npm - @cyclonedx/cdxgen - Versions diffs - 9.11.0 → 9.11.2 - Mend

@cyclonedx/cdxgen 9.11.0 → 9.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js CHANGED Viewed

@@ -1236,46 +1236,50 @@ export const createJavaBom = async (path, options) => {
             maxBuffer: MAX_BUFFER
           });
           if (result.status !== 0 || result.error) {
-            console.error(result.stdout, result.stderr);
-            console.log(
-              "Resolve the above maven error. This could be due to the following:\n"
-            );
-            if (
-              result.stdout &&
-              (result.stdout.includes("Non-resolvable parent POM") ||
-                result.stdout.includes("points at wrong local POM"))
-            ) {
+            // Our approach to recursively invoking the maven plugin for each sub-module is bound to result in failures
+            // These could be due to a range of reasons that are covered below.
+            if (pomFiles.length === 1 || DEBUG_MODE) {
+              console.error(result.stdout, result.stderr);
               console.log(
-                "1. Check if the pom.xml contains valid settings such `parent.relativePath` to make mvn command work from within the sub-directory."
+                "Resolve the above maven error. This could be due to the following:\n"
               );
-            } else if (
-              result.stdout &&
-              (result.stdout.includes("Could not resolve dependencies") ||
-                result.stdout.includes("no dependency information available"))
-            ) {
-              console.log(
-                "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
-              );
-            } else if (
-              result.stdout &&
-              result.stdout.includes(
-                "Could not resolve target platform specification"
-              )
-            ) {
+              if (
+                result.stdout &&
+                (result.stdout.includes("Non-resolvable parent POM") ||
+                  result.stdout.includes("points at wrong local POM"))
+              ) {
+                console.log(
+                  "1. Check if the pom.xml contains valid settings such `parent.relativePath` to make mvn command work from within the sub-directory."
+                );
+              } else if (
+                result.stdout &&
+                (result.stdout.includes("Could not resolve dependencies") ||
+                  result.stdout.includes("no dependency information available"))
+              ) {
+                console.log(
+                  "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
+                );
+              } else if (
+                result.stdout &&
+                result.stdout.includes(
+                  "Could not resolve target platform specification"
+                )
+              ) {
+                console.log(
+                  "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+                );
+              } else {
+                console.log(
+                  "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
+                );
+              }
               console.log(
-                "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+                "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
               );
-            } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
+                "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool."
               );
             }
-            console.log(
-              "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
-            );
-            console.log(
-              "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool."
-            );
             // Do not fall back to methods that can produce incomplete results when failOnError is set
             options.failOnError && process.exit(1);
             console.log(
@@ -1718,7 +1722,18 @@ export const createJavaBom = async (path, options) => {
         }
       } else {
         const SBT_CMD = process.env.SBT_CMD || "sbt";
-        const sbtVersion = determineSbtVersion(path);
+        let sbtVersion = determineSbtVersion(path);
+        // If can't find sbt version at the root of repository then search in
+        // sbt project array too because sometimes the project folder isn't at
+        // root of repository
+        if (sbtVersion == null) {
+          for (const i in sbtProjects) {
+            sbtVersion = determineSbtVersion(sbtProjects[i]);
+            if (sbtVersion != null) {
+              break;
+            }
+          }
+        }
         if (DEBUG_MODE) {
           console.log("Detected sbt version: " + sbtVersion);
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.11.0",
+  "version": "9.11.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.8.3",
+    "@appthreat/atom": "1.8.4",
     "@appthreat/cdx-proto": "^0.0.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",

package/utils.js CHANGED Viewed

@@ -1260,6 +1260,9 @@ export const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
       ).toString();
   }
   if (existsSync(pnpmLock)) {
+    if (DEBUG_MODE) {
+      console.log(`Parsing file ${pnpmLock}`);
+    }
     const lockData = readFileSync(pnpmLock, "utf8");
     const yamlObj = _load(lockData);
     if (!yamlObj) {
@@ -1295,7 +1298,7 @@ export const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
     } catch (e) {
       // ignore parse errors
     }
-    const packages = yamlObj.packages;
+    const packages = yamlObj.packages || {};
     const pkgKeys = Object.keys(packages);
     for (const k in pkgKeys) {
       // Eg: @babel/code-frame/7.10.1
@@ -7207,6 +7210,9 @@ export const extractJarArchive = async function (
  */
 export const determineSbtVersion = function (projectPath) {
   const buildPropFile = join(projectPath, "project", "build.properties");
+  if (DEBUG_MODE) {
+    console.log("Looking for", buildPropFile);
+  }
   if (existsSync(buildPropFile)) {
     const properties = propertiesReader(buildPropFile);
     const property = properties.get("sbt.version");
@@ -7495,6 +7501,7 @@ export const executeAtom = (src, args) => {
     timeout: TIMEOUT_MS,
     detached: !isWin && !process.env.CI,
     shell: isWin,
+    killSignal: "SIGKILL",
     env
   });
   if (result.stderr) {