@cyclonedx/cdxgen 9.3.1 → 9.3.2

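--- a/package/README.md
+++ b/package/README.md
@@ -289,7 +289,9 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | MAVEN_HOME | Specify maven home |
 | GRADLE_CACHE_DIR | Specify gradle cache directory. Useful for class name resolving |
 | GRADLE_MULTI_PROJECT_MODE | Unused. Automatically handled |
-| GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle. Eg: --configuration runtimeClassPath |
+| GRADLE_ARGS | Set to pass additional arguments such as profile or settings to gradle (all tasks). Eg: --configuration runtimeClassPath |
+| GRADLE_ARGS_PROPERTIES | Set to pass additional arguments only to the `gradle properties` task, used for collecting metadata about the project |
+| GRADLE_ARGS_DEPENDENCIES | Set to pass additional arguments only to the `gradle dependencies` task, used for listing actual project dependencies |
 | GRADLE_HOME | Specify gradle home |
 | GRADLE_CMD | Set to override gradle command |
 | GRADLE_DEPENDENCY_TASK | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name. |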
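--- a/package/index.js
+++ b/package/index.js
@@ -1216,7 +1216,8 @@ export const createJavaBom = async (path, options) => {
 if (bomJsonObj.dependencies && !options.requiredOnly) {
 dependencies = mergeDependencies(
 dependencies,
-bomJsonObj.dependencies
+bomJsonObj.dependencies,
+parentComponent
 );
 }
 }
@@ -1340,11 +1341,16 @@ export const createJavaBom = async (path, options) => {
 gradleDepArgs = gradleDepArgs
 .concat(depTaskWithArgs.slice(1))
 .concat(defaultDepTaskArgs);
-// Support custom GRADLE_ARGS such as --configuration runtimeClassPath
+// Support custom GRADLE_ARGS such as --configuration runtimeClassPath (used for all tasks)
 if (process.env.GRADLE_ARGS) {
 const addArgs = process.env.GRADLE_ARGS.split(" ");
 gradleDepArgs = gradleDepArgs.concat(addArgs);
 }
+// gradle args only for the dependencies task
+if (process.env.GRADLE_ARGS_DEPENDENCIES) {
+const addArgs = process.env.GRADLE_ARGS_DEPENDENCIES.split(" ");
+gradleDepArgs = gradleDepArgs.concat(addArgs);
+}
 console.log(
 "Executing",
 gradleCmd,
@@ -1376,7 +1382,8 @@ export const createJavaBom = async (path, options) => {
 if (parsedList.dependenciesList && parsedList.dependenciesList) {
 dependencies = mergeDependencies(
 dependencies,
-parsedList.dependenciesList
+parsedList.dependenciesList,
+parentComponent
 );
 }
 if (dlist && dlist.length) {
@@ -1817,7 +1824,8 @@ export const createNodejsBom = async (path, options) => {
 if (parsedList.dependenciesList && parsedList.dependenciesList) {
 dependencies = mergeDependencies(
 dependencies,
-parsedList.dependenciesList
+parsedList.dependenciesList,
+parentComponent
 );
 }
 }
@@ -1845,7 +1853,8 @@ export const createNodejsBom = async (path, options) => {
 if (parsedList.dependenciesList && parsedList.dependenciesList) {
 dependencies = mergeDependencies(
 dependencies,
-parsedList.dependenciesList
+parsedList.dependenciesList,
+parentComponent
 );
 }
 }
@@ -1991,7 +2000,8 @@ export const createNodejsBom = async (path, options) => {
 }
 dependencies = mergeDependencies(
 dependencies,
-parsedList.dependenciesList
+parsedList.dependenciesList,
+parentComponent
 );
 }
 }
@@ -3158,7 +3168,8 @@ export const createSwiftBom = (path, options) => {
 if (retData.dependenciesList) {
 dependencies = mergeDependencies(
 dependencies,
-retData.dependenciesList
+retData.dependenciesList,
+parentComponent
 );
 }
 } else {
@@ -3434,7 +3445,8 @@ export const createContainerSpecLikeBom = async (path, options) => {
 if (mbomData.bomJson.dependencies) {
 dependencies = mergeDependencies(
 dependencies,
-mbomData.bomJson.dependencies
+mbomData.bomJson.dependencies,
+parentComponent
 );
 }
 if (mbomData.bomJson.services) {
@@ -3723,6 +3735,9 @@ export const mergeDependencies = (
 newDependencies,
 parentComponent = {}
 ) => {
+if (!parentComponent && DEBUG_MODE) {
+console.log("Unable to determine parent component. Dependencies will be flattened.");
+}
 const deps_map = {};
 const parentRef =
 parentComponent && parentComponent["bom-ref"]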
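Review bot: The guard added at the top of mergeDependencies, `if (!parentComponent && DEBUG_MODE)`, cannot fire for a caller that omits the argument, because the `parentComponent = {}` default on the line above turns undefined into an empty object; only an explicit null reaches it, while an object without a bom-ref (the case that actually flattens, as the `parentRef` computation on the next lines shows) stays silent. Checking the ref rather than the object, `if (DEBUG_MODE && !(parentComponent && parentComponent["bom-ref"])) {`, matches what the code actually needs. The new GRADLE_ARGS_DEPENDENCIES block in the createJavaBom hunk splits on a single space, mirroring the existing GRADLE_ARGS block, so an argument containing whitespace cannot be passed through; if that is intended it deserves a comment, e.g. `// values are split on single spaces; arguments containing whitespace are not supported`. mergeDependencies and createJavaBom both continue outside their hunks.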
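--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
-"version": "9.3.1",
+"version": "9.3.2",
 "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian <prabhu@appthreat.com>",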
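--- a/package/utils.js
+++ b/package/utils.js
@@ -1292,6 +1292,7 @@ export const parseMavenTree = function (rawOutput) {
 let last_purl = "";
 const stack = [];
 tmpA.forEach((l) => {
+l = l.replace("\r", "");
 if (!includeMavenTestScope && l.trim().endsWith(":test")) {
 return;
 }
@@ -1447,6 +1448,13 @@ export const parseGradleDep = function (
 if (!rline) {
 continue;
 }
+if (
+(rline.startsWith("+--- ") || rline.startsWith("\\--- ")) &&
+rline.includes("{strictly") &&
+rline.includes("(c)")
+) {
+continue;
+}
 if (
 rline.trim() === "" ||
 rline.startsWith("+--- ") ||
@@ -1656,6 +1664,7 @@ export const parseGradleProjects = function (rawOutput) {
 if (typeof rawOutput === "string") {
 const tmpA = rawOutput.split("\n");
 tmpA.forEach((l) => {
+l = l.replace("\r", "")
 if (l.startsWith("Root project ")) {
 rootProject = l
 .split("Root project ")[1]
@@ -1699,6 +1708,7 @@ export const parseGradleProperties = function (rawOutput) {
 if (typeof rawOutput === "string") {
 const tmpA = rawOutput.split("\n");
 tmpA.forEach((l) => {
+l = l.replace("\r", "");
 if (l.startsWith("----") || l.startsWith(">") || !l.includes(": ")) {
 return;
 }
@@ -1749,7 +1759,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
 if (subProject && subProject.match(/:/g).length >= 2) {
 return defaultProps;
 }
-const gradlePropertiesArgs = [
+let gradlePropertiesArgs = [
 subProject ? `${subProject}:properties` : "properties",
 "-q",
 "--console",
@@ -1757,6 +1767,16 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
 "--build-cache"
 ];
 const gradleCmd = getGradleCommand(dir, rootPath);
+// common gradle args, used for all tasks
+if (process.env.GRADLE_ARGS) {
+const addArgs = process.env.GRADLE_ARGS.split(" ");
+gradlePropertiesArgs = gradlePropertiesArgs.concat(addArgs);
+}
+// gradle args only for the properties task
+if (process.env.GRADLE_ARGS_PROPERTIES) {
+const addArgs = process.env.GRADLE_ARGS_PROPERTIES.split(" ");
+gradlePropertiesArgs = gradlePropertiesArgs.concat(addArgs);
+}
 console.log(
 "Executing",
 gradleCmd,
@@ -1798,6 +1818,7 @@ export const parseBazelSkyframe = function (rawOutput) {
 const keys_cache = {};
 const tmpA = rawOutput.split("\n");
 tmpA.forEach((l) => {
+l = l.replace("\r", "");
 if (l.indexOf("external/maven") >= 0) {
 l = l.replace("arguments: ", "").replace(/"/g, "");
 // Skyframe could have duplicate entries
@@ -2244,6 +2265,7 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
 export const parseBdistMetadata = function (mData) {
 const pkg = {};
 mData.split("\n").forEach((l) => {
+l = l.replace("\r", "");
 if (l.indexOf("Name: ") > -1) {
 pkg.name = l.split("Name: ")[1];
 } else if (l.indexOf("Version: ") > -1) {
@@ -2296,6 +2318,7 @@ export const parsePyProjectToml = (tomlFile) => {
 return pkg;
 }
 tomlData.split("\n").forEach((l) => {
+l = l.replace("\r", "");
 if (l.indexOf("=") > -1) {
 const tmpA = l.split("=");
 let key = tmpA[0].trim();
@@ -2915,9 +2938,10 @@ export const parseGosumData = async function (gosumData) {
 }
 const pkgs = gosumData.split("\n");
 for (const l of pkgs) {
+let m = l.replace("\r", "");
 // look for lines containing go.mod
-if (l.indexOf("go.mod") > -1) {
-const tmpA = l.split(" ");
+if (m.indexOf("go.mod") > -1) {
+const tmpA = m.split(" ");
 const name = tmpA[0];
 const version = tmpA[1].replace("/go.mod", "");
 const hash = tmpA[tmpA.length - 1].replace("h1:", "sha256-");
@@ -3251,6 +3275,7 @@ export const parseCargoTomlData = async function (cargoData) {
 cargoData.split("\n").forEach((l) => {
 let key = null;
 let value = null;
+l = l.replace("\r", "");
 if (l.indexOf("[package]") > -1) {
 packageMode = true;
 if (pkg) {
@@ -3973,6 +3998,7 @@ export const parseConanData = function (conanData) {
 return pkgList;
 }
 conanData.split("\n").forEach((l) => {
+l = l.replace("\r", "");
 if (!l.includes("/")) {
 return;
 }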
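Review bot: The `l = l.replace("\r", "")` added in parseMavenTree strips only the first carriage return it finds, wherever it sits in the line, and the same idiom is repeated in the parseGradleProjects, parseGradleProperties, parseBazelSkyframe, parseBdistMetadata, parsePyProjectToml, parseGosumData, parseCargoTomlData and parseConanData hunks. Splitting once at the source with `rawOutput.split(/\r?\n/)` (or trimming only the terminator with `l.replace(/\r$/, "")`) handles CRLF input in one place per parser and cannot touch a CR in the middle of a value, which matters for parseGosumData where the last field becomes the recorded hash. In the parseGosumData hunk `m` is never reassigned, so `const m = l.replace("\r", "");` fits the file's `const`-by-default style, and the parseGradleProjects line is the only one of the set missing its terminating semicolon. Each of these functions starts before its hunk.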
package/utils.test.js CHANGED
@@ -163,8 +163,8 @@ test("parse gradle dependencies", () => {
163
163
  parsedList = parseGradleDep(
164
164
  readFileSync("./test/data/gradle-android-dep.out", { encoding: "utf-8" })
165
165
  );
166
- expect(parsedList.pkgList.length).toEqual(105);
167
- expect(parsedList.dependenciesList.length).toEqual(106);
166
+ expect(parsedList.pkgList.length).toEqual(104);
167
+ expect(parsedList.dependenciesList.length).toEqual(105);
168
168
  expect(parsedList.pkgList[0]).toEqual({
169
169
  group: "com.android.support.test",
170
170
  name: "runner",
@@ -181,12 +181,12 @@ test("parse gradle dependencies", () => {
181
181
  ]
182
182
  });
183
183
  expect(parsedList.pkgList[103]).toEqual({
184
- group: "androidx.print",
185
- name: "print",
184
+ group: "androidx.core",
185
+ name: "core",
186
186
  qualifiers: {
187
187
  type: "jar"
188
188
  },
189
- version: "1.0.0",
189
+ version: "1.7.0",
190
190
  scope: "optional",
191
191
  properties: [
192
192
  {