@cyclonedx/cdxgen 8.1.3 → 8.1.5

package/docker.js

@@ -381,7 +381,7 @@ const getImage = async (fullImageName) => {
       `Unable to pull ${fullImageName}. Check if the name is valid. Perform any authentication prior to invoking cdxgen.`
     );
     console.log(
-      `Trying manually pulling this image using docker pull ${fullImageName}`
+      `Trying to manually pulling this image using docker pull ${fullImageName}`
     );
   }
   return localData;

package/index.js

@@ -1692,7 +1692,7 @@ const createNodejsBom = async (path, options) => {
       // Parse package-lock.json if available
       const parsedList = await utils.parsePkgLock(f);
       const dlist = parsedList.pkgList;
-      parentComponent = dlist.splice(0, 1)[0];
+      parentComponent = dlist.splice(0, 1)[0] || {};
       parentComponent.type = "application";
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
@@ -1858,7 +1858,7 @@ const createNodejsBom = async (path, options) => {
     });
   }
   // Projects containing just min files or bower
-  if (pkgList.length) {
+  if (pkgList) {
     return buildBomNSData(options, pkgList, "npm", {
       allImports,
       src: path,
@@ -2104,6 +2104,7 @@ const createGoBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "go.mod"
   );
   if (gomodFiles.length) {
+    let shouldManuallyParse = false;
     // Use the go list -deps and go mod why commands to generate a good quality BoM for non-docker invocations
     if (!["docker", "oci", "os"].includes(options.projectType)) {
       for (let f of gomodFiles) {
@@ -2127,6 +2128,7 @@ const createGoBom = async (path, options) => {
           { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
         );
         if (result.status !== 0 || result.error) {
+          shouldManuallyParse = true;
           console.error(result.stdout, result.stderr);
           options.failOnError && process.exit(1);
         }
@@ -2138,6 +2140,7 @@ const createGoBom = async (path, options) => {
             pkgList = pkgList.concat(dlist);
           }
         } else {
+          shouldManuallyParse = true;
           console.error("go unexpectedly didn't return any output");
           options.failOnError && process.exit(1);
         }
@@ -2182,11 +2185,13 @@ const createGoBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Required packages: ${Object.keys(allImports).length}`);
       }
-      return buildBomNSData(options, pkgList, "golang", {
-        allImports,
-        src: path,
-        filename: gomodFiles.join(", ")
-      });
+      if (pkgList.length && !shouldManuallyParse) {
+        return buildBomNSData(options, pkgList, "golang", {
+          allImports,
+          src: path,
+          filename: gomodFiles.join(", ")
+        });
+      }
     }
     // Parse the gomod files manually. The resultant BoM would be incomplete
     if (!["docker", "oci", "os"].includes(options.projectType)) {
@@ -3455,7 +3460,7 @@ const createMultiXBom = async (pathList, options) => {
     if (bomData && bomData.bomJson && bomData.bomJson.components) {
       if (DEBUG_MODE) {
         console.log(
-          `Found ${bomData.bomJson.components.length} node.js packages at ${path}`
+          `Found ${bomData.bomJson.components.length} npm packages at ${path}`
         );
       }
       components = components.concat(bomData.bomJson.components);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.1.3",
+  "version": "8.1.5",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -352,9 +352,10 @@ const parsePkgLock = async (pkgLockFile) => {
   let pkgList = [];
   let dependenciesList = [];
   let depKeys = {};
-  let rootPkg = undefined;
+  let rootPkg = {};
   if (fs.existsSync(pkgLockFile)) {
     const lockData = JSON.parse(fs.readFileSync(pkgLockFile, "utf8"));
+    rootPkg.name = lockData.name || "";
     // lockfile v2 onwards
     if (lockData.name && lockData.packages && lockData.packages[""]) {
       // Build the initial dependency tree for the root package
@@ -390,7 +391,7 @@ const parsePkgLock = async (pkgLockFile) => {
       pkgList.push(rootPkg);
       // npm ls command seems to include both dependencies and devDependencies
       // For tree purposes, including only the dependencies should be enough
-      let rootPkgDeps = undefined;
+      let rootPkgDeps = [];
       if (
         lockData.packages &&
         lockData.packages[""] &&
@@ -2798,10 +2799,11 @@ const recurseImageNameLookup = (keyValueObj, pkgList, imgList) => {
       typeof imageLike === "string" &&
       !imgList.includes(imageLike)
     ) {
-      if (imageLike.includes(":${VERSION:")) {
+      if (imageLike.includes("VERSION")) {
         imageLike = imageLike
           .replace(":${VERSION:-", ":")
           .replace(":${VERSION:", ":")
+          .replace(":%VERSION%", ":latest")
           .replace("}", "");
       }
       pkgList.push({ image: imageLike });

package/utils.test.js

@@ -978,6 +978,13 @@ test("parsePkgLock", async () => {
     "sha512-/r5HiDwOXTjucbBYkrTMpzWQAwil9MH7zSEfKH+RWWZv27r4vDiUd2FiBJItyQoPThLPxaf82IO6gCXyJR0ZnQ=="
   );
   expect(parsedList.dependenciesList.length).toEqual(572);
+  parsedList = await utils.parsePkgLock("./test/data/package-lock2.json");
+  deps = parsedList.pkgList;
+  expect(deps.length).toEqual(1);
+  expect(deps[0]).toEqual({
+    "bom-ref": "pkg:application/MyProject",
+    name: "MyProject"
+  });
 });
 
 test("parseBowerJson", async () => {