@cyclonedx/cdxgen 12.2.0 → 12.2.1

package/README.md

@@ -107,7 +107,7 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.2.0";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.2.1";
 ```
 
 ## Getting Help
@@ -139,7 +139,10 @@ Options:
       --project-tag               Dependency track project tag. Multiple values allowed.                         [array]
       --project-id                Dependency track project id. Either provide the id or the project name and version tog
                                   ether                                                                         [string]
-      --parent-project-id         Dependency track parent project id                                            [string]
+      --parent-project-id         Dependency track parent project id. You must provide the id or both
+                                  parent project name and parent project version.                               [string]
+      --parent-project-name       Dependency track parent project name                                          [string]
+      --parent-project-version    Dependency track parent project version                                       [string]
       --required-only             Include only the packages with required scope on the SBOM. Would set compositions.aggr
                                   egate to incomplete unless --no-auto-compositions is passed.                 [boolean]
       --fail-on-error             Fail if any dependency extractor fails.                                      [boolean]

package/bin/cdxgen.js

@@ -171,6 +171,24 @@ const args = _yargs
     description: "Dependency track parent project id",
     type: "string",
   })
+  .option("parent-project-name", {
+    description: "Dependency track parent project name",
+    type: "string",
+  })
+  .option("parent-project-version", {
+    description: "Dependency track parent project version",
+    type: "string",
+  })
+  .option("auto-create", {
+    description: "Dependency track autoCreate value for BOM uploads",
+    type: "boolean",
+    hidden: true,
+  })
+  .option("is-latest", {
+    description: "Dependency track isLatest value for BOM uploads",
+    type: "boolean",
+    hidden: true,
+  })
   .option("required-only", {
     type: "boolean",
     description:
@@ -249,7 +267,7 @@ const args = _yargs
     hidden: true,
   })
   .option("spec-version", {
-    description: "CycloneDX Specification version to use. Defaults to 1.6",
+    description: "CycloneDX Specification version to use. Defaults to 1.7",
     default: 1.7,
     type: "number",
     choices: [1.4, 1.5, 1.6, 1.7],

package/lib/cli/index.js

@@ -19,7 +19,6 @@ import got from "got";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
 import { parse } from "ssri";
-import { table } from "table";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
@@ -28,6 +27,11 @@ import { parseCaxaMetadata } from "../helpers/caxa.js";
 import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
+import {
+  buildDependencyTrackBomPayload,
+  getDependencyTrackBomUrl,
+} from "../helpers/remote/dependency-track.js";
+import { table } from "../helpers/table.js";
 import {
   addEvidenceForDotnet,
   addEvidenceForImports,
@@ -1252,7 +1256,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     // CycloneDX Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || "1.5"}`,
+      specVersion: `${options.specVersion || "1.7"}`,
       serialNumber: serialNum,
       version: 1,
       metadata: metadata,
@@ -1490,6 +1494,8 @@ export async function createJavaBom(path, options) {
     }
     let result;
     let mvnArgs;
+    // FIXME: How do we motivate everyone to upgrade to 1.7?
+    const toolsSpecVersion = 1.6;
     if (isQuarkus) {
       thoughtLog(
         "This appears to be a Quarkus project. Let's use the right Maven plugin.",
@@ -1500,12 +1506,14 @@ export async function createJavaBom(path, options) {
         "quarkus:dependency-sbom",
         "-Dquarkus.analytics.disabled=true",
       ];
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
         mvnArgs = mvnArgs.concat(
-          `-Dquarkus.dependency.sbom.schema-version=${options.specVersion}`,
+          `-Dquarkus.dependency.sbom.schema-version=${toolsSpecVersion}`,
         );
       }
     } else {
+      // FIXME: The last maven plugin release was on November 28th, 2024.
+      // Should we fork this repo and maintain it ourselves?
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
         "org.cyclonedx:cyclonedx-maven-plugin:2.9.1";
@@ -1527,9 +1535,11 @@ export async function createJavaBom(path, options) {
         const addArgs = process.env.MVN_ARGS.split(" ");
         mvnArgs = mvnArgs.concat(addArgs);
       }
-      // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
+      // specVersion 1.4 doesn't support externalReferences.type=distribution-intake
       // so we need to run the plugin with the correct version
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
+        mvnArgs = mvnArgs.concat(`-DschemaVersion=${toolsSpecVersion}`);
+      } else if (options.specVersion > 1.4) {
         mvnArgs = mvnArgs.concat(`-DschemaVersion=${options.specVersion}`);
       }
     }
@@ -2723,6 +2733,21 @@ export async function createNodejsBom(path, options) {
     `${options.multiProject ? "**/" : ""}bower.json`,
     options,
   );
+  if (DEBUG_MODE) {
+    const wasmFiles = getAllFiles(
+      path,
+      `${options.multiProject ? "**/" : ""}*.wasm`,
+      {
+        ...options,
+        includeNodeModulesDir: true,
+      },
+    );
+    if (wasmFiles?.length) {
+      console.log(
+        `Found ${wasmFiles.length} wasm files in this project. cdxgen will make a best attempt to identify the exports and imports from these files.`,
+      );
+    }
+  }
   // Parse min js files
   if (minJsFiles?.length) {
     manifestFiles = manifestFiles.concat(minJsFiles);
@@ -3242,6 +3267,7 @@ export async function createNodejsBom(path, options) {
     const pnpmLock = join(path, "common", "config", "rush", "pnpm-lock.yaml");
     if (safeExistsSync(swFile)) {
       let pkgList = await parseNodeShrinkwrap(swFile);
+      pkgList = addWasmComponentsFromImports(pkgList, allImports);
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
           pkgList,
@@ -3258,9 +3284,13 @@ export async function createNodejsBom(path, options) {
     }
     if (safeExistsSync(pnpmLock)) {
       const pnpmLockObj = await parsePnpmLock(pnpmLock);
+      let pkgList = addWasmComponentsFromImports(
+        pnpmLockObj.pkgList,
+        allImports,
+      );
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
-          pnpmLockObj.pkgList,
+          pkgList,
           allImports,
           allExports,
           options.deep,
@@ -3537,6 +3567,7 @@ export async function createNodejsBom(path, options) {
     options.parentComponent = parentComponent;
   }
   if (allImports && Object.keys(allImports).length) {
+    pkgList = addWasmComponentsFromImports(pkgList, allImports);
     pkgList = await addEvidenceForImports(
       pkgList,
       allImports,
@@ -3552,6 +3583,84 @@ export async function createNodejsBom(path, options) {
   });
 }
 
+const WASM_IMPORT_PATTERN = /\.wasm([?#].*)?$/i;
+
+/**
+ * Adds generic wasm components from discovered source imports.
+ *
+ * @param {Array<Object>} pkgList Node.js package list
+ * @param {Object} allImports analyzer imports map
+ * @returns {Array<Object>} pkgList enriched with wasm components
+ */
+const addWasmComponentsFromImports = (pkgList, allImports) => {
+  if (!allImports || !Object.keys(allImports).length) {
+    return pkgList;
+  }
+  const existingPurls = new Set();
+  for (const pkg of pkgList) {
+    if (pkg?.purl) {
+      existingPurls.add(pkg.purl);
+    }
+  }
+  for (const [importPath, occurrences] of Object.entries(allImports)) {
+    if (!WASM_IMPORT_PATTERN.test(importPath)) {
+      continue;
+    }
+    const cleanImportPath = importPath.replace(/[?#].*$/, "");
+    const normalizedImportPath = cleanImportPath
+      .replace(/\\/g, "/")
+      .replace(/^\.\//, "");
+    const wasmComponentName = normalizedImportPath || cleanImportPath;
+    const wasmFileName = basename(cleanImportPath);
+    if (!allImports[wasmComponentName]) {
+      allImports[wasmComponentName] = new Set();
+    }
+    for (const occurrence of occurrences) {
+      allImports[wasmComponentName].add(occurrence);
+    }
+    const wasmPurl = new PackageURL(
+      "generic",
+      "",
+      wasmFileName,
+      "",
+      normalizedImportPath ? { path: normalizedImportPath } : undefined,
+      undefined,
+    ).toString();
+    if (existingPurls.has(wasmPurl)) {
+      continue;
+    }
+    const firstOccurrence = Array.from(occurrences)[0];
+    const srcFile = firstOccurrence?.importedAs || importPath;
+    pkgList.push({
+      name: wasmComponentName,
+      type: "library",
+      purl: wasmPurl,
+      "bom-ref": wasmPurl,
+      properties: [
+        {
+          name: "SrcFile",
+          value: srcFile,
+        },
+      ],
+      evidence: {
+        identity: {
+          field: "purl",
+          confidence: 0.3,
+          methods: [
+            {
+              technique: "filename",
+              confidence: 0.3,
+              value: srcFile,
+            },
+          ],
+        },
+      },
+    });
+    existingPurls.add(wasmPurl);
+  }
+  return pkgList;
+};
+
 /**
  * Function to create bom string for Projects that use Pixi package manager.
  * createPixiBom is based on createPythonBom.
@@ -7350,7 +7459,7 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     components,
     bomJson: {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || 1.5}`,
+      specVersion: `${options.specVersion || 1.7}`,
       serialNumber: serialNum,
       version: 1,
       metadata: addMetadata(parentComponent, options, {}),
@@ -8856,66 +8965,22 @@ export async function createBom(path, options) {
  * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
-  const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
-  let encodedBomContents = Buffer.from(JSON.stringify(bomContents)).toString(
-    "base64",
-  );
-  if (encodedBomContents.startsWith("77u/")) {
-    encodedBomContents = encodedBomContents.substring(4);
-  }
-  const bomPayload = {
-    autoCreate: "true",
-    bom: encodedBomContents,
-  };
-  const projectVersion = args.projectVersion || "main";
-  if (
-    typeof args.projectId !== "undefined" ||
-    (typeof args.projectName !== "undefined" &&
-      typeof projectVersion !== "undefined")
-  ) {
-    if (typeof args.projectId !== "undefined") {
-      bomPayload.project = args.projectId;
-    }
-    if (typeof args.projectName !== "undefined") {
-      bomPayload.projectName = args.projectName;
-    }
-    if (typeof projectVersion !== "undefined") {
-      bomPayload.projectVersion = projectVersion;
-    }
-  } else {
+  const serverUrl = getDependencyTrackBomUrl(args.serverUrl);
+  const bomPayload = buildDependencyTrackBomPayload(args, bomContents);
+  if (!bomPayload) {
     console.log(
-      "projectId, projectName and projectVersion, or all three must be provided.",
+      "Invalid Dependency-Track submission arguments. Provide projectId or projectName (projectVersion defaults to main) and specify parent project either by UUID or by parent project name + version.",
     );
     args.failOnError && process.exit(1);
     return;
   }
-  if (
-    typeof args.parentProjectId !== "undefined" ||
-    typeof args.parentUUID !== "undefined"
-  ) {
-    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
-  }
-  // Add project tags if provided
-  // see https://docs.dependencytrack.org/2024/10/01/v4.12.0/
-  // corresponding API usage documentation can be found on the
-  // API docs site of your instance, see
-  // https://docs.dependencytrack.org/integrations/rest-api/
-  // or public instance see https://yoursky.blue/documentation/rest-api
-  if (typeof args.projectTag !== "undefined") {
-    // If args.projectTag is not an array, convert it to an array
-    // Attention, array items should be of form { name: "tagName " }
-    // see https://yoursky.blue/documentation/rest-api#tag/bom/operation/UploadBomBase64Encoded
-    bomPayload.projectTags = (
-      Array.isArray(args.projectTag) ? args.projectTag : [args.projectTag]
-    ).map((tag) => ({ name: tag }));
-  }
   if (DEBUG_MODE) {
     console.log(
       "Submitting BOM to",
       serverUrl,
       "params",
       args.projectName,
-      projectVersion,
+      bomPayload.projectVersion,
     );
   }
   try {

package/lib/cli/index.poku.js

@@ -120,5 +120,122 @@ describe("CLI tests", () => {
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
       assert.deepEqual(options.json, expectedRequestPayload);
     });
+
+    it("should include parentName and parentVersion when parent project name and version are passed", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+
+      const serverUrl = "https://dtrack.example.com";
+      const projectName = "cdxgen-test-project";
+      const projectVersion = "2.0.0";
+      const parentProjectName = "parent-project";
+      const parentProjectVersion = "1.0.0";
+      const bomContent = {
+        bom: "test3",
+      };
+      const apiKey = "TEST_API_KEY";
+      const skipDtTlsCheck = false;
+
+      const expectedRequestPayload = {
+        autoCreate: "true",
+        bom: "eyJib20iOiJ0ZXN0MyJ9", // stringified and base64 encoded bomContent
+        parentName: parentProjectName,
+        parentVersion: parentProjectVersion,
+        projectName,
+        projectVersion,
+      };
+
+      await submitBom(
+        {
+          serverUrl,
+          projectName,
+          projectVersion,
+          parentProjectName,
+          parentProjectVersion,
+          apiKey,
+          skipDtTlsCheck,
+        },
+        bomContent,
+      );
+
+      sinon.assert.calledOnce(gotStub);
+      const [calledUrl, options] = gotStub.firstCall.args;
+
+      assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
+      assert.equal(options.method, "PUT");
+      assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
+      assert.equal(options.headers["X-Api-Key"], apiKey);
+      assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
+      assert.deepEqual(options.json, expectedRequestPayload);
+    });
+
+    it("should include configurable autoCreate and isLatest values in payload", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+
+      const serverUrl = "https://dtrack.example.com";
+      const projectName = "cdxgen-test-project";
+      const apiKey = "TEST_API_KEY";
+
+      await submitBom(
+        {
+          serverUrl,
+          projectName,
+          apiKey,
+          autoCreate: false,
+          isLatest: true,
+        },
+        { bom: "test4" },
+      );
+
+      sinon.assert.calledOnce(gotStub);
+      const [_calledUrl, options] = gotStub.firstCall.args;
+      assert.equal(options.json.autoCreate, "false");
+      assert.equal(options.json.isLatest, true);
+      assert.equal(options.json.projectVersion, "main");
+    });
+
+    it("should reject invalid mixed parent modes before making network request", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+
+      const response = await submitBom(
+        {
+          serverUrl: "https://dtrack.example.com",
+          projectName: "cdxgen-test-project",
+          parentProjectId: "5103b8b4-4ca3-46ea-8051-036a3b2ab17e",
+          parentProjectName: "parent",
+          parentProjectVersion: "1.0.0",
+        },
+        { bom: "test5" },
+      );
+
+      assert.equal(response, undefined);
+      sinon.assert.notCalled(gotStub);
+    });
   });
 });