@cyclonedx/cdxgen 9.11.2 → 9.11.4

package/README.md

@@ -345,7 +345,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
-- .NET (project.assets.json, paket.lock)
+- .NET (packages.lock.json, project.assets.json, paket.lock)
 - Go (go.mod)
 - PHP (composer.lock)
 

package/index.js

@@ -1391,7 +1391,7 @@ export const createJavaBom = async (path, options) => {
         parentComponent = {
           name: rootProject,
           type: "application",
-          ...(retMap.metadata || {})
+          ...retMap.metadata
         };
         const parentPurl = new PackageURL(
           "maven",
@@ -1415,7 +1415,7 @@ export const createJavaBom = async (path, options) => {
               name: rspName,
               type: "application",
               qualifiers: { type: "jar" },
-              ...(retMap.metadata || {})
+              ...retMap.metadata
             };
             const rootSubProjectPurl = new PackageURL(
               "maven",
@@ -4280,14 +4280,11 @@ export const createRubyBom = async (path, options) => {
  * @param path to the project
  * @param options Parse options from the cli
  */
-export const createCsharpBom = async (
-  path,
-  options,
-  parentComponent = undefined
-) => {
+export const createCsharpBom = async (path, options) => {
   let manifestFiles = [];
   let pkgData = undefined;
   let dependencies = [];
+  let parentComponent = createDefaultParentComponent(path, "nuget", options);
   let csProjFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*.csproj",
@@ -4352,21 +4349,39 @@ export const createCsharpBom = async (
         pkgList = pkgList.concat(dlist);
       }
       if (deps && deps.length) {
-        dependencies = dependencies.concat(deps);
+        dependencies = mergeDependencies(dependencies, deps, parentComponent);
       }
     }
   } else if (pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
+    let parentDependsOn = [];
     // packages.lock.json from nuget
     for (const af of pkgLockFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${af}`);
       }
       pkgData = readFileSync(af, { encoding: "utf-8" });
-      const dlist = await parseCsPkgLockData(pkgData);
+      let results = await parseCsPkgLockData(pkgData, af);
+      let deps = results["dependenciesList"];
+      let dlist = results["pkgList"];
+      let rootList = results["rootList"];
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
+      if (deps && deps.length) {
+        dependencies = mergeDependencies(dependencies, deps, parentComponent);
+      }
+      // Keep track of the direct dependencies so that we can construct one complete
+      // list after processing all lock files
+      if (rootList && rootList.length) {
+        parentDependsOn = parentDependsOn.concat(rootList);
+      }
+    }
+    if (parentDependsOn.length) {
+      dependencies.splice(0, 0, {
+        ref: parentComponent["bom-ref"],
+        dependsOn: parentDependsOn.map((p) => p["bom-ref"])
+      });
     }
   } else if (pkgConfigFiles.length) {
     manifestFiles = manifestFiles.concat(pkgConfigFiles);
@@ -4418,15 +4433,11 @@ export const createCsharpBom = async (
         pkgList = pkgList.concat(dlist);
       }
       if (deps && deps.length) {
-        dependencies = dependencies.concat(deps);
+        dependencies = mergeDependencies(dependencies, deps, parentComponent);
       }
     }
   }
-  if (!parentComponent) {
-    parentComponent = createDefaultParentComponent(path, options.type, options);
-  }
   if (pkgList.length) {
-    dependencies = mergeDependencies(dependencies, [], parentComponent);
     pkgList = trimComponents(pkgList, "json");
     // Perform deep analysis using dosai
     if (options.deep) {
@@ -4450,7 +4461,6 @@ export const createCsharpBom = async (
     if (retMap.dependencies && retMap.dependencies.length) {
       dependencies = dependencies.concat(retMap.dependencies);
     }
-    dependencies = mergeDependencies(dependencies, [], parentComponent);
     pkgList = trimComponents(pkgList, "json");
   }
   return buildBomNSData(options, pkgList, "nuget", {
@@ -4808,7 +4818,7 @@ export const createMultiXBom = async (pathList, options) => {
         listComponents(options, {}, bomData.bomJson.components, "gem", "xml")
       );
     }
-    bomData = await createCsharpBom(path, options, parentComponent);
+    bomData = await createCsharpBom(path, options);
     if (
       bomData &&
       bomData.bomJson &&

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.11.2",
+  "version": "9.11.4",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,9 +55,9 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.6",
-    "@babel/traverse": "^7.23.7",
-    "@npmcli/arborist": "7.2.2",
+    "@babel/parser": "^7.23.9",
+    "@babel/traverse": "^7.23.9",
+    "@npmcli/arborist": "7.3.1",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",

package/utils.js

@@ -5577,28 +5577,95 @@ export const parseCsProjAssetsData = async function (
   };
 };
 
-export const parseCsPkgLockData = async function (csLockData) {
+export const parseCsPkgLockData = async function (csLockData, pkgLockFile) {
   const pkgList = [];
+  const dependenciesList = [];
+  const rootList = [];
   let pkg = null;
   if (!csLockData) {
-    return pkgList;
+    return {
+      pkgList,
+      dependenciesList,
+      rootList
+    };
   }
   const assetData = JSON.parse(csLockData);
   if (!assetData || !assetData.dependencies) {
-    return pkgList;
+    return {
+      pkgList,
+      dependenciesList,
+      rootList
+    };
   }
   for (const aversion of Object.keys(assetData.dependencies)) {
     for (const alib of Object.keys(assetData.dependencies[aversion])) {
       const libData = assetData.dependencies[aversion][alib];
+      const purl = new PackageURL(
+        "nuget",
+        "",
+        alib,
+        libData.resolved,
+        null,
+        null
+      ).toString();
       pkg = {
         group: "",
         name: alib,
-        version: libData.resolved
+        version: libData.resolved,
+        purl,
+        "bom-ref": decodeURIComponent(purl),
+        _integrity: libData.contentHash
+          ? "sha512-" + libData.contentHash
+          : undefined,
+        properties: [
+          {
+            name: "SrcFile",
+            value: pkgLockFile
+          }
+        ],
+        evidence: {
+          identity: {
+            field: "purl",
+            confidence: 1,
+            methods: [
+              {
+                technique: "manifest-analysis",
+                confidence: 1,
+                value: pkgLockFile
+              }
+            ]
+          }
+        }
       };
       pkgList.push(pkg);
+      if (libData.type === "Direct") {
+        rootList.push(pkg);
+      }
+      const dependsOn = [];
+      if (libData.dependencies) {
+        for (const adep of Object.keys(libData.dependencies)) {
+          const adpurl = new PackageURL(
+            "nuget",
+            "",
+            adep,
+            libData.dependencies[adep],
+            null,
+            null
+          ).toString();
+          dependsOn.push(decodeURIComponent(adpurl));
+        }
+      }
+      dependenciesList.push({
+        ref: decodeURIComponent(purl),
+        dependsOn
+      });
     }
   }
-  return pkgList;
+  return {
+    pkgList,
+    dependenciesList,
+    rootList
+  };
 };
 
 export const parsePaketLockData = async function (paketLockData, pkgLockFile) {

package/utils.test.js

@@ -1333,16 +1333,82 @@ test("parse project.assets.json", async () => {
 });
 
 test("parse packages.lock.json", async () => {
-  expect(await parseCsPkgLockData(null)).toEqual([]);
-  const dep_list = await parseCsPkgLockData(
-    readFileSync("./test/data/packages.lock.json", { encoding: "utf-8" })
+  expect(await parseCsPkgLockData(null)).toEqual({
+    dependenciesList: [],
+    pkgList: [],
+    rootList: []
+  });
+  let dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages.lock.json"
   );
-  expect(dep_list.length).toEqual(14);
-  expect(dep_list[0]).toEqual({
+  expect(dep_list["pkgList"].length).toEqual(14);
+  expect(dep_list["pkgList"][0]).toEqual({
     group: "",
     name: "Antlr",
-    version: "3.5.0.2"
+    version: "3.5.0.2",
+    purl: "pkg:nuget/Antlr@3.5.0.2",
+    "bom-ref": "pkg:nuget/Antlr@3.5.0.2",
+    _integrity:
+      "sha512-CSfrVuDVMx3OrQhT84zed+tOdM1clljyRLWWlQM22fJsmG836RVDGQlE6tzysXh8X8p9UjkHbLr6OqEIVhtdEA==",
+    properties: [{ name: "SrcFile", value: "./test/data/packages.lock.json" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/packages.lock.json"
+          }
+        ]
+      }
+    }
+  });
+  dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages2.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages2.lock.json"
+  );
+  expect(dep_list["pkgList"].length).toEqual(34);
+  expect(dep_list["dependenciesList"].length).toEqual(34);
+  expect(dep_list["pkgList"][0]).toEqual({
+    group: "",
+    name: "McMaster.Extensions.Hosting.CommandLine",
+    version: "4.0.1",
+    purl: "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    "bom-ref": "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    _integrity:
+      "sha512-pZJF/zeXT3OC+3GUNO9ZicpCO9I7wYLmj0E2qPR8CRA6iUs0kGu6SCkmraB1sITx4elcVjMLiZDGMsBVMqaPhg==",
+    properties: [{ name: "SrcFile", value: "./test/data/packages2.lock.json" }],
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 1,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 1,
+            value: "./test/data/packages2.lock.json"
+          }
+        ]
+      }
+    }
   });
+  expect(dep_list["dependenciesList"][0]).toEqual({
+    ref: "pkg:nuget/McMaster.Extensions.Hosting.CommandLine@4.0.1",
+    dependsOn: [
+      "pkg:nuget/McMaster.Extensions.CommandLineUtils@4.0.1",
+      "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@6.0.0",
+      "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@6.0.0"
+    ]
+  });
+  dep_list = await parseCsPkgLockData(
+    readFileSync("./test/data/packages3.lock.json", { encoding: "utf-8" }),
+    "./test/data/packages3.lock.json"
+  );
+  expect(dep_list["pkgList"].length).toEqual(15);
+  expect(dep_list["dependenciesList"].length).toEqual(15);
 });
 
 test("parse paket.lock", async () => {