@cyclonedx/cdxgen 8.4.6 → 8.4.7

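--- a/package/README.md
+++ b/package/README.md
@@ -248,7 +248,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 
  | Variable | Description |
  | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
- | SCAN_DEBUG_MODE | Set to `debug` to enable debug messages |
+ | CDXGEN_DEBUG_MODE | Set to `debug` to enable debug messages |
  | GITHUB_TOKEN | Specify GitHub token to prevent traffic shaping while querying license and repo information |
  | MVN_CMD | Set to override maven command |
  | MVN_ARGS | Set to pass additional arguments such as profile or settings to maven |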
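--- a/package/binary.js
+++ b/package/binary.js
@@ -7,6 +7,7 @@ const isWin = require("os").platform() === "win32";
 
  // Debug mode flag
  const DEBUG_MODE =
+ process.env.CDXGEN_DEBUG_MODE === "debug" ||
  process.env.SCAN_DEBUG_MODE === "debug" ||
  process.env.SHIFTLEFT_LOGGING_LEVEL === "debug" ||
  process.env.NODE_ENV === "development";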
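--- a/package/docker.js
+++ b/package/docker.js
@@ -21,6 +21,7 @@ let isWinLocalTLS = false;
 
  // Debug mode flag
  const DEBUG_MODE =
+ process.env.CDXGEN_DEBUG_MODE === "debug" ||
  process.env.SCAN_DEBUG_MODE === "debug" ||
  process.env.SHIFTLEFT_LOGGING_LEVEL === "debug";
 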
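--- a/package/index.js
+++ b/package/index.js
@@ -55,6 +55,7 @@ let SBT_CACHE_DIR =
 
  // Debug mode flag
  const DEBUG_MODE =
+ process.env.CDXGEN_DEBUG_MODE === "debug" ||
  process.env.SCAN_DEBUG_MODE === "debug" ||
  process.env.SHIFTLEFT_LOGGING_LEVEL === "debug" ||
  process.env.NODE_ENV === "development";
@@ -1189,6 +1190,15 @@ const createJavaBom = async (path, options) => {
  const retMap = utils.parseGradleProjects(cmdOutput);
  const allProjects = retMap.projects || [];
  let rootProject = retMap.rootProject;
+ if (rootProject) {
+ parentComponent = {
+ group: "",
+ name: rootProject,
+ version: "latest",
+ type: "maven",
+ qualifiers: { type: "jar" }
+ };
+ }
  if (!allProjects) {
  console.log(
  "No projects found. Is this a gradle multi-project application?"
@@ -1200,6 +1210,37 @@ const createJavaBom = async (path, options) => {
  allProjects.length,
  "gradle sub-projects. This might take a while ..."
  );
+ // We need the first dependency between the root project and child projects
+ // See: #249 and #315
+ const rootDependsOn = [];
+ for (let sp of allProjects) {
+ sp = sp.replace(":", "");
+ rootDependsOn.push(
+ decodeURIComponent(
+ new PackageURL(
+ "maven",
+ "",
+ sp,
+ parentComponent.version,
+ parentComponent.qualifiers,
+ null
+ ).toString()
+ )
+ );
+ }
+ dependencies.push({
+ ref: decodeURIComponent(
+ new PackageURL(
+ "maven",
+ parentComponent.group,
+ parentComponent.name,
+ parentComponent.version,
+ parentComponent.qualifiers,
+ null
+ ).toString()
+ ),
+ dependsOn: rootDependsOn
+ });
  for (let sp of allProjects) {
  let gradleDepArgs = [
  sp + ":dependencies",
@@ -1232,15 +1273,20 @@ const createJavaBom = async (path, options) => {
  }
  const sstdout = sresult.stdout;
  if (sstdout) {
+ sp = sp.replace(":", "");
  const cmdOutput = Buffer.from(sstdout).toString();
- const parsedList = utils.parseGradleDep(cmdOutput, rootProject);
+ const parsedList = utils.parseGradleDep(cmdOutput, sp);
  const dlist = parsedList.pkgList;
- parentComponent = dlist.splice(0, 1)[0];
+ // Do not overwrite the parentComponent in multi-project mode
+ if (!parentComponent) {
+ parentComponent = dlist.splice(0, 1)[0];
+ }
  if (
  parsedList.dependenciesList &&
  parsedList.dependenciesList
  ) {
- dependencies = dependencies.concat(
+ dependencies = mergeDependencies(
+ dependencies,
  parsedList.dependenciesList
  );
  }
@@ -1347,7 +1393,10 @@ const createJavaBom = async (path, options) => {
  const dlist = parsedList.pkgList;
  parentComponent = dlist.splice(0, 1)[0];
  if (parsedList.dependenciesList && parsedList.dependenciesList) {
- dependencies = dependencies.concat(parsedList.dependenciesList);
+ dependencies = mergeDependencies(
+ dependencies,
+ parsedList.dependenciesList
+ );
  }
  if (dlist && dlist.length) {
  pkgList = pkgList.concat(dlist);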
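Review bot: The new root-edge block in the third hunk dereferences `parentComponent.version` and `parentComponent.qualifiers` unconditionally, but the preceding hunk only assigns `parentComponent` when `retMap.rootProject` is truthy; if it starts out unset (the later `if (!parentComponent)` guard suggests it can), a `projects` listing without a recognised root project throws a TypeError here before any sub-project is scanned. Wrapping the block as `if (parentComponent) { const rootDependsOn = []; ... dependencies.push({...}); }` keeps the single-project fallback in the next hunk reachable, and logging the skip would make the degraded SBOM visible instead of silent. Separately, `sp.replace(":", "")` strips only the first colon, so a nested path like `:app:core` becomes `app:core`; utils.js applies the same transformation so the refs still agree, but a short comment saying inner colons are kept on purpose would save the next reader from "fixing" one side. createJavaBom begins and ends outside these hunks.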
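--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cyclonedx/cdxgen",
- "version": "8.4.6",
+ "version": "8.4.7",
  "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
  "homepage": "http://github.com/cyclonedx/cdxgen",
  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -89,6 +89,6 @@
  ],
  "devDependencies": {
  "eslint": "^8.40.0",
- "jest": "^26.6.3"
+ "jest": "^29.5.0"
  }
  }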
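--- a/package/utils.js
+++ b/package/utils.js
@@ -20,6 +20,7 @@ const { PackageURL } = require("packageurl-js");
 
  // Debug mode flag
  const DEBUG_MODE =
+ process.env.CDXGEN_DEBUG_MODE === "debug" ||
  process.env.SCAN_DEBUG_MODE === "debug" ||
  process.env.SHIFTLEFT_LOGGING_LEVEL === "debug";
 
@@ -1203,8 +1204,28 @@ const parseGradleDep = function (
  const keys_cache = {};
  let last_level = 0;
  let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
+ // Bug: 249. Get any sub-projects refered here
+ const retMap = parseGradleProjects(rawOutput);
  const level_trees = {};
  level_trees[last_purl] = [];
+ if (retMap && retMap.projects) {
+ const subDependsOn = [];
+ for (const sd of retMap.projects) {
+ subDependsOn.push(
+ decodeURIComponent(
+ new PackageURL(
+ "maven",
+ "",
+ sd.replace(":", ""),
+ rootProject.version,
+ rootProject.qualifiers,
+ null
+ ).toString()
+ )
+ );
+ }
+ level_trees[last_purl] = subDependsOn;
+ }
  let stack = [last_purl];
  const depRegex =
  /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly [[]?)?(?<versionspecified>[^,\s:}]+))?(?:})?(?:[^->]* +-> +(?<versionoverride>[^\s:]+))?/gm;
@@ -1387,6 +1408,14 @@ const parseGradleProjects = function (rawOutput) {
  projects.add(projName);
  }
  }
+ } else if (l.includes("--- project ")) {
+ const tmpB = l.split("--- project ");
+ if (tmpB && tmpB.length > 1) {
+ let projName = tmpB[1];
+ if (projName.startsWith(":")) {
+ projects.add(projName);
+ }
+ }
  }
  });
  return {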
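Review bot: In the new `--- project ` branch of parseGradleProjects, `projName` is the entire remainder of the line, so Gradle's trailing markers for repeated or unresolved subtrees (` (*)`, ` (n)`, ` (c)`) end up inside the project name, and the ref parseGradleDep then builds from it (`pkg:maven/core (*)@latest?type=jar` after decodeURIComponent) will never match the sub-project's own component ref, leaving a dangling `dependsOn` entry in the SBOM. Trimming the tail before the `startsWith(":")` check, e.g. `let projName = tmpB[1].trim().split(/\s+/)[0];`, fixes this on the assumption that Gradle project paths contain no whitespace. Also worth noting in a comment that parseGradleDep now relies on `rootProject.version` and `rootProject.qualifiers`; the new test calls it with a single argument, so the `rootProject` parameter must default to an object in the signature that sits outside this hunk. Both parseGradleDep and parseGradleProjects continue outside the shown hunks.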
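--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -206,6 +206,11 @@ test("parse gradle dependencies", () => {
  );
  expect(parsedList.pkgList.length).toEqual(68);
  expect(parsedList.dependenciesList.length).toEqual(69);
+ parsedList = utils.parseGradleDep(
+ fs.readFileSync("./test/data/gradle-out-249.dep", { encoding: "utf-8" })
+ );
+ expect(parsedList.pkgList.length).toEqual(21);
+ expect(parsedList.dependenciesList.length).toEqual(21);
  });
 
  test("parse gradle projects", () => {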