@cyclonedx/cdxgen 10.9.6 → 10.9.7

package/README.md

@@ -55,7 +55,7 @@ Sections include:
 ## Installing
 
 ```shell
-npm install -g @cyclonedx/cdxgen
+npm install -g @cyclonedx/cdxgen@10.9.6
 ```
 
 If you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][homebrew-cdxgen] via:
@@ -72,28 +72,28 @@ deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryIn
 
 You can also use the cdxgen container image with node, deno, or bun runtime versions.
 
-The default version uses Node.js 20
+The default version uses Node.js 22
 
 ```bash
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json
 ```
 
 To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
 
 ```bash
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno:master -r /app -o /app/bom.json
 ```
 
 For the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.
 
 ```bash
-docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun:master -r /app -o /app/bom.json
 ```
 
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^10.9.6";
 ```
 
 ## Getting Help
@@ -403,7 +403,7 @@ To generate test public/private key pairs, you can run cdxgen by passing the arg
 Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.
 
 ```shell
-npm install -g @cyclonedx/cdxgen
+npm install -g @cyclonedx/cdxgen@10.9.6
 cdx-verify -i bom.json --public-key public.key
 ```
 

package/index.js

@@ -1233,6 +1233,7 @@ export async function createJavaBom(path, options) {
   // For java, this would correctly include the cyclonedx maven plugin.
   let tools = undefined;
   let possible_misses = false;
+  let mavenDepsTreeInfoShown = false;
   // war/ear mode
   if (path.endsWith(".war") || path.endsWith(".jar")) {
     // Check if the file exists
@@ -1324,13 +1325,14 @@ export async function createJavaBom(path, options) {
       }
       // Use the cyclonedx maven plugin if there is no preference for maven deps tree
       if (!PREFER_MAVEN_DEPS_TREE) {
-        if (DEBUG_MODE) {
+        if (!mavenDepsTreeInfoShown && DEBUG_MODE) {
           console.log(
             "cdxgen now supports generating SBOM with only the maven cli without the need for the cyclonedx-maven plugin. This mode works better in enterprise environments and in multi-module projects.",
           );
           console.log(
             "Set the environment variable PREFER_MAVEN_DEPS_TREE to true to enable this.",
           );
+          mavenDepsTreeInfoShown = true;
         }
         console.log(
           `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
@@ -2716,7 +2718,7 @@ export async function createNodejsBom(path, options) {
  * @param {String} path
  * @param {Object} options
  */
-export async function createPixiBom(path, options) {
+export function createPixiBom(path, options) {
   const allImports = {};
   let metadataFilename = "";
   let dependencies = [];
@@ -3398,7 +3400,11 @@ export async function createGoBom(path, options) {
       for (const f of gomodFiles) {
         const basePath = dirname(f);
         // Ignore vendor packages
-        if (basePath.includes("/vendor/") || basePath.includes("/build/")) {
+        if (
+          basePath.includes("/vendor/") ||
+          basePath.includes("/build/") ||
+          basePath.includes("/test-fixtures/")
+        ) {
           continue;
         }
         // First we execute the go list -deps command which gives the correct list of dependencies
@@ -3424,7 +3430,7 @@ export async function createGoBom(path, options) {
         if (result.status !== 0 || result.error) {
           // go list -deps command may not work when private packages are involved
           // So we support a fallback to only operate with go mod graph command output in such instances
-          console.log("go list -deps command has failed.");
+          console.log("go list -deps command has failed for", basePath);
           shouldManuallyParse = true;
           if (DEBUG_MODE && result.stdout) {
             console.log(result.stdout);
@@ -3495,6 +3501,11 @@ export async function createGoBom(path, options) {
                 parentComponent,
               );
             }
+            // Retain the parent component hierarchy
+            if (Object.keys(retMap.parentComponent).length) {
+              parentComponent.components = parentComponent.components || [];
+              parentComponent.components.push(retMap.parentComponent);
+            }
           }
         } else {
           if (DEBUG_MODE) {
@@ -3528,6 +3539,15 @@ export async function createGoBom(path, options) {
                 parentComponent,
               );
             }
+            // Retain the parent component hierarchy
+            if (Object.keys(retMap.parentComponent).length) {
+              if (gomodFiles.length === 1) {
+                parentComponent = retMap.parentComponent;
+              } else {
+                parentComponent.components = parentComponent.components || [];
+                parentComponent.components.push(retMap.parentComponent);
+              }
+            }
           } else {
             shouldManuallyParse = true;
             console.log(
@@ -3566,9 +3586,31 @@ export async function createGoBom(path, options) {
         console.log(`Parsing ${f}`);
       }
       const gomodData = readFileSync(f, { encoding: "utf-8" });
-      const dlist = await parseGoModData(gomodData, gosumMap);
-      if (dlist?.length) {
-        pkgList = pkgList.concat(dlist);
+      const retMap = await parseGoModData(gomodData, gosumMap);
+      if (retMap?.pkgList?.length) {
+        pkgList = pkgList.concat(retMap.pkgList);
+      }
+      // Retain the parent component hierarchy
+      if (Object.keys(retMap.parentComponent).length) {
+        if (gomodFiles.length === 1) {
+          parentComponent = retMap.parentComponent;
+        } else {
+          parentComponent.components = parentComponent.components || [];
+          parentComponent.components.push(retMap.parentComponent);
+        }
+        if (retMap?.rootList?.length) {
+          const thisParentDependsOn = [
+            {
+              ref: retMap.parentComponent["bom-ref"],
+              dependsOn: retMap.rootList.map((c) => c["bom-ref"]),
+            },
+          ];
+          dependencies = mergeDependencies(
+            dependencies,
+            thisParentDependsOn,
+            parentComponent,
+          );
+        }
       }
     }
     return buildBomNSData(options, pkgList, "golang", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.9.6",
+  "version": "10.9.7",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -61,12 +61,12 @@
     "*": "biome check --fix --no-errors-on-unmatched"
   },
   "dependencies": {
-    "@babel/parser": "^7.24.8",
-    "@babel/traverse": "^7.24.8",
+    "@babel/parser": "^7.25.6",
+    "@babel/traverse": "^7.25.6",
     "@npmcli/arborist": "7.5.4",
-    "ajv": "^8.16.0",
+    "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
-    "cheerio": "^1.0.0-rc.12",
+    "cheerio": "^1.0.0",
     "edn-data": "1.1.2",
     "find-up": "7.0.0",
     "glob": "^11.0.0",
@@ -90,7 +90,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.0.17",
+    "@appthreat/atom": "2.0.18",
     "@appthreat/cdx-proto": "1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "1.6.3",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "1.6.3",

package/types/index.d.ts

@@ -64,7 +64,7 @@ export function createNodejsBom(path: string, options: any): Promise<any>;
  * @param {String} path
  * @param {Object} options
  */
-export function createPixiBom(path: string, options: any): Promise<any>;
+export function createPixiBom(path: string, options: any): any;
 /**
  * Function to create bom string for Python projects
  *

package/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AA6vBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BA4/BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;;;;;;GAUG;AACH,wEAyEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2bhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqWhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.js"],"names":[],"mappings":"AA6vBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAyUD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BA8/BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2chB;AAED;;;;;;;;;;GAUG;AACH,+DAyEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA2bhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BA6YhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BAwFhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAwJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA2CC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAmclB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAsOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"}

package/types/utils.d.ts

@@ -522,7 +522,15 @@ export function getRepoLicense(repoUrl: string, repoMetadata: any): Promise<stri
  */
 export function getGoPkgLicense(repoMetadata: any): Promise<any>;
 export function getGoPkgComponent(group: any, name: any, version: any, hash: any): Promise<{}>;
-export function parseGoModData(goModData: any, gosumMap: any): Promise<any[]>;
+/**
+ * Method to parse go.mod files
+ *
+ * @param {String} goModData Contents of go.mod file
+ * @param {Object} gosumMap Data from go.sum files
+ *
+ * @returns {Object} Object containing parent component, rootList and packages list
+ */
+export function parseGoModData(goModData: string, gosumMap: any): any;
 /**
  * Parse go list output
  *
@@ -540,15 +548,18 @@ export function parseGoListDep(rawOutput: string, gosumMap: any): Promise<{
  * @param {string} goModFile go.mod file
  * @param {Object} goSumMap Hashes from gosum for lookups
  * @param {Array} epkgList Existing package list
+ * @param {Object} parentComponent Current parent component
  *
  * @returns Object containing List of packages and dependencies
  */
-export function parseGoModGraph(rawOutput: string, goModFile: string, gosumMap: any, epkgList?: any[], parentComponent?: {}): Promise<{
+export function parseGoModGraph(rawOutput: string, goModFile: string, gosumMap: any, epkgList?: any[], parentComponent?: any): Promise<{
     pkgList: any[];
     dependenciesList: {
         ref: string;
         dependsOn: any[];
     }[];
+    parentComponent: any;
+    rootList: any;
 }>;
 /**
  * Parse go mod why output

package/types/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../utils.js"],"names":[],"mappings":"AA2JA,yCAYC;AAED,2CAQC;AAsKD;;;;;;;GAOG;AACH,4EAoBC;AAED;;;;;;GAMG;AACH,mGAkDC;AAED;;;;;;;;GAQG;AACH,yGASC;AAgBD;;;;;GAKG;AACH,qCAHW,MAAM,WACN,MAAM,0BAqBhB;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,+BAoBhB;AAYD;;;;GAIG;AACH,gCAFa,MAAM,CAIlB;AAED;;;;;;IAMI;AACJ,iDAJW,MAAM,GACJ,OAAO,CAiBnB;AAED;;;;;;;;;GASG;AACH,iEA2BC;AAED;;;;;GAKG;AACH,6CAqDC;AAED;;;;;;GAMG;AACH,sEA0DC;AAED;;;;GAIG;AACH,4EAoCC;AAED;;;GAGG;AACH;;EAUC;AAED,sEA0BC;AAED;;;;GAIG;AACH,+DA4CC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,WACN,OAAO,kBAkFjB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM;;;GAqVhB;AAED;;;;;;;GAOG;AACH,6CAFW,MAAM,MA2DhB;AAwBD;;;;GAIG;AACH,4CAFW,MAAM;;;GAkOhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,kBAiEhB;AA2BD;;;;;GAKG;AACH,wCAHW,MAAM,oBACN,MAAM;;;;;;;;;GA0ZhB;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBA+ChB;AAED;;;;GAIG;AACH,sCAFW,MAAM,kBAgFhB;AAED;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;IAqDC;AAED;;;;;;GAMG;AACH,0CALW,MAAM,WACN,MAAM,OAgJhB;AAED;;;;;;GAMG;AACH,0CALW,MAAM,qBACN,MAAM,oBACN,MAAM,uBACN,MAAM;;;;;;;;;;;;;;;;EAkNhB;AAED;;;GAGG;AACH,uCAFW,MAAM,SAoChB;AAED;;;GAGG;AACH,wCAFW,MAAM,OAahB;AAED,yEAwBC;AAED;;;;GAIG;AACH,+CAFW,MAAM;;;EA6ChB;AAED;;;;GAIG;AACH,iDAFW,MAAM;;;;;;;;EAsChB;AAED;;;;;;;;GAQG;AACH,qDANW,MAAM,YACN,MAAM,0BAGJ,MAAM,CAkElB;AAED;;;;;;GAMG;AACH,6CAJW,MAAM,YACN,MAAM,cACN,MAAM,MA2EhB;AAED;;;GAGG;AACH,iDAFW,MAAM,SA4ChB;AAED;;;GAGG;AACH,8CAFW,MAAM,SAsDhB;AAED;;;GAGG;AACH,2CAFW,MAAM,SAiBhB;AAED;;GAEG;AACH,kDAoCC;AAED;;;;GAIG;AACH,oCAFW,MAAM,OAchB;AAED;;;;GAIG;AACH,kDAUC;AAED;;;;;GAKG;AACH,mFAmGC;AAED;;;;;;;;;GASG;AACH,sFAMC;AAED;;;;;;;;;GASG;AACH,gFAFY,MAAO,SAAS,CA8B3B;AAED;;;;;;;;;GASG;AACH,0EAFY,OAAO,QAAQ,CAU1B;AAED;;;;GAIG;AACH,4DAFW,WAAY,SAYtB;AAED;;;;;;;;;GASG;AACH,+FAFY,OAAO,QAAQ,CAc1B;AAED;;;;GAIG;AACH;;;EAqBC;AAED;;;;;GAKG;AACH,iFAFW,GAAC,OA0BX;AAED;;;;;GAKG;AACH,sFAsNC;AAED;;;;GAIG;AACH,qDAmBC;AAED;;;;GAIG;AACH,gEAeC;AAED;;;;GAIG;AACH,6CAFW,MAAM,MAmEhB;AAED;;;;;GAKG;AACH,6DAFW,MAAM;;;;;;;GAqHhB;AAED;;;;;GAKG;AACH,mFAgKC;AAED;;;;;;GAMG;AACH,kCAJW,MAAM;;;;;;;;GA2EhB;AAED;;;;GAIG;AACH,mEAqBC;AAgBD;;;;GAIG;AACH;;;;;;;;;EA8KC;AAED;;;;GAIG;AACH;;;;;;EAcC;AAED;;;;GAIG;AACH,+DAFY,SAAO,SAAS,CAc3B;AAED;;;;GAIG;AACH,sDAoBC;AAED;;;;GAIG;AACH,oDAFY,QAAQ,CASnB;AAED;;;;;GAKG;AACH,oEAFY,SAAO,SAAS,CAc3B;AAED;;;;;;GAMG;AACH,oEAFY,OAAO,QAAQ,CA8D1B;AAED;;;;GAIG;AACH,iEAgDC;AAED,+FA4BC;AAED,8EA2EC;AAED;;;;;GAKG;AACH,0CAHW,MAAM;;;GA0DhB;AA0BD;;;;;;;;;GASG;AACH,2CAPW,MAAM,aACN,MAAM;;;;;;GA6FhB;AAED;;;;GAIG;AACH,yCAHW,MAAM,OAehB;AAED;;;;GAIG;AACH,0CAHW,MAAM,kBAuChB;AAED,+DA+CC;AAED,uEAwBC;AA6BD;;;;GAIG;AACH,oEAmGC;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBAgChB;AAED;;;;;GAKG;AACH,kDAHW,MAAM,YACN,MAAM;;;;;;;;;;;;;;GAuPhB;AAED;;;;GAIG;AACH,kEAqEC;AAED;;;;GAIG;AACH,gEA0DC;AA0BD;;;;;;;;;;;;;;;;;GAiBG;AACH,mEALW,OAAO,4BAiLjB;AAED;;;;;;;;GAQG;AACH,+DALW,OAAO,4BAsIjB;AAED;;;IAwIC;AAED,wEA0BC;AAED,mEAqCC;AAED,0DAkBC;AAED,wDA+DC;AAED,0FAkEC;AAuBD;;IA+DC;AAED;;IA2DC;AAED,2DAiEC;AAED,yDAaC;AAaD,gDA+EC;AAED,yDAkDC;AAED,sDA0BC;AAED,sDAyBC;AAED,6DAwCC;AAED,yDAmCC;AAyCD,qFA2HC;AAED,8DA0BC;AAED,sDAiCC;AAED,yDAgCC;AAED,qDAkDC;AAED;;;;;GAKG;AACH,mDASC;AAED;;;;;;GAMG;AACH,4EA4EC;AAED,kEAoDC;AAED;;;;;;;;GAQG;AACH,kGAwPC;AAED;;;EAoNC;AAED;;;;EAsHC;AAED;;;EA+GC;AAED;;;;;GAKG;AACH,+CAHW,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2IhB;AAED;;;;;;EA+HC;AAED;;;;GAIG;AACH,0CAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAqDhB;AAmBD;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAchB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM,YAQhB;AAED;;;;;;;GAOG;AACH;;;;;;;;;;IA2IC;AA2CD;;;;GAIG;AACH,0FAHW,MAAM,WACN,MAAM,UAuDhB;AAED;;;;GAIG;AACH,8CAHW,MAAM,WACN,MAAM;;;;;;EAqBhB;AAED;;;GAGG;AACH,iDAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAwDhB;AAED;;;;;;;GAOG;AACH,iDALW,MAAM,YACN,MAAM,YACN,OAAO,oBACP,OAAO,eA6DjB;AAED,oIAgCC;AAED;;;;;;;GAOG;AACH,sCALW,MAAM,eACN,MAAM,eA6JhB;AAED;;;;;;;;;;;;;;;;;;;;;;IA6DC;AAED;;;;;;;EA8BC;AAED,uDAeC;AAED,2DAeC;AAED,2CAIC;AAED;;;;;;GAMG;AACH,uDAJW,MAAM,MAgBhB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,QACN,MAAM,GACJ,OAAO,QAAQ,CAU3B;AAED;;;;;;;;GAQG;AACH,2CANW,MAAM,WACN,MAAM,iBACN,MAAM,kBAqThB;AAED;;;;;;;GAOG;AACH,iDAFW,MAAM,OAehB;AAED;;;;;;;;;;;GAWG;AACH,uCAHW,MAAM,UACN,MAAM,UAYhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,uBACN,MAAM,WAgBhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,UAIhB;AAED;;;;;;;;GAQG;AACH,sCANW,MAAM,eACN,MAAM,oBACN,MAAM,gBAgChB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,kBA4EhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM,UAiChB;AACD;;;;;;GAMG;AAEH,uDALW,MAAM,iBACN,MAAM,EAAE,GACN,GAAG,CAuCf;AACD;;;;;GAKG;AACH,yCAHW,MAAM,YACN,MAAM,UAsEhB;AAED;;GAEG;AACH,sCAmBC;AAED,0DA2EC;AAED;;;;;;;;GAQG;AACH,oCANW,MAAM,YACN,MAAM,gBACN,MAAM,eACN,MAAM,OA6ChB;AAqFD;;;;;;;;;GASG;AACH,2CAPW,MAAM,kBACN,MAAM,eACN,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAyYhB;AAED;;;;;;;;;;;GAWG;AACH,gDAPW,MAAM,+BAEN,MAAM;;;;;;;;;;;;;;;;EA4KhB;AAGD;;;;;EAmBC;AAED;;;;;;GAMG;AACH,kEAHW,MAAM,cACN,MAAM,6BA0IhB;AAED,qDASC;AAED;;;;;;;EA2GC;AAED;;;EA6PC;AAED,sEA6BC;AAED;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM;;;;;;;EAuQhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,OAKhB;AAED,qDA0CC;AA8HD;;;;GAIG;AACH;;;GAkHC;AAED,yEA0GC;AAED;;;;;;GAMG;AACH,mDAkBC;AAED;;;;;;;;;;GAUG;AACH,0DAqBC;AAED;;;;;GAKG;AACH,4DAWC;AAED;;;;;;;GAOG;AACH,2EAgCC;AApyXD,gCAAgF;AAChF,4BAA4C;AAC5C,4BAA6C;AAC7C,2BAAmE;AAsBnE,iCAEE;AAqBF,iCAIyC;AAGzC,gCACmE;AAGnE,gCACsE;AAGtE,8BAA+B;AAK/B,4CAEmE;AAGnE,6CAE6D;AAG7D,oCAEoD;AAGpD,uCAEuD;AAYvD,8BAAyC;AAczC,gCAA6C;AAU7C,8BAAiC;AAIjC,4BAA6B;AAI7B,2BAA2B;AAI3B,4BAA6B;AAI7B,2BAA2B;AAI3B,6BAA+B;AAI/B,0BAAyB;AAIzB,6BAA+B;AAM/B,2BAA2B;AAK3B,4BAA6B;AAK7B,6BAA+B;AAM/B,kDAWE;AAGF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8FE;;;;AAwHF,8BAQG;AAqiJH,8CAUE"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../utils.js"],"names":[],"mappings":"AA2JA,yCAYC;AAED,2CAQC;AAsKD;;;;;;;GAOG;AACH,4EAoBC;AAED;;;;;;GAMG;AACH,mGAkDC;AAED;;;;;;;;GAQG;AACH,yGASC;AAgBD;;;;;GAKG;AACH,qCAHW,MAAM,WACN,MAAM,0BAqBhB;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,+BAoBhB;AAYD;;;;GAIG;AACH,gCAFa,MAAM,CAIlB;AAED;;;;;;IAMI;AACJ,iDAJW,MAAM,GACJ,OAAO,CAiBnB;AAED;;;;;;;;;GASG;AACH,iEA2BC;AAED;;;;;GAKG;AACH,6CAqDC;AAED;;;;;;GAMG;AACH,sEA0DC;AAED;;;;GAIG;AACH,4EAoCC;AAED;;;GAGG;AACH;;EAUC;AAED,sEA0BC;AAED;;;;GAIG;AACH,+DA4CC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,WACN,OAAO,kBAkFjB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM;;;GAqVhB;AAED;;;;;;;GAOG;AACH,6CAFW,MAAM,MA2DhB;AAwBD;;;;GAIG;AACH,4CAFW,MAAM;;;GAkOhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,kBAiEhB;AA2BD;;;;;GAKG;AACH,wCAHW,MAAM,oBACN,MAAM;;;;;;;;;GA0ZhB;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBA+ChB;AAED;;;;GAIG;AACH,sCAFW,MAAM,kBAgFhB;AAED;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;IAqDC;AAED;;;;;;GAMG;AACH,0CALW,MAAM,WACN,MAAM,OAgJhB;AAED;;;;;;GAMG;AACH,0CALW,MAAM,qBACN,MAAM,oBACN,MAAM,uBACN,MAAM;;;;;;;;;;;;;;;;EAkNhB;AAED;;;GAGG;AACH,uCAFW,MAAM,SAoChB;AAED;;;GAGG;AACH,wCAFW,MAAM,OAahB;AAED,yEAwBC;AAED;;;;GAIG;AACH,+CAFW,MAAM;;;EA6ChB;AAED;;;;GAIG;AACH,iDAFW,MAAM;;;;;;;;EAsChB;AAED;;;;;;;;GAQG;AACH,qDANW,MAAM,YACN,MAAM,0BAGJ,MAAM,CAkElB;AAED;;;;;;GAMG;AACH,6CAJW,MAAM,YACN,MAAM,cACN,MAAM,MA2EhB;AAED;;;GAGG;AACH,iDAFW,MAAM,SA4ChB;AAED;;;GAGG;AACH,8CAFW,MAAM,SAsDhB;AAED;;;GAGG;AACH,2CAFW,MAAM,SAiBhB;AAED;;GAEG;AACH,kDAoCC;AAED;;;;GAIG;AACH,oCAFW,MAAM,OAchB;AAED;;;;GAIG;AACH,kDAUC;AAED;;;;;GAKG;AACH,mFAmGC;AAED;;;;;;;;;GASG;AACH,sFAMC;AAED;;;;;;;;;GASG;AACH,gFAFY,MAAO,SAAS,CA8B3B;AAED;;;;;;;;;GASG;AACH,0EAFY,OAAO,QAAQ,CAU1B;AAED;;;;GAIG;AACH,4DAFW,WAAY,SAYtB;AAED;;;;;;;;;GASG;AACH,+FAFY,OAAO,QAAQ,CAc1B;AAED;;;;GAIG;AACH;;;EAqBC;AAED;;;;;GAKG;AACH,iFAFW,GAAC,OA0BX;AAED;;;;;GAKG;AACH,sFAsNC;AAED;;;;GAIG;AACH,qDAmBC;AAED;;;;GAIG;AACH,gEAeC;AAED;;;;GAIG;AACH,6CAFW,MAAM,MAmEhB;AAED;;;;;GAKG;AACH,6DAFW,MAAM;;;;;;;GAqHhB;AAED;;;;;GAKG;AACH,mFAgKC;AAED;;;;;;GAMG;AACH,kCAJW,MAAM;;;;;;;;GA2EhB;AAED;;;;GAIG;AACH,mEAqBC;AAgBD;;;;GAIG;AACH;;;;;;;;;EA8KC;AAED;;;;GAIG;AACH;;;;;;EAcC;AAED;;;;GAIG;AACH,+DAFY,SAAO,SAAS,CAc3B;AAED;;;;GAIG;AACH,sDAoBC;AAED;;;;GAIG;AACH,oDAFY,QAAQ,CASnB;AAED;;;;;GAKG;AACH,oEAFY,SAAO,SAAS,CAc3B;AAED;;;;;;GAMG;AACH,oEAFY,OAAO,QAAQ,CA8D1B;AAED;;;;GAIG;AACH,iEAgDC;AAED,+FA4BC;AAED;;;;;;;GAOG;AACH,sEA4FC;AAED;;;;;GAKG;AACH,0CAHW,MAAM;;;GA0DhB;AA4BD;;;;;;;;;;GAUG;AACH,2CARW,MAAM,aACN,MAAM;;;;;;;;GAkMhB;AAED;;;;GAIG;AACH,yCAHW,MAAM,OAehB;AAED;;;;GAIG;AACH,0CAHW,MAAM,kBAuChB;AAED,+DA+CC;AAED,uEAwBC;AA6BD;;;;GAIG;AACH,oEAmGC;AAED;;;;GAIG;AACH,8CAFW,MAAM,kBAgChB;AAED;;;;;GAKG;AACH,kDAHW,MAAM,YACN,MAAM;;;;;;;;;;;;;;GAuPhB;AAED;;;;GAIG;AACH,kEAqEC;AAED;;;;GAIG;AACH,gEA0DC;AA0BD;;;;;;;;;;;;;;;;;GAiBG;AACH,mEALW,OAAO,4BAiLjB;AAED;;;;;;;;GAQG;AACH,+DALW,OAAO,4BAsIjB;AAED;;;IAwIC;AAED,wEA0BC;AAED,mEAqCC;AAED,0DAkBC;AAED,wDA+DC;AAED,0FAkEC;AAmBD;;IAiEC;AAED;;IA2DC;AAED,2DAiEC;AAED,yDAaC;AAaD,gDA+EC;AAED,yDAkDC;AAED,sDA0BC;AAED,sDAyBC;AAED,6DAwCC;AAED,yDAmCC;AAyCD,qFA2HC;AAED,8DA0BC;AAED,sDAiCC;AAED,yDAgCC;AAED,qDAkDC;AAED;;;;;GAKG;AACH,mDASC;AAED;;;;;;GAMG;AACH,4EA4EC;AAED,kEAoDC;AAED;;;;;;;;GAQG;AACH,kGAwPC;AAED;;;EAoNC;AAED;;;;EAsHC;AAED;;;EA+GC;AAED;;;;;GAKG;AACH,+CAHW,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2IhB;AAED;;;;;;EA+HC;AAED;;;;GAIG;AACH,0CAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAqDhB;AAmBD;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAchB;AAED;;;;;GAKG;AACH,wCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,yCAHW,MAAM,YAQhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM,YAQhB;AAED;;;;;;;GAOG;AACH;;;;;;;;;;IA2IC;AA2CD;;;;GAIG;AACH,0FAHW,MAAM,WACN,MAAM,UAuDhB;AAED;;;;GAIG;AACH,8CAHW,MAAM,WACN,MAAM;;;;;;EAqBhB;AAED;;;GAGG;AACH,iDAFW,MAAM;;;;;;;;;;;;;;;;;;;;;IAwDhB;AAED;;;;;;;GAOG;AACH,iDALW,MAAM,YACN,MAAM,YACN,OAAO,oBACP,OAAO,eA6DjB;AAED,oIAgCC;AAED;;;;;;;GAOG;AACH,sCALW,MAAM,eACN,MAAM,eA6JhB;AAED;;;;;;;;;;;;;;;;;;;;;;IA6DC;AAED;;;;;;;EA8BC;AAED,uDAeC;AAED,2DAeC;AAED,2CAIC;AAED;;;;;;GAMG;AACH,uDAJW,MAAM,MAgBhB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,QACN,MAAM,GACJ,OAAO,QAAQ,CAU3B;AAED;;;;;;;;GAQG;AACH,2CANW,MAAM,WACN,MAAM,iBACN,MAAM,kBAqThB;AAED;;;;;;;GAOG;AACH,iDAFW,MAAM,OAehB;AAED;;;;;;;;;;;GAWG;AACH,uCAHW,MAAM,UACN,MAAM,UAYhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,uBACN,MAAM,WAgBhB;AAED;;;;GAIG;AACH,4CAFW,MAAM,UAIhB;AAED;;;;;;;;GAQG;AACH,sCANW,MAAM,eACN,MAAM,oBACN,MAAM,gBAgChB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,kBA4EhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,YACN,MAAM,UAiChB;AACD;;;;;;GAMG;AAEH,uDALW,MAAM,iBACN,MAAM,EAAE,GACN,GAAG,CAuCf;AACD;;;;;GAKG;AACH,yCAHW,MAAM,YACN,MAAM,UAsEhB;AAED;;GAEG;AACH,sCAmBC;AAED,0DA2EC;AAED;;;;;;;;GAQG;AACH,oCANW,MAAM,YACN,MAAM,gBACN,MAAM,eACN,MAAM,OA6ChB;AAqFD;;;;;;;;;GASG;AACH,2CAPW,MAAM,kBACN,MAAM,eACN,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAyYhB;AAED;;;;;;;;;;;GAWG;AACH,gDAPW,MAAM,+BAEN,MAAM;;;;;;;;;;;;;;;;EA4KhB;AAGD;;;;;EAmBC;AAED;;;;;;GAMG;AACH,kEAHW,MAAM,cACN,MAAM,6BA0IhB;AAED,qDASC;AAED;;;;;;;EA2GC;AAED;;;EA6PC;AAED,sEA6BC;AAED;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM;;;;;;;EAuQhB;AAED;;;;;;GAMG;AACH,2CAHW,MAAM,OAKhB;AAED,qDA0CC;AA8HD;;;;GAIG;AACH;;;GAkHC;AAED,yEA0GC;AAED;;;;;;GAMG;AACH,mDAkBC;AAED;;;;;;;;;;GAUG;AACH,0DAqBC;AAED;;;;;GAKG;AACH,4DAWC;AAED;;;;;;;GAOG;AACH,2EAgCC;AAl6XD,gCAAgF;AAChF,4BAA4C;AAC5C,4BAA6C;AAC7C,2BAAmE;AAsBnE,iCAEE;AAqBF,iCAIyC;AAGzC,gCACmE;AAGnE,gCACsE;AAGtE,8BAA+B;AAK/B,4CAEmE;AAGnE,6CAE6D;AAG7D,oCAEoD;AAGpD,uCAEuD;AAYvD,8BAAyC;AAczC,gCAA6C;AAU7C,8BAAiC;AAIjC,4BAA6B;AAI7B,2BAA2B;AAI3B,4BAA6B;AAI7B,2BAA2B;AAI3B,6BAA+B;AAI/B,0BAAyB;AAIzB,6BAA+B;AAM/B,2BAA2B;AAK3B,4BAA6B;AAK7B,6BAA+B;AAM/B,kDAWE;AAGF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8FE;;;;AAwHF,8BAQG;AAqqJH,8CAUE"}

package/types/validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../validator.js"],"names":[],"mappings":"AAmBO,qCAFI,MAAM,WA6ChB;AAOM,0CAFI,MAAM,WAiDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WA8ChB"}
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../validator.js"],"names":[],"mappings":"AAmBO,qCAFI,MAAM,WA6ChB;AAOM,0CAFI,MAAM,WAqDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WA8ChB"}

package/utils.js

@@ -4707,19 +4707,40 @@ export async function getGoPkgComponent(group, name, version, hash) {
   return pkg;
 }
 
+/**
+ * Method to parse go.mod files
+ *
+ * @param {String} goModData Contents of go.mod file
+ * @param {Object} gosumMap Data from go.sum files
+ *
+ * @returns {Object} Object containing parent component, rootList and packages list
+ */
 export async function parseGoModData(goModData, gosumMap) {
   const pkgComponentsList = [];
+  const parentComponent = {};
+  const rootList = [];
   let isModReplacement = false;
 
   if (!goModData) {
-    return pkgComponentsList;
+    return {};
   }
 
   const pkgs = goModData.split("\n");
   for (let l of pkgs) {
+    // Windows of course
+    l = l.replace("\r", "");
+    // Capture the parent component name from the module
+    if (l.startsWith("module ")) {
+      parentComponent.name = l.split(" ").pop().trim();
+      parentComponent.type = "application";
+      parentComponent["purl"] = PackageURL.fromString(
+        `pkg:golang/${parentComponent.name}`,
+      ).toString();
+      parentComponent["bom-ref"] = decodeURIComponent(parentComponent["purl"]);
+      continue;
+    }
     // Skip go.mod file headers, whitespace, and/or comments
     if (
-      l.startsWith("module ") ||
       l.startsWith("go ") ||
       l.includes(")") ||
       l.trim() === "" ||
@@ -4743,33 +4764,32 @@ export async function parseGoModData(goModData, gosumMap) {
       l = l.replace("replace", "");
       isModReplacement = true;
     }
-
+    // require google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17
+    if (l.startsWith("require ")) {
+      l = l.replace("require ", "");
+      isModReplacement = false;
+    }
     const tmpA = l.trim().split(" ");
-
     if (!isModReplacement) {
       // Add group, name and version component properties for required modules
       const version = tmpA[1];
       const gosumHash = gosumMap[`${tmpA[0]}@${version}`];
-      // The hash for this version was not found in go.sum, so skip as it is most likely being replaced.
-      if (gosumHash === undefined) {
-        continue;
-      }
       const component = await getGoPkgComponent(
         "",
         tmpA[0],
         version,
         gosumHash,
       );
+      if (l.endsWith("// indirect")) {
+        component.scope = "optional";
+      } else {
+        rootList.push(component);
+      }
       pkgComponentsList.push(component);
     } else {
       // Add group, name and version component properties for replacement modules
       const version = tmpA[3];
-
       const gosumHash = gosumMap[`${tmpA[2]}@${version}`];
-      // The hash for this version was not found in go.sum, so skip.
-      if (gosumHash === undefined) {
-        continue;
-      }
       const component = await getGoPkgComponent(
         "",
         tmpA[2],
@@ -4777,11 +4797,16 @@ export async function parseGoModData(goModData, gosumMap) {
         gosumHash,
       );
       pkgComponentsList.push(component);
+      rootList.push(component);
     }
   }
   // Clear the cache
   metadata_cache = {};
-  return pkgComponentsList;
+  return {
+    parentComponent,
+    pkgList: pkgComponentsList.sort((a, b) => a.purl.localeCompare(b.purl)),
+    rootList,
+  };
 }
 
 /**
@@ -4843,31 +4868,33 @@ export async function parseGoListDep(rawOutput, gosumMap) {
   }
   return {
     parentComponent,
-    pkgList: deps,
+    pkgList: deps.sort((a, b) => a.purl.localeCompare(b.purl)),
   };
 }
 
-function _addGoComponentEvidence(component, goModFile) {
-  component.evidence = {
-    identity: {
-      field: "purl",
-      confidence: 1,
-      methods: [
-        {
-          technique: "manifest-analysis",
-          confidence: 1,
-          value: goModFile,
-        },
-      ],
-    },
-  };
-  if (!component.properties) {
-    component.properties = [];
+function _addGoComponentEvidence(component, goModFile, confidence = 0.8) {
+  if (goModFile) {
+    component.evidence = {
+      identity: {
+        field: "purl",
+        confidence,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence,
+            value: goModFile,
+          },
+        ],
+      },
+    };
+    if (!component.properties) {
+      component.properties = [];
+    }
+    component.properties.push({
+      name: "SrcFile",
+      value: goModFile,
+    });
   }
-  component.properties.push({
-    name: "SrcFile",
-    value: goModFile,
-  });
   return component;
 }
 
@@ -4878,6 +4905,7 @@ function _addGoComponentEvidence(component, goModFile) {
  * @param {string} goModFile go.mod file
  * @param {Object} goSumMap Hashes from gosum for lookups
  * @param {Array} epkgList Existing package list
+ * @param {Object} parentComponent Current parent component
  *
  * @returns Object containing List of packages and dependencies
  */
@@ -4892,7 +4920,33 @@ export async function parseGoModGraph(
   const dependenciesList = [];
   const addedPkgs = {};
   const depsMap = {};
+  // Useful for filtering out invalid components
   const existingPkgMap = {};
+  // Package map by manually parsing the go.mod data
+  let goModPkgMap = {};
+  // Direct dependencies by manually parsing the go.mod data
+  const goModDirectDepsMap = {};
+  // Indirect dependencies by manually parsing the go.mod data
+  const goModOptionalDepsMap = {};
+  const excludedRefs = [];
+  if (goModFile) {
+    goModPkgMap = await parseGoModData(
+      readFileSync(goModFile, { encoding: "utf-8" }),
+      gosumMap,
+    );
+    if (goModPkgMap?.rootList) {
+      for (const epkg of goModPkgMap.rootList) {
+        goModDirectDepsMap[epkg["bom-ref"]] = true;
+      }
+    }
+    if (goModPkgMap?.pkgList) {
+      for (const epkg of goModPkgMap.pkgList) {
+        if (epkg?.scope === "optional") {
+          goModOptionalDepsMap[epkg["bom-ref"]] = true;
+        }
+      }
+    }
+  }
   for (const epkg of epkgList) {
     existingPkgMap[epkg["bom-ref"]] = true;
   }
@@ -4924,7 +4978,7 @@ export async function parseGoModGraph(
             continue;
           }
           // Add the source and depends to the pkgList
-          if (!addedPkgs[tmpA[0]]) {
+          if (!addedPkgs[tmpA[0]] && !excludedRefs.includes(sourceRefString)) {
             const component = await getGoPkgComponent(
               "",
               `${sourcePurl.namespace ? `${sourcePurl.namespace}/` : ""}${
@@ -4933,7 +4987,28 @@ export async function parseGoModGraph(
               sourcePurl.version,
               gosumMap[tmpA[0]],
             );
-            pkgList.push(_addGoComponentEvidence(component, goModFile));
+            let confidence = 0.7;
+            if (goModOptionalDepsMap[component["bom-ref"]]) {
+              component.scope = "optional";
+              confidence = 0.5;
+            } else if (goModDirectDepsMap[component["bom-ref"]]) {
+              component.scope = "required";
+            }
+            // These are likely false positives
+            if (
+              goModFile &&
+              !Object.keys(existingPkgMap).length &&
+              goModPkgMap?.parentComponent?.["bom-ref"] !== sourceRefString &&
+              !component.scope
+            ) {
+              continue;
+            }
+            // Don't add the parent component to the package list
+            if (goModPkgMap?.parentComponent?.["bom-ref"] !== sourceRefString) {
+              pkgList.push(
+                _addGoComponentEvidence(component, goModFile, confidence),
+              );
+            }
             addedPkgs[tmpA[0]] = true;
           }
           if (!addedPkgs[tmpA[1]]) {
@@ -4945,7 +5020,46 @@ export async function parseGoModGraph(
               dependsPurl.version,
               gosumMap[tmpA[1]],
             );
-            pkgList.push(component);
+            let confidence = 0.7;
+            if (goModDirectDepsMap[component["bom-ref"]]) {
+              component.scope = "required";
+            }
+            if (goModOptionalDepsMap[component["bom-ref"]]) {
+              component.scope = "optional";
+              confidence = 0.5;
+            }
+            if (
+              goModPkgMap?.parentComponent?.["bom-ref"] !== sourceRefString &&
+              goModDirectDepsMap[sourceRefString] &&
+              component?.scope !== "required"
+            ) {
+              // If the parent is required, then ensure the child doesn't accidentally become optional or excluded
+              component.scope = undefined;
+            }
+            // Mark the go toolchain components as excluded
+            if (
+              dependsRefString.startsWith("pkg:golang/toolchain@") ||
+              dependsRefString.startsWith("pkg:golang/go@")
+            ) {
+              excludedRefs.push(dependsRefString);
+              continue;
+            }
+            // These are likely false positives
+            if (
+              goModFile &&
+              goModPkgMap?.parentComponent?.["bom-ref"] !== sourceRefString &&
+              !Object.keys(existingPkgMap).length &&
+              !component.scope
+            ) {
+              excludedRefs.push(dependsRefString);
+              continue;
+            }
+            // The confidence for the indirect dependencies is lower
+            // This is because go mod graph emits module requirements graph, which could be different to module compile graph
+            // See https://go.dev/ref/mod#glos-module-graph
+            pkgList.push(
+              _addGoComponentEvidence(component, goModFile, confidence),
+            );
             addedPkgs[tmpA[1]] = true;
           }
           if (!depsMap[sourceRefString]) {
@@ -4954,7 +5068,16 @@ export async function parseGoModGraph(
           if (!depsMap[dependsRefString]) {
             depsMap[dependsRefString] = new Set();
           }
-          depsMap[sourceRefString].add(dependsRefString);
+          // Check if the root is really dependent on this component
+          if (
+            goModPkgMap?.parentComponent?.["bom-ref"] === sourceRefString &&
+            Object.keys(goModDirectDepsMap).length &&
+            !goModDirectDepsMap[dependsRefString]
+          ) {
+            // ignore
+          } else if (!excludedRefs.includes(dependsRefString)) {
+            depsMap[sourceRefString].add(dependsRefString);
+          }
         } catch (_e) {
           // pass
         }
@@ -4967,7 +5090,12 @@ export async function parseGoModGraph(
       dependsOn: Array.from(depsMap[adep]).sort(),
     });
   }
-  return { pkgList, dependenciesList };
+  return {
+    pkgList: pkgList.sort((a, b) => a.purl.localeCompare(b.purl)),
+    dependenciesList,
+    parentComponent: goModPkgMap?.parentComponent,
+    rootList: goModPkgMap?.rootList,
+  };
 }
 
 /**
@@ -6397,10 +6525,6 @@ function substituteBuildArgs(statement, buildArgs) {
         statement.slice(0, argIndex) +
         buildArgs.get(argName) +
         statement.slice(argIndex + fullArgName.length);
-    } else {
-      console.warn(
-        `Unable to substitute build argument '${fullArgName}' in '${statement}'.`,
-      );
     }
   }
   return statement;
@@ -6452,9 +6576,11 @@ export function parseContainerFile(fileContents) {
       if (imageStatement.includes("$")) {
         imageStatement = substituteBuildArgs(imageStatement, buildArgs);
         if (imageStatement.includes("$")) {
-          console.warn(
-            `Unable to substitute build arguments in '${line}' statement.`,
-          );
+          if (DEBUG_MODE) {
+            console.log(
+              `Unable to substitute build arguments in '${line}' statement.`,
+            );
+          }
           continue;
         }
       }

package/utils.test.js

@@ -808,67 +808,104 @@ test("get py metadata", async () => {
 }, 240000);
 
 test("parseGoModData", async () => {
-  let dep_list = await parseGoModData(null);
-  expect(dep_list).toEqual([]);
+  let retMap = await parseGoModData(null);
+  expect(retMap).toEqual({});
   const gosumMap = {
     "google.golang.org/grpc@v1.21.0":
       "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=",
     "github.com/aws/aws-sdk-go@v1.38.47": "sha256-fake-sha-for-aws-go-sdk=",
     "github.com/spf13/cobra@v1.0.0":
       "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=",
-    "github.com/spf13/viper@v1.0.2":
+    "github.com/spf13/viper@v1.3.0":
       "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=",
     "github.com/stretchr/testify@v1.6.1":
       "sha256-6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=",
   };
-  dep_list = await parseGoModData(
+  retMap = await parseGoModData(
     readFileSync("./test/gomod/go.mod", { encoding: "utf-8" }),
     gosumMap,
   );
-  expect(dep_list.length).toEqual(4);
-  expect(dep_list[0]).toEqual({
-    group: "",
-    name: "github.com/aws/aws-sdk-go",
-    license: undefined,
-    version: "v1.38.47",
-    _integrity: "sha256-fake-sha-for-aws-go-sdk=",
-    "bom-ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.38.47",
-    purl: "pkg:golang/github.com/aws/aws-sdk-go@v1.38.47",
-  });
-  expect(dep_list[1]).toEqual({
-    group: "",
-    name: "github.com/spf13/cobra",
-    "bom-ref": "pkg:golang/github.com/spf13/cobra@v1.0.0",
-    purl: "pkg:golang/github.com/spf13/cobra@v1.0.0",
-    license: undefined,
-    version: "v1.0.0",
-    _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=",
-  });
-  expect(dep_list[2]).toEqual({
-    group: "",
-    name: "google.golang.org/grpc",
-    "bom-ref": "pkg:golang/google.golang.org/grpc@v1.21.0",
-    purl: "pkg:golang/google.golang.org/grpc@v1.21.0",
-    license: undefined,
-    version: "v1.21.0",
-    _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=",
+  expect(retMap.pkgList.length).toEqual(6);
+  expect(retMap.pkgList).toEqual([
+    {
+      group: "",
+      name: "github.com/aws/aws-sdk-go",
+      version: "v1.38.47",
+      _integrity: "sha256-fake-sha-for-aws-go-sdk=",
+      purl: "pkg:golang/github.com/aws/aws-sdk-go@v1.38.47",
+      "bom-ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.38.47",
+    },
+    {
+      group: "",
+      name: "github.com/spf13/cobra",
+      version: "v1.0.0",
+      _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=",
+      purl: "pkg:golang/github.com/spf13/cobra@v1.0.0",
+      "bom-ref": "pkg:golang/github.com/spf13/cobra@v1.0.0",
+    },
+    {
+      group: "",
+      name: "github.com/spf13/viper",
+      version: "v1.0.2",
+      purl: "pkg:golang/github.com/spf13/viper@v1.0.2",
+      "bom-ref": "pkg:golang/github.com/spf13/viper@v1.0.2",
+    },
+    {
+      group: "",
+      name: "github.com/spf13/viper",
+      version: "v1.3.0",
+      _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=",
+      purl: "pkg:golang/github.com/spf13/viper@v1.3.0",
+      "bom-ref": "pkg:golang/github.com/spf13/viper@v1.3.0",
+    },
+    {
+      group: "",
+      name: "google.golang.org/grpc",
+      version: "v1.21.0",
+      _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=",
+      purl: "pkg:golang/google.golang.org/grpc@v1.21.0",
+      "bom-ref": "pkg:golang/google.golang.org/grpc@v1.21.0",
+    },
+    {
+      group: "",
+      name: "google.golang.org/grpc",
+      version: "v1.32.0",
+      purl: "pkg:golang/google.golang.org/grpc@v1.32.0",
+      "bom-ref": "pkg:golang/google.golang.org/grpc@v1.32.0",
+    },
+  ]);
+
+  retMap.pkgList.forEach((d) => {
+    expect(d.license);
   });
-  expect(dep_list[3]).toEqual({
-    group: "",
-    name: "github.com/spf13/viper",
-    "bom-ref": "pkg:golang/github.com/spf13/viper@v1.0.2",
-    purl: "pkg:golang/github.com/spf13/viper@v1.0.2",
-    license: undefined,
-    version: "v1.0.2",
-    _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=",
+  retMap = await parseGoModData(
+    readFileSync("./test/data/go-dvwa.mod", { encoding: "utf-8" }),
+    {},
+  );
+  expect(retMap.parentComponent).toEqual({
+    "bom-ref": "pkg:golang/github.com/sqreen/go-dvwa",
+    name: "github.com/sqreen/go-dvwa",
+    purl: "pkg:golang/github.com/sqreen/go-dvwa",
+    type: "application",
   });
-  dep_list.forEach((d) => {
-    expect(d.license);
+  expect(retMap.pkgList.length).toEqual(19);
+  expect(retMap.rootList.length).toEqual(4);
+  retMap = await parseGoModData(
+    readFileSync("./test/data/go-syft.mod", { encoding: "utf-8" }),
+    {},
+  );
+  expect(retMap.parentComponent).toEqual({
+    "bom-ref": "pkg:golang/github.com/anchore/syft",
+    name: "github.com/anchore/syft",
+    purl: "pkg:golang/github.com/anchore/syft",
+    type: "application",
   });
+  expect(retMap.pkgList.length).toEqual(239);
+  expect(retMap.rootList.length).toEqual(84);
 }, 120000);
 
 test("parseGoSumData", async () => {
-  let dep_list = await parseGoModData(null);
+  let dep_list = await parseGosumData(null);
   expect(dep_list).toEqual([]);
   dep_list = await parseGosumData(
     readFileSync("./test/gomod/go.sum", { encoding: "utf-8" }),
@@ -938,35 +975,53 @@ test("parse go list dependencies", async () => {
 });
 
 test("parse go mod graph", async () => {
-  const retMap = await parseGoModGraph(
+  let retMap = await parseGoModGraph(
     readFileSync("./test/data/gomod-graph.txt", { encoding: "utf-8" }),
-    "./test/data/gomod-graph.txt",
+    undefined,
     {},
     [],
     {},
   );
-  expect(retMap.pkgList.length).toEqual(537);
+  expect(retMap.pkgList.length).toEqual(536);
   expect(retMap.pkgList[0]).toEqual({
+    _integrity: undefined,
+    "bom-ref": "pkg:golang/cloud.google.com/go@v0.26.0",
     group: "",
+    license: undefined,
+    name: "cloud.google.com/go",
+    purl: "pkg:golang/cloud.google.com/go@v0.26.0",
+    version: "v0.26.0",
+  });
+  retMap = await parseGoModGraph(
+    readFileSync("./test/data/gomod-dvwa-graph.txt", { encoding: "utf-8" }),
+    "./test/data/go-dvwa.mod",
+    {},
+    [],
+    {},
+  );
+  expect(retMap.parentComponent).toEqual({
+    "bom-ref": "pkg:golang/github.com/sqreen/go-dvwa",
     name: "github.com/sqreen/go-dvwa",
-    version: null,
     purl: "pkg:golang/github.com/sqreen/go-dvwa",
-    "bom-ref": "pkg:golang/github.com/sqreen/go-dvwa",
-    evidence: {
-      identity: {
-        field: "purl",
-        confidence: 1,
-        methods: [
-          {
-            technique: "manifest-analysis",
-            confidence: 1,
-            value: "./test/data/gomod-graph.txt",
-          },
-        ],
-      },
-    },
-    properties: [{ name: "SrcFile", value: "./test/data/gomod-graph.txt" }],
+    type: "application",
+  });
+  expect(retMap.pkgList.length).toEqual(19);
+  expect(retMap.rootList.length).toEqual(4);
+  retMap = await parseGoModGraph(
+    readFileSync("./test/data/gomod-syft-graph.txt", { encoding: "utf-8" }),
+    "./test/data/go-syft.mod",
+    {},
+    [],
+    {},
+  );
+  expect(retMap.parentComponent).toEqual({
+    "bom-ref": "pkg:golang/github.com/anchore/syft",
+    name: "github.com/anchore/syft",
+    purl: "pkg:golang/github.com/anchore/syft",
+    type: "application",
   });
+  expect(retMap.pkgList.length).toEqual(235);
+  expect(retMap.rootList.length).toEqual(84);
 });
 
 test("parse go mod why dependencies", () => {
@@ -3033,8 +3088,8 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList).toHaveLength(462);
   expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(653);
-  expect(parsedList.dependenciesList.length).toEqual(653);
+  expect(parsedList.pkgList.length).toEqual(655);
+  expect(parsedList.dependenciesList.length).toEqual(655);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",

package/validator.js

@@ -75,7 +75,9 @@ export const validateMetadata = (bomJson) => {
       !bomJson.metadata.component ||
       !Object.keys(bomJson.metadata.component).length
     ) {
-      warningsList.push("metadata.component is missing.");
+      warningsList.push(
+        "metadata.component is missing. Run cdxgen with both --project-name and --project-version argument.",
+      );
     }
     if (bomJson.metadata.component) {
       // Do we have a purl and bom-ref for metadata.component
@@ -87,7 +89,9 @@ export const validateMetadata = (bomJson) => {
       }
       // Do we have a version for metadata.component
       if (!bomJson.metadata.component.version) {
-        warningsList.push("Version is missing for metadata.component");
+        warningsList.push(
+          "Version is missing for metadata.component. Pass the version using --project-version argument.",
+        );
       }
       // Is the same component getting repeated inside the components block
       if (bomJson.metadata.component.components?.length) {