@cyclonedx/cdxgen 12.1.3 → 12.1.5

package/README.md

@@ -104,7 +104,7 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^11.0.0";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.1.0";
 ```
 
 ## Getting Help

package/bin/cdxgen.js

@@ -42,6 +42,7 @@ import {
 } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
+import { auditEnvironment } from "../lib/stages/pregen/env-audit.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
 
 // Support for config files
@@ -840,6 +841,17 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
 (async () => {
   // Display the sponsor banner
   printSponsorBanner(options);
+  // Our quest to audit and check the SBOM generation environment to prevent our users from getting exploited
+  // during SBOM generation.
+  const envWarnings = auditEnvironment();
+  if (envWarnings?.length) {
+    for (const w of envWarnings) {
+      console.log(`SECURE MODE: ${w}`);
+    }
+    if (isSecureMode) {
+      process.exit(1);
+    }
+  }
   // Start SBOM server
   if (options.server) {
     const serverModule = await import("../lib/server/server.js");

package/bin/repl.js

@@ -594,7 +594,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
 cdxgenRepl.defineCommand("licenses", {
   help: "visualize license distribution",
   async action() {
-    if (!sbom || !sbom.components) {
+    if (!sbom?.components) {
       console.log("⚠ No SBOM loaded.");
       this.displayPrompt();
       return;
@@ -649,7 +649,7 @@ cdxgenRepl.defineCommand("inspect", {
 cdxgenRepl.defineCommand("tagcloud", {
   help: "generate a text/tag cloud based on component descriptions and tags",
   action() {
-    if (!sbom || !sbom.components) {
+    if (!sbom?.components) {
       console.log("⚠ No SBOM loaded.");
       this.displayPrompt();
       return;

package/lib/cli/index.js

@@ -28,6 +28,7 @@ import { parseCaxaMetadata } from "../helpers/caxa.js";
 import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
   collectEnvInfo,
+  GIT_COMMAND,
   getBranch,
   getOriginUrl,
   gitTreeHashes,
@@ -188,6 +189,7 @@ import {
   getPkgPathList,
   parseImageName,
 } from "../managers/docker.js";
+import { DEFAULT_NPMRC_BLOCKLIST, parseNpmrc } from "../parsers/npmrc.js";
 
 const dirName = dirNameStr;
 
@@ -2879,17 +2881,17 @@ export async function createNodejsBom(path, options) {
   );
   const npmInstallCount =
     Number.parseInt(process.env.NPM_INSTALL_COUNT, 10) || 2;
+  let anyInstallSuccess = false;
   // Automatic npm install logic.
   // Only perform npm install for smaller projects (< 2 package.json) without the correct number of lock files
   if (
     (pkgJsonLockFiles?.length === 0 ||
-      pkgJsonLockFiles?.length < pkgJsonFiles?.length) &&
+      pkgJsonLockFiles?.length < pkgJsonFiles?.length - 1) &&
     yarnLockFiles?.length === 0 &&
     pnpmLockFiles?.length === 0 &&
     pkgJsonFiles?.length <= npmInstallCount &&
     options.installDeps
   ) {
-    let anyInstallSuccess = false;
     for (const apkgJson of pkgJsonFiles) {
       let pkgMgr = "npm";
       const supPkgMgrs = ["npm", "yarn", "yarnpkg", "pnpm", "pnpx"];
@@ -2930,21 +2932,58 @@ export async function createNodejsBom(path, options) {
           process.env[`${pkgMgr.toUpperCase()}_INSTALL_ARGS`].split(" ");
         installArgs = installArgs.concat(addArgs);
       }
-      if (pkgMgr === "npm" && isSecureMode) {
+      // Always invoke the install command with ignore-scripts to guard against version spoofing
+      if (["npm", "pnpm", "yarn"].includes(pkgMgr)) {
         if (!installArgs.includes("--ignore-scripts")) {
           installArgs.push("--ignore-scripts");
         }
-        if (!installArgs.includes("--no-audit")) {
-          installArgs.push("--no-audit");
+        if (pkgMgr === "pnpm") {
+          installArgs.push("--ignore-pnpmfile");
         }
+        if (pkgMgr === "npm") {
+          for (const c of ["--no-audit", "--no-bin-links"]) {
+            if (!installArgs.includes(c)) {
+              installArgs.push(c);
+            }
+          }
+          installArgs.push(`--git=${GIT_COMMAND}`);
+        }
+      }
+      if (
+        pkgMgr === "npm" &&
+        isSecureMode &&
+        !installArgs.join(" ").includes("--allow-git")
+      ) {
+        console.log(
+          "Consider passing '--allow-git=none' via the environment variable NPM_INSTALL_ARGS to prevent any git dependencies from being fetched and installed via npm.",
+        );
       }
       const basePath = dirname(apkgJson);
+      let npmrcData;
+      if (safeExistsSync(join(basePath, ".npmrc"))) {
+        thoughtLog(
+          "Wait, there is a .npmrc file here! I'm going to check if it has anything malicious.",
+        );
+        npmrcData = readFileSync(join(basePath, ".npmrc"), "utf-8");
+        const npmrcObj = parseNpmrc(npmrcData);
+        for (const [key, value] of Object.entries(npmrcObj)) {
+          const baseKey = key.replace(/^(?:\/\/[^/]+\/|@[^:]+:)/, "");
+          if (
+            DEFAULT_NPMRC_BLOCKLIST.has(baseKey) ||
+            DEFAULT_NPMRC_BLOCKLIST.has(key)
+          ) {
+            console.warn(
+              `\x1b[1;35mSECURE MODE: Dangerous configuration ${key}=${value} detected in .npmrc! Verify if this is a trusted project. Remove this setting or any other problematic configurations to proceed.\x1b[0m`,
+            );
+            process.exit(1);
+          }
+        }
+      }
       // juice-shop mode
       // Projects such as juice-shop prevent lockfile creations using .npmrc files
       // Plus, they might require specific npm install args such as --legacy-peer-deps that could lead to strange node_modules structure
       // To keep life simple, let's look for any .npmrc file that has package-lock=false to toggle before npm install
-      if (pkgMgr === "npm" && safeExistsSync(join(basePath, ".npmrc"))) {
-        const npmrcData = readFileSync(join(basePath, ".npmrc"));
+      if (pkgMgr === "npm") {
         if (
           npmrcData?.includes("package-lock=false") &&
           !installArgs.includes("--package-lock")
@@ -2962,6 +3001,9 @@ export async function createNodejsBom(path, options) {
           `**PACKAGE MANAGER**: Let's run the '${pkgMgr}' command with the arguments '${installArgs.join(" ")}' to generate the needed lock files.`,
         );
       }
+      console.warn(
+        "\x1b[1;35mNotice: Generating an SBOM without a lockfile is risky and non-deterministic. Consider generating and committing the lockfile to your repository to ensure reproducible builds and SBOMs.\x1b[0m",
+      );
       console.log(
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
@@ -3235,6 +3277,11 @@ export async function createNodejsBom(path, options) {
     pkgLockFiles?.length &&
     isPackageManagerAllowed("npm", ["pnpm", "yarn"], options)
   ) {
+    if (anyInstallSuccess) {
+      thoughtLog(
+        `I have ${pkgLockFiles.length} package-lock.json file(s) now after a successful npm install.`,
+      );
+    }
     manifestFiles = manifestFiles.concat(pkgLockFiles);
     for (const f of pkgLockFiles) {
       if (DEBUG_MODE) {
@@ -3844,7 +3891,6 @@ export async function createPythonBom(path, options) {
         console.log(`Parsing ${f}`);
       }
       let retMap = await parsePyLockData(lockData, f);
-      // Should we exit for workspace errors
       if (retMap?.workspaceWarningShown) {
         options.failOnError && process.exit(1);
       }
@@ -3852,7 +3898,6 @@ export async function createPythonBom(path, options) {
         pkgList = pkgList.concat(retMap.pkgList);
         pkgList = trimComponents(pkgList);
       }
-      // Retain the parent hierarchy
       if (retMap?.parentComponent?.components?.length) {
         if (!parentComponent.components) {
           parentComponent.components = [];
@@ -3868,36 +3913,81 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-      // Retrieve the tree using virtualenv in deep mode and as a fallback
-      // This is a slow operation
       if ((options.deep || !dependencies.length) && !f.endsWith("uv.lock")) {
-        retMap = await getPipFrozenTree(basePath, f, tempDir, parentComponent);
-        if (retMap.pkgList?.length) {
-          pkgList = pkgList.concat(retMap.pkgList);
-        }
-        if (retMap.formulationList?.length) {
-          formulationList = formulationList.concat(retMap.formulationList);
-        }
-        if (retMap.dependenciesList) {
-          dependencies = mergeDependencies(
-            dependencies,
-            retMap.dependenciesList,
+        if (options.installDeps) {
+          retMap = await getPipFrozenTree(
+            basePath,
+            f,
+            tempDir,
             parentComponent,
           );
+          if (retMap.pkgList?.length) pkgList = pkgList.concat(retMap.pkgList);
+          if (retMap.formulationList?.length)
+            formulationList = formulationList.concat(retMap.formulationList);
+          if (retMap.dependenciesList)
+            dependencies = mergeDependencies(
+              dependencies,
+              retMap.dependenciesList,
+              parentComponent,
+            );
+          if (retMap.rootList) {
+            const parentDependsOn = new Set();
+            for (const p of retMap.rootList)
+              parentDependsOn.add(
+                `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+              );
+            dependencies.splice(0, 0, {
+              ref: parentComponent["bom-ref"],
+              dependsOn: [...parentDependsOn].sort(),
+            });
+          }
+        } else {
+          let exportedReqs = "";
+          if (f.endsWith("poetry.lock")) {
+            thoughtLog(
+              "Using poetry export as a safe, static alternative to pip install.",
+            );
+            const expCmd = safeSpawnSync(
+              "poetry",
+              ["export", "-f", "requirements.txt"],
+              { cwd: basePath, shell: false },
+            );
+            if (expCmd.status === 0 && expCmd.stdout)
+              exportedReqs = expCmd.stdout.toString();
+          } else if (f.endsWith("pdm.lock")) {
+            thoughtLog(
+              "Using pdm export as a safe, static alternative to pip install.",
+            );
+            const expCmd = safeSpawnSync(
+              "pdm",
+              ["export", "-f", "requirements"],
+              { cwd: basePath, shell: false },
+            );
+            if (expCmd.status === 0 && expCmd.stdout)
+              exportedReqs = expCmd.stdout.toString();
+          }
+          if (exportedReqs) {
+            const tmpReqFile = join(
+              tempDir,
+              `exported-${basename(basePath)}-reqs.txt`,
+            );
+            writeFileSync(tmpReqFile, exportedReqs);
+            const dlist = await parseReqFile(tmpReqFile, false);
+            if (dlist?.length) {
+              pkgList = pkgList.concat(dlist);
+              const parentDependsOn = new Set();
+              for (const p of dlist)
+                parentDependsOn.add(
+                  `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+                );
+              dependencies.splice(0, 0, {
+                ref: parentComponent["bom-ref"],
+                dependsOn: [...parentDependsOn].sort(),
+              });
+            }
+          }
         }
       }
-      if (retMap.rootList) {
-        const parentDependsOn = new Set();
-        // Complete the dependency tree by making parent component depend on the first level
-        for (const p of retMap.rootList) {
-          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
-        }
-        const pdependencies = {
-          ref: parentComponent["bom-ref"],
-          dependsOn: [...parentDependsOn].sort(),
-        };
-        dependencies.splice(0, 0, pdependencies);
-      }
     }
     options.parentComponent = parentComponent;
   } // poetryMode
@@ -3915,7 +4005,7 @@ export async function createPythonBom(path, options) {
     for (const wf of whlFiles) {
       const mData = await readZipEntry(wf, "METADATA");
       if (mData) {
-        const dlist = parseBdistMetadata(undefined, mData);
+        const dlist = parseBdistMetadata(join(wf, "METADATA"), mData);
         if (dlist?.length) {
           pkgList = pkgList.concat(dlist);
         }
@@ -3997,29 +4087,29 @@ export async function createPythonBom(path, options) {
         for (const f of reqFiles) {
           const basePath = dirname(f);
           if (options.installDeps) {
-            const pkgMap = await getPipFrozenTree(
+            const rpkgMap = await getPipFrozenTree(
               basePath,
               f,
               tempDir,
               parentComponent,
             );
-            if (pkgMap.pkgList?.length) {
-              pkgList = pkgList.concat(pkgMap.pkgList);
+            if (rpkgMap.pkgList?.length) {
+              pkgList = pkgList.concat(rpkgMap.pkgList);
               pkgList = trimComponents(pkgList);
             }
-            if (pkgMap.formulationList?.length) {
-              formulationList = formulationList.concat(pkgMap.formulationList);
+            if (rpkgMap.formulationList?.length) {
+              formulationList = formulationList.concat(rpkgMap.formulationList);
               formulationList = trimComponents(formulationList);
             }
-            if (pkgMap.dependenciesList) {
+            if (rpkgMap.dependenciesList) {
               dependencies = mergeDependencies(
                 dependencies,
-                pkgMap.dependenciesList,
+                rpkgMap.dependenciesList,
                 parentComponent,
               );
             }
             // Add the root packages from this file to the parent's dependencies
-            for (const p of pkgMap.rootList) {
+            for (const p of rpkgMap.rootList) {
               if (
                 parentComponent &&
                 p.name === parentComponent.name &&
@@ -4042,12 +4132,42 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-
+      if (pkgMap) {
+        // Complete the dependency tree by making parent component depend on the first level
+        for (const p of pkgMap.rootList) {
+          if (
+            parentComponent &&
+            p.name === parentComponent.name &&
+            (p.version === parentComponent.version || p.version === "latest")
+          ) {
+            continue;
+          }
+          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
+        }
+        if (pkgMap?.pkgList?.length) {
+          pkgList = pkgList.concat(pkgMap.pkgList);
+        }
+        if (pkgMap?.formulationList?.length) {
+          formulationList = formulationList.concat(pkgMap.formulationList);
+        }
+        if (pkgMap?.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            pkgMap.dependenciesList,
+            parentComponent,
+          );
+        }
+      }
       // ATOM parsedeps block
       // Atom parsedeps slices can be used to identify packages that are not declared in manifests
       // Since it is a slow operation, we only use it as a fallback or in deep mode
       // This change was made in 10.9.2 release onwards
       if (options.deep || !pkgList.length) {
+        if (!pkgList.length) {
+          thoughtLog(
+            "I couldn't find any components yet. Let's try static analysis with atom parsedeps command.",
+          );
+        }
         const retMap = await getPyModules(path, pkgList, options);
         // We need to patch the existing package list to add ImportedModules for evinse to work
         if (retMap.modList?.length) {
@@ -4096,32 +4216,6 @@ export async function createPythonBom(path, options) {
         }
       }
       // ATOM parsedeps block
-      if (pkgMap) {
-        // Complete the dependency tree by making parent component depend on the first level
-        for (const p of pkgMap.rootList) {
-          if (
-            parentComponent &&
-            p.name === parentComponent.name &&
-            (p.version === parentComponent.version || p.version === "latest")
-          ) {
-            continue;
-          }
-          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
-        }
-        if (pkgMap?.pkgList?.length) {
-          pkgList = pkgList.concat(pkgMap.pkgList);
-        }
-        if (pkgMap?.formulationList?.length) {
-          formulationList = formulationList.concat(pkgMap.formulationList);
-        }
-        if (pkgMap?.dependenciesList) {
-          dependencies = mergeDependencies(
-            dependencies,
-            pkgMap.dependenciesList,
-            parentComponent,
-          );
-        }
-      }
       let parentPresent = false;
       for (const d of dependencies) {
         if (d.ref === parentComponent["bom-ref"]) {
@@ -4140,7 +4234,6 @@ export async function createPythonBom(path, options) {
       }
     }
   }
-
   // Final fallback is to manually parse setup.py if we still
   // have an empty list
   if (!pkgList.length && setupPyMode) {

package/lib/evinser/evinser.js

@@ -407,7 +407,7 @@ export function initFromSbom(components, language) {
   const purlLocationMap = {};
   const purlImportsMap = {};
   for (const comp of components) {
-    if (!comp || !comp.evidence) {
+    if (!comp?.evidence) {
       continue;
     }
     if (["php", "ruby"].includes(language)) {
@@ -648,8 +648,7 @@ export async function parseObjectSlices(
   ]) {
     // Skip the library code typically without filename
     if (
-      !slice.fileName ||
-      !slice.fileName.trim().length ||
+      !slice.fileName?.trim().length ||
       slice.fileName === "<empty>" ||
       slice.fileName === "<unknown>"
     ) {
@@ -1807,7 +1806,7 @@ export function collectReachableFrames(_language, reachablesSlice) {
  * @returns
  */
 export function framePicker(dfFrames) {
-  if (!dfFrames || !dfFrames.length) {
+  if (!dfFrames?.length) {
     return undefined;
   }
   let aframe = dfFrames[0];

package/lib/evinser/swiftsem.js

@@ -530,7 +530,7 @@ export function moduleInfo(moduleName, compilerArgs) {
  * @returns {Object|undefined} Parsed classes, protocols, enums and their functions
  */
 export function parseModuleInfo(moduleInfoJson) {
-  if (!moduleInfoJson || !moduleInfoJson["key.annotations"]) {
+  if (!moduleInfoJson?.["key.annotations"]) {
     return undefined;
   }
   const classes = new Set();

package/lib/helpers/caxa.js

@@ -9,7 +9,7 @@ export async function parseCaxaMetadata(mfile) {
   } catch (_e) {
     return {};
   }
-  if (!mdata || !mdata.components) {
+  if (!mdata?.components) {
     return {};
   }
   const { parentComponent } = mdata;

package/lib/helpers/display.js

@@ -24,7 +24,7 @@ export function printTable(
   filterTypes = undefined,
   highlight = undefined,
 ) {
-  if (!bomJson || !bomJson.components) {
+  if (!bomJson?.components) {
     return;
   }
   if (
@@ -120,7 +120,7 @@ export function printOSTable(bomJson) {
 }
 export function printServices(bomJson) {
   const data = [["Name", "Endpoints", "Authenticated", "X Trust Boundary"]];
-  if (!bomJson || !bomJson.services) {
+  if (!bomJson?.services) {
     return;
   }
   for (const aservice of bomJson.services) {
@@ -144,7 +144,7 @@ export function printServices(bomJson) {
 
 export function printFormulation(bomJson) {
   const data = [["Tyoe", "Name", "Version"]];
-  if (!bomJson || !bomJson.formulation) {
+  if (!bomJson?.formulation) {
     return;
   }
   for (const aform of bomJson.formulation) {
@@ -179,7 +179,7 @@ const locationComparator = (a, b) => {
 };
 
 export function printOccurrences(bomJson) {
-  if (!bomJson || !bomJson.components) {
+  if (!bomJson?.components) {
     return;
   }
   const data = ["Group", "Name", "Version", "Occurrences"];
@@ -219,15 +219,11 @@ export function printOccurrences(bomJson) {
 
 export function printCallStack(bomJson) {
   const data = [["Group", "Name", "Version", "Call Stack"]];
-  if (!bomJson || !bomJson.components) {
+  if (!bomJson?.components) {
     return;
   }
   for (const comp of bomJson.components) {
-    if (
-      !comp.evidence ||
-      !comp.evidence.callstack ||
-      !comp.evidence.callstack.frames
-    ) {
+    if (!comp.evidence?.callstack?.frames) {
       continue;
     }
     const frames = Array.from(

package/lib/helpers/envcontext.js

@@ -30,13 +30,13 @@ export const GIT_COMMAND = process.env.GIT_CMD || "git";
 // sdkman tool aliases
 export const SDKMAN_JAVA_TOOL_ALIASES = {
   java8: process.env.JAVA8_TOOL || "8.0.452-amzn", // Temurin no longer offers java8 :(
-  java11: process.env.JAVA11_TOOL || "11.0.29-tem",
-  java17: process.env.JAVA17_TOOL || "17.0.17-tem",
-  java21: process.env.JAVA21_TOOL || "21.0.9-tem",
+  java11: process.env.JAVA11_TOOL || "11.0.30-tem",
+  java17: process.env.JAVA17_TOOL || "17.0.18-tem",
+  java21: process.env.JAVA21_TOOL || "21.0.10-tem",
   java22: process.env.JAVA22_TOOL || "22.0.2-tem",
   java23: process.env.JAVA23_TOOL || "23.0.2-tem",
   java24: process.env.JAVA24_TOOL || "24.0.2-tem",
-  java25: process.env.JAVA25_TOOL || "25.0.1-tem",
+  java25: process.env.JAVA25_TOOL || "25.0.2-tem",
 };
 
 /**
@@ -206,7 +206,7 @@ export function collectPythonInfo(dir) {
   ]);
   const moduleDesc =
     getCommandOutput(getPythonCommand(), dir, [
-      "-S",
+      "-I",
       "-m",
       "pip",
       "--version",