@cyclonedx/cdxgen 8.4.11 → 8.4.13

package/index.js

@@ -1057,7 +1057,7 @@ const createJavaBom = async (path, options) => {
               "Resolve the above maven error. This could be due to the following:\n"
             );
             console.log(
-              "1. Java version requirement: cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
+              "1. Java version requirement: cdxgen container image bundles Java 17 with maven 3.8 which might be incompatible."
             );
             console.log(
               "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
@@ -1580,6 +1580,7 @@ const createJavaBom = async (path, options) => {
           sbtVersion != null &&
           semver.gte(sbtVersion, "1.3.4") &&
           semver.lte(sbtVersion, "1.4.0");
+        const useSlashSyntax = semver.gte(sbtVersion, "1.5.0");
         const isDependencyTreeBuiltIn =
           sbtVersion != null && semver.gte(sbtVersion, "1.4.0");
         let tempDir = fs.mkdtempSync(pathLib.join(os.tmpdir(), "cdxsbt-"));
@@ -1619,7 +1620,11 @@ const createJavaBom = async (path, options) => {
             ];
           } else {
             // write to the existing plugins file
-            sbtArgs = [`"dependencyList::toFile ${dlFile} --force"`];
+            if (useSlashSyntax) {
+              sbtArgs = [`"dependencyList / toFile ${dlFile} --force"`];
+            } else {
+              sbtArgs = [`"dependencyList::toFile ${dlFile} --force"`];
+            }
             pluginFile = utils.addPlugin(basePath, sbtPluginDefinition);
           }
           // Note that the command has to be invoked with `shell: true` to properly execut sbt
@@ -1641,17 +1646,12 @@ const createJavaBom = async (path, options) => {
               "3. Consider creating a lockfile using sbt-dependency-lock plugin. See https://github.com/stringbean/sbt-dependency-lock"
             );
             options.failOnError && process.exit(1);
-          } else if (DEBUG_MODE) {
-            console.log(result.stdout);
           }
           if (!standalonePluginFile) {
             utils.cleanupPlugin(basePath, pluginFile);
           }
           if (fs.existsSync(dlFile)) {
             const cmdOutput = fs.readFileSync(dlFile, { encoding: "utf-8" });
-            if (DEBUG_MODE) {
-              console.log(cmdOutput);
-            }
             const dlist = utils.parseKVDep(cmdOutput);
             if (dlist && dlist.length) {
               pkgList = pkgList.concat(dlist);
@@ -4569,7 +4569,7 @@ exports.createBom = createBom;
  * @param bomContents BOM Xml
  */
 exports.submitBom = async (args, bomContents) => {
-  let serverUrl = args.serverUrl + "/api/v1/bom";
+  let serverUrl = args.serverUrl.replace(/\/$/, "") + "/api/v1/bom";
   let encodedBomContents = Buffer.from(bomContents).toString("base64");
   if (encodedBomContents.startsWith("77u/")) {
     encodedBomContents = encodedBomContents.substring(4);
@@ -4594,13 +4594,49 @@ exports.submitBom = async (args, bomContents) => {
       projectVersion
     );
   }
-  return await got(serverUrl, {
-    method: "POST",
-    headers: {
-      "X-Api-Key": args.apiKey,
-      "Content-Type": "application/json"
-    },
-    json: bomPayload,
-    responseType: "json"
-  }).json();
+  try {
+    return await got(serverUrl, {
+      method: "PUT",
+      headers: {
+        "X-Api-Key": args.apiKey,
+        "Content-Type": "application/json"
+      },
+      json: bomPayload,
+      responseType: "json"
+    }).json();
+  } catch (error) {
+    if (error.response && error.response.statusCode === 401) {
+      // Unauthorized
+      console.log(
+        "Received Unauthorized error. Check the API key used is valid and has necessary permissions to create projects and upload bom."
+      );
+    } else if (error.response && error.response.statusCode === 405) {
+      // Method not allowed errors
+      try {
+        return await got(serverUrl, {
+          method: "POST",
+          headers: {
+            "X-Api-Key": args.apiKey,
+            "Content-Type": "application/json"
+          },
+          json: {
+            project: args.projectId,
+            projectName: args.projectName,
+            projectVersion: projectVersion,
+            autoCreate: "true",
+            bom: Buffer.from(bomContents).toString()
+          },
+          responseType: "json"
+        }).json();
+      } catch (error) {
+        console.log(
+          "Unable to submit the SBoM to the Dependency-Track server using POST method"
+        );
+        console.log(error);
+      }
+    } else {
+      console.log("Unable to submit the SBoM to the Dependency-Track server");
+      console.log(error);
+    }
+  }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.4.11",
+  "version": "8.4.13",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -1103,7 +1103,7 @@ const parseMavenTree = function (rawOutput) {
   let last_purl = "";
   let stack = [];
   tmpA.forEach((l) => {
-    if (!includeMavenTestScope && l.endsWith(":test")) {
+    if (!includeMavenTestScope && l.trim().endsWith(":test")) {
       return;
     }
     let level = 0;
@@ -1218,8 +1218,11 @@ const parseGradleDep = function (
     let last_level = 0;
     let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
     const first_purl = last_purl;
+    let last_project_purl = first_purl;
     const level_trees = {};
     level_trees[last_purl] = [];
+    let scope = undefined;
+    let profileName = undefined;
     if (retMap && retMap.projects) {
       const subDependsOn = [];
       for (const sd of retMap.projects) {
@@ -1242,16 +1245,34 @@ const parseGradleDep = function (
     const depRegex =
       /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly [[]?)?(?<versionspecified>[^,\s:}]+))?(?:})?(?:[^->]* +-> +(?<versionoverride>[^\s:]+))?/gm;
     for (const rline of rawOutput.split("\n")) {
-      if (last_level !== 1) {
-        if (
-          !rline ||
-          rline.trim() === "" ||
-          rline.startsWith("+--- ") ||
-          rline.startsWith("\\--- ")
-        ) {
-          last_level = 1;
-          last_purl = first_purl;
-          stack = [last_purl];
+      if (!rline) {
+        continue;
+      }
+      if (
+        rline.trim() === "" ||
+        rline.startsWith("+--- ") ||
+        rline.startsWith("\\--- ")
+      ) {
+        last_level = 1;
+        if (rline.startsWith("+--- project :")) {
+          let tmpProj = rline.split("+--- project :");
+          last_project_purl = `pkg:maven/${tmpProj[1].trim()}@${rootProjectVersion}?type=jar`;
+          stack = [last_project_purl];
+          last_purl = last_project_purl;
+        } else {
+          last_project_purl = first_purl;
+          last_purl = last_project_purl;
+          stack = [first_purl];
+        }
+      }
+      if (rline.includes(" - ")) {
+        profileName = rline.split(" - ")[0];
+        if (profileName.toLowerCase().includes("test")) {
+          scope = "optional";
+        } else if (profileName.toLowerCase().includes("runtime")) {
+          scope = "required";
+        } else {
+          scope = undefined;
         }
       }
       while ((match = depRegex.exec(rline))) {
@@ -1273,21 +1294,38 @@ const parseGradleDep = function (
             // Filter duplicates
             if (!deps_keys_cache[purlString]) {
               deps_keys_cache[purlString] = true;
-              deps.push({
+              const adep = {
                 group,
                 name: name,
                 version: version,
                 qualifiers: { type: "jar" }
-              });
+              };
+              if (scope) {
+                adep["scope"] = scope;
+              }
+              if (profileName) {
+                adep.properties = [
+                  {
+                    name: "GradleProfileName",
+                    value: profileName
+                  }
+                ];
+              }
+              deps.push(adep);
             }
             if (!level_trees[purlString]) {
               level_trees[purlString] = [];
             }
-            if (level == 0 || last_purl === "") {
+            if (level == 0) {
+              stack = [first_purl];
+              stack.push(purlString);
+            } else if (last_purl === "") {
               stack.push(purlString);
             } else if (level > last_level) {
               const cnodes = level_trees[last_purl] || [];
-              cnodes.push(purlString);
+              if (!cnodes.includes(purlString)) {
+                cnodes.push(purlString);
+              }
               level_trees[last_purl] = cnodes;
               if (stack[stack.length - 1] !== purlString) {
                 stack.push(purlString);
@@ -1297,9 +1335,11 @@ const parseGradleDep = function (
                 stack.pop();
               }
               const last_stack =
-                stack.length > 0 ? stack[stack.length - 1] : first_purl;
+                stack.length > 0 ? stack[stack.length - 1] : last_project_purl;
               const cnodes = level_trees[last_stack] || [];
-              cnodes.push(purlString);
+              if (!cnodes.includes(purlString)) {
+                cnodes.push(purlString);
+              }
               level_trees[last_stack] = cnodes;
               stack.push(purlString);
             }
@@ -1614,7 +1654,7 @@ const getMvnMetadata = async function (pkgList) {
   if (!pkgList || !pkgList.length) {
     return pkgList;
   }
-  if (DEBUG_MODE) {
+  if (DEBUG_MODE && fetchLicenses) {
     console.log(`About to query maven for ${pkgList.length} packages`);
   }
   for (const p of pkgList) {

package/utils.test.js

@@ -98,7 +98,14 @@ test("parse gradle dependencies", () => {
     qualifiers: {
       type: "jar"
     },
-    version: "1.0.2"
+    scope: "optional",
+    version: "1.0.2",
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "androidTestImplementation"
+      }
+    ]
   });
   expect(parsedList.pkgList[104]).toEqual({
     group: "androidx.print",
@@ -106,15 +113,14 @@ test("parse gradle dependencies", () => {
     qualifiers: {
       type: "jar"
     },
-    version: "1.0.0"
-  });
-  expect(parsedList.pkgList[105]).toEqual({
-    group: "androidx.core",
-    name: "core",
-    qualifiers: {
-      type: "jar"
-    },
-    version: "1.7.0"
+    version: "1.0.0",
+    scope: "optional",
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "releaseUnitTestRuntimeClasspath"
+      }
+    ]
   });
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-out1.dep", { encoding: "utf-8" })
@@ -125,7 +131,13 @@ test("parse gradle dependencies", () => {
     group: "org.springframework.boot",
     name: "spring-boot-starter-web",
     version: "2.2.0.RELEASE",
-    qualifiers: { type: "jar" }
+    qualifiers: { type: "jar" },
+    properties: [
+      {
+        name: "GradleProfileName",
+        value: "compileClasspath"
+      }
+    ]
   });
 
   parsedList = utils.parseGradleDep(
@@ -210,17 +222,17 @@ test("parse gradle dependencies", () => {
     fs.readFileSync("./test/data/gradle-out-249.dep", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(21);
-  expect(parsedList.dependenciesList.length).toEqual(21);
+  expect(parsedList.dependenciesList.length).toEqual(22);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-service.out", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(35);
-  expect(parsedList.dependenciesList.length).toEqual(35);
+  expect(parsedList.dependenciesList.length).toEqual(36);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-s.out", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(28);
-  expect(parsedList.dependenciesList.length).toEqual(28);
+  expect(parsedList.dependenciesList.length).toEqual(29);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-core.out", { encoding: "utf-8" })
   );
@@ -1022,8 +1034,8 @@ test("get repo license", async () => {
     url: "https://github.com/ugorji/go/blob/master/LICENSE"
   });
 });
-*/
 test("get go pkg license", async () => {
+  jest.setTimeout(120000);
   let license = await utils.getGoPkgLicense({
     group: "github.com/Azure/azure-amqp-common-go",
     name: "v2"
@@ -1057,6 +1069,7 @@ test("get go pkg license", async () => {
     }
   ]);
 });
+*/
 
 test("get licenses", () => {
   let licenses = utils.getLicenses({ license: "MIT" });
@@ -1639,6 +1652,10 @@ test("parse scala sbt list", async () => {
     fs.readFileSync("./test/data/sbt-dl.list", { encoding: "utf-8" })
   );
   expect(deps.length).toEqual(57);
+  deps = utils.parseKVDep(
+    fs.readFileSync("./test/data/atom-sbt-list.txt", { encoding: "utf-8" })
+  );
+  expect(deps.length).toEqual(117);
 });
 
 test("parse scala sbt lock", async () => {