@cyclonedx/cdxgen 8.0.0

package/jest.config.js

@@ -0,0 +1,181 @@
+// For a detailed explanation regarding each configuration property, visit:
+// https://jestjs.io/docs/en/configuration.html
+
+module.exports = {
+  // All imported modules in your tests should be mocked automatically
+  // automock: false,
+
+  // Stop running tests after `n` failures
+  // bail: 0,
+
+  // Respect "browser" field in package.json when resolving modules
+  // browser: false,
+
+  // The directory where Jest should store its cached dependency information
+  // cacheDirectory: "/private/var/folders/v6/5570bhc90w3ddx8_vw4ghrjm0000gn/T/jest_dx",
+
+  // Automatically clear mock calls and instances between every test
+  clearMocks: true,
+
+  // Indicates whether the coverage information should be collected while executing the test
+  // collectCoverage: false,
+
+  // An array of glob patterns indicating a set of files for which coverage information should be collected
+  // collectCoverageFrom: undefined,
+
+  // The directory where Jest should output its coverage files
+  coverageDirectory: "coverage",
+
+  // An array of regexp pattern strings used to skip coverage collection
+  coveragePathIgnorePatterns: ["/node_modules/", "/.github/"],
+
+  // A list of reporter names that Jest uses when writing coverage reports
+  coverageReporters: ["json", "lcov"],
+
+  // An object that configures minimum threshold enforcement for coverage results
+  // coverageThreshold: undefined,
+
+  // A path to a custom dependency extractor
+  // dependencyExtractor: undefined,
+
+  // Make calling deprecated APIs throw helpful error messages
+  // errorOnDeprecated: false,
+
+  // Force coverage collection from ignored files using an array of glob patterns
+  // forceCoverageMatch: [],
+
+  // A path to a module which exports an async function that is triggered once before all test suites
+  // globalSetup: undefined,
+
+  // A path to a module which exports an async function that is triggered once after all test suites
+  // globalTeardown: undefined,
+
+  // A set of global variables that need to be available in all test environments
+  // globals: {},
+
+  // The maximum amount of workers used to run your tests. Can be specified as % or a number. E.g. maxWorkers: 10% will use 10% of your CPU amount + 1 as the maximum worker number. maxWorkers: 2 will use a maximum of 2 workers.
+  // maxWorkers: "50%",
+
+  // An array of directory names to be searched recursively up from the requiring module's location
+  // moduleDirectories: [
+  //   "node_modules"
+  // ],
+
+  // An array of file extensions your modules use
+  // moduleFileExtensions: [
+  //   "js",
+  //   "json",
+  //   "jsx",
+  //   "ts",
+  //   "tsx",
+  //   "node"
+  // ],
+
+  // A map from regular expressions to module names that allow to stub out resources with a single module
+  // moduleNameMapper: {},
+
+  // An array of regexp pattern strings, matched against all module paths before considered 'visible' to the module loader
+  // modulePathIgnorePatterns: [],
+
+  // Activates notifications for test results
+  // notify: false,
+
+  // An enum that specifies notification mode. Requires { notify: true }
+  // notifyMode: "failure-change",
+
+  // A preset that is used as a base for Jest's configuration
+  // preset: undefined,
+
+  // Run tests from one or more projects
+  // projects: undefined,
+
+  // Use this configuration option to add custom reporters to Jest
+  // reporters: undefined,
+
+  // Automatically reset mock state between every test
+  // resetMocks: false,
+
+  // Reset the module registry before running each individual test
+  // resetModules: false,
+
+  // A path to a custom resolver
+  // resolver: undefined,
+
+  // Automatically restore mock state between every test
+  // restoreMocks: false,
+
+  // The root directory that Jest should scan for tests and modules within
+  // rootDir: undefined,
+
+  // A list of paths to directories that Jest should use to search for files in
+  // roots: [
+  //   "<rootDir>"
+  // ],
+
+  // Allows you to use a custom runner instead of Jest's default test runner
+  // runner: "jest-runner",
+
+  // The paths to modules that run some code to configure or set up the testing environment before each test
+  // setupFiles: [],
+
+  // A list of paths to modules that run some code to configure or set up the testing framework before each test
+  // setupFilesAfterEnv: [],
+
+  // A list of paths to snapshot serializer modules Jest should use for snapshot testing
+  // snapshotSerializers: [],
+
+  // The test environment that will be used for testing
+  testEnvironment: "node"
+
+  // Options that will be passed to the testEnvironment
+  // testEnvironmentOptions: {},
+
+  // Adds a location field to test results
+  // testLocationInResults: false,
+
+  // The glob patterns Jest uses to detect test files
+  // testMatch: [
+  //   "**/__tests__/**/*.[jt]s?(x)",
+  //   "**/?(*.)+(spec|test).[tj]s?(x)"
+  // ],
+
+  // An array of regexp pattern strings that are matched against all test paths, matched tests are skipped
+  // testPathIgnorePatterns: [
+  //   "/node_modules/"
+  // ],
+
+  // The regexp pattern or array of patterns that Jest uses to detect test files
+  // testRegex: [],
+
+  // This option allows the use of a custom results processor
+  // testResultsProcessor: undefined,
+
+  // This option allows use of a custom test runner
+  // testRunner: "jasmine2",
+
+  // This option sets the URL for the jsdom environment. It is reflected in properties such as location.href
+  // testURL: "http://localhost",
+
+  // Setting this value to "fake" allows the use of fake timers for functions such as "setTimeout"
+  // timers: "real",
+
+  // A map from regular expressions to paths to transformers
+  // transform: undefined,
+
+  // An array of regexp pattern strings that are matched against all source file paths, matched files will skip transformation
+  // transformIgnorePatterns: [
+  //   "/node_modules/"
+  // ],
+
+  // An array of regexp pattern strings that are matched against all modules before the module loader will automatically return a mock for them
+  // unmockedModulePathPatterns: undefined,
+
+  // Indicates whether each individual test should be reported during the run
+  // verbose: undefined,
+
+  // An array of regexp patterns that are matched against all source file paths before re-running tests in watch mode
+  // watchPathIgnorePatterns: [],
+
+  // Whether to use watchman for file crawling
+  // watchman: true,
+};

package/known-licenses.json

@@ -0,0 +1,27 @@
+[
+    {"license": "Apache-2.0", "group": "cloud.google.com", "name": "go"},
+    {"license": "Apache-2.0", "group": "cloud.google.com/go", "name": "*"},
+    {"license": "Apache-2.0", "group": "cuelang.org", "name": "go"},
+    {"license": "MIT", "group": "pack.ag", "name": "amqp"},
+    {"license": "Apache-2.0", "group": "google.golang.org", "name": "*"},
+    {"license": "BSD-3-Clause", "group": "golang.org/x", "name": "*"},
+    {"license": "BSD-3-Clause", "group": "dmitri.shuralyov.com/gpu", "name": "*"},
+    {"license": "Apache-2.0", "group": "contrib.go.opencensus.io", "name": "*"},
+    {"license": "Apache-2.0", "group": "git.apache.org", "name": "*"},
+    {"license": "Apache-2.0", "group": ".", "name": "go.opencensus.io"},
+    {"license": "MIT", "group": "sigs.k8s.io", "name": "*"},
+    {"license": "BSD-3-Clause", "group": "rsc.io", "name": "*"},
+    {"license": "Apache-2.0", "group": "openpitrix.io", "name": "*"},
+    {"license": "BSD-3-Clause", "group": "modernc.org", "name": "*"},
+    {"license": "Apache-2.0", "group": "kubesphere.io", "name": "*"},
+    {"license": "Apache-2.0", "group": "k8s.io", "name": "*"},
+    {"license": "Apache-2.0", "group": "istio.io", "name": "*"},
+    {"license": "MIT", "group": "honnef.co/go", "name": "*"},
+    {"license": "Apache-2.0", "group": ".", "name": "gotest.tools"},
+    {"license": "Apache-2.0", "group": "gopkg.in", "name": "*"},
+    {"license": "Apache-2.0", "group": "code.cloudfoundry.org", "name": "*"},
+    {"license": "BSD-3-Clause", "group": "gonum.org/v1", "name": "*"},
+    {"license": "Apache-2.0", "group": "gomodules.xyz/jsonpatch", "name": "*"},
+    {"license": "MIT", "group": "go.uber.org", "name": "*"},
+    {"license": "MIT", "group": "go.etcd.io", "name": "*"}
+]

package/lic-mapping.json

@@ -0,0 +1,294 @@
+[
+  {
+    "exp": "Apache-2.0",
+    "names": [
+      "Apache 2",
+      "Apache 2.0",
+      "Apache Version 2.0",
+      "Apache 2.0 License",
+      "Apache Software License, Version 2.0",
+      "The Apache Software License, Version 2.0",
+      "Apache License (v2.0)",
+      "Apache License 2.0",
+      "Apache License Version 2.0",
+      "Apache License, Version 2.0",
+      "Apache Public License 2.0",
+      "Apache Software License - Version 2.0",
+      "The Apache License, Version 2.0",
+      "BSD or Apache License, Version 2.0",
+      "Apache Software License",
+      "Apache-2.0 OR MIT"
+    ]
+  },
+  {
+    "exp": "0BSD",
+    "names": [
+      "Zero-Clause BSD",
+      "BSD",
+      "BSD License",
+      "BSD-like"
+    ]
+  },
+  {
+    "exp": "BSD-2-Clause",
+    "names": [
+      "BSD 2 Clause",
+      "BSD 2-Clause",
+      "BSD-2-Clause",
+      "BSD 2-Clause License",
+      "The BSD 2-Clause License",
+      "The 2-Clause BSD License"
+    ]
+  },
+  {
+    "exp": "BSD-3-Clause",
+    "names": [
+      "BSD 3 Clause",
+      "BSD 3-Clause",
+      "BSD-3-Clause",
+      "BSD 3-Clause License",
+      "The BSD 3-Clause License",
+      "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
+      "Eclipse Distribution License (New BSD License)",
+      "New BSD License",
+      "Modified BSD License",
+      "Revised BSD",
+      "Revised BSD License",
+      "The New BSD License",
+      "BSD (3-clause)"
+    ]
+  },
+  {
+    "exp": "CDDL-1.0",
+    "names": [
+      "CDDL",
+      "CDDL 1.0",
+      "CDDL License",
+      "Common Development And Distribution License (CDDL) V1.0",
+      "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0"
+    ]
+  },
+  {
+    "exp": "(CDDL-1.0 OR GPL-2.0-with-classpath-exception)",
+    "names": [
+      "CDDL + GPLv2 with classpath exception",
+      "CDDL/GPLv2+CE"
+    ]
+  },
+  {
+    "exp": "CDDL-1.1",
+    "names": [
+      "CDDL 1.1"
+    ]
+  },
+  {
+    "exp": "(CDDL-1.1 OR GPL-2.0-only)",
+    "names": [
+      "Dual license consisting of the CDDL v1.1 and GPL v2"
+    ]
+  },
+  {
+    "exp": "EPL-1.0",
+    "names": [
+      "Eclipse Public License - Version 1.0",
+      "Eclipse Public License (EPL) 1.0",
+      "Eclipse Public License v1.0",
+      "Eclipse Public License, Version 1.0",
+      "Eclipse Public License - v 1.0",
+      "Eclipse Public License - v1.0",
+      "EPL 1.0",
+      "Eclipse Public License 1.0"
+    ]
+  },
+  {
+    "exp": "EPL-2.0",
+    "names": [
+      "Eclipse Public License - Version 2.0",
+      "Eclipse Public License (EPL) 2.0",
+      "Eclipse Public License v2.0",
+      "Eclipse Public License, Version 2.0",
+      "Eclipse Public License - v 2.0",
+      "Eclipse Public License - v2.0",
+      "EPL 2.0"
+    ]
+  },
+  {
+    "exp": "ECL-1.0",
+    "names": [
+      "Educational Community License, Version 1.0"
+    ]
+  },
+  {
+    "exp": "ECL-2.0",
+    "names": [
+      "Educational Community License, Version 2.0"
+    ]
+  },
+  {
+    "exp": "LGPL-2.0-only",
+    "names": [
+      "GNU Lesser General Public License (LGPL), version 2",
+      "GNU Lesser General Public License (LGPL), version 2.0",
+      "GNU Lesser General Public License v2",
+      "GNU Lesser General Public License v2.0"
+    ]
+  },
+  {
+    "exp": "LGPL-2.0-or-later",
+    "names": [
+      "GNU Lesser General Public License (LGPL), version 2 or later",
+      "GNU Lesser General Public License (LGPL), version 2.0 or later",
+      "GNU Lesser General Public License v2 or later",
+      "GNU Lesser General Public License v2.0 or later",
+      "LGPLv2+"
+    ]
+  },
+  {
+    "exp": "LGPL-2.1-only",
+    "names": [
+      "LGPL 2.1",
+      "LGPL v2.1",
+      "LGPL-2.1",
+      "LGPL2.1",
+      "GNU Lesser General Public License",
+      "GNU Lesser General Public License Version 2.1",
+      "GNU Lesser General Public License Version 2.1, February 1999",
+      "GNU Library or Lesser General Public License (LGPL) V2.1"
+    ]
+  },
+  {
+    "exp": "LGPL-2.1-or-later",
+    "names": [
+      "GNU Lesser General Public License (LGPL), version 2.1 or later",
+      "GNU Lesser General Public License v2.1 or later",
+      "LGPL, v2.1 or later"
+    ]
+  },
+  {
+    "exp": "LGPL-3.0-only",
+    "names": [
+      "LGPL 3.0",
+      "LGPL v3.0",
+      "LGPL-3.0",
+      "LGPL3.0",
+      "GNU Lesser General Public License (LGPL), version 3",
+      "GNU Lesser General Public License (LGPL), version 3.0",
+      "GNU Lesser General Public License v3.0",
+      "GNU Lesser General Public License (LGPL), Version 3"
+    ]
+  },
+  {
+    "exp": "LGPL-3.0-or-later",
+    "names": [
+      "GNU Lesser General Public License (LGPL), version 3 or later",
+      "GNU Lesser General Public License (LGPL), version 3.0 or later",
+      "GNU Lesser General Public License v3.0 or later"
+    ]
+  },
+  {
+    "exp": "GPL-2.0-only",
+    "names": [
+      "GNU General Public License (GPL) version 2",
+      "GNU General Public License (GPL) version 2.0",
+      "GNU General Public License v2",
+      "GNU General Public License v2.0",
+      "GNU General Public License Version 2",
+      "GNU General Public License, version 2",
+      "GNU General Public License as published by the Free Software Foundation; version 2."
+    ]
+  },
+  {
+    "exp": "GPL-2.0-or-later",
+    "names": [
+      "GNU General Public License (GPL) version 2, or any later version",
+      "GNU General Public License (GPL) version 2.0, or any later version",
+      "GNU General Public License v2 or later",
+      "GNU General Public License v2.0 or later",
+      "GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version",
+      "GNU GPLv2 or any later version",
+      "GPLv2+"
+    ]
+  },
+  {
+    "exp": "GPL-2.0-with-classpath-exception",
+    "names": [
+      "GPL2 w/ CPE",
+      "GPLv2+CE",
+      "GPLv2 with classpath exception",
+      "GNU General Public License v2.0 only, with Classpath exception",
+      "As a special exception, the copyright holders of this library give you permission to link this library with independent modules to produce an executable, regardless of the license terms of these independent modules"
+    ]
+  },
+  {
+    "exp": "GPL-3.0",
+    "names": [
+      "GNU General Public License (GPL) version 3",
+      "GNU General Public License (GPL) version 3.0",
+      "GNU General Public License v3",
+      "GNU General Public License v3.0",
+      "GNU General Public License as published by the Free Software Foundation, version 3.",
+      "GPL-3"
+    ]
+  },
+  {
+    "exp": "GPL-3.0-or-later",
+    "names": [
+      "GNU General Public License (GPL) version 3, or any later version",
+      "GNU General Public License (GPL) version 3.0, or any later version",
+      "GNU General Public License v3 or later",
+      "GNU General Public License v3.0 or later",
+      "GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version"
+    ]
+  },
+  {
+    "exp": "AGPL-3.0",
+    "names": [
+      "GNU Affero General Public License (GPL) version 3",
+      "GNU Affero General Public License (GPL) version 3.0",
+      "GNU Affero General Public License v3",
+      "GNU Affero General Public License v3.0"
+    ]
+  },
+  {
+    "exp": "MIT",
+    "names": [
+      "MIT License",
+      "The MIT License",
+      "MIT license",
+      "The MIT License (MIT)",
+      "Apache-2.0 OR MIT"
+    ]
+  },
+  {
+    "exp": "MPL-1.1",
+    "names": [
+      "MPL 1.1"
+    ]
+  },
+  {
+    "exp": "MPL-2.0",
+    "names": [
+      "MPL 2.0",
+      "Mozilla Public License 2.0"
+    ]
+  },
+  {
+    "exp": "NetCDF",
+    "names": [
+      "(MIT-style) netCDF C library license"
+    ]
+  },
+  {
+    "exp": "JSON",
+    "names": [
+      "The JSON License",
+      "JSON License"
+    ]
+  },
+  {
+    "exp": "ISC",
+    "names": [
+      "ISC license"
+    ]
+  }
+]

package/package.json

@@ -0,0 +1,94 @@
+{
+  "name": "@cyclonedx/cdxgen",
+  "version": "8.0.0",
+  "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
+  "homepage": "http://github.com/cyclonedx/cdxgen",
+  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
+  "license": "Apache-2.0",
+  "keywords": [
+    "sbom",
+    "bom",
+    "inventory",
+    "spdx",
+    "package-url",
+    "purl",
+    "owasp",
+    "component",
+    "dependency",
+    "appsec",
+    "scrm"
+  ],
+  "contributors": [
+    {
+      "name": "Erlend Oftedal"
+    },
+    {
+      "name": "Steve Springett",
+      "email": "steve.springett@owasp.org",
+      "url": "https://about.me/stevespringett"
+    }
+  ],
+  "main": "index.js",
+  "bin": {
+    "cdxgen": "./bin/cdxgen"
+  },
+  "scripts": {
+    "test": "jest",
+    "watch": "jest --watch",
+    "lint": "eslint index.js utils.js binary.js server.js docker.js bin/cdxgen",
+    "pretty": "prettier --write *.js bin/cdxgen --trailing-comma=none"
+  },
+  "engines": {
+    "node": ">=12.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cyclonedx/cdxgen.git"
+  },
+  "bugs": {
+    "url": "https://github.com/cyclonedx/cdxgen/issues"
+  },
+  "dependencies": {
+    "@babel/parser": "^7.20.7",
+    "@babel/traverse": "^7.20.12",
+    "cheerio": "^1.0.0-rc.12",
+    "edn-data": "^1.0.0",
+    "glob": "^8.0.3",
+    "global-agent": "^3.0.0",
+    "got": "^11.8.5",
+    "js-yaml": "^4.1.0",
+    "jws": "^4.0.0",
+    "node-stream-zip": "^1.15.0",
+    "packageurl-js": "^1.0.0",
+    "parse-packagejson-name": "^1.0.1",
+    "prettify-xml": "^1.2.0",
+    "properties-reader": "^2.2.0",
+    "semver": "^7.3.8",
+    "ssri": "^8.0.1",
+    "table": "^6.8.1",
+    "tar": "^6.1.13",
+    "uuid": "^9.0.0",
+    "xml-js": "^1.6.11",
+    "xmlbuilder": "^15.1.1",
+    "yargs": "^17.6.2"
+  },
+  "optionalDependencies": {
+    "@cyclonedx/cdxgen-plugins-bin": "^1.0.0",
+    "connect": "^3.7.0",
+    "body-parser": "^1.20.1",
+    "compression": "^1.7.4"
+  },
+  "files": [
+    "*.js",
+    "bin/",
+    "spdx-licenses.json",
+    "lic-mapping.json",
+    "known-licenses.json",
+    "vendor-alias.json",
+    "queries.json"
+  ],
+  "devDependencies": {
+    "eslint": "^8.31.0",
+    "jest": "^26.6.3"
+  }
+}

package/queries.json

@@ -0,0 +1,68 @@
+{
+  "kernel_info": {
+    "query": "select * from kernel_info;",
+    "name": "os-image",
+    "description": "Retrieves information from the current kernel in the target system.",
+    "purlType": "swid"
+  },
+  "os_version": {
+    "query": "select * from os_version;",
+    "description": "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
+    "purlType": "swid"
+  },
+  "chrome_extensions": {
+    "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
+    "description": "Retrieves the list of extensions for Chrome in the target system.",
+    "purlType": "swid"
+  },
+  "firefox_addons": {
+    "query": "select firefox_addons.* from users join firefox_addons using (uid);",
+    "description": "Retrieves the list of addons for Firefox in the target system.",
+    "purlType": "swid"
+  },
+  "deb_packages": {
+    "query": "select * from deb_packages;",
+    "description": "Retrieves all the installed DEB packages in the target Linux system.",
+    "purlType": "deb"
+  },
+  "apt_sources": {
+    "query": "select * from apt_sources;",
+    "description": "Retrieves all the APT sources to install packages from in the target Linux system.",
+    "purlType": "deb"
+  },
+  "portage_packages": {
+    "query": "select * from portage_packages;",
+    "description": "Retrieves all the installed packages on the target Linux system.",
+    "purlType": "ebuild"
+  },
+  "rpm_packages": {
+    "query": "select * from rpm_packages;",
+    "description": "Retrieves all the installed RPM packages in the target Linux system.",
+    "purlType": "rpm"
+  },
+  "backdoored_python_packages": {
+    "query": "select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';",
+    "description": "Watches for the backdoored Python packages installed on system.",
+    "purlType": "pypi"
+  },
+  "windows_programs": {
+    "query" : "select * from programs;",
+    "description" : "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_patches": {
+    "query" : "select * from patches;",
+    "description" : "Retrieves all the information for the current windows drivers in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_drivers": {
+    "query" : "select * from drivers;",
+    "description" : "Retrieves all the information for the current windows drivers in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_shared_resources": {
+    "query" : "select * from shared_resources;",
+    "description" : "Retrieves the list of shared resources in the target Windows system.",
+    "purlType": "swid"
+  }
+}