npm - @cyclonedx/cdxgen - Versions diffs - 8.0.6 → 8.1.1 - Mend

@cyclonedx/cdxgen 8.0.6 → 8.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -257,7 +257,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | GRADLE_CMD                | Set to override gradle command                                                                                     |
 | GRADLE_DEPENDENCY_TASK    | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name.                  |
 | SBT_CACHE_DIR             | Specify sbt cache directory. Useful for class name resolving                                                       |
-| FETCH_LICENSE             | Set to true to fetch license information from the registry. npm and golang only                                    |
+| FETCH_LICENSE             | Set this variable to fetch license information from the registry. npm and golang only                              |
 | USE_GOSUM                 | Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
 | CDXGEN_TIMEOUT_MS         | Default timeout for known execution involving maven, gradle or sbt                                                 |
 | BAZEL_TARGET              | Bazel target to build. Default :all (Eg: //java-maven)                                                             |

package/index.js CHANGED Viewed

@@ -1106,8 +1106,9 @@ const createJavaBom = async (path, options) => {
     );
     if (gradleFiles && gradleFiles.length && options.installDeps) {
       let gradleCmd = utils.getGradleCommand(path, null);
+      const multiProjectMode = process.env.GRADLE_MULTI_PROJECT_MODE || "";
       // Support for multi-project applications
-      if (process.env.GRADLE_MULTI_PROJECT_MODE) {
+      if (["true", "1"].includes(multiProjectMode)) {
         console.log("Executing", gradleCmd, "projects in", path);
         const result = spawnSync(
           gradleCmd,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.0.6",
+  "version": "8.1.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js CHANGED Viewed

@@ -477,7 +477,7 @@ const yarnLockToIdentMap = function (lockData) {
               s = s.substring(0, s.length - 1);
             }
             // Non-strict mode parsing
-            const match = s.match(/^(?:@([^/]+?)\/)?([^/]+?)(?:@(.+))?$/);
+            const match = s.match(/^(?:(@[^/]+?)\/)?([^/]+?)(?:@(.+))?$/);
             if (!match) {
               continue;
             }
@@ -488,7 +488,7 @@ const yarnLockToIdentMap = function (lockData) {
             if (range && range.startsWith("npm:")) {
               range = range.replace("npm:", "");
             }
-            currentIdents.push(`${group || ""}${name}@${range}`);
+            currentIdents.push(`${group || ""}${name}|${range}`);
           }
         }
       }
@@ -525,6 +525,7 @@ const parseYarnLock = async function (yarnLockFile) {
     let deplist = [];
     // This would have the keys and the resolved version required to solve the dependency tree
     const identMap = yarnLockToIdentMap(lockData);
+    let prefixAtSymbol = false;
     lockData.split("\n").forEach((l) => {
       if (l === "\n" || l.startsWith("#")) {
         return;
@@ -575,7 +576,9 @@ const parseYarnLock = async function (yarnLockFile) {
           depsMode = false;
         }
         // Collect the group and the name
-        const tmpA = l.replace(/["']/g, "").split("@");
+        l = l.replace(/["']/g, "");
+        prefixAtSymbol = l.startsWith("@");
+        const tmpA = l.split("@");
         // ignore possible leading empty strings
         if (tmpA[0] === "") {
           tmpA.shift();
@@ -584,7 +587,7 @@ const parseYarnLock = async function (yarnLockFile) {
           const fullName = tmpA[0];
           if (fullName.indexOf("/") > -1) {
             const parts = fullName.split("/");
-            group = parts[0];
+            group = (prefixAtSymbol ? "@" : "") + parts[0];
             name = parts[1];
           } else {
             name = fullName;
@@ -598,13 +601,10 @@ const parseYarnLock = async function (yarnLockFile) {
         const tmpA = l.trim().replace(/["']/g, "").split(" ");
         if (tmpA && tmpA.length === 2) {
           let dgroupname = tmpA[0];
-          if (dgroupname.startsWith("@")) {
-            dgroupname = dgroupname.substring(1);
-          }
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
-          const resolvedVersion = identMap[`${dgroupname}@${tmpA[1]}`];
+          const resolvedVersion = identMap[`${dgroupname}|${tmpA[1]}`];
           const depPurlString = new PackageURL(
             "npm",
             null,

package/utils.test.js CHANGED Viewed

@@ -1133,7 +1133,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList.length).toEqual(2029);
   expect(parsedList.dependenciesList.length).toEqual(2029);
   expect(parsedList.pkgList[0]).toEqual({
-    group: "babel",
+    group: "@babel",
     name: "cli",
     version: "7.10.1",
     _integrity:
@@ -1158,7 +1158,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-zpruxnFMz6K94gs2pqc3sidzFDbQpKT5D6P/J/I9s8ekHZ5eczgnRp6pqXC86Bh7+44j/btpmOT0kwiboyqTnA==",
-    group: "apollo",
+    group: "@apollo",
     name: "client",
     version: "3.2.5",
     properties: [
@@ -1177,7 +1177,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-rZ1k9kQvJX21Vwgx1L6kSQ6yeXo9cCMyqURSnjG+MRoJn+Mr3LblxmVdzScHXRzv0N9yzy49oG7Bqxp9Knyv/g==",
-    group: "actions",
+    group: "@actions",
     name: "artifact",
     version: "0.6.1",
     properties: [
@@ -1211,7 +1211,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-G0U5NjBUYIs39l1J1ckgpVfVX2IxpzRAIT4/2An86O2Mcri3k5xNu7/RRkfObo12wN9s7BmnREAMhH7252oZiA==",
-    group: "arcanis",
+    group: "@arcanis",
     name: "slice-ansi",
     version: "1.0.2",
     properties: [
@@ -1227,7 +1227,7 @@ test("parseYarnLock", async () => {
   expect(parsedList.pkgList[0]).toEqual({
     _integrity:
       "sha512-vtU+q0TmdIDmezU7lKub73vObN6nmd3lkcKWz7R9hyNI8gz5o7grDb+FML9nykOLW+09gGIup2xyJ86j5vBKpg==",
-    group: "babel",
+    group: "@babel",
     name: "code-frame",
     version: "7.16.7",
     properties: [
@@ -1239,6 +1239,19 @@ test("parseYarnLock", async () => {
   });
   parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn4.lock");
   expect(parsedList.pkgList.length).toEqual(1);
+  parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn-at.lock");
+  expect(parsedList.pkgList.length).toEqual(4);
+  expect(parsedList.dependenciesList.length).toEqual(4);
+  expect(parsedList.pkgList[0]).toEqual({
+    group: "@ac-synth",
+    name: "yjs",
+    version: "13.5.39-alpha1",
+    _integrity:
+      "sha512-JE93VWVyVa07xkK1wJ5ogjSZ30Nn4ptUuUXdPnu8MsKme1xFHLFFD3UtnHxnxnNDSnGx+WLlhuyHdIFfSCYqYg==",
+    properties: [
+      { name: "SrcFile", value: "./test/data/yarn_locks/yarn-at.lock" }
+    ]
+  });
 });
 test("parseComposerLock", () => {