@cyclonedx/cdxgen 11.4.4 → 11.6.0

package/lib/cli/index.js

@@ -111,6 +111,8 @@ import {
   parseCsProjAssetsData,
   parseCsProjData,
   parseEdnData,
+  parseFlakeLock,
+  parseFlakeNix,
   parseGemfileLockData,
   parseGemspecData,
   parseGitHubWorkflowData,
@@ -524,29 +526,47 @@ const addFormulationSection = (options, context) => {
   let environmentVars = gitBranch?.length
     ? [{ name: "GIT_BRANCH", value: gitBranch }]
     : [];
+  const envPrefixes = [
+    "GIT",
+    "ANDROID",
+    "DENO",
+    "DOTNET",
+    "JAVA_",
+    "SDKMAN",
+    "CARGO",
+    "CONDA",
+    "RUST",
+    "GEM_",
+    "SCALA_",
+    "MAVEN_",
+    "GRADLE_",
+    "NODE_",
+  ];
+  const envBlocklist = [
+    "key",
+    "token",
+    "pass",
+    "secret",
+    "user",
+    "email",
+    "auth",
+    "session",
+    "proxy",
+    "cred",
+  ];
+
   for (const aevar of Object.keys(process.env)) {
+    const lower = aevar.toLowerCase();
+    const value = process.env[aevar] ?? "";
     if (
-      (aevar.startsWith("GIT") ||
-        aevar.startsWith("ANDROID") ||
-        aevar.startsWith("DENO") ||
-        aevar.startsWith("DOTNET") ||
-        aevar.startsWith("JAVA_") ||
-        aevar.startsWith("SDKMAN") ||
-        aevar.startsWith("CARGO") ||
-        aevar.startsWith("CONDA") ||
-        aevar.startsWith("RUST")) &&
-      !aevar.toLowerCase().includes("key") &&
-      !aevar.toLowerCase().includes("token") &&
-      !aevar.toLowerCase().includes("pass") &&
-      !aevar.toLowerCase().includes("secret") &&
-      !aevar.toLowerCase().includes("user") &&
-      !aevar.toLowerCase().includes("email") &&
-      process.env[aevar] &&
-      process.env[aevar].length
+      envPrefixes.some((p) => aevar.startsWith(p)) &&
+      !envBlocklist.some((b) => lower.includes(b)) &&
+      !envBlocklist.some((b) => value.includes(b)) &&
+      value.length
     ) {
       environmentVars.push({
         name: aevar,
-        value: process.env[aevar],
+        value,
       });
     }
   }
@@ -1385,6 +1405,10 @@ export async function createJarBom(path, options) {
   if (!options.exclude) {
     options.exclude = [];
   }
+  // We can look for jar files within node_modules directory
+  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
+    options.includeNodeModulesDir = true;
+  }
   // Exclude certain directories during oci sbom generation
   if (hasAnyProjectType(["oci"], options, false)) {
     options.exclude.push("**/android-sdk*/**");
@@ -1751,9 +1775,7 @@ export async function createJavaBom(path, options) {
           `**MAVEN**: Let's use Maven to collect packages from ${basePath}.`,
         );
         if (DEBUG_MODE) {
-          console.log(
-            `Executing 'mvn ${mvnTreeArgs.join(" ")}' in ${basePath}`,
-          );
+          console.log(`Executing 'mvn dependency:tree ...' in ${basePath}`);
         }
         // Prefer the built-in maven
         result = safeSpawnSync(
@@ -2305,7 +2327,7 @@ export async function createJavaBom(path, options) {
       ) {
         bArgs = ["--bazelrc=.bazelrc", "build", bazelTarget];
       }
-      console.log("Executing", BAZEL_CMD, bArgs.join(" "), "in", basePath);
+      console.log("Executing", BAZEL_CMD, "in", basePath);
       let result = safeSpawnSync(BAZEL_CMD, bArgs, {
         cwd: basePath,
         shell: true,
@@ -2639,7 +2661,7 @@ export async function createJavaBom(path, options) {
     }
     const millArgs = [...millCommonArgs, "__.ivyDepsTree"];
     if (DEBUG_MODE) {
-      console.log("Executing", millCmd, millArgs.join(" "), "in", millRootPath);
+      console.log("Executing", millCmd, "in", millRootPath);
     }
     let sresult = safeSpawnSync(millCmd, millArgs, {
       cwd: millRootPath,
@@ -3761,7 +3783,7 @@ export async function createPythonBom(path, options) {
       // Retrieve the tree using virtualenv in deep mode and as a fallback
       // This is a slow operation
       if ((options.deep || !dependencies.length) && !f.endsWith("uv.lock")) {
-        retMap = getPipFrozenTree(basePath, f, tempDir, parentComponent);
+        retMap = await getPipFrozenTree(basePath, f, tempDir, parentComponent);
         if (retMap.pkgList?.length) {
           pkgList = pkgList.concat(retMap.pkgList);
         }
@@ -3839,9 +3861,49 @@ export async function createPythonBom(path, options) {
         console.error("Pipfile.lock not found at", path);
         options.failOnError && process.exit(1);
       }
-    } else if (requirementsMode) {
-      metadataFilename = "requirements.txt";
-      if (reqFiles?.length) {
+    } else if (reqDirFiles?.length) {
+      for (const j in reqDirFiles) {
+        const f = reqDirFiles[j];
+        const dlist = await parseReqFile(f, false);
+        if (dlist?.length) {
+          pkgList = pkgList.concat(dlist);
+        }
+      }
+      metadataFilename = reqDirFiles.join(", ");
+    } else if (reqFiles?.length) {
+      for (const f of reqFiles) {
+        const dlist = await parseReqFile(f, true);
+        if (dlist?.length) {
+          pkgList = pkgList.concat(dlist);
+        }
+      }
+    }
+  }
+
+  const parentDependsOn = new Set();
+
+  // Use atom in requirements, setup.py and pyproject.toml mode
+  if (requirementsMode || setupPyMode || pyProjectMode || options.deep) {
+    /**
+     * The order of preference is pyproject.toml (newer) and then setup.py
+     */
+    if (options.installDeps) {
+      let pkgMap;
+      if (pyProjectMode && !poetryMode) {
+        pkgMap = await getPipFrozenTree(
+          path,
+          pyProjectFile,
+          tempDir,
+          parentComponent,
+        );
+      } else if (setupPyMode) {
+        pkgMap = await getPipFrozenTree(
+          path,
+          setupPy,
+          tempDir,
+          parentComponent,
+        );
+      } else if (requirementsMode && reqFiles?.length) {
         if (options.installDeps && DEBUG_MODE) {
           console.log(
             "cdxgen will now attempt to generate an SBOM for 'build' lifecycle phase for Python. This would take some time ...\nTo speed up this step, invoke cdxgen from within a virtual environment with all the dependencies installed.\nAlternatively, pass the argument '--lifecycle pre-build' to generate a faster but less precise SBOM.",
@@ -3849,13 +3911,8 @@ export async function createPythonBom(path, options) {
         }
         for (const f of reqFiles) {
           const basePath = dirname(f);
-          let reqData;
-          let frozen = false;
-          // Attempt to pip freeze in a virtualenv to improve precision
           if (options.installDeps) {
-            // If there are multiple requirements files then the tree is getting constructed for each one
-            // adding to the delay.
-            const pkgMap = getPipFrozenTree(
+            const pkgMap = await getPipFrozenTree(
               basePath,
               f,
               tempDir,
@@ -3863,10 +3920,11 @@ export async function createPythonBom(path, options) {
             );
             if (pkgMap.pkgList?.length) {
               pkgList = pkgList.concat(pkgMap.pkgList);
-              frozen = pkgMap.frozen;
+              pkgList = trimComponents(pkgList);
             }
             if (pkgMap.formulationList?.length) {
               formulationList = formulationList.concat(pkgMap.formulationList);
+              formulationList = trimComponents(formulationList);
             }
             if (pkgMap.dependenciesList) {
               dependencies = mergeDependencies(
@@ -3875,61 +3933,31 @@ export async function createPythonBom(path, options) {
                 parentComponent,
               );
             }
-          }
-          // Fallback to parsing manually
-          if (!pkgList.length || !frozen) {
-            thoughtLog(
-              `Manually parsing ${f}. The result would include only direct dependencies.`,
-            );
-            if (DEBUG_MODE) {
-              console.log(
-                `Manually parsing ${f}. The result would include only direct dependencies.`,
+            // Add the root packages from this file to the parent's dependencies
+            for (const p of pkgMap.rootList) {
+              if (
+                parentComponent &&
+                p.name === parentComponent.name &&
+                (p.version === parentComponent.version ||
+                  p.version === "latest")
+              ) {
+                continue;
+              }
+              parentDependsOn.add(
+                `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
               );
             }
-            reqData = readFileSync(f, { encoding: "utf-8" });
-            const dlist = await parseReqFile(reqData, true);
-            if (dlist?.length) {
-              pkgList = pkgList.concat(dlist);
-            }
-          }
-        } // for
-        metadataFilename = reqFiles.join(", ");
-      } else if (reqDirFiles?.length) {
-        for (const j in reqDirFiles) {
-          const f = reqDirFiles[j];
-          const reqData = readFileSync(f, { encoding: "utf-8" });
-          const dlist = await parseReqFile(reqData, false);
-          if (dlist?.length) {
-            pkgList = pkgList.concat(dlist);
           }
         }
-        metadataFilename = reqDirFiles.join(", ");
-      }
-    }
-  }
-  // Use atom in requirements, setup.py and pyproject.toml mode
-  if (requirementsMode || setupPyMode || pyProjectMode || options.deep) {
-    /**
-     * The order of preference is pyproject.toml (newer) and then setup.py
-     */
-    if (options.installDeps) {
-      let pkgMap;
-      if (pyProjectMode && !poetryMode) {
-        pkgMap = getPipFrozenTree(
+      } else if (!poetryMode) {
+        pkgMap = await getPipFrozenTree(
           path,
-          pyProjectFile,
+          undefined,
           tempDir,
           parentComponent,
         );
-      } else if (setupPyMode) {
-        pkgMap = getPipFrozenTree(path, setupPy, tempDir, parentComponent);
-      } else if (!poetryMode) {
-        pkgMap = getPipFrozenTree(path, undefined, tempDir, parentComponent);
       }
 
-      // Get the imported modules and a dedupe list of packages
-      const parentDependsOn = new Set();
-
       // ATOM parsedeps block
       // Atom parsedeps slices can be used to identify packages that are not declared in manifests
       // Since it is a slow operation, we only use it as a fallback or in deep mode
@@ -4253,11 +4281,21 @@ export async function createGoBom(path, options) {
   }
   if (gomodFiles.length) {
     let shouldManuallyParse = false;
+    // Sort go.mod files by depth (shallowest first) to prioritize root modules
+    const sortedGomodFiles = gomodFiles.sort((a, b) => {
+      const relativePathA = relative(path, a);
+      const relativePathB = relative(path, b);
+      const depthA = relativePathA.split("/").length;
+      const depthB = relativePathB.split("/").length;
+      return depthA - depthB;
+    });
+
+    let rootParentComponent = null;
     // Use the go list -deps and go mod why commands to generate a good quality BOM for non-docker invocations
     if (
       !hasAnyProjectType(["docker", "oci", "container", "os"], options, false)
     ) {
-      for (const f of gomodFiles) {
+      for (const f of sortedGomodFiles) {
         const basePath = dirname(f);
         // Ignore vendor packages
         if (
@@ -4307,13 +4345,23 @@ export async function createGoBom(path, options) {
           if (retMap.pkgList?.length) {
             pkgList = pkgList.concat(retMap.pkgList);
           }
-          // We treat the main module as our parent
+          // Prioritize the shallowest module as the root component
           if (
             retMap.parentComponent &&
             Object.keys(retMap.parentComponent).length
           ) {
-            parentComponent = retMap.parentComponent;
-            parentComponent.type = "application";
+            if (!rootParentComponent) {
+              // First (shallowest) module becomes the root
+              rootParentComponent = retMap.parentComponent;
+              rootParentComponent.type = "application";
+              parentComponent = rootParentComponent;
+            } else {
+              // Subsequent modules become subcomponents
+              if (!parentComponent.components) {
+                parentComponent.components = [];
+              }
+              parentComponent.components.push(retMap.parentComponent);
+            }
           }
           if (DEBUG_MODE) {
             console.log("Executing go mod graph in", basePath);
@@ -4399,11 +4447,14 @@ export async function createGoBom(path, options) {
                 parentComponent,
               );
             }
-            // Retain the parent component hierarchy
+            // Retain the parent component hierarchy, prioritizing the shallowest module
             if (Object.keys(retMap.parentComponent).length) {
-              if (gomodFiles.length === 1) {
-                parentComponent = retMap.parentComponent;
+              if (!rootParentComponent) {
+                // First (shallowest) module becomes the root
+                rootParentComponent = retMap.parentComponent;
+                parentComponent = rootParentComponent;
               } else {
+                // Subsequent modules become subcomponents
                 parentComponent.components = parentComponent.components || [];
                 parentComponent.components.push(retMap.parentComponent);
               }
@@ -4429,7 +4480,7 @@ export async function createGoBom(path, options) {
           dependencies,
           parentComponent,
           src: path,
-          filename: gomodFiles.join(", "),
+          filename: sortedGomodFiles.join(", "),
         });
       }
     }
@@ -4441,7 +4492,7 @@ export async function createGoBom(path, options) {
         "Manually parsing go.mod files. The resultant BOM would be incomplete.",
       );
     }
-    for (const f of gomodFiles) {
+    for (const f of sortedGomodFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
@@ -4450,11 +4501,14 @@ export async function createGoBom(path, options) {
       if (retMap?.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
       }
-      // Retain the parent component hierarchy
+      // Retain the parent component hierarchy, prioritizing the shallowest module
       if (Object.keys(retMap.parentComponent).length) {
-        if (gomodFiles.length === 1) {
-          parentComponent = retMap.parentComponent;
+        if (!rootParentComponent) {
+          // First (shallowest) module becomes the root
+          rootParentComponent = retMap.parentComponent;
+          parentComponent = rootParentComponent;
         } else {
+          // Subsequent modules become subcomponents
           parentComponent.components = parentComponent.components || [];
           parentComponent.components.push(retMap.parentComponent);
         }
@@ -4479,7 +4533,7 @@ export async function createGoBom(path, options) {
       src: path,
       dependencies,
       parentComponent,
-      filename: gomodFiles.join(", "),
+      filename: sortedGomodFiles.join(", "),
     });
   }
   if (gopkgLockFiles.length) {
@@ -4927,7 +4981,7 @@ export function createClojureBom(path, options) {
         console.log(`Parsing ${f}`);
       }
       const basePath = dirname(f);
-      console.log("Executing", LEIN_CMD, LEIN_ARGS.join(" "), "in", basePath);
+      console.log("Executing", LEIN_CMD, "in", basePath);
       const result = safeSpawnSync(LEIN_CMD, LEIN_ARGS, {
         cwd: basePath,
         encoding: "utf-8",
@@ -4976,7 +5030,7 @@ export function createClojureBom(path, options) {
     }
     for (const f of ednFiles) {
       const basePath = dirname(f);
-      console.log("Executing", CLJ_CMD, CLJ_ARGS.join(" "), "in", basePath);
+      console.log("Executing", CLJ_CMD, "in", basePath);
       const result = safeSpawnSync(CLJ_CMD, CLJ_ARGS, {
         cwd: basePath,
         encoding: "utf-8",
@@ -5584,6 +5638,128 @@ export async function createCocoaBom(path, options) {
   }
 }
 
+/**
+ * Function to create bom string for Nix flakes
+ *
+ * @param {string} path to the project
+ * @param {Object} options Parse options from the cli
+ */
+export async function createNixBom(path, options) {
+  let pkgList = [];
+  let dependencies = [];
+  let parentComponent = {};
+
+  const flakeNixFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}flake.nix`,
+    options,
+  );
+  const flakeLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}flake.lock`,
+    options,
+  );
+
+  for (const flakeNixFile of flakeNixFiles) {
+    if (DEBUG_MODE) {
+      console.log(`Parsing ${flakeNixFile}`);
+    }
+    const { pkgList: nixPkgs, dependencies: nixDeps } =
+      parseFlakeNix(flakeNixFile);
+    if (nixPkgs?.length) {
+      pkgList = pkgList.concat(nixPkgs);
+    }
+    if (nixDeps?.length) {
+      dependencies = dependencies.concat(nixDeps);
+    }
+  }
+
+  for (const flakeLockFile of flakeLockFiles) {
+    if (DEBUG_MODE) {
+      console.log(`Parsing ${flakeLockFile}`);
+    }
+    const { pkgList: lockPkgs, dependencies: lockDeps } =
+      parseFlakeLock(flakeLockFile);
+    if (lockPkgs?.length) {
+      const mergedPkgs = [];
+      const existingNames = new Set();
+
+      for (const lockPkg of lockPkgs) {
+        mergedPkgs.push(lockPkg);
+        existingNames.add(lockPkg.name);
+      }
+
+      for (const nixPkg of pkgList) {
+        if (!existingNames.has(nixPkg.name)) {
+          mergedPkgs.push(nixPkg);
+        }
+      }
+
+      pkgList = mergedPkgs;
+    }
+    if (lockDeps?.length) {
+      dependencies = dependencies.concat(lockDeps);
+    }
+
+    // Create parent component from flake.lock if found
+    if (!Object.keys(parentComponent).length) {
+      const flakeDir = dirname(flakeLockFile);
+      const projectName = basename(flakeDir);
+      parentComponent = {
+        type: "application",
+        name: projectName,
+        version: "latest",
+        description: `Nix flake project: ${projectName}`,
+        "bom-ref": `pkg:nix/${projectName}@latest`,
+        properties: [
+          {
+            name: "SrcFile",
+            value: flakeLockFile,
+          },
+          {
+            name: "cdx:nix:flake_dir",
+            value: flakeDir,
+          },
+        ],
+      };
+    }
+  }
+
+  // If no parent component was created from flake.lock, create one from flake.nix
+  if (!Object.keys(parentComponent).length && flakeNixFiles.length > 0) {
+    const flakeDir = dirname(flakeNixFiles[0]);
+    const projectName = basename(flakeDir);
+    parentComponent = {
+      type: "application",
+      name: projectName,
+      version: "latest",
+      description: `Nix flake project: ${projectName}`,
+      "bom-ref": `pkg:nix/${projectName}@latest`,
+      properties: [
+        {
+          name: "SrcFile",
+          value: flakeNixFiles[0],
+        },
+        {
+          name: "cdx:nix:flake_dir",
+          value: flakeDir,
+        },
+      ],
+    };
+  }
+
+  if (pkgList.length || Object.keys(parentComponent).length) {
+    return buildBomNSData(options, pkgList, "nix", {
+      src: path,
+      filename: [...flakeNixFiles, ...flakeLockFiles].join(", "),
+      dependencies,
+      parentComponent,
+    });
+  }
+
+  return {};
+}
+
 /**
  * Function to create bom string for docker compose
  *
@@ -5921,6 +6097,10 @@ export async function createContainerSpecLikeBom(path, options) {
 export function createPHPBom(path, options) {
   let dependencies = [];
   let parentComponent = {};
+  // We can look for composer files within node_modules directory
+  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
+    options.includeNodeModulesDir = true;
+  }
   const composerJsonFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.json`,
@@ -6069,6 +6249,10 @@ export function createPHPBom(path, options) {
  * @param {Object} options Parse options from the cli
  */
 export async function createRubyBom(path, options) {
+  // We can look for gem files within node_modules directory
+  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
+    options.includeNodeModulesDir = true;
+  }
   const excludeList = (options.exclude || []).concat(["**/vendor/cache/**"]);
   const gemLockExcludeList = (options.exclude || []).concat([
     "**/vendor/bundle/ruby/**/Gemfile.lock",
@@ -6495,7 +6679,7 @@ export async function createCsharpBom(path, options) {
         console.log(`Parsing ${nf}`);
       }
       const retMap = await parseNupkg(nf);
-      if (retMap?.pkgList.length) {
+      if (retMap?.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         for (const d of retMap.pkgList) {
           parentDependsOn.add(d["bom-ref"]);
@@ -6861,8 +7045,8 @@ export function trimComponents(components) {
         }
         // comp.evidence.identity can be an array or object
         // Merge the evidence.identity based on methods or objects
-        const isArray = Array.isArray(comp.evidence.identity);
-        const identities = isArray
+        const isIdentityArray = Array.isArray(comp.evidence.identity);
+        const identities = isIdentityArray
           ? comp.evidence.identity
           : [comp.evidence.identity];
         for (const aident of identities) {
@@ -6893,9 +7077,23 @@ export function trimComponents(components) {
             existingComponent.evidence.identity.push(aident);
           }
         }
-        if (!isArray) {
+        if (!isIdentityArray) {
+          const firstIdentity = existingComponent.evidence.identity[0];
+          let identConfidence = firstIdentity?.confidence;
+          // We need to set the confidence to the max of all confidences
+          if (firstIdentity?.methods?.length > 1) {
+            for (const aidentMethod of firstIdentity.methods) {
+              if (
+                aidentMethod?.confidence &&
+                aidentMethod.confidence > identConfidence
+              ) {
+                identConfidence = aidentMethod.confidence;
+              }
+            }
+          }
+          firstIdentity.confidence = identConfidence;
           existingComponent.evidence = {
-            identity: existingComponent.evidence.identity[0],
+            identity: firstIdentity,
           };
         }
       }
@@ -7635,6 +7833,27 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["oci", "nix"], options)) {
+      bomData = await createNixBom(path, options);
+      if (bomData?.bomJson?.components?.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${bomData.bomJson.components.length} Nix flake packages at ${path}`,
+          );
+        }
+        components = components.concat(bomData.bomJson.components);
+        dependencies = mergeDependencies(
+          dependencies,
+          bomData.bomJson.dependencies,
+        );
+        if (
+          bomData.parentComponent &&
+          Object.keys(bomData.parentComponent).length
+        ) {
+          parentSubComponents.push(bomData.parentComponent);
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8063,6 +8282,21 @@ export async function createXBom(path, options) {
   if (cocoaFiles.length) {
     return await createCocoaBom(path, options);
   }
+
+  // Nix flakes
+  const flakeNixFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}flake.nix`,
+    options,
+  );
+  const flakeLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}flake.lock`,
+    options,
+  );
+  if (flakeNixFiles.length || flakeLockFiles.length) {
+    return await createNixBom(path, options);
+  }
 }
 
 /**
@@ -8308,6 +8542,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["cocoa"].includes(projectType[0])) {
     return await createCocoaBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["nix"].includes(projectType[0])) {
+    return await createNixBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);

package/lib/evinser/evinser.js

@@ -944,6 +944,9 @@ export function parseSemanticSlices(language, components, semanticsSlice) {
   if (language === "scala") {
     return findPurlLocations(components, semanticsSlice);
   }
+  if (!components) {
+    return undefined;
+  }
   const componentNamePurlMap = {};
   const componentSymbolsMap = {};
   const allObfuscationsMap = {};