@cyclonedx/cdxgen 11.0.3 → 11.0.5

package/lib/cli/index.js

@@ -92,6 +92,7 @@ import {
   parseCljDep,
   parseCloudBuildData,
   parseCmakeLikeFile,
+  parseComposerJson,
   parseComposerLock,
   parseConanData,
   parseConanLockData,
@@ -240,11 +241,12 @@ const createDefaultParentComponent = (
       : dirname(path);
   const tmpA = dirNameStr.split(sep);
   dirNameStr = tmpA[tmpA.length - 1];
+  const compName = options.projectName || dirNameStr;
   const parentComponent = {
     group: options.projectGroup || "",
-    name: options.projectName || dirNameStr,
+    name: compName,
     version: `${options.projectVersion}` || "latest",
-    type: "application",
+    type: compName.endsWith(".tar") ? "container" : "application",
   };
   const ppurl = new PackageURL(
     type,
@@ -816,6 +818,7 @@ function addComponent(
   if (!isRootPkg) {
     const pkgIdentifier = parsePackageJsonName(pkg.name);
     const author = pkg.author || undefined;
+    const authors = pkg.authors || undefined;
     const publisher = pkg.publisher || undefined;
     let group = pkg.group || pkgIdentifier.scope;
     // Create empty group
@@ -868,6 +871,7 @@ function addComponent(
     }
     const component = {
       author,
+      authors,
       publisher,
       group,
       name,
@@ -879,7 +883,14 @@ function addComponent(
       purl: purlString,
       externalReferences: addExternalReferences(pkg),
     };
-
+    if (options.specVersion >= 1.5) {
+      component.pedigree = pkg.pedigree || undefined;
+    }
+    if (options.specVersion >= 1.6) {
+      component.releaseNotes = pkg.releaseNotes || undefined;
+      component.modelCard = pkg.modelCard || undefined;
+      component.data = pkg.data || undefined;
+    }
     component["type"] = determinePackageType(pkg);
     component["bom-ref"] = decodeURIComponent(purlString);
     if (
@@ -919,6 +930,15 @@ function addComponent(
       component.authors = authorsList;
       delete component.author;
     }
+    // Downgrade authors section for < 1.5 :(
+    if (options.specVersion < 1.6) {
+      if (component?.authors?.length) {
+        component.author = component.authors
+          .map((a) => (a.email ? `${a.name} <${a.email}>` : a.name))
+          .join(",");
+      }
+      delete component.authors;
+    }
     // Retain any tags
     if (
       options.specVersion >= 1.6 &&
@@ -957,7 +977,6 @@ function determinePackageType(pkg) {
   // Retain the exact component type in certain cases.
   if (
     [
-      "application",
       "container",
       "platform",
       "operating-system",
@@ -972,6 +991,12 @@ function determinePackageType(pkg) {
   ) {
     return pkg.type;
   }
+  if (pkg.type === "application") {
+    if (pkg?.name?.endsWith(".tar")) {
+      return "container";
+    }
+    return pkg.type;
+  }
   if (pkg.purl) {
     try {
       const purl = PackageURL.fromString(pkg.purl);
@@ -1246,7 +1271,6 @@ export async function createJavaBom(path, options) {
   // For java, this would correctly include the cyclonedx maven plugin.
   let tools = undefined;
   let possible_misses = false;
-  let mavenDepsTreeInfoShown = false;
   // war/ear mode
   if (path.endsWith(".war") || path.endsWith(".jar")) {
     // Check if the file exists
@@ -1276,6 +1300,11 @@ export async function createJavaBom(path, options) {
       parentComponent,
     });
   }
+  // -t quarkus is supported
+  let isQuarkus = options?.projectType?.includes("quarkus");
+  let useMavenDepsTree = isQuarkus ? false : PREFER_MAVEN_DEPS_TREE;
+  // Is this a multi-module project
+  let rootModules;
   // maven - pom.xml
   const pomFiles = getAllFiles(
     path,
@@ -1287,37 +1316,72 @@ export async function createJavaBom(path, options) {
     pomFiles?.length &&
     isPackageManagerAllowed("maven", ["bazel", "sbt", "gradle"], options)
   ) {
-    let result = undefined;
-    const cdxMavenPlugin =
-      process.env.CDX_MAVEN_PLUGIN ||
-      "org.cyclonedx:cyclonedx-maven-plugin:2.8.0";
-    const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
-    let mvnArgs = [
-      "-fn",
-      `${cdxMavenPlugin}:${cdxMavenGoal}`,
-      "-DoutputName=bom",
-    ];
-    if (includeMavenTestScope) {
-      mvnArgs.push("-DincludeTestScope=true");
-    }
-    // By using quiet mode we can reduce the maxBuffer used and avoid crashes
-    if (!DEBUG_MODE) {
-      mvnArgs.push("-q");
-    }
-    // Support for passing additional settings and profile to maven
-    if (process.env.MVN_ARGS) {
-      const addArgs = process.env.MVN_ARGS.split(" ");
-      mvnArgs = mvnArgs.concat(addArgs);
+    if (!isQuarkus) {
+      // Quarkus projects require special treatment. To detect quarkus, we parse the first 3 maven file to look for a hit
+      for (const pf of pomFiles.slice(0, 3)) {
+        const pomMap = parsePom(pf);
+        if (!rootModules && pomMap?.modules?.length) {
+          rootModules = pomMap.modules;
+        }
+        // In quarkus mode, we cannot use the maven deps tree
+        if (pomMap.isQuarkus) {
+          isQuarkus = true;
+          useMavenDepsTree = false;
+          break;
+        }
+      }
     }
-    // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
-    // so we need to run the plugin with the correct version
-    if (options.specVersion === 1.4) {
-      mvnArgs = mvnArgs.concat("-DschemaVersion=1.4");
+    let result = undefined;
+    let mvnArgs;
+    if (isQuarkus) {
+      // disable analytics. See: https://quarkus.io/usage/
+      mvnArgs = [
+        "-fn",
+        "quarkus:dependency-sbom",
+        "-Dquarkus.analytics.disabled=true",
+      ];
+    } else {
+      const cdxMavenPlugin =
+        process.env.CDX_MAVEN_PLUGIN ||
+        "org.cyclonedx:cyclonedx-maven-plugin:2.9.1";
+      const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
+      mvnArgs = [
+        "-fn",
+        `${cdxMavenPlugin}:${cdxMavenGoal}`,
+        "-DoutputName=bom",
+      ];
+      if (includeMavenTestScope) {
+        mvnArgs.push("-DincludeTestScope=true");
+      }
+      // By using quiet mode we can reduce the maxBuffer used and avoid crashes
+      if (!DEBUG_MODE) {
+        mvnArgs.push("-q");
+      }
+      // Support for passing additional settings and profile to maven
+      if (process.env.MVN_ARGS) {
+        const addArgs = process.env.MVN_ARGS.split(" ");
+        mvnArgs = mvnArgs.concat(addArgs);
+      }
+      // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
+      // so we need to run the plugin with the correct version
+      if (options.specVersion === 1.4) {
+        mvnArgs = mvnArgs.concat("-DschemaVersion=1.4");
+      }
     }
     const firstPom = pomFiles.length ? pomFiles[0] : undefined;
     let mavenCmd = getMavenCommand(path, path);
     for (const f of pomFiles) {
       const basePath = dirname(f);
+      if (
+        isQuarkus &&
+        !options.deep &&
+        rootModules?.includes(basename(basePath))
+      ) {
+        if (DEBUG_MODE) {
+          console.log("Skipped sub-module", basePath);
+        }
+        continue;
+      }
       const settingsXml = join(basePath, "settings.xml");
       if (existsSync(settingsXml)) {
         console.log(
@@ -1340,16 +1404,7 @@ export async function createJavaBom(path, options) {
         }
       }
       // Use the cyclonedx maven plugin if there is no preference for maven deps tree
-      if (!PREFER_MAVEN_DEPS_TREE) {
-        if (!mavenDepsTreeInfoShown && DEBUG_MODE) {
-          console.log(
-            "cdxgen now supports generating SBOM with only the maven cli without the need for the cyclonedx-maven plugin. This mode works better in enterprise environments and in multi-module projects.",
-          );
-          console.log(
-            "Set the environment variable PREFER_MAVEN_DEPS_TREE to true to enable this.",
-          );
-          mavenDepsTreeInfoShown = true;
-        }
+      if (!useMavenDepsTree) {
         console.log(
           `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
           basePath,
@@ -1363,19 +1418,23 @@ export async function createJavaBom(path, options) {
         });
         // Check if the cyclonedx plugin created the required bom.json file
         // Sometimes the plugin fails silently for complex maven projects
-        bomJsonFiles = getAllFiles(path, "**/target/*.json", options);
+        bomJsonFiles = getAllFiles(
+          path,
+          "**/target/*{cdx,bom,cyclonedx}*.json",
+          options,
+        );
         // Check if the bom json files got created in a directory other than target
         if (!bomJsonFiles.length) {
           bomJsonFiles = getAllFiles(
             path,
-            "target/**/*{cdx,bom}*.json",
+            "target/**/*{cdx,bom,cyclonedx}*.json",
             options,
           );
         }
       }
       // Also check if the user has a preference for maven deps tree command
       if (
-        PREFER_MAVEN_DEPS_TREE ||
+        useMavenDepsTree ||
         !bomJsonFiles.length ||
         result?.status !== 0 ||
         result?.error
@@ -1521,7 +1580,7 @@ export async function createJavaBom(path, options) {
       }
     } // for
     // Locate and parse all bom.json files from the maven plugin
-    if (!PREFER_MAVEN_DEPS_TREE) {
+    if (!useMavenDepsTree) {
       for (const abjson of bomJsonFiles) {
         let bomJsonObj = undefined;
         try {
@@ -1538,7 +1597,9 @@ export async function createJavaBom(path, options) {
               !tools &&
               bomJsonObj.metadata &&
               bomJsonObj.metadata.tools &&
-              Array.isArray(bomJsonObj.metadata.tools)
+              (Array.isArray(bomJsonObj.metadata.tools) ||
+                bomJsonObj.metadata.tools.components ||
+                bomJsonObj.metadata.tools.services)
             ) {
               tools = bomJsonObj.metadata.tools;
             }
@@ -1603,10 +1664,6 @@ export async function createJavaBom(path, options) {
         console.warn(
           "Multiple errors occurred while building this project with maven. The SBOM is therefore incomplete!",
         );
-      } else if (!PREFER_MAVEN_DEPS_TREE) {
-        console.log(
-          "Try generating an SBOM with the maven dependency tree plugin. Set the environment variable PREFER_MAVEN_DEPS_TREE to true to enable this.",
-        );
       }
     }
   }
@@ -2253,7 +2310,11 @@ export async function createNodejsBom(path, options) {
     }
   }
   const pkgJsonLockFile = getAllFiles(path, "package-lock.json", options);
-  const pkgJsonFile = getAllFiles(path, "package.json", options);
+  const pkgJsonFile = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}package.json`,
+    options,
+  );
   const yarnLockFile = getAllFiles(path, "yarn.lock", options);
   const pnpmLockFile = getAllFiles(path, "pnpm-lock.yaml", options);
   if (
@@ -2265,7 +2326,7 @@ export async function createNodejsBom(path, options) {
   ) {
     let pkgMgr = "npm";
     const supPkgMgrs = ["npm", "yarn", "yarnpkg", "pnpm", "pnpx"];
-    const pkgData = JSON.parse(readFileSync(`${path}/package.json`, "utf8"));
+    const pkgData = JSON.parse(readFileSync(pkgJsonFile[0], "utf8"));
     const mgrData = pkgData.packageManager;
     let mgr = "";
     let installArgs = ["install"];
@@ -2281,9 +2342,10 @@ export async function createNodejsBom(path, options) {
         process.env[`${pkgMgr.toUpperCase()}_INSTALL_ARGS`].split(" ");
       installArgs = installArgs.concat(addArgs);
     }
-    console.log(`Executing '${pkgMgr} ${installArgs.join(" ")}' in`, path);
+    const basePath = dirname(pkgJsonFile[0]);
+    console.log(`Executing '${pkgMgr} ${installArgs.join(" ")}' in`, basePath);
     const result = spawnSync(pkgMgr, installArgs, {
-      cwd: path,
+      cwd: basePath,
       encoding: "utf-8",
       timeout: TIMEOUT_MS,
       maxBuffer: MAX_BUFFER,
@@ -4844,57 +4906,46 @@ export function createPHPBom(path, options) {
     options,
   );
   if (composerLockFiles.length) {
+    // Look for any root composer.json to capture the parentComponent
+    if (existsSync(join(path, "composer.json"))) {
+      const { moduleParent } = parseComposerJson(join(path, "composer.json"));
+      parentComponent = moduleParent;
+    }
     for (const f of composerLockFiles) {
       const basePath = dirname(f);
+      let moduleParent;
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
-      let rootRequires = [];
-      // Is there a composer.json to find the parent component
-      if (
-        !Object.keys(parentComponent).length &&
-        existsSync(join(basePath, "composer.json"))
-      ) {
-        const composerData = JSON.parse(
-          readFileSync(join(basePath, "composer.json"), { encoding: "utf-8" }),
-        );
-        rootRequires = composerData.require;
-        const pkgName = composerData.name;
-        if (pkgName) {
-          parentComponent.group = dirname(pkgName);
-          if (parentComponent.group === ".") {
-            parentComponent.group = "";
-          }
-          parentComponent.name = basename(pkgName);
-          parentComponent.type = "application";
-          parentComponent.version = composerData.version || "latest";
-          parentComponent["bom-ref"] = decodeURIComponent(
-            new PackageURL(
-              "composer",
-              parentComponent.group,
-              parentComponent.name,
-              parentComponent.version,
-              null,
-              null,
-            ).toString(),
-          );
+      const rootRequires = [];
+      // Is there a composer.json to find the module parent component
+      if (existsSync(join(basePath, "composer.json"))) {
+        const retMap = parseComposerJson(join(basePath, "composer.json"));
+        moduleParent = retMap.moduleParent;
+        const rootRequires = retMap.rootRequires;
+        // Track all the modules in a mono-repo
+        if (!Object.keys(parentComponent).length) {
+          parentComponent = moduleParent;
+        } else {
+          parentComponent.components = parentComponent.components || [];
+          parentComponent.components.push(moduleParent);
         }
       }
       const retMap = parseComposerLock(f, rootRequires);
       if (retMap.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
       }
+      if (!moduleParent) {
+        moduleParent = createDefaultParentComponent(
+          basePath,
+          "composer",
+          options,
+        );
+      }
       if (retMap.dependenciesList) {
-        if (!Object.keys(parentComponent).length) {
-          parentComponent = createDefaultParentComponent(
-            path,
-            "composer",
-            options,
-          );
-        }
         // Complete the dependency tree by making parent component depend on the first level
         const pdependencies = {
-          ref: parentComponent["bom-ref"],
+          ref: moduleParent["bom-ref"],
           dependsOn: [
             ...new Set(retMap.rootList.map((p) => p["bom-ref"])),
           ].sort(),
@@ -4906,6 +4957,17 @@ export function createPHPBom(path, options) {
         );
       }
     }
+    // Complete the root dependency tree
+    if (parentComponent?.components?.length) {
+      const parentDependsOn = parentComponent.components.map(
+        (d) => d["bom-ref"],
+      );
+      dependencies = mergeDependencies(
+        [{ ref: parentComponent["bom-ref"], dependsOn: parentDependsOn }],
+        dependencies,
+        parentComponent,
+      );
+    }
     return buildBomNSData(options, pkgList, "composer", {
       src: path,
       filename: composerLockFiles.join(", "),
@@ -6052,7 +6114,6 @@ export async function createXBom(path, options) {
   } catch (err) {
     return undefined;
   }
-  // node.js - package.json
   if (
     existsSync(join(path, "package.json")) ||
     existsSync(join(path, "rush.json")) ||