@cyclonedx/cdxgen 8.4.10 → 8.4.12

package/index.js

@@ -1287,7 +1287,7 @@ const createJavaBom = async (path, options) => {
                 const parsedList = utils.parseGradleDep(cmdOutput, sp);
                 const dlist = parsedList.pkgList;
                 // Do not overwrite the parentComponent in multi-project mode
-                if (!parentComponent) {
+                if (!parentComponent || !Object.keys(parentComponent).length) {
                   parentComponent = dlist.splice(0, 1)[0];
                 }
                 if (
@@ -1400,7 +1400,7 @@ const createJavaBom = async (path, options) => {
             const cmdOutput = Buffer.from(stdout).toString();
             const parsedList = utils.parseGradleDep(cmdOutput);
             const dlist = parsedList.pkgList;
-            if (!parentComponent) {
+            if (!parentComponent || !Object.keys(parentComponent).length) {
               parentComponent = dlist.splice(0, 1)[0];
             }
             if (parsedList.dependenciesList && parsedList.dependenciesList) {
@@ -4594,13 +4594,47 @@ exports.submitBom = async (args, bomContents) => {
       projectVersion
     );
   }
-  return await got(serverUrl, {
-    method: "POST",
-    headers: {
-      "X-Api-Key": args.apiKey,
-      "Content-Type": "application/json"
-    },
-    json: bomPayload,
-    responseType: "json"
-  }).json();
+  try {
+    return await got(serverUrl, {
+      method: "PUT",
+      headers: {
+        "X-Api-Key": args.apiKey,
+        "Content-Type": "application/json"
+      },
+      json: bomPayload,
+      responseType: "json"
+    }).json();
+  } catch (error) {
+    if (error.response.statusCode === 401) {
+      // Unauthorized
+      console.log(
+        "Received Unauthorized error. Check the API key used is valid and has necessary permissions to create projects and upload bom."
+      );
+    } else if (error.response.statusCode === 405) {
+      // Method not allowed errors
+      try {
+        return await got(serverUrl, {
+          method: "POST",
+          headers: {
+            "X-Api-Key": args.apiKey,
+            "Content-Type": "application/json"
+          },
+          json: {
+            project: args.projectId,
+            projectName: args.projectName,
+            projectVersion: projectVersion,
+            autoCreate: "true",
+            bom: Buffer.from(bomContents).toString()
+          },
+          responseType: "json"
+        }).json();
+      } catch (error) {
+        console.log("Unable to submit the SBoM to the Dependency-Track server");
+        console.log(error);
+      }
+    } else {
+      console.log("Unable to submit the SBoM to the Dependency-Track server");
+      console.log(error);
+    }
+  }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.4.10",
+  "version": "8.4.12",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -1218,8 +1218,11 @@ const parseGradleDep = function (
     let last_level = 0;
     let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
     const first_purl = last_purl;
+    let last_project_purl = first_purl;
     const level_trees = {};
     level_trees[last_purl] = [];
+    let scope = undefined;
+    let profileName = undefined;
     if (retMap && retMap.projects) {
       const subDependsOn = [];
       for (const sd of retMap.projects) {
@@ -1242,16 +1245,34 @@ const parseGradleDep = function (
     const depRegex =
       /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly [[]?)?(?<versionspecified>[^,\s:}]+))?(?:})?(?:[^->]* +-> +(?<versionoverride>[^\s:]+))?/gm;
     for (const rline of rawOutput.split("\n")) {
-      if (last_level !== 1) {
-        if (
-          !rline ||
-          rline.trim() === "" ||
-          rline.startsWith("+--- ") ||
-          rline.startsWith("\\--- ")
-        ) {
-          last_level = 1;
-          last_purl = first_purl;
-          stack = [last_purl];
+      if (!rline) {
+        continue;
+      }
+      if (
+        rline.trim() === "" ||
+        rline.startsWith("+--- ") ||
+        rline.startsWith("\\--- ")
+      ) {
+        last_level = 1;
+        if (rline.startsWith("+--- project :")) {
+          let tmpProj = rline.split("+--- project :");
+          last_project_purl = `pkg:maven/${tmpProj[1].trim()}@${rootProjectVersion}?type=jar`;
+          stack = [last_project_purl];
+          last_purl = last_project_purl;
+        } else {
+          last_project_purl = first_purl;
+          last_purl = last_project_purl;
+          stack = [first_purl];
+        }
+      }
+      if (rline.includes(" - ")) {
+        profileName = rline.split(" - ")[0];
+        if (profileName.toLowerCase().includes("test")) {
+          scope = "optional";
+        } else if (profileName.toLowerCase().includes("runtime")) {
+          scope = "required";
+        } else {
+          scope = undefined;
         }
       }
       while ((match = depRegex.exec(rline))) {
@@ -1273,21 +1294,38 @@ const parseGradleDep = function (
             // Filter duplicates
             if (!deps_keys_cache[purlString]) {
               deps_keys_cache[purlString] = true;
-              deps.push({
+              const adep = {
                 group,
                 name: name,
                 version: version,
                 qualifiers: { type: "jar" }
-              });
+              };
+              if (scope) {
+                adep["scope"] = scope;
+              }
+              if (profileName) {
+                adep.properties = [
+                  {
+                    name: "GradleProfileName",
+                    value: profileName
+                  }
+                ];
+              }
+              deps.push(adep);
             }
             if (!level_trees[purlString]) {
               level_trees[purlString] = [];
             }
-            if (level == 0 || last_purl === "") {
+            if (level == 0) {
+              stack = [first_purl];
+              stack.push(purlString);
+            } else if (last_purl === "") {
               stack.push(purlString);
             } else if (level > last_level) {
               const cnodes = level_trees[last_purl] || [];
-              cnodes.push(purlString);
+              if (!cnodes.includes(purlString)) {
+                cnodes.push(purlString);
+              }
               level_trees[last_purl] = cnodes;
               if (stack[stack.length - 1] !== purlString) {
                 stack.push(purlString);
@@ -1297,9 +1335,11 @@ const parseGradleDep = function (
                 stack.pop();
               }
               const last_stack =
-                stack.length > 0 ? stack[stack.length - 1] : first_purl;
+                stack.length > 0 ? stack[stack.length - 1] : last_project_purl;
               const cnodes = level_trees[last_stack] || [];
-              cnodes.push(purlString);
+              if (!cnodes.includes(purlString)) {
+                cnodes.push(purlString);
+              }
               level_trees[last_stack] = cnodes;
               stack.push(purlString);
             }

package/utils.test.js

@@ -98,7 +98,14 @@ test("parse gradle dependencies", () => {
     qualifiers: {
       type: "jar"
     },
-    version: "1.0.2"
+    scope: "optional",
+    version: "1.0.2",
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "androidTestImplementation"
+      }
+    ]
   });
   expect(parsedList.pkgList[104]).toEqual({
     group: "androidx.print",
@@ -106,15 +113,14 @@ test("parse gradle dependencies", () => {
     qualifiers: {
       type: "jar"
     },
-    version: "1.0.0"
-  });
-  expect(parsedList.pkgList[105]).toEqual({
-    group: "androidx.core",
-    name: "core",
-    qualifiers: {
-      type: "jar"
-    },
-    version: "1.7.0"
+    version: "1.0.0",
+    scope: "optional",
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "releaseUnitTestRuntimeClasspath"
+      }
+    ]
   });
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-out1.dep", { encoding: "utf-8" })
@@ -125,7 +131,13 @@ test("parse gradle dependencies", () => {
     group: "org.springframework.boot",
     name: "spring-boot-starter-web",
     version: "2.2.0.RELEASE",
-    qualifiers: { type: "jar" }
+    qualifiers: { type: "jar" },
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "compileClasspath"
+      }
+    ]
   });
 
   parsedList = utils.parseGradleDep(
@@ -210,17 +222,17 @@ test("parse gradle dependencies", () => {
     fs.readFileSync("./test/data/gradle-out-249.dep", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(21);
-  expect(parsedList.dependenciesList.length).toEqual(21);
+  expect(parsedList.dependenciesList.length).toEqual(22);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-service.out", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(35);
-  expect(parsedList.dependenciesList.length).toEqual(35);
+  expect(parsedList.dependenciesList.length).toEqual(36);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-s.out", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(28);
-  expect(parsedList.dependenciesList.length).toEqual(28);
+  expect(parsedList.dependenciesList.length).toEqual(29);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-core.out", { encoding: "utf-8" })
   );
@@ -1022,8 +1034,8 @@ test("get repo license", async () => {
     url: "https://github.com/ugorji/go/blob/master/LICENSE"
   });
 });
-*/
 test("get go pkg license", async () => {
+  jest.setTimeout(120000);
   let license = await utils.getGoPkgLicense({
     group: "github.com/Azure/azure-amqp-common-go",
     name: "v2"
@@ -1057,6 +1069,7 @@ test("get go pkg license", async () => {
     }
   ]);
 });
+*/
 
 test("get licenses", () => {
   let licenses = utils.getLicenses({ license: "MIT" });