@cyclonedx/cdxgen 9.10.0 → 9.10.2

package/README.md

@@ -22,7 +22,7 @@ Most SBOM tools are like barcode scanners. They can scan a few package manifest
 | ------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------- |
 | Node.js                         | npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js                   | Yes except .min.js                                                                                | Yes      |
 | Java                            | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel                                              | Yes unless pom.xml is manually parsed due to unavailability of maven or errors                    | Yes      |
-| PHP                             | composer.lock                                                                                                     | Yes                                                                                               |          |
+| PHP                             | composer.lock                                                                                                     | Yes                                                                                               | Yes      |
 | Python                          | pyproject.toml, setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, pdm.lock, bdist_wheel, .whl, .egg-info | Yes using the automatic pip install/freeze. When disabled, only with Pipfile.lock and poetry.lock | Yes      |
 | Go                              | binary, go.mod, go.sum, Gopkg.lock                                                                                | Yes except binary                                                                                 | Yes      |
 | Ruby                            | Gemfile.lock, gemspec                                                                                             | Only for Gemfile.lock                                                                             |          |
@@ -347,6 +347,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
 - .NET (project.assets.json, paket.lock)
 - Go (go.mod)
+- PHP (composer.lock)
 
 ## Environment variables
 
@@ -358,6 +359,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | MVN_ARGS                     | Set to pass additional arguments such as profile or settings to maven                                                                |
 | MAVEN_HOME                   | Specify maven home                                                                                                                   |
 | MAVEN_CENTRAL_URL            | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used)                                                  |
+| ANDROID_MAVEN_URL            | Specify URL of Android Maven Repository for metadata fetching (e.g. when private repo is used)                                       |
 | BAZEL_TARGET                 | Bazel target to build. Default :all (Eg: //java-maven)                                                                               |
 | BAZEL_STRIP_MAVEN_PREFIX     | Strip Maven group prefix (e.g. useful when private repo is used, defaults to `/maven2/`)                                             |
 | BAZEL_USE_ACTION_GRAPH       | SBOM for specific Bazel target, uses `bazel aquery 'outputs(".*.jar", deps(<BAZEL_TARGET>))'` (defaults to `false`)                  |

package/bin/cdxgen.js

@@ -220,6 +220,17 @@ const args = yargs(hideBin(process.argv))
     description: "Additional glob pattern(s) to ignore",
     hidden: true
   })
+  .option("export-proto", {
+    type: "boolean",
+    default: false,
+    description: "Serialize and export BOM as protobuf binary.",
+    hidden: true
+  })
+  .option("proto-bin-file", {
+    description: "Path for the serialized protobuf binary.",
+    default: "bom.cdx",
+    hidden: true
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")
@@ -582,7 +593,11 @@ const checkPermissions = (filePath) => {
       console.log(err);
     }
   }
-
+  // Protobuf serialization
+  if (options.exportProto) {
+    const protobomModule = await import("../protobom.js");
+    protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
+  }
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
     printDependencyTree(bomNSData.bomJson);
     printTable(bomNSData.bomJson);

package/index.js

@@ -4048,6 +4048,8 @@ export const createContainerSpecLikeBom = async (path, options) => {
  * @param options Parse options from the cli
  */
 export const createPHPBom = (path, options) => {
+  let dependencies = [];
+  let parentComponent = {};
   const composerJsonFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "composer.json",
@@ -4117,17 +4119,56 @@ export const createPHPBom = (path, options) => {
   );
   if (composerLockFiles.length) {
     for (const f of composerLockFiles) {
+      const basePath = dirname(f);
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
-      const dlist = parseComposerLock(f);
-      if (dlist && dlist.length) {
-        pkgList = pkgList.concat(dlist);
+      // Is there a composer.json to find the parent component
+      if (
+        !Object.keys(parentComponent).length &&
+        existsSync(join(basePath, "composer.json"))
+      ) {
+        const composerData = JSON.parse(
+          readFileSync(join(basePath, "composer.json"), { encoding: "utf-8" })
+        );
+        const pkgName = composerData.name;
+        if (pkgName) {
+          parentComponent.group = dirname(pkgName);
+          if (parentComponent.group === ".") {
+            parentComponent.group = "";
+          }
+          parentComponent.name = basename(pkgName);
+          parentComponent.type = "application";
+          parentComponent.version = composerData.version || "latest";
+          parentComponent["bom-ref"] = decodeURIComponent(
+            new PackageURL(
+              "composer",
+              parentComponent.group,
+              parentComponent.name,
+              parentComponent.version,
+              null,
+              null
+            ).toString()
+          );
+        }
+      }
+      const retMap = parseComposerLock(f);
+      if (retMap.pkgList && retMap.pkgList.length) {
+        pkgList = pkgList.concat(retMap.pkgList);
+      }
+      if (retMap.dependenciesList) {
+        dependencies = mergeDependencies(
+          dependencies,
+          retMap.dependenciesList,
+          parentComponent
+        );
       }
     }
     return buildBomNSData(options, pkgList, "composer", {
       src: path,
-      filename: composerLockFiles.join(", ")
+      filename: composerLockFiles.join(", "),
+      dependencies,
+      parentComponent
     });
   }
   return {};
@@ -4331,7 +4372,7 @@ export const createCsharpBom = async (
         console.log(`Parsing ${f}`);
       }
       pkgData = readFileSync(f, { encoding: "utf-8" });
-      const results = await parsePaketLockData(pkgData);
+      const results = await parsePaketLockData(pkgData, f);
       const dlist = results.pkgList;
       const deps = results.dependenciesList;
       if (dlist && dlist.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.10.0",
+  "version": "9.10.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -57,7 +57,7 @@
   "dependencies": {
     "@babel/parser": "^7.23.6",
     "@babel/traverse": "^7.23.6",
-    "@npmcli/arborist": "7.2.0",
+    "@npmcli/arborist": "7.2.2",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
@@ -83,7 +83,8 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.7.5",
+    "@appthreat/atom": "1.8.0",
+    "@appthreat/cdx-proto": "^0.0.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.4",
@@ -105,7 +106,7 @@
     "docsify-cli": "^4.4.4",
     "eslint": "^8.56.0",
     "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-prettier": "^5.0.1",
+    "eslint-plugin-prettier": "^5.1.2",
     "jest": "^29.7.0",
     "prettier": "3.1.1"
   }

package/protobom.js

@@ -0,0 +1,36 @@
+import { Bom } from "@appthreat/cdx-proto";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+
+const stringifyIfNeeded = (bomJson) => {
+  if (typeof bomJson === "string" || bomJson instanceof String) {
+    return bomJson;
+  }
+  return JSON.stringify(bomJson);
+};
+
+export const writeBinary = (bomJson, binFile) => {
+  if (bomJson && binFile) {
+    const bomObject = new Bom();
+    writeFileSync(
+      binFile,
+      bomObject
+        .fromJsonString(stringifyIfNeeded(bomJson), {
+          ignoreUnknownFields: true
+        })
+        .toBinary({ writeUnknownFields: true })
+    );
+  }
+};
+
+export const readBinary = (binFile, asJson = true) => {
+  if (!existsSync(binFile)) {
+    return undefined;
+  }
+  const bomObject = new Bom().fromBinary(readFileSync(binFile), {
+    readUnknownFields: true
+  });
+  if (asJson) {
+    return bomObject.toJson({ emitDefaultValues: true });
+  }
+  return bomObject;
+};

package/protobom.test.js

@@ -0,0 +1,32 @@
+import { expect, test } from "@jest/globals";
+import { tmpdir } from "node:os";
+import { existsSync, rmSync, mkdtempSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+
+import { writeBinary, readBinary } from "./protobom.js";
+
+const tempDir = mkdtempSync(join(tmpdir(), "bin-tests-"));
+const testBom = JSON.parse(
+  readFileSync("./test/data/bom-java.json", { encoding: "utf-8" })
+);
+
+test("proto binary tests", async () => {
+  const binFile = join(tempDir, "test.cdx.bin");
+  writeBinary({}, binFile);
+  expect(existsSync(binFile)).toBeTruthy();
+  writeBinary(testBom, binFile);
+  expect(existsSync(binFile)).toBeTruthy();
+  let bomObject = readBinary(binFile);
+  expect(bomObject).toBeDefined();
+  expect(bomObject.serialNumber).toEqual(
+    "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee"
+  );
+  bomObject = readBinary(binFile, false);
+  expect(bomObject).toBeDefined();
+  expect(bomObject.serialNumber).toEqual(
+    "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee"
+  );
+  if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});

package/utils.js

@@ -666,6 +666,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
         purl: purlString,
         "bom-ref": decodeURIComponent(purlString)
       };
+      if (node.resolved) {
+        pkg.properties.push({
+          name: "ResolvedUrl",
+          value: node.resolved
+        });
+      }
     }
     const packageLicense = node.package.license;
     if (packageLicense) {
@@ -694,8 +700,9 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
             null
           ).toString()
         );
-
-        workspaceDependsOn.push(depWorkspacePurlString);
+        if (decodeURIComponent(purlString) !== depWorkspacePurlString) {
+          workspaceDependsOn.push(depWorkspacePurlString);
+        }
       }
     }
 
@@ -726,7 +733,9 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
             null
           ).toString()
         );
-        childrenDependsOn.push(depChildString);
+        if (decodeURIComponent(purlString) !== depChildString) {
+          childrenDependsOn.push(depChildString);
+        }
       }
     }
 
@@ -735,31 +744,35 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
     for (const edge of node.edgesOut.values()) {
       let targetVersion;
       let targetName;
-
+      let foundMatch = false;
       // if the edge doesn't have an integrity, it's likely a peer dependency
       // which isn't installed
-      let edgeToIntegrity = edge.to ? edge.to.integrity : null;
-      // let packageName = node.packageName;
-      // let edgeName = edge.name;
+      // Bug #795. At times, npm loses the integrity node completely and such packages are getting missed out
+      // To keep things safe, we include these packages.
+      let edgeToIntegrity = edge.to ? edge.to.integrity : undefined;
       if (!edgeToIntegrity) {
-        continue;
-      }
-
-      // the edges don't actually contain a version, so we need to search the root node
-      // children to find the correct version. we check the node children first, then
-      // we check the root node children
-      let foundMatch = false;
-      for (const child of node.children) {
-        if (child[1].integrity == edgeToIntegrity) {
-          targetName = child[0].replace(/node_modules\//g, "");
-          // The package name could be different from the targetName retrieved
-          // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
-          if (child[1].packageName && child[1].packageName !== targetName) {
-            targetName = child[1].packageName;
-          }
-          targetVersion = child[1].version;
-          foundMatch = true;
-          break;
+        // This hack is required to fix the package name
+        targetName = node.name.replace(/-cjs$/, "");
+        targetVersion = node.version;
+        foundMatch = true;
+      } else {
+        // the edges don't actually contain a version, so we need to search the root node
+        // children to find the correct version. we check the node children first, then
+        // we check the root node children
+        for (const child of node.children) {
+          if (edgeToIntegrity) {
+            if (child[1].integrity == edgeToIntegrity) {
+              targetName = child[0].replace(/node_modules\//g, "");
+              // The package name could be different from the targetName retrieved
+              // Eg: "string-width-cjs": "npm:string-width@^4.2.0",
+              if (child[1].packageName && child[1].packageName !== targetName) {
+                targetName = child[1].packageName;
+              }
+              targetVersion = child[1].version;
+              foundMatch = true;
+              break;
+            }
+          }
         }
       }
       if (!foundMatch) {
@@ -792,8 +805,12 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
           null
         ).toString()
       );
-      pkgDependsOn.push(depPurlString);
-      if (edge.to == null) continue;
+      if (decodeURIComponent(purlString) !== depPurlString) {
+        pkgDependsOn.push(depPurlString);
+      }
+      if (edge.to == null) {
+        continue;
+      }
       const { pkgList: childPkgList, dependenciesList: childDependenciesList } =
         parseArboristNode(
           edge.to,
@@ -1351,6 +1368,8 @@ export const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
             group: group,
             name: name,
             version: version,
+            purl: purlString,
+            "bom-ref": decodeURIComponent(purlString),
             scope,
             _integrity: integrity,
             properties: [
@@ -2366,7 +2385,8 @@ export const guessLicenseId = function (content) {
 export const getMvnMetadata = async function (pkgList, jarNSMapping = {}) {
   const MAVEN_CENTRAL_URL =
     process.env.MAVEN_CENTRAL_URL || "https://repo1.maven.org/maven2/";
-  const ANDROID_MAVEN = "https://maven.google.com/";
+  const ANDROID_MAVEN_URL =
+    process.env.ANDROID_MAVEN_URL || "https://maven.google.com/";
   const cdepList = [];
   if (!pkgList || !pkgList.length) {
     return pkgList;
@@ -2414,7 +2434,7 @@ export const getMvnMetadata = async function (pkgList, jarNSMapping = {}) {
     let urlPrefix = MAVEN_CENTRAL_URL;
     // Ideally we should try one resolver after the other. But it increases the time taken
     if (group.indexOf("android") !== -1) {
-      urlPrefix = ANDROID_MAVEN;
+      urlPrefix = ANDROID_MAVEN_URL;
     }
     // Querying maven requires a valid group name
     if (!group || group === "") {
@@ -5574,7 +5594,7 @@ export const parseCsPkgLockData = async function (csLockData) {
   return pkgList;
 };
 
-export const parsePaketLockData = async function (paketLockData) {
+export const parsePaketLockData = async function (paketLockData, pkgLockFile) {
   const pkgList = [];
   const dependenciesList = [];
   const dependenciesMap = {};
@@ -5602,14 +5622,39 @@ export const parsePaketLockData = async function (paketLockData) {
     if (match) {
       const name = match[1];
       const version = match[2];
-      const purl = decodeURIComponent(
-        new PackageURL("nuget", "", name, version, null, null).toString()
-      );
+      const purl = new PackageURL(
+        "nuget",
+        "",
+        name,
+        version,
+        null,
+        null
+      ).toString();
       pkg = {
         group: "",
-        name: name,
-        version: version,
-        purl: purl
+        name,
+        version,
+        purl,
+        "bom-ref": decodeURIComponent(purl),
+        properties: [
+          {
+            name: "SrcFile",
+            value: pkgLockFile
+          }
+        ],
+        evidence: {
+          identity: {
+            field: "purl",
+            confidence: 1,
+            methods: [
+              {
+                technique: "manifest-analysis",
+                confidence: 1,
+                value: pkgLockFile
+              }
+            ]
+          }
+        }
       };
       pkgList.push(pkg);
       dependenciesMap[purl] = new Set();
@@ -5661,6 +5706,7 @@ export const parsePaketLockData = async function (paketLockData) {
     dependenciesList
   };
 };
+
 /**
  * Parse composer lock file
  *
@@ -5668,6 +5714,9 @@ export const parsePaketLockData = async function (paketLockData) {
  */
 export const parseComposerLock = function (pkgLockFile) {
   const pkgList = [];
+  const dependenciesList = [];
+  const dependenciesMap = {};
+  const pkgNamePurlMap = {};
   if (existsSync(pkgLockFile)) {
     let lockData = {};
     try {
@@ -5684,6 +5733,7 @@ export const parseComposerLock = function (pkgLockFile) {
       if (lockData["packages-dev"]) {
         packages["optional"] = lockData["packages-dev"];
       }
+      // Pass 1: Collect all packages
       for (const compScope in packages) {
         for (const i in packages[compScope]) {
           const pkg = packages[compScope][i];
@@ -5696,14 +5746,20 @@ export const parseComposerLock = function (pkgLockFile) {
             group = "";
           }
           const name = basename(pkg.name);
-          pkgList.push({
+          const purl = new PackageURL(
+            "composer",
+            group,
+            name,
+            pkg.version,
+            null,
+            null
+          ).toString();
+          const apkg = {
             group: group,
             name: name,
-            // Remove leading v from version to work around bug
-            //  https://github.com/OSSIndex/vulns/issues/231
-            // @TODO: remove workaround when DependencyTrack v4.4 is released,
-            //  which has it's own workaround. Or when the 231 bug is fixed.
-            version: pkg.version.replace(/^v/, ""),
+            purl,
+            "bom-ref": decodeURIComponent(purl),
+            version: pkg.version,
             repository: pkg.source,
             license: pkg.license,
             description: pkg.description,
@@ -5727,12 +5783,58 @@ export const parseComposerLock = function (pkgLockFile) {
                 ]
               }
             }
-          });
+          };
+          if (pkg.autoload && Object.keys(pkg.autoload).length) {
+            const namespaces = [];
+            for (const aaload of Object.keys(pkg.autoload)) {
+              if (aaload.startsWith("psr")) {
+                for (const ans of Object.keys(pkg.autoload[aaload])) {
+                  namespaces.push(ans);
+                }
+              }
+            }
+            if (namespaces.length) {
+              apkg.properties.push({
+                name: "Namespaces",
+                value: namespaces.join(", ")
+              });
+            }
+          }
+          pkgList.push(apkg);
+          dependenciesMap[purl] = new Set();
+          pkgNamePurlMap[pkg.name] = purl;
+        }
+      }
+      // Pass 2: Construct dependency tree
+      for (const compScope in packages) {
+        for (const i in packages[compScope]) {
+          const pkg = packages[compScope][i];
+          if (!pkg || !pkg.name || !pkg.version) {
+            continue;
+          }
+          if (!pkg.require || !Object.keys(pkg.require).length) {
+            continue;
+          }
+          const purl = pkgNamePurlMap[pkg.name];
+          for (const adepName of Object.keys(pkg.require)) {
+            if (pkgNamePurlMap[adepName]) {
+              dependenciesMap[purl].add(pkgNamePurlMap[adepName]);
+            }
+          }
         }
       }
     }
   }
-  return pkgList;
+  for (const ref in dependenciesMap) {
+    dependenciesList.push({
+      ref: ref,
+      dependsOn: Array.from(dependenciesMap[ref])
+    });
+  }
+  return {
+    pkgList,
+    dependenciesList
+  };
 };
 
 export const parseSbtTree = (sbtTreeFile) => {

package/utils.test.js

@@ -1351,14 +1351,30 @@ test("parse paket.lock", async () => {
     dependenciesList: []
   });
   const dep_list = await parsePaketLockData(
-    readFileSync("./test/data/paket.lock", { encoding: "utf-8" })
+    readFileSync("./test/data/paket.lock", { encoding: "utf-8" }),
+    "./test/data/paket.lock"
   );
   expect(dep_list.pkgList.length).toEqual(13);
   expect(dep_list.pkgList[0]).toEqual({
     group: "",
     name: "0x53A.ReferenceAssemblies.Paket",
     version: "0.2",
-    purl: "pkg:nuget/0x53A.ReferenceAssemblies.Paket@0.2"
+    purl: "pkg:nuget/0x53A.ReferenceAssemblies.Paket@0.2",
+    "bom-ref": "pkg:nuget/0x53A.ReferenceAssemblies.Paket@0.2",
+    properties: [{ name: "SrcFile", value: "./test/data/paket.lock" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/paket.lock"
+          }
+        ]
+      }
+    }
   });
   expect(dep_list.dependenciesList.length).toEqual(13);
   expect(dep_list.dependenciesList[2]).toEqual({
@@ -1694,7 +1710,7 @@ test("parsePkgLock v2 workspace", async () => {
   );
   let pkgs = parsedList.pkgList;
   let deps = parsedList.dependenciesList;
-  expect(pkgs.length).toEqual(1032);
+  expect(pkgs.length).toEqual(1034);
   expect(pkgs[0].license).toEqual("MIT");
   let hasAppWorkspacePkg = pkgs.some(
     (obj) => obj["bom-ref"] === "pkg:npm/app@0.0.0"
@@ -1746,8 +1762,8 @@ test("parsePkgLock v3", async () => {
     projectName: "cdxgen"
   });
   deps = parsedList.pkgList;
-  expect(deps.length).toEqual(1205);
-  expect(parsedList.dependenciesList.length).toEqual(1205);
+  expect(deps.length).toEqual(1195);
+  expect(parsedList.dependenciesList.length).toEqual(1195);
 });
 
 test("parseBowerJson", async () => {
@@ -1807,6 +1823,8 @@ test("parsePnpmLock", async () => {
       "sha512-IGhtTmpjGbYzcEDOw7DcQtbQSXcG9ftmAXtWTu9V936vDye4xjjekktFAtgZsWpzTj/X01jocB46mTywm/4SZw==",
     group: "@babel",
     name: "code-frame",
+    "bom-ref": "pkg:npm/@babel/code-frame@7.10.1",
+    purl: "pkg:npm/%40babel/code-frame@7.10.1",
     scope: undefined,
     version: "7.10.1",
     properties: [
@@ -1837,6 +1855,8 @@ test("parsePnpmLock", async () => {
       "sha512-iAXqUn8IIeBTNd72xsFlgaXHkMBMt6y4HJp1tIaK465CWLT/fG1aqB7ykr95gHHmlBdGbFeWWfyB4NJJ0nmeIg==",
     group: "@babel",
     name: "code-frame",
+    "bom-ref": "pkg:npm/@babel/code-frame@7.16.7",
+    purl: "pkg:npm/%40babel/code-frame@7.16.7",
     scope: "optional",
     version: "7.16.7",
     properties: [
@@ -1866,6 +1886,8 @@ test("parsePnpmLock", async () => {
     group: "",
     name: "ansi-regex",
     version: "2.1.1",
+    "bom-ref": "pkg:npm/ansi-regex@2.1.1",
+    purl: "pkg:npm/ansi-regex@2.1.1",
     scope: undefined,
     _integrity: "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
     properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock2.yaml" }],
@@ -1900,6 +1922,8 @@ test("parsePnpmLock", async () => {
     group: "@nodelib",
     name: "fs.scandir",
     version: "2.1.5",
+    "bom-ref": "pkg:npm/@nodelib/fs.scandir@2.1.5",
+    purl: "pkg:npm/%40nodelib/fs.scandir@2.1.5",
     scope: undefined,
     _integrity:
       "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
@@ -1933,6 +1957,8 @@ test("parsePnpmLock", async () => {
     group: "@babel",
     name: "code-frame",
     version: "7.18.6",
+    "bom-ref": "pkg:npm/@babel/code-frame@7.18.6",
+    purl: "pkg:npm/%40babel/code-frame@7.18.6",
     scope: "optional",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
@@ -1955,6 +1981,8 @@ test("parsePnpmLock", async () => {
     group: "",
     name: "yargs",
     version: "17.7.1",
+    "bom-ref": "pkg:npm/yargs@17.7.1",
+    purl: "pkg:npm/yargs@17.7.1",
     scope: "optional",
     _integrity:
       "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
@@ -1980,6 +2008,8 @@ test("parsePnpmLock", async () => {
     group: "@babel",
     name: "code-frame",
     version: "7.18.6",
+    "bom-ref": "pkg:npm/@babel/code-frame@7.18.6",
+    purl: "pkg:npm/%40babel/code-frame@7.18.6",
     scope: "optional",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
@@ -2301,13 +2331,16 @@ test("parseYarnLock", async () => {
 });
 
 test("parseComposerLock", () => {
-  let deps = parseComposerLock("./test/data/composer.lock");
-  expect(deps.length).toEqual(1);
-  expect(deps[0]).toEqual({
+  let retMap = parseComposerLock("./test/data/composer.lock");
+  expect(retMap.pkgList.length).toEqual(1);
+  expect(retMap.dependenciesList.length).toEqual(1);
+  expect(retMap.pkgList[0]).toEqual({
     group: "quickbooks",
     name: "v3-php-sdk",
     scope: "required",
-    version: "4.0.6.1",
+    version: "v4.0.6.1",
+    purl: "pkg:composer/quickbooks/v3-php-sdk@v4.0.6.1",
+    "bom-ref": "pkg:composer/quickbooks/v3-php-sdk@v4.0.6.1",
     repository: {
       type: "git",
       url: "https://github.com/intuit/QuickBooks-V3-PHP-SDK.git",
@@ -2319,6 +2352,10 @@ test("parseComposerLock", () => {
       {
         name: "SrcFile",
         value: "./test/data/composer.lock"
+      },
+      {
+        name: "Namespaces",
+        value: "QuickBooksOnline\\API\\"
       }
     ],
     evidence: {
@@ -2336,13 +2373,16 @@ test("parseComposerLock", () => {
     }
   });
 
-  deps = parseComposerLock("./test/data/composer-2.lock");
-  expect(deps.length).toEqual(73);
-  expect(deps[0]).toEqual({
+  retMap = parseComposerLock("./test/data/composer-2.lock");
+  expect(retMap.pkgList.length).toEqual(73);
+  expect(retMap.dependenciesList.length).toEqual(73);
+  expect(retMap.pkgList[0]).toEqual({
     group: "amphp",
     name: "amp",
     scope: "required",
-    version: "2.4.4",
+    version: "v2.4.4",
+    purl: "pkg:composer/amphp/amp@v2.4.4",
+    "bom-ref": "pkg:composer/amphp/amp@v2.4.4",
     repository: {
       type: "git",
       url: "https://github.com/amphp/amp.git",
@@ -2354,6 +2394,10 @@ test("parseComposerLock", () => {
       {
         name: "SrcFile",
         value: "./test/data/composer-2.lock"
+      },
+      {
+        name: "Namespaces",
+        value: "Amp\\"
       }
     ],
     evidence: {
@@ -2371,12 +2415,15 @@ test("parseComposerLock", () => {
     }
   });
 
-  deps = parseComposerLock("./test/data/composer-3.lock");
-  expect(deps.length).toEqual(62);
-  expect(deps[0]).toEqual({
+  retMap = parseComposerLock("./test/data/composer-3.lock");
+  expect(retMap.pkgList.length).toEqual(62);
+  expect(retMap.dependenciesList.length).toEqual(62);
+  expect(retMap.pkgList[0]).toEqual({
     group: "amphp",
     name: "amp",
-    version: "2.6.2",
+    version: "v2.6.2",
+    purl: "pkg:composer/amphp/amp@v2.6.2",
+    "bom-ref": "pkg:composer/amphp/amp@v2.6.2",
     repository: {
       type: "git",
       url: "https://github.com/amphp/amp.git",
@@ -2385,7 +2432,13 @@ test("parseComposerLock", () => {
     license: ["MIT"],
     description: "A non-blocking concurrency framework for PHP applications.",
     scope: "required",
-    properties: [{ name: "SrcFile", value: "./test/data/composer-3.lock" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/composer-3.lock" },
+      {
+        name: "Namespaces",
+        value: "Amp\\"
+      }
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -2400,6 +2453,42 @@ test("parseComposerLock", () => {
       }
     }
   });
+  retMap = parseComposerLock("./test/data/composer-4.lock");
+  expect(retMap.pkgList.length).toEqual(50);
+  expect(retMap.dependenciesList.length).toEqual(50);
+  expect(retMap.pkgList[0]).toEqual({
+    group: "apache",
+    name: "log4php",
+    purl: "pkg:composer/apache/log4php@2.3.0",
+    "bom-ref": "pkg:composer/apache/log4php@2.3.0",
+    version: "2.3.0",
+    repository: {
+      type: "git",
+      url: "https://git-wip-us.apache.org/repos/asf/logging-log4php.git",
+      reference: "8c6df2481cd68d0d211d38f700406c5f0a9de0c2"
+    },
+    license: ["Apache-2.0"],
+    description: "A versatile logging framework for PHP",
+    scope: "required",
+    properties: [{ name: "SrcFile", value: "./test/data/composer-4.lock" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            confidence: 1,
+            technique: "manifest-analysis",
+            value: "./test/data/composer-4.lock"
+          }
+        ]
+      }
+    }
+  });
+  expect(retMap.dependenciesList[1]).toEqual({
+    ref: "pkg:composer/doctrine/annotations@v1.2.1",
+    dependsOn: ["pkg:composer/doctrine/lexer@v1.0"]
+  });
 });
 
 test("parseGemfileLockData", async () => {