npm - @cyclonedx/cdxgen - Versions diffs - 8.4.13 → 8.5.0 - Mend

@cyclonedx/cdxgen 8.4.13 → 8.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/spdx-licenses.json CHANGED Viewed

@@ -2,6 +2,7 @@
   "0BSD",
   "AAL",
   "Abstyles",
+  "AdaCore-doc",
   "Adobe-2006",
   "Adobe-Glyph",
   "ADSL",
@@ -38,16 +39,19 @@
   "Artistic-1.0-cl8",
   "Artistic-1.0-Perl",
   "Artistic-2.0",
+  "ASWF-Digital-Assets-1.0",
   "Baekmuk",
   "Bahyph",
   "Barr",
   "Beerware",
+  "Bitstream-Charter",
   "Bitstream-Vera",
   "BitTorrent-1.0",
   "BitTorrent-1.1",
   "blessing",
   "BlueOak-1.0.0",
   "Borceux",
+  "Brian-Gladman-3-Clause",
   "BSD-1-Clause",
   "BSD-2-Clause",
   "BSD-2-Clause-FreeBSD",
@@ -67,6 +71,10 @@
   "BSD-4-Clause",
   "BSD-4-Clause-Shortened",
   "BSD-4-Clause-UC",
+  "BSD-4.3RENO",
+  "BSD-4.3TAHOE",
+  "BSD-Advertising-Acknowledgement",
+  "BSD-Attribution-HPND-disclaimer",
   "BSD-Protection",
   "BSD-Source-Code",
   "BSL-1.0",
@@ -104,6 +112,7 @@
   "CC-BY-NC-ND-4.0",
   "CC-BY-NC-SA-1.0",
   "CC-BY-NC-SA-2.0",
+  "CC-BY-NC-SA-2.0-DE",
   "CC-BY-NC-SA-2.0-FR",
   "CC-BY-NC-SA-2.0-UK",
   "CC-BY-NC-SA-2.5",
@@ -125,6 +134,7 @@
   "CC-BY-SA-3.0",
   "CC-BY-SA-3.0-AT",
   "CC-BY-SA-3.0-DE",
+  "CC-BY-SA-3.0-IGO",
   "CC-BY-SA-4.0",
   "CC-PDDC",
   "CC0-1.0",
@@ -145,8 +155,11 @@
   "CERN-OHL-P-2.0",
   "CERN-OHL-S-2.0",
   "CERN-OHL-W-2.0",
+  "CFITSIO",
   "checkmk",
   "ClArtistic",
+  "Clips",
+  "CMU-Mach",
   "CNRI-Jython",
   "CNRI-Python",
   "CNRI-Python-GPL-Compatible",
@@ -155,10 +168,12 @@
   "Condor-1.1",
   "copyleft-next-0.3.0",
   "copyleft-next-0.3.1",
+  "Cornell-Lossless-JPEG",
   "CPAL-1.0",
   "CPL-1.0",
   "CPOL-1.02",
   "Crossword",
+  "cryptsetup-OpenSSL-exception",
   "CrystalStacker",
   "CUA-OPL-1.0",
   "Cube",
@@ -246,15 +261,22 @@
   "GPL-3.0-or-later",
   "GPL-3.0-with-autoconf-exception",
   "GPL-3.0-with-GCC-exception",
+  "Graphics-Gems",
   "gSOAP-1.3b",
   "HaskellReport",
   "Hippocratic-2.1",
+  "HP-1986",
   "HPND",
+  "HPND-export-US",
+  "HPND-Markus-Kuhn",
   "HPND-sell-variant",
+  "HPND-sell-variant-MIT-disclaimer",
   "HTMLTIDY",
   "IBM-pibs",
   "ICU",
+  "IEC-Code-Components-EULA",
   "IJG",
+  "IJG-short",
   "ImageMagick",
   "iMatix",
   "Imlib2",
@@ -267,11 +289,15 @@
   "ISC",
   "Jam",
   "JasPer-2.0",
+  "JPL-image",
   "JPNIC",
   "JSON",
+  "Kazlib",
+  "Knuth-CTAN",
   "LAL-1.2",
   "LAL-1.3",
   "Latex2e",
+  "Latex2e-translated-notice",
   "Leptonica",
   "LGPL-2.0",
   "LGPL-2.0+",
@@ -288,13 +314,17 @@
   "LGPLLR",
   "Libpng",
   "libpng-2.0",
+  "libpri-OpenH323-exception",
   "libselinux-1.0",
   "libtiff",
+  "libutil-David-Nugent",
   "LiLiQ-P-1.1",
   "LiLiQ-R-1.1",
   "LiLiQ-Rplus-1.1",
   "Linux-man-pages-copyleft",
+  "Linux-man-pages-one-para",
   "Linux-OpenIB",
+  "LOOP",
   "LPL-1.0",
   "LPL-1.02",
   "LPPL-1.0",
@@ -305,6 +335,8 @@
   "LZMA-SDK-9.11-to-9.20",
   "LZMA-SDK-9.22",
   "MakeIndex",
+  "Martin-Birgmeier",
+  "metamail",
   "Minpack",
   "MirOS",
   "MIT",
@@ -313,8 +345,10 @@
   "MIT-CMU",
   "MIT-enna",
   "MIT-feh",
+  "MIT-Festival",
   "MIT-Modern-Variant",
   "MIT-open-group",
+  "MIT-Wu",
   "MITNFA",
   "Motosoto",
   "mpi-permissive",
@@ -345,6 +379,7 @@
   "NICTA-1.0",
   "NIST-PD",
   "NIST-PD-fallback",
+  "NIST-Software",
   "NLOD-1.0",
   "NLOD-2.0",
   "NLPL",
@@ -363,6 +398,7 @@
   "OCLC-2.0",
   "ODbL-1.0",
   "ODC-By-1.0",
+  "OFFIS",
   "OFL-1.0",
   "OFL-1.0-no-RFN",
   "OFL-1.0-RFN",
@@ -392,7 +428,9 @@
   "OLDAP-2.6",
   "OLDAP-2.7",
   "OLDAP-2.8",
+  "OLFL-1.3",
   "OML",
+  "OpenPBS-2.3",
   "OpenSSL",
   "OPL-1.0",
   "OPUBL-1.0",
@@ -418,6 +456,7 @@
   "Python-2.0.1",
   "Qhull",
   "QPL-1.0",
+  "QPL-1.0-INRIA-2004",
   "Rdisc",
   "RHeCos-1.1",
   "RPL-1.1",
@@ -435,6 +474,7 @@
   "SGI-B-1.0",
   "SGI-B-1.1",
   "SGI-B-2.0",
+  "SGP4",
   "SHL-0.5",
   "SHL-0.51",
   "SimPL-2.0",
@@ -444,6 +484,7 @@
   "SMLNJ",
   "SMPPL",
   "SNIA",
+  "snprintf",
   "Spencer-86",
   "Spencer-94",
   "Spencer-99",
@@ -453,19 +494,27 @@
   "SSPL-1.0",
   "StandardML-NJ",
   "SugarCRM-1.1.3",
+  "SunPro",
   "SWL",
+  "Symlinks",
   "TAPR-OHL-1.0",
   "TCL",
   "TCP-wrappers",
+  "TermReadKey",
   "TMate",
   "TORQUE-1.1",
   "TOSL",
+  "TPDL",
+  "TPL-1.0",
+  "TTWL",
   "TU-Berlin-1.0",
   "TU-Berlin-2.0",
+  "UCAR",
   "UCL-1.0",
   "Unicode-DFS-2015",
   "Unicode-DFS-2016",
   "Unicode-TOU",
+  "UnixCrypt",
   "Unlicense",
   "UPL-1.0",
   "Vim",
@@ -474,15 +523,20 @@
   "W3C",
   "W3C-19980720",
   "W3C-20150513",
+  "w3m",
   "Watcom-1.0",
+  "Widget-Workshop",
   "Wsuipa",
   "WTFPL",
   "wxWindows",
   "X11",
   "X11-distribute-modifications-variant",
+  "Xdebug-1.03",
   "Xerox",
+  "Xfig",
   "XFree86-1.1",
   "xinetd",
+  "xlock",
   "Xnet",
   "xpp",
   "XSkat",

package/utils.js CHANGED Viewed

@@ -1181,11 +1181,13 @@ exports.parseMavenTree = parseMavenTree;
 /**
  * Parse gradle dependencies output
  * @param {string} rawOutput Raw string output
+ * @param {string} rootProjectGroup Root project group
  * @param {string} rootProjectName Root project name
  * @param {string} rootProjectVersion Root project version
  */
 const parseGradleDep = function (
   rawOutput,
+  rootProjectGroup = "",
   rootProjectName = "root",
   rootProjectVersion = "latest"
 ) {
@@ -1205,18 +1207,27 @@ const parseGradleDep = function (
     let match = "";
     // To render dependency tree we need a root project
     const rootProject = {
-      group: "",
+      group: rootProjectGroup || "",
       name: rootProjectName,
       version: rootProjectVersion,
       type: "maven",
       qualifiers: { type: "jar" }
     };
-    const deps = [rootProject];
+    const deps = [];
     const dependenciesList = [];
     const keys_cache = {};
     const deps_keys_cache = {};
     let last_level = 0;
-    let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
+    let last_purl = decodeURIComponent(
+      new PackageURL(
+        "maven",
+        rootProject.group,
+        rootProject.name,
+        rootProject.version,
+        rootProject.qualifiers,
+        null
+      ).toString()
+    );
     const first_purl = last_purl;
     let last_project_purl = first_purl;
     const level_trees = {};
@@ -1230,7 +1241,7 @@ const parseGradleDep = function (
           decodeURIComponent(
             new PackageURL(
               "maven",
-              "",
+              rootProjectGroup,
               sd.replace(":", ""),
               rootProject.version,
               rootProject.qualifiers,
@@ -1452,7 +1463,6 @@ exports.parseLeinMap = parseLeinMap;
 /**
  * Parse gradle projects output
- * FIXME: The method needs to be enhanced to capture project dependency tree. See issue #249
  *
  * @param {string} rawOutput Raw string output
  */
@@ -1486,18 +1496,121 @@ const parseGradleProjects = function (rawOutput) {
         }
       }
     });
-    return {
-      rootProject,
-      projects: Array.from(projects)
-    };
   }
   return {
     rootProject,
-    projects: []
+    projects: Array.from(projects)
   };
 };
 exports.parseGradleProjects = parseGradleProjects;
+/**
+ * Parse gradle properties output
+ *
+ * @param {string} rawOutput Raw string output
+ */
+const parseGradleProperties = function (rawOutput) {
+  let rootProject = "root";
+  let projects = new Set();
+  const metadata = { group: "", version: "latest", properties: [] };
+  if (typeof rawOutput === "string") {
+    const tmpA = rawOutput.split("\n");
+    tmpA.forEach((l) => {
+      if (l.startsWith("----") || l.startsWith(">") || !l.includes(": ")) {
+        return;
+      }
+      const tmpB = l.split(": ");
+      if (tmpB && tmpB.length === 2) {
+        if (tmpB[0] === "name") {
+          rootProject = tmpB[1].trim();
+        } else if (tmpB[0] === "group") {
+          metadata[tmpB[0]] = tmpB[1];
+        } else if (tmpB[0] === "version") {
+          metadata[tmpB[0]] = tmpB[1].trim().replace("unspecified", "latest");
+        } else if (["buildFile", "projectDir", "rootDir"].includes(tmpB[0])) {
+          metadata.properties.push({ name: tmpB[0], value: tmpB[1].trim() });
+        } else if (tmpB[0] === "subprojects") {
+          const spStrs = tmpB[1].replace(/[[\]']/g, "").split(", ");
+          const tmpprojects = spStrs
+            .flatMap((s) => s.replace("project ", ""))
+            .filter((s) => s !== ":app");
+          tmpprojects.forEach(projects.add, projects);
+        }
+      }
+    });
+  }
+  return {
+    rootProject,
+    projects: Array.from(projects),
+    metadata
+  };
+};
+exports.parseGradleProperties = parseGradleProperties;
+/**
+ * Execute gradle properties command and return parsed output
+ *
+ * @param {string} dir Directory to execute the command
+ * @param {string} rootPath Root directory
+ * @param {string} subProject Sub project name
+ */
+const executeGradleProperties = function (dir, rootPath, subProject) {
+  const defaultProps = {
+    rootProject: subProject,
+    projects: [],
+    metadata: {
+      version: "latest"
+    }
+  };
+  // To optimize performance and reduce errors do not query for properties
+  // beyond the first level
+  if (subProject && subProject.match(/:/g).length >= 2) {
+    return defaultProps;
+  }
+  let gradlePropertiesArgs = [
+    subProject ? `${subProject}:properties` : "properties",
+    "-q",
+    "--console",
+    "plain",
+    "--build-cache"
+  ];
+  let gradleCmd = getGradleCommand(dir, rootPath);
+  if (process.env.GRADLE_ARGS) {
+    const addArgs = process.env.GRADLE_ARGS.split(" ");
+    gradlePropertiesArgs = gradlePropertiesArgs.concat(addArgs);
+  }
+  console.log(
+    "Executing",
+    gradleCmd,
+    gradlePropertiesArgs.join(" "),
+    "in",
+    dir
+  );
+  const result = spawnSync(gradleCmd, gradlePropertiesArgs, {
+    cwd: dir,
+    encoding: "utf-8"
+  });
+  if (result.status !== 0 || result.error) {
+    if (result.stderr) {
+      if (result.stderr.includes("does not exist")) {
+        return defaultProps;
+      } else {
+        console.error(result.stdout, result.stderr);
+        console.log(
+          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 17 with gradle 8 which might be incompatible."
+        );
+      }
+    }
+  }
+  const stdout = result.stdout;
+  if (stdout) {
+    const cmdOutput = Buffer.from(stdout).toString();
+    return parseGradleProperties(cmdOutput);
+  }
+  return {};
+};
+exports.executeGradleProperties = executeGradleProperties;
 /**
  * Parse bazel skyframe state output
  * @param {string} rawOutput Raw string output
@@ -1766,15 +1879,14 @@ exports.parsePyRequiresDist = parsePyRequiresDist;
  * Method to retrieve metadata for python packages by querying pypi
  *
  * @param {Array} pkgList Package list
- * @param {Boolean} fetchIndirectDeps Should we also fetch data about indirect dependencies from pypi
+ * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
  */
-const getPyMetadata = async function (pkgList, fetchIndirectDeps) {
-  if (!fetchLicenses && !fetchIndirectDeps) {
+const getPyMetadata = async function (pkgList, fetchDepsInfo) {
+  if (!fetchLicenses && !fetchDepsInfo) {
     return pkgList;
   }
   const PYPI_URL = "https://pypi.org/pypi/";
   let cdepList = [];
-  let indirectDeps = [];
   for (const p of pkgList) {
     if (!p || !p.name) {
       continue;
@@ -1810,12 +1922,6 @@ const getPyMetadata = async function (pkgList, fetchIndirectDeps) {
       ) {
         p.version = body.info.version;
       }
-      const requires_dist = body.info.requires_dist;
-      if (requires_dist && requires_dist.length) {
-        indirectDeps = indirectDeps.concat(
-          requires_dist.map(parsePyRequiresDist)
-        );
-      }
       if (body.releases && body.releases[p.version]) {
         const digest = body.releases[p.version][0].digests;
         if (digest["sha256"]) {
@@ -1832,13 +1938,6 @@ const getPyMetadata = async function (pkgList, fetchIndirectDeps) {
       }
     }
   }
-  if (indirectDeps.length && fetchIndirectDeps) {
-    if (DEBUG_MODE) {
-      console.log("Fetching metadata for indirect dependencies");
-    }
-    const extraList = await getPyMetadata(indirectDeps, false);
-    cdepList = cdepList.concat(extraList);
-  }
   return cdepList;
 };
 exports.getPyMetadata = getPyMetadata;
@@ -1938,18 +2037,22 @@ exports.parsePoetrylockData = parsePoetrylockData;
  * Method to parse requirements.txt data
  *
  * @param {Object} reqData Requirements.txt data
+ * @param {Boolean} fetchIndirectDeps Should we also fetch data about indirect dependencies from pypi
  */
-const parseReqFile = async function (reqData) {
+async function parseReqFile(reqData, fetchIndirectDeps) {
   const pkgList = [];
-  let fetchIndirectDeps = false;
   let compScope = undefined;
   reqData.split("\n").forEach((l) => {
+    l = l.trim();
     if (l.includes("# Basic requirements")) {
       compScope = "required";
     } else if (l.includes("added by pip freeze")) {
       compScope = undefined;
     }
-    if (!l.startsWith("#")) {
+    if (!l.startsWith("#") && !l.startsWith("-")) {
+      if (l.includes(" ")) {
+        l = l.split(" ")[0];
+      }
       if (l.indexOf("=") > -1) {
         let tmpA = l.split(/(==|<=|~=|>=)/);
         if (tmpA.includes("#")) {
@@ -1964,11 +2067,24 @@ const parseReqFile = async function (reqData) {
         }
         if (!tmpA[0].includes("=") && !tmpA[0].trim().includes(" ")) {
           pkgList.push({
-            name: tmpA[0].trim(),
+            name: tmpA[0].trim().replace(";", ""),
             version: versionStr,
             scope: compScope
           });
         }
+      } else if (l.includes("<") && l.includes(">")) {
+        let tmpA = l.split(">");
+        let name = tmpA[0].trim().replace(";", "");
+        let version = undefined;
+        const tmpB = tmpA[1].split("<");
+        if (tmpB && tmpB.length) {
+          version = tmpB[tmpB.length - 1];
+        }
+        pkgList.push({
+          name,
+          version,
+          scope: compScope
+        });
       } else if (/[>|[|@]/.test(l)) {
         let tmpA = l.split(/(>|\[|@)/);
         if (tmpA.includes("#")) {
@@ -1976,7 +2092,7 @@ const parseReqFile = async function (reqData) {
         }
         if (!tmpA[0].trim().includes(" ")) {
           pkgList.push({
-            name: tmpA[0].trim(),
+            name: tmpA[0].trim().replace(";", ""),
             version: null,
             scope: compScope
           });
@@ -1986,9 +2102,16 @@ const parseReqFile = async function (reqData) {
           l = l.split("#")[0];
         }
         l = l.trim();
-        if (!l.includes(" ")) {
+        let tmpA = l.split(/(<|>)/);
+        if (tmpA && tmpA.length === 3) {
+          pkgList.push({
+            name: tmpA[0].trim().replace(";", ""),
+            version: tmpA[2].replace(";", ""),
+            scope: compScope
+          });
+        } else if (!l.includes(" ")) {
           pkgList.push({
-            name: l,
+            name: l.replace(";", ""),
             version: null,
             scope: compScope
           });
@@ -1997,7 +2120,7 @@ const parseReqFile = async function (reqData) {
     }
   });
   return await getPyMetadata(pkgList, fetchIndirectDeps);
-};
+}
 exports.parseReqFile = parseReqFile;
 /**
@@ -2025,7 +2148,7 @@ const parseSetupPyFile = async function (setupPyData) {
       lines = lines.concat(tmpA);
     }
   });
-  return await parseReqFile(lines.join("\n"));
+  return await parseReqFile(lines.join("\n"), false);
 };
 exports.parseSetupPyFile = parseSetupPyFile;