@cyclonedx/cdxgen 8.2.1 → 8.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/package.json +1 -1
- package/utils.js +41 -8
- package/utils.test.js +34 -0
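--- a/package/README.md
+++ b/package/README.md
@@ -166,7 +166,7 @@ cdxgen --server
 Or use the container image.
 
 ```bash
-docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server
+docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0
 ```
 
 Use curl or your favourite tool to pass arguments to the `/sbom` route.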
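--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "8.2.
+"version": "8.2.3",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",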
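--- a/package/utils.js
+++ b/package/utils.js
@@ -754,11 +754,15 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
 const ddeps = yamlObj.dependencies || {};
 const ddeplist = [];
 for (const dk of Object.keys(ddeps)) {
+let version = ddeps[dk];
+if (typeof version === "object" && version.version) {
+version = version.version;
+}
 const dpurl = new PackageURL(
 "npm",
 "",
 dk,
-
+version,
 null,
 null
 ).toString();
@@ -769,11 +773,22 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
 dependsOn: ddeplist
 });
 }
+let lockfileVersion = yamlObj.lockfileVersion;
+try {
+lockfileVersion = parseInt(lockfileVersion, 10);
+} catch (e) {
+// ignore parse errors
+}
 const packages = yamlObj.packages;
 const pkgKeys = Object.keys(packages);
 for (var k in pkgKeys) {
 // Eg: @babel/code-frame/7.10.1
-
+// In lockfileVersion 6, /@babel/code-frame@7.18.6
+let fullName = pkgKeys[k].replace("/@", "@");
+// Handle /vite@4.2.1(@types/node@18.15.11) in lockfileVersion 6
+if (lockfileVersion >= 6 && fullName.includes("(")) {
+fullName = fullName.split("(")[0];
+}
 const parts = fullName.split("/");
 const integrity = packages[pkgKeys[k]].resolution.integrity;
 const deps = packages[pkgKeys[k]].dependencies || [];
@@ -782,13 +797,31 @@ const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
 let name = "";
 let version = "";
 let group = "";
-if (
-
-version = parts[1];
-} else if (parts.length === 3) {
+if (lockfileVersion >= 6 && fullName.includes("@")) {
+const tmpA = parts[parts.length - 1].split("@");
 group = parts[0];
-
-
+if (parts.length === 2 && tmpA.length > 1) {
+name = tmpA[0];
+version = tmpA[1];
+} else {
+console.log(parts, fullName);
+}
+} else {
+if (parts.length === 2) {
+name = parts[0];
+version = parts[1];
+} else if (parts.length === 3) {
+group = parts[0];
+name = parts[1];
+version = parts[2];
+}
+}
+// Let's have some warnings till we fully support pnpm 8
+if (!name) {
+console.warn(
+`Unable to extract name and version for string ${pkgKeys[k]}`
+);
+continue;
 }
 if (group !== "@types" && name.indexOf("file:") !== 0) {
 const purlString = new PackageURL(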
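--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -1193,6 +1193,40 @@ test("parsePnpmLock", async () => {
 
 parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock4.yaml");
 expect(parsedList.pkgList.length).toEqual(1);
+
+parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock6.yaml");
+expect(parsedList.pkgList.length).toEqual(195);
+expect(parsedList.dependenciesList.length).toEqual(195);
+expect(parsedList.pkgList[0]).toEqual({
+group: "@babel",
+name: "code-frame",
+version: "7.18.6",
+scope: "optional",
+_integrity:
+"sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
+properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+});
+expect(parsedList.pkgList[parsedList.pkgList.length - 1]).toEqual({
+group: "",
+name: "yargs",
+version: "17.7.1",
+scope: "optional",
+_integrity:
+"sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
+properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }]
+});
+parsedList = await utils.parsePnpmLock("./test/data/pnpm-lock6a.yaml");
+expect(parsedList.pkgList.length).toEqual(229);
+expect(parsedList.dependenciesList.length).toEqual(229);
+expect(parsedList.pkgList[0]).toEqual({
+group: "@babel",
+name: "code-frame",
+version: "7.18.6",
+scope: "optional",
+_integrity:
+"sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
+properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" }]
+});
 });
 
 test("parseYarnLock", async () => {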