@cyclonedx/cdxgen 11.2.1 → 11.2.2

package/lib/helpers/utils.js

@@ -614,12 +614,21 @@ export function isPackageManagerAllowed(name, conflictingManagers, options) {
 // HTTP cache
 const gotHttpCache = new Map();
 
+function isCacheDisabled() {
+  return (
+    process.env.CDXGEN_NO_CACHE &&
+    ["true", "1"].includes(process.env.CDXGEN_NO_CACHE)
+  );
+}
+
+const cache = isCacheDisabled() ? undefined : gotHttpCache;
+
 // Custom user-agent for cdxgen
 export const cdxgenAgent = got.extend({
   headers: {
     "user-agent": `@CycloneDX/cdxgen ${_version}`,
   },
-  cache: gotHttpCache,
+  cache,
   retry: {
     limit: 0,
   },
@@ -4189,7 +4198,10 @@ export async function getMvnMetadata(
     }
     const group = p.group || "";
     // If the package already has key metadata skip querying maven
-    if (group && p.name && p.version && !shouldFetchLicense() && !force) {
+    if (
+      !p.version ||
+      (group && p.name && p.version && !shouldFetchLicense() && !force)
+    ) {
       cdepList.push(p);
       continue;
     }
@@ -6969,8 +6981,11 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
         if (["name", "version"].includes(aprop)) {
           value = value.replace(/["']/g, "");
         }
-        pkg[aprop] = value;
-        return;
+        // Do not set name=name or version=version
+        if (value !== aprop) {
+          pkg[aprop] = value;
+          break;
+        }
       }
     }
     // Handle common problems
@@ -7635,11 +7650,11 @@ export async function parseCargoTomlData(
       pkg.evidence = {
         identity: {
           field: "purl",
-          confidence: 0.5,
+          confidence: pkg.version ? 0.5 : 0,
           methods: [
             {
               technique: "manifest-analysis",
-              confidence: 0.5,
+              confidence: pkg.version ? 0.5 : 0,
               value: cargoTomlFile,
             },
           ],
@@ -11505,9 +11520,10 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
             }
           }
         }
+        let jarMetadata;
         if ((!group || !name || !version) && safeExistsSync(manifestFile)) {
           confidence = 0.8;
-          const jarMetadata = parseJarManifest(
+          jarMetadata = parseJarManifest(
             readFileSync(manifestFile, {
               encoding: "utf-8",
             }),
@@ -11580,7 +11596,10 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
           // if group is empty use name as group
           group = group === "." ? name : group || name;
         }
-        if (name && version) {
+        if (name) {
+          if (!version) {
+            confidence = 0;
+          }
           const apkg = {
             group: group ? encodeForPurl(group) : "",
             name: name ? encodeForPurl(name) : "",
@@ -11609,7 +11628,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
             properties: [
               {
                 name: "SrcFile",
-                value: jarname,
+                value: jf,
               },
             ],
           };
@@ -15093,3 +15112,168 @@ export function recomputeScope(pkgList, dependencies) {
   }
   return pkgList;
 }
+
+/**
+ * Function to parse a list of environment variables to identify the paths containing executable binaries
+ *
+ * @param envValues {Array[String]} Environment variables list
+ * @returns {Array[String]} Binary Paths identified from the environment variables
+ */
+export function extractPathEnv(envValues) {
+  if (!envValues) {
+    return [];
+  }
+  let binPaths = new Set();
+  const shellVariables = {};
+  // Let's focus only on linux container images for now
+  for (const env of envValues) {
+    if (env.startsWith("PATH=")) {
+      binPaths = new Set(env.replace("PATH=", "").split(":"));
+    } else {
+      const tmpA = env.split("=");
+      if (tmpA.length === 2) {
+        shellVariables[`$${tmpA[0]}`] = tmpA[1];
+        shellVariables[`\${${tmpA[0]}}`] = tmpA[1];
+      }
+    }
+  }
+  binPaths = Array.from(binPaths);
+  const expandedBinPaths = [];
+  for (let apath of binPaths) {
+    // Filter empty paths
+    if (!apath.length) {
+      continue;
+    }
+    if (apath.includes("$")) {
+      for (const k of Object.keys(shellVariables)) {
+        apath = apath.replace(k, shellVariables[k]);
+      }
+    }
+    // We're here, but not all paths got substituted
+    // Let's ignore them for now instead of risking substitution based on host values.
+    // Eg: ${GITHUB_TOKEN} could get expanded with the values from the host
+    if (apath.length && !apath.includes("$")) {
+      expandedBinPaths.push(apath);
+    }
+  }
+  return expandedBinPaths;
+}
+
+/**
+ * Collect all executable files from the given list of binary paths
+ *
+ * @param basePath Base directory
+ * @param binPaths {Array[String]} Paths containing potential binaries
+ * @return {Array[String]} List of executables
+ */
+export function collectExecutables(basePath, binPaths) {
+  if (!binPaths) {
+    return [];
+  }
+  let executables = [];
+  const ignoreList = [
+    "**/*.{h,c,cpp,hpp,man,txt,md,htm,html,jar,ear,war,zip,tar,egg,keepme,gitignore,json,js,py,pyc}",
+    "[",
+  ];
+  for (const apath of binPaths) {
+    try {
+      const files = globSync(`**${apath}/*`, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: true,
+        ignore: ignoreList,
+      });
+      executables = executables.concat(files);
+    } catch (err) {
+      // ignore
+    }
+  }
+  return Array.from(new Set(executables)).sort();
+}
+
+/**
+ * Collect all shared library files from the given list of paths
+ *
+ * @param basePath Base directory
+ * @param libPaths {Array[String]} Paths containing potential libraries
+ * @param ldConf {String} Config file used by ldconfig to locate additional paths
+ * @param ldConfDirPattern {String} Config directory that can contain more .conf files for ldconfig
+ *
+ * @return {Array[String]} List of executables
+ */
+export function collectSharedLibs(
+  basePath,
+  libPaths,
+  ldConf,
+  ldConfDirPattern,
+) {
+  if (!libPaths) {
+    return [];
+  }
+  let sharedLibs = [];
+  const ignoreList = [
+    "**/*.{h,c,cpp,hpp,man,txt,md,htm,html,jar,ear,war,zip,tar,egg,keepme,gitignore,json,js,py,pyc}",
+  ];
+  const allLdConfDirs = ldConfDirPattern ? [ldConfDirPattern] : [];
+  collectAllLdConfs(basePath, ldConf, allLdConfDirs, libPaths);
+  if (allLdConfDirs.length) {
+    for (const aldconfPattern of allLdConfDirs) {
+      const confFiles = globSync(aldconfPattern, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: false,
+      });
+      for (const moreConf of confFiles) {
+        collectAllLdConfs(basePath, moreConf, allLdConfDirs, libPaths);
+      }
+    }
+  }
+  for (const apath of Array.from(new Set(libPaths))) {
+    try {
+      const files = globSync(`**${apath}/*.{so,so.*,a,lib,dll}`, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: true,
+        ignore: ignoreList,
+      });
+      sharedLibs = sharedLibs.concat(files);
+    } catch (err) {
+      // ignore
+    }
+  }
+  return Array.from(new Set(sharedLibs)).sort();
+}
+
+function collectAllLdConfs(basePath, ldConf, allLdConfDirs, libPaths) {
+  if (ldConf && existsSync(join(basePath, ldConf))) {
+    const ldConfData = readFileSync(join(basePath, ldConf), "utf-8");
+    for (let line of ldConfData.split("\n")) {
+      line = line.replace("\r", "").trim();
+      if (!line.length || line.startsWith("#")) {
+        continue;
+      }
+      if (line.startsWith("include ")) {
+        let apattern = line.replace("include ", "");
+        if (!apattern.includes("*")) {
+          apattern = `${apattern}/*.conf`;
+        }
+        if (!allLdConfDirs.includes(apattern)) {
+          allLdConfDirs.push(apattern);
+        }
+      } else if (line.startsWith("/")) {
+        if (!libPaths.includes(line)) {
+          libPaths.push(line);
+        }
+      }
+    }
+  }
+}

package/lib/helpers/validator.js

@@ -273,7 +273,9 @@ export const validateRefs = (bomJson) => {
       if (dep.dependsOn) {
         for (const don of dep.dependsOn) {
           if (!refMap[don]) {
-            warningsList.push(`Invalid ref in dependencies.dependsOn ${don}`);
+            warningsList.push(
+              `Invalid ref in dependencies.dependsOn ${don}. Parent: ${dep.ref}`,
+            );
           }
           let childPurlType;
           try {
@@ -329,6 +331,13 @@ export function validateProps(bomJson) {
   let lacksProperties = false;
   let lacksEvidence = false;
   let lacksRelativePath = false;
+  if (
+    !["application", "framework", "library"].includes(
+      bomJson?.metadata?.component?.type,
+    )
+  ) {
+    return true;
+  }
   if (bomJson?.components) {
     for (const comp of bomJson.components) {
       if (!["library", "framework"].includes(comp.type)) {

package/lib/managers/binary.js

@@ -16,7 +16,10 @@ import {
   MAX_BUFFER,
   TIMEOUT_MS,
   adjustLicenseInformation,
+  collectExecutables,
+  collectSharedLibs,
   dirNameStr,
+  extractPathEnv,
   findLicenseId,
   getTmpDir,
   isSpdxLicenseExpression,
@@ -278,6 +281,36 @@ const OS_DISTRO_ALIAS = {
   "red hat enterprise linux 9": "rhel-9",
 };
 
+// TODO: Move the lists to a config file
+const COMMON_RUNTIMES = [
+  "java",
+  "node",
+  "nodejs",
+  "nodejs-current",
+  "deno",
+  "bun",
+  "python",
+  "python3",
+  "ruby",
+  "php",
+  "php7",
+  "php8",
+  "perl",
+  "openjdk",
+  "openjdk8",
+  "openjdk11",
+  "openjdk17",
+  "openjdk21",
+  "openjdk8-jdk",
+  "openjdk11-jdk",
+  "openjdk17-jdk",
+  "openjdk21-jdk",
+  "openjdk8-jre",
+  "openjdk11-jre",
+  "openjdk17-jre",
+  "openjdk21-jre",
+];
+
 export function getGoBuildInfo(src) {
   if (GOVERSION_BIN) {
     let result = spawnSync(GOVERSION_BIN, [src], {
@@ -356,10 +389,21 @@ export function executeSourcekitten(args) {
   return undefined;
 }
 
-export function getOSPackages(src) {
+/**
+ * Get the packages installed in the container image filesystem.
+ *
+ * @param src {String} Source directory containing the extracted filesystem.
+ * @param imageConfig {Object} Image configuration containing environment variables, command, entrypoints etc
+ *
+ * @returns {Object} Metadata containing packages, dependencies, etc
+ */
+export function getOSPackages(src, imageConfig) {
   const pkgList = [];
   const dependenciesList = [];
   const allTypes = new Set();
+  const bundledSdks = new Set();
+  const bundledRuntimes = new Set();
+  const binPaths = extractPathEnv(imageConfig?.Env);
   if (TRIVY_BIN) {
     let imageType = "image";
     const trivyCacheDir = join(homedir(), ".cache", "trivy");
@@ -467,6 +511,11 @@ export function getOSPackages(src) {
         case "pop":
           purl_type = "deb";
           break;
+        case "sles":
+        case "suse":
+        case "opensuse":
+          purl_type = "rpm";
+          break;
         case "alpine":
           purl_type = "apk";
           if (osReleaseData.VERSION_ID) {
@@ -503,19 +552,9 @@ export function getOSPackages(src) {
           if (comp.purl) {
             // Retain go components alone from trivy
             if (
-              comp.purl.startsWith("pkg:npm") ||
-              comp.purl.startsWith("pkg:maven") ||
-              comp.purl.startsWith("pkg:pypi") ||
-              comp.purl.startsWith("pkg:cargo") ||
-              comp.purl.startsWith("pkg:composer") ||
-              comp.purl.startsWith("pkg:gem") ||
-              comp.purl.startsWith("pkg:nuget") ||
-              comp.purl.startsWith("pkg:pub") ||
-              comp.purl.startsWith("pkg:hackage") ||
-              comp.purl.startsWith("pkg:hex") ||
-              comp.purl.startsWith("pkg:conan") ||
-              comp.purl.startsWith("pkg:clojars") ||
-              comp.purl.startsWith("pkg:github")
+              /^pkg:(npm|maven|pypi|cargo|composer|gem|nuget|pub|hackage|hex|conan|clojars|github)/.test(
+                comp.purl,
+              )
             ) {
               continue;
             }
@@ -544,8 +583,6 @@ export function getOSPackages(src) {
                 if (distro_codename?.length) {
                   purlObj.qualifiers["distro_name"] = distro_codename;
                 }
-                // Remove any epoch values
-                delete purlObj.qualifiers.epoch;
                 // Bug fix for mageia and oracle linux
                 // Type is being returned as none for ubuntu as well!
                 if (purlObj.type === "none") {
@@ -624,7 +661,6 @@ export function getOSPackages(src) {
                 if (distro_codename?.length) {
                   purlObj.qualifiers["distro_name"] = distro_codename;
                 }
-                delete purlObj.qualifiers.epoch;
                 allTypes.add(purlObj.namespace);
                 comp.purl = new PackageURL(
                   purlObj.type,
@@ -695,7 +731,16 @@ export function getOSPackages(src) {
               }
             }
             delete comp.properties;
+            // Bug fix: We can get bom-ref like this: pkg:rpm/sles/libstdc%2B%2B6@14.2.0+git10526-150000.1.6.1?arch=x86_64&distro=sles-15.5
+            if (
+              comp["bom-ref"] &&
+              comp.purl &&
+              comp["bom-ref"] !== decodeURIComponent(comp.purl)
+            ) {
+              comp["bom-ref"] = decodeURIComponent(comp.purl);
+            }
             pkgList.push(comp);
+            detectSdksRuntimes(comp, bundledSdks, bundledRuntimes);
             const compDeps = retrieveDependencies(
               tmpDependencies,
               origBomRef,
@@ -721,19 +766,79 @@ export function getOSPackages(src) {
               }
               newComp["bom-ref"] = decodeURIComponent(newComp.purl);
               pkgList.push(newComp);
+              detectSdksRuntimes(newComp, bundledSdks, bundledRuntimes);
             }
           }
         }
       }
     }
   }
+  let executables = [];
+  if (binPaths?.length) {
+    executables = fileComponents(
+      collectExecutables(src, binPaths),
+      "executable",
+    );
+  }
+  // Directories containing shared libraries
+  const defaultLibPaths = [
+    "/lib",
+    "/lib64",
+    "/usr/lib",
+    "/usr/lib64",
+    "/usr/local/lib64",
+    "/usr/local/lib",
+    "/lib/x86_64-linux-gnu",
+    "/usr/lib/x86_64-linux-gnu",
+    "/lib/i386-linux-gnu",
+    "/usr/lib/i386-linux-gnu",
+    "/lib/arm-linux-gnueabihf",
+    "/usr/lib/arm-linux-gnueabihf",
+    "/opt/**/lib",
+    "/root/**/lib",
+  ];
+  const sharedLibs = fileComponents(
+    collectSharedLibs(
+      src,
+      defaultLibPaths,
+      "/etc/ld.so.conf",
+      "/etc/ld.so.conf.d/*.conf",
+    ),
+    "shared_library",
+  );
   return {
     osPackages: pkgList,
     dependenciesList,
-    allTypes: Array.from(allTypes),
+    allTypes: Array.from(allTypes).sort(),
+    bundledSdks: Array.from(bundledSdks).sort(),
+    bundledRuntimes: Array.from(bundledRuntimes).sort(),
+    binPaths,
+    executables,
+    sharedLibs,
   };
 }
 
+// Detect common sdks and runtimes from the name
+function detectSdksRuntimes(comp, bundledSdks, bundledRuntimes) {
+  if (!comp?.name) {
+    return;
+  }
+  if (/dotnet[6-9]?-sdk/.test(comp.name)) {
+    bundledSdks.add(comp.purl);
+  }
+  if (
+    /dotnet[6-9]?-runtime/.test(comp.name) ||
+    comp.name.includes("aspnet-runtime") ||
+    /aspnetcore[6-9]?-runtime/.test(comp.name)
+  ) {
+    bundledRuntimes.add(comp.purl);
+  }
+  // TODO: Need to test this for a range of base images
+  if (COMMON_RUNTIMES.includes(comp.name)) {
+    bundledRuntimes.add(comp.name);
+  }
+}
+
 const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
   try {
     const tmpDependsOn = tmpDependencies[origBomRef] || [];
@@ -752,7 +857,6 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
           if (compPurl.qualifiers.distro) {
             tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
           }
-          delete tmpPurl.qualifiers.epoch;
         }
         dependsOn.add(decodeURIComponent(tmpPurl.toString()));
       } catch (e) {
@@ -906,3 +1010,40 @@ export function getBinaryBom(src, binaryBomFile, deepMode) {
   }
   return true;
 }
+
+function fileComponents(fileList, fileType) {
+  const components = [];
+  for (let f of fileList) {
+    // Collect methods returns relative paths from the extracted directory.
+    // We make them absolute by prefixing / here
+    if (!f.startsWith("/")) {
+      f = `/${f}`;
+    }
+    const name = basename(f);
+    const purl = `pkg:generic/${name}`;
+    components.push({
+      name,
+      type: "file",
+      purl,
+      "bom-ref": purl,
+      properties: [
+        { name: "SrcFile", value: f },
+        { name: `internal:is_${fileType}`, value: "true" },
+      ],
+      evidence: {
+        identity: {
+          field: "purl",
+          confidence: 0,
+          methods: [
+            {
+              technique: "filename",
+              confidence: 0,
+              value: f,
+            },
+          ],
+        },
+      },
+    });
+  }
+  return components;
+}

package/lib/managers/docker.js

@@ -19,6 +19,7 @@ import got from "got";
 import { x } from "tar";
 import {
   DEBUG_MODE,
+  extractPathEnv,
   getAllFiles,
   getTmpDir,
   safeExistsSync,
@@ -556,6 +557,7 @@ export const parseImageName = (fullImageName) => {
     fullImageName.includes("/") &&
     (fullImageName.includes(".") || fullImageName.includes(":"))
   ) {
+    // TODO: Change to URL
     const urlObj = parse(fullImageName);
     const tmpA = fullImageName.split("/");
     if (
@@ -742,7 +744,7 @@ export const getImage = async (fullImageName) => {
         if (DEBUG_MODE) {
           console.log(`Re-trying the pull with the name ${repoWithTag}.`);
         }
-        pullData = await makeRequest(
+        await makeRequest(
           `images/create?fromImage=${repoWithTag}`,
           "POST",
           registry,
@@ -1078,6 +1080,7 @@ export const extractFromManifest = async (
       }
     }
   }
+  const binPaths = extractPathEnv(localData?.Config?.Env);
   const exportData = {
     inspectData: localData,
     manifest,
@@ -1085,6 +1088,7 @@ export const extractFromManifest = async (
     allLayersExplodedDir,
     lastLayerConfig,
     lastWorkingDir,
+    binPaths,
   };
   exportData.pkgPathList = getPkgPathList(exportData, lastWorkingDir);
   return exportData;
@@ -1253,6 +1257,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
       join(allLayersExplodedDir, "/usr/local/lib"),
       join(allLayersExplodedDir, "/usr/local/lib64"),
       join(allLayersExplodedDir, "/opt"),
+      join(allLayersExplodedDir, "/root"),
       join(allLayersExplodedDir, "/home"),
       join(allLayersExplodedDir, "/usr/share"),
       join(allLayersExplodedDir, "/usr/src"),
@@ -1266,6 +1271,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
       join(allLayersExplodedDir, "/usr/local/lib"),
       join(allLayersExplodedDir, "/usr/local/lib64"),
       join(allLayersExplodedDir, "/opt"),
+      join(allLayersExplodedDir, "/root"),
       join(allLayersExplodedDir, "/usr/share"),
       join(allLayersExplodedDir, "/usr/src"),
       join(allLayersExplodedDir, "/var/www/html"),
@@ -1296,7 +1302,8 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
   if (lastWorkingDir && lastWorkingDir !== "") {
     if (
       !lastWorkingDir.includes("/opt/") &&
-      !lastWorkingDir.includes("/home/")
+      !lastWorkingDir.includes("/home/") &&
+      !lastWorkingDir.includes("/root/")
     ) {
       knownSysPaths.push(lastWorkingDir);
     }
@@ -1320,13 +1327,17 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
   // Build path list
   for (const wpath of knownSysPaths) {
     pathList = pathList.concat(wpath);
+    const nodeModuleDirs = getOnlyDirs(wpath, "node_modules");
+    if (nodeModuleDirs?.length) {
+      pathList.push(nodeModuleDirs[0]);
+    }
     const pyDirs = getOnlyDirs(wpath, "site-packages");
     if (pyDirs?.length) {
       pathList = pathList.concat(pyDirs);
     }
     const gemsDirs = getOnlyDirs(wpath, "gems");
     if (gemsDirs?.length) {
-      pathList = pathList.concat(gemsDirs);
+      pathList = pathList.concat(gemsDirs[0]);
     }
     const cargoDirs = getOnlyDirs(wpath, ".cargo");
     if (cargoDirs?.length) {
@@ -1337,6 +1348,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
       pathList = pathList.concat(composerDirs);
     }
   }
+  pathList = Array.from(new Set(pathList)).sort();
   if (DEBUG_MODE) {
     console.log("pathList", pathList);
   }
@@ -1344,11 +1356,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
 };
 
 export const removeImage = async (fullImageName, force = false) => {
-  const removeData = await makeRequest(
-    `images/${fullImageName}?force=${force}`,
-    "DELETE",
-  );
-  return removeData;
+  return await makeRequest(`images/${fullImageName}?force=${force}`, "DELETE");
 };
 
 export const getCredsFromHelper = (exeSuffix, serverAddress) => {