@cyclonedx/cdxgen 8.3.3 → 8.4.1

package/README.md CHANGED
@@ -246,32 +246,33 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
246
246
 
247
247
  ## Environment variables
248
248
 
249
- | Variable | Description |
250
- | ------------------------- | ------------------------------------------------------------------------------------------------------------------ |
251
- | SCAN_DEBUG_MODE | Set to debug to enable debug messages |
252
- | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
253
- | MVN_CMD | Set to override maven command |
254
- | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
255
- | MAVEN_HOME | Specify maven home |
256
- | GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving |
257
- | GRADLE_MULTI_PROJECT_MODE | Set this variable for gradle multi-project applications. Do not use this with recurse mode. |
258
- | GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath |
259
- | GRADLE_HOME | Specify gradle home |
260
- | GRADLE_CMD | Set to override gradle command |
261
- | GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name. |
262
- | SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
263
- | FETCH_LICENSE | Set this variable to fetch license information from the registry. npm and golang only |
264
- | USE_GOSUM | Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
265
- | CDXGEN_TIMEOUT_MS | Default timeout for known execution involving maven, gradle or sbt |
266
- | CDXGEN_SERVER_TIMEOUT_MS | Default timeout in server mode |
267
- | BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven) |
268
- | CLJ_CMD | Set to override the clojure cli command |
269
- | LEIN_CMD | Set to override the leiningen command |
270
- | SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
271
- | SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
272
- | SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
273
- | CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.6" |
274
- | CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
249
+ | Variable | Description |
250
+ | ---------------------------- | -------------------------------------------------------------------------------------------------------------------|
251
+ | SCAN_DEBUG_MODE | Set to debug to enable debug messages |
252
+ | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
253
+ | MVN_CMD | Set to override maven command |
254
+ | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |
255
+ | MAVEN_HOME | Specify maven home |
256
+ | GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving |
257
+ | GRADLE_MULTI_PROJECT_MODE | Set this variable for gradle multi-project applications. Do not use this with recurse mode. |
258
+ | GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath |
259
+ | GRADLE_HOME | Specify gradle home |
260
+ | GRADLE_CMD | Set to override gradle command |
261
+ | GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name. |
262
+ | SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
263
+ | FETCH_LICENSE | Set this variable to fetch license information from the registry. npm and golang only |
264
+ | USE_GOSUM | Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod |
265
+ | CDXGEN_TIMEOUT_MS | Default timeout for known execution involving maven, gradle or sbt |
266
+ | CDXGEN_SERVER_TIMEOUT_MS | Default timeout in server mode |
267
+ | BAZEL_TARGET | Bazel target to build. Default :all (Eg: //java-maven) |
268
+ | CLJ_CMD | Set to override the clojure cli command |
269
+ | LEIN_CMD | Set to override the leiningen command |
270
+ | SBOM_SIGN_ALGORITHM | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc |
271
+ | SBOM_SIGN_PRIVATE_KEY | Private key to use for signing |
272
+ | SBOM_SIGN_PUBLIC_KEY | Optional. Public key to include in the SBoM signature |
273
+ | CDX_MAVEN_PLUGIN | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8" |
274
+ | CDX_MAVEN_GOAL | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom |
275
+ | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true |
275
276
 
276
277
  ## Plugins
277
278
 
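--- a/package/bin/cdxgen
+++ b/package/bin/cdxgen
@@ -128,7 +128,6 @@ let options = {
  dev: true,
  projectType: args.type,
  multiProject: args.recurse,
- depth: 3,
  output: args.output,
  resolveClass: args.resolveClass,
  installDeps: true,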
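--- a/package/docker.js
+++ b/package/docker.js
@@ -423,9 +423,15 @@ const extractTar = async (fullImageName, dir) => {
  C: dir,
  portable: true,
  onwarn: () => {},
- filter: (path) => {
+ filter: (path, entry) => {
  // Some files are known to cause issues with extract
- if (path.includes("cacerts") || path.includes("ssl/certs")) {
+ if (
+ path.includes("cacerts") ||
+ path.includes("ssl/certs") ||
+ path.includes("etc/") ||
+ path.includes("logs/") ||
+ ["CharacterDevice"].includes(entry.type)
+ ) {
  return false;
  }
  return true;
@@ -434,12 +440,14 @@ const extractTar = async (fullImageName, dir) => {
  );
  return true;
  } catch (err) {
- console.log(
- "Error during extraction. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues"
- );
- console.log("------------");
- console.log(err);
- console.log("------------");
+ if (err.code !== "TAR_BAD_ARCHIVE") {
+ console.log(
+ `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`
+ );
+ console.log("------------");
+ console.log(err);
+ console.log("------------");
+ }
  return false;
  }
  };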
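Review bot: The new `path.includes("etc/")` and `path.includes("logs/")` tests in the tar filter are unanchored substring matches, so any entry whose path merely contains those characters is dropped — `usr/share/catalogs/x` contains `logs/`, and `opt/app/etc/config` contains `etc/` — which silently removes files from the image tree the BOM is built from. If the intent is the image's top-level `etc/` and `logs/` directories, anchor the match on a normalised path, e.g. `const p = path.replace(/^\.?\//, "");` followed by `p.startsWith("etc/") || p.startsWith("logs/")`; if nested directories are meant, say so in the comment above the condition. `["CharacterDevice"].includes(entry.type)` reads as a one-element list lookup where `entry.type === "CharacterDevice"` is clearer, and BlockDevice and FIFO entries are the same class of problem if the extracted tree is later walked and read, so consider excluding those types as well. In the second hunk, a `TAR_BAD_ARCHIVE` failure now returns `false` with no trace at all; a debug-level log of `err` before the return would keep truncated or corrupt image layers diagnosable. The enclosing `extractTar` starts outside the hunk.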
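--- a/package/index.js
+++ b/package/index.js
@@ -988,13 +988,12 @@ const createJavaBom = async (path, options) => {
  if (pomFiles && pomFiles.length) {
  const cdxMavenPlugin =
  process.env.CDX_MAVEN_PLUGIN ||
- "org.cyclonedx:cyclonedx-maven-plugin:2.7.7";
+ "org.cyclonedx:cyclonedx-maven-plugin:2.7.8";
  const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
- let mvnArgs = [
- `${cdxMavenPlugin}:${cdxMavenGoal}`,
- "-DoutputName=bom",
- "-DincludeTestScope=true"
- ];
+ let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];
+ if (utils.includeMavenTestScope) {
+ mvnArgs.push("-DincludeTestScope=true");
+ }
  // By using quiet mode we can reduce the maxBuffer used and avoid crashes
  if (!DEBUG_MODE) {
  mvnArgs.push("-q");
@@ -1006,6 +1005,12 @@ const createJavaBom = async (path, options) => {
  }
  for (let f of pomFiles) {
  const basePath = pathLib.dirname(f);
+ const settingsXml = pathLib.join(basePath, "settings.xml");
+ if (fs.existsSync(settingsXml)) {
+ console.log(
+ `maven settings.xml found in ${basePath}. Please set the MVN_ARGS environment variable based on the full mvn build command used for this project.\nExample: MVN_ARGS='--settings ${settingsXml}'`
+ );
+ }
  let mavenCmd = utils.getMavenCommand(basePath, path);
  // Should we attempt to resolve class names
  if (options.resolveClass) {
@@ -2221,7 +2226,7 @@ const createGoBom = async (path, options) => {
  "list",
  "-deps",
  "-f",
- "'{{with .Module}}{{.Path}} {{.Version}}{{end}}'",
+ "'{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}}{{end}}'",
  "./..."
  ],
  { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
@@ -2256,7 +2261,11 @@ const createGoBom = async (path, options) => {
  if (circuitBreak) {
  break;
  }
- let pkgFullName = `${apkg.group}/${apkg.name}`;
+ let pkgFullName = `${apkg.name}`;
+ if (apkg.scope === "required") {
+ allImports[pkgFullName] = true;
+ continue;
+ }
  if (DEBUG_MODE) {
  console.log(`go mod why -m -vendor ${pkgFullName}`);
  }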
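Review bot: The new `-f` template in createGoBom writes `{{.GoMod}}`, a filesystem path inside the module cache, into a space-separated line that parseGoListDep (utils.js, same diff) splits on `" "` and accepts only when exactly five fields result, so a module cache under a directory containing a space (a user home such as `C:\Users\First Last\go\...`) produces extra fields and that module is silently dropped from the BOM. Emit a separator that cannot occur in module paths or versions and split on it in the parser, e.g. `"'{{with .Module}}{{.Path}}\t{{.Version}}\t{{.Indirect}}\t{{.GoMod}}\t{{.GoVersion}}{{end}}'"` with a matching `.split("\t")` in parseGoListDep, or at least log the skipped line when the field count is wrong instead of discarding it. The `{{.GoMod}}` value also makes the SBOM carry an absolute host path under `SrcGoMod`, which is worth noting in the README table if that is intended. `createGoBom` begins and ends outside these hunks.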
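--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cyclonedx/cdxgen",
- "version": "8.3.3",
+ "version": "8.4.1",
  "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
  "homepage": "http://github.com/cyclonedx/cdxgen",
  "author": "Prabhu Subramanian <prabhu@appthreat.com>",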
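--- a/package/utils.js
+++ b/package/utils.js
@@ -26,6 +26,12 @@ const DEBUG_MODE =
  // Metadata cache
  let metadata_cache = {};
 
+ // Whether test scope shall be included for java/maven projects; default, if unset shall be 'true'
+ const includeMavenTestScope =
+ !process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE ||
+ ["true", "1"].includes(process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE);
+ exports.includeMavenTestScope = includeMavenTestScope;
+
  const MAX_LICENSE_ID_LENGTH = 100;
 
  /**
@@ -1035,18 +1041,19 @@ const parsePom = function (pomFile) {
  let versionStr = undefined;
  if (version && version._ && version._.indexOf("$") == -1) {
  versionStr = version._;
- deps.push({
- group: adep.groupId ? adep.groupId._ : "",
- name: adep.artifactId ? adep.artifactId._ : "",
- version: versionStr,
- qualifiers: { type: "jar" },
- properties: [
- {
- name: "SrcFile",
- value: pomFile
- }
- ]
- });
+ if (includeMavenTestScope || !adep.scope || adep.scope !== "test")
+ deps.push({
+ group: adep.groupId ? adep.groupId._ : "",
+ name: adep.artifactId ? adep.artifactId._ : "",
+ version: versionStr,
+ qualifiers: { type: "jar" },
+ properties: [
+ {
+ name: "SrcFile",
+ value: pomFile
+ }
+ ]
+ });
  }
  }
  }
@@ -1071,7 +1078,7 @@ const parseMavenTree = function (rawOutput) {
  let last_purl = "";
  let stack = [];
  tmpA.forEach((l) => {
- if (l.endsWith(":test")) {
+ if (!includeMavenTestScope && l.endsWith(":test")) {
  return;
  }
  let level = 0;
@@ -2104,34 +2111,24 @@ const parseGoModData = async function (goModData, gosumMap) {
 
  if (!isModReplacement) {
  // Add group, name and version component properties for required modules
- let group = path.dirname(tmpA[0]);
- const name = path.basename(tmpA[0]);
- if (group === ".") {
- group = name;
- }
  const version = tmpA[1];
- let gosumHash = gosumMap[`${group}/${name}/${version}`];
+ let gosumHash = gosumMap[`${tmpA[0]}/${version}`];
  // The hash for this version was not found in go.sum, so skip as it is most likely being replaced.
  if (gosumHash === undefined) {
  continue;
  }
- let component = await getGoPkgComponent(group, name, version, gosumHash);
+ let component = await getGoPkgComponent("", tmpA[0], version, gosumHash);
  pkgComponentsList.push(component);
  } else {
  // Add group, name and version component properties for replacement modules
- let group = path.dirname(tmpA[2]);
- const name = path.basename(tmpA[2]);
- if (group === ".") {
- group = name;
- }
  const version = tmpA[3];
 
- let gosumHash = gosumMap[`${group}/${name}/${version}`];
+ let gosumHash = gosumMap[`${tmpA[2]}/${version}`];
  // The hash for this version was not found in go.sum, so skip.
  if (gosumHash === undefined) {
  continue;
  }
- let component = await getGoPkgComponent(group, name, version, gosumHash);
+ let component = await getGoPkgComponent("", tmpA[2], version, gosumHash);
  pkgComponentsList.push(component);
  }
  }
@@ -2154,24 +2151,35 @@ const parseGoListDep = async function (rawOutput, gosumMap) {
  const pkgs = rawOutput.split("\n");
  for (let l of pkgs) {
  const verArr = l.trim().replace(new RegExp("[\"']", "g"), "").split(" ");
- if (verArr && verArr.length === 2) {
+
+ if (verArr && verArr.length === 5) {
  const key = verArr[0] + "-" + verArr[1];
  // Filter duplicates
  if (!keys_cache[key]) {
  keys_cache[key] = key;
- let group = path.dirname(verArr[0]);
- const name = path.basename(verArr[0]);
  const version = verArr[1];
- if (group === ".") {
- group = name;
- }
- let gosumHash = gosumMap[`${group}/${name}/${version}`];
+ let gosumHash = gosumMap[`${verArr[0]}/${version}`];
  let component = await getGoPkgComponent(
- group,
- name,
+ "",
+ verArr[0],
  version,
  gosumHash
  );
+ if (verArr[2] === "false") {
+ component.scope = "required";
+ } else if (verArr[2] === "true") {
+ component.scope = "optional";
+ }
+ component.properties = [
+ {
+ name: "SrcGoMod",
+ value: verArr[3] || ""
+ },
+ {
+ name: "ModuleGoVersion",
+ value: verArr[4] || ""
+ }
+ ];
  deps.push(component);
  }
  }
@@ -2212,27 +2220,23 @@ const parseGosumData = async function (gosumData) {
  // look for lines containing go.mod
  if (l.indexOf("go.mod") > -1) {
  const tmpA = l.split(" ");
- let group = path.dirname(tmpA[0]);
- const name = path.basename(tmpA[0]);
- if (group === ".") {
- group = name;
- }
+ const name = tmpA[0];
  const version = tmpA[1].replace("/go.mod", "");
  const hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
  let license = undefined;
  if (process.env.FETCH_LICENSE) {
  if (DEBUG_MODE) {
  console.log(
- `About to fetch go package license information for ${group}:${name}`
+ `About to fetch go package license information for ${name}`
  );
  }
  license = await getGoPkgLicense({
- group: group,
+ group: "",
  name: name
  });
  }
  pkgList.push({
- group: group,
+ group: "",
  name: name,
  version: version,
  _integrity: hash,
@@ -2271,11 +2275,8 @@ const parseGopkgData = async function (gopkgData) {
  pkg._integrity = "sha256-" + toBase64(digestStr);
  break;
  case "name":
- pkg.group = path.dirname(value);
- pkg.name = path.basename(value);
- if (pkg.group === ".") {
- pkg.group = pkg.name;
- }
+ pkg.group = "";
+ pkg.name = value;
  if (process.env.FETCH_LICENSE) {
  pkg.license = await getGoPkgLicense({
  group: pkg.group,
@@ -2312,16 +2313,12 @@ const parseGoVersionData = async function (buildInfoData) {
  if (!tmpA || tmpA.length < 3) {
  continue;
  }
- let group = path.dirname(tmpA[1].trim());
- const name = path.basename(tmpA[1].trim());
- if (group === ".") {
- group = name;
- }
+ const name = tmpA[1].trim();
  let hash = "";
  if (tmpA.length == 4) {
  hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
  }
- let component = await getGoPkgComponent(group, name, tmpA[2].trim(), hash);
+ let component = await getGoPkgComponent("", name, tmpA[2].trim(), hash);
  pkgList.push(component);
  }
  return pkgList;
@@ -2917,9 +2914,7 @@ const parseContainerSpecData = async function (dcData) {
  try {
  yamlObj = yaml.load(dcData);
  } catch (err) {
- if (DEBUG_MODE) {
- console.log(err);
- }
+ // ignore errors
  }
  if (!yamlObj) {
  continue;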
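Review bot: In the parsePom hunk, `adep.scope !== "test"` compares the parsed `<scope>` element with a string, but the adjacent lines read `adep.groupId._` and `adep.artifactId._`, which shows each child element is an object carrying its text in `._`; if `scope` is parsed the same way the comparison is always true and test-scoped dependencies are never excluded from the pom.xml path when `CDX_MAVEN_INCLUDE_TEST_SCOPE` is false, even though parseMavenTree now honours the flag. Read the text explicitly, `const scope = adep.scope && adep.scope._ ? adep.scope._ : "";`, then `if (includeMavenTestScope || scope !== "test") {` with braces around the thirteen-line `deps.push(...)` (the `!adep.scope ||` term becomes redundant, and a brace-less `if` over a multi-line statement is easy to misread). In parseGoListDep, mapping `.Indirect === "true"` to `scope = "optional"` is questionable: in CycloneDX `optional` means not needed at runtime, whereas an indirect Go module is still a required transitive dependency, so recording it as a property such as `{ name: "Indirect", value: verArr[2] }` would be the faithful encoding — worth confirming against how downstream consumers read `scope`. The parseContainerSpecData hunk replaces a debug-only log of the `yaml.load` error with a bare `// ignore errors`, which removes the only signal for a malformed spec; keeping the `DEBUG_MODE` log costs nothing. All of these functions start outside their hunks.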
package/utils.test.js CHANGED
@@ -235,8 +235,8 @@ test("parse maven tree", () => {
235
235
  let parsedList = utils.parseMavenTree(
236
236
  fs.readFileSync("./test/data/sample-mvn-tree.txt", { encoding: "utf-8" })
237
237
  );
238
- expect(parsedList.pkgList.length).toEqual(59);
239
- expect(parsedList.dependenciesList.length).toEqual(59);
238
+ expect(parsedList.pkgList.length).toEqual(61);
239
+ expect(parsedList.dependenciesList.length).toEqual(61);
240
240
  expect(parsedList.pkgList[0]).toEqual({
241
241
  group: "com.pogeyan.cmis",
242
242
  name: "copper-server",
@@ -259,6 +259,7 @@ test("parse maven tree", () => {
259
259
  "pkg:maven/commons-fileupload/commons-fileupload@1.4?type=jar",
260
260
  "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.12.0?type=jar",
261
261
  "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0?type=jar",
262
+ "pkg:maven/junit/junit@4.12?type=jar",
262
263
  "pkg:maven/com.typesafe.akka/akka-actor_2.11@2.4.14?type=jar",
263
264
  "pkg:maven/com.typesafe.akka/akka-cluster_2.11@2.4.14?type=jar",
264
265
  "pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13?type=jar",
@@ -271,8 +272,8 @@ test("parse maven tree", () => {
271
272
  encoding: "utf-8"
272
273
  })
273
274
  );
274
- expect(parsedList.pkgList.length).toEqual(27);
275
- expect(parsedList.dependenciesList.length).toEqual(27);
275
+ expect(parsedList.pkgList.length).toEqual(37);
276
+ expect(parsedList.dependenciesList.length).toEqual(37);
276
277
  expect(parsedList.pkgList[0]).toEqual({
277
278
  group: "com.gitlab.security_products.tests",
278
279
  name: "java-maven",
@@ -282,7 +283,9 @@ test("parse maven tree", () => {
282
283
  expect(parsedList.dependenciesList[0]).toEqual({
283
284
  ref: "pkg:maven/com.gitlab.security_products.tests/java-maven@1.0-SNAPSHOT?type=jar",
284
285
  dependsOn: [
286
+ "pkg:maven/org.powermock/powermock-api-mockito@1.7.3?type=jar",
285
287
  "pkg:maven/io.netty/netty@3.9.1.Final?type=jar",
288
+ "pkg:maven/junit/junit@3.8.1?type=jar",
286
289
  "pkg:maven/org.apache.maven/maven-artifact@3.3.9?type=jar",
287
290
  "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2?type=jar",
288
291
  "pkg:maven/org.mozilla/rhino@1.7.10?type=jar",
@@ -385,29 +388,29 @@ test("parseGoModData", async () => {
385
388
  );
386
389
  expect(dep_list.length).toEqual(4);
387
390
  expect(dep_list[0]).toEqual({
388
- group: "github.com/aws",
389
- name: "aws-sdk-go",
391
+ group: "",
392
+ name: "github.com/aws/aws-sdk-go",
390
393
  license: undefined,
391
394
  version: "v1.38.47",
392
395
  _integrity: "sha256-fake-sha-for-aws-go-sdk="
393
396
  });
394
397
  expect(dep_list[1]).toEqual({
395
- group: "github.com/spf13",
396
- name: "cobra",
398
+ group: "",
399
+ name: "github.com/spf13/cobra",
397
400
  license: undefined,
398
401
  version: "v1.0.0",
399
402
  _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE="
400
403
  });
401
404
  expect(dep_list[2]).toEqual({
402
- group: "google.golang.org",
403
- name: "grpc",
405
+ group: "",
406
+ name: "google.golang.org/grpc",
404
407
  license: undefined,
405
408
  version: "v1.21.0",
406
409
  _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM="
407
410
  });
408
411
  expect(dep_list[3]).toEqual({
409
- group: "github.com/spf13",
410
- name: "viper",
412
+ group: "",
413
+ name: "github.com/spf13/viper",
411
414
  license: undefined,
412
415
  version: "v1.0.2",
413
416
  _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM="
@@ -426,29 +429,29 @@ test("parseGoSumData", async () => {
426
429
  );
427
430
  expect(dep_list.length).toEqual(4);
428
431
  expect(dep_list[0]).toEqual({
429
- group: "google.golang.org",
430
- name: "grpc",
432
+ group: "",
433
+ name: "google.golang.org/grpc",
431
434
  license: undefined,
432
435
  version: "v1.21.0",
433
436
  _integrity: "sha256-oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM="
434
437
  });
435
438
  expect(dep_list[1]).toEqual({
436
- group: "github.com/spf13",
437
- name: "cobra",
439
+ group: "",
440
+ name: "github.com/spf13/cobra",
438
441
  license: undefined,
439
442
  version: "v1.0.0",
440
443
  _integrity: "sha256-/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE="
441
444
  });
442
445
  expect(dep_list[2]).toEqual({
443
- group: "github.com/spf13",
444
- name: "viper",
446
+ group: "",
447
+ name: "github.com/spf13/viper",
445
448
  license: undefined,
446
449
  version: "v1.0.2",
447
450
  _integrity: "sha256-A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM="
448
451
  });
449
452
  expect(dep_list[3]).toEqual({
450
- group: "github.com/stretchr",
451
- name: "testify",
453
+ group: "",
454
+ name: "github.com/stretchr/testify",
452
455
  license: undefined,
453
456
  version: "v1.6.1",
454
457
  _integrity: "sha256-6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg="
@@ -463,11 +466,22 @@ test("parse go list dependencies", async () => {
463
466
  fs.readFileSync("./test/data/golist-dep.txt", { encoding: "utf-8" }),
464
467
  {}
465
468
  );
466
- expect(dep_list.length).toEqual(8);
469
+ expect(dep_list.length).toEqual(4);
467
470
  expect(dep_list[0]).toEqual({
468
- group: "github.com/badoux",
469
- name: "checkmail",
470
- version: "v0.0.0-20181210160741-9661bd69e9ad"
471
+ group: "",
472
+ name: "github.com/gorilla/mux",
473
+ version: "v1.7.4",
474
+ _integrity: undefined,
475
+ license: undefined,
476
+ scope: "required",
477
+ properties: [
478
+ {
479
+ name: "SrcGoMod",
480
+ value:
481
+ "/home/almalinux/go/pkg/mod/cache/download/github.com/gorilla/mux/@v/v1.7.4.mod"
482
+ },
483
+ { name: "ModuleGoVersion", value: "1.12" }
484
+ ]
471
485
  });
472
486
  });
473
487
 
@@ -491,8 +505,8 @@ test("parseGopkgData", async () => {
491
505
  );
492
506
  expect(dep_list.length).toEqual(36);
493
507
  expect(dep_list[0]).toEqual({
494
- group: "cloud.google.com",
495
- name: "go",
508
+ group: "",
509
+ name: "cloud.google.com/go",
496
510
  version: "v0.39.0",
497
511
  _integrity: "sha256-LKUyprxlVmM0QAS6ECQ20pAxAY6rI2JHZ42x2JeGJ78="
498
512
  });
@@ -508,8 +522,8 @@ test("parse go version data", async () => {
508
522
  );
509
523
  expect(dep_list.length).toEqual(125);
510
524
  expect(dep_list[0]).toEqual({
511
- group: "github.com/ShiftLeftSecurity",
512
- name: "atlassian-connect-go",
525
+ group: "",
526
+ name: "github.com/ShiftLeftSecurity/atlassian-connect-go",
513
527
  version: "v0.0.2",
514
528
  _integrity: "",
515
529
  license: undefined
@@ -520,8 +534,8 @@ test("parse go version data", async () => {
520
534
  );
521
535
  expect(dep_list.length).toEqual(149);
522
536
  expect(dep_list[0]).toEqual({
523
- group: "cloud.google.com",
524
- name: "go",
537
+ group: "",
538
+ name: "cloud.google.com/go",
525
539
  version: "v0.79.0",
526
540
  _integrity: "sha256-oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0=",
527
541
  license: undefined
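Review bot: In the "parse go list dependencies" expectation, the keys `_integrity: undefined` and `license: undefined` assert nothing under `toEqual`, which treats a missing key and an `undefined` value as equal; if the intent is to pin that parseGoListDep leaves those fields unset, use `toStrictEqual` there, and the same applies to the `license: undefined` keys in the parseGoModData and parseGoSumData expectations. The drop from 8 to 4 entries in that test follows from the parser now accepting only five-field lines, so it depends on `./test/data/golist-dep.txt` having been regenerated with the new `-f` template; that fixture does not appear in this diff, so the count cannot be checked here. The expected `SrcGoMod` value is an absolute path from the machine that produced the fixture, which is fine for a fixture-driven test but worth a one-line comment so nobody tries to make it portable.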