@cyclonedx/cdxgen 8.3.0 → 8.3.2

package/binary.js

@@ -279,8 +279,11 @@ const getOSPackages = (src) => {
     const bomJsonFile = path.join(tempDir, "trivy-bom.json");
     const args = [
       imageType,
-      "--skip-update",
+      "--skip-db-update",
       "--offline-scan",
+      "--no-progress",
+      "--exit-code",
+      "0",
       "--format",
       "cyclonedx",
       "--output",
@@ -302,11 +305,16 @@ const getOSPackages = (src) => {
       }
     }
     if (fs.existsSync(bomJsonFile)) {
-      const tmpBom = JSON.parse(
-        fs.readFileSync(bomJsonFile, {
-          encoding: "utf-8"
-        })
-      );
+      let tmpBom = {};
+      try {
+        tmpBom = JSON.parse(
+          fs.readFileSync(bomJsonFile, {
+            encoding: "utf-8"
+          })
+        );
+      } catch (e) {
+        // ignore errors
+      }
       // Clean up
       if (tempDir && tempDir.startsWith(os.tmpdir())) {
         if (DEBUG_MODE) {

package/docker.js

@@ -159,9 +159,11 @@ const getConnection = async (options) => {
       dockerConn = got.extend(opts);
       if (DEBUG_MODE) {
         if (isDockerRootless) {
-          console.log("Docker service in rootless mode detected!");
+          console.log("Docker service in rootless mode detected.");
         } else {
-          console.log("Docker service in root mode detected!");
+          console.log(
+            "Docker service in root mode detected. Consider switching to rootless mode to improve security. See https://docs.docker.com/engine/security/rootless/"
+          );
         }
       }
     } catch (err) {
@@ -172,7 +174,7 @@ const getConnection = async (options) => {
         dockerConn = got.extend(opts);
         isDockerRootless = true;
         if (DEBUG_MODE) {
-          console.log("Docker service in rootless mode detected!");
+          console.log("Docker service in rootless mode detected.");
         }
         return dockerConn;
       } catch (err) {
@@ -185,7 +187,7 @@ const getConnection = async (options) => {
           dockerConn = got.extend(opts);
           isWinLocalTLS = true;
           if (DEBUG_MODE) {
-            console.log("Docker desktop on Windows detected!");
+            console.log("Docker desktop on Windows detected.");
           }
         } else {
           opts.prefixUrl = opts.podmanRootlessPrefixUrl;
@@ -194,7 +196,9 @@ const getConnection = async (options) => {
           isPodmanRootless = true;
           dockerConn = got.extend(opts);
           if (DEBUG_MODE) {
-            console.log("Podman in rootless mode detected!");
+            console.log(
+              "Podman in rootless mode detected. Thank you for using podman!"
+            );
           }
         }
       } catch (err) {
@@ -205,7 +209,9 @@ const getConnection = async (options) => {
           isPodman = true;
           isPodmanRootless = false;
           dockerConn = got.extend(opts);
-          console.log("Podman in root mode detected!");
+          console.log(
+            "Podman in root mode detected. Consider switching to rootless mode to improve security. See https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md"
+          );
         } catch (err) {
           if (os.platform() === "win32") {
             console.warn(
@@ -416,14 +422,24 @@ const extractTar = async (fullImageName, dir) => {
         strict: true,
         C: dir,
         portable: true,
-        onwarn: () => {}
+        onwarn: () => {},
+        filter: (path) => {
+          // Some files are known to cause issues with extract
+          if (path.includes("cacerts") || path.includes("ssl/certs")) {
+            return false;
+          }
+          return true;
+        }
       })
     );
     return true;
   } catch (err) {
-    if (DEBUG_MODE) {
-      console.log(err);
-    }
+    console.log(
+      "Error during extraction. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues"
+    );
+    console.log("------------");
+    console.log(err);
+    console.log("------------");
     return false;
   }
 };

package/docker.test.js

@@ -1,4 +1,5 @@
 const dockerLib = require("./docker");
+const { jest, expect, test } = require("@jest/globals");
 
 test("docker connection", async () => {
   const dockerConn = await dockerLib.getConnection();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.3.0",
+  "version": "8.3.2",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -33,9 +33,9 @@
     "cdxgen": "./bin/cdxgen"
   },
   "scripts": {
-    "test": "jest",
-    "watch": "jest --watch",
-    "lint": "eslint index.js utils.js binary.js server.js docker.js bin/cdxgen",
+    "test": "jest --inject-globals false",
+    "watch": "jest --watch --inject-globals false",
+    "lint": "eslint index.js utils.js binary.js server.js docker.js *.test.js bin/cdxgen",
     "pretty": "prettier --write *.js bin/cdxgen --trailing-comma=none"
   },
   "engines": {
@@ -49,8 +49,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.20.15",
-    "@babel/traverse": "^7.20.13",
+    "@babel/parser": "^7.21.4",
+    "@babel/traverse": "^7.21.4",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
     "glob": "^8.1.0",
@@ -59,24 +59,24 @@
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
     "node-stream-zip": "^1.15.0",
-    "packageurl-js": "^1.0.0",
+    "packageurl-js": "^1.0.2",
     "parse-packagejson-name": "^1.0.1",
     "prettify-xml": "^1.2.0",
     "properties-reader": "^2.2.0",
-    "semver": "^7.3.8",
+    "semver": "^7.5.0",
     "ssri": "^8.0.1",
     "table": "^6.8.1",
     "tar": "^6.1.13",
     "uuid": "^9.0.0",
     "xml-js": "^1.6.11",
     "xmlbuilder": "^15.1.1",
-    "yargs": "^17.6.2"
+    "yargs": "^17.7.1"
   },
   "optionalDependencies": {
-    "@cyclonedx/cdxgen-plugins-bin": "^1.0.5",
-    "connect": "^3.7.0",
-    "body-parser": "^1.20.1",
-    "compression": "^1.7.4"
+    "@cyclonedx/cdxgen-plugins-bin": "^1.1.0",
+    "body-parser": "^1.20.2",
+    "compression": "^1.7.4",
+    "connect": "^3.7.0"
   },
   "files": [
     "*.js",
@@ -88,7 +88,7 @@
     "queries.json"
   ],
   "devDependencies": {
-    "eslint": "^8.31.0",
+    "eslint": "^8.39.0",
     "jest": "^26.6.3"
   }
 }

package/utils.js

@@ -4207,8 +4207,13 @@ const extractJarArchive = function (jarFile, tempDir) {
   }
   if (pomname && fs.existsSync(pomname)) {
     tempDir = path.dirname(jarFile);
-  } else {
-    fs.copyFileSync(jarFile, path.join(tempDir, fname));
+  } else if (!fs.existsSync(path.join(tempDir, fname))) {
+    // Only copy if the file doesn't exist
+    fs.copyFileSync(
+      jarFile,
+      path.join(tempDir, fname),
+      fs.constants.COPYFILE_FICLONE
+    );
   }
   if (jarFile.endsWith(".war") || jarFile.endsWith(".hpi")) {
     let jarResult = spawnSync("jar", ["-xf", path.join(tempDir, fname)], {
@@ -4405,7 +4410,11 @@ const addPlugin = function (projectPath, plugin) {
   var originalPluginsFile = null;
   if (fs.existsSync(pluginsFile)) {
     originalPluginsFile = pluginsFile + ".cdxgen";
-    fs.copyFileSync(pluginsFile, originalPluginsFile);
+    fs.copyFileSync(
+      pluginsFile,
+      originalPluginsFile,
+      fs.constants.COPYFILE_FICLONE
+    );
   }
 
   fs.writeFileSync(pluginsFile, plugin, { flag: "a" });
@@ -4429,7 +4438,11 @@ const cleanupPlugin = function (projectPath, originalPluginsFile) {
       return !fs.existsSync(pluginsFile);
     } else {
       // Bring back the original file
-      fs.copyFileSync(originalPluginsFile, pluginsFile);
+      fs.copyFileSync(
+        originalPluginsFile,
+        pluginsFile,
+        fs.constants.COPYFILE_FICLONE
+      );
       fs.unlinkSync(originalPluginsFile);
       return true;
     }

package/utils.test.js

@@ -1,10 +1,11 @@
 const utils = require("./utils");
 const fs = require("fs");
 const ssri = require("ssri");
+const { jest, expect, test } = require("@jest/globals");
 
 test("SSRI test", () => {
   // gopkg.lock hash
-  ss = ssri.parse(
+  let ss = ssri.parse(
     "2ca532a6bc655663344004ba102436d29031018eab236247678db1d8978627bf"
   );
   expect(ss).toEqual(null);
@@ -529,7 +530,7 @@ test("parse go version data", async () => {
 
 test("parse cargo lock", async () => {
   expect(await utils.parseCargoData(null)).toEqual([]);
-  dep_list = await utils.parseCargoData(
+  let dep_list = await utils.parseCargoData(
     fs.readFileSync("./test/Cargo.lock", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(224);
@@ -555,7 +556,7 @@ test("parse cargo lock", async () => {
 
 test("parse cargo toml", async () => {
   expect(await utils.parseCargoTomlData(null)).toEqual([]);
-  dep_list = await utils.parseCargoTomlData(
+  let dep_list = await utils.parseCargoTomlData(
     fs.readFileSync("./test/data/Cargo1.toml", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(4);
@@ -581,7 +582,7 @@ test("parse cargo toml", async () => {
 
 test("parse cargo auditable data", async () => {
   expect(await utils.parseCargoAuditableData(null)).toEqual([]);
-  dep_list = await utils.parseCargoAuditableData(
+  let dep_list = await utils.parseCargoAuditableData(
     fs.readFileSync("./test/data/cargo-auditable.txt", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(32);
@@ -621,7 +622,7 @@ test("get crates metadata", async () => {
 
 test("parse pub lock", async () => {
   expect(await utils.parsePubLockData(null)).toEqual([]);
-  dep_list = await utils.parsePubLockData(
+  let dep_list = await utils.parsePubLockData(
     fs.readFileSync("./test/data/pubspec.lock", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(26);
@@ -668,7 +669,7 @@ test("get dart metadata", async () => {
 
 test("parse cabal freeze", async () => {
   expect(await utils.parseCabalData(null)).toEqual([]);
-  dep_list = await utils.parseCabalData(
+  let dep_list = await utils.parseCabalData(
     fs.readFileSync("./test/data/cabal.project.freeze", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(24);
@@ -688,7 +689,7 @@ test("parse cabal freeze", async () => {
 
 test("parse conan data", async () => {
   expect(await utils.parseConanLockData(null)).toEqual([]);
-  dep_list = await utils.parseConanLockData(
+  let dep_list = await utils.parseConanLockData(
     fs.readFileSync("./test/data/conan.lock", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(3);
@@ -786,7 +787,7 @@ test("parse clojure data", () => {
 
 test("parse mix lock data", async () => {
   expect(await utils.parseMixLockData(null)).toEqual([]);
-  dep_list = await utils.parseMixLockData(
+  let dep_list = await utils.parseMixLockData(
     fs.readFileSync("./test/data/mix.lock", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(16);
@@ -806,7 +807,7 @@ test("parse mix lock data", async () => {
 
 test("parse github actions workflow data", async () => {
   expect(await utils.parseGitHubWorkflowData(null)).toEqual([]);
-  dep_list = await utils.parseGitHubWorkflowData(
+  let dep_list = await utils.parseGitHubWorkflowData(
     fs.readFileSync("./.github/workflows/nodejs.yml", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(3);
@@ -1722,7 +1723,7 @@ test("parse container spec like files", async () => {
 
 test("parse cloudbuild data", async () => {
   expect(await utils.parseCloudBuildData(null)).toEqual([]);
-  dep_list = await utils.parseCloudBuildData(
+  let dep_list = await utils.parseCloudBuildData(
     fs.readFileSync("./test/data/cloudbuild.yaml", { encoding: "utf-8" })
   );
   expect(dep_list.length).toEqual(1);