@cyclonedx/cdxgen 11.2.2 → 11.2.3

package/README.md

@@ -147,7 +147,8 @@ Options:
       --server-host            Listen address                                                     [default: "127.0.0.1"]
       --server-port            Listen port                                                             [default: "9090"]
       --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+                                                                                               [boolean] [default: true]
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
@@ -170,6 +171,7 @@ Options:
                                luated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
+      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
       --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
                                fidence.                                                            [number] [default: 0]
       --technique              Analysis technique to use

package/bin/cdxgen.js

@@ -24,6 +24,7 @@ import {
 import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
+  DEBUG_MODE,
   dirNameStr,
   getTmpDir,
   isMac,
@@ -221,6 +222,7 @@ const args = yargs(hideBin(process.argv))
     description: "CycloneDX Specification version to use. Defaults to 1.6",
     default: 1.6,
     type: "number",
+    choices: [1.4, 1.5, 1.6],
   })
   .option("filter", {
     description:
@@ -303,6 +305,11 @@ const args = yargs(hideBin(process.argv))
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
+  .option("json-pretty", {
+    type: "boolean",
+    default: DEBUG_MODE,
+    description: "Pretty-print the generated BOM json.",
+  })
   .option("feature-flags", {
     description: "Experimental feature flags to enable. Advanced users only.",
     hidden: true,
@@ -442,11 +449,23 @@ if (!options.projectType) {
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
   );
 }
-if (process.argv[1].includes("cbom")) {
-  thoughtLog(
-    "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
-  );
-  options.includeCrypto = true;
+// Handle dedicated cbom and saasbom commands
+if (["cbom", "saasbom"].includes(process.argv[1])) {
+  if (process.argv[1].includes("cbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
+    );
+    options.includeCrypto = true;
+  } else if (process.argv[1].includes("saasbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
+    );
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      thoughtLog(
+        "Wait, I'm not running in a container. This means the chances of successfully collecting this inventory are quite low. Perhaps this is an advanced user who has set up atom and atom-tools already 🤔?",
+      );
+    }
+  }
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
@@ -693,7 +712,7 @@ const checkPermissions = (filePath, options) => {
       "usages-slices-file",
       "reachables-slices-file",
     ];
-    if (options?.type?.includes("swift")) {
+    if (options?.type?.includes("swift") || options?.type?.includes("scala")) {
       slicesFilesKeys.push("semantics-slices-file");
     }
     for (const sf of slicesFilesKeys) {
@@ -798,7 +817,11 @@ const checkPermissions = (filePath, options) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
+        jsonPayload = JSON.stringify(
+          bomNSData.bomJson,
+          null,
+          options.jsonPretty ? 2 : null,
+        );
         fs.writeFileSync(jsonFile, jsonPayload);
         if (jsonFile.endsWith("bom.json")) {
           thoughtLog(
@@ -900,7 +923,11 @@ const checkPermissions = (filePath, options) => {
             bomJsonUnsignedObj.signature = signatureBlock;
             fs.writeFileSync(
               jsonFile,
-              JSON.stringify(bomJsonUnsignedObj, null, null),
+              JSON.stringify(
+                bomJsonUnsignedObj,
+                null,
+                options.jsonPretty ? 2 : null,
+              ),
             );
             thoughtLog(`Signing the BOM file "${jsonFile}".`);
             if (publicKeyFile) {
@@ -937,7 +964,9 @@ const checkPermissions = (filePath, options) => {
     }
   } else if (!options.print) {
     if (bomNSData.bomJson) {
-      console.log(JSON.stringify(bomNSData.bomJson, null, 2));
+      console.log(
+        JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
+      );
     } else {
       console.log("Unable to produce BOM for", filePath);
       console.log("Try running the command with -t <type> or -r argument");
@@ -967,6 +996,7 @@ const checkPermissions = (filePath, options) => {
       includeCrypto: options.includeCrypto,
       specVersion: options.specVersion,
       profile: options.profile,
+      jsonPretty: options.jsonPretty,
     };
     const dbObjMap = await evinserModule.prepareDB(evinseOptions);
     if (dbObjMap) {
@@ -1003,6 +1033,7 @@ const checkPermissions = (filePath, options) => {
       await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
+      process.exit(1);
     }
   }
   // Protobuf serialization

package/bin/evinse.js

@@ -73,6 +73,7 @@ const args = yargs(hideBin(process.argv))
       "swift",
       "ios",
       "ruby",
+      "scala",
     ],
   })
   .option("db-path", {
@@ -127,7 +128,10 @@ const args = yargs(hideBin(process.argv))
   .option("semantics-slices-file", {
     description: "Use an existing semantics slices file.",
     default: "semantics.slices.json",
-    hidden: true,
+  })
+  .option("openapi-spec-file", {
+    description: "Use an existing openapi specification file (SaaSBOM).",
+    default: "openapi.json",
   })
   .option("print", {
     alias: "p",

package/lib/cli/index.js

@@ -1542,7 +1542,7 @@ export async function createJavaBom(path, options) {
     let mvnArgs;
     if (isQuarkus) {
       thoughtLog(
-        "This appears to be a quarkus project. Let's use the right maven plugin.",
+        "This appears to be a Quarkus project. Let's use the right Maven plugin.",
       );
       // disable analytics. See: https://quarkus.io/usage/
       mvnArgs = [
@@ -1550,6 +1550,11 @@ export async function createJavaBom(path, options) {
         "quarkus:dependency-sbom",
         "-Dquarkus.analytics.disabled=true",
       ];
+      if (options.specVersion) {
+        mvnArgs = mvnArgs.concat(
+          `-Dquarkus.dependency.sbom.schema-version=${options.specVersion}`,
+        );
+      }
     } else {
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
@@ -1755,7 +1760,7 @@ export async function createJavaBom(path, options) {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 23 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
+                "1. Java version requirement: cdxgen container image bundles Java 24 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
               );
             }
             console.log(
@@ -2347,7 +2352,8 @@ export async function createJavaBom(path, options) {
     `${options.multiProject ? "**/" : ""}build.sbt.lock`,
     options,
   );
-
+  const tempCacheDir = mkdtempSync(join(getTmpDir(), "sbt-cache-"));
+  safeMkdirSync(tempCacheDir, { recursive: true });
   if (
     sbtProjects?.length &&
     isPackageManagerAllowed("sbt", ["bazel", "maven", "gradle"], options)
@@ -2402,6 +2408,14 @@ export async function createJavaBom(path, options) {
         }
       }
       writeFileSync(tempSbtPlugins, sbtPluginDefinition);
+      let sbtExtraArgs = "";
+      const env = { ...process.env };
+      // We need to collect the jars from the cache
+      if (options.deep) {
+        sbtExtraArgs = " updateClassifiers";
+        env["COURSIER_CACHE"] = tempCacheDir;
+        env["SBT_IVY_HOME"] = tempCacheDir;
+      }
       for (const i in sbtProjects) {
         const basePath = sbtProjects[i];
         const dlFile = join(tempDir, `dl-${i}.tmp`);
@@ -2416,11 +2430,11 @@ export async function createJavaBom(path, options) {
           // write to the existing plugins file
           if (useSlashSyntax) {
             sbtArgs = [
-              `'set ThisBuild / asciiGraphWidth := 400' "dependencyTree / toFile ${dlFile} --force"`,
+              `'set ThisBuild / asciiGraphWidth := 800'${sbtExtraArgs} "dependencyTree / toFile ${dlFile} --force"`,
             ];
           } else {
             sbtArgs = [
-              `'set asciiGraphWidth in ThisBuild := 400' "dependencyTree::toFile ${dlFile} --force"`,
+              `'set asciiGraphWidth in ThisBuild := 800'${sbtExtraArgs} "dependencyTree::toFile ${dlFile} --force"`,
             ];
           }
           pluginFile = addPlugin(basePath, sbtPluginDefinition);
@@ -2441,6 +2455,7 @@ export async function createJavaBom(path, options) {
           encoding: "utf-8",
           timeout: TIMEOUT_MS,
           maxBuffer: MAX_BUFFER,
+          env,
         });
         if (result.status !== 0 || result.error) {
           console.error(result.stdout, result.stderr);
@@ -2492,12 +2507,36 @@ export async function createJavaBom(path, options) {
     }
     // Should we attempt to resolve class names
     if (options.resolveClass || options.deep) {
-      const tmpjarNSMapping = await collectJarNS(SBT_CACHE_DIR);
+      const tmpjarNSMapping = await collectJarNS(tempCacheDir);
       if (tmpjarNSMapping && Object.keys(tmpjarNSMapping).length) {
         jarNSMapping = { ...jarNSMapping, ...tmpjarNSMapping };
       }
+      // sbt can store jars in the target directory
+      const jarNSData = await createJarBom(path, options);
+      if (jarNSData?.bomJson?.components) {
+        pkgList = pkgList.concat(jarNSData?.bomJson?.components);
+        const targetJarNSMapping = {};
+        for (const p of jarNSData.bomJson.components) {
+          if (!p?.purl || !p?.properties?.length) {
+            continue;
+          }
+          const nsProp = p.properties.filter(
+            (prop) => prop.name === "Namespaces",
+          );
+          if (nsProp.length) {
+            targetJarNSMapping[p.purl] = nsProp[0].value;
+          }
+        }
+        jarNSMapping = { ...jarNSMapping, ...targetJarNSMapping };
+      }
     }
   }
+  if (tempCacheDir?.startsWith(getTmpDir())) {
+    rmSync(tempCacheDir, {
+      recursive: true,
+      force: true,
+    });
+  }
   pkgList = trimComponents(pkgList);
   pkgList = await getMvnMetadata(pkgList, jarNSMapping, options.deep);
   return buildBomNSData(options, pkgList, "maven", {
@@ -6669,6 +6708,16 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     dependencies = [];
   }
   components = trimComponents(components);
+  // Let's apply some common tweaks
+  // Convert evidence.identity section to an object for 1.5
+  if (options.specVersion === 1.5) {
+    for (const comp of components) {
+      if (comp?.evidence?.identity && Array.isArray(comp.evidence.identity)) {
+        comp.evidence.identity = comp.evidence.identity[0];
+        delete comp.evidence.identity.concludedValue;
+      }
+    }
+  }
   if (DEBUG_MODE) {
     console.log(
       `Obtained ${components.length} components and ${dependencies.length} dependencies after dedupe.`,
@@ -6723,7 +6772,7 @@ export async function createMultiXBom(pathList, options) {
       binPaths,
       executables,
       sharedLibs,
-    } = getOSPackages(
+    } = await getOSPackages(
       options.allLayersExplodedDir,
       options.exportData?.inspectData?.Config,
     );
@@ -8069,7 +8118,8 @@ export async function createBom(path, options) {
  *
  * @param {Object} args CLI args
  * @param {Object} bomContents BOM Json
- * @return {Promise<{ token: string } | { errors: string[] } | undefined>} a promise with a token (if request was successful), a body with errors (if request failed) or undefined (in case of invalid arguments)
+ * @return {Promise<{ token: string } | undefined>} a promise with a token (if request was successful) or undefined (in case of invalid arguments)
+ * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
   const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
@@ -8102,6 +8152,7 @@ export async function submitBom(args, bomContents) {
     console.log(
       "projectId, projectName and projectVersion, or all three must be provided.",
     );
+    args.failOnError && process.exit(1);
     return;
   }
   if (
@@ -8187,6 +8238,7 @@ export async function submitBom(args, bomContents) {
         console.log("Unable to submit the SBOM to the Dependency-Track server");
       }
     }
-    return error.response?.body;
+    // rethrow error as function is async and we should try to catch it in the caller
+    throw error;
   }
 }