@cyclonedx/cdxgen 11.2.2 → 11.2.4

package/README.md

@@ -147,7 +147,8 @@ Options:
       --server-host            Listen address                                                     [default: "127.0.0.1"]
       --server-port            Listen port                                                             [default: "9090"]
       --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+                                                                                               [boolean] [default: true]
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
@@ -170,6 +171,7 @@ Options:
                                luated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
+      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
       --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
                                fidence.                                                            [number] [default: 0]
       --technique              Analysis technique to use

package/bin/cdxgen.js

@@ -24,6 +24,7 @@ import {
 import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
+  DEBUG_MODE,
   dirNameStr,
   getTmpDir,
   isMac,
@@ -55,10 +56,6 @@ if (configPath) {
   }
 }
 
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
-  url = new URL(`file://${import.meta.url}`).toString();
-}
 const dirName = dirNameStr;
 
 import yargs from "yargs";
@@ -221,6 +218,7 @@ const args = yargs(hideBin(process.argv))
     description: "CycloneDX Specification version to use. Defaults to 1.6",
     default: 1.6,
     type: "number",
+    choices: [1.4, 1.5, 1.6],
   })
   .option("filter", {
     description:
@@ -303,6 +301,11 @@ const args = yargs(hideBin(process.argv))
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
+  .option("json-pretty", {
+    type: "boolean",
+    default: DEBUG_MODE,
+    description: "Pretty-print the generated BOM json.",
+  })
   .option("feature-flags", {
     description: "Experimental feature flags to enable. Advanced users only.",
     hidden: true,
@@ -442,11 +445,23 @@ if (!options.projectType) {
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
   );
 }
-if (process.argv[1].includes("cbom")) {
-  thoughtLog(
-    "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
-  );
-  options.includeCrypto = true;
+// Handle dedicated cbom and saasbom commands
+if (["cbom", "saasbom"].includes(process.argv[1])) {
+  if (process.argv[1].includes("cbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
+    );
+    options.includeCrypto = true;
+  } else if (process.argv[1].includes("saasbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
+    );
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      thoughtLog(
+        "Wait, I'm not running in a container. This means the chances of successfully collecting this inventory are quite low. Perhaps this is an advanced user who has set up atom and atom-tools already 🤔?",
+      );
+    }
+  }
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
@@ -693,7 +708,7 @@ const checkPermissions = (filePath, options) => {
       "usages-slices-file",
       "reachables-slices-file",
     ];
-    if (options?.type?.includes("swift")) {
+    if (options?.type?.includes("swift") || options?.type?.includes("scala")) {
       slicesFilesKeys.push("semantics-slices-file");
     }
     for (const sf of slicesFilesKeys) {
@@ -798,7 +813,11 @@ const checkPermissions = (filePath, options) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
+        jsonPayload = JSON.stringify(
+          bomNSData.bomJson,
+          null,
+          options.jsonPretty ? 2 : null,
+        );
         fs.writeFileSync(jsonFile, jsonPayload);
         if (jsonFile.endsWith("bom.json")) {
           thoughtLog(
@@ -900,7 +919,11 @@ const checkPermissions = (filePath, options) => {
             bomJsonUnsignedObj.signature = signatureBlock;
             fs.writeFileSync(
               jsonFile,
-              JSON.stringify(bomJsonUnsignedObj, null, null),
+              JSON.stringify(
+                bomJsonUnsignedObj,
+                null,
+                options.jsonPretty ? 2 : null,
+              ),
             );
             thoughtLog(`Signing the BOM file "${jsonFile}".`);
             if (publicKeyFile) {
@@ -937,7 +960,9 @@ const checkPermissions = (filePath, options) => {
     }
   } else if (!options.print) {
     if (bomNSData.bomJson) {
-      console.log(JSON.stringify(bomNSData.bomJson, null, 2));
+      console.log(
+        JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
+      );
     } else {
       console.log("Unable to produce BOM for", filePath);
       console.log("Try running the command with -t <type> or -r argument");
@@ -967,6 +992,7 @@ const checkPermissions = (filePath, options) => {
       includeCrypto: options.includeCrypto,
       specVersion: options.specVersion,
       profile: options.profile,
+      jsonPretty: options.jsonPretty,
     };
     const dbObjMap = await evinserModule.prepareDB(evinseOptions);
     if (dbObjMap) {
@@ -1003,6 +1029,7 @@ const checkPermissions = (filePath, options) => {
       await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
+      process.exit(1);
     }
   }
   // Protobuf serialization

package/bin/evinse.js

@@ -73,6 +73,7 @@ const args = yargs(hideBin(process.argv))
       "swift",
       "ios",
       "ruby",
+      "scala",
     ],
   })
   .option("db-path", {
@@ -127,7 +128,10 @@ const args = yargs(hideBin(process.argv))
   .option("semantics-slices-file", {
     description: "Use an existing semantics slices file.",
     default: "semantics.slices.json",
-    hidden: true,
+  })
+  .option("openapi-spec-file", {
+    description: "Use an existing openapi specification file (SaaSBOM).",
+    default: "openapi.json",
   })
   .option("print", {
     alias: "p",

package/bin/verify.js

@@ -9,10 +9,6 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { dirNameStr } from "../lib/helpers/utils.js";
 
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
-  url = new URL(`file://${import.meta.url}`).toString();
-}
 const dirName = dirNameStr;
 
 const args = yargs(hideBin(process.argv))

package/index.cjs

@@ -0,0 +1,15 @@
+// this file is a wrapper of ./lib/cli/index.js that can be used by commonjs projects importing this module
+// that prefer to use require instead of await import()
+const importPromise = import("./lib/cli/index.js");
+
+module.exports = new Proxy(
+  {},
+  {
+    get:
+      (_, prop) =>
+      async (...args) => {
+        const mod = await importPromise;
+        return typeof mod[prop] === "function" ? mod[prop](...args) : mod[prop];
+      },
+  },
+);

package/lib/cli/index.js

@@ -73,6 +73,7 @@ import {
   getGradleCommand,
   getLicenses,
   getMavenCommand,
+  getMillCommand,
   getMvnMetadata,
   getNugetMetadata,
   getPipFrozenTree,
@@ -130,6 +131,7 @@ import {
   parseLeiningenData,
   parseMakeDFile,
   parseMavenTree,
+  parseMillDependency,
   parseMinJs,
   parseMixLockData,
   parseNodeShrinkwrap,
@@ -180,10 +182,6 @@ import {
   parseImageName,
 } from "../managers/docker.js";
 
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
-  url = new URL(`file://${import.meta.url}`).toString();
-}
 const dirName = dirNameStr;
 
 const selfPJson = JSON.parse(
@@ -416,7 +414,10 @@ const addLifecyclesSection = (options) => {
     if (inspectData) {
       lifecycles.push({ phase: "post-build" });
     }
-  } else if (options.deep) {
+  } else if (
+    options?.projectType?.length &&
+    options?.projectType?.includes("binary")
+  ) {
     lifecycles.push({ phase: "post-build" });
   }
   if (options.projectType?.includes("os")) {
@@ -1393,8 +1394,8 @@ export async function createJarBom(path, options) {
   if (hpiFiles.length) {
     jarFiles = jarFiles.concat(hpiFiles);
   }
-  const tempDir = mkdtempSync(join(getTmpDir(), "jar-deps-"));
   for (const jar of jarFiles) {
+    const tempDir = mkdtempSync(join(getTmpDir(), "jar-deps-"));
     if (DEBUG_MODE) {
       console.log(`Parsing ${jar}`);
     }
@@ -1405,10 +1406,10 @@ export async function createJarBom(path, options) {
     if (pkgList.length) {
       pkgList = await getMvnMetadata(pkgList);
     }
-  }
-  // Clean up
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
+    // Clean up
+    if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
   }
   pkgList = pkgList.concat(convertJarNSToPackages(nsMapping));
   return buildBomNSData(options, pkgList, "maven", {
@@ -1513,10 +1514,20 @@ export async function createJavaBom(path, options) {
     `${options.multiProject ? "**/" : ""}build.gradle*`,
     options,
   );
+  // mill
+  const millFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}build.mill`,
+    options,
+  );
   let bomJsonFiles = [];
   if (
     pomFiles?.length &&
-    isPackageManagerAllowed("maven", ["bazel", "sbt", "gradle"], options)
+    isPackageManagerAllowed(
+      "maven",
+      ["bazel", "sbt", "gradle", "mill"],
+      options,
+    )
   ) {
     if (gradleFiles.length) {
       thoughtLog(
@@ -1542,7 +1553,7 @@ export async function createJavaBom(path, options) {
     let mvnArgs;
     if (isQuarkus) {
       thoughtLog(
-        "This appears to be a quarkus project. Let's use the right maven plugin.",
+        "This appears to be a Quarkus project. Let's use the right Maven plugin.",
       );
       // disable analytics. See: https://quarkus.io/usage/
       mvnArgs = [
@@ -1550,6 +1561,11 @@ export async function createJavaBom(path, options) {
         "quarkus:dependency-sbom",
         "-Dquarkus.analytics.disabled=true",
       ];
+      if (options.specVersion) {
+        mvnArgs = mvnArgs.concat(
+          `-Dquarkus.dependency.sbom.schema-version=${options.specVersion}`,
+        );
+      }
     } else {
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
@@ -1755,7 +1771,7 @@ export async function createJavaBom(path, options) {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 23 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
+                "1. Java version requirement: cdxgen container image bundles Java 24 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
               );
             }
             console.log(
@@ -1937,7 +1953,11 @@ export async function createJavaBom(path, options) {
   // Execute gradle properties
   if (
     gradleFiles?.length &&
-    isPackageManagerAllowed("gradle", ["maven", "bazel", "sbt"], options)
+    isPackageManagerAllowed(
+      "gradle",
+      ["maven", "bazel", "sbt", "mill"],
+      options,
+    )
   ) {
     let rootProjects = [null];
     let allProjectsStr = [];
@@ -2073,7 +2093,11 @@ export async function createJavaBom(path, options) {
   if (
     gradleFiles?.length &&
     options.installDeps &&
-    isPackageManagerAllowed("gradle", ["maven", "bazel", "sbt"], options)
+    isPackageManagerAllowed(
+      "gradle",
+      ["maven", "bazel", "sbt", "mill"],
+      options,
+    )
   ) {
     allProjects.push(parentComponent);
     const gradleCmd = getGradleCommand(gradleRootPath, null);
@@ -2209,7 +2233,11 @@ export async function createJavaBom(path, options) {
   if (
     bazelFiles?.length &&
     !hasAnyProjectType(["docker", "oci", "container", "os"], options, false) &&
-    isPackageManagerAllowed("bazel", ["maven", "gradle", "sbt"], options)
+    isPackageManagerAllowed(
+      "bazel",
+      ["maven", "gradle", "sbt", "mill"],
+      options,
+    )
   ) {
     let BAZEL_CMD = "bazel";
     if (process.env.BAZEL_HOME) {
@@ -2347,10 +2375,15 @@ export async function createJavaBom(path, options) {
     `${options.multiProject ? "**/" : ""}build.sbt.lock`,
     options,
   );
-
+  const tempCacheDir = mkdtempSync(join(getTmpDir(), "sbt-cache-"));
+  safeMkdirSync(tempCacheDir, { recursive: true });
   if (
     sbtProjects?.length &&
-    isPackageManagerAllowed("sbt", ["bazel", "maven", "gradle"], options)
+    isPackageManagerAllowed(
+      "sbt",
+      ["bazel", "maven", "gradle", "mill"],
+      options,
+    )
   ) {
     // If the project use sbt lock files
     if (sbtLockFiles?.length) {
@@ -2402,6 +2435,14 @@ export async function createJavaBom(path, options) {
         }
       }
       writeFileSync(tempSbtPlugins, sbtPluginDefinition);
+      let sbtExtraArgs = "";
+      const env = { ...process.env };
+      // We need to collect the jars from the cache
+      if (options.deep) {
+        sbtExtraArgs = " updateClassifiers";
+        env["COURSIER_CACHE"] = tempCacheDir;
+        env["SBT_IVY_HOME"] = tempCacheDir;
+      }
       for (const i in sbtProjects) {
         const basePath = sbtProjects[i];
         const dlFile = join(tempDir, `dl-${i}.tmp`);
@@ -2416,11 +2457,11 @@ export async function createJavaBom(path, options) {
           // write to the existing plugins file
           if (useSlashSyntax) {
             sbtArgs = [
-              `'set ThisBuild / asciiGraphWidth := 400' "dependencyTree / toFile ${dlFile} --force"`,
+              `'set ThisBuild / asciiGraphWidth := 800'${sbtExtraArgs} "dependencyTree / toFile ${dlFile} --force"`,
             ];
           } else {
             sbtArgs = [
-              `'set asciiGraphWidth in ThisBuild := 400' "dependencyTree::toFile ${dlFile} --force"`,
+              `'set asciiGraphWidth in ThisBuild := 800'${sbtExtraArgs} "dependencyTree::toFile ${dlFile} --force"`,
             ];
           }
           pluginFile = addPlugin(basePath, sbtPluginDefinition);
@@ -2441,6 +2482,7 @@ export async function createJavaBom(path, options) {
           encoding: "utf-8",
           timeout: TIMEOUT_MS,
           maxBuffer: MAX_BUFFER,
+          env,
         });
         if (result.status !== 0 || result.error) {
           console.error(result.stdout, result.stderr);
@@ -2492,12 +2534,148 @@ export async function createJavaBom(path, options) {
     }
     // Should we attempt to resolve class names
     if (options.resolveClass || options.deep) {
-      const tmpjarNSMapping = await collectJarNS(SBT_CACHE_DIR);
+      const tmpjarNSMapping = await collectJarNS(tempCacheDir);
       if (tmpjarNSMapping && Object.keys(tmpjarNSMapping).length) {
         jarNSMapping = { ...jarNSMapping, ...tmpjarNSMapping };
       }
+      // sbt can store jars in the target directory
+      const jarNSData = await createJarBom(path, options);
+      if (jarNSData?.bomJson?.components) {
+        pkgList = pkgList.concat(jarNSData?.bomJson?.components);
+        const targetJarNSMapping = {};
+        for (const p of jarNSData.bomJson.components) {
+          if (!p?.purl || !p?.properties?.length) {
+            continue;
+          }
+          const nsProp = p.properties.filter(
+            (prop) => prop.name === "Namespaces",
+          );
+          if (nsProp.length) {
+            targetJarNSMapping[p.purl] = nsProp[0].value;
+          }
+        }
+        jarNSMapping = { ...jarNSMapping, ...targetJarNSMapping };
+      }
+    }
+  }
+  if (tempCacheDir?.startsWith(getTmpDir())) {
+    rmSync(tempCacheDir, {
+      recursive: true,
+      force: true,
+    });
+  }
+
+  if (
+    millFiles?.length &&
+    isPackageManagerAllowed(
+      "mill",
+      ["bazel", "sbt", "gradle", "maven"],
+      options,
+    )
+  ) {
+    const millRootPath = dirname(millFiles[0]);
+    parentComponent = createDefaultParentComponent(
+      millRootPath,
+      "maven",
+      options,
+    );
+    const millCmd = getMillCommand(millRootPath);
+    const millCommonArgs = [
+      "--no-server",
+      "--silent",
+      "--disable-prompt",
+      "--disable-callgraph",
+      "-k",
+      "--color",
+      "false",
+    ];
+    const millArgs = [...millCommonArgs, "__.ivyDepsTree"];
+    if (DEBUG_MODE) {
+      console.log("Executing", millCmd, millArgs.join(" "), "in", millRootPath);
+    }
+    let sresult = spawnSync(millCmd, millArgs, {
+      cwd: millRootPath,
+      encoding: "utf-8",
+      shell: isWin,
+      timeout: TIMEOUT_MS,
+      maxBuffer: MAX_BUFFER * 10,
+    });
+    if (sresult.status !== 0 || sresult.error) {
+      if (options.failOnError || DEBUG_MODE) {
+        console.error(sresult.stdout, sresult.stderr);
+      }
+      options.failOnError && process.exit(1);
+    }
+    const millResolveArgs = [...millCommonArgs, "resolve", "__.ivyDepsTree"];
+    if (DEBUG_MODE) {
+      console.log(
+        "Executing",
+        millCmd,
+        millResolveArgs.join(" "),
+        "in",
+        millRootPath,
+      );
+    }
+    sresult = spawnSync(millCmd, millResolveArgs, {
+      cwd: millRootPath,
+      encoding: "utf-8",
+      shell: isWin,
+      timeout: TIMEOUT_MS,
+      maxBuffer: MAX_BUFFER,
+    });
+    if (sresult.status !== 0 || sresult.error) {
+      if (options.failOnError || DEBUG_MODE) {
+        console.error(sresult.stdout, sresult.stderr);
+      }
+      options.failOnError && process.exit(1);
+    }
+    const sstdout = sresult.stdout;
+    if (sstdout) {
+      parentComponent.components = [];
+      const modules = sstdout
+        .trim()
+        .split("\n")
+        .map((a) => a.substring(0, a.lastIndexOf(".")))
+        .filter((a) =>
+          ["true", "1"].includes(process.env.MILL_EXCLUDE_TEST)
+            ? !a.endsWith(".test")
+            : true,
+        );
+      const moduleBomRefs = [];
+      const packages = new Map();
+      const relations = new Map();
+      relations.set(parentComponent["bom-ref"], []);
+      for (const module of modules) {
+        moduleBomRefs.push(
+          parseMillDependency(module, packages, relations, millRootPath),
+        );
+      }
+      for (const module of moduleBomRefs) {
+        parentComponent.components.push(packages.get(module));
+        relations.get(parentComponent["bom-ref"]).push(module);
+        packages.delete(module);
+      }
+      const newDependencies = [];
+      for (const [ref, dependsOn] of relations.entries()) {
+        newDependencies.push({
+          ref,
+          dependsOn,
+        });
+      }
+      if (DEBUG_MODE) {
+        console.log(
+          `Obtained ${packages.size} components and ${relations.size} dependencies from mill.`,
+        );
+      }
+      pkgList = pkgList.concat(...packages.values());
+      dependencies = mergeDependencies(
+        dependencies,
+        newDependencies,
+        parentComponent,
+      );
     }
   }
+
   pkgList = trimComponents(pkgList);
   pkgList = await getMvnMetadata(pkgList, jarNSMapping, options.deep);
   return buildBomNSData(options, pkgList, "maven", {
@@ -6669,6 +6847,16 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     dependencies = [];
   }
   components = trimComponents(components);
+  // Let's apply some common tweaks
+  // Convert evidence.identity section to an object for 1.5
+  if (options.specVersion === 1.5) {
+    for (const comp of components) {
+      if (comp?.evidence?.identity && Array.isArray(comp.evidence.identity)) {
+        comp.evidence.identity = comp.evidence.identity[0];
+        delete comp.evidence.identity.concludedValue;
+      }
+    }
+  }
   if (DEBUG_MODE) {
     console.log(
       `Obtained ${components.length} components and ${dependencies.length} dependencies after dedupe.`,
@@ -6723,7 +6911,7 @@ export async function createMultiXBom(pathList, options) {
       binPaths,
       executables,
       sharedLibs,
-    } = getOSPackages(
+    } = await getOSPackages(
       options.allLayersExplodedDir,
       options.exportData?.inspectData?.Config,
     );
@@ -8069,7 +8257,8 @@ export async function createBom(path, options) {
  *
  * @param {Object} args CLI args
  * @param {Object} bomContents BOM Json
- * @return {Promise<{ token: string } | { errors: string[] } | undefined>} a promise with a token (if request was successful), a body with errors (if request failed) or undefined (in case of invalid arguments)
+ * @return {Promise<{ token: string } | undefined>} a promise with a token (if request was successful) or undefined (in case of invalid arguments)
+ * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
   const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
@@ -8102,6 +8291,7 @@ export async function submitBom(args, bomContents) {
     console.log(
       "projectId, projectName and projectVersion, or all three must be provided.",
     );
+    args.failOnError && process.exit(1);
     return;
   }
   if (
@@ -8187,6 +8377,7 @@ export async function submitBom(args, bomContents) {
         console.log("Unable to submit the SBOM to the Dependency-Track server");
       }
     }
-    return error.response?.body;
+    // rethrow error as function is async and we should try to catch it in the caller
+    throw error;
   }
 }