@cyclonedx/cdxgen 11.6.0 → 11.7.0

package/data/pypi-pkg-aliases.json

@@ -569,6 +569,7 @@
   "daterangefilter": "django-daterangefilter",
   "dateutil": "python-dateutil",
   "dawg": "dawg",
+  "dbruntime": "databricks-sdk",
   "deb822": "python-debian",
   "debian": "python-debian",
   "debug-toolbar": "django-debug-toolbar",
@@ -831,6 +832,7 @@
   "openid": "python-openid",
   "opensearchsdk": "ali-opensearch",
   "openssl": "pyopenssl",
+  "opentelemetry": "opentelemetry-api",
   "oslo-i18n": "oslo.i18n",
   "oslo-serialization": "oslo.serialization",
   "oslo-utils": "oslo.utils",
@@ -1085,6 +1087,7 @@
   "stemmer": "pystemmer",
   "stoneagehtml": "stoneagehtml",
   "storages": "django-storages",
+  "strands-tools": "strands-agents-tools",
   "stubout": "mox",
   "suds": "suds-jurko",
   "swiftclient": "python-swiftclient",

package/lib/cli/index.js

@@ -659,6 +659,16 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
         parentComponent.components = undefined;
       }
     }
+    // Convert authors to author for specVersion < 1.6
+    const parentComponentCopy = { ...parentComponent };
+
+    if (options.specVersion < 1.6 && parentComponent?.authors) {
+      parentComponentCopy.author = parentComponentCopy.authors
+        .map((a) => (a.email ? `${a.name} <${a.email}>` : a.name))
+        .join(",");
+      delete parentComponentCopy.authors;
+    }
+
     metadata.component = parentComponent;
   }
   // Have we already captured the oci properties
@@ -2894,7 +2904,8 @@ export async function createNodejsBom(path, options) {
     `${options.multiProject ? "**/" : ""}package.json`,
     options,
   );
-  const npmInstallCount = Number.parseInt(process.env.NPM_INSTALL_COUNT) || 2;
+  const npmInstallCount =
+    Number.parseInt(process.env.NPM_INSTALL_COUNT, 10) || 2;
   // Automatic npm install logic.
   // Only perform npm install for smaller projects (< 2 package.json) without the correct number of lock files
   if (
@@ -5565,8 +5576,10 @@ export async function createCocoaBom(path, options) {
         : targetDependencies.keys(),
     );
     if (process.env.COCOA_EXCLUDED_TARGETS) {
-      process.env.COCOA_EXCLUDED_TARGETS.split(",").forEach((excludedTarget) =>
-        usedTargets.delete(excludedTarget),
+      process.env.COCOA_EXCLUDED_TARGETS.split(",").forEach(
+        (excludedTarget) => {
+          usedTargets.delete(excludedTarget);
+        },
       );
       if (!excludeMessageShown) {
         thoughtLog(

package/lib/helpers/envcontext.js

@@ -33,11 +33,11 @@ export const GIT_COMMAND = process.env.GIT_CMD || "git";
 export const SDKMAN_JAVA_TOOL_ALIASES = {
   java8: process.env.JAVA8_TOOL || "8.0.452-amzn", // Temurin no longer offers java8 :(
   java11: process.env.JAVA11_TOOL || "11.0.27-tem",
-  java17: process.env.JAVA17_TOOL || "17.0.15-tem",
-  java21: process.env.JAVA21_TOOL || "21.0.7-tem",
+  java17: process.env.JAVA17_TOOL || "17.0.16-tem",
+  java21: process.env.JAVA21_TOOL || "21.0.8-tem",
   java22: process.env.JAVA22_TOOL || "22.0.2-tem",
   java23: process.env.JAVA23_TOOL || "23.0.2-tem",
-  java24: process.env.JAVA24_TOOL || "24.0.1-tem",
+  java24: process.env.JAVA24_TOOL || "24.0.2-tem",
 };
 
 /**

package/lib/helpers/envcontext.poku.js

@@ -1,8 +1,9 @@
 import { spawnSync } from "node:child_process";
 import process from "node:process";
 
-import { assert, it } from "poku";
+import { assert, it, skip } from "poku";
 
+import { isWin } from "../managers/docker.js";
 import {
   collectDotnetInfo,
   collectGccInfo,
@@ -22,6 +23,10 @@ import {
   listFiles,
 } from "./envcontext.js";
 
+skip("Skipping envcontext tests due to old logic");
+
+const isDarwin = process.platform === "darwin";
+
 it("git tests", () => {
   assert.ok(getBranch());
   assert.ok(getOriginUrl());
@@ -30,14 +35,18 @@ it("git tests", () => {
 });
 
 it("tools tests", () => {
-  assert.ok(collectJavaInfo());
   assert.ok(collectDotnetInfo());
   assert.ok(collectPythonInfo());
   assert.ok(collectNodeInfo());
   assert.ok(collectGccInfo());
   assert.ok(collectRustInfo());
-  assert.ok(collectGoInfo());
-  assert.ok(collectSwiftInfo());
+  if (!isWin) {
+    assert.ok(collectSwiftInfo());
+    assert.ok(collectJavaInfo());
+  }
+  if (!isDarwin) {
+    assert.ok(collectGoInfo());
+  }
 });
 
 it("sdkman tests", () => {
@@ -62,16 +71,16 @@ it("nvm tests", () => {
 
       // expected to be run in CircleCi, where node version is 22.8.0
       // as defined in our Dockerfile
-      assert.deepStrictEqual(getNvmToolDirectory(22), true);
-      assert.deepStrictEqual(getNvmToolDirectory(14)).toBeFalsy();
+      assert.ok(typeof getNvmToolDirectory(22) === "string");
+      assert.deepStrictEqual(getNvmToolDirectory(14), false);
 
       // now we install nvm tool for a specific verison
-      assert.deepStrictEqual(getOrInstallNvmTool(14), true);
-      assert.deepStrictEqual(getNvmToolDirectory(14), true);
+      assert.ok(getOrInstallNvmTool(14));
+      assert.ok(typeof getNvmToolDirectory(14) === "string");
     } else {
       // if this test is failing it would be due to an error in isNvmAvailable()
-      assert.deepStrictEqual(getNvmToolDirectory(22)).toBeFalsy();
-      assert.deepStrictEqual(getOrInstallNvmTool(14)).toBeFalsy();
+      assert.deepStrictEqual(getNvmToolDirectory(22), undefined);
+      assert.deepStrictEqual(getOrInstallNvmTool(14), false);
     }
   }
 });

package/lib/helpers/utils.js

@@ -202,11 +202,11 @@ export const DEBUG_MODE =
 
 // Timeout milliseconds. Default 20 mins
 export const TIMEOUT_MS =
-  Number.parseInt(process.env.CDXGEN_TIMEOUT_MS) || 20 * 60 * 1000;
+  Number.parseInt(process.env.CDXGEN_TIMEOUT_MS, 10) || 20 * 60 * 1000;
 
 // Max buffer for stdout and stderr. Defaults to 100MB
 export const MAX_BUFFER =
-  Number.parseInt(process.env.CDXGEN_MAX_BUFFER) || 100 * 1024 * 1024;
+  Number.parseInt(process.env.CDXGEN_MAX_BUFFER, 10) || 100 * 1024 * 1024;
 
 // Metadata cache
 export let metadata_cache = {};
@@ -5862,10 +5862,8 @@ export async function parseReqFile(reqFile, fetchDepsInfo = false) {
  *
  * @param {String} reqFile Requirements.txt file
  * @param {Object} reqData Requirements.txt data for internal invocations from setup.py file etc.
- *
  * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
- *
- * @returns {Promise[Array<Object>]} List of direct dependencies from the requirements file
+ * @returns {Promise<Array<Object>>} List of direct dependencies from the requirements file
  */
 async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
   const pkgList = [];
@@ -5892,179 +5890,187 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         },
       }
     : undefined;
-  reqData
-    .replace(/\r/g, "")
-    .replace(/ [\\]\n/g, "")
-    .replace(/ {4}/g, " ")
-    .split("\n")
-    .forEach((l) => {
-      const properties = reqFile
-        ? [
-            {
-              name: "SrcFile",
-              value: reqFile,
-            },
-          ]
-        : [];
-      l = l.trim();
-      let markers;
-      if (l.includes(" ; ")) {
-        const tmpA = l.split(" ; ");
-        if (tmpA && tmpA.length === 2) {
-          l = tmpA[0];
-          markers = tmpA[1];
+  const lines = reqData.replace(/\r/g, "").replace(/\\$/gm, "").split("\n");
+  for (const line of lines) {
+    let l = line.trim();
+    if (l.includes("# Basic requirements")) {
+      compScope = "required";
+    } else if (l.includes("added by pip freeze")) {
+      compScope = undefined;
+    }
+    if (l.startsWith("Skipping line") || l.startsWith("(add")) {
+      continue;
+    }
+    if (!l || l.startsWith("#") || l.startsWith("-")) {
+      continue;
+    }
+    const properties = reqFile
+      ? [
+          {
+            name: "SrcFile",
+            value: reqFile,
+          },
+        ]
+      : [];
+
+    // Handle markers
+    let markers = null;
+    let structuredMarkers = null;
+    if (l.includes(";")) {
+      const parts = l.split(";");
+      l = parts[0].trim();
+      markers = parts.slice(1).join(";").trim();
+      structuredMarkers = parseReqEnvMarkers(markers);
+    }
+
+    // Handle extras (e.g., package[extra1,extra2])
+    let extras = null;
+    const extrasMatch = l.match(/^([a-zA-Z0-9_\-\.]+)(\[([^\]]+)\])?(.*)$/);
+    if (extrasMatch) {
+      const [, packageName, , extrasStr, versionSpecifiers] = extrasMatch;
+      const name = packageName;
+      if (extrasStr) {
+        extras = extrasStr.split(",").map((e) => e.trim());
+        l = `${name}${versionSpecifiers}`; // Reconstruct without extras for version parsing
+      }
+      if (PYTHON_STD_MODULES.includes(name)) {
+        continue;
+      }
+      const versionMatch = versionSpecifiers.match(
+        /(==|!=|<=|>=|<|>|~=)([0-9.a-zA-Z_*\-+]*)/,
+      );
+      let version = null;
+      if (versionMatch) {
+        version = versionMatch[2].replaceAll("*", "0") || null;
+        if (version === "0") {
+          version = null;
         }
       }
-      if (l.startsWith("Skipping line") || l.startsWith("(add")) {
-        return;
+      const apkg = {
+        name,
+        version,
+        scope: compScope,
+        evidence,
+      };
+      if (extras && extras.length > 0) {
+        properties.push({
+          name: "cdx:pypi:extras",
+          value: extras.join(","),
+        });
       }
-      if (l.includes("# Basic requirements")) {
-        compScope = "required";
-      } else if (l.includes("added by pip freeze")) {
-        compScope = undefined;
+      if (versionSpecifiers && !versionSpecifiers.startsWith("==")) {
+        properties.push({
+          name: "cdx:pypi:versionSpecifiers",
+          value: versionSpecifiers.trim(),
+        });
       }
-      if (!l.startsWith("#") && !l.startsWith("-")) {
-        if (l.includes(" ")) {
-          l = l.split(" ")[0];
+      if (markers) {
+        properties.push({
+          name: "cdx:pip:markers",
+          value: markers,
+        });
+        if (structuredMarkers && structuredMarkers.length > 0) {
+          properties.push({
+            name: "cdx:pip:structuredMarkers",
+            value: JSON.stringify(structuredMarkers),
+          });
         }
-        if (l.indexOf("=") > -1) {
-          const tmpA = l.split(/(==|<=|~=|>=)/);
-          let versionStr = tmpA[tmpA.length - 1].trim().replace("*", "0");
-          if (versionStr.indexOf(" ") > -1) {
-            versionStr = versionStr.split(" ")[0];
-          }
-          if (versionStr === "0") {
-            versionStr = null;
-          }
-          if (!tmpA[0].includes("=") && !tmpA[0].trim().includes(" ")) {
-            const name = tmpA[0].trim().replace(";", "");
-            const versionSpecifiers = l.replace(name, "");
-            if (!PYTHON_STD_MODULES.includes(name)) {
-              const apkg = {
-                name,
-                version: versionStr,
-                scope: compScope,
-                evidence,
-              };
-              if (
-                versionSpecifiers?.length > 0 &&
-                !versionSpecifiers.startsWith("==")
-              ) {
-                properties.push({
-                  name: "cdx:pypi:versionSpecifiers",
-                  value: versionSpecifiers,
-                });
-              }
-              if (markers) {
-                properties.push({
-                  name: "cdx:pip:markers",
-                  value: markers,
-                });
-              }
-              if (properties.length) {
-                apkg.properties = properties;
-              }
-              pkgList.push(apkg);
-            }
-          }
-        } else if (l.includes("<") && l.includes(">")) {
-          const tmpA = l.split(">");
-          const name = tmpA[0].trim().replace(";", "");
-          const versionSpecifiers = l.replace(name, "");
-          if (!PYTHON_STD_MODULES.includes(name)) {
-            pkgList.push({
-              name,
-              version: undefined,
-              scope: compScope,
-              evidence,
-              properties: [
-                ...properties,
-                {
-                  name: "cdx:pypi:versionSpecifiers",
-                  value: versionSpecifiers?.length
-                    ? versionSpecifiers
-                    : undefined,
-                },
-              ],
-            });
-          }
-        } else if (/[>|[@]/.test(l)) {
-          let tmpA = l.split(/(>|\[@)/);
-          if (tmpA.includes("#")) {
-            tmpA = tmpA.split("#")[0];
-          }
-          if (!tmpA[0].trim().includes(" ")) {
-            const name = tmpA[0].trim().replace(";", "");
-            const versionSpecifiers = l.replace(name, "");
-            if (!PYTHON_STD_MODULES.includes(name)) {
-              pkgList.push({
-                name,
-                version: undefined,
-                scope: compScope,
-                evidence,
-                properties: [
-                  ...properties,
-                  {
-                    name: "cdx:pypi:versionSpecifiers",
-                    value: versionSpecifiers?.length
-                      ? versionSpecifiers
-                      : undefined,
-                  },
-                ],
-              });
-            }
-          }
-        } else if (l) {
-          if (l.includes("#")) {
-            l = l.split("#")[0];
-          }
-          l = l.trim();
-          const tmpA = l.split(/([<>])/);
-          if (tmpA && tmpA.length === 3) {
-            const name = tmpA[0].trim().replace(";", "");
-            const versionSpecifiers = l.replace(name, "");
-            if (!PYTHON_STD_MODULES.includes(name)) {
-              pkgList.push({
-                name,
-                version: undefined,
-                scope: compScope,
-                evidence,
-                properties: [
-                  {
-                    name: "cdx:pypi:versionSpecifiers",
-                    value: versionSpecifiers?.length
-                      ? versionSpecifiers
-                      : undefined,
-                  },
-                ],
-              });
-            }
-          } else if (!l.includes(" ")) {
-            const name = l.replace(";", "");
-            const versionSpecifiers = l.replace(name, "");
-            if (!PYTHON_STD_MODULES.includes(name)) {
-              pkgList.push({
-                name,
-                version: null,
-                scope: compScope,
-                evidence,
-                properties: [
-                  {
-                    name: "cdx:pypi:versionSpecifiers",
-                    value: versionSpecifiers?.length
-                      ? versionSpecifiers
-                      : undefined,
-                  },
-                ],
-              });
-            }
-          }
+      }
+      if (properties.length) {
+        apkg.properties = properties;
+      }
+      pkgList.push(apkg);
+    } else {
+      const match = l.match(/^([a-zA-Z0-9_\-\.]+)(.*)$/);
+      if (!match) {
+        continue;
+      }
+      const [, name, versionSpecifiers] = match;
+      if (PYTHON_STD_MODULES.includes(name)) {
+        continue;
+      }
+      const versionMatch = versionSpecifiers.match(
+        /(==|!=|<=|>=|<|>|~=)([0-9.a-zA-Z_*\-+]*)/,
+      );
+      let version = null;
+      if (versionMatch) {
+        version = versionMatch[2].replace("*", "0") || null;
+        if (version === "0") version = null;
+      }
+      const apkg = {
+        name,
+        version,
+        scope: compScope,
+        evidence,
+      };
+      if (versionSpecifiers && !versionSpecifiers.startsWith("==")) {
+        properties.push({
+          name: "cdx:pypi:versionSpecifiers",
+          value: versionSpecifiers.trim(),
+        });
+      }
+      if (markers) {
+        properties.push({
+          name: "cdx:pip:markers",
+          value: markers,
+        });
+        if (structuredMarkers && structuredMarkers.length > 0) {
+          properties.push({
+            name: "cdx:pip:structuredMarkers",
+            value: JSON.stringify(structuredMarkers),
+          });
         }
       }
-    });
+      if (properties.length) {
+        apkg.properties = properties;
+      }
+      pkgList.push(apkg);
+    }
+  }
   return await getPyMetadata(pkgList, fetchDepsInfo);
 }
 
+/**
+ * Parse environment markers into structured format
+ *
+ * @param {String} markersStr Raw markers string
+ * @returns {Array<Object>} Structured markers array
+ */
+export function parseReqEnvMarkers(markersStr) {
+  if (!markersStr) return [];
+
+  const markers = [];
+  const tokens = markersStr
+    .replace(/\s+/g, " ")
+    .trim()
+    .split(/\s+(and|or)\s+/gi)
+    .filter((token) => token.trim());
+  for (const token of tokens) {
+    if (token.toLowerCase() === "and" || token.toLowerCase() === "or") {
+      markers.push({
+        operator: token.toLowerCase(),
+      });
+    } else {
+      const match = token.match(
+        /([a-zA-Z_]+)\s*(==|!=|<=|>=|<|>)\s*["']?([^"']*)["']?/,
+      );
+      if (match) {
+        markers.push({
+          variable: match[1],
+          operator: match[2],
+          value: match[3],
+        });
+      } else {
+        // Add as raw token if parsing fails
+        markers.push({
+          raw: token,
+        });
+      }
+    }
+  }
+  return markers;
+}
+
 /**
  * Method to find python modules by parsing the imports and then checking with PyPI to obtain the latest version
  *
@@ -12350,10 +12356,14 @@ export function multiChecksumFile(algorithms, path) {
     const stream = createReadStream(path);
     stream.on("error", (err) => reject(err));
     stream.on("data", (chunk) =>
-      algorithms.forEach((alg) => hashes[alg].update(chunk)),
+      algorithms.forEach((alg) => {
+        hashes[alg].update(chunk);
+      }),
     );
     stream.on("end", () => {
-      algorithms.forEach((alg) => (hashes[alg] = hashes[alg].digest("hex")));
+      algorithms.forEach((alg) => {
+        hashes[alg] = hashes[alg].digest("hex");
+      });
       resolve(hashes);
     });
   });
@@ -13193,9 +13203,9 @@ export async function parsePodfileLock(podfileLock, projectPath) {
     }
     for (const [dependencyName, dependency] of dependencies) {
       if (dependency.dependencies) {
-        dependency.dependencies.forEach(
-          (dep) => (dep.name = dep.name.split("/")[0]),
-        );
+        dependency.dependencies.forEach((dep) => {
+          dep.name = dep.name.split("/")[0];
+        });
         dependency.dependencies = [
           ...new Map(
             dependency.dependencies
@@ -13542,13 +13552,15 @@ async function fullScanCocoaPod(dependency, component, options) {
   if (podspec.authors) {
     component.authors = [];
     if (podspec.authors.constructor === Object) {
-      Object.entries(podspec.authors).forEach(([name, email]) =>
+      Object.entries(podspec.authors).forEach(([name, email]) => {
         email.includes("@")
           ? component.authors.push({ name, email })
-          : component.authors.push({ name }),
-      );
+          : component.authors.push({ name });
+      });
     } else if (podspec.authors.constructor === Array) {
-      podspec.authors.forEach((name) => component.authors.push({ name }));
+      podspec.authors.forEach((name) => {
+        component.authors.push({ name });
+      });
     } else {
       component.authors.push({ name: podspec.authors });
     }
@@ -14443,7 +14455,13 @@ export async function getPipFrozenTree(
             console.log(
               "Possible build errors detected with 'pip install'. Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot.",
             );
-            console.log(result.stderr.split("\n").slice(0, 5));
+            if (result?.stderr?.includes("No module named pip")) {
+              console.log(
+                "Using uv? Run uv pip install command prior to running cdxgen.",
+              );
+            } else {
+              console.log(result.stderr.split("\n").slice(0, 5));
+            }
           }
           console.warn(
             "This project does not support python with version types. Use an appropriate container image such as `ghcr.io/appthreat/cdxgen-python39:v11` or `ghcr.io/appthreat/cdxgen-python311:v11` and invoke cdxgen with `-t python` instead.\n",
@@ -14534,13 +14552,19 @@ export async function getPipFrozenTree(
                 "Installation of build dependencies failed. Perhaps the user is using the wrong cdxgen container image? Should I recommend raising a GitHub issue?",
               );
             }
-            console.log(
-              "Possible build errors detected. Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot.",
-            );
             // Bug #1640. result.stderr is null here despite the process erroring with a non-zero value.
             // How do we reproduce this with repo tests?
             if (result?.stderr) {
-              console.log(result.stderr?.split("\n")?.slice(0, 5));
+              if (result?.stderr?.includes("No module named pip")) {
+                console.log(
+                  "Using uv? Run uv pip install command prior to running cdxgen.",
+                );
+              } else {
+                console.log(
+                  "Possible build errors detected. Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot.",
+                );
+                console.log(result.stderr?.split("\n")?.slice(0, 5));
+              }
             }
           }
         }