@cyclonedx/cdxgen 8.3.1 → 8.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/binary.js +0 -1
- package/docker.js +8 -4
- package/docker.test.js +1 -0
- package/index.js +3 -3
- package/package.json +4 -4
- package/utils.js +11 -3
- package/utils.test.js +11 -10
package/README.md
CHANGED
|
@@ -298,6 +298,7 @@ cdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker
|
|
|
298
298
|
You can also pass the .tar file of a container image.
|
|
299
299
|
|
|
300
300
|
```shell
|
|
301
|
+
docker pull shiftleft/scan-slim
|
|
301
302
|
docker save -o /tmp/slim.tar shiftleft/scan-slim
|
|
302
303
|
podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
|
|
303
304
|
cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker
|
package/binary.js
CHANGED
package/docker.js
CHANGED
|
@@ -424,7 +424,8 @@ const extractTar = async (fullImageName, dir) => {
|
|
|
424
424
|
portable: true,
|
|
425
425
|
onwarn: () => {},
|
|
426
426
|
filter: (path) => {
|
|
427
|
-
|
|
427
|
+
// Some files are known to cause issues with extract
|
|
428
|
+
if (path.includes("cacerts") || path.includes("ssl/certs")) {
|
|
428
429
|
return false;
|
|
429
430
|
}
|
|
430
431
|
return true;
|
|
@@ -433,9 +434,12 @@ const extractTar = async (fullImageName, dir) => {
|
|
|
433
434
|
);
|
|
434
435
|
return true;
|
|
435
436
|
} catch (err) {
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
437
|
+
console.log(
|
|
438
|
+
"Error during extraction. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues"
|
|
439
|
+
);
|
|
440
|
+
console.log("------------");
|
|
441
|
+
console.log(err);
|
|
442
|
+
console.log("------------");
|
|
439
443
|
return false;
|
|
440
444
|
}
|
|
441
445
|
};
|
package/docker.test.js
CHANGED
package/index.js
CHANGED
|
@@ -536,11 +536,11 @@ function addComponent(
|
|
|
536
536
|
pkg.purl ||
|
|
537
537
|
new PackageURL(
|
|
538
538
|
ptype,
|
|
539
|
-
|
|
540
|
-
|
|
539
|
+
utils.encodeForPurl(group),
|
|
540
|
+
utils.encodeForPurl(name),
|
|
541
541
|
version,
|
|
542
542
|
pkg.qualifiers,
|
|
543
|
-
pkg.subpath
|
|
543
|
+
utils.encodeForPurl(pkg.subpath)
|
|
544
544
|
);
|
|
545
545
|
let purlString = purl.toString();
|
|
546
546
|
purlString = decodeURIComponent(purlString);
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cyclonedx/cdxgen",
|
|
3
|
-
"version": "8.3.
|
|
3
|
+
"version": "8.3.3",
|
|
4
4
|
"description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
|
|
5
5
|
"homepage": "http://github.com/cyclonedx/cdxgen",
|
|
6
6
|
"author": "Prabhu Subramanian <prabhu@appthreat.com>",
|
|
@@ -33,9 +33,9 @@
|
|
|
33
33
|
"cdxgen": "./bin/cdxgen"
|
|
34
34
|
},
|
|
35
35
|
"scripts": {
|
|
36
|
-
"test": "jest",
|
|
37
|
-
"watch": "jest --watch",
|
|
38
|
-
"lint": "eslint index.js utils.js binary.js server.js docker.js bin/cdxgen",
|
|
36
|
+
"test": "jest --inject-globals false",
|
|
37
|
+
"watch": "jest --watch --inject-globals false",
|
|
38
|
+
"lint": "eslint index.js utils.js binary.js server.js docker.js *.test.js bin/cdxgen",
|
|
39
39
|
"pretty": "prettier --write *.js bin/cdxgen --trailing-comma=none"
|
|
40
40
|
},
|
|
41
41
|
"engines": {
|
package/utils.js
CHANGED
|
@@ -4188,6 +4188,13 @@ const parseJarManifest = function (jarMetadata) {
|
|
|
4188
4188
|
};
|
|
4189
4189
|
exports.parseJarManifest = parseJarManifest;
|
|
4190
4190
|
|
|
4191
|
+
const encodeForPurl = (s) => {
|
|
4192
|
+
return s
|
|
4193
|
+
? encodeURIComponent(s).replace(/%3A/g, ":").replace(/%2F/g, "/")
|
|
4194
|
+
: s;
|
|
4195
|
+
};
|
|
4196
|
+
exports.encodeForPurl = encodeForPurl;
|
|
4197
|
+
|
|
4191
4198
|
/**
|
|
4192
4199
|
* Method to extract a war or ear file
|
|
4193
4200
|
*
|
|
@@ -4272,7 +4279,8 @@ const extractJarArchive = function (jarFile, tempDir) {
|
|
|
4272
4279
|
jarMetadata["Implementation-Vendor-Id"] ||
|
|
4273
4280
|
jarMetadata["Bundle-SymbolicName"] ||
|
|
4274
4281
|
jarMetadata["Bundle-Vendor"] ||
|
|
4275
|
-
jarMetadata["Automatic-Module-Name"]
|
|
4282
|
+
jarMetadata["Automatic-Module-Name"] ||
|
|
4283
|
+
"";
|
|
4276
4284
|
let name = "";
|
|
4277
4285
|
if (
|
|
4278
4286
|
jarMetadata["Bundle-Name"] &&
|
|
@@ -4338,8 +4346,8 @@ const extractJarArchive = function (jarFile, tempDir) {
|
|
|
4338
4346
|
}
|
|
4339
4347
|
if (name && version) {
|
|
4340
4348
|
pkgList.push({
|
|
4341
|
-
group: group === "." ? "" :
|
|
4342
|
-
name: name ?
|
|
4349
|
+
group: group === "." ? "" : encodeForPurl(group || "") || "",
|
|
4350
|
+
name: name ? encodeForPurl(name) : "",
|
|
4343
4351
|
version,
|
|
4344
4352
|
properties: [
|
|
4345
4353
|
{
|
package/utils.test.js
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
const utils = require("./utils");
|
|
2
2
|
const fs = require("fs");
|
|
3
3
|
const ssri = require("ssri");
|
|
4
|
+
const { jest, expect, test } = require("@jest/globals");
|
|
4
5
|
|
|
5
6
|
test("SSRI test", () => {
|
|
6
7
|
// gopkg.lock hash
|
|
7
|
-
ss = ssri.parse(
|
|
8
|
+
let ss = ssri.parse(
|
|
8
9
|
"2ca532a6bc655663344004ba102436d29031018eab236247678db1d8978627bf"
|
|
9
10
|
);
|
|
10
11
|
expect(ss).toEqual(null);
|
|
@@ -529,7 +530,7 @@ test("parse go version data", async () => {
|
|
|
529
530
|
|
|
530
531
|
test("parse cargo lock", async () => {
|
|
531
532
|
expect(await utils.parseCargoData(null)).toEqual([]);
|
|
532
|
-
dep_list = await utils.parseCargoData(
|
|
533
|
+
let dep_list = await utils.parseCargoData(
|
|
533
534
|
fs.readFileSync("./test/Cargo.lock", { encoding: "utf-8" })
|
|
534
535
|
);
|
|
535
536
|
expect(dep_list.length).toEqual(224);
|
|
@@ -555,7 +556,7 @@ test("parse cargo lock", async () => {
|
|
|
555
556
|
|
|
556
557
|
test("parse cargo toml", async () => {
|
|
557
558
|
expect(await utils.parseCargoTomlData(null)).toEqual([]);
|
|
558
|
-
dep_list = await utils.parseCargoTomlData(
|
|
559
|
+
let dep_list = await utils.parseCargoTomlData(
|
|
559
560
|
fs.readFileSync("./test/data/Cargo1.toml", { encoding: "utf-8" })
|
|
560
561
|
);
|
|
561
562
|
expect(dep_list.length).toEqual(4);
|
|
@@ -581,7 +582,7 @@ test("parse cargo toml", async () => {
|
|
|
581
582
|
|
|
582
583
|
test("parse cargo auditable data", async () => {
|
|
583
584
|
expect(await utils.parseCargoAuditableData(null)).toEqual([]);
|
|
584
|
-
dep_list = await utils.parseCargoAuditableData(
|
|
585
|
+
let dep_list = await utils.parseCargoAuditableData(
|
|
585
586
|
fs.readFileSync("./test/data/cargo-auditable.txt", { encoding: "utf-8" })
|
|
586
587
|
);
|
|
587
588
|
expect(dep_list.length).toEqual(32);
|
|
@@ -621,7 +622,7 @@ test("get crates metadata", async () => {
|
|
|
621
622
|
|
|
622
623
|
test("parse pub lock", async () => {
|
|
623
624
|
expect(await utils.parsePubLockData(null)).toEqual([]);
|
|
624
|
-
dep_list = await utils.parsePubLockData(
|
|
625
|
+
let dep_list = await utils.parsePubLockData(
|
|
625
626
|
fs.readFileSync("./test/data/pubspec.lock", { encoding: "utf-8" })
|
|
626
627
|
);
|
|
627
628
|
expect(dep_list.length).toEqual(26);
|
|
@@ -668,7 +669,7 @@ test("get dart metadata", async () => {
|
|
|
668
669
|
|
|
669
670
|
test("parse cabal freeze", async () => {
|
|
670
671
|
expect(await utils.parseCabalData(null)).toEqual([]);
|
|
671
|
-
dep_list = await utils.parseCabalData(
|
|
672
|
+
let dep_list = await utils.parseCabalData(
|
|
672
673
|
fs.readFileSync("./test/data/cabal.project.freeze", { encoding: "utf-8" })
|
|
673
674
|
);
|
|
674
675
|
expect(dep_list.length).toEqual(24);
|
|
@@ -688,7 +689,7 @@ test("parse cabal freeze", async () => {
|
|
|
688
689
|
|
|
689
690
|
test("parse conan data", async () => {
|
|
690
691
|
expect(await utils.parseConanLockData(null)).toEqual([]);
|
|
691
|
-
dep_list = await utils.parseConanLockData(
|
|
692
|
+
let dep_list = await utils.parseConanLockData(
|
|
692
693
|
fs.readFileSync("./test/data/conan.lock", { encoding: "utf-8" })
|
|
693
694
|
);
|
|
694
695
|
expect(dep_list.length).toEqual(3);
|
|
@@ -786,7 +787,7 @@ test("parse clojure data", () => {
|
|
|
786
787
|
|
|
787
788
|
test("parse mix lock data", async () => {
|
|
788
789
|
expect(await utils.parseMixLockData(null)).toEqual([]);
|
|
789
|
-
dep_list = await utils.parseMixLockData(
|
|
790
|
+
let dep_list = await utils.parseMixLockData(
|
|
790
791
|
fs.readFileSync("./test/data/mix.lock", { encoding: "utf-8" })
|
|
791
792
|
);
|
|
792
793
|
expect(dep_list.length).toEqual(16);
|
|
@@ -806,7 +807,7 @@ test("parse mix lock data", async () => {
|
|
|
806
807
|
|
|
807
808
|
test("parse github actions workflow data", async () => {
|
|
808
809
|
expect(await utils.parseGitHubWorkflowData(null)).toEqual([]);
|
|
809
|
-
dep_list = await utils.parseGitHubWorkflowData(
|
|
810
|
+
let dep_list = await utils.parseGitHubWorkflowData(
|
|
810
811
|
fs.readFileSync("./.github/workflows/nodejs.yml", { encoding: "utf-8" })
|
|
811
812
|
);
|
|
812
813
|
expect(dep_list.length).toEqual(3);
|
|
@@ -1722,7 +1723,7 @@ test("parse container spec like files", async () => {
|
|
|
1722
1723
|
|
|
1723
1724
|
test("parse cloudbuild data", async () => {
|
|
1724
1725
|
expect(await utils.parseCloudBuildData(null)).toEqual([]);
|
|
1725
|
-
dep_list = await utils.parseCloudBuildData(
|
|
1726
|
+
let dep_list = await utils.parseCloudBuildData(
|
|
1726
1727
|
fs.readFileSync("./test/data/cloudbuild.yaml", { encoding: "utf-8" })
|
|
1727
1728
|
);
|
|
1728
1729
|
expect(dep_list.length).toEqual(1);
|