npm - @cyclonedx/cdxgen - Versions diffs - 8.2.4 → 8.3.0 - Mend

@cyclonedx/cdxgen 8.2.4 → 8.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/index.js CHANGED Viewed

@@ -988,9 +988,13 @@ const createJavaBom = async (path, options) => {
     if (pomFiles && pomFiles.length) {
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
-        "org.cyclonedx:cyclonedx-maven-plugin:2.7.6";
+        "org.cyclonedx:cyclonedx-maven-plugin:2.7.7";
       const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
-      let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];
+      let mvnArgs = [
+        `${cdxMavenPlugin}:${cdxMavenGoal}`,
+        "-DoutputName=bom",
+        "-DincludeTestScope=true"
+      ];
       // By using quiet mode we can reduce the maxBuffer used and avoid crashes
       if (!DEBUG_MODE) {
         mvnArgs.push("-q");
@@ -1152,8 +1156,14 @@ const createJavaBom = async (path, options) => {
       let gradleCmd = utils.getGradleCommand(path, null);
       const multiProjectMode = process.env.GRADLE_MULTI_PROJECT_MODE || "";
       // Support for multi-project applications
-      if (["true", "1"].includes(multiProjectMode)) {
-        console.log("Executing", gradleCmd, "projects in", path);
+      // Let's experiment with defaulting to multi-project mode when multiple gradle files gets detected
+      if (
+        ["true", "1"].includes(multiProjectMode) ||
+        (gradleFiles.length > 1 && !["false", "0"].includes(multiProjectMode))
+      ) {
+        if (DEBUG_MODE) {
+          console.log("Executing", gradleCmd, "projects in", path);
+        }
         const result = spawnSync(
           gradleCmd,
           ["projects", "-q", "--console", "plain"],
@@ -1171,14 +1181,20 @@ const createJavaBom = async (path, options) => {
         const stdout = result.stdout;
         if (stdout) {
           const cmdOutput = Buffer.from(stdout).toString();
-          const allProjects = utils.parseGradleProjects(cmdOutput);
+          const retMap = utils.parseGradleProjects(cmdOutput);
+          const allProjects = retMap.projects || [];
+          let rootProject = retMap.rootProject;
           if (!allProjects) {
             console.log(
               "No projects found. Is this a gradle multi-project application?"
             );
             options.failOnError && process.exit(1);
           } else {
-            console.log("Found", allProjects.length, "gradle sub-projects");
+            console.log(
+              "Found",
+              allProjects.length,
+              "gradle sub-projects. This might take a while ..."
+            );
             for (let sp of allProjects) {
               let gradleDepArgs = [
                 sp + ":dependencies",
@@ -1212,7 +1228,7 @@ const createJavaBom = async (path, options) => {
               const sstdout = sresult.stdout;
               if (sstdout) {
                 const cmdOutput = Buffer.from(sstdout).toString();
-                const parsedList = utils.parseGradleDep(cmdOutput);
+                const parsedList = utils.parseGradleDep(cmdOutput, rootProject);
                 const dlist = parsedList.pkgList;
                 parentComponent = dlist.splice(0, 1)[0];
                 if (
@@ -1245,7 +1261,7 @@ const createJavaBom = async (path, options) => {
               console.log(
                 "Obtained",
                 pkgList.length,
-                "from this gradle multi-project"
+                "from this gradle multi-project. De-duping this list ..."
               );
             } else {
               console.log(
@@ -1286,8 +1302,29 @@ const createJavaBom = async (path, options) => {
           });
           if (result.status !== 0 || result.error) {
             if (result.stderr) {
+              const cmdError = Buffer.from(result.stderr).toString();
+              if (
+                cmdError.includes(
+                  "is not part of the build defined by settings file"
+                ) ||
+                cmdError.includes(
+                  "was not found in any of the following sources"
+                )
+              ) {
+                console.log(
+                  "This is a multi-project gradle application. Set the environment variable GRADLE_MULTI_PROJECT_MODE to true to improve SBoM accuracy."
+                );
+              }
+              if (DEBUG_MODE) {
+                console.log("-----------------------");
+              }
               console.error(result.stdout, result.stderr);
+              if (DEBUG_MODE) {
+                console.log("-----------------------");
+              }
+              options.failOnError && process.exit(1);
             }
             if (DEBUG_MODE || !result.stderr || options.failOnError) {
               console.log(
                 "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
@@ -1315,9 +1352,6 @@ const createJavaBom = async (path, options) => {
               );
               options.failOnError && process.exit(1);
             }
-          } else {
-            console.log("Gradle unexpectedly didn't produce any output");
-            options.failOnError && process.exit(1);
           }
         }
       }
@@ -4308,6 +4342,7 @@ const createBom = async (path, options) => {
     case "mvn":
     case "maven":
     case "sbt":
+      options.multiProject = true;
       return await createJavaBom(path, options);
     case "jar":
       options.multiProject = true;
@@ -4334,6 +4369,7 @@ const createBom = async (path, options) => {
     case "typescript":
     case "ts":
     case "tsx":
+      options.multiProject = true;
       return await createNodejsBom(path, options);
     case "python":
     case "py":

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.2.4",
+  "version": "8.3.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js CHANGED Viewed

@@ -239,6 +239,7 @@ const getNpmMetadata = async function (pkgList) {
 exports.getNpmMetadata = getNpmMetadata;
 const _getDepPkgList = async function (
+  pkgLockFile,
   pkgList,
   dependenciesList,
   depKeys,
@@ -256,7 +257,13 @@ const _getDepPkgList = async function (
         name,
         version,
         _integrity: pkg.dependencies[name].integrity,
-        scope
+        scope,
+        properties: [
+          {
+            name: "SrcFile",
+            value: pkgLockFile
+          }
+        ]
       };
       pkgList.push(apkg);
       if (pkg.dependencies[name].dependencies) {
@@ -286,6 +293,7 @@ const _getDepPkgList = async function (
           depKeys[purlString] = true;
         }
         await _getDepPkgList(
+          pkgLockFile,
           pkgList,
           dependenciesList,
           depKeys,
@@ -431,6 +439,7 @@ const parsePkgLock = async (pkgLockFile) => {
       });
     }
     pkgList = await _getDepPkgList(
+      pkgLockFile,
       pkgList,
       dependenciesList,
       depKeys,
@@ -1140,15 +1149,21 @@ exports.parseMavenTree = parseMavenTree;
 /**
  * Parse gradle dependencies output
  * @param {string} rawOutput Raw string output
+ * @param {string} rootProjectName Root project name
+ * @param {string} rootProjectVersion Root project version
  */
-const parseGradleDep = function (rawOutput) {
+const parseGradleDep = function (
+  rawOutput,
+  rootProjectName = "root",
+  rootProjectVersion = "latest"
+) {
   if (typeof rawOutput === "string") {
     let match = "";
     // To render dependency tree we need a root project
     const rootProject = {
       group: "",
-      name: "root",
-      version: "latest",
+      name: rootProjectName,
+      version: rootProjectVersion,
       type: "maven",
       qualifiers: { type: "jar" }
     };
@@ -1156,7 +1171,7 @@ const parseGradleDep = function (rawOutput) {
     const dependenciesList = [];
     const keys_cache = {};
     let last_level = 0;
-    let last_purl = "pkg:maven/root@latest?type=jar";
+    let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
     const level_trees = {};
     level_trees[last_purl] = [];
     let stack = [last_purl];
@@ -1317,31 +1332,41 @@ exports.parseLeinMap = parseLeinMap;
 /**
  * Parse gradle projects output
+ * FIXME: The method needs to be enhanced to capture project dependency tree. See issue #249
+ *
  * @param {string} rawOutput Raw string output
  */
 const parseGradleProjects = function (rawOutput) {
+  let rootProject = "root";
+  const projects = new Set();
   if (typeof rawOutput === "string") {
-    const projects = [];
     const tmpA = rawOutput.split("\n");
     tmpA.forEach((l) => {
-      if (l.startsWith("+--- Project") || l.startsWith("\\--- Project")) {
-        let projName = l
-          .replace("+--- Project ", "")
-          .replace("\\--- Project ", "")
-          .split(" ")[0];
-        projName = projName.replace(/'/g, "");
-        if (
-          !projName.startsWith(":test") &&
-          !projName.startsWith(":docs") &&
-          !projName.startsWith(":qa")
-        ) {
-          projects.push(projName);
+      if (l.startsWith("Root project ")) {
+        rootProject = l
+          .split("Root project ")[1]
+          .split(" ")[0]
+          .replace(/'/g, "");
+      } else if (l.includes("--- Project")) {
+        const tmpB = l.split("Project ");
+        if (tmpB && tmpB.length > 1) {
+          let projName = tmpB[1].split(" ")[0].replace(/'/g, "");
+          // Include all projects including test projects
+          if (projName.startsWith(":")) {
+            projects.add(projName);
+          }
         }
       }
     });
-    return projects;
+    return {
+      rootProject,
+      projects: Array.from(projects)
+    };
   }
-  return [];
+  return {
+    rootProject,
+    projects: []
+  };
 };
 exports.parseGradleProjects = parseGradleProjects;

package/utils.test.js CHANGED Viewed

@@ -208,11 +208,25 @@ test("parse gradle dependencies", () => {
 });
 test("parse gradle projects", () => {
-  expect(utils.parseGradleProjects(null)).toEqual([]);
-  let proj_list = utils.parseGradleProjects(
+  expect(utils.parseGradleProjects(null)).toEqual({
+    projects: [],
+    rootProject: "root"
+  });
+  let retMap = utils.parseGradleProjects(
     fs.readFileSync("./test/data/gradle-projects.out", { encoding: "utf-8" })
   );
-  expect(proj_list.length).toEqual(9);
+  expect(retMap.rootProject).toEqual("elasticsearch");
+  expect(retMap.projects.length).toEqual(368);
+  retMap = utils.parseGradleProjects(
+    fs.readFileSync("./test/data/gradle-projects1.out", { encoding: "utf-8" })
+  );
+  expect(retMap.rootProject).toEqual("elasticsearch");
+  expect(retMap.projects.length).toEqual(403);
+  retMap = utils.parseGradleProjects(
+    fs.readFileSync("./test/data/gradle-projects2.out", { encoding: "utf-8" })
+  );
+  expect(retMap.rootProject).toEqual("fineract");
+  expect(retMap.projects.length).toEqual(22);
 });
 test("parse maven tree", () => {