npm - @cyclonedx/cdxgen - Versions diffs - 9.11.1 → 9.11.3 - Mend

@cyclonedx/cdxgen 9.11.1 → 9.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -345,7 +345,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
-- .NET (project.assets.json, paket.lock)
+- .NET (packages.lock.json, project.assets.json, paket.lock)
 - Go (go.mod)
 - PHP (composer.lock)

package/index.js CHANGED Viewed

@@ -1236,46 +1236,50 @@ export const createJavaBom = async (path, options) => {
             maxBuffer: MAX_BUFFER
           });
           if (result.status !== 0 || result.error) {
-            console.error(result.stdout, result.stderr);
-            console.log(
-              "Resolve the above maven error. This could be due to the following:\n"
-            );
-            if (
-              result.stdout &&
-              (result.stdout.includes("Non-resolvable parent POM") ||
-                result.stdout.includes("points at wrong local POM"))
-            ) {
-              console.log(
-                "1. Check if the pom.xml contains valid settings such `parent.relativePath` to make mvn command work from within the sub-directory."
-              );
-            } else if (
-              result.stdout &&
-              (result.stdout.includes("Could not resolve dependencies") ||
-                result.stdout.includes("no dependency information available"))
-            ) {
+            // Our approach to recursively invoking the maven plugin for each sub-module is bound to result in failures
+            // These could be due to a range of reasons that are covered below.
+            if (pomFiles.length === 1 || DEBUG_MODE) {
+              console.error(result.stdout, result.stderr);
               console.log(
-                "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
+                "Resolve the above maven error. This could be due to the following:\n"
               );
-            } else if (
-              result.stdout &&
-              result.stdout.includes(
-                "Could not resolve target platform specification"
-              )
-            ) {
+              if (
+                result.stdout &&
+                (result.stdout.includes("Non-resolvable parent POM") ||
+                  result.stdout.includes("points at wrong local POM"))
+              ) {
+                console.log(
+                  "1. Check if the pom.xml contains valid settings such `parent.relativePath` to make mvn command work from within the sub-directory."
+                );
+              } else if (
+                result.stdout &&
+                (result.stdout.includes("Could not resolve dependencies") ||
+                  result.stdout.includes("no dependency information available"))
+              ) {
+                console.log(
+                  "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
+                );
+              } else if (
+                result.stdout &&
+                result.stdout.includes(
+                  "Could not resolve target platform specification"
+                )
+              ) {
+                console.log(
+                  "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+                );
+              } else {
+                console.log(
+                  "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
+                );
+              }
               console.log(
-                "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+                "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
               );
-            } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
+                "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool."
               );
             }
-            console.log(
-              "2. Private dependencies cannot be downloaded: Check if any additional arguments must be passed to maven and set them via MVN_ARGS environment variable."
-            );
-            console.log(
-              "3. Check if all required environment variables including any maven profile arguments are passed correctly to this tool."
-            );
             // Do not fall back to methods that can produce incomplete results when failOnError is set
             options.failOnError && process.exit(1);
             console.log(
@@ -1718,7 +1722,18 @@ export const createJavaBom = async (path, options) => {
         }
       } else {
         const SBT_CMD = process.env.SBT_CMD || "sbt";
-        const sbtVersion = determineSbtVersion(path);
+        let sbtVersion = determineSbtVersion(path);
+        // If can't find sbt version at the root of repository then search in
+        // sbt project array too because sometimes the project folder isn't at
+        // root of repository
+        if (sbtVersion == null) {
+          for (const i in sbtProjects) {
+            sbtVersion = determineSbtVersion(sbtProjects[i]);
+            if (sbtVersion != null) {
+              break;
+            }
+          }
+        }
         if (DEBUG_MODE) {
           console.log("Detected sbt version: " + sbtVersion);
         }
@@ -4342,16 +4357,41 @@ export const createCsharpBom = async (
     }
   } else if (pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
+    let parentDependsOn = [];
     // packages.lock.json from nuget
     for (const af of pkgLockFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${af}`);
       }
       pkgData = readFileSync(af, { encoding: "utf-8" });
-      const dlist = await parseCsPkgLockData(pkgData);
+      let results = await parseCsPkgLockData(pkgData, af);
+      let deps = results["dependenciesList"];
+      let dlist = results["pkgList"];
+      let rootList = results["rootList"];
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
+      if (deps && deps.length) {
+        dependencies = dependencies.concat(deps);
+      }
+      if (!parentComponent) {
+        parentComponent = createDefaultParentComponent(
+          path,
+          options.type,
+          options
+        );
+      }
+      // Keep track of the direct dependencies so that we can construct one complete
+      // list after processing all lock files
+      if (rootList && rootList.length) {
+        parentDependsOn = parentDependsOn.concat(rootList);
+      }
+    }
+    if (parentDependsOn.length) {
+      dependencies.splice(0, 0, {
+        ref: parentComponent["bom-ref"],
+        dependsOn: parentDependsOn.map((p) => p["bom-ref"])
+      });
     }
   } else if (pkgConfigFiles.length) {
     manifestFiles = manifestFiles.concat(pkgConfigFiles);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.11.1",
+  "version": "9.11.3",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,9 +55,9 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.6",
-    "@babel/traverse": "^7.23.7",
-    "@npmcli/arborist": "7.2.2",
+    "@babel/parser": "^7.23.9",
+    "@babel/traverse": "^7.23.9",
+    "@npmcli/arborist": "7.3.1",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",

package/utils.js CHANGED Viewed

@@ -1260,6 +1260,9 @@ export const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
       ).toString();
   }
   if (existsSync(pnpmLock)) {
+    if (DEBUG_MODE) {
+      console.log(`Parsing file ${pnpmLock}`);
+    }
     const lockData = readFileSync(pnpmLock, "utf8");
     const yamlObj = _load(lockData);
     if (!yamlObj) {
@@ -1295,7 +1298,7 @@ export const parsePnpmLock = async function (pnpmLock, parentComponent = null) {
     } catch (e) {
       // ignore parse errors
     }
-    const packages = yamlObj.packages;
+    const packages = yamlObj.packages || {};
     const pkgKeys = Object.keys(packages);
     for (const k in pkgKeys) {
       // Eg: @babel/code-frame/7.10.1
@@ -5574,28 +5577,95 @@ export const parseCsProjAssetsData = async function (
   };
 };
-export const parseCsPkgLockData = async function (csLockData) {
+export const parseCsPkgLockData = async function (csLockData, pkgLockFile) {
   const pkgList = [];
+  const dependenciesList = [];
+  const rootList = [];
   let pkg = null;
   if (!csLockData) {
-    return pkgList;
+    return {
+      pkgList,
+      dependenciesList,
+      rootList
+    };
   }
   const assetData = JSON.parse(csLockData);
   if (!assetData || !assetData.dependencies) {
-    return pkgList;
+    return {
+      pkgList,
+      dependenciesList,
+      rootList
+    };
   }
   for (const aversion of Object.keys(assetData.dependencies)) {
     for (const alib of Object.keys(assetData.dependencies[aversion])) {
       const libData = assetData.dependencies[aversion][alib];
+      const purl = new PackageURL(
+        "nuget",
+        "",
+        alib,
+        libData.resolved,
+        null,
+        null
+      ).toString();
       pkg = {
         group: "",
         name: alib,
-        version: libData.resolved
+        version: libData.resolved,
+        purl,
+        "bom-ref": decodeURIComponent(purl),
+        _integrity: libData.contentHash
+          ? "sha512-" + libData.contentHash
+          : undefined,
+        properties: [
+          {
+            name: "SrcFile",
+            value: pkgLockFile
+          }
+        ],
+        evidence: {
+          identity: {
+            field: "purl",
+            confidence: 1,
+            methods: [
+              {
+                technique: "manifest-analysis",
+                confidence: 1,
+                value: pkgLockFile
+              }
+            ]
+          }
+        }
       };
       pkgList.push(pkg);
+      if (libData.type === "Direct") {
+        rootList.push(pkg);
+      }
+      const dependsOn = [];
+      if (libData.dependencies) {
+        for (const adep of Object.keys(libData.dependencies)) {
+          const adpurl = new PackageURL(
+            "nuget",
+            "",
+            adep,
+            libData.dependencies[adep],
+            null,
+            null
+          ).toString();
+          dependsOn.push(decodeURIComponent(adpurl));
+        }
+      }
+      dependenciesList.push({
+        ref: decodeURIComponent(purl),
+        dependsOn
+      });
     }
   }
-  return pkgList;
+  return {
+    pkgList,
+    dependenciesList,
+    rootList
+  };
 };
 export const parsePaketLockData = async function (paketLockData, pkgLockFile) {
@@ -7207,6 +7277,9 @@ export const extractJarArchive = async function (
  */
 export const determineSbtVersion = function (projectPath) {
   const buildPropFile = join(projectPath, "project", "build.properties");
+  if (DEBUG_MODE) {
+    console.log("Looking for", buildPropFile);
+  }
   if (existsSync(buildPropFile)) {
     const properties = propertiesReader(buildPropFile);
     const property = properties.get("sbt.version");
@@ -7495,6 +7568,7 @@ export const executeAtom = (src, args) => {
     timeout: TIMEOUT_MS,
     detached: !isWin && !process.env.CI,
     shell: isWin,
+    killSignal: "SIGKILL",
     env
   });
   if (result.stderr) {

package/utils.test.js CHANGED Viewed

@@ -1333,16 +1333,82 @@ test("parse project.assets.json", async () => {
 });
 test("parse packages.lock.json", async () => {
-  expect(await parseCsPkgLockData(null)).toEqual([]);
-  const dep_list = await parseCsPkgLockData(
-    readFileSync("./test/data/packages.lock.json", { encoding: "utf-8" })
+  expect(await parseCsPkgLockData(null)).toEqual({
+    dependenciesList: [],
+    pkgList: [],
+    rootList: []
+  });
+  let dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages.lock.json"
   );
-  expect(dep_list.length).toEqual(14);
-  expect(dep_list[0]).toEqual({
+  expect(dep_list["pkgList"].length).toEqual(14);
+  expect(dep_list["pkgList"][0]).toEqual({
     group: "",
     name: "Antlr",
-    version: "3.5.0.2"
+    version: "3.5.0.2",
+    purl: "pkg:nuget/Antlr@3.5.0.2",
+    "bom-ref": "pkg:nuget/Antlr@3.5.0.2",
+    _integrity:
+      "sha512-CSfrVuDVMx3OrQhT84zed+tOdM1clljyRLWWlQM22fJsmG836RVDGQlE6tzysXh8X8p9UjkHbLr6OqEIVhtdEA==",
+    properties: [{ name: "SrcFile", value: "./test/data/packages.lock.json" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/packages.lock.json"
+          }
+        ]
+      }
+    }
+  });
+  dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages2.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages2.lock.json"
+  );
+  expect(dep_list["pkgList"].length).toEqual(34);
+  expect(dep_list["dependenciesList"].length).toEqual(34);
+  expect(dep_list["pkgList"][0]).toEqual({
+    group: "",
+    name: "McMaster.Extensions.Hosting.CommandLine",
+    version: "4.0.1",
+    purl: "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    "bom-ref": "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    _integrity:
+      "sha512-pZJF/zeXT3OC+3GUNO9ZicpCO9I7wYLmj0E2qPR8CRA6iUs0kGu6SCkmraB1sITx4elcVjMLiZDGMsBVMqaPhg==",
+    properties: [{ name: "SrcFile", value: "./test/data/packages2.lock.json" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/packages2.lock.json"
+          }
+        ]
+      }
+    }
   });
+  expect(dep_list["dependenciesList"][0]).toEqual({
+    ref: "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    dependsOn: [
+      "pkg:nuget/McMaster.Extensions.CommandLineUtils@4.0.1",
+      "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@6.0.0",
+      "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@6.0.0"
+    ]
+  });
+  dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages3.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages3.lock.json"
+  );
+  expect(dep_list["pkgList"].length).toEqual(15);
+  expect(dep_list["dependenciesList"].length).toEqual(15);
 });
 test("parse paket.lock", async () => {