@cyclonedx/cdxgen 9.0.0 → 9.0.1

package/README.md

@@ -2,7 +2,7 @@
 
 ![cdxgen logo](cdxgen.png)
 
-This tool creates a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in XML and JSON format. CycloneDX 1.4 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
+This tool creates a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in XML and JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
 When used with plugins, cdxgen could generate an SBoM for Linux docker images and even VMs running Linux or Windows operating system.
 
@@ -132,10 +132,6 @@ Minimal example.
 cdxgen -o bom.json
 ```
 
-NOTE:
-
-cdxgen would always produce bom in both xml and json format as per CycloneDX 1.4 specification. json is the recommended format.
-
 For a java project. This would automatically detect maven, gradle or sbt and build bom accordingly
 
 ```shell

package/data/lic-mapping.json

@@ -17,7 +17,12 @@
       "The Apache License, Version 2.0",
       "BSD or Apache License, Version 2.0",
       "Apache Software License",
-      "Apache-2.0 OR MIT"
+      "Apache-2.0 OR MIT",
+      "Apache2.0",
+      "apache-2-0",
+      "https://opensource.org/licenses/Apache2.0",
+      "https://opensource.org/license/apache-2-0",
+      "http://www.apache.org/licenses/LICENSE-2.0.html"
     ]
   },
   {

package/index.js

@@ -912,7 +912,7 @@ const buildBomXml = (
   const bom = create("bom", {
     encoding: "utf-8",
     separateArrayItems: true
-  }).att("xmlns", "http://cyclonedx.org/schema/bom/1.4");
+  }).att("xmlns", "http://cyclonedx.org/schema/bom/1.5");
   bom.att("serialNumber", serialNum);
   bom.att("version", 1);
   const metadata = addMetadata(parentComponent, "xml", options);
@@ -977,7 +977,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
       context,
       options
     );
-    // CycloneDX 1.4 Json Template
+    // CycloneDX 1.5 Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
       specVersion: "1.5",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.0.0",
+  "version": "9.0.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -4019,52 +4019,100 @@ export const getNugetMetadata = async function (pkgList) {
   const NUGET_URL = "https://api.nuget.org/v3/registration3/";
   const cdepList = [];
   for (const p of pkgList) {
+    let cacheKey = undefined;
     try {
-      if (DEBUG_MODE) {
-        console.log(`Querying nuget for ${p.name}`);
-      }
-      const res = await cdxgenAgent.get(
-        NUGET_URL +
-          p.group.toLowerCase() +
-          (p.group !== "" ? "." : "") +
-          p.name.toLowerCase() +
-          "/index.json",
-        { responseType: "json" }
-      );
-      const items = res.body.items;
-      if (!items || !items[0] || !items[0].items) {
-        continue;
-      }
-      const firstItem = items[0];
-      const body = firstItem.items[firstItem.items.length - 1];
-      // Set the latest version in case it is missing
-      if (!p.version && body.catalogEntry.version) {
-        p.version = body.catalogEntry.version;
-      }
-      p.description = body.catalogEntry.description;
       if (
-        body.catalogEntry.licenseExpression &&
-        body.catalogEntry.licenseExpression !== ""
+        (p.group && p.group.toLowerCase() === "system") ||
+        p.name.toLowerCase().startsWith("system")
       ) {
-        p.license = findLicenseId(body.catalogEntry.licenseExpression);
-      } else if (body.catalogEntry.licenseUrl) {
-        p.license = body.catalogEntry.licenseUrl;
-      }
-      if (body.catalogEntry.projectUrl) {
-        p.repository = { url: body.catalogEntry.projectUrl };
-        p.homepage = {
-          url:
-            "https://www.nuget.org/packages/" +
-            p.group +
-            (p.group !== "" ? "." : "") +
-            p.name +
-            "/" +
-            p.version +
-            "/"
-        };
+        p.license = "http://go.microsoft.com/fwlink/?LinkId=329770";
+      } else if (
+        (p.group && p.group.toLowerCase() === "microsoft") ||
+        p.name.toLowerCase().startsWith("microsoft")
+      ) {
+        p.license =
+          "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm";
+      } else if (
+        (p.group && p.group.toLowerCase() === "nuget") ||
+        p.name.toLowerCase().startsWith("nuget")
+      ) {
+        p.license = "Apache-2.0";
+      } else {
+        // If there is a version, we can safely use the cache to retrieve the license
+        // See: https://github.com/CycloneDX/cdxgen/issues/352
+        const twoPartName = p.name.split(".").slice(0, 2).join(".");
+        cacheKey = `${p.group}|${twoPartName}`;
+        let body = metadata_cache[cacheKey];
+        if (body && body.error) {
+          cdepList.push(p);
+          continue;
+        }
+        if (!body) {
+          if (DEBUG_MODE) {
+            console.log(`Querying nuget for ${p.name}`);
+          }
+          const res = await cdxgenAgent.get(
+            NUGET_URL +
+              p.group.toLowerCase() +
+              (p.group !== "" ? "." : "") +
+              p.name.toLowerCase() +
+              "/index.json",
+            { responseType: "json" }
+          );
+          const items = res.body.items;
+          if (!items || !items[0] || !items[0].items) {
+            continue;
+          }
+          const firstItem = items[0];
+          // Work backwards to find the body for the matching version
+          body = firstItem.items[firstItem.items.length - 1];
+          if (p.version) {
+            const newBody = firstItem.items
+              .reverse()
+              .filter(
+                (i) => i.catalogEntry && i.catalogEntry.version === p.version
+              );
+            if (newBody && newBody.length) {
+              body = newBody[0];
+            }
+          }
+          metadata_cache[cacheKey] = body;
+        }
+        // Set the latest version in case it is missing
+        if (!p.version && body.catalogEntry.version) {
+          p.version = body.catalogEntry.version;
+        }
+        p.description = body.catalogEntry.description;
+        if (body.catalogEntry.authors) {
+          p.author = body.catalogEntry.authors.trim();
+        }
+        if (
+          body.catalogEntry.licenseExpression &&
+          body.catalogEntry.licenseExpression !== ""
+        ) {
+          p.license = findLicenseId(body.catalogEntry.licenseExpression);
+        } else if (body.catalogEntry.licenseUrl) {
+          p.license = findLicenseId(body.catalogEntry.licenseUrl);
+        }
+        if (body.catalogEntry.projectUrl) {
+          p.repository = { url: body.catalogEntry.projectUrl };
+          p.homepage = {
+            url:
+              "https://www.nuget.org/packages/" +
+              p.group +
+              (p.group !== "" ? "." : "") +
+              p.name +
+              "/" +
+              p.version +
+              "/"
+          };
+        }
       }
       cdepList.push(p);
     } catch (err) {
+      if (cacheKey) {
+        metadata_cache[cacheKey] = { error: err.code };
+      }
       cdepList.push(p);
     }
   }

package/utils.test.js

@@ -1107,6 +1107,7 @@ test("get nget metadata", async () => {
   ]);
   expect(dep_list.length).toEqual(1);
   expect(dep_list[0]).toEqual({
+    author: "Castle Project Contributors",
     group: "",
     name: "Castle.Core",
     version: "4.4.0",
@@ -1115,7 +1116,7 @@ test("get nget metadata", async () => {
     homepage: {
       url: "https://www.nuget.org/packages/Castle.Core/4.4.0/"
     },
-    license: "http://www.apache.org/licenses/LICENSE-2.0.html",
+    license: "Apache-2.0",
     repository: {
       url: "http://www.castleproject.org/"
     }