@cyclonedx/cdxgen 11.2.0 → 11.2.1

package/lib/cli/index.js

@@ -3,6 +3,7 @@ import { spawnSync } from "node:child_process";
 import {
   constants,
   accessSync,
+  existsSync,
   lstatSync,
   mkdtempSync,
   readFileSync,
@@ -16,6 +17,7 @@ import { basename, dirname, join, relative, resolve, sep } from "node:path";
 import process from "node:process";
 import { URL } from "node:url";
 import got from "got";
+import { load as loadYaml } from "js-yaml";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
 import { parse } from "ssri";
@@ -47,6 +49,7 @@ import {
   addEvidenceForImports,
   addPlugin,
   buildGradleCommandArguments,
+  buildObjectForCocoaPod,
   buildObjectForGradleModule,
   checksumFile,
   cleanupPlugin,
@@ -61,6 +64,7 @@ import {
   dirNameStr,
   encodeForPurl,
   executeParallelGradleProperties,
+  executePodCommand,
   extractJarArchive,
   frameworksList,
   generatePixiLockFile,
@@ -98,6 +102,7 @@ import {
   parseCljDep,
   parseCloudBuildData,
   parseCmakeLikeFile,
+  parseCocoaDependency,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -139,6 +144,8 @@ import {
   parsePkgLock,
   parsePnpmLock,
   parsePnpmWorkspace,
+  parsePodfileLock,
+  parsePodfileTargets,
   parsePom,
   parsePrivadoFile,
   parsePubLockData,
@@ -5012,6 +5019,158 @@ export async function createSwiftBom(path, options) {
   });
 }
 
+/**
+ * Function to create bom string for cocoa projects
+ *
+ * @param {string} path to the project
+ * @param {Object} options Parse options from the cli
+ */
+export async function createCocoaBom(path, options) {
+  const cocoaFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}Podfile`,
+    options,
+  );
+  if (cocoaFiles.length > 1) {
+    thoughtLog(
+      `There are ${cocoaFiles.length} pod files. I will carefully process each one.`,
+    );
+  }
+  let excludeMessageShown = false;
+  for (const podFile of cocoaFiles) {
+    const projectPath = dirname(podFile);
+    const lockFile = `${podFile}.lock`;
+    if (!existsSync(lockFile) || options.deep) {
+      if (options.installDeps) {
+        executePodCommand(["install"], projectPath, options);
+      } else {
+        console.log(
+          "No 'Podfile.lock' found and '--no-install-deps' is set -- A Podfile.lock is needed to parse dependencies!",
+        );
+        options.failOnError && process.exit(1);
+      }
+    }
+    const parentComponent = await buildObjectForCocoaPod(
+      {
+        name: basename(projectPath),
+        version: "latest",
+      },
+      undefined,
+      "application",
+    );
+    const podfileLock = loadYaml(readFileSync(lockFile, "utf-8"));
+    const pods = await parsePodfileLock(podfileLock, projectPath);
+    const allObjects = new Map();
+    for (const [name, pod] of pods) {
+      allObjects.set(name, await buildObjectForCocoaPod(pod.metadata, options));
+    }
+    const allDependencies = new Map();
+    for (const [name, pod] of pods) {
+      const podDependencies = new Set();
+      if (pod.dependencies) {
+        for (const podDependency of pod.dependencies) {
+          podDependencies.add(podDependency.name);
+        }
+      }
+      allDependencies.set(name, podDependencies);
+    }
+    const targetDependencies = new Map();
+    if (
+      !process.env.COCOA_INCLUDED_TARGETS &&
+      !process.env.COCOA_EXCLUDED_TARGETS
+    ) {
+      targetDependencies.set("Pods", podfileLock["DEPENDENCIES"]);
+    } else {
+      const result = executePodCommand(
+        ["ipc", "podfile-json", "--silent", podFile],
+        projectPath,
+        options,
+      );
+      const resolvedPodFile = JSON.parse(result.stdout);
+      parsePodfileTargets(
+        resolvedPodFile["target_definitions"][0],
+        targetDependencies,
+      );
+    }
+    const usedTargets = new Set(
+      process.env.COCOA_INCLUDED_TARGETS
+        ? process.env.COCOA_INCLUDED_TARGETS.split(",")
+        : targetDependencies.keys(),
+    );
+    if (process.env.COCOA_EXCLUDED_TARGETS) {
+      process.env.COCOA_EXCLUDED_TARGETS.split(",").forEach((excludedTarget) =>
+        usedTargets.delete(excludedTarget),
+      );
+      if (!excludeMessageShown) {
+        thoughtLog(
+          "Wait, the user wants me to exclude certain targets from this CocoaPods project. Perhaps they don't want dev and test projects included in the SBOM 🤔?",
+        );
+        excludeMessageShown = true;
+      }
+    }
+    let addedObjects = new Set();
+    for (const target of usedTargets) {
+      if (targetDependencies.has(target)) {
+        for (const dependency of targetDependencies.get(target)) {
+          let dependencyName = parseCocoaDependency(dependency, false).name;
+          if (!["false", "0"].includes(process.env.COCOA_MERGE_SUBSPECS)) {
+            dependencyName = dependencyName.split("/")[0];
+          }
+          addedObjects.add(dependencyName);
+        }
+      }
+    }
+    let includedDependencies = [
+      {
+        ref: parentComponent["bom-ref"],
+        dependsOn: [
+          ...new Set(
+            [...addedObjects].map((obj) => allObjects.get(obj)["bom-ref"]),
+          ),
+        ],
+      },
+    ];
+    const includedObjects = new Set(addedObjects);
+    while (addedObjects.size !== 0) {
+      const newlyAddedObjects = new Set();
+      for (const addedObject of addedObjects) {
+        for (const dependency of allDependencies.get(addedObject)) {
+          if (!includedObjects.has(dependency)) {
+            includedObjects.add(dependency);
+            newlyAddedObjects.add(dependency);
+          }
+        }
+      }
+      addedObjects = newlyAddedObjects;
+    }
+    for (const object of includedObjects) {
+      includedDependencies = mergeDependencies(includedDependencies, [
+        {
+          ref: allObjects.get(object)["bom-ref"],
+          dependsOn: [
+            ...new Set(
+              [...allDependencies.get(object)].map(
+                (obj) => allObjects.get(obj)["bom-ref"],
+              ),
+            ),
+          ],
+        },
+      ]);
+    }
+    return buildBomNSData(
+      options,
+      [...includedObjects].map((obj) => allObjects.get(obj)),
+      "cocoapods",
+      {
+        src: path,
+        filename: lockFile,
+        dependencies: includedDependencies,
+        parentComponent,
+      },
+    );
+  }
+}
+
 /**
  * Function to create bom string for docker compose
  *
@@ -5727,20 +5886,11 @@ export async function createCsharpBom(path, options) {
     `${options.multiProject ? "**/" : ""}*.sln`,
     options,
   );
-  let csProjFiles = getAllFiles(
+  const csProjFiles = getAllFiles(
     path,
-    `${options.multiProject ? "**/" : ""}*.csproj`,
+    `${options.multiProject ? "**/" : ""}*.{cs,vb,fs,ts,hmi,plc}proj`,
     options,
   );
-  csProjFiles = csProjFiles.concat(
-    getAllFiles(path, `${options.multiProject ? "**/" : ""}*.vbproj`, options),
-  );
-  csProjFiles = csProjFiles.concat(
-    getAllFiles(path, `${options.multiProject ? "**/" : ""}*.vcxproj`, options),
-  );
-  csProjFiles = csProjFiles.concat(
-    getAllFiles(path, `${options.multiProject ? "**/" : ""}*.fsproj`, options),
-  );
   const pkgConfigFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}packages.config`,
@@ -6095,6 +6245,9 @@ export async function createCsharpBom(path, options) {
       );
       // Create the slices file if it doesn't exist
       if (!safeExistsSync(slicesFile)) {
+        thoughtLog(
+          "Alright, the next step is to invoke the dosai command to identify evidence of occurrences for various components.",
+        );
         const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
         if (!sliceResult && DEBUG_MODE) {
           console.log(
@@ -6523,7 +6676,7 @@ export async function createMultiXBom(pathList, options) {
         // and removing them from metadata.component.components -- the components are merged later
         if (bomData.parentComponent.components?.length) {
           let bomSubComponents = bomData.parentComponent.components;
-          if (["true", "1"].includes(process.env.GRADLE_RESOLVE_FROM_NODE)) {
+          if (!["false", "0"].includes(process.env.GRADLE_RESOLVE_FROM_NODE)) {
             thoughtLog(
               "Wait, the user wants me to resolve gradle projects from npm.",
             );
@@ -6977,6 +7130,24 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["oci", "cocoa"], options)) {
+      bomData = await createCocoaBom(path, options);
+      if (bomData?.bomJson?.components?.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${bomData.bomJson.components.length} Cocoa packages at ${path}`,
+          );
+        }
+        components = components.concat(bomData.bomJson.components);
+        dependencies = dependencies.concat(bomData.bomJson.dependencies);
+        if (
+          bomData.parentComponent &&
+          Object.keys(bomData.parentComponent).length
+        ) {
+          parentSubComponents.push(bomData.parentComponent);
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       thoughtLog(
@@ -7207,17 +7378,11 @@ export async function createXBom(path, options) {
   }
 
   // .Net
-  let csProjFiles = getAllFiles(
+  const csProjFiles = getAllFiles(
     path,
-    `${options.multiProject ? "**/" : ""}*.csproj`,
+    `${options.multiProject ? "**/" : ""}*.{cs,vb,fs,ts,hmi,plc}proj`,
     options,
   );
-  csProjFiles = csProjFiles.concat(
-    getAllFiles(path, `${options.multiProject ? "**/" : ""}*.vbproj`, options),
-  );
-  csProjFiles = csProjFiles.concat(
-    getAllFiles(path, `${options.multiProject ? "**/" : ""}*.fsproj`, options),
-  );
   if (csProjFiles.length) {
     return await createCsharpBom(path, options);
   }
@@ -7397,6 +7562,16 @@ export async function createXBom(path, options) {
   if (swiftFiles.length || pkgResolvedFiles.length) {
     return await createSwiftBom(path, options);
   }
+
+  // Cocoa
+  const cocoaFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}Podfile`,
+    options,
+  );
+  if (cocoaFiles.length) {
+    return await createCocoaBom(path, options);
+  }
 }
 
 /**
@@ -7550,7 +7725,7 @@ export async function createBom(path, options) {
       );
     } else {
       thoughtLog(
-        `The user wants me to focus on a single type, '${projectType}'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?`,
+        `The user wants me to focus on a single type, '${projectType}'.`,
       );
     }
   }
@@ -7636,6 +7811,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["binary"].includes(projectType[0])) {
     return createBinaryBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["cocoa"].includes(projectType[0])) {
+    return await createCocoaBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);

package/lib/evinser/evinser.js

@@ -619,6 +619,13 @@ export async function parseSliceUsages(
   const typesToLookup = new Set();
   const lKeyOverrides = {};
   const usages = slice.usages || [];
+  // What should be the line number to use. slice.lineNumber would be quite coarse and could lead to reports such as
+  // #1670. Line numbers under targetObj and definedBy is a safe bet for dynamic languages, but occassionally leads to
+  // confusion when inter-procedural tracking works better than expected.
+  let sliceLineNumber;
+  if (["java", "jar"].includes(language)) {
+    sliceLineNumber = slice.lineNumber;
+  }
   // Annotations from usages
   if (slice.signature?.startsWith("@") && !usages.length) {
     typesToLookup.add(slice.fullName);
@@ -631,7 +638,9 @@ export async function parseSliceUsages(
   }
   for (const ausage of usages) {
     const ausageLine =
-      ausage?.targetObj?.lineNumber || ausage?.definedBy?.lineNumber;
+      sliceLineNumber ||
+      ausage?.targetObj?.lineNumber ||
+      ausage?.definedBy?.lineNumber;
     // First capture the types in the targetObj and definedBy
     for (const atype of [
       [ausage?.targetObj?.isExternal, ausage?.targetObj?.typeFullName],

package/lib/evinser/swiftsem.js

@@ -585,6 +585,9 @@ export function createSemanticsSlices(basePath, options) {
       console.log(
         "TIP: Unable to detect the swift sdk needed to build this project. Try running the swift build command to check if this project builds successfully.",
       );
+      console.log(
+        "Check whether the project requires xcodebuild to build. Such projects are currently unsupported.",
+      );
       return;
     }
   }

package/lib/helpers/logger.js

@@ -31,6 +31,7 @@ export function thoughtLog(s, args) {
   if (!s?.endsWith(".") && !s?.endsWith("?") && !s?.endsWith("!")) {
     s = `${s}.`;
   }
+  s = s.replaceAll("'.'", "'<project dir>'");
   if (args) {
     tlogger.log(colorizeText(`${s}`), args);
   } else {