@cyclonedx/cdxgen 11.4.4 → 11.5.0

package/lib/helpers/utils.test.js

@@ -1,5 +1,5 @@
 import { Buffer } from "node:buffer";
-import { readFileSync } from "node:fs";
+import { existsSync, readFileSync } from "node:fs";
 import path from "node:path";
 
 import { afterAll, beforeAll, describe, expect, test } from "@jest/globals";
@@ -11,6 +11,7 @@ import {
   buildObjectForGradleModule,
   encodeForPurl,
   findLicenseId,
+  findPnpmPackagePath,
   getCratesMetadata,
   getDartMetadata,
   getLicenses,
@@ -39,6 +40,7 @@ import {
   parseCmakeDotFile,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseComposerJson,
   parseComposerLock,
   parseConanData,
   parseConanLockData,
@@ -49,6 +51,8 @@ import {
   parseCsProjAssetsData,
   parseCsProjData,
   parseEdnData,
+  parseFlakeLock,
+  parseFlakeNix,
   parseGemfileLockData,
   parseGemspecData,
   parseGitHubWorkflowData,
@@ -98,6 +102,7 @@ import {
   parseSwiftJsonTree,
   parseSwiftResolved,
   parseYarnLock,
+  pnpmMetadata,
   readZipEntry,
   splitOutputByGradleProjects,
   toGemModuleNames,
@@ -1634,6 +1639,64 @@ test("parse go mod why dependencies", () => {
   expect(pkg_name).toBeUndefined();
 });
 
+test("multimodule go.mod file ordering", async () => {
+  // Test that simulates the file ordering logic from createGoBom
+  const mockPath = "/workspace/project";
+  const mockGomodFiles = [
+    "/workspace/project/deep/nested/go.mod",
+    "/workspace/project/go.mod",
+    "/workspace/project/submodule/go.mod",
+  ];
+
+  // Sort files by depth (shallowest first) - this is the fix we implemented
+  const sortedFiles = mockGomodFiles.sort((a, b) => {
+    const relativePathA = a.replace(`${mockPath}/`, "");
+    const relativePathB = b.replace(`${mockPath}/`, "");
+    const depthA = relativePathA.split("/").length;
+    const depthB = relativePathB.split("/").length;
+    return depthA - depthB;
+  });
+
+  // The root go.mod should be first (shallowest)
+  expect(sortedFiles[0]).toEqual("/workspace/project/go.mod");
+  expect(sortedFiles[1]).toEqual("/workspace/project/submodule/go.mod");
+  expect(sortedFiles[2]).toEqual("/workspace/project/deep/nested/go.mod");
+});
+
+test("parseGoModData for multiple modules with root priority", async () => {
+  // Test parsing multiple go.mod files to ensure proper component hierarchy
+  const rootModData = readFileSync("./test/data/multimodule-root.mod", {
+    encoding: "utf-8",
+  });
+  const subModData = readFileSync("./test/data/multimodule-sub.mod", {
+    encoding: "utf-8",
+  });
+  const deepModData = readFileSync("./test/data/multimodule-deep.mod", {
+    encoding: "utf-8",
+  });
+
+  const rootResult = await parseGoModData(rootModData, {});
+  const subResult = await parseGoModData(subModData, {});
+  const deepResult = await parseGoModData(deepModData, {});
+
+  // Root module should be identified correctly
+  expect(rootResult.parentComponent.name).toEqual(
+    "github.com/example/root-project",
+  );
+  expect(rootResult.parentComponent.type).toEqual("application");
+
+  // Sub modules should also be parsed correctly
+  expect(subResult.parentComponent.name).toEqual(
+    "github.com/example/root-project/submodule",
+  );
+  expect(deepResult.parentComponent.name).toEqual(
+    "github.com/example/root-project/deep/nested",
+  );
+
+  // In the fixed logic, the root should take priority over sub-modules
+  // This test verifies the parsing works correctly for each individual module
+}, 10000);
+
 test("parseGopkgData", async () => {
   let dep_list = await parseGopkgData(null);
   expect(dep_list).toEqual([]);
@@ -2197,7 +2260,7 @@ test("parse cabal freeze", () => {
 test("parse conan data", () => {
   expect(parseConanLockData(null)).toEqual([]);
   let dep_list = parseConanLockData(
-    readFileSync("./test/data/conan.lock", { encoding: "utf-8" }),
+    readFileSync("./test/data/conan-v1.lock", { encoding: "utf-8" }),
   );
   expect(dep_list.length).toEqual(3);
   expect(dep_list[0]).toEqual({
@@ -2206,6 +2269,16 @@ test("parse conan data", () => {
     "bom-ref": "pkg:conan/zstd@1.4.4",
     purl: "pkg:conan/zstd@1.4.4",
   });
+  dep_list = parseConanLockData(
+    readFileSync("./test/data/conan-v2.lock", { encoding: "utf-8" }),
+  );
+  expect(dep_list.length).toEqual(2);
+  expect(dep_list[0]).toEqual({
+    name: "opensta",
+    version: "4.0.0",
+    "bom-ref": "pkg:conan/opensta@4.0.0?rrev=765a7eed989e624c762a73291d712b14",
+    purl: "pkg:conan/opensta@4.0.0?rrev=765a7eed989e624c762a73291d712b14",
+  });
   dep_list = parseConanData(
     readFileSync("./test/data/conanfile.txt", { encoding: "utf-8" }),
   );
@@ -3844,6 +3917,149 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList.length).toEqual(1189);
 });
 
+test("findPnpmPackagePath", () => {
+  // Test with non-existent base directory
+  expect(
+    findPnpmPackagePath("/nonexistent", "test-package", "1.0.0"),
+  ).toBeNull();
+
+  // Test with null/undefined inputs
+  expect(findPnpmPackagePath(null, "test-package", "1.0.0")).toBeNull();
+  expect(findPnpmPackagePath("/tmp", null, "1.0.0")).toBeNull();
+  expect(findPnpmPackagePath("/tmp", "", "1.0.0")).toBeNull();
+
+  // Test with actual cdxgen project structure - should find packages in node_modules
+  const packagePath = findPnpmPackagePath(".", "chalk", "4.1.2");
+  if (packagePath) {
+    expect(packagePath).toMatch(/node_modules.*chalk/);
+    // Verify package.json exists at the found path
+    expect(existsSync(path.join(packagePath, "package.json"))).toBe(true);
+  }
+
+  // Test with scoped package
+  const scopedPackagePath = findPnpmPackagePath(".", "@babel/core", "7.22.5");
+  if (scopedPackagePath) {
+    expect(scopedPackagePath).toMatch(/node_modules.*@babel.*core/);
+  }
+});
+
+test("pnpmMetadata enhancement", async () => {
+  // Test with empty/null inputs
+  expect(await pnpmMetadata([], "./pnpm-lock.yaml")).toEqual([]);
+  expect(await pnpmMetadata(null, "./pnpm-lock.yaml")).toEqual(null);
+  expect(await pnpmMetadata(undefined, "./pnpm-lock.yaml")).toEqual(undefined);
+
+  // Test with non-existent lockfile path
+  const mockPkgList = [
+    {
+      name: "test-package",
+      version: "1.0.0",
+      properties: [],
+    },
+  ];
+  const result = await pnpmMetadata(mockPkgList, "/nonexistent/pnpm-lock.yaml");
+  expect(result).toEqual(mockPkgList);
+  expect(result[0].description).toBeUndefined();
+
+  // Test with actual project that has node_modules
+  const testPkgList = [
+    {
+      name: "chalk",
+      version: "4.1.2",
+      properties: [],
+    },
+    {
+      name: "nonexistent-package",
+      version: "1.0.0",
+      properties: [],
+    },
+  ];
+
+  const enhancedResult = await pnpmMetadata(testPkgList, "./pnpm-lock.yaml");
+
+  const chalkPkg = enhancedResult.find((p) => p.name === "chalk");
+  if (chalkPkg) {
+    const localPath = chalkPkg.properties?.find(
+      (p) => p.name === "LocalNodeModulesPath",
+    );
+    if (localPath) {
+      expect(localPath.value).toMatch(/node_modules.*chalk/);
+      expect(chalkPkg.description).toBeDefined();
+      expect(chalkPkg.license).toBeDefined();
+    }
+  }
+
+  // Non-existent package should remain unchanged
+  const nonExistentPkg = enhancedResult.find(
+    (p) => p.name === "nonexistent-package",
+  );
+  expect(nonExistentPkg.description).toBeUndefined();
+  expect(
+    nonExistentPkg.properties.find((p) => p.name === "LocalNodeModulesPath"),
+  ).toBeUndefined();
+});
+
+test("pnpmMetadata preserves existing metadata", async () => {
+  const testPkgList = [
+    {
+      name: "test-package",
+      version: "1.0.0",
+      description: "Existing description",
+      author: "Existing author",
+      license: "Existing license",
+      properties: [],
+    },
+  ];
+
+  const result = await pnpmMetadata(testPkgList, "./pnpm-lock.yaml");
+
+  // Should preserve existing metadata
+  expect(result[0].description).toBe("Existing description");
+  expect(result[0].author).toBe("Existing author");
+  expect(result[0].license).toBe("Existing license");
+});
+
+test("pnpmMetadata with scoped packages", async () => {
+  const testPkgList = [
+    {
+      name: "@babel/core",
+      version: "7.22.5",
+      properties: [],
+    },
+  ];
+
+  const result = await pnpmMetadata(testPkgList, "./pnpm-lock.yaml");
+
+  // Check if scoped package was processed
+  const babelPkg = result.find((p) => p.name === "@babel/core");
+  expect(babelPkg).toBeDefined();
+  expect(babelPkg.name).toBe("@babel/core");
+});
+
+test("pnpmMetadata integration with parsePnpmLock", async () => {
+  // Test that the integration works by parsing a real pnpm lock file
+  const parsedList = await parsePnpmLock("./pnpm-lock.yaml");
+
+  // Check that some packages have been enhanced with LocalNodeModulesPath
+  const enhancedPackages = parsedList.pkgList.filter((pkg) =>
+    pkg.properties?.some((p) => p.name === "LocalNodeModulesPath"),
+  );
+
+  if (enhancedPackages.length > 0) {
+    expect(enhancedPackages.length).toBeGreaterThan(0);
+
+    const examplePkg = enhancedPackages[0];
+    expect(
+      examplePkg.properties.find((p) => p.name === "LocalNodeModulesPath"),
+    ).toBeDefined();
+
+    const packagesWithMetadata = enhancedPackages.filter(
+      (pkg) => pkg.description || pkg.license || pkg.author,
+    );
+    expect(packagesWithMetadata.length).toBeGreaterThan(0);
+  }
+});
+
 test("parseYarnLock", async () => {
   let identMap = yarnLockToIdentMap(readFileSync("./test/yarn.lock", "utf8"));
   expect(Object.keys(identMap).length).toEqual(62);
@@ -4466,6 +4682,14 @@ test("parseComposerLock", () => {
   });
 });
 
+test("parseComposerJson", () => {
+  let retMap = parseComposerJson("./test/data/composer.json");
+  expect(Object.keys(retMap.rootRequires).length).toEqual(1);
+
+  retMap = parseComposerJson("./test/data/composer-2.json");
+  expect(Object.keys(retMap.rootRequires).length).toEqual(31);
+});
+
 test("parseGemfileLockData", async () => {
   let retMap = await parseGemfileLockData(
     readFileSync("./test/data/Gemfile.lock", { encoding: "utf-8" }),
@@ -4780,37 +5004,58 @@ test("parseGemspecData", async () => {
 });
 
 test("parse requirements.txt", async () => {
-  let deps = await parseReqFile(
-    readFileSync("./test/data/requirements.comments.txt", {
-      encoding: "utf-8",
-    }),
-    false,
-  );
+  let deps = await parseReqFile("./test/data/requirements.comments.txt", false);
   expect(deps.length).toEqual(31);
-  deps = await parseReqFile(
-    readFileSync("./test/data/requirements.freeze.txt", {
-      encoding: "utf-8",
-    }),
-    false,
-  );
+  deps = await parseReqFile("./test/data/requirements.freeze.txt", false);
   expect(deps.length).toEqual(113);
   expect(deps[0]).toEqual({
     name: "elasticsearch",
     version: "8.6.2",
     scope: "required",
+    properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/requirements.freeze.txt",
+      },
+    ],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: "./test/data/requirements.freeze.txt",
+          },
+        ],
+      },
+    },
   });
-  deps = await parseReqFile(
-    readFileSync("./test/data/chen-science-requirements.txt", {
-      encoding: "utf-8",
-    }),
-    false,
-  );
+  deps = await parseReqFile("./test/data/chen-science-requirements.txt", false);
   expect(deps.length).toEqual(87);
   expect(deps[0]).toEqual({
     name: "aiofiles",
     version: "23.2.1",
     scope: undefined,
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: "./test/data/chen-science-requirements.txt",
+          },
+        ],
+      },
+    },
     properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/chen-science-requirements.txt",
+      },
       {
         name: "cdx:pip:markers",
         value:
@@ -4819,9 +5064,7 @@ test("parse requirements.txt", async () => {
     ],
   });
   deps = await parseReqFile(
-    readFileSync("./test/data/requirements-lock.linux_py3.txt", {
-      encoding: "utf-8",
-    }),
+    "./test/data/requirements-lock.linux_py3.txt",
     false,
   );
   expect(deps.length).toEqual(375);
@@ -4829,11 +5072,49 @@ test("parse requirements.txt", async () => {
     name: "adal",
     scope: undefined,
     version: "1.2.2",
+    properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/requirements-lock.linux_py3.txt",
+      },
+    ],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: "./test/data/requirements-lock.linux_py3.txt",
+          },
+        ],
+      },
+    },
   });
   expect(deps[deps.length - 1]).toEqual({
     name: "zipp",
     scope: undefined,
     version: "0.6.0",
+    properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/requirements-lock.linux_py3.txt",
+      },
+    ],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: "./test/data/requirements-lock.linux_py3.txt",
+          },
+        ],
+      },
+    },
   });
 });
 
@@ -6266,3 +6547,143 @@ test("parseMillDependency test", () => {
   expect(dependencies.size).toEqual(15);
   expect(relations.size).toEqual(15);
 });
+
+test("parse flake.nix file", () => {
+  const result = parseFlakeNix("./test/data/test-flake.nix");
+  expect(result.pkgList).toBeDefined();
+  expect(result.dependencies).toBeDefined();
+  expect(result.pkgList.length).toEqual(3);
+
+  // Check nixpkgs input
+  const nixpkgs = result.pkgList.find((pkg) => pkg.name === "nixpkgs");
+  expect(nixpkgs).toBeDefined();
+  expect(nixpkgs.version).toEqual("latest");
+  expect(nixpkgs.purl).toEqual("pkg:nix/nixpkgs@latest");
+  expect(nixpkgs["bom-ref"]).toEqual("pkg:nix/nixpkgs@latest");
+  expect(nixpkgs.scope).toEqual("required");
+  expect(nixpkgs.description).toEqual("Nix flake input: nixpkgs");
+  expect(nixpkgs.properties).toBeDefined();
+
+  // Check properties
+  const srcFileProperty = nixpkgs.properties.find((p) => p.name === "SrcFile");
+  expect(srcFileProperty.value).toEqual("./test/data/test-flake.nix");
+
+  const urlProperty = nixpkgs.properties.find(
+    (p) => p.name === "cdx:nix:input_url",
+  );
+  expect(urlProperty.value).toEqual("github:NixOS/nixpkgs/release-23.11");
+
+  // Check flake-utils input
+  const flakeUtils = result.pkgList.find((pkg) => pkg.name === "flake-utils");
+  expect(flakeUtils).toBeDefined();
+  expect(flakeUtils.version).toEqual("latest");
+
+  // Check rust-overlay input
+  const rustOverlay = result.pkgList.find((pkg) => pkg.name === "rust-overlay");
+  expect(rustOverlay).toBeDefined();
+  expect(rustOverlay.version).toEqual("latest");
+
+  const rustOverlayUrlProperty = rustOverlay.properties.find(
+    (p) => p.name === "cdx:nix:input_url",
+  );
+  expect(rustOverlayUrlProperty.value).toEqual("github:oxalica/rust-overlay");
+
+  // Check evidence
+  expect(nixpkgs.evidence).toBeDefined();
+  expect(nixpkgs.evidence.identity.field).toEqual("purl");
+  expect(nixpkgs.evidence.identity.confidence).toEqual(0.8);
+  expect(nixpkgs.evidence.identity.methods[0].technique).toEqual(
+    "manifest-analysis",
+  );
+});
+
+test("parse flake.lock file", () => {
+  const result = parseFlakeLock("./test/data/test-flake.lock");
+  expect(result.pkgList).toBeDefined();
+  expect(result.dependencies).toBeDefined();
+  expect(result.pkgList.length).toEqual(4);
+
+  // Check nixpkgs package
+  const nixpkgs = result.pkgList.find((pkg) => pkg.name === "nixpkgs");
+  expect(nixpkgs).toBeDefined();
+  expect(nixpkgs.version).toEqual("bd645e8"); // Short commit hash
+  expect(nixpkgs.purl).toEqual("pkg:nix/nixpkgs@bd645e8");
+  expect(nixpkgs["bom-ref"]).toEqual("pkg:nix/nixpkgs@bd645e8");
+  expect(nixpkgs.scope).toEqual("required");
+  expect(nixpkgs.description).toEqual("Nix flake dependency: nixpkgs");
+
+  // Check properties for nixpkgs
+  const nixpkgsProperties = nixpkgs.properties;
+  expect(nixpkgsProperties).toBeDefined();
+
+  const srcFileProperty = nixpkgsProperties.find((p) => p.name === "SrcFile");
+  expect(srcFileProperty.value).toEqual("./test/data/test-flake.lock");
+
+  const narHashProperty = nixpkgsProperties.find(
+    (p) => p.name === "cdx:nix:nar_hash",
+  );
+  expect(narHashProperty.value).toEqual(
+    "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
+  );
+
+  const lastModifiedProperty = nixpkgsProperties.find(
+    (p) => p.name === "cdx:nix:last_modified",
+  );
+  expect(lastModifiedProperty.value).toEqual("1704194953");
+
+  const revisionProperty = nixpkgsProperties.find(
+    (p) => p.name === "cdx:nix:revision",
+  );
+  expect(revisionProperty.value).toEqual(
+    "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
+  );
+
+  // Check flake-utils package
+  const flakeUtils = result.pkgList.find((pkg) => pkg.name === "flake-utils");
+  expect(flakeUtils).toBeDefined();
+  expect(flakeUtils.version).toEqual("1ef2e67");
+
+  // Check rust-overlay package
+  const rustOverlay = result.pkgList.find((pkg) => pkg.name === "rust-overlay");
+  expect(rustOverlay).toBeDefined();
+  expect(rustOverlay.version).toEqual("9a8a835");
+
+  // Check systems package
+  const systems = result.pkgList.find((pkg) => pkg.name === "systems");
+  expect(systems).toBeDefined();
+  expect(systems.version).toEqual("da67096");
+
+  // Check dependencies
+  expect(result.dependencies.length).toEqual(1);
+  const rootDep = result.dependencies[0];
+  expect(rootDep.ref).toEqual("pkg:nix/flake@latest");
+  expect(rootDep.dependsOn).toBeDefined();
+  expect(rootDep.dependsOn.length).toEqual(3); // flake-utils, nixpkgs, rust-overlay
+  expect(rootDep.dependsOn).toContain("pkg:nix/flake-utils@1ef2e67");
+  expect(rootDep.dependsOn).toContain("pkg:nix/nixpkgs@bd645e8");
+  expect(rootDep.dependsOn).toContain("pkg:nix/rust-overlay@9a8a835");
+
+  // Check evidence
+  expect(nixpkgs.evidence).toBeDefined();
+  expect(nixpkgs.evidence.identity.field).toEqual("purl");
+  expect(nixpkgs.evidence.identity.confidence).toEqual(1.0);
+  expect(nixpkgs.evidence.identity.methods[0].technique).toEqual(
+    "manifest-analysis",
+  );
+});
+
+test("parse flake.nix file with missing file", () => {
+  const result = parseFlakeNix("./test/data/missing-flake.nix");
+  expect(result.pkgList).toBeDefined();
+  expect(result.dependencies).toBeDefined();
+  expect(result.pkgList.length).toEqual(0);
+  expect(result.dependencies.length).toEqual(0);
+});
+
+test("parse flake.lock file with missing file", () => {
+  const result = parseFlakeLock("./test/data/missing-flake.lock");
+  expect(result.pkgList).toBeDefined();
+  expect(result.dependencies).toBeDefined();
+  expect(result.pkgList.length).toEqual(0);
+  expect(result.dependencies.length).toEqual(0);
+});

package/lib/helpers/validator.js

@@ -185,6 +185,16 @@ export const validatePurls = (bomJson) => {
               `purl does not include namespace but includes encoded slash in name for npm type. ${comp.purl}`,
             );
           }
+          // Catch the trivy version hack that removes the epoch from version
+          const qualifiers = purlObj.qualifiers || {};
+          if (
+            qualifiers.epoch &&
+            !comp.version.startsWith(`${qualifiers.epoch}:`)
+          ) {
+            errorList.push(
+              `'${comp.name}' version '${comp.version}' doesn't include epoch '${qualifiers.epoch}'.`,
+            );
+          }
         } catch (_ex) {
           errorList.push(`Invalid purl ${comp.purl}`);
         }