@cyclonedx/cdxgen 12.1.2 → 12.1.4

package/lib/helpers/utils.poku.js

@@ -2592,10 +2592,11 @@ it("parse mix lock data", () => {
   });
 });
 
+// biome-ignore-start lint/suspicious/noTemplateCurlyInString: fp
 it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
-  assert.deepStrictEqual(dep_list.length, 7);
+  assert.deepStrictEqual(dep_list.length, 8);
   assert.deepStrictEqual(dep_list[0], {
     group: "actions",
     name: "checkout",
@@ -2606,10 +2607,43 @@ it("parse github actions workflow data", () => {
         name: "SrcFile",
         value: "./.github/workflows/nodejs.yml",
       },
+      {
+        name: "cdx:github:workflow:name",
+        value: "Node CI",
+      },
+      {
+        name: "cdx:github:job:name",
+        value: "read-node-versions",
+      },
+      {
+        name: "cdx:github:job:runner",
+        value: "ubuntu-latest",
+      },
+      {
+        name: "cdx:github:action:uses",
+        value: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+      },
+      {
+        name: "cdx:github:action:versionPinningType",
+        value: "sha",
+      },
+      {
+        name: "cdx:github:action:isShaPinned",
+        value: "true",
+      },
+      {
+        name: "cdx:github:workflow:concurrencyGroup",
+        value:
+          "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}",
+      },
       {
         name: "cdx:actions:isOfficial",
         value: "true",
       },
+      {
+        name: "cdx:github:workflow:triggers",
+        value: "pull_request,push,workflow_dispatch",
+      },
     ],
     evidence: {
       identity: {
@@ -2638,6 +2672,38 @@ it("parse github actions workflow data", () => {
           name: "SrcFile",
           value: "./test/data/github-actions-tj.yaml",
         },
+        {
+          name: "cdx:github:workflow:name",
+          value: "Testing",
+        },
+        {
+          name: "cdx:github:job:name",
+          value: "vulnerable-actions",
+        },
+        {
+          name: "cdx:github:job:runner",
+          value: "ubuntu-latest",
+        },
+        {
+          name: "cdx:github:action:uses",
+          value: "pixel/steamcmd@foo",
+        },
+        {
+          name: "cdx:github:action:versionPinningType",
+          value: "tag",
+        },
+        {
+          name: "cdx:github:action:isShaPinned",
+          value: "false",
+        },
+        {
+          name: "cdx:github:step:name",
+          value: "Test action 1",
+        },
+        {
+          name: "cdx:github:workflow:triggers",
+          value: "push,pull_request_target",
+        },
       ],
       evidence: {
         identity: {
@@ -2663,6 +2729,38 @@ it("parse github actions workflow data", () => {
           name: "SrcFile",
           value: "./test/data/github-actions-tj.yaml",
         },
+        {
+          name: "cdx:github:workflow:name",
+          value: "Testing",
+        },
+        {
+          name: "cdx:github:job:name",
+          value: "vulnerable-actions",
+        },
+        {
+          name: "cdx:github:job:runner",
+          value: "ubuntu-latest",
+        },
+        {
+          name: "cdx:github:action:uses",
+          value: "tj/branch@47dd",
+        },
+        {
+          name: "cdx:github:action:versionPinningType",
+          value: "tag",
+        },
+        {
+          name: "cdx:github:action:isShaPinned",
+          value: "false",
+        },
+        {
+          name: "cdx:github:step:name",
+          value: "Test action 2",
+        },
+        {
+          name: "cdx:github:workflow:triggers",
+          value: "push,pull_request_target",
+        },
       ],
       evidence: {
         identity: {
@@ -2688,6 +2786,38 @@ it("parse github actions workflow data", () => {
           name: "SrcFile",
           value: "./test/data/github-actions-tj.yaml",
         },
+        {
+          name: "cdx:github:workflow:name",
+          value: "Testing",
+        },
+        {
+          name: "cdx:github:job:name",
+          value: "vulnerable-actions",
+        },
+        {
+          name: "cdx:github:job:runner",
+          value: "ubuntu-latest",
+        },
+        {
+          name: "cdx:github:action:uses",
+          value: "tj/branch2@v0.0.18",
+        },
+        {
+          name: "cdx:github:action:versionPinningType",
+          value: "tag",
+        },
+        {
+          name: "cdx:github:action:isShaPinned",
+          value: "false",
+        },
+        {
+          name: "cdx:github:step:name",
+          value: "Test action 3",
+        },
+        {
+          name: "cdx:github:workflow:triggers",
+          value: "push,pull_request_target",
+        },
       ],
       evidence: {
         identity: {
@@ -2713,10 +2843,47 @@ it("parse github actions workflow data", () => {
           name: "SrcFile",
           value: "./test/data/github-actions-tj.yaml",
         },
+        {
+          name: "cdx:github:workflow:name",
+          value: "Testing",
+        },
+        {
+          name: "cdx:github:job:name",
+          value: "vulnerable-actions",
+        },
+        {
+          name: "cdx:github:job:runner",
+          value: "ubuntu-latest",
+        },
+        {
+          name: "cdx:github:action:uses",
+          value:
+            "github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3",
+        },
+        {
+          name: "cdx:github:action:versionPinningType",
+          value: "sha",
+        },
+        {
+          name: "cdx:github:action:isShaPinned",
+          value: "true",
+        },
+        {
+          name: "cdx:github:step:name",
+          value: "Upload to code-scanning",
+        },
         {
           name: "cdx:actions:isOfficial",
           value: "true",
         },
+        {
+          name: "cdx:actions:isVerified",
+          value: "true",
+        },
+        {
+          name: "cdx:github:workflow:triggers",
+          value: "push,pull_request_target",
+        },
       ],
       evidence: {
         identity: {
@@ -2734,8 +2901,9 @@ it("parse github actions workflow data", () => {
     },
   ]);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 14);
+  assert.deepStrictEqual(dep_list.length, 17);
 });
+// biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
 it("parse cs pkg data", () => {
   assert.deepStrictEqual(parseCsPkgData(null), []);
@@ -6275,6 +6443,15 @@ it("parse requirements.txt", async () => {
       assert.ok(!d.version.includes(";"));
     }
   }
+  deps = await parseReqFile(
+    "./test/data/req_files/requirements-with-license.txt",
+    false,
+  );
+  assert.deepStrictEqual(deps.length, 19);
+  for (const d of deps) {
+    assert.ok(d.licenses);
+    assert.ok(d.licenses.length);
+  }
 });
 
 it("parse pyproject.toml", () => {

package/lib/helpers/validator.js

@@ -9,6 +9,7 @@ import { thoughtLog } from "./logger.js";
 import { DEBUG_MODE, dirNameStr, isPartialTree } from "./utils.js";
 
 const dirName = dirNameStr;
+const PLACEHOLDER_COMPONENT_NAMES = new Set(["app", "application", "project"]);
 
 /**
  * Validate the generated bom using jsonschema
@@ -61,9 +62,13 @@ export const validateBom = (bomJson) => {
   );
   const isValid = validate(bomJson);
   if (!isValid) {
-    console.log(
-      `Schema validation failed for ${bomJson.metadata.component.name}`,
-    );
+    if (bomJson.metadata?.component?.name) {
+      console.log(
+        `Schema validation failed for ${bomJson.metadata.component.name}`,
+      );
+    } else {
+      console.log("Schema validation failed");
+    }
     console.log(validate.errors);
     return false;
   }
@@ -81,8 +86,6 @@ export const validateBom = (bomJson) => {
  *
  * @param {object} bomJson Bom json object
  */
-const PLACEHOLDER_COMPONENT_NAMES = new Set(["app", "application", "project"]);
-
 export const validateMetadata = (bomJson) => {
   const errorList = [];
   const warningsList = [];

package/lib/managers/docker.getConnection.poku.js

@@ -0,0 +1,61 @@
+import { existsSync } from "node:fs";
+import { userInfo as _userInfo } from "node:os";
+import process from "node:process";
+
+import { assert, it, skip } from "poku";
+
+import { getConnection, isWin } from "./docker.js";
+
+if (process.env.CI === "true" && (isWin || process.platform === "darwin")) {
+  skip("Skipping podman detection tests on Windows and Mac");
+}
+
+const uid = _userInfo().uid;
+const podmanSock = `/run/user/${uid}/podman/podman.sock`;
+const hasPodmanSocket = !isWin && existsSync(podmanSock);
+
+if (!hasPodmanSocket) {
+  skip("Skipping: podman rootless socket not available");
+}
+
+// Remove DOCKER_HOST to force auto-detection through the fallback chain.
+// Without the fix, getDefaultOptions sets podmanPrefixUrl and
+// podmanRootlessPrefixUrl on its return object, but getConnection's
+// Object.assign only copies standard got properties into opts. The fallback
+// code then reads opts.podmanRootlessPrefixUrl which is undefined, causing
+// got to receive an invalid URL and the detection to silently fail.
+const origDockerHost = process.env.DOCKER_HOST;
+delete process.env.DOCKER_HOST;
+
+await it("should detect podman rootless via auto-detection", async () => {
+  const conn = await getConnection({}, false);
+  assert.ok(
+    conn,
+    "getConnection must return a connection when podman rootless socket exists, got undefined",
+  );
+});
+
+await it("should return a functional connection that can ping", async () => {
+  const conn = await getConnection({}, false);
+  assert.ok(conn, "getConnection must return a connection");
+  // podman responds to both compat and native ping endpoints
+  let pingOk = false;
+  try {
+    const response = await conn.get("_ping");
+    pingOk = response.body === "OK";
+  } catch (_err) {
+    // fall through to libpod endpoint
+  }
+  if (!pingOk) {
+    const response = await conn.get("libpod/_ping");
+    pingOk = response.body === "OK";
+  }
+  assert.ok(pingOk, "connection must be able to ping the container runtime");
+});
+
+// Restore DOCKER_HOST
+if (origDockerHost !== undefined) {
+  process.env.DOCKER_HOST = origDockerHost;
+} else {
+  delete process.env.DOCKER_HOST;
+}

package/lib/managers/docker.js

@@ -30,6 +30,15 @@ import { getDirs, getOnlyDirs } from "./containerutils.js";
 export const isWin = _platform() === "win32";
 export const DOCKER_HUB_REGISTRY = "docker.io";
 
+/**
+ * Encode a value as base64url (RFC 4648 §5) with padding.
+ * Docker Engine decodes X-Registry-Auth with Go's base64.URLEncoding,
+ * which uses the URL-safe alphabet (-_ instead of +/) and expects = padding.
+ * Node's "base64url" omits padding, so we convert from standard base64.
+ */
+const toBase64Url = (value) =>
+  Buffer.from(value).toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
+
 // Should we extract the tar image in non-strict mode
 const NON_STRICT_TAR_EXTRACT = ["true", "1"].includes(
   process?.env?.NON_STRICT_TAR_EXTRACT,
@@ -209,9 +218,7 @@ const getDefaultOptions = (forRegistry) => {
       authPayload.password = process.env.DOCKER_PASSWORD;
     }
     opts.headers = {
-      "X-Registry-Auth": Buffer.from(JSON.stringify(authPayload)).toString(
-        "base64",
-      ),
+      "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
     };
   }
   if (!authTokenSet && safeExistsSync(join(DOCKER_CONFIG, "config.json"))) {
@@ -229,8 +236,20 @@ const getDefaultOptions = (forRegistry) => {
               continue;
             }
             if (configJson.auths[serverAddress].auth) {
+              // The Docker config stores auth as base64("user:pass").
+              // The X-Registry-Auth header expects base64-encoded JSON.
+              const decoded = Buffer.from(
+                configJson.auths[serverAddress].auth,
+                "base64",
+              ).toString();
+              const sepIdx = decoded.indexOf(":");
+              const authPayload = {
+                username: decoded.substring(0, sepIdx),
+                password: decoded.substring(sepIdx + 1),
+                serveraddress: serverAddress,
+              };
               opts.headers = {
-                "X-Registry-Auth": configJson.auths[serverAddress].auth,
+                "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
               };
               authTokenSet = true;
               break;
@@ -345,6 +364,8 @@ export const getConnection = async (options, forRegistry) => {
   }
   if (!dockerConn) {
     const defaultOptions = getDefaultOptions(forRegistry);
+    const podmanRootlessUrl = defaultOptions.podmanRootlessPrefixUrl;
+    const podmanRootUrl = defaultOptions.podmanPrefixUrl;
     const opts = Object.assign(
       {},
       {
@@ -352,7 +373,6 @@ export const getConnection = async (options, forRegistry) => {
         throwHttpErrors: defaultOptions.throwHttpErrors,
         method: defaultOptions.method,
         prefixUrl: defaultOptions.prefixUrl,
-        headers: defaultOptions.headers,
       },
       options,
     );
@@ -391,7 +411,7 @@ export const getConnection = async (options, forRegistry) => {
             console.log("Docker desktop on Windows detected.");
           }
         } else {
-          opts.prefixUrl = opts.podmanRootlessPrefixUrl;
+          opts.prefixUrl = podmanRootlessUrl;
           await got.get("libpod/_ping", opts);
           isPodman = true;
           isPodmanRootless = true;
@@ -404,7 +424,7 @@ export const getConnection = async (options, forRegistry) => {
         }
       } catch (_err) {
         try {
-          opts.prefixUrl = opts.podmanPrefixUrl;
+          opts.prefixUrl = podmanRootUrl;
           await got.get("libpod/_ping", opts);
           isPodman = true;
           isPodmanRootless = false;
@@ -446,24 +466,19 @@ export const makeRequest = async (path, method, forRegistry) => {
   if (!client) {
     return undefined;
   }
-  const extraOptions = {
+  // Use the client's prefixUrl (set correctly by getConnection for
+  // docker/podman). Only pass per-request auth headers and method options.
+  const defaultOptions = getDefaultOptions(forRegistry);
+  const opts = {
     responseType: method === "GET" ? "json" : "buffer",
     resolveBodyOnly: true,
     enableUnixSockets: true,
+    throwHttpErrors: true,
     method,
   };
-  const defaultOptions = getDefaultOptions(forRegistry);
-  const opts = Object.assign(
-    {},
-    {
-      enableUnixSockets: defaultOptions.enableUnixSockets,
-      throwHttpErrors: defaultOptions.throwHttpErrors,
-      method: defaultOptions.method,
-      prefixUrl: defaultOptions.prefixUrl,
-      headers: defaultOptions.headers,
-    },
-    extraOptions,
-  );
+  if (defaultOptions.headers) {
+    opts.headers = defaultOptions.headers;
+  }
   return await client(path, opts);
 };
 
@@ -1435,9 +1450,7 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
           authPayload.email || authPayload.username || process.env.DOCKER_USER,
         serveraddress: serverAddress,
       };
-      const authKey = Buffer.from(JSON.stringify(fixedAuthPayload)).toString(
-        "base64",
-      );
+      const authKey = toBase64Url(JSON.stringify(fixedAuthPayload));
       registry_auth_keys[serverAddress] = authKey;
       return authKey;
     } catch (_err) {

package/lib/parsers/iri.js

@@ -436,8 +436,7 @@ function validateParsedComponents(components) {
   // Special handling for IPv6 literals
   if (
     components.scheme &&
-    components.host &&
-    components.host.startsWith("[") &&
+    components.host?.startsWith("[") &&
     components.host.endsWith("]")
   ) {
     return components;