@cyclonedx/cdxgen 11.4.0 → 11.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57) hide show
  1. package/README.md +4 -1
  2. package/bin/cdxgen.js +32 -9
  3. package/bin/evinse.js +2 -0
  4. package/bin/repl.js +12 -4
  5. package/bin/verify.js +2 -0
  6. package/lib/cli/index.js +71 -57
  7. package/lib/evinser/evinser.js +26 -20
  8. package/lib/evinser/evinser.test.js +2 -2
  9. package/lib/evinser/swiftsem.js +1 -0
  10. package/lib/evinser/swiftsem.test.js +2 -2
  11. package/lib/helpers/analyzer.js +5 -4
  12. package/lib/helpers/cbomutils.js +2 -0
  13. package/lib/helpers/db.js +1 -0
  14. package/lib/helpers/display.js +1 -0
  15. package/lib/helpers/display.test.js +2 -0
  16. package/lib/helpers/envcontext.js +10 -8
  17. package/lib/helpers/envcontext.test.js +3 -1
  18. package/lib/helpers/logger.js +70 -10
  19. package/lib/helpers/protobom.js +29 -16
  20. package/lib/helpers/protobom.test.js +4 -1
  21. package/lib/helpers/utils.js +276 -106
  22. package/lib/helpers/utils.test.js +41 -11
  23. package/lib/helpers/validator.js +5 -5
  24. package/lib/managers/binary.js +17 -15
  25. package/lib/managers/docker.js +33 -31
  26. package/lib/managers/docker.test.js +2 -0
  27. package/lib/managers/oci.js +2 -1
  28. package/lib/managers/piptree.js +1 -0
  29. package/lib/server/server.js +90 -27
  30. package/lib/server/server.test.js +126 -0
  31. package/lib/stages/postgen/annotator.js +1 -0
  32. package/lib/stages/postgen/annotator.test.js +2 -2
  33. package/lib/stages/postgen/postgen.js +14 -6
  34. package/lib/stages/postgen/postgen.test.js +3 -2
  35. package/lib/stages/pregen/pregen.js +4 -3
  36. package/package.json +12 -11
  37. package/types/lib/cli/index.d.ts.map +1 -1
  38. package/types/lib/evinser/swiftsem.d.ts.map +1 -1
  39. package/types/lib/helpers/analyzer.d.ts.map +1 -1
  40. package/types/lib/helpers/cbomutils.d.ts.map +1 -1
  41. package/types/lib/helpers/db.d.ts.map +1 -1
  42. package/types/lib/helpers/display.d.ts.map +1 -1
  43. package/types/lib/helpers/envcontext.d.ts.map +1 -1
  44. package/types/lib/helpers/logger.d.ts +9 -0
  45. package/types/lib/helpers/logger.d.ts.map +1 -1
  46. package/types/lib/helpers/protobom.d.ts.map +1 -1
  47. package/types/lib/helpers/utils.d.ts +6 -3
  48. package/types/lib/helpers/utils.d.ts.map +1 -1
  49. package/types/lib/managers/binary.d.ts.map +1 -1
  50. package/types/lib/managers/docker.d.ts.map +1 -1
  51. package/types/lib/managers/oci.d.ts.map +1 -1
  52. package/types/lib/managers/piptree.d.ts.map +1 -1
  53. package/types/lib/server/server.d.ts +11 -0
  54. package/types/lib/server/server.d.ts.map +1 -1
  55. package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
  56. package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
  57. package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
@@ -2,8 +2,8 @@ import { Buffer } from "node:buffer";
2
2
  import { spawnSync } from "node:child_process";
3
3
  import { createHash, randomUUID } from "node:crypto";
4
4
  import {
5
- constants,
6
5
  chmodSync,
6
+ constants,
7
7
  copyFileSync,
8
8
  createReadStream,
9
9
  existsSync,
@@ -17,17 +17,18 @@ import {
17
17
  } from "node:fs";
18
18
  import { homedir, platform, tmpdir } from "node:os";
19
19
  import path, {
20
- basename,
21
20
  delimiter as _delimiter,
21
+ sep as _sep,
22
+ basename,
22
23
  dirname,
23
24
  extname,
24
25
  join,
25
- resolve,
26
26
  relative,
27
- sep as _sep,
27
+ resolve,
28
28
  } from "node:path";
29
29
  import process from "node:process";
30
- import { URL, fileURLToPath } from "node:url";
30
+ import { fileURLToPath, URL } from "node:url";
31
+
31
32
  import toml from "@iarna/toml";
32
33
  import Arborist from "@npmcli/arborist";
33
34
  import { load } from "cheerio";
@@ -50,8 +51,9 @@ import {
50
51
  import { IriValidationStrategy, validateIri } from "validate-iri";
51
52
  import { xml2js } from "xml-js";
52
53
  import { parse as _load } from "yaml";
54
+
53
55
  import { getTreeWithPlugin } from "../managers/piptree.js";
54
- import { thoughtLog } from "./logger.js";
56
+ import { thoughtLog, traceLog } from "./logger.js";
55
57
 
56
58
  let url = import.meta?.url;
57
59
  if (url && !url.startsWith("file://")) {
@@ -113,8 +115,20 @@ export function safeMkdirSync(filePath, options) {
113
115
  return mkdirSync(filePath, options);
114
116
  }
115
117
 
118
+ export const commandsExecuted = new Set();
119
+ function isAllowedCommand(command) {
120
+ if (!process.env.CDXGEN_ALLOWED_COMMANDS) {
121
+ return true;
122
+ }
123
+ const allow_commands = (process.env.CDXGEN_ALLOWED_COMMANDS || "").split(",");
124
+ return allow_commands.includes(command.trim());
125
+ }
126
+
116
127
  export function safeSpawnSync(command, args, options) {
117
- if (isSecureMode && process.permission && !process.permission.has("child")) {
128
+ if (
129
+ (isSecureMode && process.permission && !process.permission.has("child")) ||
130
+ !isAllowedCommand(command)
131
+ ) {
118
132
  if (DEBUG_MODE) {
119
133
  console.log(`cdxgen lacks execute permission for ${command}`);
120
134
  }
@@ -125,6 +139,8 @@ export function safeSpawnSync(command, args, options) {
125
139
  error: new Error("No execute permission"),
126
140
  };
127
141
  }
142
+ traceLog("spawn", { command, args, ...options });
143
+ commandsExecuted.add(command);
128
144
  // Fix for DEP0190 warning
129
145
  if (options?.shell === true) {
130
146
  if (args?.length) {
@@ -646,6 +662,26 @@ function isCacheDisabled() {
646
662
  }
647
663
 
648
664
  const cache = isCacheDisabled() ? undefined : gotHttpCache;
665
+ export const remoteHostsAccessed = new Set();
666
+
667
+ function isAllowedHost(hostname) {
668
+ if (!process.env.CDXGEN_ALLOWED_HOSTS) {
669
+ return true;
670
+ }
671
+ const allow_hosts = (process.env.CDXGEN_ALLOWED_HOSTS || "").split(",");
672
+ for (const ahost of allow_hosts) {
673
+ if (!ahost.length) {
674
+ continue;
675
+ }
676
+ if (hostname === ahost) {
677
+ return true;
678
+ }
679
+ // wildcard support
680
+ if (ahost.startsWith("*.") && hostname.endsWith(ahost.replace("*", ""))) {
681
+ return true;
682
+ }
683
+ }
684
+ }
649
685
 
650
686
  // Custom user-agent for cdxgen
651
687
  export const cdxgenAgent = got.extend({
@@ -656,6 +692,31 @@ export const cdxgenAgent = got.extend({
656
692
  retry: {
657
693
  limit: 0,
658
694
  },
695
+ hooks: {
696
+ beforeRequest: [
697
+ (options) => {
698
+ if (!isAllowedHost(options.url.hostname)) {
699
+ console.log(
700
+ `Access to the remote host '${options.url.hostname}' is not permitted.`,
701
+ );
702
+ return new AbortController().abort();
703
+ }
704
+ // Only allow https protocol in secure mode
705
+ if (isSecureMode && options.url.protocol !== "https:") {
706
+ console.log(
707
+ `Access to the remote host '${options.url.hostname}' is not permitted via the '${options.url.protocol}' protocol.`,
708
+ );
709
+ return new AbortController().abort();
710
+ }
711
+ remoteHostsAccessed.add(options.url.hostname);
712
+ traceLog("http", {
713
+ protocol: options.url.protocol,
714
+ pathname: options.url.pathname,
715
+ host: options.url.host,
716
+ });
717
+ },
718
+ ],
719
+ },
659
720
  });
660
721
 
661
722
  /**
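Review bot: The `return new AbortController().abort();` used in both `beforeRequest` branches does not block the request: `abort()` returns `undefined` and the fresh controller is not attached to the request, so the hook only logs and got proceeds with the fetch, unless got treats a returned `undefined` differently than I expect. To make the allowlist and the https-only rule actually fail closed, the hook should throw instead, e.g. `throw new Error(\`Access to the remote host '${options.url.hostname}' is not permitted.\`);` in place of the `console.log`/`return` pair, and the same for the protocol branch, so the caller receives a request error. In the `isAllowedHost` hunk just above, the function falls through to `undefined` when no entry matches; an explicit `return false;` after the loop documents the fail-closed intent, and trimming/lowercasing each `ahost` would avoid mismatches against the already-normalized `options.url.hostname` when the env value contains spaces or mixed case. The `cdxgenAgent` definition starts outside this hunk.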
@@ -1005,7 +1066,7 @@ export async function getSwiftPackageMetadata(pkgList) {
1005
1066
  if (p.repository.url.includes("://github.com/")) {
1006
1067
  try {
1007
1068
  p.license = await getRepoLicense(p.repository.url, undefined);
1008
- } catch (e) {
1069
+ } catch (_e) {
1009
1070
  console.error("error fetching repo license from", p.repository.url);
1010
1071
  }
1011
1072
  } else {
@@ -1067,7 +1128,7 @@ export async function getNpmMetadata(pkgList) {
1067
1128
  p.homepage = { url: body.homepage };
1068
1129
  }
1069
1130
  cdepList.push(p);
1070
- } catch (err) {
1131
+ } catch (_err) {
1071
1132
  cdepList.push(p);
1072
1133
  if (DEBUG_MODE) {
1073
1134
  console.error(p, "was not found on npm");
@@ -1147,7 +1208,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
1147
1208
  };
1148
1209
  }
1149
1210
  pkgList.push(apkg);
1150
- } catch (err) {
1211
+ } catch (_err) {
1151
1212
  // continue regardless of error
1152
1213
  }
1153
1214
  }
@@ -1332,7 +1393,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
1332
1393
  value: "false",
1333
1394
  });
1334
1395
  }
1335
- } catch (err) {
1396
+ } catch (_err) {
1336
1397
  // ignore
1337
1398
  }
1338
1399
  if (node?.isWorkspace) {
@@ -1615,7 +1676,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
1615
1676
  // legacyPeerDeps=false enables npm >v3 package dependency resolution
1616
1677
  legacyPeerDeps: false,
1617
1678
  });
1618
- let tree = undefined;
1679
+ let tree;
1619
1680
  try {
1620
1681
  const rootNodeModulesDir = join(path.dirname(pkgLockFile), "node_modules");
1621
1682
  if (safeExistsSync(rootNodeModulesDir)) {
@@ -2260,6 +2321,9 @@ export async function parsePnpmLock(
2260
2321
  const pkgRefMap = {};
2261
2322
  // Track references to packages that are directly installed from github.com
2262
2323
  const gitPkgRefs = {};
2324
+ // Track aliases
2325
+ const possibleAliases = {};
2326
+ const possibleAliasesRefs = {};
2263
2327
  // pnpm could refer to packages from git sources
2264
2328
  const githubServerHost = process.env.CDXGEN_GIT_HOST || "github.com";
2265
2329
  // Convert workspace package names to an object to help with the lookup
@@ -2287,7 +2351,7 @@ export async function parsePnpmLock(
2287
2351
  lockfileVersion = yamlObj.lockfileVersion;
2288
2352
  try {
2289
2353
  lockfileVersion = Number.parseFloat(lockfileVersion, 10);
2290
- } catch (e) {
2354
+ } catch (_e) {
2291
2355
  // ignore parse errors
2292
2356
  }
2293
2357
  // This logic matches the pnpm list command to include only direct dependencies
@@ -2310,9 +2374,19 @@ export async function parsePnpmLock(
2310
2374
  ? yamlObj.importers["."]?.peerDependencies || {}
2311
2375
  : {};
2312
2376
  const ddeplist = new Set();
2313
- // Find the root optional dependencies
2377
+ // Find the root dev dependencies
2314
2378
  for (const rdk of Object.keys(rootDevDeps)) {
2315
2379
  const version = await getVersionNumPnpm(rootDevDeps[rdk]);
2380
+ let specifier;
2381
+ if (
2382
+ typeof rootDevDeps[rdk] === "object" &&
2383
+ rootDevDeps[rdk].specifier
2384
+ ) {
2385
+ specifier = rootDevDeps[rdk].specifier;
2386
+ }
2387
+ if (specifier?.includes("npm:")) {
2388
+ possibleAliases[rdk] = specifier;
2389
+ }
2316
2390
  const dpurl = new PackageURL(
2317
2391
  "npm",
2318
2392
  "",
@@ -2323,8 +2397,19 @@ export async function parsePnpmLock(
2323
2397
  ).toString();
2324
2398
  possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
2325
2399
  }
2400
+ // Find the root optional and peer dependencies
2326
2401
  for (const rdk of Object.keys({ ...rootOptionalDeps, ...rootPeerDeps })) {
2327
2402
  const version = await getVersionNumPnpm(rootOptionalDeps[rdk]);
2403
+ let specifier;
2404
+ if (
2405
+ typeof rootOptionalDeps[rdk] === "object" &&
2406
+ rootOptionalDeps[rdk].specifier
2407
+ ) {
2408
+ specifier = rootOptionalDeps[rdk].specifier;
2409
+ }
2410
+ if (specifier?.includes("npm:")) {
2411
+ possibleAliases[rdk] = specifier;
2412
+ }
2328
2413
  const dpurl = new PackageURL(
2329
2414
  "npm",
2330
2415
  "",
@@ -2335,8 +2420,19 @@ export async function parsePnpmLock(
2335
2420
  ).toString();
2336
2421
  possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
2337
2422
  }
2423
+ // Find the root direct dependencies
2338
2424
  for (const dk of Object.keys(rootDirectDeps)) {
2339
2425
  const version = await getVersionNumPnpm(rootDirectDeps[dk]);
2426
+ let specifier;
2427
+ if (
2428
+ typeof rootDirectDeps[dk] === "object" &&
2429
+ rootDirectDeps[dk].specifier
2430
+ ) {
2431
+ specifier = rootDirectDeps[dk].specifier;
2432
+ }
2433
+ if (specifier?.includes("npm:")) {
2434
+ possibleAliases[dk] = specifier;
2435
+ }
2340
2436
  const dpurl = new PackageURL(
2341
2437
  "npm",
2342
2438
  "",
@@ -2367,8 +2463,8 @@ export async function parsePnpmLock(
2367
2463
  {};
2368
2464
  const componentPeerDeps =
2369
2465
  yamlObj?.importers[importedComponentName]["peerDependencies"] || {};
2370
- let compPurl = undefined;
2371
- let pkgSrcFile = undefined;
2466
+ let compPurl;
2467
+ let pkgSrcFile;
2372
2468
  let fallbackMode = true;
2373
2469
  if (safeExistsSync(join(importedComponentName, "package.json"))) {
2374
2470
  pkgSrcFile = join(importedComponentName, "package.json");
@@ -2563,19 +2659,35 @@ export async function parsePnpmLock(
2563
2659
  packages[fullName]?.optionalDependencies ||
2564
2660
  snapshots[fullName]?.optionalDependencies ||
2565
2661
  {};
2662
+ const _peerDeps =
2663
+ packages[pkgKeys[k]]?.peerDependencies ||
2664
+ snapshots[pkgKeys[k]]?.peerDependencies ||
2665
+ packages[fullName]?.peerDependencies ||
2666
+ snapshots[fullName]?.peerDependencies ||
2667
+ {};
2566
2668
  // Track the explicit optional dependencies of this package
2567
2669
  for (const opkgName of Object.keys(optionalDeps)) {
2568
2670
  let vers = optionalDeps[opkgName];
2569
2671
  if (vers?.includes("(")) {
2570
2672
  vers = vers.split("(")[0];
2571
2673
  }
2572
- const opurlString = PackageURL.fromString(
2573
- `pkg:npm/${encodeURIComponent(opkgName).replace(/%2F/g, "/")}@${vers}`,
2574
- ).toString();
2674
+ let opurlString;
2675
+ if (vers.includes("@")) {
2676
+ opurlString = PackageURL.fromString(
2677
+ `pkg:npm/${vers.replace(/^@/g, "%40")}`,
2678
+ ).toString();
2679
+ } else {
2680
+ opurlString = PackageURL.fromString(
2681
+ `pkg:npm/${encodeURIComponent(opkgName).replace(/%2F/g, "/")}@${vers}`,
2682
+ ).toString();
2683
+ }
2575
2684
  const obomRef = decodeURIComponent(opurlString);
2576
2685
  if (possibleOptionalDeps[obomRef] === undefined) {
2577
2686
  possibleOptionalDeps[obomRef] = true;
2578
2687
  }
2688
+ if (possibleAliases[opkgName]) {
2689
+ possibleAliasesRefs[obomRef] = opkgName;
2690
+ }
2579
2691
  }
2580
2692
  let scope =
2581
2693
  packageNode.dev === true || packageNode.optional === true
@@ -2595,7 +2707,7 @@ export async function parsePnpmLock(
2595
2707
  let name = "";
2596
2708
  let version = "";
2597
2709
  let group = "";
2598
- let srcUrl = undefined;
2710
+ let srcUrl;
2599
2711
  const hasBin = packageNode?.hasBin;
2600
2712
  const deprecatedMessage = packageNode?.deprecated;
2601
2713
  if (lockfileVersion >= 9 && fullName.includes("@")) {
@@ -2893,12 +3005,17 @@ export async function parsePnpmLock(
2893
3005
  }
2894
3006
  }
2895
3007
  }
2896
-
2897
3008
  // Ensure any required dependency is not scoped optionally
2898
3009
  for (const apkg of pkgList) {
2899
3010
  if (requiredDependencies[apkg["bom-ref"]]) {
2900
3011
  apkg.scope = undefined;
2901
3012
  }
3013
+ if (possibleAliasesRefs[apkg["bom-ref"]]) {
3014
+ apkg.properties.push({
3015
+ name: "cdx:pnpm:alias",
3016
+ value: possibleAliasesRefs[apkg["bom-ref"]],
3017
+ });
3018
+ }
2902
3019
  // There are no workspaces so exit early
2903
3020
  if (!Object.keys(workspacePackageNames).length) {
2904
3021
  continue;
@@ -3015,7 +3132,7 @@ export async function parseBowerJson(bowerJsonFile) {
3015
3132
  },
3016
3133
  },
3017
3134
  });
3018
- } catch (err) {
3135
+ } catch (_err) {
3019
3136
  // continue regardless of error
3020
3137
  }
3021
3138
  }
@@ -3100,7 +3217,7 @@ export async function parseMinJs(minJsFile) {
3100
3217
  }
3101
3218
  }
3102
3219
  });
3103
- } catch (err) {
3220
+ } catch (_err) {
3104
3221
  // continue regardless of error
3105
3222
  }
3106
3223
  }
@@ -3214,7 +3331,7 @@ export function parsePom(pomFile) {
3214
3331
  }
3215
3332
  for (const adep of dependencies) {
3216
3333
  const version = adep.version;
3217
- let versionStr = undefined;
3334
+ let versionStr;
3218
3335
  if (version?._) {
3219
3336
  versionStr = version._;
3220
3337
  }
@@ -3271,7 +3388,7 @@ export function parseMavenTree(rawOutput, pomFile) {
3271
3388
  const tmpA = rawOutput.split("\n");
3272
3389
  let last_level = 0;
3273
3390
  let last_purl = "";
3274
- let first_ref = undefined;
3391
+ let first_ref;
3275
3392
  const stack = [];
3276
3393
  tmpA.forEach((l) => {
3277
3394
  l = l.replace("\r", "");
@@ -3289,7 +3406,7 @@ export function parseMavenTree(rawOutput, pomFile) {
3289
3406
  // Support for classifiers
3290
3407
  // com.github.jnr:jffi:jar:1.3.11:compile
3291
3408
  // com.github.jnr:jffi:jar:native:1.3.11:runtime
3292
- let classifier = undefined;
3409
+ let classifier;
3293
3410
  if (pkgArr && pkgArr.length > 2) {
3294
3411
  let versionStr = pkgArr[pkgArr.length - 2];
3295
3412
  const componentScope = pkgArr[pkgArr.length - 1];
@@ -3304,7 +3421,7 @@ export function parseMavenTree(rawOutput, pomFile) {
3304
3421
  if (!includeMavenTestScope && componentScope === "test") {
3305
3422
  return;
3306
3423
  }
3307
- let scope = undefined;
3424
+ let scope;
3308
3425
  if (["compile", "runtime"].includes(componentScope)) {
3309
3426
  scope = "required";
3310
3427
  } else if (componentScope === "test") {
@@ -3590,8 +3707,8 @@ export async function parseGradleDep(
3590
3707
  let last_project_bomref = first_bomref;
3591
3708
  const level_trees = {};
3592
3709
  level_trees[last_bomref] = [];
3593
- let scope = undefined;
3594
- let profileName = undefined;
3710
+ let scope;
3711
+ let profileName;
3595
3712
  if (retMap?.projects) {
3596
3713
  const modulesToSkip = process.env.GRADLE_SKIP_MODULES
3597
3714
  ? process.env.GRADLE_SKIP_MODULES.split(",")
@@ -4474,7 +4591,7 @@ export async function fetchPomXml({ urlPrefix, group, name, version }) {
4474
4591
  try {
4475
4592
  const res = await cdxgenAgent.get(fullUrl);
4476
4593
  return res.body;
4477
- } catch (err) {
4594
+ } catch (_err) {
4478
4595
  return undefined;
4479
4596
  }
4480
4597
  }
@@ -4607,12 +4724,12 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
4607
4724
  if (p.name.includes("[")) {
4608
4725
  p.name = p.name.split("[")[0];
4609
4726
  }
4610
- let res = undefined;
4727
+ let res;
4611
4728
  try {
4612
4729
  res = await cdxgenAgent.get(`${PYPI_URL + p.name}/json`, {
4613
4730
  responseType: "json",
4614
4731
  });
4615
- } catch (err) {
4732
+ } catch (_err) {
4616
4733
  // retry by prefixing django- to the package name
4617
4734
  res = await cdxgenAgent.get(`${PYPI_URL}django-${p.name}/json`, {
4618
4735
  responseType: "json",
@@ -4666,7 +4783,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
4666
4783
  }
4667
4784
  // Use the latest version if none specified
4668
4785
  if (!p.version || !p.version.trim().length) {
4669
- let versionSpecifiers = undefined;
4786
+ let versionSpecifiers;
4670
4787
  if (p.properties?.length) {
4671
4788
  for (const pprop of p.properties) {
4672
4789
  if (pprop.name === "cdx:pypi:versionSpecifiers") {
@@ -4754,7 +4871,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
4754
4871
  p.purl = purlString;
4755
4872
  p["bom-ref"] = decodeURIComponent(purlString);
4756
4873
  cdepList.push(p);
4757
- } catch (err) {
4874
+ } catch (_err) {
4758
4875
  if (DEBUG_MODE) {
4759
4876
  console.error(p.name, "is not found on PyPI.");
4760
4877
  console.log(
@@ -4841,7 +4958,7 @@ export async function parsePiplockData(lockData) {
4841
4958
  const depBlock = lockData[k];
4842
4959
  Object.keys(depBlock).forEach((p) => {
4843
4960
  const pkg = depBlock[p];
4844
- if (Object.prototype.hasOwnProperty.call(pkg, "version")) {
4961
+ if (Object.hasOwn(pkg, "version")) {
4845
4962
  const versionStr = pkg.version.replace("==", "");
4846
4963
  pkgList.push({ name: p, version: versionStr });
4847
4964
  }
@@ -5501,7 +5618,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
5501
5618
  */
5502
5619
  export async function parseReqFile(reqData, fetchDepsInfo) {
5503
5620
  const pkgList = [];
5504
- let compScope = undefined;
5621
+ let compScope;
5505
5622
  reqData
5506
5623
  .replace(/\r/g, "")
5507
5624
  .replace(/ [\\]\n/g, "")
@@ -5509,7 +5626,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
5509
5626
  .split("\n")
5510
5627
  .forEach((l) => {
5511
5628
  l = l.trim();
5512
- let markers = undefined;
5629
+ let markers;
5513
5630
  if (l.includes(" ; ")) {
5514
5631
  const tmpA = l.split(" ; ");
5515
5632
  if (tmpA && tmpA.length === 2) {
@@ -6179,7 +6296,7 @@ export async function getGoPkgLicense(repoMetadata) {
6179
6296
  metadata_cache[pkgUrl] = licList;
6180
6297
  return licList;
6181
6298
  }
6182
- } catch (err) {
6299
+ } catch (_err) {
6183
6300
  return undefined;
6184
6301
  }
6185
6302
  if (group.indexOf("github.com") > -1) {
@@ -6211,14 +6328,14 @@ async function getGoPkgVCSUrl(group, name) {
6211
6328
  metadata_cache[pkgUrl] = vcs;
6212
6329
  return vcs;
6213
6330
  }
6214
- } catch (err) {
6331
+ } catch (_err) {
6215
6332
  return undefined;
6216
6333
  }
6217
6334
  return undefined;
6218
6335
  }
6219
6336
 
6220
6337
  export async function getGoPkgComponent(group, name, version, hash) {
6221
- let license = undefined;
6338
+ let license;
6222
6339
  if (shouldFetchLicense()) {
6223
6340
  if (DEBUG_MODE) {
6224
6341
  console.log(
@@ -6234,7 +6351,7 @@ export async function getGoPkgComponent(group, name, version, hash) {
6234
6351
  const purlString = new PackageURL("golang", group, name, version)
6235
6352
  .toString()
6236
6353
  .replace(/%2F/g, "/");
6237
- let vcs = undefined;
6354
+ let vcs;
6238
6355
  if (shouldFetchVCS()) {
6239
6356
  vcs = await getGoPkgVCSUrl(group, name);
6240
6357
  }
@@ -6716,13 +6833,14 @@ export async function parseGoModGraph(
6716
6833
  }
6717
6834
 
6718
6835
  /**
6719
- * Parse go mod why output
6836
+ * Parse go mod why output.
6837
+ *
6720
6838
  * @param {string} rawOutput Output from go mod why
6721
- * @returns package name or none
6839
+ * @returns {string|undefined} package name or none
6722
6840
  */
6723
6841
  export function parseGoModWhy(rawOutput) {
6724
6842
  if (typeof rawOutput === "string") {
6725
- let pkg_name = undefined;
6843
+ let pkg_name;
6726
6844
  const lines = rawOutput.split("\n");
6727
6845
  lines.forEach((l) => {
6728
6846
  if (l && !l.startsWith("#") && !l.startsWith("(")) {
@@ -6780,7 +6898,7 @@ export async function parseGopkgData(gopkgData) {
6780
6898
  const tmpA = l.split("=");
6781
6899
  key = tmpA[0].trim();
6782
6900
  value = tmpA[1].trim().replace(/"/g, "");
6783
- let digestStr = undefined;
6901
+ let digestStr;
6784
6902
  switch (key) {
6785
6903
  case "digest":
6786
6904
  digestStr = value.replace("1:", "");
@@ -7242,7 +7360,7 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
7242
7360
  pkg[aprop] = apropList.split(",");
7243
7361
  }
7244
7362
  }
7245
- } catch (err) {
7363
+ } catch (_err) {
7246
7364
  const alist = l
7247
7365
  .replace(/[[\]'"]/g, "")
7248
7366
  .replaceAll("%w", "")
@@ -7269,7 +7387,7 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
7269
7387
  value: exeList.join(", "),
7270
7388
  });
7271
7389
  }
7272
- } catch (err) {
7390
+ } catch (_err) {
7273
7391
  // pass
7274
7392
  }
7275
7393
  }
@@ -7391,12 +7509,12 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
7391
7509
  }
7392
7510
  });
7393
7511
  specsFound = false;
7394
- let lastParent = undefined;
7395
- let lastRemote = undefined;
7396
- let lastRevision = undefined;
7397
- let lastBranch = undefined;
7398
- let lastTag = undefined;
7399
- let lastParentPlatform = undefined;
7512
+ let lastParent;
7513
+ let lastRemote;
7514
+ let lastRevision;
7515
+ let lastBranch;
7516
+ let lastTag;
7517
+ let lastParentPlatform;
7400
7518
  // Dependencies block would begin with DEPENDENCIES
7401
7519
  let dependenciesBlock = false;
7402
7520
  const rootList = [];
@@ -7574,6 +7692,59 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
7574
7692
  const rootDepName = l.trim().split(" ")[0].replace("!", "");
7575
7693
  if (pkgNameRef[rootDepName]) {
7576
7694
  rootList.push(pkgNameRef[rootDepName]);
7695
+ } else {
7696
+ // We are dealing with an optional platform-dependent import
7697
+ // create a placeholder component to track this
7698
+ let specifier;
7699
+ if (l.includes("(")) {
7700
+ specifier = l.trim().split(" (").pop().replace(")", "").trim();
7701
+ }
7702
+ const untrackedPurl = new PackageURL(
7703
+ "gem",
7704
+ "",
7705
+ rootDepName,
7706
+ null,
7707
+ null,
7708
+ null,
7709
+ ).toString();
7710
+ const untrackedBomRef = decodeURIComponent(untrackedPurl);
7711
+ const untrackedProps = [
7712
+ {
7713
+ name: "SrcFile",
7714
+ value: lockFile,
7715
+ },
7716
+ ];
7717
+ if (specifier) {
7718
+ untrackedProps.push({
7719
+ name: "cdx:gem:versionSpecifiers",
7720
+ value: specifier,
7721
+ });
7722
+ }
7723
+ const untrackedRootDep = {
7724
+ name: rootDepName,
7725
+ version: undefined,
7726
+ purl: untrackedPurl,
7727
+ "bom-ref": untrackedBomRef,
7728
+ properties: untrackedProps,
7729
+ evidence: {
7730
+ identity: {
7731
+ field: "purl",
7732
+ confidence: 0.3,
7733
+ methods: [
7734
+ {
7735
+ technique: "manifest-analysis",
7736
+ confidence: 0.3,
7737
+ value: lockFile,
7738
+ },
7739
+ ],
7740
+ },
7741
+ },
7742
+ };
7743
+ pkgnames[untrackedPurl] = true;
7744
+ pkgNameRef[rootDepName] = untrackedBomRef;
7745
+ pkgList.push(untrackedRootDep);
7746
+ rootList.push(untrackedBomRef);
7747
+ dependenciesMap[untrackedBomRef] = new Set();
7577
7748
  }
7578
7749
  }
7579
7750
  });
@@ -7659,7 +7830,7 @@ export async function getCratesMetadata(pkgList) {
7659
7830
  });
7660
7831
  }
7661
7832
  cdepList.push(p);
7662
- } catch (err) {
7833
+ } catch (_err) {
7663
7834
  cdepList.push(p);
7664
7835
  }
7665
7836
  }
@@ -7713,7 +7884,7 @@ export async function getDartMetadata(pkgList) {
7713
7884
  }
7714
7885
  cdepList.push(p);
7715
7886
  }
7716
- } catch (err) {
7887
+ } catch (_err) {
7717
7888
  cdepList.push(p);
7718
7889
  }
7719
7890
  }
@@ -8234,10 +8405,10 @@ export async function parsePubLockData(pubLockData, lockFile) {
8234
8405
 
8235
8406
  export function parsePubYamlData(pubYamlData) {
8236
8407
  const pkgList = [];
8237
- let yamlObj = undefined;
8408
+ let yamlObj;
8238
8409
  try {
8239
8410
  yamlObj = _load(pubYamlData);
8240
- } catch (err) {
8411
+ } catch (_err) {
8241
8412
  // continue regardless of error
8242
8413
  }
8243
8414
  if (!yamlObj) {
@@ -8260,10 +8431,10 @@ export function parsePubYamlData(pubYamlData) {
8260
8431
 
8261
8432
  export function parseHelmYamlData(helmData) {
8262
8433
  const pkgList = [];
8263
- let yamlObj = undefined;
8434
+ let yamlObj;
8264
8435
  try {
8265
8436
  yamlObj = _load(helmData);
8266
- } catch (err) {
8437
+ } catch (_err) {
8267
8438
  // continue regardless of error
8268
8439
  }
8269
8440
  if (!yamlObj) {
@@ -8547,10 +8718,10 @@ export function parseContainerSpecData(dcData) {
8547
8718
  dcDataList = dcData.split("---");
8548
8719
  }
8549
8720
  for (const dcData of dcDataList) {
8550
- let yamlObj = undefined;
8721
+ let yamlObj;
8551
8722
  try {
8552
8723
  yamlObj = _load(dcData);
8553
- } catch (err) {
8724
+ } catch (_err) {
8554
8725
  // ignore errors
8555
8726
  }
8556
8727
  if (!yamlObj) {
@@ -8721,7 +8892,7 @@ export function parseOpenapiSpecData(oaData) {
8721
8892
  } else {
8722
8893
  oaData = JSON.parse(oaData);
8723
8894
  }
8724
- } catch (e) {
8895
+ } catch (_e) {
8725
8896
  return servlist;
8726
8897
  }
8727
8898
 
@@ -9236,7 +9407,7 @@ export async function parseNupkg(nupkgFile) {
9236
9407
  export function parseNuspecData(nupkgFile, nuspecData) {
9237
9408
  const pkgList = [];
9238
9409
  const pkg = { group: "" };
9239
- let npkg = undefined;
9410
+ let npkg;
9240
9411
  const dependenciesMap = {};
9241
9412
  const addedMap = {};
9242
9413
  try {
@@ -9248,7 +9419,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
9248
9419
  attributesKey: "$",
9249
9420
  commentKey: "value",
9250
9421
  }).package;
9251
- } catch (e) {
9422
+ } catch (_e) {
9252
9423
  // If we are parsing with invalid encoding, unicode replacement character is used
9253
9424
  if (nuspecData.charCodeAt(0) === 65533) {
9254
9425
  console.log(`Unable to parse ${nupkgFile} in utf-8 mode`);
@@ -9315,7 +9486,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
9315
9486
  }
9316
9487
  const dependsOn = [];
9317
9488
  for (const agroup of dependencyGroups) {
9318
- let targetFramework = undefined;
9489
+ let targetFramework;
9319
9490
  if (agroup?.$?.targetFramework) {
9320
9491
  targetFramework = agroup.$.targetFramework;
9321
9492
  }
@@ -9462,7 +9633,7 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
9462
9633
  csProjData = csProjData.slice(1);
9463
9634
  }
9464
9635
  const projectTargetFrameworks = [];
9465
- let projects = undefined;
9636
+ let projects;
9466
9637
  try {
9467
9638
  projects = xml2js(csProjData, {
9468
9639
  compact: true,
@@ -9472,7 +9643,7 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
9472
9643
  attributesKey: "$",
9473
9644
  commentKey: "value",
9474
9645
  }).Project;
9475
- } catch (e) {
9646
+ } catch (_e) {
9476
9647
  console.log(`Unable to parse ${projFile} with utf-8 encoding!`);
9477
9648
  }
9478
9649
  if (!projects || projects.length === 0) {
@@ -10335,7 +10506,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
10335
10506
  let lockData = {};
10336
10507
  try {
10337
10508
  lockData = JSON.parse(readFileSync(pkgLockFile, { encoding: "utf-8" }));
10338
- } catch (e) {
10509
+ } catch (_e) {
10339
10510
  console.error("Invalid composer.lock file:", pkgLockFile);
10340
10511
  return [];
10341
10512
  }
@@ -10619,7 +10790,7 @@ export function parseSbtLock(pkgLockFile) {
10619
10790
  if (artifacts?.length) {
10620
10791
  integrity = artifacts[0].hash.replace("sha1:", "sha1-");
10621
10792
  }
10622
- let compScope = undefined;
10793
+ let compScope;
10623
10794
  if (pkg.configurations) {
10624
10795
  if (pkg.configurations.includes("runtime")) {
10625
10796
  compScope = "required";
@@ -10796,7 +10967,7 @@ export function convertOSQueryResults(
10796
10967
  if (publisher === "null") {
10797
10968
  publisher = "";
10798
10969
  }
10799
- let scope = undefined;
10970
+ let scope;
10800
10971
  const compScope = res.priority;
10801
10972
  if (["required", "optional", "excluded"].includes(compScope)) {
10802
10973
  scope = compScope;
@@ -10816,7 +10987,7 @@ export function convertOSQueryResults(
10816
10987
  if (!name && results.length === 1 && queryObj.name) {
10817
10988
  name = queryObj.name;
10818
10989
  }
10819
- let qualifiers = undefined;
10990
+ let qualifiers;
10820
10991
  if (res.identifying_number?.length) {
10821
10992
  qualifiers = {
10822
10993
  tag_id: res.identifying_number.replace("{", "").replace("}", ""),
@@ -10842,7 +11013,7 @@ export function convertOSQueryResults(
10842
11013
  subpath,
10843
11014
  ).toString();
10844
11015
  const props = [{ name: "cdx:osquery:category", value: queryCategory }];
10845
- let providesList = undefined;
11016
+ let providesList;
10846
11017
  if (enhance) {
10847
11018
  switch (queryObj.purlType) {
10848
11019
  case "deb":
@@ -11110,7 +11281,7 @@ export function parseSwiftResolved(resolvedFile) {
11110
11281
  }
11111
11282
  pkgList.push(rootPkg);
11112
11283
  }
11113
- } catch (err) {
11284
+ } catch (_err) {
11114
11285
  // continue regardless of error
11115
11286
  }
11116
11287
  }
@@ -11248,8 +11419,8 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
11248
11419
  let pomname =
11249
11420
  pomPathMap[basename(jf).replace(".jar", ".pom")] ||
11250
11421
  jf.replace(".jar", ".pom");
11251
- let pomData = undefined;
11252
- let purl = undefined;
11422
+ let pomData;
11423
+ let purl;
11253
11424
  // In some cases, the pom name might be slightly different to the jar name
11254
11425
  if (!safeExistsSync(pomname)) {
11255
11426
  let searchDir = dirname(jf);
@@ -11373,7 +11544,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
11373
11544
  { alg: "SHA-256", content: hashValues["sha256"] },
11374
11545
  { alg: "SHA-512", content: hashValues["sha512"] },
11375
11546
  ];
11376
- } catch (e) {
11547
+ } catch (_e) {
11377
11548
  // ignore
11378
11549
  }
11379
11550
  jarNSMapping[purl || jf] = {
@@ -11406,10 +11577,10 @@ export async function convertJarNSToPackages(jarNSMapping) {
11406
11577
  if (!pom) {
11407
11578
  pom = {};
11408
11579
  }
11409
- let purlObj = undefined;
11580
+ let purlObj;
11410
11581
  try {
11411
11582
  purlObj = PackageURL.fromString(purl);
11412
- } catch (e) {
11583
+ } catch (_e) {
11413
11584
  // ignore
11414
11585
  purlObj = {};
11415
11586
  }
@@ -11618,7 +11789,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
11618
11789
  const pkgList = [];
11619
11790
  let jarFiles = [];
11620
11791
  const fname = basename(jarFile);
11621
- let pomname = undefined;
11792
+ let pomname;
11622
11793
  // If there is a pom file in the same directory, try to use it
11623
11794
  const manifestname = join(dirname(jarFile), "META-INF", "MANIFEST.MF");
11624
11795
  // Issue 439: Current implementation checks for existance of a .pom file, but .pom file is not used.
@@ -11719,7 +11890,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
11719
11890
  await zip.extract(null, tempDir);
11720
11891
  await zip.close();
11721
11892
  jarResult = { status: 0 };
11722
- } catch (e) {
11893
+ } catch (_e) {
11723
11894
  if (DEBUG_MODE) {
11724
11895
  console.log(`Unable to extract ${jf}. Skipping.`);
11725
11896
  }
@@ -11917,7 +12088,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
11917
12088
  force: true,
11918
12089
  });
11919
12090
  }
11920
- } catch (err) {
12091
+ } catch (_err) {
11921
12092
  // ignore cleanup errors
11922
12093
  }
11923
12094
  } // for
@@ -12036,7 +12207,7 @@ export async function readZipEntry(
12036
12207
  filePattern,
12037
12208
  contentEncoding = "utf-8",
12038
12209
  ) {
12039
- let retData = undefined;
12210
+ let retData;
12040
12211
  try {
12041
12212
  const zip = new StreamZip.async({ file: zipFile });
12042
12213
  const entriesCount = await zip.entriesCount;
@@ -12160,7 +12331,7 @@ export function getGradleCommand(srcPath, rootPath) {
12160
12331
  // Enable execute permission
12161
12332
  try {
12162
12333
  chmodSync(join(srcPath, findGradleFile), 0o775);
12163
- } catch (e) {
12334
+ } catch (_e) {
12164
12335
  // continue regardless of error
12165
12336
  }
12166
12337
  gradleCmd = resolve(join(srcPath, findGradleFile));
@@ -12168,7 +12339,7 @@ export function getGradleCommand(srcPath, rootPath) {
12168
12339
  // Check if the root directory has a wrapper script
12169
12340
  try {
12170
12341
  chmodSync(join(rootPath, findGradleFile), 0o775);
12171
- } catch (e) {
12342
+ } catch (_e) {
12172
12343
  // continue regardless of error
12173
12344
  }
12174
12345
  gradleCmd = resolve(join(rootPath, findGradleFile));
@@ -12192,7 +12363,7 @@ export function getMillCommand(srcPath) {
12192
12363
  // Enable execute permission
12193
12364
  try {
12194
12365
  chmodSync(join(srcPath, millCmd), 0o775);
12195
- } catch (e) {
12366
+ } catch (_e) {
12196
12367
  // continue regardless of error
12197
12368
  }
12198
12369
  millCmd = resolve(join(srcPath, millCmd));
@@ -12695,13 +12866,13 @@ async function fullScanCocoaPod(dependency, component, options) {
12695
12866
  podspecLocation.replace("<DEFAULT>", branchName),
12696
12867
  );
12697
12868
  podspecLocation = podspecLocation.replace("<DEFAULT>", branchName);
12698
- } catch (err) {
12869
+ } catch (_err) {
12699
12870
  try {
12700
12871
  httpResult = await cdxgenAgent.get(
12701
12872
  `${podspecLocation.replace("<DEFAULT>", branchName)}.json`,
12702
12873
  );
12703
12874
  podspecLocation = `${podspecLocation.replace("<DEFAULT>", branchName)}.json`;
12704
- } catch (err) {
12875
+ } catch (_err) {
12705
12876
  continue;
12706
12877
  }
12707
12878
  }
@@ -12781,7 +12952,7 @@ async function fullScanCocoaPod(dependency, component, options) {
12781
12952
  podspecText.lastIndexOf("}") + 1,
12782
12953
  ),
12783
12954
  );
12784
- } catch (e) {
12955
+ } catch (_e) {
12785
12956
  return;
12786
12957
  }
12787
12958
  const externalRefs = [];
@@ -13048,7 +13219,7 @@ export function getMavenCommand(srcPath, rootPath) {
13048
13219
  // Enable execute permission
13049
13220
  try {
13050
13221
  chmodSync(join(srcPath, findMavenFile), 0o775);
13051
- } catch (e) {
13222
+ } catch (_e) {
13052
13223
  // continue regardless of error
13053
13224
  }
13054
13225
  mavenWrapperCmd = resolve(join(srcPath, findMavenFile));
@@ -13057,7 +13228,7 @@ export function getMavenCommand(srcPath, rootPath) {
13057
13228
  // Check if the root directory has a wrapper script
13058
13229
  try {
13059
13230
  chmodSync(join(rootPath, findMavenFile), 0o775);
13060
- } catch (e) {
13231
+ } catch (_e) {
13061
13232
  // continue regardless of error
13062
13233
  }
13063
13234
  mavenWrapperCmd = resolve(join(rootPath, findMavenFile));
@@ -13447,7 +13618,7 @@ export function getPipFrozenTree(
13447
13618
  const formulationList = [];
13448
13619
  const rootList = [];
13449
13620
  const dependenciesList = [];
13450
- let result = undefined;
13621
+ let result;
13451
13622
  let frozen = true;
13452
13623
  const env = {
13453
13624
  ...process.env,
@@ -13911,7 +14082,7 @@ export function getPipTreeForPackages(
13911
14082
  const failedPkgList = [];
13912
14083
  const rootList = [];
13913
14084
  const dependenciesList = [];
13914
- let result = undefined;
14085
+ let result;
13915
14086
  const env = {
13916
14087
  ...process.env,
13917
14088
  };
@@ -14083,9 +14254,8 @@ export function parsePackageJsonName(name) {
14083
14254
  projectName: "",
14084
14255
  moduleName: "",
14085
14256
  };
14086
- const match = (typeof name === "object" ? name.name || "" : name || "").match(
14087
- nameRegExp,
14088
- );
14257
+ const safeName = name?.name ?? name ?? "";
14258
+ const match = safeName.match(nameRegExp);
14089
14259
  if (match) {
14090
14260
  returnObject.scope =
14091
14261
  (match[1] && name.includes("@") ? `@${match[1]}` : match[1]) || null;
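Review bot: The new `const safeName = name?.name ?? name ?? "";` still passes a non-string to `.match` when `name` is an object without a `name` property, because `??` only falls through on null/undefined and the object itself becomes `safeName`; the removed `name.name || ""` coerced that case to an empty string, so `safeName.match(nameRegExp)` now throws a TypeError where it previously returned the empty result. A type guard keeps the nullish-safe intent and the old coercion: `const safeName = typeof name === "string" ? name : (name?.name ?? "");`. The context line `name.includes("@")` has the same problem for object inputs and should use the normalised value, `safeName.includes("@")`. parsePackageJsonName's body continues past the hunk.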
@@ -14212,7 +14382,7 @@ export async function addEvidenceForImports(
14212
14382
  }
14213
14383
  // Capture metadata such as description from local node_modules in deep mode
14214
14384
  if (deep && !pkg.description && pkg.properties) {
14215
- let localNodeModulesPath = undefined;
14385
+ let localNodeModulesPath;
14216
14386
  for (const aprop of pkg.properties) {
14217
14387
  if (aprop.name === "LocalNodeModulesPath") {
14218
14388
  localNodeModulesPath = resolve(join(aprop.value, "package.json"));
@@ -14267,7 +14437,7 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
14267
14437
  let name = "";
14268
14438
  const group = "";
14269
14439
  const version = "";
14270
- let path = undefined;
14440
+ let path;
14271
14441
  if (l.startsWith("digraph")) {
14272
14442
  const tmpA = l.split(" ");
14273
14443
  if (tmpA && tmpA.length > 1) {
@@ -14409,7 +14579,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
14409
14579
  .filter((v) => v.length > 1);
14410
14580
  const parentName =
14411
14581
  tmpB.length > 0 ? tmpB[0].replace(":", "").trim() : "";
14412
- let parentVersion = undefined;
14582
+ let parentVersion;
14413
14583
  // In case of meson.build we can find the version number after the word version
14414
14584
  // thanks to our replaces and splits
14415
14585
  const versionIndex = tmpB.findIndex(
@@ -14666,7 +14836,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
14666
14836
  const pkgAddedMap = {};
14667
14837
  let sliceData;
14668
14838
  const epkgMap = {};
14669
- let parentComponent = undefined;
14839
+ let parentComponent;
14670
14840
  const dependsOn = new Set();
14671
14841
 
14672
14842
  (epkgList || []).forEach((p) => {
@@ -14702,8 +14872,8 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
14702
14872
  // Are there any dependencies declared in vcpkg.json
14703
14873
  if (vcPkgData.dependencies && Array.isArray(vcPkgData.dependencies)) {
14704
14874
  for (const avcdep of vcPkgData.dependencies) {
14705
- let avcpkgName = undefined;
14706
- let scope = undefined;
14875
+ let avcpkgName;
14876
+ let scope;
14707
14877
  if (typeof avcdep === "string" || avcdep instanceof String) {
14708
14878
  avcpkgName = avcdep;
14709
14879
  } else if (Object.keys(avcdep).length && avcdep.name) {
@@ -14970,7 +15140,7 @@ export function parseCUsageSlice(sliceData) {
14970
15140
  usageData[slFileName] = allLines;
14971
15141
  }
14972
15142
  }
14973
- } catch (err) {
15143
+ } catch (_err) {
14974
15144
  // ignore
14975
15145
  }
14976
15146
  return usageData;
@@ -15113,7 +15283,7 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
15113
15283
  const cdepList = [];
15114
15284
  const depRepList = {};
15115
15285
  for (const p of pkgList) {
15116
- let cacheKey = undefined;
15286
+ let cacheKey;
15117
15287
  try {
15118
15288
  // If there is a version, we can safely use the cache to retrieve the license
15119
15289
  // See: https://github.com/CycloneDX/cdxgen/issues/352
@@ -15415,7 +15585,7 @@ export function isValidIriReference(iri) {
15415
15585
  } else if (iri.toLocaleLowerCase().startsWith("http")) {
15416
15586
  try {
15417
15587
  new URL(iri);
15418
- } catch (error) {
15588
+ } catch (_error) {
15419
15589
  iriIsValid = false;
15420
15590
  }
15421
15591
  }
@@ -15569,7 +15739,7 @@ export function collectExecutables(basePath, binPaths) {
15569
15739
  ignore: ignoreList,
15570
15740
  });
15571
15741
  executables = executables.concat(files);
15572
- } catch (err) {
15742
+ } catch (_err) {
15573
15743
  // ignore
15574
15744
  }
15575
15745
  }
@@ -15628,7 +15798,7 @@ export function collectSharedLibs(
15628
15798
  ignore: ignoreList,
15629
15799
  });
15630
15800
  sharedLibs = sharedLibs.concat(files);
15631
- } catch (err) {
15801
+ } catch (_err) {
15632
15802
  // ignore
15633
15803
  }
15634
15804
  }