@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/managers/binary.js

@@ -16,11 +16,13 @@ import { createContainerRiskProperties } from "../helpers/containerRisk.js";
 import { createGtfoBinsProperties } from "../helpers/gtfobins.js";
 import {
   adjustLicenseInformation,
+  attachIdentityTools,
   collectExecutables,
   collectSharedLibs,
   DEBUG_MODE,
   dirNameStr,
   extractPathEnv,
+  extractToolRefs,
   findLicenseId,
   getTmpDir,
   isDryRun,
@@ -465,6 +467,7 @@ export async function getOSPackages(src, imageConfig) {
       executables: [],
       osPackages: [],
       sharedLibs: [],
+      tools: [],
     };
   }
   const pkgList = [];
@@ -472,6 +475,7 @@ export async function getOSPackages(src, imageConfig) {
   const allTypes = new Set();
   const bundledSdks = new Set();
   const bundledRuntimes = new Set();
+  let tools = [];
   let binPaths = extractPathEnv(imageConfig?.Env);
   if (!binPaths?.length) {
     const rootBinPaths = getDirs(src, "{sbin,bin}", true, false);
@@ -633,6 +637,15 @@ export async function getOSPackages(src, imageConfig) {
         }
       }
       const tmpDependencies = {};
+      const toolRefs = extractToolRefs(
+        tmpBom?.metadata?.tools,
+        (tool) => tool?.name !== "cdxgen",
+      );
+      tools = (
+        Array.isArray(tmpBom?.metadata?.tools)
+          ? tmpBom.metadata.tools
+          : tmpBom?.metadata?.tools?.components || []
+      ).filter((tool) => tool?.["bom-ref"] && tool?.name !== "cdxgen");
       (tmpBom.dependencies || []).forEach((d) => {
         tmpDependencies[d.ref] = d.dependsOn;
       });
@@ -781,6 +794,7 @@ export async function getOSPackages(src, imageConfig) {
                 console.log(err);
               }
             }
+            attachIdentityTools(comp, toolRefs);
             // Fix licenses
             if (
               comp.licenses &&
@@ -916,6 +930,7 @@ export async function getOSPackages(src, imageConfig) {
                 ).toString();
               }
               newComp["bom-ref"] = decodeURIComponent(newComp.purl);
+              attachIdentityTools(newComp, toolRefs);
               pkgList.push(newComp);
               detectSdksRuntimes(newComp, bundledSdks, bundledRuntimes);
             }
@@ -968,6 +983,7 @@ export async function getOSPackages(src, imageConfig) {
     binPaths,
     executables,
     sharedLibs,
+    tools,
   };
 }
 

package/lib/managers/binary.poku.js

@@ -60,6 +60,7 @@ it("getOSPackages() returns empty collections and reports a blocked dry-run acti
   assert.deepStrictEqual(result.dependenciesList, []);
   assert.deepStrictEqual(result.binPaths, []);
   assert.deepStrictEqual(Array.from(result.allTypes), []);
+  assert.deepStrictEqual(result.tools, []);
   sinon.assert.calledWithMatch(recordActivity, {
     kind: "container",
     status: "blocked",

package/lib/managers/docker.js

@@ -32,6 +32,13 @@ import { getDirs, getOnlyDirs } from "./containerutils.js";
 
 export const isWin = _platform() === "win32";
 export const DOCKER_HUB_REGISTRY = "docker.io";
+// Docker commonly stores Hub credentials under index.docker.io or
+// registry-1.docker.io while pulls target docker.io.
+const DOCKER_HUB_REGISTRY_ALIASES = new Set([
+  DOCKER_HUB_REGISTRY,
+  "index.docker.io",
+  "registry-1.docker.io",
+]);
 
 /**
  * Encode a value as base64url (RFC 4648 §5) with padding.
@@ -42,6 +49,212 @@ export const DOCKER_HUB_REGISTRY = "docker.io";
 const toBase64Url = (value) =>
   Buffer.from(value).toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
 
+const normalizeRegistryPath = (registryPath) => {
+  if (!registryPath || registryPath === "/") {
+    return "";
+  }
+  let normalizedPath = registryPath.trim();
+  if (!normalizedPath.startsWith("/")) {
+    normalizedPath = `/${normalizedPath}`;
+  }
+  while (normalizedPath.endsWith("/")) {
+    normalizedPath = normalizedPath.slice(0, -1);
+  }
+  const lowerCasePath = normalizedPath.toLowerCase();
+  if (lowerCasePath.endsWith("/v1") || lowerCasePath.endsWith("/v2")) {
+    normalizedPath = normalizedPath.slice(0, -3);
+  }
+  return normalizedPath === "/" ? "" : normalizedPath;
+};
+
+const buildRegistryAuthority = (hostname, port) => {
+  if (!hostname) {
+    return undefined;
+  }
+  hostname = hostname.toLowerCase();
+  if (hostname.includes(":") && !hostname.startsWith("[")) {
+    hostname = `[${hostname}]`;
+  }
+  if (port) {
+    return `${hostname}:${port}`;
+  }
+  return hostname;
+};
+
+const parseRawRegistryAuthority = (authority) => {
+  if (!authority?.trim()) {
+    return undefined;
+  }
+  authority = authority.trim();
+  if (authority.startsWith("[")) {
+    const closingBracketIndex = authority.indexOf("]");
+    if (closingBracketIndex === -1) {
+      return undefined;
+    }
+    const hostname = authority.slice(0, closingBracketIndex + 1);
+    const portSuffix = authority.slice(closingBracketIndex + 1);
+    if (!portSuffix) {
+      return buildRegistryAuthority(hostname);
+    }
+    if (!/^:\d+$/.test(portSuffix)) {
+      return undefined;
+    }
+    return buildRegistryAuthority(hostname, portSuffix.slice(1));
+  }
+  const colonIndex = authority.lastIndexOf(":");
+  if (colonIndex > -1 && authority.indexOf(":") === colonIndex) {
+    const portCandidate = authority.slice(colonIndex + 1);
+    if (/^\d+$/.test(portCandidate)) {
+      return buildRegistryAuthority(
+        authority.slice(0, colonIndex),
+        portCandidate,
+      );
+    }
+  }
+  return buildRegistryAuthority(authority);
+};
+
+const parseRegistryReference = (registry) => {
+  if (!registry?.trim()) {
+    return undefined;
+  }
+  registry = registry.trim();
+  if (registry.includes("://")) {
+    if (!URL.canParse(registry)) {
+      return undefined;
+    }
+    const registryUrl = new URL(registry);
+    const authoritySource = registry
+      .slice(registry.indexOf("://") + 3)
+      .split("/")[0];
+    return {
+      authority: parseRawRegistryAuthority(authoritySource),
+      path: normalizeRegistryPath(registryUrl.pathname),
+    };
+  }
+  const slashIndex = registry.indexOf("/");
+  const authority =
+    slashIndex === -1 ? registry : registry.slice(0, slashIndex);
+  const registryPath = slashIndex === -1 ? "" : registry.slice(slashIndex);
+  if (!authority) {
+    return undefined;
+  }
+  try {
+    // Raw registry references such as host:port are not absolute URLs, so we
+    // add an https scheme only to parse the authority and optional port.
+    return {
+      authority: parseRawRegistryAuthority(authority),
+      path: normalizeRegistryPath(registryPath),
+    };
+  } catch (_err) {
+    return undefined;
+  }
+};
+
+const looksLikeImageReference = (value) => {
+  if (typeof value !== "string" || !value.trim()) {
+    return false;
+  }
+  value = value.trim();
+  if (value.includes("://")) {
+    return false;
+  }
+  if (!value.includes("/")) {
+    if (value.includes(":")) {
+      const tagOrPortSuffix = value.slice(value.lastIndexOf(":") + 1);
+      if (!/^\d+$/.test(tagOrPortSuffix)) {
+        return true;
+      }
+      return !parseRegistryReference(value)?.authority;
+    }
+    return !(
+      value.includes(".") ||
+      value === "localhost" ||
+      value.startsWith("[")
+    );
+  }
+  const firstSegment = value.split("/")[0];
+  return !(
+    parseRegistryReference(firstSegment)?.authority &&
+    (firstSegment.includes(".") ||
+      firstSegment.includes(":") ||
+      firstSegment === "localhost" ||
+      firstSegment.startsWith("["))
+  );
+};
+
+const resolveRequestedRegistryRef = (forRegistry, requestedRegistryRef) => {
+  const fallbackRegistry =
+    forRegistry || process.env.DOCKER_SERVER_ADDRESS || DOCKER_HUB_REGISTRY;
+  if (
+    typeof requestedRegistryRef !== "string" ||
+    !requestedRegistryRef.trim()
+  ) {
+    return fallbackRegistry;
+  }
+  requestedRegistryRef = requestedRegistryRef.trim();
+  if (requestedRegistryRef.includes("://")) {
+    return requestedRegistryRef;
+  }
+  return looksLikeImageReference(requestedRegistryRef)
+    ? fallbackRegistry
+    : requestedRegistryRef;
+};
+
+const extractRequestedRegistryRefFromPath = (path, forRegistry) => {
+  if (!path?.includes("?")) {
+    return resolveRequestedRegistryRef(forRegistry, forRegistry);
+  }
+  const queryString = path.slice(path.indexOf("?") + 1);
+  const requestedImageRef = new URLSearchParams(queryString).get("fromImage");
+  return resolveRequestedRegistryRef(
+    forRegistry,
+    requestedImageRef || forRegistry,
+  );
+};
+
+const normalizeRegistryReference = (registry) => {
+  const parsedRegistry = parseRegistryReference(registry);
+  if (!parsedRegistry?.authority) {
+    return undefined;
+  }
+  return parsedRegistry.path
+    ? `${parsedRegistry.authority}${parsedRegistry.path}`
+    : parsedRegistry.authority;
+};
+
+const registriesMatch = (configuredRegistry, requestedRegistry) => {
+  if (!requestedRegistry) {
+    return false;
+  }
+  const normalizedConfiguredRegistry =
+    parseRegistryReference(configuredRegistry);
+  const normalizedRequestedRegistry = parseRegistryReference(requestedRegistry);
+  if (
+    !normalizedConfiguredRegistry?.authority ||
+    !normalizedRequestedRegistry?.authority
+  ) {
+    return false;
+  }
+  const hostMatches =
+    normalizedConfiguredRegistry.authority ===
+      normalizedRequestedRegistry.authority ||
+    (DOCKER_HUB_REGISTRY_ALIASES.has(normalizedConfiguredRegistry.authority) &&
+      DOCKER_HUB_REGISTRY_ALIASES.has(normalizedRequestedRegistry.authority));
+  if (!hostMatches) {
+    return false;
+  }
+  if (!normalizedConfiguredRegistry.path) {
+    return true;
+  }
+  return (
+    normalizedConfiguredRegistry.path === normalizedRequestedRegistry.path ||
+    normalizedRequestedRegistry.path.startsWith(
+      `${normalizedConfiguredRegistry.path}/`,
+    )
+  );
+};
+
 // Should we extract the tar image in non-strict mode
 const NON_STRICT_TAR_EXTRACT = ["true", "1"].includes(
   process?.env?.NON_STRICT_TAR_EXTRACT,
@@ -185,19 +398,21 @@ const REQUEST_TIMEOUT_SECS = 60000;
  *
  * @param {string} [forRegistry] Registry hostname (e.g. "registry-1.docker.io").
  *   Defaults to DOCKER_SERVER_ADDRESS env var or "docker.io".
+ * @param {string} [requestedRegistryRef] Requested registry/image reference used
+ *   to scope config.json auth matching. Unqualified images default to Docker Hub.
  * @returns {Object} Options object suitable for passing to `got`
  */
-const getDefaultOptions = (forRegistry) => {
+const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
   let authTokenSet = false;
   if (!forRegistry) {
     forRegistry = process.env.DOCKER_SERVER_ADDRESS ?? DOCKER_HUB_REGISTRY;
   }
-  if (forRegistry) {
-    forRegistry = forRegistry.replace("http://", "").replace("https://", "");
-    if (forRegistry.includes("/")) {
-      forRegistry = forRegistry.split("/")[0];
-    }
-  }
+  requestedRegistryRef = resolveRequestedRegistryRef(
+    forRegistry,
+    requestedRegistryRef,
+  );
+  const normalizedForRegistry =
+    parseRegistryReference(forRegistry)?.authority ?? forRegistry;
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
@@ -227,12 +442,12 @@ const getDefaultOptions = (forRegistry) => {
     process.env.DOCKER_USER &&
     process.env.DOCKER_PASSWORD &&
     process.env.DOCKER_EMAIL &&
-    forRegistry
+    normalizedForRegistry
   ) {
     const authPayload = {
       username: process.env.DOCKER_USER,
       email: process.env.DOCKER_EMAIL,
-      serveraddress: forRegistry,
+      serveraddress: normalizedForRegistry,
     };
     if (process.env.DOCKER_USER === "<token>") {
       authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
@@ -242,6 +457,7 @@ const getDefaultOptions = (forRegistry) => {
     opts.headers = {
       "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
     };
+    authTokenSet = true;
   }
   if (!authTokenSet && safeExistsSync(join(DOCKER_CONFIG, "config.json"))) {
     const configData = readFileSync(
@@ -254,7 +470,7 @@ const getDefaultOptions = (forRegistry) => {
         if (configJson.auths) {
           // Check if there are hardcoded tokens
           for (const serverAddress of Object.keys(configJson.auths)) {
-            if (forRegistry && !serverAddress.includes(forRegistry)) {
+            if (!registriesMatch(serverAddress, requestedRegistryRef)) {
               continue;
             }
             if (configJson.auths[serverAddress].auth) {
@@ -293,7 +509,7 @@ const getDefaultOptions = (forRegistry) => {
         } else if (configJson.credHelpers) {
           // Support for credential helpers
           for (const serverAddress of Object.keys(configJson.credHelpers)) {
-            if (forRegistry && !serverAddress.includes(forRegistry)) {
+            if (!registriesMatch(serverAddress, requestedRegistryRef)) {
               continue;
             }
             if (configJson.credHelpers[serverAddress]) {
@@ -535,7 +751,10 @@ export const makeRequest = async (path, method, forRegistry) => {
   }
   // Use the client's prefixUrl (set correctly by getConnection for
   // docker/podman). Only pass per-request auth headers and method options.
-  const defaultOptions = getDefaultOptions(forRegistry);
+  const defaultOptions = getDefaultOptions(
+    forRegistry,
+    extractRequestedRegistryRefFromPath(path, forRegistry),
+  );
   const opts = {
     responseType: method === "GET" ? "json" : "buffer",
     resolveBodyOnly: true,
@@ -858,13 +1077,17 @@ export const getImage = async (fullImageName) => {
   return localData;
 };
 
+/**
+ * @typedef {{ path: string }} TarReadEntryLike
+ */
+
 /**
  * Warnings such as TAR_ENTRY_INFO are treated as errors in strict mode. While this is mostly desired, we can relax this
  * requirement for one particular warning related to absolute paths.
  * This callback function checks for absolute paths in the entry read from the archive and strips them using a custom
  * method.
  *
- * @param entry {tar.ReadEntry} ReadEntry object from node-tar
+ * @param {TarReadEntryLike} entry ReadEntry object from node-tar
  */
 function handleAbsolutePath(entry) {
   if (entry.path === "/" || win32.isAbsolute(entry.path)) {
@@ -1694,8 +1917,9 @@ export const removeImage = async (fullImageName, force = false) => {
  *   if the helper is unavailable or returns an error
  */
 export const getCredsFromHelper = (exeSuffix, serverAddress) => {
-  if (registry_auth_keys[serverAddress]) {
-    return registry_auth_keys[serverAddress];
+  const cacheKey = `${exeSuffix}:${normalizeRegistryReference(serverAddress) ?? serverAddress}`;
+  if (registry_auth_keys[cacheKey]) {
+    return registry_auth_keys[cacheKey];
   }
   let credHelperExe = `docker-credential-${exeSuffix}`;
   if (isWin) {
@@ -1726,7 +1950,7 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
         serveraddress: serverAddress,
       };
       const authKey = toBase64Url(JSON.stringify(fixedAuthPayload));
-      registry_auth_keys[serverAddress] = authKey;
+      registry_auth_keys[cacheKey] = authKey;
       return authKey;
     } catch (_err) {
       return undefined;