@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/cli/index.js

@@ -19,15 +19,26 @@ import got from "got";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
 import { parse } from "ssri";
-import { table } from "table";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
 import { findJSImportsExports } from "../helpers/analyzer.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
+import {
+  CHROME_EXTENSION_PURL_TYPE,
+  collectChromeExtensionsFromPath,
+  collectInstalledChromeExtensions,
+  discoverChromiumExtensionDirs,
+} from "../helpers/chromextutils.js";
 import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
+import { isPyLockFile } from "../helpers/pylockutils.js";
+import {
+  buildDependencyTrackBomPayload,
+  getDependencyTrackBomUrl,
+} from "../helpers/remote/dependency-track.js";
+import { table } from "../helpers/table.js";
 import {
   addEvidenceForDotnet,
   addEvidenceForImports,
@@ -1252,7 +1263,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     // CycloneDX Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || "1.5"}`,
+      specVersion: `${options.specVersion || "1.7"}`,
       serialNumber: serialNum,
       version: 1,
       metadata: metadata,
@@ -1490,6 +1501,8 @@ export async function createJavaBom(path, options) {
     }
     let result;
     let mvnArgs;
+    // FIXME: How do we motivate everyone to upgrade to 1.7?
+    const toolsSpecVersion = 1.6;
     if (isQuarkus) {
       thoughtLog(
         "This appears to be a Quarkus project. Let's use the right Maven plugin.",
@@ -1500,12 +1513,14 @@ export async function createJavaBom(path, options) {
         "quarkus:dependency-sbom",
         "-Dquarkus.analytics.disabled=true",
       ];
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
         mvnArgs = mvnArgs.concat(
-          `-Dquarkus.dependency.sbom.schema-version=${options.specVersion}`,
+          `-Dquarkus.dependency.sbom.schema-version=${toolsSpecVersion}`,
         );
       }
     } else {
+      // FIXME: The last maven plugin release was on November 28th, 2024.
+      // Should we fork this repo and maintain it ourselves?
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
         "org.cyclonedx:cyclonedx-maven-plugin:2.9.1";
@@ -1527,9 +1542,11 @@ export async function createJavaBom(path, options) {
         const addArgs = process.env.MVN_ARGS.split(" ");
         mvnArgs = mvnArgs.concat(addArgs);
       }
-      // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
+      // specVersion 1.4 doesn't support externalReferences.type=distribution-intake
       // so we need to run the plugin with the correct version
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
+        mvnArgs = mvnArgs.concat(`-DschemaVersion=${toolsSpecVersion}`);
+      } else if (options.specVersion > 1.4) {
         mvnArgs = mvnArgs.concat(`-DschemaVersion=${options.specVersion}`);
       }
     }
@@ -2723,6 +2740,21 @@ export async function createNodejsBom(path, options) {
     `${options.multiProject ? "**/" : ""}bower.json`,
     options,
   );
+  if (DEBUG_MODE) {
+    const wasmFiles = getAllFiles(
+      path,
+      `${options.multiProject ? "**/" : ""}*.wasm`,
+      {
+        ...options,
+        includeNodeModulesDir: true,
+      },
+    );
+    if (wasmFiles?.length) {
+      console.log(
+        `Found ${wasmFiles.length} wasm files in this project. cdxgen will make a best attempt to identify the exports and imports from these files.`,
+      );
+    }
+  }
   // Parse min js files
   if (minJsFiles?.length) {
     manifestFiles = manifestFiles.concat(minJsFiles);
@@ -2994,7 +3026,7 @@ export async function createNodejsBom(path, options) {
           if (!wpkgJsonFiles?.length) {
             if (!workspaceWarningShown) {
               workspaceWarningShown = true;
-              console.log(
+              console.warn(
                 `Unable to find any package.json files belonging to the workspace '${awp}' referred in ${f}. To improve SBOM precision, run cdxgen from the directory containing the complete source code.`,
               );
             }
@@ -3084,7 +3116,7 @@ export async function createNodejsBom(path, options) {
       }
       if (!Object.keys(parentComponent).length) {
         if (safeExistsSync(packageJsonF)) {
-          const pcs = await parsePkgJson(packageJsonF, true);
+          const pcs = await parsePkgJson(packageJsonF, true, true);
           if (pcs.length && Object.keys(pcs[0]).length) {
             parentComponent = { ...pcs[0] };
             parentComponent.type = "application";
@@ -3170,7 +3202,7 @@ export async function createNodejsBom(path, options) {
         const basePath = dirname(f);
         const packageJsonF = join(basePath, "package.json");
         if (safeExistsSync(packageJsonF)) {
-          const pcs = await parsePkgJson(packageJsonF, true);
+          const pcs = await parsePkgJson(packageJsonF, true, true);
           if (pcs.length && Object.keys(pcs[0]).length) {
             tmpParentComponent = { ...pcs[0] };
             tmpParentComponent.type = "application";
@@ -3242,6 +3274,7 @@ export async function createNodejsBom(path, options) {
     const pnpmLock = join(path, "common", "config", "rush", "pnpm-lock.yaml");
     if (safeExistsSync(swFile)) {
       let pkgList = await parseNodeShrinkwrap(swFile);
+      pkgList = addWasmComponentsFromImports(pkgList, allImports);
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
           pkgList,
@@ -3258,9 +3291,13 @@ export async function createNodejsBom(path, options) {
     }
     if (safeExistsSync(pnpmLock)) {
       const pnpmLockObj = await parsePnpmLock(pnpmLock);
+      let pkgList = addWasmComponentsFromImports(
+        pnpmLockObj.pkgList,
+        allImports,
+      );
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
-          pnpmLockObj.pkgList,
+          pkgList,
           allImports,
           allExports,
           options.deep,
@@ -3335,7 +3372,7 @@ export async function createNodejsBom(path, options) {
           if (!wpkgJsonFiles?.length) {
             if (!workspaceWarningShown) {
               workspaceWarningShown = true;
-              console.log(
+              console.warn(
                 `Unable to find any package.json files belonging to the workspace '${awp}' referred in ${packageJsonFile}. To improve SBOM precision, run cdxgen from the directory containing the complete source code.`,
               );
             }
@@ -3389,7 +3426,7 @@ export async function createNodejsBom(path, options) {
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
       if (safeExistsSync(packageJsonF)) {
-        const pcs = await parsePkgJson(packageJsonF, true);
+        const pcs = await parsePkgJson(packageJsonF, true, true);
         if (pcs.length && Object.keys(pcs[0]).length) {
           const tmpParentComponent = { ...pcs[0] };
           tmpParentComponent.type = "application";
@@ -3498,7 +3535,7 @@ export async function createNodejsBom(path, options) {
     }
     if (!parentComponent || !Object.keys(parentComponent).length) {
       if (safeExistsSync(join(path, "package.json"))) {
-        const pcs = await parsePkgJson(join(path, "package.json"), true);
+        const pcs = await parsePkgJson(join(path, "package.json"), true, true);
         if (pcs.length && Object.keys(pcs[0]).length) {
           parentComponent = { ...pcs[0] };
           parentComponent.type = "application";
@@ -3537,6 +3574,7 @@ export async function createNodejsBom(path, options) {
     options.parentComponent = parentComponent;
   }
   if (allImports && Object.keys(allImports).length) {
+    pkgList = addWasmComponentsFromImports(pkgList, allImports);
     pkgList = await addEvidenceForImports(
       pkgList,
       allImports,
@@ -3552,6 +3590,84 @@ export async function createNodejsBom(path, options) {
   });
 }
 
+const WASM_IMPORT_PATTERN = /\.wasm([?#].*)?$/i;
+
+/**
+ * Adds generic wasm components from discovered source imports.
+ *
+ * @param {Array<Object>} pkgList Node.js package list
+ * @param {Object} allImports analyzer imports map
+ * @returns {Array<Object>} pkgList enriched with wasm components
+ */
+const addWasmComponentsFromImports = (pkgList, allImports) => {
+  if (!allImports || !Object.keys(allImports).length) {
+    return pkgList;
+  }
+  const existingPurls = new Set();
+  for (const pkg of pkgList) {
+    if (pkg?.purl) {
+      existingPurls.add(pkg.purl);
+    }
+  }
+  for (const [importPath, occurrences] of Object.entries(allImports)) {
+    if (!WASM_IMPORT_PATTERN.test(importPath)) {
+      continue;
+    }
+    const cleanImportPath = importPath.replace(/[?#].*$/, "");
+    const normalizedImportPath = cleanImportPath
+      .replace(/\\/g, "/")
+      .replace(/^\.\//, "");
+    const wasmComponentName = normalizedImportPath || cleanImportPath;
+    const wasmFileName = basename(cleanImportPath);
+    if (!allImports[wasmComponentName]) {
+      allImports[wasmComponentName] = new Set();
+    }
+    for (const occurrence of occurrences) {
+      allImports[wasmComponentName].add(occurrence);
+    }
+    const wasmPurl = new PackageURL(
+      "generic",
+      "",
+      wasmFileName,
+      "",
+      normalizedImportPath ? { path: normalizedImportPath } : undefined,
+      undefined,
+    ).toString();
+    if (existingPurls.has(wasmPurl)) {
+      continue;
+    }
+    const firstOccurrence = Array.from(occurrences)[0];
+    const srcFile = firstOccurrence?.importedAs || importPath;
+    pkgList.push({
+      name: wasmComponentName,
+      type: "library",
+      purl: wasmPurl,
+      "bom-ref": wasmPurl,
+      properties: [
+        {
+          name: "SrcFile",
+          value: srcFile,
+        },
+      ],
+      evidence: {
+        identity: {
+          field: "purl",
+          confidence: 0.3,
+          methods: [
+            {
+              technique: "filename",
+              confidence: 0.3,
+              value: srcFile,
+            },
+          ],
+        },
+      },
+    });
+    existingPurls.add(wasmPurl);
+  }
+  return pkgList;
+};
+
 /**
  * Function to create bom string for Projects that use Pixi package manager.
  * createPixiBom is based on createPythonBom.
@@ -3687,6 +3803,14 @@ export async function createPythonBom(path, options) {
   if (uvLockFiles?.length) {
     poetryFiles = poetryFiles.concat(uvLockFiles);
   }
+  const pyLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}pylock*.toml`,
+    options,
+  )?.filter((f) => isPyLockFile(f));
+  if (pyLockFiles?.length) {
+    poetryFiles = poetryFiles.concat(pyLockFiles);
+  }
   let reqFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}*requirements*.txt`,
@@ -3752,7 +3876,9 @@ export async function createPythonBom(path, options) {
   }
   // When we identify uv lock files, do not parse requirements files
   const requirementsMode =
-    (reqFiles?.length || reqDirFiles?.length) && !uvLockFiles.length;
+    (reqFiles?.length || reqDirFiles?.length) &&
+    !uvLockFiles.length &&
+    !pyLockFiles?.length;
   const poetryMode = poetryFiles?.length;
 
   // TODO: Support for nested directories
@@ -3771,6 +3897,12 @@ export async function createPythonBom(path, options) {
       if (retMap?.workspaceWarningShown) {
         options.failOnError && process.exit(1);
       }
+      if (retMap?.pyLockProperties?.length) {
+        parentComponent.properties = parentComponent.properties || [];
+        parentComponent.properties = parentComponent.properties.concat(
+          retMap.pyLockProperties,
+        );
+      }
       if (retMap.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         pkgList = trimComponents(pkgList);
@@ -3790,7 +3922,11 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-      if ((options.deep || !dependencies.length) && !f.endsWith("uv.lock")) {
+      if (
+        (options.deep || !dependencies.length) &&
+        !f.endsWith("uv.lock") &&
+        !isPyLockFile(f)
+      ) {
         if (options.installDeps) {
           retMap = await getPipFrozenTree(
             basePath,
@@ -5583,15 +5719,27 @@ export async function createCocoaBom(path, options) {
   for (const podFile of cocoaFiles) {
     const projectPath = dirname(podFile);
     const lockFile = `${podFile}.lock`;
-    if (!safeExistsSync(lockFile) || options.deep) {
+    let missingLockWarningShown = false;
+    if (!safeExistsSync(lockFile)) {
       if (options.installDeps) {
         executePodCommand(["install"], projectPath, options);
       } else {
         console.log(
           "No 'Podfile.lock' found and '--no-install-deps' is set -- A Podfile.lock is needed to parse dependencies!",
         );
+        missingLockWarningShown = true;
         options.failOnError && process.exit(1);
       }
+    } else if (options.deep && options.installDeps) {
+      executePodCommand(["install"], projectPath, options);
+    }
+    if (!safeExistsSync(lockFile)) {
+      if (!missingLockWarningShown) {
+        console.log(
+          `No 'Podfile.lock' found for ${projectPath}. Skipping CocoaPods dependency parsing for this project.`,
+        );
+      }
+      continue;
     }
     const parentComponent = await buildObjectForCocoaPod(
       {
@@ -7179,6 +7327,61 @@ export async function createVscodeExtensionBom(path, options) {
   });
 }
 
+/**
+ * Function to create BOM for installed Chrome and Chromium-based browser extensions.
+ *
+ * @param {string} path to the project path or a directly provided extension path
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createChromeExtensionBom(path, options) {
+  let dependencies = [];
+  let sourcePaths = [];
+  const directResult = collectChromeExtensionsFromPath(path);
+  const chromeDirs = discoverChromiumExtensionDirs();
+  let pkgList = directResult.components || [];
+  if (directResult.extensionDirs?.length) {
+    sourcePaths = directResult.extensionDirs.slice();
+    for (const extDir of directResult.extensionDirs) {
+      const deepResult = await analyzeExtensionDir(extDir, options);
+      if (deepResult.pkgList.length) {
+        pkgList = pkgList.concat(deepResult.pkgList);
+      }
+      if (deepResult.dependencies.length) {
+        dependencies = mergeDependencies(dependencies, deepResult.dependencies);
+      }
+    }
+  }
+  if (pkgList.length && DEBUG_MODE) {
+    thoughtLog(
+      `Found ${pkgList.length} component(s) from direct Chrome extension path scan`,
+    );
+  }
+  if (chromeDirs.length) {
+    if (DEBUG_MODE) {
+      thoughtLog(
+        `Discovered Chromium extension directories: ${chromeDirs.map((d) => `${d.browser} (${d.channel}): ${d.dir}`).join(", ")}`,
+      );
+    }
+    if (!pkgList.length) {
+      pkgList = collectInstalledChromeExtensions(chromeDirs);
+      sourcePaths = chromeDirs.map((d) => d.dir);
+    }
+    if (DEBUG_MODE && pkgList.length && !directResult.components?.length) {
+      thoughtLog(
+        `Found ${pkgList.length} Chrome/Chromium extension(s) from ${chromeDirs.length} browser location(s)`,
+      );
+    }
+  }
+  pkgList = trimComponents(pkgList);
+  return buildBomNSData(options, pkgList, CHROME_EXTENSION_PURL_TYPE, {
+    src: path,
+    filename: sourcePaths.join(", "),
+    nsMapping: {},
+    dependencies,
+  });
+}
+
 /**
  * Analyze an extracted extension directory for bundled dependencies.
  * Looks for npm lock files, node_modules, package.json files, minified JS,
@@ -7350,7 +7553,7 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     components,
     bomJson: {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || 1.5}`,
+      specVersion: `${options.specVersion || 1.7}`,
       serialNumber: serialNum,
       version: 1,
       metadata: addMetadata(parentComponent, options, {}),
@@ -8099,6 +8302,46 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["chrome-extension"], options)) {
+      let isExplicitChromeExtensionPath = false;
+      if (safeExistsSync(path)) {
+        if (basename(path) === "manifest.json") {
+          isExplicitChromeExtensionPath = true;
+        } else {
+          try {
+            isExplicitChromeExtensionPath =
+              statSync(path).isDirectory() &&
+              safeExistsSync(join(path, "manifest.json"));
+          } catch (_err) {
+            isExplicitChromeExtensionPath = false;
+          }
+        }
+      }
+      if (isExplicitChromeExtensionPath || !options.__didScanChromeExtensions) {
+        if (!isExplicitChromeExtensionPath) {
+          options.__didScanChromeExtensions = true;
+        }
+        bomData = await createChromeExtensionBom(path, options);
+        if (bomData?.bomJson?.components?.length) {
+          if (DEBUG_MODE) {
+            console.log(
+              `Found ${bomData.bomJson.components.length} Chrome extension(s) on this host`,
+            );
+          }
+          components = components.concat(bomData.bomJson.components);
+          dependencies = mergeDependencies(
+            dependencies,
+            bomData.bomJson.dependencies,
+          );
+          if (
+            bomData.parentComponent &&
+            Object.keys(bomData.parentComponent).length
+          ) {
+            parentSubComponents.push(bomData.parentComponent);
+          }
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8253,10 +8496,16 @@ export async function createXBom(path, options) {
   // python
   const pipenvMode = safeExistsSync(join(path, "Pipfile"));
   const poetryMode = safeExistsSync(join(path, "poetry.lock"));
+  const pyLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}pylock*.toml`,
+    options,
+  ).filter((f) => isPyLockFile(f));
+  const pyLockMode = pyLockFiles.length > 0;
   const pyProjectMode =
-    !poetryMode && safeExistsSync(join(path, "pyproject.toml"));
+    !poetryMode && !pyLockMode && safeExistsSync(join(path, "pyproject.toml"));
   const setupPyMode = safeExistsSync(join(path, "setup.py"));
-  if (pipenvMode || poetryMode || pyProjectMode || setupPyMode) {
+  if (pipenvMode || poetryMode || pyLockMode || pyProjectMode || setupPyMode) {
     return await createPythonBom(path, options);
   }
   const reqFiles = getAllFiles(
@@ -8818,6 +9067,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["vscode-extension"].includes(projectType[0])) {
     return await createVscodeExtensionBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["chrome-extension"].includes(projectType[0])) {
+    return await createChromeExtensionBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);
@@ -8856,66 +9108,22 @@ export async function createBom(path, options) {
  * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
-  const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
-  let encodedBomContents = Buffer.from(JSON.stringify(bomContents)).toString(
-    "base64",
-  );
-  if (encodedBomContents.startsWith("77u/")) {
-    encodedBomContents = encodedBomContents.substring(4);
-  }
-  const bomPayload = {
-    autoCreate: "true",
-    bom: encodedBomContents,
-  };
-  const projectVersion = args.projectVersion || "main";
-  if (
-    typeof args.projectId !== "undefined" ||
-    (typeof args.projectName !== "undefined" &&
-      typeof projectVersion !== "undefined")
-  ) {
-    if (typeof args.projectId !== "undefined") {
-      bomPayload.project = args.projectId;
-    }
-    if (typeof args.projectName !== "undefined") {
-      bomPayload.projectName = args.projectName;
-    }
-    if (typeof projectVersion !== "undefined") {
-      bomPayload.projectVersion = projectVersion;
-    }
-  } else {
+  const serverUrl = getDependencyTrackBomUrl(args.serverUrl);
+  const bomPayload = buildDependencyTrackBomPayload(args, bomContents);
+  if (!bomPayload) {
     console.log(
-      "projectId, projectName and projectVersion, or all three must be provided.",
+      "Invalid Dependency-Track submission arguments. Provide projectId or projectName (projectVersion defaults to main) and specify parent project either by UUID or by parent project name + version.",
     );
     args.failOnError && process.exit(1);
     return;
   }
-  if (
-    typeof args.parentProjectId !== "undefined" ||
-    typeof args.parentUUID !== "undefined"
-  ) {
-    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
-  }
-  // Add project tags if provided
-  // see https://docs.dependencytrack.org/2024/10/01/v4.12.0/
-  // corresponding API usage documentation can be found on the
-  // API docs site of your instance, see
-  // https://docs.dependencytrack.org/integrations/rest-api/
-  // or public instance see https://yoursky.blue/documentation/rest-api
-  if (typeof args.projectTag !== "undefined") {
-    // If args.projectTag is not an array, convert it to an array
-    // Attention, array items should be of form { name: "tagName " }
-    // see https://yoursky.blue/documentation/rest-api#tag/bom/operation/UploadBomBase64Encoded
-    bomPayload.projectTags = (
-      Array.isArray(args.projectTag) ? args.projectTag : [args.projectTag]
-    ).map((tag) => ({ name: tag }));
-  }
   if (DEBUG_MODE) {
     console.log(
       "Submitting BOM to",
       serverUrl,
       "params",
       args.projectName,
-      projectVersion,
+      bomPayload.projectVersion,
     );
   }
   try {