@cyclonedx/cdxgen 8.0.3 → 8.0.5

package/README.md

@@ -71,19 +71,19 @@ For go, `go mod why` command is used to identify required packages. For php, com
 
 ## Installing
 
-```bash
+```shell
 sudo npm install -g @cyclonedx/cdxgen
 ```
 
 You can also use the cdxgen container image
 
 ```bash
-docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json
 ```
 
 ## Getting Help
 
-```bash
+```text
 $ cdxgen -h
 Options:
   -o, --output           Output file for bom.xml or bom.json. Default console
@@ -122,7 +122,7 @@ Options:
 
 Minimal example.
 
-```bash
+```shell
 cdxgen -o bom.json
 ```
 
@@ -132,19 +132,19 @@ cdxgen would always produce bom in both xml and json format as per CycloneDX 1.4
 
 For a java project. This would automatically detect maven, gradle or sbt and build bom accordingly
 
-```bash
+```shell
 cdxgen -t java -o bom.json
 ```
 
 To print the SBoM as a table pass `-p` argument.
 
-```bash
+```shell
 cdxgen -t java -o bom.json -p
 ```
 
 To recursively generate a single BoM for all languages pass `-r` argument.
 
-```bash
+```shell
 cdxgen -r -o bom.json
 ```
 
@@ -156,27 +156,27 @@ By passing the type `-t universal`, cdxgen could be forced to opportunistically
 
 Invoke cdxgen with `--server` argument to run it in a server mode. By default, it listens to port `9090` which can be customized with the arguments `--server-host` and `--server-port`.
 
-```bash
+```shell
 cdxgen --server
 ```
 
 Or use the container image.
 
 ```bash
-docker run --rm -it -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server
+docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server
 ```
 
 Use curl or your favourite tool to pass arguments to the `/sbom` route.
 
 ### Scanning a local path
 
-```bash
+```shell
 curl "http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-app&multiProject=true&type=js"
 ```
 
 ### Scanning a git repo
 
-```bash
+```shell
 curl "http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git&multiProject=true&type=js"
 ```
 
@@ -188,7 +188,7 @@ curl -H "Content-Type: application/json" http://localhost:9090/sbom -XPOST -d $'
 
 ### Docker compose
 
-```
+```shell
 git clone https://github.com/cyclonedx/cdxgen.git
 docker compose up
 ```
@@ -199,7 +199,7 @@ In universal mode, cdxgen can look for any [Privado](https://www.privado.ai?utm_
 
 Invoke privado scan first to generate this report followed by an invocation of cdxgen in universal mode as shown.
 
-```bash
+```shell
 privado scan --enable-javascript <directory>
 cdxgen -t universal <directory> -o bom.json
 ```
@@ -208,7 +208,7 @@ cdxgen -t universal <directory> -o bom.json
 
 cdxgen can generate a BoM file from a given war file.
 
-```bash
+```shell
 # cdxgen -t java app.war
 cdxgen app.war
 ```
@@ -217,7 +217,7 @@ cdxgen app.war
 
 Sometimes it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen create a separate mapping file with the jar name (including the version) as the key and class names list as a value.
 
-```bash
+```shell
 cdxgen -t java --resolve-class -o bom.json
 ```
 
@@ -271,7 +271,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 
 cdxgen could be extended with external binary plugins to support more SBoM use cases. These are now installed as an optional dependency.
 
-```
+```shell
 sudo npm install -g @cyclonedx/cdxgen-plugins-bin
 ```
 
@@ -279,19 +279,19 @@ sudo npm install -g @cyclonedx/cdxgen-plugins-bin
 
 `docker` type is automatically detected based on the presence of values such as `sha256` or `docker.io` prefix etc in the path.
 
-```bash
+```shell
 cdxgen odoo@sha256:4e1e147f0e6714e8f8c5806d2b484075b4076ca50490577cdf9162566086d15e -o /tmp/bom.json
 ```
 
 You can also pass `-t docker` for simple labels. Only the `latest` tag would be pulled if none was specified.
 
-```bash
+```shell
 cdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker
 ```
 
 You can also pass the .tar file of a container image.
 
-```bash
+```shell
 docker save -o /tmp/slim.tar shiftleft/scan-slim
 podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
 cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker
@@ -307,7 +307,7 @@ Setup podman in either [rootless](https://github.com/containers/podman/blob/mast
 
 On Linux, do not forget to start the podman socket which is required for API access.
 
-```bash
+```shell
 systemctl --user enable --now podman.socket
 systemctl --user start podman.socket
 podman system service -t 0 &
@@ -317,7 +317,7 @@ podman system service -t 0 &
 
 You can use cdxgen to generate SBoM for a live system or a VM for compliance and vulnerability management purposes by passing the argument `-t os`.
 
-```
+```shell
 cdxgen -t os
 ```
 
@@ -348,10 +348,14 @@ Use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli) tool for adv
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE](LICENSE) file for the full license.
 
 [license]: https://github.com/cyclonedx/cdxgen/blob/master/LICENSE
+[cyclonedx-homepage]: https://cyclonedx.org
 
-## Discord support
-
-The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel.
+## Contributing
 
+Follow the usual PR process but prior to raising a PR run the following commands.
 
-[cyclonedx-homepage]: https://cyclonedx.org
+```bash
+npm run lint
+npm run pretty
+npm test
+```

package/bin/cdxgen

@@ -155,7 +155,10 @@ let options = {
   }
   const bomNSData = (await bom.createBom(filePath, options)) || {};
 
-  if (args.output) {
+  if (
+    args.output &&
+    (typeof args.output === "string" || args.output instanceof String)
+  ) {
     if (bomNSData.bomXmlFiles) {
       console.log("BOM files produced:", bomNSData.bomXmlFiles);
     } else {

package/index.js

@@ -1681,13 +1681,6 @@ const createNodejsBom = async (path, options) => {
         );
       }
     }
-    return buildBomNSData(options, pkgList, "npm", {
-      allImports,
-      src: path,
-      filename: manifestFiles.join(", "),
-      dependencies,
-      parentComponent
-    });
   }
   if (pkgLockFiles && pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.0.3",
+  "version": "8.0.5",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -49,11 +49,11 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.20.7",
-    "@babel/traverse": "^7.20.12",
+    "@babel/parser": "^7.20.15",
+    "@babel/traverse": "^7.20.13",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
-    "glob": "^8.0.3",
+    "glob": "^8.1.0",
     "global-agent": "^3.0.0",
     "got": "^11.8.5",
     "js-yaml": "^4.1.0",
@@ -73,7 +73,7 @@
     "yargs": "^17.6.2"
   },
   "optionalDependencies": {
-    "@cyclonedx/cdxgen-plugins-bin": "^1.0.0",
+    "@cyclonedx/cdxgen-plugins-bin": "^1.0.5",
     "connect": "^3.7.0",
     "body-parser": "^1.20.1",
     "compression": "^1.7.4"

package/utils.js

@@ -36,6 +36,18 @@ const MAX_LICENSE_ID_LENGTH = 100;
  */
 const getAllFiles = function (dirPath, pattern) {
   try {
+    const ignoreList = [
+      "**/.hg/**",
+      "**/.git/**",
+      "**/venv/**",
+      "**/docs/**",
+      "**/examples/**",
+      "**/site-packages/**"
+    ];
+    // Only ignore node_modules if the caller is not looking for package.json
+    if (!pattern.includes("package.json")) {
+      ignoreList.push("**/node_modules/**");
+    }
     return glob.sync(pattern, {
       cwd: dirPath,
       silent: true,
@@ -45,15 +57,7 @@ const getAllFiles = function (dirPath, pattern) {
       strict: true,
       dot: pattern.startsWith(".") ? true : false,
       follow: false,
-      ignore: [
-        "node_modules",
-        ".hg",
-        ".git",
-        "venv",
-        "docs",
-        "examples",
-        "site-packages"
-      ]
+      ignore: ignoreList
     });
   } catch (err) {
     if (DEBUG_MODE) {
@@ -327,10 +331,10 @@ const parsePkgJson = async (pkgJsonFile) => {
       // continue regardless of error
     }
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parsePkgJson`
       );
     }
     return await getNpmMetadata(pkgList);
@@ -432,10 +436,10 @@ const parsePkgLock = async (pkgLockFile) => {
       lockData
     );
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parsePkgLock`
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -481,7 +485,7 @@ const yarnLockToIdentMap = function (lockData) {
             if (group) {
               group = `${group}/`;
             }
-            if (range.startsWith("npm:")) {
+            if (range && range.startsWith("npm:")) {
               range = range.replace("npm:", "");
             }
             currentIdents.push(`${group || ""}${name}@${range}`);
@@ -638,10 +642,10 @@ const parseYarnLock = async function (yarnLockFile) {
       }
     });
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parseYarnLock`
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -705,10 +709,10 @@ const parseNodeShrinkwrap = async function (swFile) {
       }
     }
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`
       );
     }
     return await getNpmMetadata(pkgList);
@@ -827,10 +831,10 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
       }
     }
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -874,10 +878,10 @@ const parseBowerJson = async (bowerJsonFile) => {
       // continue regardless of error
     }
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parseBowerJson`
       );
     }
     return await getNpmMetadata(pkgList);
@@ -948,10 +952,10 @@ const parseMinJs = async (minJsFile) => {
       // continue regardless of error
     }
   }
-  if (process.env.FETCH_LICENSE) {
+  if (process.env.FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages`
+        `About to fetch license information for ${pkgList.length} packages in parseMinJs`
       );
     }
     return await getNpmMetadata(pkgList);