@cyclonedx/cdxgen 8.4.3 → 8.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/package.json +7 -7
  2. package/utils.js +38 -19
  3. package/utils.test.js +24 -0
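--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cyclonedx/cdxgen",
- "version": "8.4.3",
+ "version": "8.4.6",
  "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
  "homepage": "http://github.com/cyclonedx/cdxgen",
  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -43,14 +43,14 @@
  },
  "repository": {
  "type": "git",
- "url": "git+https://github.com/cyclonedx/cdxgen.git"
+ "url": "git+https://github.com/CycloneDX/cdxgen"
  },
  "bugs": {
  "url": "https://github.com/cyclonedx/cdxgen/issues"
  },
  "dependencies": {
- "@babel/parser": "^7.21.4",
- "@babel/traverse": "^7.21.4",
+ "@babel/parser": "^7.21.8",
+ "@babel/traverse": "^7.21.5",
  "cheerio": "^1.0.0-rc.12",
  "edn-data": "^1.0.0",
  "glob": "^8.1.0",
@@ -66,11 +66,11 @@
  "semver": "^7.5.0",
  "ssri": "^8.0.1",
  "table": "^6.8.1",
- "tar": "^6.1.13",
+ "tar": "^6.1.14",
  "uuid": "^9.0.0",
  "xml-js": "^1.6.11",
  "xmlbuilder": "^15.1.1",
- "yargs": "^17.7.1"
+ "yargs": "^17.7.2"
  },
  "optionalDependencies": {
  "@cyclonedx/cdxgen-plugins-bin": "^1.1.0",
@@ -88,7 +88,7 @@
  "queries.json"
  ],
  "devDependencies": {
- "eslint": "^8.39.0",
+ "eslint": "^8.40.0",
  "jest": "^26.6.3"
  }
  }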
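--- a/package/utils.js
+++ b/package/utils.js
@@ -256,18 +256,33 @@ const _getDepPkgList = async function (
  depKeys,
  pkg
  ) {
- if (pkg && pkg.dependencies) {
- const pkgKeys = Object.keys(pkg.dependencies);
- for (var k in pkgKeys) {
- const name = pkgKeys[k];
- const version = pkg.dependencies[name].version;
- const purl = new PackageURL("npm", "", name, version, null, null);
+ let pkgDependencies =
+ pkg.lockfileVersion && pkg.lockfileVersion >= 3
+ ? pkg.packages
+ : pkg.dependencies;
+ if (pkg && pkgDependencies) {
+ const pkgKeys = Object.keys(pkgDependencies);
+ for (const k of pkgKeys) {
+ // Skip the root package in lockFileVersion 3 and above
+ if (k === "") {
+ continue;
+ }
+ let name = k;
+ const version = pkgDependencies[name].version;
+ const purl = new PackageURL(
+ "npm",
+ "",
+ name.replace("node_modules/", ""),
+ version,
+ null,
+ null
+ );
  const purlString = decodeURIComponent(purl.toString());
- let scope = pkg.dependencies[name].dev === true ? "optional" : undefined;
+ let scope = pkgDependencies[name].dev === true ? "optional" : undefined;
  const apkg = {
- name,
+ name: name.replace("node_modules/", ""),
  version,
- _integrity: pkg.dependencies[name].integrity,
+ _integrity: pkgDependencies[name].integrity,
  scope,
  properties: [
  {
@@ -277,9 +292,9 @@ const _getDepPkgList = async function (
  ]
  };
  pkgList.push(apkg);
- if (pkg.dependencies[name].dependencies) {
+ if (pkgDependencies[name].dependencies) {
  // Include child dependencies
- const dependencies = pkg.dependencies[name].dependencies;
+ const dependencies = pkgDependencies[name].dependencies;
  const pkgDepKeys = Object.keys(dependencies);
  const deplist = [];
  for (const j in pkgDepKeys) {
@@ -288,7 +303,7 @@ const _getDepPkgList = async function (
  const deppurl = new PackageURL(
  "npm",
  "",
- depName,
+ depName.replace("node_modules/", ""),
  depVersion,
  null,
  null
@@ -303,13 +318,17 @@ const _getDepPkgList = async function (
  });
  depKeys[purlString] = true;
  }
- await _getDepPkgList(
- pkgLockFile,
- pkgList,
- dependenciesList,
- depKeys,
- pkg.dependencies[name]
- );
+ if (pkg.lockfileVersion && pkg.lockfileVersion >= 3) {
+ // Do not recurse for lock file v3 and above
+ } else {
+ await _getDepPkgList(
+ pkgLockFile,
+ pkgList,
+ dependenciesList,
+ depKeys,
+ pkgDependencies[name]
+ );
+ }
  } else {
  if (!depKeys[purlString]) {
  dependenciesList.push({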
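Review bot: `pkg.lockfileVersion` is read at the top of the first hunk before `pkg` is checked, so a missing `pkg` that the replaced `if (pkg && pkg.dependencies)` guard used to tolerate now throws a TypeError inside `_getDepPkgList` (whose signature and the recursive call sites start above the hunk). A nullish-safe expression keeps the old behaviour and can be `const`, since the binding is never reassigned: `const pkgDependencies = pkg?.lockfileVersion >= 3 ? pkg.packages : pkg?.dependencies;`. Separately, `name.replace("node_modules/", "")` (and `depName.replace(...)` in the third hunk) strips only the first occurrence, so if nested v3 entries are keyed like `node_modules/a/node_modules/b` the purl and the `name` field would both come out as `a/node_modules/b`; `name.replace(/^.*node_modules\//, "")` keeps only the last segment and is worth computing once instead of twice per package. The empty `if` branch holding only a comment in the fourth hunk reads better inverted: `if (!(pkg.lockfileVersion >= 3)) { await _getDepPkgList(...); }`.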
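--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -1097,6 +1097,30 @@ test("parsePkgLock", async () => {
  "bom-ref": "pkg:application/MyProject",
  name: "MyProject"
  });
+ parsedList = await utils.parsePkgLock("./test/data/package-lock-v2.json");
+ deps = parsedList.pkgList;
+ expect(deps.length).toEqual(1467);
+ expect(parsedList.dependenciesList.length).toEqual(1280);
+ expect(deps[0]).toEqual({
+ "bom-ref": "pkg:application/flink-dashboard@2.0.0",
+ group: "",
+ name: "flink-dashboard",
+ type: "application",
+ version: "2.0.0"
+ });
+ expect(deps[deps.length - 1].name).toEqual("zone.js");
+ parsedList = await utils.parsePkgLock("./test/data/package-lock-v3.json");
+ deps = parsedList.pkgList;
+ expect(deps.length).toEqual(879);
+ expect(parsedList.dependenciesList.length).toEqual(879);
+ expect(deps[0]).toEqual({
+ "bom-ref": "pkg:application/@cyclonedx/cdxgen@8.4.3",
+ group: "",
+ name: "@cyclonedx/cdxgen",
+ type: "application",
+ version: "8.4.3"
+ });
+ expect(deps[deps.length - 1].name).toEqual("yocto-queue");
  });
 
  test("parseBowerJson", async () => {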
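Review bot: The new v2 and v3 assertions pin only list lengths and the first and last entries, so the behaviour this release adds in utils.js — stripping the `node_modules/` prefix from `packages` keys and carrying `_integrity` through — is not actually checked by either fixture. One assertion per fixture would cover it, e.g. `expect(deps.every((d) => !d.name.includes("node_modules/"))).toBe(true);`, and a nested entry's purl could be pinned the same way. `parsedList` and `deps` are reassigned without a declaration in the hunk, which is fine only if both were declared with `let` earlier in this test body (outside the hunk).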