@cyclonedx/cdxgen 11.0.6 → 11.0.7

package/lib/cli/index.js

@@ -2366,6 +2366,19 @@ export async function createNodejsBom(path, options) {
         installArgs = installArgs.concat(addArgs);
       }
       const basePath = dirname(apkgJson);
+      // juice-shop mode
+      // Projects such as juice-shop prevent lockfile creations using .npmrc files
+      // Plus, they might require specific npm install args such as --legacy-peer-deps that could lead to strange node_modules structure
+      // To keep life simple, let's look for any .npmrc file that has package-lock=false to toggle before npm install
+      if (pkgMgr === "npm" && existsSync(join(basePath, ".npmrc"))) {
+        const npmrcData = readFileSync(join(basePath, ".npmrc"));
+        if (
+          npmrcData?.includes("package-lock=false") &&
+          !installArgs.includes("--package-lock")
+        ) {
+          installArgs.push("--package-lock");
+        }
+      }
       console.log(
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
@@ -2384,6 +2397,16 @@ export async function createNodejsBom(path, options) {
           console.log(result.stdout);
         }
         if (result.stderr) {
+          if (result.stderr.includes("--legacy-peer-deps")) {
+            console.log(
+              "Set the environment variable `NPM_INSTALL_ARGS=--legacy-peer-deps` to resolve the dependency resolution issue reported.",
+            );
+          }
+          if (result.stderr.includes("EBADENGINE Unsupported engine")) {
+            console.log(
+              "Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v11` container image, which bundles node.js 20.",
+            );
+          }
           console.log(result.stderr);
         }
         options.failOnError && process.exit(1);
@@ -2678,9 +2701,10 @@ export async function createNodejsBom(path, options) {
   // We might reach here if the project has no lock files
   // Eg: juice-shop
   if (!pkgList.length && existsSync(join(path, "node_modules"))) {
+    // Collect all package.json files from all node_modules directory
     const pkgJsonFiles = getAllFiles(
-      join(path, "node_modules"),
-      "**/package.json",
+      path,
+      "**/node_modules/**/package.json",
       options,
     );
     manifestFiles = manifestFiles.concat(pkgJsonFiles);

package/lib/helpers/utils.test.js

@@ -3298,8 +3298,8 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList).toHaveLength(462);
   expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(620);
-  expect(parsedList.dependenciesList.length).toEqual(620);
+  expect(parsedList.pkgList.length).toEqual(627);
+  expect(parsedList.dependenciesList.length).toEqual(627);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",
@@ -3326,7 +3326,7 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList[0]).toEqual({
     ref: "pkg:npm/@ampproject/remapping@2.3.0",
     dependsOn: [
-      "pkg:npm/@jridgewell/gen-mapping@0.3.5",
+      "pkg:npm/@jridgewell/gen-mapping@0.3.8",
       "pkg:npm/@jridgewell/trace-mapping@0.3.25",
     ],
   });

package/lib/stages/pregen/pregen.js

@@ -78,29 +78,28 @@ export function preparePythonEnv(_filePath, options) {
       );
     }
   }
-  for (const pt of options.projectType) {
-    for (const pyversion of [
-      "python36",
-      "python38",
-      "python39",
-      "python310",
-      "python311",
-      "python312",
-    ]) {
-      if (
-        options.projectType.includes(pyversion) &&
-        !process.env.PIP_INSTALL_ARGS
-      ) {
-        const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-pip-"));
-        const py_version_number = pyversion.replace("python3", "3.");
-        process.env.PIP_INSTALL_ARGS = `--python-version ${py_version_number} --ignore-requires-python --no-warn-conflicts --only-binary=:all:`;
-        process.env.PIP_TARGET = tempDir;
-        if (DEBUG_MODE) {
-          console.log("PIP_INSTALL_ARGS set to", process.env.PIP_INSTALL_ARGS);
-          console.log("PIP_TARGET set to", process.env.PIP_TARGET);
-        }
-        break;
+  for (const pyversion of [
+    "python36",
+    "python38",
+    "python39",
+    "python310",
+    "python311",
+    "python312",
+    "python313",
+  ]) {
+    if (
+      options.projectType.includes(pyversion) &&
+      !process.env.PIP_INSTALL_ARGS
+    ) {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-pip-"));
+      const py_version_number = pyversion.replace("python3", "3.");
+      process.env.PIP_INSTALL_ARGS = `--python-version ${py_version_number} --ignore-requires-python --no-warn-conflicts --only-binary=:all:`;
+      process.env.PIP_TARGET = tempDir;
+      if (DEBUG_MODE) {
+        console.log("PIP_INSTALL_ARGS set to", process.env.PIP_INSTALL_ARGS);
+        console.log("PIP_TARGET set to", process.env.PIP_TARGET);
       }
+      break;
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.6",
+  "version": "11.0.7",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -61,8 +61,8 @@
     "*": "biome check --fix --no-errors-on-unmatched"
   },
   "dependencies": {
-    "@babel/parser": "^7.26.2",
-    "@babel/traverse": "^7.25.7",
+    "@babel/parser": "^7.26.3",
+    "@babel/traverse": "^7.26.4",
     "@npmcli/arborist": "8.0.0",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
@@ -81,7 +81,7 @@
     "properties-reader": "^2.3.0",
     "semver": "^7.6.3",
     "ssri": "^12.0.0",
-    "table": "^6.8.2",
+    "table": "^6.9.0",
     "tar": "^7.4.3",
     "uuid": "^11.0.2",
     "validate-iri": "^1.0.1",

package/types/lib/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AA4wBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AA8WD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAs7BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAwfhB;AAED;;;;;;;;;;GAUG;AACH,+DAsEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6bhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BA+YhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BA6FhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAiJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA4XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA4EC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAqdlB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAgUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAqOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AA4wBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AA8WD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAs7BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAghBhB;AAED;;;;;;;;;;GAUG;AACH,+DAsEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA6bhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BA+YhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAiDhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BA6FhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAiUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAiJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAmFhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA4XhB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA4EC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BAqdlB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAgUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBAqOhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"}

package/types/lib/stages/pregen/pregen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pregen.d.ts","sourceRoot":"","sources":["../../../../lib/stages/pregen/pregen.js"],"names":[],"mappings":"AAoBA;;;;;GAKG;AACH,iEAiBC;AAED;;;;GAIG;AACH,iEASC;AAED;;;;;GAKG;AACH,wEAsCC;AAED;;;;;GAKG;AACH,qEAyDC;AAED;;;;;;;;GAQG;AACH,uEAmBC;AAED;;;;;GAKG;AACH,0EAqCC;AAED;;;;;GAKG;AACH,sEA4EC"}
+{"version":3,"file":"pregen.d.ts","sourceRoot":"","sources":["../../../../lib/stages/pregen/pregen.js"],"names":[],"mappings":"AAoBA;;;;;GAKG;AACH,iEAiBC;AAED;;;;GAIG;AACH,iEASC;AAED;;;;;GAKG;AACH,wEAqCC;AAED;;;;;GAKG;AACH,qEAyDC;AAED;;;;;;;;GAQG;AACH,uEAmBC;AAED;;;;;GAKG;AACH,0EAqCC;AAED;;;;;GAKG;AACH,sEA4EC"}