]);
   const moduleDesc = getCommandOutput(GCC_CMD, dir, ["-print-search-dirs"]);
   if (versionDesc) {
@@ -231,7 +245,7 @@ export const collectGccInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect rust version
@@ -239,7 +253,7 @@ export const collectGccInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing rust details
  */
-export const collectRustInfo = (dir) => {
+export function collectRustInfo(dir) {
   const versionDesc = getCommandOutput(RUSTC_CMD, dir, ["--version"]);
   const moduleDesc = getCommandOutput(CARGO_CMD, dir, ["--version"]);
   if (versionDesc) {
@@ -251,7 +265,7 @@ export const collectRustInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
 /**
  * Collect go version
@@ -259,7 +273,7 @@ export const collectRustInfo = (dir) => {
  * @param {string} dir Working directory
  * @returns Object containing go details
  */
-export const collectGoInfo = (dir) => {
+export function collectGoInfo(dir) {
   const versionDesc = getCommandOutput(GO_CMD, dir, ["version"]);
   if (versionDesc) {
     return {
@@ -269,9 +283,9 @@ export const collectGoInfo = (dir) => {
     };
   }
   return undefined;
-};
+}
 
-export const collectEnvInfo = (dir) => {
+export function collectEnvInfo(dir) {
   const infoComponents = [];
   let cmp = collectJavaInfo(dir);
   if (cmp) {
@@ -302,7 +316,7 @@ export const collectEnvInfo = (dir) => {
     infoComponents.push(cmp);
   }
   return infoComponents;
-};
+}
 
 /**
  * Execute any command to retrieve the output
@@ -324,6 +338,162 @@ const getCommandOutput = (cmd, dir, args) => {
   const stdout = result.stdout;
   if (stdout) {
     const cmdOutput = Buffer.from(stdout).toString();
-    return cmdOutput.trim();
+    return cmdOutput.trim().replaceAll("\r", "");
   }
 };
+
+/**
+ * Method to check if sdkman is available.
+ */
+export function isSdkmanAvailable() {
+  let isSdkmanSetup =
+    ["SDKMAN_DIR", "SDKMAN_CANDIDATES_DIR"].filter(
+      (v) => process.env[v] && existsSync(process.env[v]),
+    ).length >= 1;
+  if (!isSdkmanSetup && existsSync(join(homedir(), ".sdkman", "bin"))) {
+    process.env.SDKMAN_DIR = join(homedir(), ".sdkman");
+    process.env.SDKMAN_CANDIDATES_DIR = join(
+      homedir(),
+      ".sdkman",
+      "candidates",
+    );
+    isSdkmanSetup = true;
+  }
+  return isSdkmanSetup;
+}
+
+/**
+ * Method to check if a given sdkman tool is installed and available.
+ *
+ * @param {String} toolType Tool type such as java, gradle, maven etc.
+ * @param {String} toolName Tool name with version. Eg: 22.0.2-tem
+ *
+ * @returns {Boolean} true if the tool is available. false otherwise.
+ */
+export function isSdkmanToolAvailable(toolType, toolName) {
+  toolName = getSdkmanToolFullname(toolName);
+  let isToolAvailable =
+    process.env.SDKMAN_CANDIDATES_DIR &&
+    existsSync(
+      join(process.env.SDKMAN_CANDIDATES_DIR, toolType, toolName, "bin"),
+    );
+  if (
+    !isToolAvailable &&
+    existsSync(
+      join(homedir(), ".sdkman", "candidates", toolType, toolName, "bin"),
+    )
+  ) {
+    process.env.SDKMAN_CANDIDATES_DIR = join(
+      homedir(),
+      ".sdkman",
+      "candidates",
+    );
+    isToolAvailable = true;
+  }
+  return isToolAvailable;
+}
+
+/**
+ * Method to install and use a given sdkman tool.
+ *
+ * @param {String} toolType Tool type such as java, gradle, maven etc.
+ * @param {String} toolName Tool name with version. Eg: 22.0.2-tem
+ *
+ * @returns {Boolean} true if the tool is available. false otherwise.
+ */
+export function installSdkmanTool(toolType, toolName) {
+  if (isWin) {
+    return false;
+  }
+  toolName = getSdkmanToolFullname(toolName);
+  let result = undefined;
+  if (!isSdkmanToolAvailable(toolType, toolName)) {
+    console.log("About to install", toolType, toolName);
+    result = spawnSync(
+      process.env.SHELL || "bash",
+      ["-i", "-c", `"echo -e "no" | sdk install ${toolType} ${toolName}"`],
+      {
+        encoding: "utf-8",
+        shell: process.env.SHELL || true,
+      },
+    );
+    if (DEBUG_MODE) {
+      if (console.stdout) {
+        console.log(result.stdout);
+      }
+      if (console.stderr) {
+        console.log(result.stderr);
+      }
+    }
+    if (result.status === 1 || result.error) {
+      console.log(
+        "Unable to install",
+        toolType,
+        toolName,
+        "due to below errors.",
+      );
+      return false;
+    }
+  }
+  const toolUpper = toolType.toUpperCase();
+  // Set process env variables
+  if (
+    process.env[`${toolUpper}_HOME`] &&
+    process.env[`${toolUpper}_HOME`].includes("current")
+  ) {
+    process.env[`${toolUpper}_HOME`] = process.env[`${toolUpper}_HOME`].replace(
+      "current",
+      toolName,
+    );
+    console.log(
+      `${toolUpper}_HOME`,
+      "set to",
+      process.env[`${toolUpper}_HOME`],
+    );
+  } else if (
+    process.env.SDKMAN_CANDIDATES_DIR &&
+    existsSync(join(process.env.SDKMAN_CANDIDATES_DIR, toolType, toolName))
+  ) {
+    process.env[`${toolUpper}_HOME`] = join(
+      process.env.SDKMAN_CANDIDATES_DIR,
+      toolType,
+      toolName,
+    );
+    console.log(
+      `${toolUpper}_HOME`,
+      "set to",
+      process.env[`${toolUpper}_HOME`],
+    );
+  } else {
+    console.log(
+      "Directory",
+      join(process.env.SDKMAN_CANDIDATES_DIR, toolType, toolName),
+      "is not found",
+    );
+  }
+  const toolCurrentBin = join(toolType, "current", "bin");
+  if (process.env?.PATH.includes(toolCurrentBin)) {
+    process.env.PATH = process.env.PATH.replace(
+      toolCurrentBin,
+      join(toolType, toolName, "bin"),
+    );
+  } else if (process.env.SDKMAN_CANDIDATES_DIR) {
+    const fullToolBinDir = join(
+      process.env.SDKMAN_CANDIDATES_DIR,
+      toolType,
+      toolName,
+      "bin",
+    );
+    if (!process.env?.PATH?.includes(fullToolBinDir)) {
+      process.env.PATH = `${fullToolBinDir}${delimiter}${process.env.PATH}`;
+    }
+  }
+  return true;
+}
+
+/**
+ * Retrieve sdkman tool full name
+ */
+function getSdkmanToolFullname(toolName) {
+  return SDKMAN_TOOL_ALIASES[toolName] || toolName;
+}

package/envcontext.test.js

@@ -1,3 +1,4 @@
+import process from "node:process";
 import { expect, test } from "@jest/globals";
 
 import {
@@ -10,6 +11,8 @@ import {
   collectRustInfo,
   getBranch,
   getOriginUrl,
+  isSdkmanAvailable,
+  isSdkmanToolAvailable,
   listFiles,
 } from "./envcontext.js";
 
@@ -29,3 +32,10 @@ test("tools tests", () => {
   expect(collectRustInfo()).toBeDefined();
   expect(collectGoInfo()).toBeDefined();
 });
+
+test("sdkman tests", () => {
+  if (process.env?.SDKMAN_VERSION) {
+    expect(isSdkmanAvailable()).toBeTruthy();
+    expect(isSdkmanToolAvailable("java", "22.0.1-tem")).toBeTruthy();
+  }
+});

package/evinser.js

@@ -658,7 +658,7 @@ export const parseSliceUsages = async (
     if (purlImportsMap && Object.keys(purlImportsMap).length) {
       for (const apurl of Object.keys(purlImportsMap)) {
         const apurlImports = purlImportsMap[apurl];
-        if (language === "php") {
+        if (["php", "python"].includes(language)) {
           for (const aimp of apurlImports) {
             if (atype.startsWith(aimp)) {
               if (!purlLocationMap[apurl]) {