@cyclonedx/cdxgen 8.0.5 → 8.1.0

package/index.js

@@ -2108,7 +2108,7 @@ const createGoBom = async (path, options) => {
       for (let f of gomodFiles) {
         const basePath = pathLib.dirname(f);
         // Ignore vendor packages
-        if (basePath.includes("vendor") || basePath.includes("build")) {
+        if (basePath.includes("/vendor/") || basePath.includes("/build/")) {
           continue;
         }
         if (DEBUG_MODE) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.0.5",
+  "version": "8.1.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -477,7 +477,7 @@ const yarnLockToIdentMap = function (lockData) {
               s = s.substring(0, s.length - 1);
             }
             // Non-strict mode parsing
-            const match = s.match(/^(?:@([^/]+?)\/)?([^/]+?)(?:@(.+))?$/);
+            const match = s.match(/^(?:(@[^/]+?)\/)?([^/]+?)(?:@(.+))?$/);
             if (!match) {
               continue;
             }
@@ -488,7 +488,7 @@ const yarnLockToIdentMap = function (lockData) {
             if (range && range.startsWith("npm:")) {
               range = range.replace("npm:", "");
             }
-            currentIdents.push(`${group || ""}${name}@${range}`);
+            currentIdents.push(`${group || ""}${name}|${range}`);
           }
         }
       }
@@ -525,6 +525,7 @@ const parseYarnLock = async function (yarnLockFile) {
     let deplist = [];
     // This would have the keys and the resolved version required to solve the dependency tree
     const identMap = yarnLockToIdentMap(lockData);
+    let prefixAtSymbol = false;
     lockData.split("\n").forEach((l) => {
       if (l === "\n" || l.startsWith("#")) {
         return;
@@ -575,7 +576,9 @@ const parseYarnLock = async function (yarnLockFile) {
           depsMode = false;
         }
         // Collect the group and the name
-        const tmpA = l.replace(/["']/g, "").split("@");
+        l = l.replace(/["']/g, "");
+        prefixAtSymbol = l.startsWith("@");
+        const tmpA = l.split("@");
         // ignore possible leading empty strings
         if (tmpA[0] === "") {
           tmpA.shift();
@@ -584,7 +587,7 @@ const parseYarnLock = async function (yarnLockFile) {
           const fullName = tmpA[0];
           if (fullName.indexOf("/") > -1) {
             const parts = fullName.split("/");
-            group = parts[0];
+            group = (prefixAtSymbol ? "@" : "") + parts[0];
             name = parts[1];
           } else {
             name = fullName;
@@ -598,13 +601,10 @@ const parseYarnLock = async function (yarnLockFile) {
         const tmpA = l.trim().replace(/["']/g, "").split(" ");
         if (tmpA && tmpA.length === 2) {
           let dgroupname = tmpA[0];
-          if (dgroupname.startsWith("@")) {
-            dgroupname = dgroupname.substring(1);
-          }
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
-          const resolvedVersion = identMap[`${dgroupname}@${tmpA[1]}`];
+          const resolvedVersion = identMap[`${dgroupname}|${tmpA[1]}`];
           const depPurlString = new PackageURL(
             "npm",
             null,

package/utils.test.js

@@ -1133,7 +1133,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList.length).toEqual(2029);
   expect(parsedList.dependenciesList.length).toEqual(2029);
   expect(parsedList.pkgList[0]).toEqual({
-    group: "babel",
+    group: "@babel",
     name: "cli",
     version: "7.10.1",
     _integrity:
@@ -1158,7 +1158,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-zpruxnFMz6K94gs2pqc3sidzFDbQpKT5D6P/J/I9s8ekHZ5eczgnRp6pqXC86Bh7+44j/btpmOT0kwiboyqTnA==",
-    group: "apollo",
+    group: "@apollo",
     name: "client",
     version: "3.2.5",
     properties: [
@@ -1177,7 +1177,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-rZ1k9kQvJX21Vwgx1L6kSQ6yeXo9cCMyqURSnjG+MRoJn+Mr3LblxmVdzScHXRzv0N9yzy49oG7Bqxp9Knyv/g==",
-    group: "actions",
+    group: "@actions",
     name: "artifact",
     version: "0.6.1",
     properties: [
@@ -1211,7 +1211,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-G0U5NjBUYIs39l1J1ckgpVfVX2IxpzRAIT4/2An86O2Mcri3k5xNu7/RRkfObo12wN9s7BmnREAMhH7252oZiA==",
-    group: "arcanis",
+    group: "@arcanis",
     name: "slice-ansi",
     version: "1.0.2",
     properties: [
@@ -1227,7 +1227,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-vtU+q0TmdIDmezU7lKub73vObN6nmd3lkcKWz7R9hyNI8gz5o7grDb+FML9nykOLW+09gGIup2xyJ86j5vBKpg==",
-    group: "babel",
+    group: "@babel",
     name: "code-frame",
     version: "7.16.7",
     properties: [
@@ -1239,6 +1239,19 @@ test("parseYarnLock", async () => {
   });
   parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn4.lock");
   expect(parsedList.pkgList.length).toEqual(1);
+  parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn-at.lock");
+  expect(parsedList.pkgList.length).toEqual(4);
+  expect(parsedList.dependenciesList.length).toEqual(4);
+  expect(parsedList.pkgList[0]).toEqual({
+    group: "@ac-synth",
+    name: "yjs",
+    version: "13.5.39-alpha1",
+    _integrity:
+      "sha512-JE93VWVyVa07xkK1wJ5ogjSZ30Nn4ptUuUXdPnu8MsKme1xFHLFFD3UtnHxnxnNDSnGx+WLlhuyHdIFfSCYqYg==",
+    properties: [
+      { name: "SrcFile", value: "./test/data/yarn_locks/yarn-at.lock" }
+    ]
+  });
 });
 
 test("parseComposerLock", () => {