npm - @cyclonedx/cdxgen - Versions diffs - 8.3.2 → 8.4.0 - Mend

@cyclonedx/cdxgen 8.3.2 → 8.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -298,6 +298,7 @@ cdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker
 You can also pass the .tar file of a container image.
 ```shell
+docker pull shiftleft/scan-slim
 docker save -o /tmp/slim.tar shiftleft/scan-slim
 podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
 cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker

package/bin/cdxgen CHANGED Viewed

@@ -128,7 +128,6 @@ let options = {
   dev: true,
   projectType: args.type,
   multiProject: args.recurse,
-  depth: 3,
   output: args.output,
   resolveClass: args.resolveClass,
   installDeps: true,

package/docker.js CHANGED Viewed

@@ -423,9 +423,15 @@ const extractTar = async (fullImageName, dir) => {
         C: dir,
         portable: true,
         onwarn: () => {},
-        filter: (path) => {
+        filter: (path, entry) => {
           // Some files are known to cause issues with extract
-          if (path.includes("cacerts") || path.includes("ssl/certs")) {
+          if (
+            path.includes("cacerts") ||
+            path.includes("ssl/certs") ||
+            path.includes("etc/") ||
+            path.includes("logs/") ||
+            ["CharacterDevice"].includes(entry.type)
+          ) {
             return false;
           }
           return true;
@@ -434,12 +440,14 @@ const extractTar = async (fullImageName, dir) => {
     );
     return true;
   } catch (err) {
-    console.log(
-      "Error during extraction. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues"
-    );
-    console.log("------------");
-    console.log(err);
-    console.log("------------");
+    if (err.code !== "TAR_BAD_ARCHIVE") {
+      console.log(
+        `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`
+      );
+      console.log("------------");
+      console.log(err);
+      console.log("------------");
+    }
     return false;
   }
 };

package/index.js CHANGED Viewed

@@ -536,11 +536,11 @@ function addComponent(
       pkg.purl ||
       new PackageURL(
         ptype,
-        encodeURIComponent(group),
-        encodeURIComponent(name),
+        utils.encodeForPurl(group),
+        utils.encodeForPurl(name),
         version,
         pkg.qualifiers,
-        pkg.subpath
+        utils.encodeForPurl(pkg.subpath)
       );
     let purlString = purl.toString();
     purlString = decodeURIComponent(purlString);
@@ -1006,6 +1006,12 @@ const createJavaBom = async (path, options) => {
       }
       for (let f of pomFiles) {
         const basePath = pathLib.dirname(f);
+        const settingsXml = pathLib.join(basePath, "settings.xml");
+        if (fs.existsSync(settingsXml)) {
+          console.log(
+            `maven settings.xml found in ${basePath}. Please set the MVN_ARGS environment variable based on the full mvn build command used for this project.\nExample: MVN_ARGS='--settings ${settingsXml}'`
+          );
+        }
         let mavenCmd = utils.getMavenCommand(basePath, path);
         // Should we attempt to resolve class names
         if (options.resolveClass) {
@@ -2221,7 +2227,7 @@ const createGoBom = async (path, options) => {
             "list",
             "-deps",
             "-f",
-            "'{{with .Module}}{{.Path}} {{.Version}}{{end}}'",
+            "'{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}}{{end}}'",
             "./..."
           ],
           { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
@@ -2256,7 +2262,11 @@ const createGoBom = async (path, options) => {
         if (circuitBreak) {
           break;
         }
-        let pkgFullName = `${apkg.group}/${apkg.name}`;
+        let pkgFullName = `${apkg.name}`;
+        if (apkg.scope === "required") {
+          allImports[pkgFullName] = true;
+          continue;
+        }
         if (DEBUG_MODE) {
           console.log(`go mod why -m -vendor ${pkgFullName}`);
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.3.2",
+  "version": "8.4.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js CHANGED Viewed

@@ -2104,34 +2104,24 @@ const parseGoModData = async function (goModData, gosumMap) {
     if (!isModReplacement) {
       // Add group, name and version component properties for required modules
-      let group = path.dirname(tmpA[0]);
-      const name = path.basename(tmpA[0]);
-      if (group === ".") {
-        group = name;
-      }
       const version = tmpA[1];
-      let gosumHash = gosumMap[`${group}/${name}/${version}`];
+      let gosumHash = gosumMap[`${tmpA[0]}/${version}`];
       // The hash for this version was not found in go.sum, so skip as it is most likely being replaced.
       if (gosumHash === undefined) {
         continue;
       }
-      let component = await getGoPkgComponent(group, name, version, gosumHash);
+      let component = await getGoPkgComponent("", tmpA[0], version, gosumHash);
       pkgComponentsList.push(component);
     } else {
       // Add group, name and version component properties for replacement modules
-      let group = path.dirname(tmpA[2]);
-      const name = path.basename(tmpA[2]);
-      if (group === ".") {
-        group = name;
-      }
       const version = tmpA[3];
-      let gosumHash = gosumMap[`${group}/${name}/${version}`];
+      let gosumHash = gosumMap[`${tmpA[2]}/${version}`];
       // The hash for this version was not found in go.sum, so skip.
       if (gosumHash === undefined) {
         continue;
       }
-      let component = await getGoPkgComponent(group, name, version, gosumHash);
+      let component = await getGoPkgComponent("", tmpA[2], version, gosumHash);
       pkgComponentsList.push(component);
     }
   }
@@ -2154,24 +2144,35 @@ const parseGoListDep = async function (rawOutput, gosumMap) {
     const pkgs = rawOutput.split("\n");
     for (let l of pkgs) {
       const verArr = l.trim().replace(new RegExp("[\"']", "g"), "").split(" ");
-      if (verArr && verArr.length === 2) {
+      if (verArr && verArr.length === 5) {
         const key = verArr[0] + "-" + verArr[1];
         // Filter duplicates
         if (!keys_cache[key]) {
           keys_cache[key] = key;
-          let group = path.dirname(verArr[0]);
-          const name = path.basename(verArr[0]);
           const version = verArr[1];
-          if (group === ".") {
-            group = name;
-          }
-          let gosumHash = gosumMap[`${group}/${name}/${version}`];
+          let gosumHash = gosumMap[`${verArr[0]}/${version}`];
           let component = await getGoPkgComponent(
-            group,
-            name,
+            "",
+            verArr[0],
             version,
             gosumHash
           );
+          if (verArr[2] === "false") {
+            component.scope = "required";
+          } else if (verArr[2] === "true") {
+            component.scope = "optional";
+          }
+          component.properties = [
+            {
+              name: "SrcGoMod",
+              value: verArr[3] || ""
+            },
+            {
+              name: "ModuleGoVersion",
+              value: verArr[4] || ""
+            }
+          ];
           deps.push(component);
         }
       }
@@ -2212,27 +2213,23 @@ const parseGosumData = async function (gosumData) {
     // look for lines containing go.mod
     if (l.indexOf("go.mod") > -1) {
       const tmpA = l.split(" ");
-      let group = path.dirname(tmpA[0]);
-      const name = path.basename(tmpA[0]);
-      if (group === ".") {
-        group = name;
-      }
+      const name = tmpA[0];
       const version = tmpA[1].replace("/go.mod", "");
       const hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
       let license = undefined;
       if (process.env.FETCH_LICENSE) {
         if (DEBUG_MODE) {
           console.log(
-            `About to fetch go package license information for ${group}:${name}`
+            `About to fetch go package license information for ${name}`
           );
         }
         license = await getGoPkgLicense({
-          group: group,
+          group: "",
           name: name
         });
       }
       pkgList.push({
-        group: group,
+        group: "",
         name: name,
         version: version,
         _integrity: hash,
@@ -2271,11 +2268,8 @@ const parseGopkgData = async function (gopkgData) {
           pkg._integrity = "sha256-" + toBase64(digestStr);
           break;
         case "name":
-          pkg.group = path.dirname(value);
-          pkg.name = path.basename(value);
-          if (pkg.group === ".") {
-            pkg.group = pkg.name;
-          }
+          pkg.group = "";
+          pkg.name = value;
           if (process.env.FETCH_LICENSE) {
             pkg.license = await getGoPkgLicense({
               group: pkg.group,
@@ -2312,16 +2306,12 @@ const parseGoVersionData = async function (buildInfoData) {
     if (!tmpA || tmpA.length < 3) {
       continue;
     }
-    let group = path.dirname(tmpA[1].trim());
-    const name = path.basename(tmpA[1].trim());
-    if (group === ".") {
-      group = name;
-    }
+    const name = tmpA[1].trim();
     let hash = "";
     if (tmpA.length == 4) {
       hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
     }
-    let component = await getGoPkgComponent(group, name, tmpA[2].trim(), hash);
+    let component = await getGoPkgComponent("", name, tmpA[2].trim(), hash);
     pkgList.push(component);
   }
   return pkgList;
@@ -2917,9 +2907,7 @@ const parseContainerSpecData = async function (dcData) {
     try {
       yamlObj = yaml.load(dcData);
     } catch (err) {
-      if (DEBUG_MODE) {
-        console.log(err);
-      }
+      // ignore errors
     }
     if (!yamlObj) {
       continue;
@@ -4188,6 +4176,13 @@ const parseJarManifest = function (jarMetadata) {
 };
 exports.parseJarManifest = parseJarManifest;
+const encodeForPurl = (s) => {
+  return s
+    ? encodeURIComponent(s).replace(/%3A/g, ":").replace(/%2F/g, "/")
+    : s;
+};
+exports.encodeForPurl = encodeForPurl;
 /**
  * Method to extract a war or ear file
  *
@@ -4272,7 +4267,8 @@ const extractJarArchive = function (jarFile, tempDir) {
             jarMetadata["Implementation-Vendor-Id"] ||
             jarMetadata["Bundle-SymbolicName"] ||
             jarMetadata["Bundle-Vendor"] ||
-            jarMetadata["Automatic-Module-Name"];
+            jarMetadata["Automatic-Module-Name"] ||
+            "";
           let name = "";
           if (
             jarMetadata["Bundle-Name"] &&
@@ -4338,8 +4334,8 @@ const extractJarArchive = function (jarFile, tempDir) {
           }
           if (name && version) {
             pkgList.push({
-              group: group === "." ? "" : encodeURIComponent(group) || "",
-              name: name ? encodeURIComponent(name) : "",
+              group: group === "." ? "" : encodeForPurl(group || "") || "",
+              name: name ? encodeForPurl(name) : "",
               version,
               properties: [
                 {

package/utils.test.js CHANGED Viewed

@@ -385,29 +385,29 @@ test("parseGoModData", async () => {
   );
   expect(dep_list.length).toEqual(4);
   expect(dep_list[0]).toEqual({
-    group: "github.com/aws",
-    name: "aws-sdk-go",
+    group: "",
+    name: "github.com/aws/aws-sdk-go",
     license: undefined,
     version: "v1.38.47",
     _integrity: "sha256-fake-sha-for-aws-go-sdk="
   });
   expect(dep_list[1]).toEqual({
-    group: "github.com/spf13",
-    name: "cobra",
+    group: "",
+    name: "github.com/spf13/cobra",
     license: undefined,
     version: "v1.0.0",
     _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE="
   });
   expect(dep_list[2]).toEqual({
-    group: "google.golang.org",
-    name: "grpc",
+    group: "",
+    name: "google.golang.org/grpc",
     license: undefined,
     version: "v1.21.0",
     _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM="
   });
   expect(dep_list[3]).toEqual({
-    group: "github.com/spf13",
-    name: "viper",
+    group: "",
+    name: "github.com/spf13/viper",
     license: undefined,
     version: "v1.0.2",
     _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM="
@@ -426,29 +426,29 @@ test("parseGoSumData", async () => {
   );
   expect(dep_list.length).toEqual(4);
   expect(dep_list[0]).toEqual({
-    group: "google.golang.org",
-    name: "grpc",
+    group: "",
+    name: "google.golang.org/grpc",
     license: undefined,
     version: "v1.21.0",
     _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM="
   });
   expect(dep_list[1]).toEqual({
-    group: "github.com/spf13",
-    name: "cobra",
+    group: "",
+    name: "github.com/spf13/cobra",
     license: undefined,
     version: "v1.0.0",
     _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE="
   });
   expect(dep_list[2]).toEqual({
-    group: "github.com/spf13",
-    name: "viper",
+    group: "",
+    name: "github.com/spf13/viper",
     license: undefined,
     version: "v1.0.2",
     _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM="
   });
   expect(dep_list[3]).toEqual({
-    group: "github.com/stretchr",
-    name: "testify",
+    group: "",
+    name: "github.com/stretchr/testify",
     license: undefined,
     version: "v1.6.1",
     _integrity: "sha256-6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg="
@@ -463,11 +463,22 @@ test("parse go list dependencies", async () => {
     fs.readFileSync("./test/data/golist-dep.txt", { encoding: "utf-8" }),
     {}
   );
-  expect(dep_list.length).toEqual(8);
+  expect(dep_list.length).toEqual(4);
   expect(dep_list[0]).toEqual({
-    group: "github.com/badoux",
-    name: "checkmail",
-    version: "v0.0.0-20181210160741-9661bd69e9ad"
+    group: "",
+    name: "github.com/gorilla/mux",
+    version: "v1.7.4",
+    _integrity: undefined,
+    license: undefined,
+    scope: "required",
+    properties: [
+      {
+        name: "SrcGoMod",
+        value:
+          "/home/almalinux/go/pkg/mod/cache/download/github.com/gorilla/mux/@v/v1.7.4.mod"
+      },
+      { name: "ModuleGoVersion", value: "1.12" }
+    ]
   });
 });
@@ -491,8 +502,8 @@ test("parseGopkgData", async () => {
   );
   expect(dep_list.length).toEqual(36);
   expect(dep_list[0]).toEqual({
-    group: "cloud.google.com",
-    name: "go",
+    group: "",
+    name: "cloud.google.com/go",
     version: "v0.39.0",
     _integrity: "sha256-LKUyprxlVmM0QAS6ECQ20pAxAY6rI2JHZ42x2JeGJ78="
   });
@@ -508,8 +519,8 @@ test("parse go version data", async () => {
   );
   expect(dep_list.length).toEqual(125);
   expect(dep_list[0]).toEqual({
-    group: "github.com/ShiftLeftSecurity",
-    name: "atlassian-connect-go",
+    group: "",
+    name: "github.com/ShiftLeftSecurity/atlassian-connect-go",
     version: "v0.0.2",
     _integrity: "",
     license: undefined
@@ -520,8 +531,8 @@ test("parse go version data", async () => {
   );
   expect(dep_list.length).toEqual(149);
   expect(dep_list[0]).toEqual({
-    group: "cloud.google.com",
-    name: "go",
+    group: "",
+    name: "cloud.google.com/go",
     version: "v0.79.0",
     _integrity: "sha256-oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0=",
     license: undefined