@cyclonedx/cdxgen 12.1.1 → 12.1.2

package/lib/cli/index.js

@@ -4379,7 +4379,7 @@ export async function createGoBom(path, options) {
     ) {
       for (const f of sortedGomodFiles) {
         const basePath = dirname(f);
-        // Ignore vendor packages
+        // Ignore vendor packages and test fixtures
         if (
           basePath.includes("/vendor/") ||
           basePath.includes("/build/") ||
@@ -4391,13 +4391,14 @@ export async function createGoBom(path, options) {
         if (DEBUG_MODE) {
           console.log("Executing go list -deps in", basePath);
         }
+        // TODO: Replacing this with -json gives us more interesting data points such as GoFiles, Imports, and Deps
         let result = safeSpawnSync(
           "go",
           [
             "list",
             "-deps",
             "-f",
-            "'{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}} {{.Main}}{{end}}'",
+            "'{{with .Module}}{{.Path}}|{{.Version}}|{{.Indirect}}|{{.GoMod}}|{{.GoVersion}}|{{.Main}}|{{.Time}}|{{.Deprecated}}|{{.GoModSum}}|{{.Dir}}{{end}}'",
             "./...",
           ],
           {
@@ -6407,6 +6408,7 @@ export async function createRubyBom(path, options) {
   const gemLockExcludeList = (options.exclude || []).concat([
     "**/vendor/bundle/ruby/**/Gemfile.lock",
     "**/test/data/**/Gemfile*.lock",
+    "**/.rbenv/versions/**/Gemfile.lock",
   ]);
   if (!hasAnyProjectType(["oci"], options, false)) {
     excludeList.push("**/vendor/bundle/**");
@@ -6509,6 +6511,7 @@ export async function createRubyBom(path, options) {
     }
   }
   // Parsing .gemspec files would help us get more metadata such as description, authors, licenses etc
+  let rootGemspecComponent;
   if (gemspecFiles.length) {
     if (!gemLockFiles.length && !hasAnyProjectType(["oci"], options, false)) {
       console.log(
@@ -6522,8 +6525,33 @@ export async function createRubyBom(path, options) {
       if (gpkgList.length) {
         pkgList = pkgList.concat(gpkgList);
         pkgList = trimComponents(pkgList);
+        if (
+          !rootGemspecComponent &&
+          dirname(resolve(f)) === resolve(path) &&
+          gpkgList[0]?.name
+        ) {
+          rootGemspecComponent = gpkgList[0];
+        }
       }
     }
+    if (
+      rootGemspecComponent &&
+      !("project-name" in options) &&
+      options.projectName === undefined
+    ) {
+      parentComponent.name = rootGemspecComponent.name;
+      parentComponent.version = rootGemspecComponent.version || "latest";
+      const parentPurl = new PackageURL(
+        "gem",
+        parentComponent.group,
+        parentComponent.name,
+        parentComponent.version,
+        null,
+        null,
+      ).toString();
+      parentComponent["bom-ref"] = decodeURIComponent(parentPurl);
+      parentComponent["purl"] = parentPurl;
+    }
   }
   if (rootList.length) {
     dependencies = mergeDependencies(

package/lib/helpers/licenses.poku.js

@@ -0,0 +1,11 @@
+import { assert, it } from "poku";
+
+import { checkLicenses } from "../../bin/licenses.js";
+
+it("checks dependency licenses", async () => {
+  assert.equal(
+    checkLicenses(),
+    0,
+    "There shouldn't have been license discrepancies",
+  );
+});

package/lib/helpers/utils.js

@@ -7257,18 +7257,20 @@ export async function parseGoModData(goModData, gosumMap) {
       isTool = false;
       continue;
     }
-    if (l.includes("tool ")) {
+    if (l.includes("tool ") || isTool) {
       continue;
     }
-    if (isTool) {
+    if (l.startsWith("toolchain ")) {
+      const toolchainVer = l.split(" ").pop().trim();
+      parentComponent.properties = [
+        { name: "cdx:go:toolchain", value: toolchainVer },
+      ];
       continue;
     }
-
     // Skip go.mod file headers, whitespace, and/or comments
     if (
       l.startsWith("go ") ||
       //TODO: should toolchain be considered as a dependency
-      l.startsWith("toolchain ") ||
       l.includes(")") ||
       l.trim() === "" ||
       l.trim().startsWith("//")
@@ -7378,14 +7380,17 @@ export async function parseGoListDep(rawOutput, gosumMap) {
       .split("\n")
       .filter((p) => p.trim().replace(/["']/g, "").length);
     for (const l of pkgs) {
-      const verArr = l.trim().replace(/["']/g, "").split(" ");
+      const verArr = l.trim().replace(/["']/g, "").split("|");
       if (verArr && verArr.length >= 5) {
         const key = `${verArr[0]}-${verArr[1]}`;
         // Filter duplicates
         if (!keys_cache[key]) {
           keys_cache[key] = key;
           const version = verArr[1];
-          const gosumHash = gosumMap[`${verArr[0]}@${version}`];
+          let gosumHash = gosumMap[`${verArr[0]}@${version}`];
+          if (!gosumHash && verArr.length >= 8 && verArr[8]?.length) {
+            gosumHash = `sha256-${verArr[8].replace("h1:", "")}`;
+          }
           const component = await getGoPkgComponent(
             "",
             verArr[0],
@@ -7412,6 +7417,43 @@ export async function parseGoListDep(rawOutput, gosumMap) {
               value: verArr[2],
             },
           ];
+          if (
+            verArr.length >= 6 &&
+            verArr[6]?.length &&
+            verArr[6] !== "<nil>"
+          ) {
+            component.properties.push({
+              name: "cdx:go:creation_time",
+              value: verArr[6],
+            });
+          }
+          if (verArr.length >= 7 && verArr[7]?.length) {
+            component.properties.push({
+              name: "cdx:go:deprecated",
+              value: verArr[7],
+            });
+          }
+          if (verArr.length >= 9 && verArr[9]?.length) {
+            component.properties.push({
+              name: "cdx:go:local_dir",
+              value: verArr[9],
+            });
+            if (safeExistsSync(join(verArr[9], "LICENSE"))) {
+              const licenseText = readFileSync(join(verArr[9], "LICENSE"), {
+                encoding: "utf-8",
+              });
+              if (licenseText?.length) {
+                component.licenses = [
+                  {
+                    license: {
+                      name: "CUSTOM",
+                      text: { contentType: "text/plain", content: licenseText },
+                    },
+                  },
+                ];
+              }
+            }
+          }
           if (verArr.length > 5 && verArr[5] === "true") {
             parentComponent = component;
           } else {
@@ -16059,29 +16101,24 @@ export function parseCmakeLikeFile(cmakeListFile, pkgType, options = {}) {
         }
       }
     } else if (l.includes("dependency(")) {
-      let tmpA = l.split("dependency(");
-      if (tmpA?.length) {
-        if (!l.includes("_dependency") && !l.includes(".dependency")) {
-          tmpA = tmpA[tmpA.length - 1]
-            .split(", ")
-            .map((v) => v.replace(/['" )]/g, ""));
-          if (tmpA.length) {
-            name_list.push(tmpA[0]);
-            if (tmpA.length > 2 && tmpA[1].startsWith("version")) {
-              const tmpB = tmpA[1].split("version:");
-              if (tmpB && tmpB.length === 2) {
-                if (tmpB[1].includes(">") || tmpB[1].includes("<")) {
-                  // We have a version specifier
-                  versionSpecifiersMap[tmpA[0]] = tmpB[1];
-                } else if (
-                  /^\d+/.test(tmpB[1]) &&
-                  !tmpB[1].includes("${") &&
-                  !tmpB[1].startsWith("@")
-                ) {
-                  // We have a valid version
-                  versionsMap[tmpA[0]] = tmpB[1];
-                }
-              }
+      if (!l.includes("_dependency") && !l.includes(".dependency")) {
+        const depMatch = l.match(/dependency\(\s*['"]?([^'",)\s]+)['"]?/);
+        const depName = depMatch?.[1]?.trim();
+        if (depName) {
+          name_list.push(depName);
+          const versionMatch = l.match(/version\s*:\s*['"]?([^'",)\s]+)['"]?/);
+          const depVersion = versionMatch?.[1]?.trim();
+          if (depVersion) {
+            if (depVersion.includes(">") || depVersion.includes("<")) {
+              // We have a version specifier
+              versionSpecifiersMap[depName] = depVersion;
+            } else if (
+              /^\d+/.test(depVersion) &&
+              !depVersion.includes("${") &&
+              !depVersion.startsWith("@")
+            ) {
+              // We have a valid version
+              versionsMap[depName] = depVersion;
             }
           }
         }

package/lib/helpers/utils.poku.js

@@ -1475,7 +1475,7 @@ describe("go data with licenses", () => {
 });
 
 it("parse go list dependencies", async () => {
-  const retMap = await parseGoListDep(
+  let retMap = await parseGoListDep(
     readFileSync("./test/data/golist-dep.txt", { encoding: "utf-8" }),
     {},
   );
@@ -1502,6 +1502,11 @@ it("parse go list dependencies", async () => {
       },
     ],
   });
+  retMap = await parseGoListDep(
+    readFileSync("./test/data/golist-dep3.txt", { encoding: "utf-8" }),
+    {},
+  );
+  assert.deepStrictEqual(retMap.pkgList.length, 291);
 });
 
 it("parse go mod graph", async () => {
@@ -7645,6 +7650,21 @@ it("parseCmakeLikeFile tests", () => {
     version: "20230125.1",
   });
   assert.deepStrictEqual(retMap.pkgList.length, 2);
+
+  retMap = parseCmakeLikeFile(
+    "./test/data/meson-empty-dependency.build",
+    "conan",
+  );
+  assert.deepStrictEqual(retMap.parentComponent, {
+    "bom-ref": "pkg:conan/empty-dep-test",
+    group: "",
+    name: "empty-dep-test",
+    purl: "pkg:conan/empty-dep-test",
+    type: "application",
+    version: "",
+  });
+  assert.deepStrictEqual(retMap.pkgList.length, 1);
+  assert.deepStrictEqual(retMap.pkgList[0].name, "threads");
 });
 
 it("parseMakeDFile tests", () => {

package/lib/helpers/validator.js

@@ -81,6 +81,8 @@ export const validateBom = (bomJson) => {
  *
  * @param {object} bomJson Bom json object
  */
+const PLACEHOLDER_COMPONENT_NAMES = new Set(["app", "application", "project"]);
+
 export const validateMetadata = (bomJson) => {
   const errorList = [];
   const warningsList = [];
@@ -107,6 +109,14 @@ export const validateMetadata = (bomJson) => {
           "Version is missing for metadata.component. Pass the version using --project-version argument.",
         );
       }
+      const metadataName = bomJson.metadata.component.name
+        ?.trim()
+        .toLowerCase();
+      if (metadataName && PLACEHOLDER_COMPONENT_NAMES.has(metadataName)) {
+        warningsList.push(
+          `metadata.component.name appears to be a placeholder ('${bomJson.metadata.component.name}'). Pass --project-name to set the correct parent component name.`,
+        );
+      }
       // Is the same component getting repeated inside the components block
       if (bomJson.metadata.component.components?.length) {
         for (const comp of bomJson.metadata.component.components) {
@@ -198,6 +208,27 @@ export const validatePurls = (bomJson) => {
           }
           // Catch the trivy version hack that removes the epoch from version
           const qualifiers = purlObj.qualifiers || {};
+          if (
+            Object.keys(qualifiers).length &&
+            [
+              "cargo",
+              "cocoapods",
+              "composer",
+              "cran",
+              "github",
+              "golang",
+              "hackage",
+              "nuget",
+              "opam",
+              "pub",
+              "qpkg",
+              "swift",
+            ].includes(purlObj.type)
+          ) {
+            warningsList.push(
+              `Qualifiers are usually not expected for the PURL type: ${purlObj.type}. Purl: ${comp.purl}, Qualifiers: ${Object.keys(qualifiers).join(", ")}.`,
+            );
+          }
           if (
             qualifiers.epoch &&
             !comp.version.startsWith(`${qualifiers.epoch}:`)

package/lib/managers/binary.js

@@ -7,7 +7,14 @@ import {
   statSync,
 } from "node:fs";
 import { arch as _arch, platform as _platform, homedir } from "node:os";
-import { basename, delimiter, dirname, join, resolve } from "node:path";
+import {
+  basename,
+  delimiter,
+  dirname,
+  join,
+  relative,
+  resolve,
+} from "node:path";
 import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
@@ -27,9 +34,11 @@ import {
   safeMkdirSync,
   safeSpawnSync,
 } from "../helpers/utils.js";
+import { getDirs } from "./containerutils.js";
 
 const dirName = dirNameStr;
 const isWin = _platform() === "win32";
+const OS_PURL_TYPES = ["deb", "apk", "rpm", "alpm", "qpkg"];
 
 function isMusl() {
   const result = safeSpawnSync("ldd", ["--version"]);
@@ -444,7 +453,20 @@ export async function getOSPackages(src, imageConfig) {
   const allTypes = new Set();
   const bundledSdks = new Set();
   const bundledRuntimes = new Set();
-  const binPaths = extractPathEnv(imageConfig?.Env);
+  let binPaths = extractPathEnv(imageConfig?.Env);
+  if (!binPaths?.length && DEBUG_MODE) {
+    const rootBinPaths = getDirs(src, "{sbin,bin}", true, false);
+    const usrBinPaths = getDirs(
+      src,
+      "/{app,opt,usr,home}/**/{sbin,bin}",
+      true,
+      true,
+    );
+    binPaths = binPaths
+      .concat(rootBinPaths)
+      .concat(usrBinPaths)
+      .map((f) => relative(src, f));
+  }
   if (TRIVY_BIN) {
     let imageType = "image";
     const trivyCacheDir = join(homedir(), ".cache", "trivy");
@@ -607,7 +629,7 @@ export async function getOSPackages(src, imageConfig) {
             } catch (_err) {
               // continue regardless of error
             }
-            if (group === "") {
+            if (group === "" && OS_PURL_TYPES.includes(purlObj["type"])) {
               try {
                 if (purlObj?.namespace && purlObj.namespace !== "") {
                   group = purlObj.namespace;
@@ -955,16 +977,16 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
         const tmpPurl = PackageURL.fromString(d.replace("none", compPurl.type));
         tmpPurl.type = compPurl.type;
         // FIXME: Check if this hack is still needed with the latest trivy
-        if (["deb", "apk", "rpm", "alpm", "qpkg"].includes(compPurl.type)) {
+        if (OS_PURL_TYPES.includes(compPurl.type)) {
           tmpPurl.namespace = compPurl.namespace;
-        }
-        tmpPurl.qualifiers = tmpPurl.qualifiers || {};
-        if (compPurl.qualifiers) {
-          if (compPurl.qualifiers.distro_name) {
-            tmpPurl.qualifiers.distro_name = compPurl.qualifiers.distro_name;
-          }
-          if (compPurl.qualifiers.distro) {
-            tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
+          tmpPurl.qualifiers = tmpPurl.qualifiers || {};
+          if (compPurl.qualifiers) {
+            if (compPurl.qualifiers.distro_name) {
+              tmpPurl.qualifiers.distro_name = compPurl.qualifiers.distro_name;
+            }
+            if (compPurl.qualifiers.distro) {
+              tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
+            }
           }
         }
         if (tmpPurl.qualifiers) {

package/lib/managers/containerutils.js

@@ -0,0 +1,68 @@
+import { lstatSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+
+import { globSync } from "glob";
+
+import { safeExistsSync } from "../helpers/utils.js";
+
+/**
+ * Method to get all dirs matching a name
+ *
+ * @param {string} dirPath Root directory for search
+ * @param {string} dirName Directory name
+ * @param {boolean} hidden Include hidden directories and files. Default: false
+ * @param {boolean} recurse Recurse. Default: false
+ */
+export const getDirs = (dirPath, dirName, hidden = false, recurse = true) => {
+  try {
+    return globSync(`${recurse ? "**" : ""}${dirName}`, {
+      cwd: dirPath,
+      absolute: true,
+      nocase: true,
+      nodir: false,
+      follow: false,
+      dot: hidden,
+    });
+  } catch (_err) {
+    return [];
+  }
+};
+
+function flatten(lists) {
+  return lists.reduce((a, b) => a.concat(b), []);
+}
+
+function getDirectories(srcpath) {
+  if (safeExistsSync(srcpath)) {
+    return readdirSync(srcpath)
+      .map((file) => join(srcpath, file))
+      .filter((path) => {
+        try {
+          return statSync(path).isDirectory();
+        } catch (_e) {
+          return false;
+        }
+      });
+  }
+  return [];
+}
+
+export const getOnlyDirs = (srcpath, dirName) => {
+  return [
+    srcpath,
+    ...flatten(
+      getDirectories(srcpath)
+        .map((p) => {
+          try {
+            if (safeExistsSync(p) && lstatSync(p).isDirectory()) {
+              return getOnlyDirs(p, dirName);
+            }
+            return [];
+          } catch (_err) {
+            return [];
+          }
+        })
+        .filter((p) => p !== undefined),
+    ),
+  ].filter((d) => d.endsWith(dirName));
+};

package/lib/managers/docker.js

@@ -6,7 +6,6 @@ import {
   readdirSync,
   readFileSync,
   rmSync,
-  statSync,
 } from "node:fs";
 import { platform as _platform, userInfo as _userInfo, homedir } from "node:os";
 import { basename, join, resolve, win32 } from "node:path";
@@ -14,7 +13,6 @@ import process from "node:process";
 import stream from "node:stream/promises";
 import { URL } from "node:url";
 
-import { globSync } from "glob";
 import got from "got";
 import { x } from "tar";
 
@@ -27,6 +25,7 @@ import {
   safeMkdirSync,
   safeSpawnSync,
 } from "../helpers/utils.js";
+import { getDirs, getOnlyDirs } from "./containerutils.js";
 
 export const isWin = _platform() === "win32";
 export const DOCKER_HUB_REGISTRY = "docker.io";
@@ -156,67 +155,6 @@ export function detectRancherDesktop() {
 
 // Cache the registry auth keys
 const registry_auth_keys = {};
-
-/**
- * Method to get all dirs matching a name
- *
- * @param {string} dirPath Root directory for search
- * @param {string} dirName Directory name
- */
-export const getDirs = (dirPath, dirName, hidden = false, recurse = true) => {
-  try {
-    return globSync(recurse ? "**/" : `${dirName}`, {
-      cwd: dirPath,
-      absolute: true,
-      nocase: true,
-      nodir: false,
-      follow: false,
-      dot: hidden,
-    });
-  } catch (_err) {
-    return [];
-  }
-};
-
-function flatten(lists) {
-  return lists.reduce((a, b) => a.concat(b), []);
-}
-
-function getDirectories(srcpath) {
-  if (safeExistsSync(srcpath)) {
-    return readdirSync(srcpath)
-      .map((file) => join(srcpath, file))
-      .filter((path) => {
-        try {
-          return statSync(path).isDirectory();
-        } catch (_e) {
-          return false;
-        }
-      });
-  }
-  return [];
-}
-
-export const getOnlyDirs = (srcpath, dirName) => {
-  return [
-    srcpath,
-    ...flatten(
-      getDirectories(srcpath)
-        .map((p) => {
-          try {
-            if (safeExistsSync(p) && lstatSync(p).isDirectory()) {
-              return getOnlyDirs(p, dirName);
-            }
-            return [];
-          } catch (_err) {
-            return [];
-          }
-        })
-        .filter((p) => p !== undefined),
-    ),
-  ].filter((d) => d.endsWith(dirName));
-};
-
 const REQUEST_TIMEOUT_SECS = 60000;
 const getDefaultOptions = (forRegistry) => {
   let authTokenSet = false;
@@ -844,6 +782,33 @@ function handleAbsolutePath(entry) {
   }
 }
 
+/**
+ * Filter out problematic files, paths, and devices during tar extraction.
+ */
+function tarFilter(path, entry) {
+  const name = basename(path);
+  if (name.startsWith(".wh.")) {
+    return false;
+  }
+  const ext = win32.extname(name).toLowerCase();
+  if (MEDIA_EXTENSIONS.has(ext)) {
+    return false;
+  }
+  return !(
+    EXTRACT_EXCLUDE_PATHS.some((p) => path.includes(p)) ||
+    EXTRACT_EXCLUDE_TYPES.has(entry.type)
+  );
+}
+
+function handleTarWarning(code, message) {
+  if (code === "TAR_ENTRY_INFO" || code === "TAR_LONGLINK") {
+    return;
+  }
+  if (DEBUG_MODE) {
+    console.log(code, message);
+  }
+}
+
 // These paths are known to cause extract errors
 const EXTRACT_EXCLUDE_PATHS = [
   "etc/machine-id",
@@ -918,29 +883,9 @@ export const extractTar = async (fullImageName, dir, options) => {
         C: dir,
         portable: true,
         unlink: true,
-        onwarn: (code, message) => {
-          if (code === "TAR_ENTRY_INFO" || code === "TAR_LONGLINK") {
-            return;
-          }
-          if (DEBUG_MODE) {
-            console.log(code, message);
-          }
-        },
+        onwarn: handleTarWarning,
         onReadEntry: handleAbsolutePath,
-        filter: (path, entry) => {
-          const name = basename(path);
-          if (name.startsWith(".wh.")) {
-            return false;
-          }
-          const ext = win32.extname(name).toLowerCase();
-          if (MEDIA_EXTENSIONS.has(ext)) {
-            return false;
-          }
-          return !(
-            EXTRACT_EXCLUDE_PATHS.some((p) => path.includes(p)) ||
-            EXTRACT_EXCLUDE_TYPES.has(entry.type)
-          );
-        },
+        filter: tarFilter,
       }),
     );
     return true;
@@ -1238,19 +1183,17 @@ export const exportImage = async (fullImageName, options) => {
       await stream.pipeline(
         client.stream(`images/${fullImageName}/get`),
         x({
-          sync: true,
+          sync: false,
           preserveOwner: false,
           noMtime: true,
           noChmod: true,
           strict: !NON_STRICT_TAR_EXTRACT,
           C: tempDir,
           portable: true,
-          onwarn: (code, message) => {
-            if (DEBUG_MODE) {
-              console.log(code, message);
-            }
-          },
+          unlink: true,
+          onwarn: handleTarWarning,
           onReadEntry: handleAbsolutePath,
+          filter: tarFilter,
         }),
       );
     } catch (_err) {
@@ -1267,12 +1210,9 @@ export const exportImage = async (fullImageName, options) => {
               strict: !NON_STRICT_TAR_EXTRACT,
               C: tempDir,
               portable: true,
-              onwarn: (code, message) => {
-                if (DEBUG_MODE) {
-                  console.log(code, message);
-                }
-              },
+              onwarn: handleTarWarning,
               onReadEntry: handleAbsolutePath,
+              filter: tarFilter,
             }),
           );
         } catch (_err) {