@cyclonedx/cdxgen 11.0.10 → 11.1.1

package/README.md

@@ -64,6 +64,12 @@ If you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][h
 $ brew install cdxgen
 ```
 
+If you are a [Winget][winget-homepage] user on windows, you can also install cdxgen via:
+
+```shell
+$ winget install cdxgen
+```
+
 Deno and bun runtime can be used with limited support.
 
 ```shell
@@ -456,7 +462,9 @@ Use the [CycloneDX CLI][cyclonedx-cli-github] tool for advanced use cases such a
 
 ## Including .NET Global Assembly Cache dependencies in the results
 
-Global Assembly Cache (GAC) dependencies must be made available in the build output of the project for cdxgen in order for it to inspect and include in the results. A cdxgen scan with the `--deep` flag will look for additional dependencies in the form of dll files. A simple way to have the dotnet build copy the GAC dependencies into the build directory is to place the file `Directory.Build.props` into the root of the project and ensure the contents include the following:
+For `dotnet` and `dotnet-framework`, SBOM could include components without a version number. Often, these components begin with the prefix `System.`.
+
+Global Assembly Cache (GAC) dependencies (System Runtime dependencies) must be made available in the build output of the project for version detection. A simple way to have the dotnet build copy the GAC dependencies into the build directory is to place the file `Directory.Build.props` into the root of the project and ensure the contents include the following:
 
 ```
 <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
@@ -468,6 +476,8 @@ Global Assembly Cache (GAC) dependencies must be made available in the build out
 </Project>
 ```
 
+Then, run cdxgen cli with the `--deep` argument.
+
 ## License
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE][github-license] file for the full license.
@@ -509,6 +519,10 @@ pnpm run lint
 pnpm test
 ```
 
+## Sponsors
+
+<img src="./docs/_media/LevoLogo-LightBg.jpg" width="200" height="auto">
+
 <!-- LINK LABELS -->
 <!-- Badges -->
 
@@ -548,6 +562,7 @@ pnpm test
 [github-rate-limit]: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api#primary-rate-limit-for-github_token-in-github-actions
 [homebrew-homepage]: https://brew.sh
 [homebrew-cdxgen]: https://formulae.brew.sh/formula/cdxgen
+[winget-homepage]: https://learn.microsoft.com/en-us/windows/package-manager/winget/
 [jsr-cdxgen]: https://jsr.io/@cyclonedx/cdxgen
 [jwt-homepage]: https://jwt.io
 [jwt-libraries]: https://jwt.io/libraries

package/bin/cdxgen.js

@@ -2,7 +2,6 @@
 
 import crypto from "node:crypto";
 import fs from "node:fs";
-import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
 import { URL } from "node:url";
@@ -22,7 +21,7 @@ import {
   printSummary,
   printTable,
 } from "../lib/helpers/display.js";
-import { ATOM_DB, dirNameStr } from "../lib/helpers/utils.js";
+import { ATOM_DB, dirNameStr, getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
@@ -168,6 +167,7 @@ const args = yargs(hideBin(process.argv))
   })
   .option("install-deps", {
     type: "boolean",
+    default: true,
     description:
       "Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. Use --no-install-deps to disable this feature.",
   })
@@ -296,7 +296,7 @@ const args = yargs(hideBin(process.argv))
   .option("feature-flags", {
     description: "Experimental feature flags to enable. Advanced users only.",
     hidden: true,
-    choices: ["safe-pip-install", "suggest-build-tools"],
+    choices: ["safe-pip-install", "suggest-build-tools", "ruby-docker-install"],
   })
   .option("min-confidence", {
     description:
@@ -507,7 +507,6 @@ const applyAdvancedOptions = (options) => {
       options.installDeps = true;
       break;
     default:
-      options.installDeps = true;
       break;
   }
   // When the user specifies source-code-analysis as a technique, then enable deep and evidence mode.
@@ -541,9 +540,9 @@ const checkPermissions = (filePath) => {
     );
     return false;
   }
-  if (!process.permission.has("fs.write", tmpdir())) {
+  if (!process.permission.has("fs.write", getTmpDir())) {
     console.log(
-      `FileSystemWrite permission required. Please invoke with the argument --allow-fs-write="${tmpdir()}"`,
+      `FileSystemWrite permission required. Please invoke with the argument --allow-fs-write="${getTmpDir()}"`,
     );
     return false;
   }

package/bin/evinse.js

@@ -72,6 +72,7 @@ const args = yargs(hideBin(process.argv))
       "php",
       "swift",
       "ios",
+      "ruby",
     ],
   })
   .option("db-path", {

package/bin/repl.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import fs from "node:fs";
-import { homedir, tmpdir } from "node:os";
+import { homedir } from "node:os";
 import { join } from "node:path";
 import process from "node:process";
 import repl from "node:repl";
@@ -19,6 +19,7 @@ import {
   printTable,
   printVulnerabilities,
 } from "../lib/helpers/display.js";
+import { getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 
 const options = {
@@ -107,7 +108,7 @@ cdxgenRepl.defineCommand("create", {
   help: "create an SBOM for the given path",
   async action(sbomOrPath) {
     this.clearBufferedCommand();
-    const tempDir = fs.mkdtempSync(join(tmpdir(), "cdxgen-repl-"));
+    const tempDir = fs.mkdtempSync(join(getTmpDir(), "cdxgen-repl-"));
     const bomFile = join(tempDir, "bom.json");
     const bomNSData = await createBom(sbomOrPath, {
       multiProject: true,

package/data/README.md

@@ -3,7 +3,7 @@
 Contents of data directory and their purpose.
 
 | Filename              | Purpose                                                                                                  |
-| --------------------- | -------------------------------------------------------------------------------------------------------- |
+| --------------------- |----------------------------------------------------------------------------------------------------------|
 | bom-1.4.schema.json   | CycloneDX 1.4 jsonschema for validation                                                                  |
 | bom-1.5.schema.json   | CycloneDX 1.5 jsonschema for validation                                                                  |
 | cosdb-queries.json    | osquery useful for identifying OS packages for C                                                         |
@@ -24,3 +24,4 @@ Contents of data directory and their purpose.
 | crypto-oid.json       | Peter Gutmann's crypto oid [mapping](https://www.cs.auckland.ac.nz/~pgut001). GPL, BSD, or CC BY license |
 | glibc-stdlib.json     | Standard libraries that can be filtered out in C++                                                       |
 | component-tags.json   | List of tags to extract from component description text for easy classification.                         |
+| ruby-known-modules.json | Module names for certain known gems. Example: rails                                                    | 

package/data/component-tags.json

@@ -125,7 +125,6 @@
   "properties": {
     "all": [
       "sql",
-      "http",
       "xml",
       "cloud",
       "middleware",

package/data/frameworks-list.json

@@ -191,6 +191,16 @@
     "pkg:composer/roducks",
     "pkg:composer/queryphp",
     "pkg:composer/silex",
-    "pkg:composer/psr"
+    "pkg:composer/psr",
+    "pkg:gem/rails",
+    "pkg:gem/sinatra",
+    "pkg:gem/hanami",
+    "pkg:gem/padrino",
+    "pkg:gem/cuba",
+    "pkg:gem/grape",
+    "pkg:gem/volt",
+    "pkg:gem/trailblazer",
+    "pkg:gem/ramaze",
+    "pkg:gem/scorched"
   ]
 }

package/data/ruby-known-modules.json

@@ -0,0 +1,281 @@
+{
+  "abstractcontroller": [
+    "AbstractController",
+    "AbstractController::Caching",
+    "AbstractController::Callbacks",
+    "AbstractController::Collector",
+    "AbstractController::Helpers",
+    "AbstractController::Railties",
+    "AbstractController::Rendering",
+    "AbstractController::Translation",
+    "AbstractController::UrlFor"
+  ],
+  "actioncable": [
+    "ActionCable",
+    "ActionCable::Channel",
+    "ActionCable::Connection",
+    "ActionCable::Helpers",
+    "ActionCable::Server",
+    "ActionCable::SubscriptionAdapter",
+    "ActionCable::TestHelper",
+    "ActionCable::VERSION"
+  ],
+  "actioncontroller": [
+    "ActionController",
+    "ActionController::AllowBrowser",
+    "ActionController::ApiRendering",
+    "ActionController::Caching",
+    "ActionController::ConditionalGet",
+    "ActionController::ContentSecurityPolicy",
+    "ActionController::Cookies",
+    "ActionController::DataStreaming",
+    "ActionController::DefaultHeaders",
+    "ActionController::EtagWithFlash",
+    "ActionController::EtagWithTemplateDigest",
+    "ActionController::Flash",
+    "ActionController::FormBuilder",
+    "ActionController::Head",
+    "ActionController::Helpers",
+    "ActionController::HttpAuthentication",
+    "ActionController::ImplicitRender",
+    "ActionController::Instrumentation",
+    "ActionController::Live",
+    "ActionController::Logging",
+    "ActionController::MimeResponds",
+    "ActionController::ParameterEncoding",
+    "ActionController::ParamsWrapper",
+    "ActionController::PermissionsPolicy",
+    "ActionController::Railties",
+    "ActionController::RateLimiting",
+    "ActionController::Redirecting",
+    "ActionController::Renderers",
+    "ActionController::Rendering",
+    "ActionController::RequestForgeryProtection",
+    "ActionController::Rescue",
+    "ActionController::Streaming",
+    "ActionController::StrongParameters",
+    "ActionController::Testing",
+    "ActionController::UrlFor"
+  ],
+  "actiondispatch": [
+    "ActionDispatch",
+    "ActionDispatch::Assertions",
+    "ActionDispatch::Constants",
+    "ActionDispatch::Http",
+    "ActionDispatch::Integration",
+    "ActionDispatch::Journey",
+    "ActionDispatch::RequestCookieMethods",
+    "ActionDispatch::Routing",
+    "ActionDispatch::Session",
+    "ActionDispatch::SystemTesting",
+    "ActionDispatch::TestHelpers",
+    "ActionDispatch::TestProcess"
+  ],
+  "actionmailbox": [
+    "ActionMailbox",
+    "ActionMailbox::Callbacks",
+    "ActionMailbox::Ingresses",
+    "ActionMailbox::Routing",
+    "ActionMailbox::TestHelper",
+    "ActionMailbox::VERSION"
+  ],
+  "actionmailer": [
+    "ActionMailer",
+    "ActionMailer::Callbacks",
+    "ActionMailer::DeliveryMethods",
+    "ActionMailer::FormBuilder",
+    "ActionMailer::MailHelper",
+    "ActionMailer::Parameterized",
+    "ActionMailer::Previews",
+    "ActionMailer::QueuedDelivery",
+    "ActionMailer::Rescuable",
+    "ActionMailer::TestHelper",
+    "ActionMailer::VERSION"
+  ],
+  "actionpack": ["ActionPack"],
+  "actiontext": [
+    "ActionText",
+    "ActionText::Attachable",
+    "ActionText::Attachables",
+    "ActionText::Attachments",
+    "ActionText::Attribute",
+    "ActionText::ContentHelper",
+    "ActionText::Encryption",
+    "ActionText::HtmlConversion",
+    "ActionText::PlainTextConversion",
+    "ActionText::Serialization",
+    "ActionText::SystemTestHelper",
+    "ActionText::TagHelper",
+    "ActionText::VERSION"
+  ],
+  "actionview": [
+    "ActionView",
+    "ActionView::CacheExpiry",
+    "ActionView::Context",
+    "ActionView::Helpers",
+    "ActionView::Layouts",
+    "ActionView::RecordIdentifier",
+    "ActionView::RenderParser",
+    "ActionView::Rendering",
+    "ActionView::RoutingUrlFor",
+    "ActionView::VERSION",
+    "ActionView::ViewPaths"
+  ],
+  "activejob": [
+    "ActiveJob",
+    "ActiveJob::Arguments",
+    "ActiveJob::Callbacks",
+    "ActiveJob::Core",
+    "ActiveJob::Enqueuing",
+    "ActiveJob::Exceptions",
+    "ActiveJob::Execution",
+    "ActiveJob::Logging",
+    "ActiveJob::QueueAdapter",
+    "ActiveJob::QueueAdapters",
+    "ActiveJob::QueueName",
+    "ActiveJob::QueuePriority",
+    "ActiveJob::Serializers",
+    "ActiveJob::TestHelper",
+    "ActiveJob::VERSION"
+  ],
+  "activemodel": [
+    "ActiveModel",
+    "ActiveModel::API",
+    "ActiveModel::AttributeAssignment",
+    "ActiveModel::AttributeMethods",
+    "ActiveModel::Attributes",
+    "ActiveModel::Callbacks",
+    "ActiveModel::Conversion",
+    "ActiveModel::Dirty",
+    "ActiveModel::Lint",
+    "ActiveModel::Model",
+    "ActiveModel::Naming",
+    "ActiveModel::SecurePassword",
+    "ActiveModel::Serialization",
+    "ActiveModel::Serializers",
+    "ActiveModel::Translation",
+    "ActiveModel::Type",
+    "ActiveModel::VERSION",
+    "ActiveModel::Validations"
+  ],
+  "activerecord": [
+    "ActiveRecord",
+    "ActiveRecord::Aggregations",
+    "ActiveRecord::Assertions",
+    "ActiveRecord::Associations",
+    "ActiveRecord::AttributeAssignment",
+    "ActiveRecord::AttributeMethods",
+    "ActiveRecord::Attributes",
+    "ActiveRecord::AutosaveAssociation",
+    "ActiveRecord::Batches",
+    "ActiveRecord::Calculations",
+    "ActiveRecord::Callbacks",
+    "ActiveRecord::Coders",
+    "ActiveRecord::ConnectionAdapters",
+    "ActiveRecord::ConnectionHandling",
+    "ActiveRecord::Core",
+    "ActiveRecord::CounterCache",
+    "ActiveRecord::DelegatedType",
+    "ActiveRecord::DynamicMatchers",
+    "ActiveRecord::Encryption",
+    "ActiveRecord::Enum",
+    "ActiveRecord::Explain",
+    "ActiveRecord::FinderMethods",
+    "ActiveRecord::Inheritance",
+    "ActiveRecord::Integration",
+    "ActiveRecord::Locking",
+    "ActiveRecord::Marshalling",
+    "ActiveRecord::MessagePack",
+    "ActiveRecord::Middleware",
+    "ActiveRecord::ModelSchema",
+    "ActiveRecord::NestedAttributes",
+    "ActiveRecord::NoTouching",
+    "ActiveRecord::Normalization",
+    "ActiveRecord::Persistence",
+    "ActiveRecord::QueryLogs",
+    "ActiveRecord::QueryMethods",
+    "ActiveRecord::Querying",
+    "ActiveRecord::ReadonlyAttributes",
+    "ActiveRecord::Reflection",
+    "ActiveRecord::Sanitization",
+    "ActiveRecord::Scoping",
+    "ActiveRecord::SecurePassword",
+    "ActiveRecord::SecureToken",
+    "ActiveRecord::Serialization",
+    "ActiveRecord::SignedId",
+    "ActiveRecord::SpawnMethods",
+    "ActiveRecord::Store",
+    "ActiveRecord::Suppressor",
+    "ActiveRecord::Tasks",
+    "ActiveRecord::TestFixtures",
+    "ActiveRecord::Timestamp",
+    "ActiveRecord::TokenFor",
+    "ActiveRecord::Transactions",
+    "ActiveRecord::Translation",
+    "ActiveRecord::Type",
+    "ActiveRecord::VERSION",
+    "ActiveRecord::Validations"
+  ],
+  "activestorage": [
+    "ActiveStorage",
+    "ActiveStorage::Blobs",
+    "ActiveStorage::DisableSession",
+    "ActiveStorage::Reflection",
+    "ActiveStorage::Representations",
+    "ActiveStorage::SetCurrent",
+    "ActiveStorage::Streaming",
+    "ActiveStorage::Transformers",
+    "ActiveStorage::VERSION"
+  ],
+  "activesupport": [
+    "ActiveSupport",
+    "ActiveSupport::ActionableError",
+    "ActiveSupport::Autoload",
+    "ActiveSupport::Benchmarkable",
+    "ActiveSupport::Cache",
+    "ActiveSupport::Callbacks",
+    "ActiveSupport::CompareWithRange",
+    "ActiveSupport::Concern",
+    "ActiveSupport::Concurrency",
+    "ActiveSupport::Configurable",
+    "ActiveSupport::CoreExt",
+    "ActiveSupport::Dependencies",
+    "ActiveSupport::DescendantsTracker",
+    "ActiveSupport::EnumerableCoreExt",
+    "ActiveSupport::ForkTracker",
+    "ActiveSupport::Gzip",
+    "ActiveSupport::Inflector",
+    "ActiveSupport::JSON",
+    "ActiveSupport::LazyLoadHooks",
+    "ActiveSupport::LoggerSilence",
+    "ActiveSupport::MessagePack",
+    "ActiveSupport::Messages",
+    "ActiveSupport::Multibyte",
+    "ActiveSupport::Notifications",
+    "ActiveSupport::NumberHelper",
+    "ActiveSupport::NumericWithFormat",
+    "ActiveSupport::RaiseWarnings",
+    "ActiveSupport::RangeWithFormat",
+    "ActiveSupport::Rescuable",
+    "ActiveSupport::SecurityUtils",
+    "ActiveSupport::TaggedLogging",
+    "ActiveSupport::Testing",
+    "ActiveSupport::VERSION",
+    "ActiveSupport::XmlMini",
+    "ActiveSupport::XmlMini_LibXMLSAX",
+    "ActiveSupport::XmlMini_NokogiriSAX"
+  ],
+  "mail": ["Mail"],
+  "mime": ["Mime"],
+  "minitest": ["Minitest"],
+  "rails": ["Rails"],
+  "railties": ["Railtie"],
+  "mini_portile2": ["MiniPortile"],
+  "rubocop": ["RuboCop"],
+  "rubyzip": ["Zip"],
+  "solid_cable": ["SolidCable"],
+  "solid_cache": ["SolidCache"],
+  "solid_queue": ["SolidQueue"],
+  "globalid": ["GlobalID"],
+  "tzinfo": ["TZInfo"]
+}