@cyclonedx/cdxgen 11.2.2 → 11.2.4

package/lib/helpers/utils.js

@@ -53,13 +53,13 @@ import { xml2js } from "xml-js";
 import { getTreeWithPlugin } from "../managers/piptree.js";
 import { thoughtLog } from "./logger.js";
 
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
+let url = import.meta?.url;
+if (url && !url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
 // TODO: verify if this is a good method (Prabhu)
 // this is due to dirNameStr being "cdxgen/lib/helpers" which causes errors
-export const dirNameStr = import.meta
+export const dirNameStr = url
   ? dirname(dirname(dirname(fileURLToPath(url))))
   : __dirname;
 
@@ -159,8 +159,7 @@ const RUBY_KNOWN_MODULES = JSON.parse(
 // Debug mode flag
 export const DEBUG_MODE =
   ["debug", "verbose"].includes(process.env.CDXGEN_DEBUG_MODE) ||
-  process.env.SCAN_DEBUG_MODE === "debug" ||
-  process.env.NODE_ENV === "development";
+  process.env.SCAN_DEBUG_MODE === "debug";
 
 // Timeout milliseconds. Default 20 mins
 export const TIMEOUT_MS =
@@ -334,6 +333,7 @@ export const PROJECT_TYPE_ALIASES = {
     "java21",
     "java22",
     "java23",
+    "java24",
     "groovy",
     "kotlin",
     "kt",
@@ -345,6 +345,7 @@ export const PROJECT_TYPE_ALIASES = {
     "sbt",
     "bazel",
     "quarkus",
+    "mill",
   ],
   android: ["android", "apk", "aab"],
   jar: ["jar", "war", "ear"],
@@ -467,6 +468,7 @@ export const PROJECT_TYPE_ALIASES = {
   binary: ["binary", "blint"],
   oci: ["docker", "oci", "container", "podman"],
   cocoa: ["cocoa", "cocoapods", "objective-c", "swift", "ios"],
+  scala: ["scala", "scala3", "sbt", "mill"],
 };
 
 // Package manager aliases
@@ -3412,6 +3414,140 @@ export function parseMavenTree(rawOutput, pomFile) {
   };
 }
 
+/**
+ * Parse mill dependencies from file
+ *
+ * @param {string} module name of the module
+ * @param {map} dependencies the parsed dependencies
+ * @param {map} relations a map containing all relations
+ * @param {string} millRootPath root of the project
+ *
+ * @returns the bom-ref of the module
+ */
+export function parseMillDependency(
+  module,
+  dependencies,
+  relations,
+  millRootPath,
+) {
+  const treeRegex = /^(?<treeIndentation>(?:[?├│└─ ]{3})+)(?<dependency>.*)/m;
+  const ESC = "\\x1B";
+  const versionRegex = new RegExp(
+    `^(?:${ESC}\\[\\d+m.+ -> )?(?<version>[^\\ ${ESC}]+)(?:.*${ESC}\\[0m)?`,
+    "m",
+  );
+  const levelCache = new Map();
+  const moduleComponent = completeComponent({
+    name: module,
+    version: "latest",
+  });
+  dependencies.set(moduleComponent["bom-ref"], moduleComponent);
+  relations.set(moduleComponent["bom-ref"], []);
+  levelCache.set(0, moduleComponent["bom-ref"]);
+  let moduleFilePath = module;
+  const versionNumbers = [];
+  let indexOfBracket = moduleFilePath.indexOf("[");
+  for (let versionIndex = 0; indexOfBracket !== -1; versionIndex++) {
+    // Special handling for modules called something like 'main.init.sbt.models[2.12.20]'
+    // This needs to be turned into a path like 'main/init/sbt/models/2.12.20'
+    // However, since all other periods need to be changed to slashes, this needs something more...
+    versionNumbers.push(
+      moduleFilePath.substring(
+        indexOfBracket + 1,
+        moduleFilePath.indexOf("]", indexOfBracket + 1),
+      ),
+    );
+    moduleFilePath = moduleFilePath.replace(
+      `[${versionNumbers[versionIndex]}]`,
+      "[]",
+    );
+    indexOfBracket = moduleFilePath.indexOf("[", indexOfBracket + 1);
+  }
+  moduleFilePath = moduleFilePath.replaceAll(".", "/");
+  for (const versionNumber of versionNumbers) {
+    // Now put the versions we removed above back into the path and replace the brackets at the same time
+    moduleFilePath = moduleFilePath.replace("[]", `/${versionNumber}/`);
+  }
+  moduleFilePath = resolve(
+    millRootPath,
+    "out",
+    moduleFilePath,
+    "ivyDepsTree.log",
+  );
+  moduleComponent.properties = [
+    {
+      name: "SrcFile",
+      value: moduleFilePath,
+    },
+  ];
+  moduleComponent.evidence = {
+    identity: {
+      field: "purl",
+      confidence: 0.6,
+      methods: [
+        {
+          technique: "manifest-analysis",
+          confidence: 0.6,
+          value: moduleFilePath,
+        },
+      ],
+    },
+  };
+  const dependencyTreeLog = readFileSync(moduleFilePath, "utf-8");
+  const dependencyTreeLines = dependencyTreeLog
+    .trim()
+    .split("\n")
+    .map((dependency) => dependency.replaceAll("\r", ""));
+  for (const line of dependencyTreeLines) {
+    const match = treeRegex.exec(line);
+    if (match === null) {
+      continue;
+    }
+    const level = match.groups.treeIndentation.length / 3;
+    let group;
+    let name;
+    let version;
+    if (match.groups.dependency.indexOf(":") === -1) {
+      name = match.groups.dependency;
+      version = "latest";
+    } else {
+      [group, name, version] = match.groups.dependency.split(":");
+      version = versionRegex.exec(version).groups.version;
+    }
+    const component = completeComponent({
+      group,
+      name,
+      version,
+    });
+    if (!dependencies.has(component["bom-ref"])) {
+      dependencies.set(component["bom-ref"], component);
+      relations.set(component["bom-ref"], []);
+    }
+    if (
+      !relations.get(levelCache.get(level - 1)).includes(component["bom-ref"])
+    ) {
+      relations.get(levelCache.get(level - 1)).push(component["bom-ref"]);
+    }
+    levelCache.set(level, component["bom-ref"]);
+  }
+  return moduleComponent["bom-ref"];
+}
+
+function completeComponent(component) {
+  component["type"] = component.group ? "library" : "application";
+  const purl = new PackageURL(
+    "maven",
+    component.group,
+    component.name,
+    component.version,
+    { type: "jar" },
+    null,
+  ).toString();
+  component["purl"] = purl;
+  component["bom-ref"] = decodeURIComponent(purl);
+  return component;
+}
+
 /**
  * Parse gradle dependencies output
  * @param {string} rawOutput Raw string output
@@ -4847,7 +4983,7 @@ export function parsePyProjectTomlFile(tomlFile) {
       });
     }
   }
-  if (tomlData?.tool?.poetry) {
+  if (tomlData?.tool?.poetry?.dependencies) {
     for (const adep of Object.keys(tomlData?.tool?.poetry?.dependencies)) {
       if (
         ![
@@ -5249,7 +5385,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
             }
           }
         }
-      } else if (pkg.dependencies && Object.keys(apkg.dependencies).length) {
+      } else if (apkg.dependencies && Object.keys(apkg.dependencies).length) {
         for (const apkgDep of Object.keys(apkg.dependencies)) {
           depsMap[pkg["bom-ref"]].add(existingPkgMap[apkgDep] || apkgDep);
         }
@@ -5517,7 +5653,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
 export async function getPyModules(src, epkgList, options) {
   const allImports = {};
   const dependenciesList = [];
-  let modList;
+  let modList = [];
   const slicesFile = resolve(
     options.depsSlicesFile || options.usagesSlicesFile,
   );
@@ -9595,9 +9731,8 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
     if (!inputStr) {
       return null;
     }
-    const extractNameOperatorVersion = /([\w.-]+)\s*([><=!]+)\s*([\d.]+)/;
-    const match = inputStr.match(extractNameOperatorVersion);
-
+    const extractNameOperatorVersion = /([\w.-]+)\s*([><=!]+)\s*(.*)/;
+    let match = inputStr.match(extractNameOperatorVersion);
     if (match) {
       return {
         name: match[1],
@@ -9605,6 +9740,14 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
         version: match[3],
       };
     }
+    match = inputStr.split(" ");
+    if (match && match.length === 3) {
+      return {
+        name: match[1],
+        operator: match[2],
+        version: match[3],
+      };
+    }
     return null;
   }
 
@@ -9662,7 +9805,7 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
             const tversion = tmpParts[1];
             if (
               tname.toLowerCase() === nameOperatorVersion.name.toLowerCase() &&
-              tversion === nameOperatorVersion.version
+              tversion === nameOperatorVersion.version.replace("-*", "")
             ) {
               nameToUse = tname;
               matchFound = true;
@@ -11016,9 +11159,6 @@ export async function collectGradleDependencies(
  */
 export async function collectJarNS(jarPath, pomPathMap = {}) {
   const jarNSMapping = {};
-  console.log(
-    `About to identify class names for all jars in the path ${jarPath}`,
-  );
   const env = {
     ...process.env,
   };
@@ -11030,7 +11170,9 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
     )}`;
   }
   // Parse jar files to get class names
-  const jarFiles = getAllFiles(jarPath, "**/*.jar");
+  const jarFiles = jarPath.endsWith(".jar")
+    ? [jarPath]
+    : getAllFiles(jarPath, "**/*.jar");
   if (jarFiles?.length) {
     for (const jf of jarFiles) {
       let pomname =
@@ -11164,7 +11306,9 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
       console.log(`Unable to determine class names for the jars in ${jarPath}`);
     }
   } else {
-    console.log(`${jarPath} did not contain any jars.`);
+    console.log(
+      `${jarPath} did not contain any jars. Try building the project to improve the BOM precision.`,
+    );
   }
   return jarNSMapping;
 }
@@ -11349,6 +11493,31 @@ export function checksumFile(hashName, path) {
   });
 }
 
+/**
+ * Computes multiple checksum for a file path using the given hash algorithms
+ *
+ * @param {Array[String]} algorithms Array of algorithms
+ * @param {string} path path to file
+ * @returns {Promise<Object>} hashes object
+ */
+export function multiChecksumFile(algorithms, path) {
+  return new Promise((resolve, reject) => {
+    const hashes = {};
+    for (const alg of algorithms) {
+      hashes[alg] = createHash(alg);
+    }
+    const stream = createReadStream(path);
+    stream.on("error", (err) => reject(err));
+    stream.on("data", (chunk) =>
+      algorithms.forEach((alg) => hashes[alg].update(chunk)),
+    );
+    stream.on("end", () => {
+      algorithms.forEach((alg) => (hashes[alg] = hashes[alg].digest("hex")));
+      resolve(hashes);
+    });
+  });
+}
+
 /**
  * Method to extract a war or ear file
  *
@@ -11637,6 +11806,14 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
               name: "Namespaces",
               value: jarNSMapping[apkg.purl].namespaces.join("\n"),
             });
+          } else {
+            const tmpJarNSMapping = await collectJarNS(jf);
+            if (tmpJarNSMapping?.[jf]?.namespaces?.length) {
+              apkg.properties.push({
+                name: "Namespaces",
+                value: tmpJarNSMapping[jf].namespaces.join("\n"),
+              });
+            }
           }
           pkgList.push(apkg);
         } else {
@@ -11662,7 +11839,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
   if (jarFiles.length !== pkgList.length) {
     if (pkgList.length) {
       console.log(
-        `Obtained only ${pkgList.length} components from ${jarFiles.length} jars.`,
+        `Obtained only ${pkgList.length} components from ${jarFiles.length} jars at ${tempDir}.`,
       );
     } else {
       console.log(
@@ -11916,6 +12093,26 @@ export function getGradleCommand(srcPath, rootPath) {
   return gradleCmd;
 }
 
+/**
+ * Method to return the mill command to use.
+ *
+ * @param {string} srcPath Path to look for mill wrapper
+ */
+export function getMillCommand(srcPath) {
+  let millCmd = `mill${platform() === "win32" ? ".bat" : ""}`;
+  if (safeExistsSync(join(srcPath, millCmd))) {
+    // Use local mill wrapper if available
+    // Enable execute permission
+    try {
+      chmodSync(join(srcPath, millCmd), 0o775);
+    } catch (e) {
+      // continue regardless of error
+    }
+    millCmd = resolve(join(srcPath, millCmd));
+  }
+  return millCmd;
+}
+
 /**
  * Method to combine the general gradle arguments, the sub-commands and the sub-commands' arguments in the correct way
  *
@@ -12741,7 +12938,7 @@ export function getAtomCommand() {
   return "atom";
 }
 
-export function executeAtom(src, args) {
+export function executeAtom(src, args, extra_env = {}) {
   const cwd =
     safeExistsSync(src) && lstatSync(src).isDirectory() ? src : dirname(src);
   let ATOM_BIN = getAtomCommand();
@@ -12758,6 +12955,7 @@ export function executeAtom(src, args) {
   }
   const env = {
     ...process.env,
+    ...extra_env,
   };
   // Atom requires Java >= 21
   if (process.env?.ATOM_JAVA_HOME) {

package/lib/helpers/utils.test.js

@@ -68,6 +68,7 @@ import {
   parseLeiningenData,
   parseMakeDFile,
   parseMavenTree,
+  parseMillDependency,
   parseMixLockData,
   parseNodeShrinkwrap,
   parseNupkg,
@@ -2455,7 +2456,7 @@ test("parse github actions workflow data", () => {
   dep_list = parseGitHubWorkflowData(
     readFileSync("./.github/workflows/repotests.yml", { encoding: "utf-8" }),
   );
-  expect(dep_list.length).toEqual(13);
+  expect(dep_list.length).toEqual(14);
   expect(dep_list[0]).toEqual({
     group: "actions",
     name: "checkout",
@@ -3784,8 +3785,8 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList).toHaveLength(462);
   expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(623);
-  expect(parsedList.dependenciesList.length).toEqual(623);
+  expect(parsedList.pkgList.length).toEqual(622);
+  expect(parsedList.dependenciesList.length).toEqual(622);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",
@@ -6169,3 +6170,48 @@ test("buildObjectForCocoaPod tests", async () => {
     "bom-ref": "pkg:cocoapods/boost@= 1.59.0#graph-includes",
   });
 });
+
+test("parseMillDependency test", () => {
+  const millTestDataRoot = "./test/data/mill/";
+  const dependencies = new Map();
+  const relations = new Map();
+
+  expect(dependencies.has("pkg:maven/bar@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/bar.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/foo@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/foo.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.size).toEqual(0);
+  expect(relations.size).toEqual(0);
+
+  parseMillDependency("bar", dependencies, relations, millTestDataRoot);
+  expect(dependencies.has("pkg:maven/bar@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/bar.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/foo@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/foo.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.size).toEqual(8);
+  expect(relations.size).toEqual(8);
+
+  parseMillDependency("bar.test", dependencies, relations, millTestDataRoot);
+  expect(dependencies.has("pkg:maven/bar@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/bar.test@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/foo@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.has("pkg:maven/foo.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.size).toEqual(13);
+  expect(relations.size).toEqual(13);
+
+  parseMillDependency("foo", dependencies, relations, millTestDataRoot);
+  expect(dependencies.has("pkg:maven/bar@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/bar.test@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/foo@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/foo.test@latest?type=jar")).toBeftoBeFalsy;
+  expect(dependencies.size).toEqual(14);
+  expect(relations.size).toEqual(14);
+
+  parseMillDependency("foo.test", dependencies, relations, millTestDataRoot);
+  expect(dependencies.has("pkg:maven/bar@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/bar.test@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/foo@latest?type=jar")).toBeTruthy;
+  expect(dependencies.has("pkg:maven/foo.test@latest?type=jar")).toBeTruthy;
+  expect(dependencies.size).toEqual(15);
+  expect(relations.size).toEqual(15);
+});

package/lib/helpers/validator.js

@@ -7,10 +7,7 @@ import { DEBUG_MODE, dirNameStr, isPartialTree } from "./utils.js";
 
 import { URL } from "node:url";
 import { thoughtLog } from "./logger.js";
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
-  url = new URL(`file://${import.meta.url}`).toString();
-}
+
 const dirName = dirNameStr;
 
 /**