@cyclonedx/cdxgen 11.4.0 → 11.4.2

package/README.md

@@ -152,7 +152,8 @@ Options:
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
-      --spec-version           CycloneDX Specification version to use. Defaults to 1.6           [number] [default: 1.6]
+      --spec-version           CycloneDX Specification version to use. Defaults to 1.6
+                                                                        [number] [choices: 1.4, 1.5, 1.6] [default: 1.6]
       --filter                 Filter components containing this word in purl or component.properties.value. Multiple va
                                lues allowed.                                                                     [array]
       --only                   Include components only containing this word in purl. Useful to generate BOM with first p
@@ -163,6 +164,8 @@ Options:
   [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic", "machine-learning",
                                                        "ml", "deep-learning", "ml-deep", "ml-tiny"] [default: "generic"]
       --exclude                Additional glob pattern(s) to ignore                                              [array]
+      --export-proto           Serialize and export BOM as protobuf binary.                   [boolean] [default: false]
+      --proto-bin-file         Path for the serialized protobuf binary.                             [default: "bom.cdx"]
       --include-formulation    Generate formulation section with git metadata and build tools. Defaults to false.
                                                                                               [boolean] [default: false]
       --include-crypto         Include crypto libraries as components.                        [boolean] [default: false]

package/bin/cdxgen.js

@@ -4,11 +4,13 @@ import crypto from "node:crypto";
 import fs from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
+
 import globalAgent from "global-agent";
 import jws from "jws";
 import { parse as _load } from "yaml";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+
 import { createBom, submitBom } from "../lib/cli/index.js";
 import {
   printCallStack,
@@ -21,15 +23,17 @@ import {
   printSummary,
   printTable,
 } from "../lib/helpers/display.js";
-import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
+import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
+  commandsExecuted,
   DEBUG_MODE,
   dirNameStr,
   getTmpDir,
   isMac,
   isSecureMode,
   isWin,
+  remoteHostsAccessed,
   safeExistsSync,
 } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
@@ -57,7 +61,7 @@ for (const configPattern of configPaths) {
     } else {
       config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
     }
-  } catch (e) {
+  } catch (_e) {
     console.log("Invalid config file", configPath);
   }
 }
@@ -264,12 +268,10 @@ const args = yargs(hideBin(process.argv))
     type: "boolean",
     default: false,
     description: "Serialize and export BOM as protobuf binary.",
-    hidden: true,
   })
   .option("proto-bin-file", {
     description: "Path for the serialized protobuf binary.",
     default: "bom.cdx",
-    hidden: true,
   })
   .option("include-formulation", {
     type: "boolean",
@@ -832,7 +834,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     const jsonFile = options.output;
     // Create bom json file
     if (bomNSData.bomJson) {
-      let jsonPayload = undefined;
+      let jsonPayload;
       if (
         typeof bomNSData.bomJson === "string" ||
         bomNSData.bomJson instanceof String
@@ -859,9 +861,9 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
         if (alg.includes("none")) {
           alg = "RS512";
         }
-        let privateKeyToUse = undefined;
-        let jwkPublicKey = undefined;
-        let publicKeyFile = undefined;
+        let privateKeyToUse;
+        let jwkPublicKey;
+        let publicKeyFile;
         if (options.generateKeyAndSign) {
           const jdirName = dirname(jsonFile);
           publicKeyFile = join(jdirName, "public.key");
@@ -1058,7 +1060,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     if (!validateBom(bomNSData.bomJson)) {
       process.exit(1);
     }
-    thoughtLog("BOM file looks valid. Thank you for using cdxgen!");
+    thoughtLog("✅ BOM file looks valid.");
   }
   thoughtEnd();
   // Automatically submit the bom data
@@ -1075,6 +1077,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
   if (options.exportProto) {
     const protobomModule = await import("../lib/helpers/protobom.js");
     protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
+    thoughtLog("BOM file is also available in .proto format!");
   }
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
     printSummary(bomNSData.bomJson);
@@ -1089,4 +1092,24 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       printDependencyTree(bomNSData.bomJson, "provides");
     }
   }
+  if (
+    (DEBUG_MODE || TRACE_MODE) &&
+    (!process.env?.CDXGEN_ALLOWED_HOSTS ||
+      !process.env?.CDXGEN_ALLOWED_COMMANDS)
+  ) {
+    let allowListSuggestion = "";
+    const envPrefix = isWin ? "set $env:" : "export ";
+    if (remoteHostsAccessed.size) {
+      allowListSuggestion = `${envPrefix}CDXGEN_ALLOWED_HOSTS="${Array.from(remoteHostsAccessed).join(",")}"\n`;
+    }
+    if (commandsExecuted.size) {
+      allowListSuggestion = `${allowListSuggestion}${envPrefix}CDXGEN_ALLOWED_COMMANDS="${Array.from(commandsExecuted).join(",")}"\n`;
+    }
+    if (allowListSuggestion) {
+      console.log(
+        "SECURE MODE: cdxgen supports allowlists for remote hosts and external commands. Set the following environment variables to get started.",
+      );
+      console.log(allowListSuggestion);
+    }
+  }
 })();

package/bin/evinse.js

@@ -2,8 +2,10 @@
 // Evinse (Evinse Verification Is Nearly SBOM Evidence)
 
 import process from "node:process";
+
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+
 import {
   analyzeProject,
   createEvinseFile,

package/bin/repl.js

@@ -5,6 +5,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import process from "node:process";
 import repl from "node:repl";
+
 import jsonata from "jsonata";
 
 import { createBom } from "../lib/cli/index.js";
@@ -12,13 +13,14 @@ import {
   printCallStack,
   printDependencyTree,
   printFormulation,
-  printOSTable,
   printOccurrences,
+  printOSTable,
   printServices,
   printSummary,
   printTable,
   printVulnerabilities,
 } from "../lib/helpers/display.js";
+import { readBinary } from "../lib/helpers/protobom.js";
 import { getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 
@@ -50,15 +52,15 @@ if (process.env?.CDXGEN_NODE_OPTIONS) {
 }
 
 // The current sbom is stored here
-let sbom = undefined;
+let sbom;
 
-let historyFile = undefined;
+let historyFile;
 const historyConfigDir = join(homedir(), ".config", ".cdxgen");
 if (!process.env.CDXGEN_REPL_HISTORY && !fs.existsSync(historyConfigDir)) {
   try {
     fs.mkdirSync(historyConfigDir, { recursive: true });
     historyFile = join(historyConfigDir, ".repl_history");
-  } catch (e) {
+  } catch (_e) {
     // ignore
   }
 } else {
@@ -78,6 +80,12 @@ export const importSbom = (sbomOrPath) => {
     } catch (e) {
       console.log(`⚠ Unable to import the BOM from ${sbomOrPath} due to ${e}`);
     }
+  } else if (
+    (sbomOrPath?.endsWith(".cdx") || sbomOrPath?.endsWith(".proto")) &&
+    fs.existsSync(sbomOrPath)
+  ) {
+    sbom = readBinary(sbomOrPath, true);
+    printSummary(sbom);
   } else {
     console.log(`⚠ ${sbomOrPath} is invalid.`);
   }

package/bin/verify.js

@@ -3,9 +3,11 @@
 import fs from "node:fs";
 import { join } from "node:path";
 import process from "node:process";
+
 import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
+
 import { dirNameStr } from "../lib/helpers/utils.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
 

package/lib/cli/index.js

@@ -1,7 +1,7 @@
 import { Buffer } from "node:buffer";
 import {
-  constants,
   accessSync,
+  constants,
   existsSync,
   lstatSync,
   mkdtempSync,
@@ -14,6 +14,7 @@ import {
 import { platform as _platform, arch, homedir } from "node:os";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
 import process from "node:process";
+
 import got from "got";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
@@ -21,6 +22,7 @@ import { parse } from "ssri";
 import { table } from "table";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
+
 import { findJSImportsExports } from "../helpers/analyzer.js";
 import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
@@ -32,21 +34,14 @@ import {
 } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
 import {
-  CARGO_CMD,
-  CLJ_CMD,
-  DEBUG_MODE,
-  LEIN_CMD,
-  MAX_BUFFER,
-  PREFER_MAVEN_DEPS_TREE,
-  PROJECT_TYPE_ALIASES,
-  SWIFT_CMD,
-  TIMEOUT_MS,
   addEvidenceForDotnet,
   addEvidenceForImports,
   addPlugin,
   buildGradleCommandArguments,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
+  CARGO_CMD,
+  CLJ_CMD,
   checksumFile,
   cleanupPlugin,
   collectGemModuleNames,
@@ -56,6 +51,7 @@ import {
   convertJarNSToPackages,
   convertOSQueryResults,
   createUVLock,
+  DEBUG_MODE,
   determineSbtVersion,
   dirNameStr,
   encodeForPurl,
@@ -87,6 +83,10 @@ import {
   isPartialTree,
   isSecureMode,
   isValidIriReference,
+  LEIN_CMD,
+  MAX_BUFFER,
+  PREFER_MAVEN_DEPS_TREE,
+  PROJECT_TYPE_ALIASES,
   parseBazelActionGraph,
   parseBazelSkyframe,
   parseBdistMetadata,
@@ -117,8 +117,8 @@ import {
   parseGoListDep,
   parseGoModData,
   parseGoModGraph,
-  parseGoModWhy,
   parseGoModulesTxt,
+  parseGoModWhy,
   parseGopkgData,
   parseGosumData,
   parseGradleDep,
@@ -160,11 +160,13 @@ import {
   parseYarnLock,
   readZipEntry,
   recomputeScope,
+  SWIFT_CMD,
   safeExistsSync,
   safeMkdirSync,
   safeSpawnSync,
   shouldFetchLicense,
   splitOutputByGradleProjects,
+  TIMEOUT_MS,
 } from "../helpers/utils.js";
 import {
   executeOsQuery,
@@ -283,7 +285,7 @@ const createDefaultParentComponent = (
 };
 
 const determineParentComponent = (options) => {
-  let parentComponent = undefined;
+  let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
     return options.parentComponent;
   }
@@ -551,7 +553,7 @@ const addFormulationSection = (options, context) => {
   if (!environmentVars.length) {
     environmentVars = undefined;
   }
-  let sourceInput = undefined;
+  let sourceInput;
   if (environmentVars) {
     sourceInput = { environmentVars };
   }
@@ -889,7 +891,7 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
             name: `oci:image:bundles:${sdkName}Sdk`,
             value: "true",
           });
-        } catch (e) {
+        } catch (_e) {
           // ignore
         }
       }
@@ -1227,7 +1229,7 @@ function determinePackageType(pkg) {
           return "framework";
         }
       }
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
   } else if (pkg.group) {
@@ -1235,19 +1237,19 @@ function determinePackageType(pkg) {
       return "application";
     }
   }
-  if (Object.prototype.hasOwnProperty.call(pkg, "description")) {
+  if (Object.hasOwn(pkg, "description")) {
     if (pkg.description?.toLowerCase().includes("framework")) {
       return "framework";
     }
   }
-  if (Object.prototype.hasOwnProperty.call(pkg, "keywords")) {
+  if (Object.hasOwn(pkg, "keywords")) {
     for (const keyword of pkg.keywords) {
       if (keyword && keyword.toLowerCase() === "framework") {
         return "framework";
       }
     }
   }
-  if (Object.prototype.hasOwnProperty.call(pkg, "tags")) {
+  if (Object.hasOwn(pkg, "tags")) {
     for (const tag of pkg.tags) {
       if (tag && tag.toLowerCase() === "framework") {
         return "framework";
@@ -1275,16 +1277,16 @@ function processHashes(pkg, component) {
     const integrity = parse(pkg._integrity) || {};
     // Components may have multiple hashes with various lengths. Check each one
     // that is supported by the CycloneDX specification.
-    if (Object.prototype.hasOwnProperty.call(integrity, "sha512")) {
+    if (Object.hasOwn(integrity, "sha512")) {
       addComponentHash("SHA-512", integrity.sha512[0].digest, component);
     }
-    if (Object.prototype.hasOwnProperty.call(integrity, "sha384")) {
+    if (Object.hasOwn(integrity, "sha384")) {
       addComponentHash("SHA-384", integrity.sha384[0].digest, component);
     }
-    if (Object.prototype.hasOwnProperty.call(integrity, "sha256")) {
+    if (Object.hasOwn(integrity, "sha256")) {
       addComponentHash("SHA-256", integrity.sha256[0].digest, component);
     }
-    if (Object.prototype.hasOwnProperty.call(integrity, "sha1")) {
+    if (Object.hasOwn(integrity, "sha1")) {
       addComponentHash("SHA-1", integrity.sha1[0].digest, component);
     }
   }
@@ -1494,7 +1496,7 @@ export async function createJavaBom(path, options) {
   let parentComponent = {};
   // Support for tracking all the tools that created the BOM
   // For java, this would correctly include the cyclonedx maven plugin.
-  let tools = undefined;
+  let tools;
   let possible_misses = false;
   // war/ear mode
   if (path.endsWith(".war") || path.endsWith(".jar")) {
@@ -1577,7 +1579,7 @@ export async function createJavaBom(path, options) {
         }
       }
     }
-    let result = undefined;
+    let result;
     let mvnArgs;
     if (isQuarkus) {
       thoughtLog(
@@ -1660,10 +1662,7 @@ export async function createJavaBom(path, options) {
       // Use the cyclonedx maven plugin if there is no preference for maven deps tree
       if (!useMavenDepsTree) {
         thoughtLog("The user wants me to use the cyclonedx-maven plugin.");
-        console.log(
-          `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
-          basePath,
-        );
+        console.log(`Executing '${mavenCmd}' in`, basePath);
         result = safeSpawnSync(mavenCmd, mvnArgs, {
           cwd: basePath,
           shell: true,
@@ -1698,8 +1697,9 @@ export async function createJavaBom(path, options) {
         const tempMvnTree = join(tempDir, "mvn-tree.txt");
         const tempMvnParentTree = join(tempDir, "mvn-parent-tree.txt");
         let mvnTreeArgs = ["dependency:tree", `-DoutputFile=${tempMvnTree}`];
+        let addArgs = "";
         if (process.env.MVN_ARGS) {
-          const addArgs = process.env.MVN_ARGS.split(" ");
+          addArgs = process.env.MVN_ARGS.split(" ");
           mvnTreeArgs = mvnTreeArgs.concat(addArgs);
         }
         // Automatically use settings.xml to improve the success for fallback
@@ -1713,17 +1713,21 @@ export async function createJavaBom(path, options) {
           thoughtLog(
             "What is the parent component here? Let's use maven command to find out.",
           );
-          result = safeSpawnSync(
-            "mvn",
-            ["dependency:tree", "-N", `-DoutputFile=${tempMvnParentTree}`],
-            {
-              cwd: basePath,
-              shell: true,
-              encoding: "utf-8",
-              timeout: TIMEOUT_MS,
-              maxBuffer: MAX_BUFFER,
-            },
-          );
+          let findParentComponentArgs = [
+            "dependency:tree",
+            "-N",
+            `-DoutputFile=${tempMvnParentTree}`,
+          ];
+          if (addArgs) {
+            findParentComponentArgs = findParentComponentArgs.concat(addArgs);
+          }
+          result = safeSpawnSync("mvn", findParentComponentArgs, {
+            cwd: basePath,
+            shell: true,
+            encoding: "utf-8",
+            timeout: TIMEOUT_MS,
+            maxBuffer: MAX_BUFFER,
+          });
           if (result.status === 0) {
             if (safeExistsSync(tempMvnParentTree)) {
               const mvnTreeString = readFileSync(tempMvnParentTree, {
@@ -1768,8 +1772,13 @@ export async function createJavaBom(path, options) {
           // Our approach to recursively invoking the maven plugin for each sub-module is bound to result in failures
           // These could be due to a range of reasons that are covered below.
           if (pomFiles.length === 1 || DEBUG_MODE || PREFER_MAVEN_DEPS_TREE) {
-            console.error(result.stdout, result.stderr);
-            console.log("The above build errors could be due to:\n");
+            if (result.stdout) {
+              console.log(result.stdout);
+            }
+            if (result.stderr) {
+              console.log(result.stderr);
+              console.log("The above build errors could be due to:\n");
+            }
             if (
               result.stdout &&
               (result.stdout.includes("Non-resolvable parent POM") ||
@@ -1868,7 +1877,7 @@ export async function createJavaBom(path, options) {
     // Locate and parse all bom.json files from the maven plugin
     if (!useMavenDepsTree) {
       for (const abjson of bomJsonFiles) {
-        let bomJsonObj = undefined;
+        let bomJsonObj;
         try {
           if (DEBUG_MODE) {
             console.log(`Extracting data from generated bom file ${abjson}`);
@@ -2003,7 +2012,7 @@ export async function createJavaBom(path, options) {
     );
     if (process.env.GRADLE_INCLUDED_BUILDS === undefined) {
       const outputLines = parallelPropTaskOut.split("\n");
-      for (const [i, line] of outputLines.entries()) {
+      for (const [_i, line] of outputLines.entries()) {
         if (line.startsWith("Root project '") || line.startsWith("Project '")) {
           break;
         }
@@ -3144,6 +3153,10 @@ export async function createNodejsBom(path, options) {
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
+      const pnpmHooks = join(basePath, ".pnpmfile.cjs");
+      if (safeExistsSync(pnpmHooks)) {
+        thoughtLog("Wait, this pnpm project uses install hooks.");
+      }
       if (!Object.keys(parentComponent).length) {
         if (safeExistsSync(packageJsonF)) {
           const pcs = await parsePkgJson(packageJsonF, true);
@@ -3832,7 +3845,7 @@ export async function createPythonBom(path, options) {
         }
         for (const f of reqFiles) {
           const basePath = dirname(f);
-          let reqData = undefined;
+          let reqData;
           let frozen = false;
           // Attempt to pip freeze in a virtualenv to improve precision
           if (options.installDeps) {
@@ -3896,7 +3909,7 @@ export async function createPythonBom(path, options) {
      * The order of preference is pyproject.toml (newer) and then setup.py
      */
     if (options.installDeps) {
-      let pkgMap = undefined;
+      let pkgMap;
       if (pyProjectMode && !poetryMode) {
         pkgMap = getPipFrozenTree(
           path,
@@ -4093,7 +4106,7 @@ export async function createGoBom(path, options) {
   let maybeBinary;
   try {
     maybeBinary = statSync(path).isFile();
-  } catch (err) {
+  } catch (_err) {
     maybeBinary = false;
   }
   if (maybeBinary || options?.lifecycle?.includes("post-build")) {
@@ -4501,7 +4514,7 @@ export async function createRustBom(path, options) {
   let maybeBinary;
   try {
     maybeBinary = statSync(path).isFile();
-  } catch (err) {
+  } catch (_err) {
     maybeBinary = false;
   }
   if (maybeBinary || options?.lifecycle?.includes("post-build")) {
@@ -4706,7 +4719,7 @@ export async function createDartBom(path, options) {
  * @param {Object} options Parse options from the cli
  */
 export function createCppBom(path, options) {
-  let parentComponent = undefined;
+  let parentComponent;
   let dependencies = [];
   const addedParentComponentsMap = {};
   const conanLockFiles = getAllFiles(
@@ -5313,7 +5326,7 @@ export async function createSwiftBom(path, options) {
       if (completedPath.includes(basePath)) {
         continue;
       }
-      let treeData = undefined;
+      let treeData;
       let packageArgs = ["package"];
       // Additional arguments to pass to the swift package command.
       // Example: --swift-sdks-path <swift-sdks-path> --jobs <jobs>
@@ -5939,11 +5952,11 @@ export function createPHPBom(path, options) {
       }
       options.failOnError && process.exit(1);
     }
-    let composerVersion = undefined;
+    let composerVersion;
     if (DEBUG_MODE) {
       console.log("Parsing version", versionResult.stdout);
     }
-    let tmpV = undefined;
+    let tmpV;
     if (versionResult?.stdout) {
       tmpV = versionResult.stdout.split(" ");
     }
@@ -6274,7 +6287,7 @@ export async function createRubyBom(path, options) {
  */
 export async function createCsharpBom(path, options) {
   let manifestFiles = [];
-  let pkgData = undefined;
+  let pkgData;
   let dependencies = [];
   if (options?.lifecycle?.includes("post-build")) {
     return createBinaryBom(path, options);
@@ -6957,7 +6970,7 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
 export async function createMultiXBom(pathList, options) {
   let components = [];
   let dependencies = [];
-  let bomData = undefined;
+  let bomData;
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
   options.createMultiXBom = true;
@@ -7727,7 +7740,7 @@ export async function createMultiXBom(pathList, options) {
 export async function createXBom(path, options) {
   try {
     accessSync(path, constants.R_OK);
-  } catch (err) {
+  } catch (_err) {
     return undefined;
   }
   if (
@@ -8059,7 +8072,7 @@ export async function createBom(path, options) {
   if (!projectType) {
     projectType = [];
   }
-  let exportData = undefined;
+  let exportData;
   let isContainerMode = false;
   // Docker and image archive support
   // TODO: Support any source archive
@@ -8385,13 +8398,14 @@ export async function submitBom(args, bomContents) {
         "with --skip-dt-tls-check argument: Skip DT TLS check.",
       );
     }
+    // See issue #1963 regarding CRLF hardening
     return await got(serverUrl, {
       method: "PUT",
       https: {
         rejectUnauthorized: !args.skipDtTlsCheck,
       },
       headers: {
-        "X-Api-Key": args.apiKey,
+        "X-Api-Key": (args.apiKey || "").replace(/[\r\n]/g, ""),
         "Content-Type": "application/json",
         "user-agent": `@CycloneDX/cdxgen ${_version}`,
       },