@cyclonedx/cdxgen 8.1.9 → 8.2.1

package/README.md

@@ -23,6 +23,7 @@ When used with plugins, cdxgen could generate an SBoM for Linux docker images an
 | elixir                                                 | mix.lock                                                                                        | Yes                                                                                      |
 | c/c++                                                  | conan.lock, conanfile.txt                                                                       | Yes only for conan.lock                                                                  |
 | clojure                                                | Clojure CLI (deps.edn), Leiningen (project.clj)                                                 | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command |
+| swift                                                  | Package.resolved, Package.swift (swiftpm)                                                       | Yes                                                                                      |
 | docker / oci image                                     | All supported languages. Linux OS packages with plugins [4]                                     | Best effort based on lock files                                                          |
 | GitHub Actions                                         | .github/workflows/\*.yml                                                                        | N/A                                                                                      |
 | Linux                                                  | All supported languages. Linux OS packages with plugins [5]                                     | Best effort based on lock files                                                          |

package/binary.js

@@ -312,7 +312,9 @@ const getOSPackages = (src) => {
         if (DEBUG_MODE) {
           console.log(`Cleaning up ${tempDir}`);
         }
-        fs.rmSync(tempDir, { recursive: true, force: true });
+        if (fs.rmSync) {
+          fs.rmSync(tempDir, { recursive: true, force: true });
+        }
       }
       if (tmpBom && tmpBom.components) {
         for (const comp of tmpBom.components) {

package/docker.js

@@ -117,7 +117,11 @@ const getDefaultOptions = () => {
           ? "npipe//./pipe/docker_engine:"
           : "unix:/var/run/docker.sock:";
         */
-        opts.prefixUrl = isWin ? WIN_LOCAL_TLS : "unix:/var/run/docker.sock:";
+        opts.prefixUrl = isWin
+          ? WIN_LOCAL_TLS
+          : isDockerRootless
+          ? `unix:${os.homedir()}/.docker/run/docker.sock:`
+          : "unix:/var/run/docker.sock:";
       }
     }
   } else {
@@ -162,6 +166,18 @@ const getConnection = async (options) => {
       }
     } catch (err) {
       // console.log(err, opts);
+      opts.prefixUrl = `unix:${os.homedir()}/.docker/run/docker.sock:`;
+      try {
+        await got.get("_ping", opts);
+        dockerConn = got.extend(opts);
+        isDockerRootless = true;
+        if (DEBUG_MODE) {
+          console.log("Docker service in rootless mode detected!");
+        }
+        return dockerConn;
+      } catch (err) {
+        // console.log(err, opts);
+      }
       try {
         if (isWin) {
           opts.prefixUrl = WIN_LOCAL_TLS;
@@ -323,7 +339,7 @@ const getImage = async (fullImageName) => {
   }
   try {
     localData = await makeRequest(`images/${repo}/json`);
-    if (DEBUG_MODE) {
+    if (DEBUG_MODE && localData) {
       console.log(localData);
     }
   } catch (err) {
@@ -603,7 +619,9 @@ const exportImage = async (fullImageName) => {
       if (DEBUG_MODE) {
         console.log(`Cleaning up ${imageTarFile}`);
       }
-      fs.rmSync(imageTarFile, { force: true });
+      if (fs.rmSync) {
+        fs.rmSync(imageTarFile, { force: true });
+      }
     }
   } else {
     let client = await getConnection();

package/index.js

@@ -44,6 +44,11 @@ if (process.env.PIP_CMD) {
   PIP_CMD = process.env.PIP_CMD;
 }
 
+let SWIFT_CMD = "swift";
+if (process.env.SWIFT_CMD) {
+  SWIFT_CMD = process.env.SWIFT_CMD;
+}
+
 // Construct sbt cache directory
 let SBT_CACHE_DIR =
   process.env.SBT_CACHE_DIR || pathLib.join(os.homedir(), ".ivy2", "cache");
@@ -61,6 +66,29 @@ const HASH_PATTERN =
 // Timeout milliseconds. Default 10 mins
 const TIMEOUT_MS = parseInt(process.env.CDXGEN_TIMEOUT_MS) || 10 * 60 * 1000;
 
+const createDefaultParentComponent = (path) => {
+  // Create a parent component based on the directory name
+  let dirName = pathLib.dirname(path);
+  const tmpA = dirName.split(pathLib.sep);
+  dirName = tmpA[tmpA.length - 1];
+  const parentComponent = {
+    group: "",
+    name: dirName,
+    type: "application"
+  };
+  const ppurl = new PackageURL(
+    "application",
+    parentComponent.group,
+    parentComponent.name,
+    parentComponent.version,
+    null,
+    null
+  ).toString();
+  parentComponent["bom-ref"] = ppurl;
+  parentComponent["purl"] = ppurl;
+  return parentComponent;
+};
+
 const determineParentComponent = (options) => {
   let parentComponent = undefined;
   if (options.projectName && options.projectVersion) {
@@ -491,7 +519,10 @@ function addComponent(
     // Skip @types package for npm
     if (
       ptype == "npm" &&
-      (group === "types" || !name || name.startsWith("@types"))
+      (group === "types" ||
+        group === "@types" ||
+        !name ||
+        name.startsWith("@types"))
     ) {
       return;
     }
@@ -503,7 +534,14 @@ function addComponent(
 
     let purl =
       pkg.purl ||
-      new PackageURL(ptype, group, name, version, pkg.qualifiers, pkg.subpath);
+      new PackageURL(
+        ptype,
+        encodeURIComponent(group),
+        encodeURIComponent(name),
+        version,
+        pkg.qualifiers,
+        pkg.subpath
+      );
     let purlString = purl.toString();
     purlString = decodeURIComponent(purlString);
     let description = { "#cdata": pkg.description };
@@ -1008,13 +1046,13 @@ const createJavaBom = async (path, options) => {
               "Resolve the above maven error. This could be due to the following:\n"
             );
             console.log(
-              "1. Java version requirement - Scan or the CI build agent could be using an incompatible version"
+              "1. Java version requirement: cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
             );
             console.log(
-              "2. Private maven repository is not serving all the required maven plugins correctly. Refer to your registry documentation to add support for jitpack.io"
+              "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
             );
             console.log(
-              "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool"
+              "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool."
             );
             // Do not fall back to methods that can produce incomplete results when failOnError is set
             options.failOnError && process.exit(1);
@@ -1125,7 +1163,7 @@ const createJavaBom = async (path, options) => {
             console.error(result.stdout, result.stderr);
           }
           console.log(
-            "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7."
+            "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
           );
           options.failOnError && process.exit(1);
         }
@@ -1251,7 +1289,7 @@ const createJavaBom = async (path, options) => {
             }
             if (DEBUG_MODE || !result.stderr || options.failOnError) {
               console.log(
-                "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7."
+                "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
               );
               console.log(
                 "2. When using tools such as sdkman, the init script must be invoked to set the PATH variables correctly."
@@ -2805,6 +2843,91 @@ const createHelmBom = async (path, options) => {
   return {};
 };
 
+/**
+ * Function to create bom string for swift projects
+ *
+ * @param path to the project
+ * @param options Parse options from the cli
+ */
+const createSwiftBom = async (path, options) => {
+  const swiftFiles = utils.getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "Package*.swift"
+  );
+  const pkgResolvedFiles = utils.getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "Package.resolved"
+  );
+  let pkgList = [];
+  let dependencies = [];
+  let parentComponent = {};
+  let completedPath = [];
+  if (pkgResolvedFiles.length) {
+    for (let f of pkgResolvedFiles) {
+      if (!parentComponent || !Object.keys(parentComponent).length) {
+        parentComponent = createDefaultParentComponent(f);
+      }
+      if (DEBUG_MODE) {
+        console.log("Parsing", f);
+      }
+      const dlist = utils.parseSwiftResolved(f);
+      if (dlist && dlist.length) {
+        pkgList = pkgList.concat(dlist);
+      }
+    }
+  } else if (swiftFiles.length) {
+    for (let f of swiftFiles) {
+      const basePath = pathLib.dirname(f);
+      if (completedPath.includes(basePath)) {
+        continue;
+      }
+      let treeData = undefined;
+      if (DEBUG_MODE) {
+        console.log("Executing 'swift package show-dependencies' in", basePath);
+      }
+      const result = spawnSync(
+        SWIFT_CMD,
+        ["package", "show-dependencies", "--format", "json"],
+        {
+          cwd: basePath,
+          encoding: "utf-8",
+          timeout: TIMEOUT_MS
+        }
+      );
+      if (result.status === 0 && result.stdout) {
+        completedPath.push(basePath);
+        treeData = Buffer.from(result.stdout).toString();
+        const retData = utils.parseSwiftJsonTree(treeData, f);
+        if (retData.pkgList && retData.pkgList.length) {
+          parentComponent = retData.pkgList.splice(0, 1)[0];
+          parentComponent.type = "application";
+          pkgList = pkgList.concat(retData.pkgList);
+        }
+        if (retData.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            retData.dependenciesList
+          );
+        }
+      } else {
+        if (DEBUG_MODE) {
+          console.log(
+            "Please install swift from https://www.swift.org/download/ or use the cdxgen container image"
+          );
+        }
+        console.error(result.stderr);
+        options.failOnError && process.exit(1);
+      }
+    }
+  }
+  return buildBomNSData(options, pkgList, "swift", {
+    src: path,
+    filename: swiftFiles.join(", "),
+    parentComponent,
+    dependencies
+  });
+};
+
 /**
  * Function to create bom string for docker compose
  *
@@ -4041,6 +4164,19 @@ const createXBom = async (path, options) => {
   if (cbFiles.length) {
     return await createCloudBuildBom(path, options);
   }
+
+  // Swift
+  const swiftFiles = utils.getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "Package*.swift"
+  );
+  const pkgResolvedFiles = utils.getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "Package.resolved"
+  );
+  if (swiftFiles.length || pkgResolvedFiles.length) {
+    return await createSwiftBom(path, options);
+  }
 };
 
 /**
@@ -4287,6 +4423,9 @@ const createBom = async (path, options) => {
     case "cloudbuild":
       options.multiProject = true;
       return await createCloudBuildBom(path, options);
+    case "swift":
+      options.multiProject = true;
+      return await createSwiftBom(path, options);
     default:
       // In recurse mode return multi-language Bom
       // https://github.com/cyclonedx/cdxgen/issues/95

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.1.9",
+  "version": "8.2.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/server.js

@@ -115,7 +115,7 @@ const start = async (options) => {
       }
     }
     res.end("\n");
-    if (cleanup && srcDir && srcDir.startsWith(os.tmpdir())) {
+    if (cleanup && srcDir && srcDir.startsWith(os.tmpdir()) && fs.rmSync) {
       console.log(`Cleaning up ${srcDir}`);
       fs.rmSync(srcDir, { recursive: true, force: true });
     }

package/utils.js

@@ -377,7 +377,7 @@ const parsePkgLock = async (pkgLockFile) => {
         type: "application"
       };
     }
-    if (rootPkg) {
+    if (rootPkg && rootPkg.name) {
       const purl = new PackageURL(
         "application",
         "",
@@ -1018,7 +1018,7 @@ exports.parsePom = parsePom;
  */
 const parseMavenTree = function (rawOutput) {
   if (!rawOutput) {
-    return [];
+    return {};
   }
   const deps = [];
   const dependenciesList = [];
@@ -1128,7 +1128,7 @@ const parseGradleDep = function (rawOutput) {
     level_trees[last_purl] = [];
     let stack = [last_purl];
     const depRegex =
-      /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly )?(?<versionspecified>[^\s:}]+))?(?:})?(?: +-> +(?<versionoverride>[^\s:]+))?/gm;
+      /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly [[]?)?(?<versionspecified>[^,\s:}]+))?(?:})?(?:[^->]* +-> +(?<versionoverride>[^\s:]+))?/gm;
     while ((match = depRegex.exec(rawOutput))) {
       const [line, group, name, versionspecified, versionoverride] = match;
       const version = versionoverride || versionspecified;
@@ -3773,6 +3773,207 @@ const convertOSQueryResults = function (queryCategory, queryObj, results) {
 };
 exports.convertOSQueryResults = convertOSQueryResults;
 
+const _swiftDepPkgList = (pkgList, dependenciesList, depKeys, jsonData) => {
+  if (jsonData && jsonData.dependencies) {
+    for (let adep of jsonData.dependencies) {
+      const urlOrPath = adep.url || adep.path;
+      const apkg = {
+        group: adep.identity || "",
+        name: adep.name,
+        version: adep.version
+      };
+      const purl = new PackageURL(
+        "swift",
+        apkg.group,
+        apkg.name,
+        apkg.version,
+        null,
+        null
+      );
+      const purlString = decodeURIComponent(purl.toString());
+      if (urlOrPath) {
+        if (urlOrPath.startsWith("http")) {
+          apkg.repository = { url: urlOrPath };
+          if (apkg.path) {
+            apkg.properties = [
+              {
+                name: "SrcPath",
+                value: apkg.path
+              }
+            ];
+          }
+        } else {
+          apkg.properties = [
+            {
+              name: "SrcPath",
+              value: urlOrPath
+            }
+          ];
+        }
+      }
+      pkgList.push(apkg);
+      // Handle the immediate dependencies before recursing
+      if (adep.dependencies && adep.dependencies.length) {
+        const deplist = [];
+        for (let cdep of adep.dependencies) {
+          const deppurl = new PackageURL(
+            "swift",
+            cdep.identity || "",
+            cdep.name,
+            cdep.version,
+            null,
+            null
+          );
+          const deppurlString = decodeURIComponent(deppurl.toString());
+          deplist.push(deppurlString);
+        }
+        if (!depKeys[purlString]) {
+          dependenciesList.push({
+            ref: purlString,
+            dependsOn: deplist
+          });
+          depKeys[purlString] = true;
+        }
+        if (adep.dependencies && adep.dependencies.length) {
+          _swiftDepPkgList(pkgList, dependenciesList, depKeys, adep);
+        }
+      } else {
+        if (!depKeys[purlString]) {
+          dependenciesList.push({
+            ref: purlString,
+            dependsOn: []
+          });
+          depKeys[purlString] = true;
+        }
+      }
+    }
+  }
+  return { pkgList, dependenciesList };
+};
+
+/**
+ * Parse swift dependency tree output
+ * @param {string} rawOutput Swift dependencies json output
+ * @param {string} pkgFile Package.swift file
+ */
+const parseSwiftJsonTree = (rawOutput, pkgFile) => {
+  if (!rawOutput) {
+    return {};
+  }
+  const pkgList = [];
+  const dependenciesList = [];
+  let depKeys = {};
+  let rootPkg = {};
+  let jsonData = {};
+  try {
+    jsonData = JSON.parse(rawOutput);
+    if (jsonData && jsonData.name) {
+      rootPkg = {
+        group: jsonData.identity || "",
+        name: jsonData.name,
+        version: jsonData.version
+      };
+      const urlOrPath = jsonData.url || jsonData.path;
+      if (urlOrPath) {
+        if (urlOrPath.startsWith("http")) {
+          rootPkg.repository = { url: urlOrPath };
+        } else {
+          rootPkg.properties = [
+            {
+              name: "SrcPath",
+              value: urlOrPath
+            },
+            {
+              name: "SrcFile",
+              value: pkgFile
+            }
+          ];
+        }
+      }
+      const purl = new PackageURL(
+        "application",
+        rootPkg.group,
+        rootPkg.name,
+        rootPkg.version,
+        null,
+        null
+      );
+      const purlString = decodeURIComponent(purl.toString());
+      rootPkg["bom-ref"] = purlString;
+      pkgList.push(rootPkg);
+      const deplist = [];
+      for (const rd of jsonData.dependencies) {
+        const deppurl = new PackageURL(
+          "swift",
+          rd.identity || "",
+          rd.name,
+          rd.version,
+          null,
+          null
+        );
+        const deppurlString = decodeURIComponent(deppurl.toString());
+        deplist.push(deppurlString);
+      }
+      dependenciesList.push({
+        ref: purlString,
+        dependsOn: deplist
+      });
+      _swiftDepPkgList(pkgList, dependenciesList, depKeys, jsonData);
+    }
+  } catch (e) {
+    if (DEBUG_MODE) {
+      console.log(e);
+    }
+    return {};
+  }
+  return {
+    pkgList,
+    dependenciesList
+  };
+};
+exports.parseSwiftJsonTree = parseSwiftJsonTree;
+
+/**
+ * Parse swift package resolved file
+ * @param {string} resolvedFile Package.resolved file
+ */
+const parseSwiftResolved = (resolvedFile) => {
+  const pkgList = [];
+  if (fs.existsSync(resolvedFile)) {
+    try {
+      const pkgData = JSON.parse(fs.readFileSync(resolvedFile, "utf8"));
+      let resolvedList = [];
+      if (pkgData.pins) {
+        resolvedList = pkgData.pins;
+      } else if (pkgData.object && pkgData.object.pins) {
+        resolvedList = pkgData.object.pins;
+      }
+      for (const adep of resolvedList) {
+        const apkg = {
+          name: adep.package || adep.identity,
+          group: "",
+          version: adep.state.version || adep.state.revision,
+          properties: [
+            {
+              name: "SrcFile",
+              value: resolvedFile
+            }
+          ]
+        };
+        const repLocation = adep.location || adep.repositoryURL;
+        if (repLocation) {
+          apkg.repository = { url: repLocation };
+        }
+        pkgList.push(apkg);
+      }
+    } catch (err) {
+      // continue regardless of error
+    }
+  }
+  return pkgList;
+};
+exports.parseSwiftResolved = parseSwiftResolved;
+
 /**
  * Collect maven dependencies
  *
@@ -4007,6 +4208,7 @@ const extractJarArchive = function (jarFile, tempDir) {
             jarMetadata["Extension-Name"] ||
             jarMetadata["Implementation-Vendor-Id"] ||
             jarMetadata["Bundle-SymbolicName"] ||
+            jarMetadata["Bundle-Vendor"] ||
             jarMetadata["Automatic-Module-Name"];
           let name = "";
           if (
@@ -4073,8 +4275,8 @@ const extractJarArchive = function (jarFile, tempDir) {
           }
           if (name && version) {
             pkgList.push({
-              group: group === "." ? "" : group || "",
-              name: name || "",
+              group: group === "." ? "" : encodeURIComponent(group) || "",
+              name: name ? encodeURIComponent(name) : "",
               version,
               properties: [
                 {