@cyclonedx/cdxgen 11.4.1 → 11.4.3

package/lib/helpers/utils.js

@@ -2,8 +2,8 @@ import { Buffer } from "node:buffer";
 import { spawnSync } from "node:child_process";
 import { createHash, randomUUID } from "node:crypto";
 import {
-  constants,
   chmodSync,
+  constants,
   copyFileSync,
   createReadStream,
   existsSync,
@@ -17,17 +17,18 @@ import {
 } from "node:fs";
 import { homedir, platform, tmpdir } from "node:os";
 import path, {
-  basename,
   delimiter as _delimiter,
+  sep as _sep,
+  basename,
   dirname,
   extname,
   join,
-  resolve,
   relative,
-  sep as _sep,
+  resolve,
 } from "node:path";
 import process from "node:process";
-import { URL, fileURLToPath } from "node:url";
+import { fileURLToPath, URL } from "node:url";
+
 import toml from "@iarna/toml";
 import Arborist from "@npmcli/arborist";
 import { load } from "cheerio";
@@ -50,8 +51,9 @@ import {
 import { IriValidationStrategy, validateIri } from "validate-iri";
 import { xml2js } from "xml-js";
 import { parse as _load } from "yaml";
+
 import { getTreeWithPlugin } from "../managers/piptree.js";
-import { thoughtLog } from "./logger.js";
+import { thoughtLog, traceLog } from "./logger.js";
 
 let url = import.meta?.url;
 if (url && !url.startsWith("file://")) {
@@ -113,8 +115,20 @@ export function safeMkdirSync(filePath, options) {
   return mkdirSync(filePath, options);
 }
 
+export const commandsExecuted = new Set();
+function isAllowedCommand(command) {
+  if (!process.env.CDXGEN_ALLOWED_COMMANDS) {
+    return true;
+  }
+  const allow_commands = (process.env.CDXGEN_ALLOWED_COMMANDS || "").split(",");
+  return allow_commands.includes(command.trim());
+}
+
 export function safeSpawnSync(command, args, options) {
-  if (isSecureMode && process.permission && !process.permission.has("child")) {
+  if (
+    (isSecureMode && process.permission && !process.permission.has("child")) ||
+    !isAllowedCommand(command)
+  ) {
     if (DEBUG_MODE) {
       console.log(`cdxgen lacks execute permission for ${command}`);
     }
@@ -125,6 +139,8 @@ export function safeSpawnSync(command, args, options) {
       error: new Error("No execute permission"),
     };
   }
+  traceLog("spawn", { command, args, ...options });
+  commandsExecuted.add(command);
   // Fix for DEP0190 warning
   if (options?.shell === true) {
     if (args?.length) {
@@ -646,6 +662,26 @@ function isCacheDisabled() {
 }
 
 const cache = isCacheDisabled() ? undefined : gotHttpCache;
+export const remoteHostsAccessed = new Set();
+
+function isAllowedHost(hostname) {
+  if (!process.env.CDXGEN_ALLOWED_HOSTS) {
+    return true;
+  }
+  const allow_hosts = (process.env.CDXGEN_ALLOWED_HOSTS || "").split(",");
+  for (const ahost of allow_hosts) {
+    if (!ahost.length) {
+      continue;
+    }
+    if (hostname === ahost) {
+      return true;
+    }
+    // wildcard support
+    if (ahost.startsWith("*.") && hostname.endsWith(ahost.replace("*", ""))) {
+      return true;
+    }
+  }
+}
 
 // Custom user-agent for cdxgen
 export const cdxgenAgent = got.extend({
@@ -656,6 +692,31 @@ export const cdxgenAgent = got.extend({
   retry: {
     limit: 0,
   },
+  hooks: {
+    beforeRequest: [
+      (options) => {
+        if (!isAllowedHost(options.url.hostname)) {
+          console.log(
+            `Access to the remote host '${options.url.hostname}' is not permitted.`,
+          );
+          return new AbortController().abort();
+        }
+        // Only allow https protocol in secure mode
+        if (isSecureMode && options.url.protocol !== "https:") {
+          console.log(
+            `Access to the remote host '${options.url.hostname}' is not permitted via the '${options.url.protocol}' protocol.`,
+          );
+          return new AbortController().abort();
+        }
+        remoteHostsAccessed.add(options.url.hostname);
+        traceLog("http", {
+          protocol: options.url.protocol,
+          pathname: options.url.pathname,
+          host: options.url.host,
+        });
+      },
+    ],
+  },
 });
 
 /**
@@ -1005,7 +1066,7 @@ export async function getSwiftPackageMetadata(pkgList) {
       if (p.repository.url.includes("://github.com/")) {
         try {
           p.license = await getRepoLicense(p.repository.url, undefined);
-        } catch (e) {
+        } catch (_e) {
           console.error("error fetching repo license from", p.repository.url);
         }
       } else {
@@ -1067,7 +1128,7 @@ export async function getNpmMetadata(pkgList) {
         p.homepage = { url: body.homepage };
       }
       cdepList.push(p);
-    } catch (err) {
+    } catch (_err) {
       cdepList.push(p);
       if (DEBUG_MODE) {
         console.error(p, "was not found on npm");
@@ -1147,7 +1208,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
         };
       }
       pkgList.push(apkg);
-    } catch (err) {
+    } catch (_err) {
       // continue regardless of error
     }
   }
@@ -1332,7 +1393,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
             value: "false",
           });
         }
-      } catch (err) {
+      } catch (_err) {
         // ignore
       }
       if (node?.isWorkspace) {
@@ -1615,7 +1676,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     // legacyPeerDeps=false enables npm >v3 package dependency resolution
     legacyPeerDeps: false,
   });
-  let tree = undefined;
+  let tree;
   try {
     const rootNodeModulesDir = join(path.dirname(pkgLockFile), "node_modules");
     if (safeExistsSync(rootNodeModulesDir)) {
@@ -2290,7 +2351,7 @@ export async function parsePnpmLock(
     lockfileVersion = yamlObj.lockfileVersion;
     try {
       lockfileVersion = Number.parseFloat(lockfileVersion, 10);
-    } catch (e) {
+    } catch (_e) {
       // ignore parse errors
     }
     // This logic matches the pnpm list command to include only direct dependencies
@@ -2402,8 +2463,8 @@ export async function parsePnpmLock(
           {};
         const componentPeerDeps =
           yamlObj?.importers[importedComponentName]["peerDependencies"] || {};
-        let compPurl = undefined;
-        let pkgSrcFile = undefined;
+        let compPurl;
+        let pkgSrcFile;
         let fallbackMode = true;
         if (safeExistsSync(join(importedComponentName, "package.json"))) {
           pkgSrcFile = join(importedComponentName, "package.json");
@@ -2598,7 +2659,7 @@ export async function parsePnpmLock(
         packages[fullName]?.optionalDependencies ||
         snapshots[fullName]?.optionalDependencies ||
         {};
-      const peerDeps =
+      const _peerDeps =
         packages[pkgKeys[k]]?.peerDependencies ||
         snapshots[pkgKeys[k]]?.peerDependencies ||
         packages[fullName]?.peerDependencies ||
@@ -2646,7 +2707,7 @@ export async function parsePnpmLock(
         let name = "";
         let version = "";
         let group = "";
-        let srcUrl = undefined;
+        let srcUrl;
         const hasBin = packageNode?.hasBin;
         const deprecatedMessage = packageNode?.deprecated;
         if (lockfileVersion >= 9 && fullName.includes("@")) {
@@ -3071,7 +3132,7 @@ export async function parseBowerJson(bowerJsonFile) {
           },
         },
       });
-    } catch (err) {
+    } catch (_err) {
       // continue regardless of error
     }
   }
@@ -3156,7 +3217,7 @@ export async function parseMinJs(minJsFile) {
           }
         }
       });
-    } catch (err) {
+    } catch (_err) {
       // continue regardless of error
     }
   }
@@ -3270,7 +3331,7 @@ export function parsePom(pomFile) {
     }
     for (const adep of dependencies) {
       const version = adep.version;
-      let versionStr = undefined;
+      let versionStr;
       if (version?._) {
         versionStr = version._;
       }
@@ -3327,7 +3388,7 @@ export function parseMavenTree(rawOutput, pomFile) {
   const tmpA = rawOutput.split("\n");
   let last_level = 0;
   let last_purl = "";
-  let first_ref = undefined;
+  let first_ref;
   const stack = [];
   tmpA.forEach((l) => {
     l = l.replace("\r", "");
@@ -3345,7 +3406,7 @@ export function parseMavenTree(rawOutput, pomFile) {
       // Support for classifiers
       // com.github.jnr:jffi:jar:1.3.11:compile
       // com.github.jnr:jffi:jar:native:1.3.11:runtime
-      let classifier = undefined;
+      let classifier;
       if (pkgArr && pkgArr.length > 2) {
         let versionStr = pkgArr[pkgArr.length - 2];
         const componentScope = pkgArr[pkgArr.length - 1];
@@ -3360,7 +3421,7 @@ export function parseMavenTree(rawOutput, pomFile) {
         if (!includeMavenTestScope && componentScope === "test") {
           return;
         }
-        let scope = undefined;
+        let scope;
         if (["compile", "runtime"].includes(componentScope)) {
           scope = "required";
         } else if (componentScope === "test") {
@@ -3646,8 +3707,8 @@ export async function parseGradleDep(
     let last_project_bomref = first_bomref;
     const level_trees = {};
     level_trees[last_bomref] = [];
-    let scope = undefined;
-    let profileName = undefined;
+    let scope;
+    let profileName;
     if (retMap?.projects) {
       const modulesToSkip = process.env.GRADLE_SKIP_MODULES
         ? process.env.GRADLE_SKIP_MODULES.split(",")
@@ -4530,7 +4591,7 @@ export async function fetchPomXml({ urlPrefix, group, name, version }) {
   try {
     const res = await cdxgenAgent.get(fullUrl);
     return res.body;
-  } catch (err) {
+  } catch (_err) {
     return undefined;
   }
 }
@@ -4663,12 +4724,12 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
       if (p.name.includes("[")) {
         p.name = p.name.split("[")[0];
       }
-      let res = undefined;
+      let res;
       try {
         res = await cdxgenAgent.get(`${PYPI_URL + p.name}/json`, {
           responseType: "json",
         });
-      } catch (err) {
+      } catch (_err) {
         // retry by prefixing django- to the package name
         res = await cdxgenAgent.get(`${PYPI_URL}django-${p.name}/json`, {
           responseType: "json",
@@ -4722,7 +4783,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
       }
       // Use the latest version if none specified
       if (!p.version || !p.version.trim().length) {
-        let versionSpecifiers = undefined;
+        let versionSpecifiers;
         if (p.properties?.length) {
           for (const pprop of p.properties) {
             if (pprop.name === "cdx:pypi:versionSpecifiers") {
@@ -4810,7 +4871,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
       p.purl = purlString;
       p["bom-ref"] = decodeURIComponent(purlString);
       cdepList.push(p);
-    } catch (err) {
+    } catch (_err) {
       if (DEBUG_MODE) {
         console.error(p.name, "is not found on PyPI.");
         console.log(
@@ -4897,7 +4958,7 @@ export async function parsePiplockData(lockData) {
       const depBlock = lockData[k];
       Object.keys(depBlock).forEach((p) => {
         const pkg = depBlock[p];
-        if (Object.prototype.hasOwnProperty.call(pkg, "version")) {
+        if (Object.hasOwn(pkg, "version")) {
           const versionStr = pkg.version.replace("==", "");
           pkgList.push({ name: p, version: versionStr });
         }
@@ -5557,7 +5618,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
  */
 export async function parseReqFile(reqData, fetchDepsInfo) {
   const pkgList = [];
-  let compScope = undefined;
+  let compScope;
   reqData
     .replace(/\r/g, "")
     .replace(/ [\\]\n/g, "")
@@ -5565,7 +5626,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
     .split("\n")
     .forEach((l) => {
       l = l.trim();
-      let markers = undefined;
+      let markers;
       if (l.includes(" ; ")) {
         const tmpA = l.split(" ; ");
         if (tmpA && tmpA.length === 2) {
@@ -6235,7 +6296,7 @@ export async function getGoPkgLicense(repoMetadata) {
       metadata_cache[pkgUrl] = licList;
       return licList;
     }
-  } catch (err) {
+  } catch (_err) {
     return undefined;
   }
   if (group.indexOf("github.com") > -1) {
@@ -6267,14 +6328,14 @@ async function getGoPkgVCSUrl(group, name) {
       metadata_cache[pkgUrl] = vcs;
       return vcs;
     }
-  } catch (err) {
+  } catch (_err) {
     return undefined;
   }
   return undefined;
 }
 
 export async function getGoPkgComponent(group, name, version, hash) {
-  let license = undefined;
+  let license;
   if (shouldFetchLicense()) {
     if (DEBUG_MODE) {
       console.log(
@@ -6290,7 +6351,7 @@ export async function getGoPkgComponent(group, name, version, hash) {
   const purlString = new PackageURL("golang", group, name, version)
     .toString()
     .replace(/%2F/g, "/");
-  let vcs = undefined;
+  let vcs;
   if (shouldFetchVCS()) {
     vcs = await getGoPkgVCSUrl(group, name);
   }
@@ -6772,13 +6833,14 @@ export async function parseGoModGraph(
 }
 
 /**
- * Parse go mod why output
+ * Parse go mod why output.
+ *
  * @param {string} rawOutput Output from go mod why
- * @returns package name or none
+ * @returns {string|undefined} package name or none
  */
 export function parseGoModWhy(rawOutput) {
   if (typeof rawOutput === "string") {
-    let pkg_name = undefined;
+    let pkg_name;
     const lines = rawOutput.split("\n");
     lines.forEach((l) => {
       if (l && !l.startsWith("#") && !l.startsWith("(")) {
@@ -6836,7 +6898,7 @@ export async function parseGopkgData(gopkgData) {
       const tmpA = l.split("=");
       key = tmpA[0].trim();
       value = tmpA[1].trim().replace(/"/g, "");
-      let digestStr = undefined;
+      let digestStr;
       switch (key) {
         case "digest":
           digestStr = value.replace("1:", "");
@@ -7298,7 +7360,7 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
               pkg[aprop] = apropList.split(",");
             }
           }
-        } catch (err) {
+        } catch (_err) {
           const alist = l
             .replace(/[[\]'"]/g, "")
             .replaceAll("%w", "")
@@ -7325,7 +7387,7 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
             value: exeList.join(", "),
           });
         }
-      } catch (err) {
+      } catch (_err) {
         // pass
       }
     }
@@ -7447,12 +7509,12 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
     }
   });
   specsFound = false;
-  let lastParent = undefined;
-  let lastRemote = undefined;
-  let lastRevision = undefined;
-  let lastBranch = undefined;
-  let lastTag = undefined;
-  let lastParentPlatform = undefined;
+  let lastParent;
+  let lastRemote;
+  let lastRevision;
+  let lastBranch;
+  let lastTag;
+  let lastParentPlatform;
   // Dependencies block would begin with DEPENDENCIES
   let dependenciesBlock = false;
   const rootList = [];
@@ -7630,6 +7692,59 @@ export async function parseGemfileLockData(gemLockData, lockFile) {
       const rootDepName = l.trim().split(" ")[0].replace("!", "");
       if (pkgNameRef[rootDepName]) {
         rootList.push(pkgNameRef[rootDepName]);
+      } else {
+        // We are dealing with an optional platform-dependent import
+        // create a placeholder component to track this
+        let specifier;
+        if (l.includes("(")) {
+          specifier = l.trim().split(" (").pop().replace(")", "").trim();
+        }
+        const untrackedPurl = new PackageURL(
+          "gem",
+          "",
+          rootDepName,
+          null,
+          null,
+          null,
+        ).toString();
+        const untrackedBomRef = decodeURIComponent(untrackedPurl);
+        const untrackedProps = [
+          {
+            name: "SrcFile",
+            value: lockFile,
+          },
+        ];
+        if (specifier) {
+          untrackedProps.push({
+            name: "cdx:gem:versionSpecifiers",
+            value: specifier,
+          });
+        }
+        const untrackedRootDep = {
+          name: rootDepName,
+          version: undefined,
+          purl: untrackedPurl,
+          "bom-ref": untrackedBomRef,
+          properties: untrackedProps,
+          evidence: {
+            identity: {
+              field: "purl",
+              confidence: 0.3,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 0.3,
+                  value: lockFile,
+                },
+              ],
+            },
+          },
+        };
+        pkgnames[untrackedPurl] = true;
+        pkgNameRef[rootDepName] = untrackedBomRef;
+        pkgList.push(untrackedRootDep);
+        rootList.push(untrackedBomRef);
+        dependenciesMap[untrackedBomRef] = new Set();
       }
     }
   });
@@ -7715,7 +7830,7 @@ export async function getCratesMetadata(pkgList) {
         });
       }
       cdepList.push(p);
-    } catch (err) {
+    } catch (_err) {
       cdepList.push(p);
     }
   }
@@ -7769,7 +7884,7 @@ export async function getDartMetadata(pkgList) {
         }
         cdepList.push(p);
       }
-    } catch (err) {
+    } catch (_err) {
       cdepList.push(p);
     }
   }
@@ -8290,10 +8405,10 @@ export async function parsePubLockData(pubLockData, lockFile) {
 
 export function parsePubYamlData(pubYamlData) {
   const pkgList = [];
-  let yamlObj = undefined;
+  let yamlObj;
   try {
     yamlObj = _load(pubYamlData);
-  } catch (err) {
+  } catch (_err) {
     // continue regardless of error
   }
   if (!yamlObj) {
@@ -8316,10 +8431,10 @@ export function parsePubYamlData(pubYamlData) {
 
 export function parseHelmYamlData(helmData) {
   const pkgList = [];
-  let yamlObj = undefined;
+  let yamlObj;
   try {
     yamlObj = _load(helmData);
-  } catch (err) {
+  } catch (_err) {
     // continue regardless of error
   }
   if (!yamlObj) {
@@ -8603,10 +8718,10 @@ export function parseContainerSpecData(dcData) {
     dcDataList = dcData.split("---");
   }
   for (const dcData of dcDataList) {
-    let yamlObj = undefined;
+    let yamlObj;
     try {
       yamlObj = _load(dcData);
-    } catch (err) {
+    } catch (_err) {
       // ignore errors
     }
     if (!yamlObj) {
@@ -8777,7 +8892,7 @@ export function parseOpenapiSpecData(oaData) {
     } else {
       oaData = JSON.parse(oaData);
     }
-  } catch (e) {
+  } catch (_e) {
     return servlist;
   }
 
@@ -9292,7 +9407,7 @@ export async function parseNupkg(nupkgFile) {
 export function parseNuspecData(nupkgFile, nuspecData) {
   const pkgList = [];
   const pkg = { group: "" };
-  let npkg = undefined;
+  let npkg;
   const dependenciesMap = {};
   const addedMap = {};
   try {
@@ -9304,7 +9419,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
       attributesKey: "$",
       commentKey: "value",
     }).package;
-  } catch (e) {
+  } catch (_e) {
     // If we are parsing with invalid encoding, unicode replacement character is used
     if (nuspecData.charCodeAt(0) === 65533) {
       console.log(`Unable to parse ${nupkgFile} in utf-8 mode`);
@@ -9371,7 +9486,7 @@ export function parseNuspecData(nupkgFile, nuspecData) {
     }
     const dependsOn = [];
     for (const agroup of dependencyGroups) {
-      let targetFramework = undefined;
+      let targetFramework;
       if (agroup?.$?.targetFramework) {
         targetFramework = agroup.$.targetFramework;
       }
@@ -9518,7 +9633,7 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
     csProjData = csProjData.slice(1);
   }
   const projectTargetFrameworks = [];
-  let projects = undefined;
+  let projects;
   try {
     projects = xml2js(csProjData, {
       compact: true,
@@ -9528,7 +9643,7 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
       attributesKey: "$",
       commentKey: "value",
     }).Project;
-  } catch (e) {
+  } catch (_e) {
     console.log(`Unable to parse ${projFile} with utf-8 encoding!`);
   }
   if (!projects || projects.length === 0) {
@@ -10391,7 +10506,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
     let lockData = {};
     try {
       lockData = JSON.parse(readFileSync(pkgLockFile, { encoding: "utf-8" }));
-    } catch (e) {
+    } catch (_e) {
       console.error("Invalid composer.lock file:", pkgLockFile);
       return [];
     }
@@ -10675,7 +10790,7 @@ export function parseSbtLock(pkgLockFile) {
         if (artifacts?.length) {
           integrity = artifacts[0].hash.replace("sha1:", "sha1-");
         }
-        let compScope = undefined;
+        let compScope;
         if (pkg.configurations) {
           if (pkg.configurations.includes("runtime")) {
             compScope = "required";
@@ -10852,7 +10967,7 @@ export function convertOSQueryResults(
       if (publisher === "null") {
         publisher = "";
       }
-      let scope = undefined;
+      let scope;
       const compScope = res.priority;
       if (["required", "optional", "excluded"].includes(compScope)) {
         scope = compScope;
@@ -10872,7 +10987,7 @@ export function convertOSQueryResults(
       if (!name && results.length === 1 && queryObj.name) {
         name = queryObj.name;
       }
-      let qualifiers = undefined;
+      let qualifiers;
       if (res.identifying_number?.length) {
         qualifiers = {
           tag_id: res.identifying_number.replace("{", "").replace("}", ""),
@@ -10898,7 +11013,7 @@ export function convertOSQueryResults(
           subpath,
         ).toString();
         const props = [{ name: "cdx:osquery:category", value: queryCategory }];
-        let providesList = undefined;
+        let providesList;
         if (enhance) {
           switch (queryObj.purlType) {
             case "deb":
@@ -11166,7 +11281,7 @@ export function parseSwiftResolved(resolvedFile) {
         }
         pkgList.push(rootPkg);
       }
-    } catch (err) {
+    } catch (_err) {
       // continue regardless of error
     }
   }
@@ -11304,8 +11419,8 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
       let pomname =
         pomPathMap[basename(jf).replace(".jar", ".pom")] ||
         jf.replace(".jar", ".pom");
-      let pomData = undefined;
-      let purl = undefined;
+      let pomData;
+      let purl;
       // In some cases, the pom name might be slightly different to the jar name
       if (!safeExistsSync(pomname)) {
         let searchDir = dirname(jf);
@@ -11429,7 +11544,7 @@ export async function collectJarNS(jarPath, pomPathMap = {}) {
             { alg: "SHA-256", content: hashValues["sha256"] },
             { alg: "SHA-512", content: hashValues["sha512"] },
           ];
-        } catch (e) {
+        } catch (_e) {
           // ignore
         }
         jarNSMapping[purl || jf] = {
@@ -11462,10 +11577,10 @@ export async function convertJarNSToPackages(jarNSMapping) {
     if (!pom) {
       pom = {};
     }
-    let purlObj = undefined;
+    let purlObj;
     try {
       purlObj = PackageURL.fromString(purl);
-    } catch (e) {
+    } catch (_e) {
       // ignore
       purlObj = {};
     }
@@ -11674,7 +11789,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
   const pkgList = [];
   let jarFiles = [];
   const fname = basename(jarFile);
-  let pomname = undefined;
+  let pomname;
   // If there is a pom file in the same directory, try to use it
   const manifestname = join(dirname(jarFile), "META-INF", "MANIFEST.MF");
   // Issue 439: Current implementation checks for existance of a .pom file, but .pom file is not used.
@@ -11775,7 +11890,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
           await zip.extract(null, tempDir);
           await zip.close();
           jarResult = { status: 0 };
-        } catch (e) {
+        } catch (_e) {
           if (DEBUG_MODE) {
             console.log(`Unable to extract ${jf}. Skipping.`);
           }
@@ -11973,7 +12088,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
             force: true,
           });
         }
-      } catch (err) {
+      } catch (_err) {
         // ignore cleanup errors
       }
     } // for
@@ -12092,7 +12207,7 @@ export async function readZipEntry(
   filePattern,
   contentEncoding = "utf-8",
 ) {
-  let retData = undefined;
+  let retData;
   try {
     const zip = new StreamZip.async({ file: zipFile });
     const entriesCount = await zip.entriesCount;
@@ -12216,7 +12331,7 @@ export function getGradleCommand(srcPath, rootPath) {
     // Enable execute permission
     try {
       chmodSync(join(srcPath, findGradleFile), 0o775);
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
     gradleCmd = resolve(join(srcPath, findGradleFile));
@@ -12224,7 +12339,7 @@ export function getGradleCommand(srcPath, rootPath) {
     // Check if the root directory has a wrapper script
     try {
       chmodSync(join(rootPath, findGradleFile), 0o775);
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
     gradleCmd = resolve(join(rootPath, findGradleFile));
@@ -12248,7 +12363,7 @@ export function getMillCommand(srcPath) {
     // Enable execute permission
     try {
       chmodSync(join(srcPath, millCmd), 0o775);
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
     millCmd = resolve(join(srcPath, millCmd));
@@ -12751,13 +12866,13 @@ async function fullScanCocoaPod(dependency, component, options) {
               podspecLocation.replace("<DEFAULT>", branchName),
             );
             podspecLocation = podspecLocation.replace("<DEFAULT>", branchName);
-          } catch (err) {
+          } catch (_err) {
             try {
               httpResult = await cdxgenAgent.get(
                 `${podspecLocation.replace("<DEFAULT>", branchName)}.json`,
               );
               podspecLocation = `${podspecLocation.replace("<DEFAULT>", branchName)}.json`;
-            } catch (err) {
+            } catch (_err) {
               continue;
             }
           }
@@ -12837,7 +12952,7 @@ async function fullScanCocoaPod(dependency, component, options) {
         podspecText.lastIndexOf("}") + 1,
       ),
     );
-  } catch (e) {
+  } catch (_e) {
     return;
   }
   const externalRefs = [];
@@ -13104,7 +13219,7 @@ export function getMavenCommand(srcPath, rootPath) {
     // Enable execute permission
     try {
       chmodSync(join(srcPath, findMavenFile), 0o775);
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
     mavenWrapperCmd = resolve(join(srcPath, findMavenFile));
@@ -13113,7 +13228,7 @@ export function getMavenCommand(srcPath, rootPath) {
     // Check if the root directory has a wrapper script
     try {
       chmodSync(join(rootPath, findMavenFile), 0o775);
-    } catch (e) {
+    } catch (_e) {
       // continue regardless of error
     }
     mavenWrapperCmd = resolve(join(rootPath, findMavenFile));
@@ -13503,7 +13618,7 @@ export function getPipFrozenTree(
   const formulationList = [];
   const rootList = [];
   const dependenciesList = [];
-  let result = undefined;
+  let result;
   let frozen = true;
   const env = {
     ...process.env,
@@ -13967,7 +14082,7 @@ export function getPipTreeForPackages(
   const failedPkgList = [];
   const rootList = [];
   const dependenciesList = [];
-  let result = undefined;
+  let result;
   const env = {
     ...process.env,
   };
@@ -14139,9 +14254,8 @@ export function parsePackageJsonName(name) {
     projectName: "",
     moduleName: "",
   };
-  const match = (typeof name === "object" ? name.name || "" : name || "").match(
-    nameRegExp,
-  );
+  const safeName = name?.name ?? name ?? "";
+  const match = safeName.match(nameRegExp);
   if (match) {
     returnObject.scope =
       (match[1] && name.includes("@") ? `@${match[1]}` : match[1]) || null;
@@ -14268,7 +14382,7 @@ export async function addEvidenceForImports(
       }
       // Capture metadata such as description from local node_modules in deep mode
       if (deep && !pkg.description && pkg.properties) {
-        let localNodeModulesPath = undefined;
+        let localNodeModulesPath;
         for (const aprop of pkg.properties) {
           if (aprop.name === "LocalNodeModulesPath") {
             localNodeModulesPath = resolve(join(aprop.value, "package.json"));
@@ -14323,7 +14437,7 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
     let name = "";
     const group = "";
     const version = "";
-    let path = undefined;
+    let path;
     if (l.startsWith("digraph")) {
       const tmpA = l.split(" ");
       if (tmpA && tmpA.length > 1) {
@@ -14465,7 +14579,7 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
           .filter((v) => v.length > 1);
         const parentName =
           tmpB.length > 0 ? tmpB[0].replace(":", "").trim() : "";
-        let parentVersion = undefined;
+        let parentVersion;
         // In case of meson.build we can find the version number after the word version
         // thanks to our replaces and splits
         const versionIndex = tmpB.findIndex(
@@ -14722,7 +14836,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
   const pkgAddedMap = {};
   let sliceData;
   const epkgMap = {};
-  let parentComponent = undefined;
+  let parentComponent;
   const dependsOn = new Set();
 
   (epkgList || []).forEach((p) => {
@@ -14758,8 +14872,8 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
       // Are there any dependencies declared in vcpkg.json
       if (vcPkgData.dependencies && Array.isArray(vcPkgData.dependencies)) {
         for (const avcdep of vcPkgData.dependencies) {
-          let avcpkgName = undefined;
-          let scope = undefined;
+          let avcpkgName;
+          let scope;
           if (typeof avcdep === "string" || avcdep instanceof String) {
             avcpkgName = avcdep;
           } else if (Object.keys(avcdep).length && avcdep.name) {
@@ -15026,7 +15140,7 @@ export function parseCUsageSlice(sliceData) {
         usageData[slFileName] = allLines;
       }
     }
-  } catch (err) {
+  } catch (_err) {
     // ignore
   }
   return usageData;
@@ -15169,7 +15283,7 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
   const cdepList = [];
   const depRepList = {};
   for (const p of pkgList) {
-    let cacheKey = undefined;
+    let cacheKey;
     try {
       // If there is a version, we can safely use the cache to retrieve the license
       // See: https://github.com/CycloneDX/cdxgen/issues/352
@@ -15471,7 +15585,7 @@ export function isValidIriReference(iri) {
   } else if (iri.toLocaleLowerCase().startsWith("http")) {
     try {
       new URL(iri);
-    } catch (error) {
+    } catch (_error) {
       iriIsValid = false;
     }
   }
@@ -15625,7 +15739,7 @@ export function collectExecutables(basePath, binPaths) {
         ignore: ignoreList,
       });
       executables = executables.concat(files);
-    } catch (err) {
+    } catch (_err) {
       // ignore
     }
   }
@@ -15684,7 +15798,7 @@ export function collectSharedLibs(
         ignore: ignoreList,
       });
       sharedLibs = sharedLibs.concat(files);
-    } catch (err) {
+    } catch (_err) {
       // ignore
     }
   }