@cyclonedx/cdxgen 9.0.1 → 9.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.0.1",
+  "version": "9.1.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -36,7 +36,7 @@
   "scripts": {
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
-    "lint": "eslint index.js utils.js binary.js server.js docker.js *.test.js bin/cdxgen.js",
+    "lint": "eslint *.js *.test.js bin/cdxgen.js",
     "pretty": "prettier --write *.js data/*.json bin/cdxgen.js --trailing-comma=none"
   },
   "engines": {
@@ -52,6 +52,8 @@
   "dependencies": {
     "@babel/parser": "^7.22.5",
     "@babel/traverse": "^7.22.5",
+    "ajv": "^8.12.0",
+    "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
     "glob": "^10.3.0",
@@ -64,7 +66,7 @@
     "prettify-xml": "^1.2.0",
     "properties-reader": "^2.2.0",
     "semver": "^7.5.3",
-    "ssri": "^8.0.1",
+    "ssri": "^10.0.4",
     "table": "^6.8.1",
     "tar": "^6.1.15",
     "uuid": "^9.0.0",

package/piptree.js

@@ -0,0 +1,136 @@
+/**
+ * The idea behind this plugin came from the excellent pipdeptree package
+ * https://github.com/tox-dev/pipdeptree
+ *
+ * We use the internal pip api to construct the dependency tree for modern python + pip environments
+ */
+import {
+  existsSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  writeFileSync
+} from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { spawnSync } from "node:child_process";
+
+const PIP_TREE_PLUGIN_CONTENT = `
+import importlib.metadata as importlib_metadata
+import json
+import sys
+
+from pip._internal.metadata import pkg_resources
+
+
+def frozen_req_from_dist(dist):
+    try:
+        from pip._internal.operations.freeze import FrozenRequirement
+    except ImportError:
+        from pip import FrozenRequirement
+    try:
+        from pip._internal import metadata
+
+        dist = metadata.pkg_resources.Distribution(dist)
+        try:
+            fr = FrozenRequirement.from_dist(dist)
+        except TypeError:
+            fr = FrozenRequirement.from_dist(dist, [])
+        return str(fr).strip()
+    except ImportError:
+        pass
+
+
+def get_installed_distributions():
+    dists = pkg_resources.Environment.from_paths(None).iter_installed_distributions(
+        local_only=False,
+        skip=(),
+        user_only=False,
+    )
+    return [d._dist for d in dists]
+
+
+def find_deps(idx, reqs):
+    freqs = []
+    for r in reqs:
+        d = idx.get(r.key)
+        r.project_name = d.project_name if d is not None else r.project_name
+        specs = sorted(r.specs, reverse=True)
+        specs_str = ",".join(["".join(sp) for sp in specs]) if specs else ""
+        freqs.append(
+            {
+                "name": r.project_name,
+                "version": importlib_metadata.version(r.key),
+                "versionSpecifiers": specs_str,
+                "dependencies": find_deps(idx, d.requires()),
+            }
+        )
+    return freqs
+
+
+def main(argv):
+    out_file = "piptree.json" if len(argv) < 2 else argv[-1]
+    tree = []
+    pkgs = get_installed_distributions()
+    idx = {p.key: p for p in pkgs}
+    for p in pkgs:
+        fr = frozen_req_from_dist(p)
+        tmpA = fr.split("==")
+        name = tmpA[0]
+        if name.startswith("-e"):
+            continue
+        version = ""
+        if len(tmpA) == 2:
+            version = tmpA[1]
+        tree.append(
+            {
+                "name": name,
+                "version": version,
+                "dependencies": find_deps(idx, p.requires()),
+            }
+        )
+    all_deps = {}
+    for t in tree:
+        for d in t["dependencies"]:
+            all_deps[d["name"]] = True
+    trimmed_tree = [
+        t for t in tree if t["name"] not in all_deps
+    ]
+    with open(out_file, mode="w", encoding="utf-8") as fp:
+        json.dump(trimmed_tree, fp)
+
+
+if __name__ == "__main__":
+    main(sys.argv)
+`;
+
+/**
+ * Execute the piptree plugin and return the generated tree as json object
+ */
+export const getTreeWithPlugin = (env, python_cmd, basePath) => {
+  let tree = undefined;
+  const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-piptree-"));
+  const pipPlugin = join(tempDir, "piptree.py");
+  const pipTreeJson = join(tempDir, "piptree.json");
+  const pipPluginArgs = [pipPlugin, pipTreeJson];
+  writeFileSync(pipPlugin, PIP_TREE_PLUGIN_CONTENT);
+  const result = spawnSync(python_cmd, pipPluginArgs, {
+    cwd: basePath,
+    encoding: "utf-8",
+    env
+  });
+  if (result.status !== 0 || result.error) {
+    console.log(result.stdout, result.stderr);
+  }
+  if (existsSync(pipTreeJson)) {
+    tree = JSON.parse(
+      readFileSync(pipTreeJson, {
+        encoding: "utf-8"
+      })
+    );
+  }
+  if (rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+  return tree;
+};

package/server.js

@@ -79,7 +79,7 @@ const configureServer = (cdxgenServer) => {
   cdxgenServer.keepAliveTimeout = 0;
 };
 
-const start = async (options) => {
+const start = (options) => {
   console.log("Listening on", options.serverHost, options.serverPort);
   const cdxgenServer = http
     .createServer(app)
@@ -89,7 +89,7 @@ const start = async (options) => {
     const q = url.parse(req.url, true).query;
     let cleanup = false;
     options = parseQueryString(q, req.body, options);
-    let filePath = q.path || q.url || req.body.path || req.body.url;
+    const filePath = q.path || q.url || req.body.path || req.body.url;
     if (!filePath) {
       res.writeHead(500, { "Content-Type": "application/json" });
       return res.end(