@cyclonedx/cdxgen 8.2.0 → 8.2.2
- package/README.md +1 -1
- package/binary.js +3 -1
- package/docker.js +3 -1
- package/index.js +12 -2
- package/package.json +1 -1
- package/server.js +1 -1
- package/utils.js +25 -9
- package/utils.test.js +24 -1
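--- a/package/README.md
+++ b/package/README.md
@@ -166,7 +166,7 @@ cdxgen --server
 Or use the container image.
 
 ```bash
-docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server
+docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0
 ```
 
 Use curl or your favourite tool to pass arguments to the `/sbom` route.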
package/binary.js
CHANGED
|
@@ -312,7 +312,9 @@ const getOSPackages = (src) => {
|
|
|
312
312
|
if (DEBUG_MODE) {
|
|
313
313
|
console.log(`Cleaning up ${tempDir}`);
|
|
314
314
|
}
|
|
315
|
-
fs.rmSync
|
|
315
|
+
if (fs.rmSync) {
|
|
316
|
+
fs.rmSync(tempDir, { recursive: true, force: true });
|
|
317
|
+
}
|
|
316
318
|
}
|
|
317
319
|
if (tmpBom && tmpBom.components) {
|
|
318
320
|
for (const comp of tmpBom.components) {
|
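Review bot: The new `if (fs.rmSync)` guard around the cleanup at new lines 315-317 turns a missing API into a silent leak: on a runtime without `fs.rmSync` the temporary directory is simply left behind, while the DEBUG_MODE message on line 313 still reports that it is being cleaned up. The same pattern is in docker.js (new lines 622-624) and in server.js (new line 118, where the guard is folded into the cleanup condition). If the point is to keep running on older Node releases, fall back to the older calls instead of skipping: `} else { fs.rmdirSync(tempDir, { recursive: true }); }` for the directories, and `fs.unlinkSync(imageTarFile)` for the image tar in docker.js — otherwise at least log that nothing was removed. getOSPackages starts and ends outside the hunk.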
package/docker.js
CHANGED
|
@@ -619,7 +619,9 @@ const exportImage = async (fullImageName) => {
|
|
|
619
619
|
if (DEBUG_MODE) {
|
|
620
620
|
console.log(`Cleaning up ${imageTarFile}`);
|
|
621
621
|
}
|
|
622
|
-
fs.rmSync
|
|
622
|
+
if (fs.rmSync) {
|
|
623
|
+
fs.rmSync(imageTarFile, { force: true });
|
|
624
|
+
}
|
|
623
625
|
}
|
|
624
626
|
} else {
|
|
625
627
|
let client = await getConnection();
|
package/index.js
CHANGED
|
@@ -519,7 +519,10 @@ function addComponent(
|
|
|
519
519
|
// Skip @types package for npm
|
|
520
520
|
if (
|
|
521
521
|
ptype == "npm" &&
|
|
522
|
-
(group === "types" ||
|
|
522
|
+
(group === "types" ||
|
|
523
|
+
group === "@types" ||
|
|
524
|
+
!name ||
|
|
525
|
+
name.startsWith("@types"))
|
|
523
526
|
) {
|
|
524
527
|
return;
|
|
525
528
|
}
|
|
@@ -531,7 +534,14 @@ function addComponent(
|
|
|
531
534
|
|
|
532
535
|
let purl =
|
|
533
536
|
pkg.purl ||
|
|
534
|
-
new PackageURL(
|
|
537
|
+
new PackageURL(
|
|
538
|
+
ptype,
|
|
539
|
+
encodeURIComponent(group),
|
|
540
|
+
encodeURIComponent(name),
|
|
541
|
+
version,
|
|
542
|
+
pkg.qualifiers,
|
|
543
|
+
pkg.subpath
|
|
544
|
+
);
|
|
535
545
|
let purlString = purl.toString();
|
|
536
546
|
purlString = decodeURIComponent(purlString);
|
|
537
547
|
let description = { "#cdata": pkg.description };
|
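Review bot: `encodeURIComponent(group)` on new line 539 yields the string `"undefined"` when group is undefined, so a package with no group would get the literal namespace `undefined` in its purl; the removed one-line call (truncated in this rendering) appears to have passed group through unchanged, which PackageURL treats as no namespace. The skip condition just above (new lines 520-526) tests `group === "types"` and `group === "@types"` but does not normalize an absent group, so unless group is coerced to a string earlier in addComponent (outside the hunk) this is reachable; `encodeURIComponent(group || "")` would keep the old behaviour. Note also that utils.js now pre-encodes group and name in extractJarArchive (new lines 4293-4294), so a jar component would be percent-encoded twice here before the single `decodeURIComponent` on line 546 — worth confirming which layer owns the encoding. addComponent continues outside the hunk.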
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cyclonedx/cdxgen",
|
|
3
|
-
"version": "8.2.
|
|
3
|
+
"version": "8.2.2",
|
|
4
4
|
"description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
|
|
5
5
|
"homepage": "http://github.com/cyclonedx/cdxgen",
|
|
6
6
|
"author": "Prabhu Subramanian <prabhu@appthreat.com>",
|
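--- a/package/server.js
+++ b/package/server.js
@@ -115,7 +115,7 @@ const start = async (options) => {
 }
 }
 res.end("\n");
-if (cleanup && srcDir && srcDir.startsWith(os.tmpdir())) {
+if (cleanup && srcDir && srcDir.startsWith(os.tmpdir()) && fs.rmSync) {
 console.log(`Cleaning up ${srcDir}`);
 fs.rmSync(srcDir, { recursive: true, force: true });
 }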
package/utils.js
CHANGED
|
@@ -754,11 +754,15 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
754
754
|
const ddeps = yamlObj.dependencies || {};
|
|
755
755
|
const ddeplist = [];
|
|
756
756
|
for (const dk of Object.keys(ddeps)) {
|
|
757
|
+
let version = ddeps[dk];
|
|
758
|
+
if (typeof version === "object" && version.version) {
|
|
759
|
+
version = version.version;
|
|
760
|
+
}
|
|
757
761
|
const dpurl = new PackageURL(
|
|
758
762
|
"npm",
|
|
759
763
|
"",
|
|
760
764
|
dk,
|
|
761
|
-
|
|
765
|
+
version,
|
|
762
766
|
null,
|
|
763
767
|
null
|
|
764
768
|
).toString();
|
|
@@ -769,10 +773,12 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
769
773
|
dependsOn: ddeplist
|
|
770
774
|
});
|
|
771
775
|
}
|
|
776
|
+
const lockfileVersion = yamlObj.lockfileVersion;
|
|
772
777
|
const packages = yamlObj.packages;
|
|
773
778
|
const pkgKeys = Object.keys(packages);
|
|
774
779
|
for (var k in pkgKeys) {
|
|
775
780
|
// Eg: @babel/code-frame/7.10.1
|
|
781
|
+
// In lockfileVersion 6, /@babel/code-frame@7.18.6
|
|
776
782
|
const fullName = pkgKeys[k].replace("/@", "@");
|
|
777
783
|
const parts = fullName.split("/");
|
|
778
784
|
const integrity = packages[pkgKeys[k]].resolution.integrity;
|
|
@@ -782,13 +788,22 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
|
|
|
782
788
|
let name = "";
|
|
783
789
|
let version = "";
|
|
784
790
|
let group = "";
|
|
785
|
-
if (
|
|
786
|
-
|
|
787
|
-
version = parts[1];
|
|
788
|
-
} else if (parts.length === 3) {
|
|
791
|
+
if (lockfileVersion === "6.0" && fullName.includes("@")) {
|
|
792
|
+
const tmpA = parts[parts.length - 1].split("@");
|
|
789
793
|
group = parts[0];
|
|
790
|
-
|
|
791
|
-
|
|
794
|
+
if (parts.length === 2 && tmpA.length > 1) {
|
|
795
|
+
name = tmpA[0];
|
|
796
|
+
version = tmpA[1];
|
|
797
|
+
}
|
|
798
|
+
} else {
|
|
799
|
+
if (parts.length === 2) {
|
|
800
|
+
name = parts[0];
|
|
801
|
+
version = parts[1];
|
|
802
|
+
} else if (parts.length === 3) {
|
|
803
|
+
group = parts[0];
|
|
804
|
+
name = parts[1];
|
|
805
|
+
version = parts[2];
|
|
806
|
+
}
|
|
792
807
|
}
|
|
793
808
|
if (group !== "@types" && name.indexOf("file:") !== 0) {
|
|
794
809
|
const purlString = new PackageURL(
|
|
@@ -4208,6 +4223,7 @@ const extractJarArchive = function (jarFile, tempDir) {
|
|
|
4208
4223
|
jarMetadata["Extension-Name"] ||
|
|
4209
4224
|
jarMetadata["Implementation-Vendor-Id"] ||
|
|
4210
4225
|
jarMetadata["Bundle-SymbolicName"] ||
|
|
4226
|
+
jarMetadata["Bundle-Vendor"] ||
|
|
4211
4227
|
jarMetadata["Automatic-Module-Name"];
|
|
4212
4228
|
let name = "";
|
|
4213
4229
|
if (
|
|
@@ -4274,8 +4290,8 @@ const extractJarArchive = function (jarFile, tempDir) {
|
|
|
4274
4290
|
}
|
|
4275
4291
|
if (name && version) {
|
|
4276
4292
|
pkgList.push({
|
|
4277
|
-
group: group === "." ? "" : group || "",
|
|
4278
|
-
name: name
|
|
4293
|
+
group: group === "." ? "" : encodeURIComponent(group) || "",
|
|
4294
|
+
name: name ? encodeURIComponent(name) : "",
|
|
4279
4295
|
version,
|
|
4280
4296
|
properties: [
|
|
4281
4297
|
{
|
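Review bot: `encodeURIComponent(group) || ""` on new line 4293 never reaches its fallback: when group is undefined (none of the manifest headers in the chain ending on new lines 4223-4227, which appears to be what assigns it, is present) `encodeURIComponent(undefined)` returns the string `"undefined"`, which is truthy, so the component is pushed with the literal group `undefined`, whereas the removed `group || ""` handled that case. `group: group && group !== "." ? encodeURIComponent(group) : ""` restores it, and the `name ? ... : ""` guard on line 4294 is dead because the enclosing `if (name && version)` already requires name. In parsePnpmLock the v6 branch (new lines 791-797) splits the last path segment on `@`, so if a key carries a peer-dependency suffix such as `foo@1.0.0(react@18.2.0)`, which the lockfile 6 format allows, `tmpA[1]` becomes `1.0.0(react` and the component gets a truncated version; stripping a trailing `(...)` from the segment before the split would avoid that. extractJarArchive and parsePnpmLock both continue outside the hunks.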
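--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -1193,6 +1193,28 @@ test("parsePnpmLock", async () => {
 
 parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock4.yaml");
 expect(parsedList.pkgList.length).toEqual(1);
+
+parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock6.yaml");
+expect(parsedList.pkgList.length).toEqual(195);
+expect(parsedList.dependenciesList.length).toEqual(195);
+expect(parsedList.pkgList[0]).toEqual({
+group: "@babel",
+name: "code-frame",
+version: "7.18.6",
+scope: "optional",
+_integrity:
+"sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
+properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+});
+expect(parsedList.pkgList[parsedList.pkgList.length - 1]).toEqual({
+group: "",
+name: "yargs",
+version: "17.7.1",
+scope: "optional",
+_integrity:
+"sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
+properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+});
 });
 
 test("parseYarnLock", async () => {
@@ -1214,7 +1236,7 @@ test("parseYarnLock", async () => {
 }
 ]
 });
-
+expect(parsedList.dependenciesList.length).toEqual(56);
 identMap = utils.yarnLockToIdentMap(
 fs.readFileSync("./test/data/yarn_locks/yarn.lock", "utf8")
 );
@@ -1329,6 +1351,7 @@ test("parseYarnLock", async () => {
 });
 parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn4.lock");
 expect(parsedList.pkgList.length).toEqual(1);
+expect(parsedList.dependenciesList.length).toEqual(1);
 parsedList = await utils.parseYarnLock("./test/data/yarn_locks/yarn-at.lock");
 expect(parsedList.pkgList.length).toEqual(4);
 expect(parsedList.dependenciesList.length).toEqual(4);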
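Review bot: The new pnpm-lock6 assertions (new lines 1197-1217) pin only the first and last of 195 entries, which would not catch the v6 parser leaving name or version empty for a key shape it does not expect, since utils.js still pushes such components (its `name.indexOf("file:") !== 0` check passes for an empty name). One invariant check covers the whole fixture: `expect(parsedList.pkgList.every((p) => p.name && p.version)).toBe(true);`. If the fixture contains a key with a peer-dependency suffix, asserting that entry's version explicitly would also pin the `split("@")` handling. The test body starts outside the hunk.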