@cyclonedx/cdxgen 9.2.1 → 9.2.2

package/index.js

@@ -1312,6 +1312,7 @@ export const createJavaBom = async (path, options) => {
         // Bug #317 fix
         parentComponent.components = allProjects.flatMap((s) => {
           delete s.qualifiers;
+          delete s.evidence;
           return s;
         });
         dependencies.push({
@@ -3787,6 +3788,7 @@ export const createMultiXBom = async (pathList, options) => {
       ) {
         parentSubComponents.push(bomData.parentComponent);
       }
+      // Retain metadata.component.components
       if (
         bomData.parentComponent.components &&
         bomData.parentComponent.components.length
@@ -3819,6 +3821,15 @@ export const createMultiXBom = async (pathList, options) => {
       ) {
         parentSubComponents.push(bomData.parentComponent);
       }
+      // Retain metadata.component.components
+      if (
+        bomData.parentComponent.components &&
+        bomData.parentComponent.components.length
+      ) {
+        parentSubComponents = parentSubComponents.concat(
+          bomData.parentComponent.components
+        );
+      }
       componentsXmls = componentsXmls.concat(
         listComponents(options, {}, bomData.bomJson.components, "maven", "xml")
       );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.2.1",
+  "version": "9.2.2",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -443,10 +443,22 @@ export const parsePkgJson = async (pkgJsonFile) => {
     try {
       const pkgData = JSON.parse(readFileSync(pkgJsonFile, "utf8"));
       const pkgIdentifier = parsePackageJsonName(pkgData.name);
+      const name = pkgIdentifier.fullName || pkgData.name;
+      const group = pkgIdentifier.scope || "";
+      const purl = new PackageURL(
+        "npm",
+        encodeForPurl(group),
+        encodeForPurl(name),
+        pkgData.version,
+        null,
+        null
+      ).toString();
       pkgList.push({
-        name: pkgIdentifier.fullName || pkgData.name,
-        group: pkgIdentifier.scope || "",
+        name,
+        group,
         version: pkgData.version,
+        purl,
+        "bom-ref": decodeURIComponent(purl),
         properties: [
           {
             name: "SrcFile",
@@ -1740,7 +1752,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
   if (subProject && subProject.match(/:/g).length >= 2) {
     return defaultProps;
   }
-  let gradlePropertiesArgs = [
+  const gradlePropertiesArgs = [
     subProject ? `${subProject}:properties` : "properties",
     "-q",
     "--console",

package/validator.js

@@ -68,11 +68,16 @@ export const validateMetadata = (bomJson) => {
       warningsList.push("metadata.component is missing.");
     }
     if (bomJson.metadata.component) {
+      // Do we have a purl and bom-ref for metadata.component
+      if (!bomJson.metadata.component.purl) {
+        warningsList.push(`purl is missing for metadata.component`);
+      }
+      if (!bomJson.metadata.component["bom-ref"]) {
+        warningsList.push(`bom-ref is missing for metadata.component`);
+      }
       // Do we have a version for metadata.component
       if (!bomJson.metadata.component.version) {
-        warningsList.push(
-          `Version is missing for metadata.component with ref ${bomJson.metadata.component["bom-ref"]}`
-        );
+        warningsList.push(`Version is missing for metadata.component`);
       }
       // Is the same component getting repeated inside the components block
       if (