npm - @cyclonedx/cdxgen - Versions diffs - 12.1.2 → 12.1.4 - Mend

@cyclonedx/cdxgen 12.1.2 → 12.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/README.md +11 -9
package/bin/cdxgen.js +1 -1
package/lib/cli/index.js +9 -5
package/lib/evinser/evinser.js +2 -8
package/lib/helpers/display.js +1 -1
package/lib/helpers/envcontext.js +10 -2
package/lib/helpers/utils.js +462 -86
package/lib/helpers/utils.poku.js +179 -2
package/lib/helpers/validator.js +8 -5
package/lib/managers/docker.getConnection.poku.js +61 -0
package/lib/managers/docker.js +36 -23
package/lib/parsers/iri.js +1 -2
package/lib/server/server.js +164 -34
package/lib/server/server.poku.js +232 -10
package/lib/stages/postgen/annotator.js +281 -3
package/lib/stages/postgen/postgen.js +4 -7
package/lib/third-party/arborist/lib/diff.js +1 -1
package/lib/third-party/arborist/lib/node.js +1 -1
package/lib/third-party/arborist/lib/yarn-lock.js +1 -1
package/package.json +22 -328
package/types/bin/dependencies.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +39 -39
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +19 -19
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/evinser/swiftsem.d.ts +14 -14
package/types/lib/evinser/swiftsem.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +1 -1
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/db.d.ts +2 -2
package/types/lib/helpers/db.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +2 -2
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/envcontext.d.ts +14 -14
package/types/lib/helpers/envcontext.d.ts.map +1 -1
package/types/lib/helpers/logger.d.ts +1 -1
package/types/lib/helpers/logger.d.ts.map +1 -1
package/types/lib/helpers/protobom.d.ts +4 -2
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +103 -88
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/helpers/validator.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +2 -2
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts +2 -2
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/parsers/iri.d.ts +6 -6
package/types/lib/parsers/iri.d.ts.map +1 -1
package/types/lib/server/server.d.ts +14 -0
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts +3 -3
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +5 -5
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/pregen/pregen.d.ts +6 -6
package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/arborist/index.d.ts +4 -3
package/types/lib/third-party/arborist/lib/arborist/index.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/can-place-dep.d.ts +5 -5
package/types/lib/third-party/arborist/lib/can-place-dep.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/case-insensitive-map.d.ts +4 -4
package/types/lib/third-party/arborist/lib/case-insensitive-map.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/diff.d.ts +3 -3
package/types/lib/third-party/arborist/lib/diff.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/edge.d.ts +2 -2
package/types/lib/third-party/arborist/lib/edge.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/gather-dep-set.d.ts +1 -1
package/types/lib/third-party/arborist/lib/gather-dep-set.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/inventory.d.ts +3 -2
package/types/lib/third-party/arborist/lib/inventory.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/link.d.ts +10 -7
package/types/lib/third-party/arborist/lib/link.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +8 -8
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/optional-set.d.ts +1 -1
package/types/lib/third-party/arborist/lib/optional-set.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/override-set.d.ts +3 -3
package/types/lib/third-party/arborist/lib/override-set.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/peer-entry-sets.d.ts +1 -1
package/types/lib/third-party/arborist/lib/peer-entry-sets.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/place-dep.d.ts +3 -3
package/types/lib/third-party/arborist/lib/place-dep.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/shrinkwrap.d.ts +7 -7
package/types/lib/third-party/arborist/lib/shrinkwrap.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/version-from-tgz.d.ts +1 -1
package/types/lib/third-party/arborist/lib/version-from-tgz.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/yarn-lock.d.ts +4 -3
package/types/lib/third-party/arborist/lib/yarn-lock.d.ts.map +1 -1
package/bin/dependencies.js +0 -131
package/bin/licenses.js +0 -78
package/lib/helpers/dependencies.poku.js +0 -11
package/lib/helpers/licenses.poku.js +0 -11
package/types/lib/third-party/arborist/lib/arborist/load-actual.d.ts +0 -34
package/types/lib/third-party/arborist/lib/arborist/load-actual.d.ts.map +0 -1
package/types/lib/third-party/arborist/lib/arborist/load-virtual.d.ts +0 -24
package/types/lib/third-party/arborist/lib/arborist/load-virtual.d.ts.map +0 -1
package/types/lib/third-party/arborist/lib/tracker.d.ts +0 -13
package/types/lib/third-party/arborist/lib/tracker.d.ts.map +0 -1

package/README.md CHANGED Viewed

@@ -1,3 +1,4 @@
+[![SBOM](https://img.shields.io/badge/SBOM-with_%E2%9D%A4%EF%B8%8F_by_cdxgen-FF753D)](https://github.com/cdxgen/cdxgen)
 [![JSR][badge-jsr]][jsr-cdxgen]
 [![NPM][badge-npm]][npmjs-cdxgen]
 [![GitHub Releases][badge-github-releases]][github-releases]
@@ -50,13 +51,6 @@ Sections include:
 ## Usage
-## For Contributors / Developers
-```shell
-pnpm install
-pnpm dlx cdxgen
-```
 ## Installing
 ```shell
@@ -78,7 +72,7 @@ $ brew install cdxgen
 If you are a [Winget][winget-homepage] user on windows, you can also install cdxgen via:
 ```shell
-$ winget install cdxgen
+winget install cdxgen
 ```
 Deno and bun runtime can be used with limited support.
@@ -110,7 +104,7 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^11.0.0";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.1.0";
 ```
 ## Getting Help
@@ -604,6 +598,14 @@ cdxgen is an OWASP Foundation production project.
 [<img src="https://owasp.org/assets/images/logo.png" width="20%" />](https://owasp.org)
+## cdxgen badge
+Copy the below block to your markdown files to show your ❤️ for cdxgen.
+```markdown
+[![SBOM](https://img.shields.io/badge/SBOM-with_%E2%9D%A4%EF%B8%8F_by_cdxgen-FF753D)](https://github.com/cdxgen/cdxgen)
+```
 <!-- LINK LABELS -->
 <!-- Badges -->

package/bin/cdxgen.js CHANGED Viewed

@@ -1114,7 +1114,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
     thoughtLog("BOM file is also available in .proto format!");
   }
-  if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
+  if (options.print && bomNSData.bomJson?.components) {
     printSummary(bomNSData.bomJson);
     if (options.includeFormulation) {
       printFormulation(bomNSData.bomJson);

package/lib/cli/index.js CHANGED Viewed

@@ -2883,7 +2883,7 @@ export async function createNodejsBom(path, options) {
   // Only perform npm install for smaller projects (< 2 package.json) without the correct number of lock files
   if (
     (pkgJsonLockFiles?.length === 0 ||
-      pkgJsonLockFiles?.length < pkgJsonFiles?.length) &&
+      pkgJsonLockFiles?.length < pkgJsonFiles?.length - 1) &&
     yarnLockFiles?.length === 0 &&
     pnpmLockFiles?.length === 0 &&
     pkgJsonFiles?.length <= npmInstallCount &&
@@ -2930,11 +2930,15 @@ export async function createNodejsBom(path, options) {
           process.env[`${pkgMgr.toUpperCase()}_INSTALL_ARGS`].split(" ");
         installArgs = installArgs.concat(addArgs);
       }
-      if (pkgMgr === "npm" && isSecureMode) {
+      // Always invoke the install command with ignore-scripts to guard against version spoofing
+      if (["npm", "pnpm", "yarn"].includes(pkgMgr)) {
         if (!installArgs.includes("--ignore-scripts")) {
           installArgs.push("--ignore-scripts");
         }
-        if (!installArgs.includes("--no-audit")) {
+        if (pkgMgr === "pnpm") {
+          installArgs.push("--ignore-pnpmfile");
+        }
+        if (pkgMgr === "npm" && !installArgs.includes("--no-audit")) {
           installArgs.push("--no-audit");
         }
       }
@@ -3957,7 +3961,7 @@ export async function createPythonBom(path, options) {
       metadataFilename = reqDirFiles.join(", ");
     } else if (reqFiles?.length) {
       for (const f of reqFiles) {
-        const dlist = await parseReqFile(f, true);
+        const dlist = await parseReqFile(f, false);
         if (dlist?.length) {
           pkgList = pkgList.concat(dlist);
         }
@@ -7061,7 +7065,7 @@ export async function createCsharpBom(path, options) {
     }
   }
   // Parent dependency tree
-  if (parentDependsOn.size && parentComponent && parentComponent["bom-ref"]) {
+  if (parentDependsOn.size && parentComponent?.["bom-ref"]) {
     dependencies.splice(0, 0, {
       ref: parentComponent["bom-ref"],
       dependsOn: Array.from(parentDependsOn).sort(),

package/lib/evinser/evinser.js CHANGED Viewed

@@ -1248,8 +1248,7 @@ export function detectServicesFromUsages(language, slice, servicesMap = {}) {
 export function detectServicesFromUDT(language, userDefinedTypes, servicesMap) {
   if (
     ["python", "py", "c", "cpp", "c++", "php", "ruby"].includes(language) &&
-    userDefinedTypes &&
-    userDefinedTypes.length
+    userDefinedTypes?.length
   ) {
     for (const audt of userDefinedTypes) {
       if (
@@ -1270,12 +1269,7 @@ export function detectServicesFromUDT(language, userDefinedTypes, servicesMap) {
         audt.name.toLowerCase().includes("connect")
       ) {
         const fields = audt.fields || [];
-        if (
-          fields.length &&
-          fields[0] &&
-          fields[0].name &&
-          fields[0].name.length > 1
-        ) {
+        if (fields.length && fields[0]?.name && fields[0].name.length > 1) {
           const endpoints = extractEndpoints(language, fields[0].name);
           let serviceName = "service";
           if (audt.fileName) {

package/lib/helpers/display.js CHANGED Viewed

@@ -14,7 +14,7 @@ const SYMBOLS_ANSI = {
 const MAX_TREE_DEPTH = 6;
 const highlightStr = (s, highlight) => {
-  if (highlight && s && s.includes(highlight)) {
+  if (highlight && s?.includes(highlight)) {
     s = s.replaceAll(highlight, `\x1b[1;33m${highlight}\x1b[0m`);
   }
   return s;

package/lib/helpers/envcontext.js CHANGED Viewed

@@ -200,9 +200,17 @@ export function collectDotnetInfo(dir) {
  * @returns Object containing python details
  */
 export function collectPythonInfo(dir) {
-  const versionDesc = getCommandOutput(getPythonCommand(), dir, ["--version"]);
+  const versionDesc = getCommandOutput(getPythonCommand(), dir, [
+    "-S",
+    "--version",
+  ]);
   const moduleDesc =
-    getCommandOutput(getPythonCommand(), dir, ["-m", "pip", "--version"]) || "";
+    getCommandOutput(getPythonCommand(), dir, [
+      "-S",
+      "-m",
+      "pip",
+      "--version",
+    ]) || "";
   if (versionDesc) {
     return {
       type: "platform",