@cyclonedx/cdxgen 9.11.6 → 10.0.0

package/data/cosdb-queries.json

@@ -5,7 +5,7 @@
     "purlType": "deb"
   },
   "portage_packages": {
-    "query": "select * from portage_packages where name like '%dev%' OR name like '%header%';",
+    "query": "select * from portage_packages where package like '%dev%' OR package like '%header%';",
     "description": "Retrieves all the installed packages on the target Linux system.",
     "purlType": "ebuild"
   },

package/display.js

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync } from "fs";
+import { existsSync, readFileSync } from "node:fs";
 import { createStream, table } from "table";
 
 // https://github.com/yangshun/tree-node-cli/blob/master/src/index.js
@@ -166,7 +166,7 @@ export const printCallStack = (bomJson) => {
         )
       )
     ).sort(locationComparator);
-    let frameDisplay = [frames[0]];
+    const frameDisplay = [frames[0]];
     if (frames.length > 1) {
       for (let i = 1; i < frames.length - 1; i++) {
         frameDisplay.push(`${SYMBOLS_ANSI.BRANCH} ${frames[i]}`);

package/docker.js

@@ -2,6 +2,8 @@ import got from "got";
 import { globSync } from "glob";
 import { parse } from "node:url";
 import stream from "node:stream/promises";
+import process from "node:process";
+import { Buffer } from "node:buffer";
 import {
   existsSync,
   readdirSync,
@@ -498,7 +500,7 @@ export const getImage = async (fullImageName) => {
   let localData = undefined;
   let pullData = undefined;
   const { registry, repo, tag, digest } = parseImageName(fullImageName);
-  let repoWithTag =
+  const repoWithTag =
     registry && registry !== "docker.io"
       ? fullImageName
       : `${repo}:${tag !== "" ? tag : ":latest"}`;
@@ -718,7 +720,7 @@ export const extractTar = async (fullImageName, dir) => {
         "Please run cdxgen from a powershell terminal with admin privileges to create symlinks."
       );
       console.log(err);
-    } else if (err.code !== "TAR_BAD_ARCHIVE") {
+    } else if (!["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO"].includes(err.code)) {
       console.log(
         `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`
       );

package/envcontext.js

@@ -0,0 +1,302 @@
+import { spawnSync } from "node:child_process";
+import {
+  isWin,
+  PYTHON_CMD,
+  JAVA_CMD,
+  DOTNET_CMD,
+  NODE_CMD,
+  NPM_CMD,
+  GCC_CMD,
+  GO_CMD,
+  RUSTC_CMD,
+  CARGO_CMD
+} from "./utils.js";
+import process from "node:process";
+import { Buffer } from "node:buffer";
+
+const GIT_COMMAND = process.env.GIT_CMD || "git";
+
+/**
+ * Retrieves a git config item
+ * @param {string} configKey Git config key
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getGitConfig = (configKey, dir) => {
+  return execGitCommand(dir, ["config", "--get", configKey]);
+};
+
+/**
+ * Retrieves the git origin url
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getOriginUrl = (dir) => {
+  return getGitConfig("remote.origin.url", dir);
+};
+
+/**
+ * Retrieves the git branch name
+ * @param {string} configKey Git config key
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getBranch = (configKey, dir) => {
+  return execGitCommand(dir, ["rev-parse", "--abbrev-ref", "HEAD"]);
+};
+
+/**
+ * Retrieves the files list from git
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const listFiles = (dir) => {
+  const filesList = [];
+  const output = execGitCommand(dir, [
+    "ls-tree",
+    "-l",
+    "-r",
+    "--full-tree",
+    "HEAD"
+  ]);
+  if (output) {
+    output.split("\n").forEach((l) => {
+      l = l.replace("\r", "");
+      if (l === "\n" || l.startsWith("#")) {
+        return;
+      }
+      const tmpA = l.split(" ");
+      if (tmpA && tmpA.length >= 5) {
+        const lastParts = tmpA[tmpA.length - 1].split("\t");
+        filesList.push({
+          hash: tmpA[2],
+          name: lastParts[lastParts.length - 1]
+        });
+      }
+    });
+  }
+  return filesList;
+};
+
+/**
+ * Execute a git command
+ *
+ * @param {string} dir Repo directory
+ * @param {Array} args arguments to git command
+ *
+ * @returns Output from the git command
+ */
+export const execGitCommand = (dir, args) => {
+  return getCommandOutput(GIT_COMMAND, dir, args);
+};
+
+/**
+ * Collect Java version and installed modules
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing the java details
+ */
+export const collectJavaInfo = (dir) => {
+  const versionDesc = getCommandOutput(JAVA_CMD, dir, ["--version"]);
+  const moduleDesc = getCommandOutput(JAVA_CMD, dir, ["--list-modules"]) || "";
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "java",
+      version: versionDesc.split("\n")[0].replace("java ", ""),
+      description: versionDesc,
+      properties: [
+        {
+          name: "java:modules",
+          value: moduleDesc.replaceAll("\n", ", ")
+        }
+      ]
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect dotnet version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing dotnet details
+ */
+export const collectDotnetInfo = (dir) => {
+  const versionDesc = getCommandOutput(DOTNET_CMD, dir, ["--version"]);
+  const moduleDesc =
+    getCommandOutput(DOTNET_CMD, dir, ["--list-runtimes"]) || "";
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "dotnet",
+      version: versionDesc.trim(),
+      description: moduleDesc.replaceAll("\n", "\\n")
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect python version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing python details
+ */
+export const collectPythonInfo = (dir) => {
+  const versionDesc = getCommandOutput(PYTHON_CMD, dir, ["--version"]);
+  const moduleDesc =
+    getCommandOutput(PYTHON_CMD, dir, ["-m", "pip", "--version"]) || "";
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "python",
+      version: versionDesc.replace("Python ", ""),
+      description: moduleDesc.replaceAll("\n", "\\n")
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect node version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing node details
+ */
+export const collectNodeInfo = (dir) => {
+  const versionDesc = getCommandOutput(NODE_CMD, dir, ["--version"]);
+  let moduleDesc = getCommandOutput(NPM_CMD, dir, ["--version"]);
+  if (moduleDesc) {
+    moduleDesc = `npm: ${moduleDesc}`;
+  }
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "node",
+      version: versionDesc.trim(),
+      description: moduleDesc
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect gcc version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing gcc details
+ */
+export const collectGccInfo = (dir) => {
+  const versionDesc = getCommandOutput(GCC_CMD, dir, ["--version"]);
+  const moduleDesc = getCommandOutput(GCC_CMD, dir, ["-print-search-dirs"]);
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "gcc",
+      version: versionDesc.split("\n")[0],
+      description: moduleDesc.replaceAll("\n", "\\n")
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect rust version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing rust details
+ */
+export const collectRustInfo = (dir) => {
+  const versionDesc = getCommandOutput(RUSTC_CMD, dir, ["--version"]);
+  const moduleDesc = getCommandOutput(CARGO_CMD, dir, ["--version"]);
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "rustc",
+      version: versionDesc.trim(),
+      description: moduleDesc.trim()
+    };
+  }
+  return undefined;
+};
+
+/**
+ * Collect go version
+ *
+ * @param {string} dir Working directory
+ * @returns Object containing go details
+ */
+export const collectGoInfo = (dir) => {
+  const versionDesc = getCommandOutput(GO_CMD, dir, ["version"]);
+  if (versionDesc) {
+    return {
+      type: "platform",
+      name: "go",
+      version: versionDesc.trim()
+    };
+  }
+  return undefined;
+};
+
+export const collectEnvInfo = (dir) => {
+  const infoComponents = [];
+  let cmp = collectJavaInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectDotnetInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectPythonInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectNodeInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectGccInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectRustInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  cmp = collectGoInfo(dir);
+  if (cmp) {
+    infoComponents.push(cmp);
+  }
+  return infoComponents;
+};
+
+/**
+ * Execute any command to retrieve the output
+ *
+ * @param {*} cmd Command to execute
+ * @param {*} dir working directory
+ * @param {*} args arguments
+ * @returns String output from the command or undefined in case of error
+ */
+const getCommandOutput = (cmd, dir, args) => {
+  const result = spawnSync(cmd, args, {
+    cwd: dir,
+    encoding: "utf-8",
+    shell: isWin
+  });
+  if (result.status !== 0 || result.error) {
+    return undefined;
+  } else {
+    const stdout = result.stdout;
+    if (stdout) {
+      const cmdOutput = Buffer.from(stdout).toString();
+      return cmdOutput.trim();
+    }
+  }
+};

package/envcontext.test.js

@@ -0,0 +1,31 @@
+import { expect, test } from "@jest/globals";
+
+import {
+  getBranch,
+  getOriginUrl,
+  listFiles,
+  collectJavaInfo,
+  collectDotnetInfo,
+  collectPythonInfo,
+  collectNodeInfo,
+  collectGccInfo,
+  collectRustInfo,
+  collectGoInfo
+} from "./envcontext.js";
+
+test("git tests", () => {
+  expect(getBranch()).toBeDefined();
+  expect(getOriginUrl()).toBeDefined();
+  const files = listFiles();
+  expect(files.length).toBeGreaterThan(10);
+});
+
+test("tools tests", () => {
+  expect(collectJavaInfo()).toBeDefined();
+  expect(collectDotnetInfo()).toBeDefined();
+  expect(collectPythonInfo()).toBeDefined();
+  expect(collectNodeInfo()).toBeDefined();
+  expect(collectGccInfo()).toBeDefined();
+  expect(collectRustInfo()).toBeDefined();
+  expect(collectGoInfo()).toBeDefined();
+});

package/evinser.js

@@ -4,7 +4,8 @@ import {
   getGradleCommand,
   getMavenCommand,
   collectGradleDependencies,
-  collectMvnDependencies
+  collectMvnDependencies,
+  DEBUG_MODE
 } from "./utils.js";
 import { tmpdir } from "node:os";
 import path from "node:path";
@@ -98,7 +99,7 @@ export const catalogMavenDeps = async (
   if (fs.existsSync(path.join(dirPath, "bom.json.map"))) {
     try {
       const mapData = JSON.parse(
-        fs.readFileSync(path.join(dirPath, "bom.json.map"))
+        fs.readFileSync(path.join(dirPath, "bom.json.map"), "utf-8")
       );
       if (mapData && Object.keys(mapData).length) {
         jarNSMapping = mapData;
@@ -111,7 +112,7 @@ export const catalogMavenDeps = async (
     console.log("About to collect jar dependencies for the path", dirPath);
     const mavenCmd = getMavenCommand(dirPath, dirPath);
     // collect all jars including from the cache if data-flow mode is enabled
-    jarNSMapping = collectMvnDependencies(
+    jarNSMapping = await collectMvnDependencies(
       mavenCmd,
       dirPath,
       false,
@@ -145,7 +146,7 @@ export const catalogGradleDeps = async (dirPath, purlsJars, Namespaces) => {
   );
   const gradleCmd = getGradleCommand(dirPath, dirPath);
   // collect all jars including from the cache if data-flow mode is enabled
-  const jarNSMapping = collectGradleDependencies(
+  const jarNSMapping = await collectGradleDependencies(
     gradleCmd,
     dirPath,
     false,
@@ -1110,7 +1111,7 @@ export const collectDataFlowFrames = async (
   }
   const paths = dataFlowSlice?.paths || [];
   for (const apath of paths) {
-    let aframe = [];
+    const aframe = [];
     let referredPurls = new Set();
     for (const nid of apath) {
       const theNode = nodeCache[nid];
@@ -1163,7 +1164,7 @@ export const collectDataFlowFrames = async (
               referredPurls.add(ns.purl);
             }
             typePurlsCache[typeFullName] = nsHits;
-          } else {
+          } else if (DEBUG_MODE) {
             console.log("Unable to identify purl for", typeFullName);
           }
         }
@@ -1213,14 +1214,14 @@ export const collectDataFlowFrames = async (
  * @param {string} language Application language
  * @param {object} reachablesSlice Reachables slice object from atom
  */
-export const collectReachableFrames = async (language, reachablesSlice) => {
+export const collectReachableFrames = (language, reachablesSlice) => {
   const reachableNodes = reachablesSlice?.reachables || [];
   // purl key and an array of frames array
   // CycloneDX 1.5 currently accepts only 1 frame as evidence
   // so this method is more future-proof
   const dfFrames = {};
   for (const anode of reachableNodes) {
-    let aframe = [];
+    const aframe = [];
     let referredPurls = new Set(anode.purls || []);
     for (const fnode of anode.flows) {
       if (!fnode.parentFileName || fnode.parentFileName === "<unknown>") {