@cyclonedx/cdxgen 8.2.1 → 8.2.2

package/README.md

@@ -166,7 +166,7 @@ cdxgen --server
 Or use the container image.
 
 ```bash
-docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server
+docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0
 ```
 
 Use curl or your favourite tool to pass arguments to the `/sbom` route.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.2.1",
+  "version": "8.2.2",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -754,11 +754,15 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
       const ddeps = yamlObj.dependencies || {};
       const ddeplist = [];
       for (const dk of Object.keys(ddeps)) {
+        let version = ddeps[dk];
+        if (typeof version === "object" && version.version) {
+          version = version.version;
+        }
         const dpurl = new PackageURL(
           "npm",
           "",
           dk,
-          ddeps[dk],
+          version,
           null,
           null
         ).toString();
@@ -769,10 +773,12 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
         dependsOn: ddeplist
       });
     }
+    const lockfileVersion = yamlObj.lockfileVersion;
     const packages = yamlObj.packages;
     const pkgKeys = Object.keys(packages);
     for (var k in pkgKeys) {
       // Eg: @babel/code-frame/7.10.1
+      // In lockfileVersion 6, /@babel/code-frame@7.18.6
       const fullName = pkgKeys[k].replace("/@", "@");
       const parts = fullName.split("/");
       const integrity = packages[pkgKeys[k]].resolution.integrity;
@@ -782,13 +788,22 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
         let name = "";
         let version = "";
         let group = "";
-        if (parts.length === 2) {
-          name = parts[0];
-          version = parts[1];
-        } else if (parts.length === 3) {
+        if (lockfileVersion === "6.0" && fullName.includes("@")) {
+          const tmpA = parts[parts.length - 1].split("@");
           group = parts[0];
-          name = parts[1];
-          version = parts[2];
+          if (parts.length === 2 && tmpA.length > 1) {
+            name = tmpA[0];
+            version = tmpA[1];
+          }
+        } else {
+          if (parts.length === 2) {
+            name = parts[0];
+            version = parts[1];
+          } else if (parts.length === 3) {
+            group = parts[0];
+            name = parts[1];
+            version = parts[2];
+          }
         }
         if (group !== "@types" && name.indexOf("file:") !== 0) {
           const purlString = new PackageURL(

package/utils.test.js

@@ -1193,6 +1193,28 @@ test("parsePnpmLock", async () => {
 
   parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock4.yaml");
   expect(parsedList.pkgList.length).toEqual(1);
+
+  parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock6.yaml");
+  expect(parsedList.pkgList.length).toEqual(195);
+  expect(parsedList.dependenciesList.length).toEqual(195);
+  expect(parsedList.pkgList[0]).toEqual({
+    group: "@babel",
+    name: "code-frame",
+    version: "7.18.6",
+    scope: "optional",
+    _integrity:
+      "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
+    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+  });
+  expect(parsedList.pkgList[parsedList.pkgList.length - 1]).toEqual({
+    group: "",
+    name: "yargs",
+    version: "17.7.1",
+    scope: "optional",
+    _integrity:
+      "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
+    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+  });
 });
 
 test("parseYarnLock", async () => {