@cyclonedx/cdxgen 9.3.1 → 9.4.0

package/index.js

@@ -199,18 +199,25 @@ const createDefaultParentComponent = (path, type = "application") => {
 
 const determineParentComponent = (options) => {
   let parentComponent = undefined;
-  if (options.projectName && options.projectVersion) {
+  if (options.parentComponent && Object.keys(options.parentComponent).length) {
+    return options.parentComponent;
+  } else if (options.projectName && options.projectVersion) {
     parentComponent = {
       group: options.projectGroup || "",
       name: options.projectName,
       version: "" + options.projectVersion || "",
       type: "application"
     };
-  } else if (
-    options.parentComponent &&
-    Object.keys(options.parentComponent).length
-  ) {
-    return options.parentComponent;
+    const ppurl = new PackageURL(
+      parentComponent.type,
+      parentComponent.group,
+      parentComponent.name,
+      parentComponent.version,
+      null,
+      null
+    ).toString();
+    parentComponent["bom-ref"] = ppurl;
+    parentComponent["purl"] = decodeURIComponent(ppurl);
   }
   return parentComponent;
 };
@@ -323,11 +330,18 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
     if (parentComponent) {
       delete parentComponent.evidence;
       delete parentComponent._integrity;
+      delete parentComponent.license;
+      if (!parentComponent["purl"] && parentComponent["bom-ref"]) {
+        parentComponent["purl"] = decodeURIComponent(
+          parentComponent["bom-ref"]
+        );
+      }
     }
     if (parentComponent && parentComponent.components) {
       for (const comp of parentComponent.components) {
         delete comp.evidence;
         delete comp._integrity;
+        delete comp.license;
         if (!comp["bom-ref"] && comp.name && comp.type) {
           let fullName =
             comp.group && comp.group.length
@@ -1216,7 +1230,8 @@ export const createJavaBom = async (path, options) => {
             if (bomJsonObj.dependencies && !options.requiredOnly) {
               dependencies = mergeDependencies(
                 dependencies,
-                bomJsonObj.dependencies
+                bomJsonObj.dependencies,
+                parentComponent
               );
             }
           }
@@ -1335,16 +1350,21 @@ export const createJavaBom = async (path, options) => {
         let gradleDepArgs = [
           sp.purl === parentComponent.purl
             ? depTaskWithArgs[0]
-            : `:${sp.name}:${depTaskWithArgs[0]}`
+            : `:${sp.name.replace(/\//, ":")}:${depTaskWithArgs[0]}`
         ];
         gradleDepArgs = gradleDepArgs
           .concat(depTaskWithArgs.slice(1))
           .concat(defaultDepTaskArgs);
-        // Support custom GRADLE_ARGS such as --configuration runtimeClassPath
+        // Support custom GRADLE_ARGS such as --configuration runtimeClassPath (used for all tasks)
         if (process.env.GRADLE_ARGS) {
           const addArgs = process.env.GRADLE_ARGS.split(" ");
           gradleDepArgs = gradleDepArgs.concat(addArgs);
         }
+        // gradle args only for the dependencies task
+        if (process.env.GRADLE_ARGS_DEPENDENCIES) {
+          const addArgs = process.env.GRADLE_ARGS_DEPENDENCIES.split(" ");
+          gradleDepArgs = gradleDepArgs.concat(addArgs);
+        }
         console.log(
           "Executing",
           gradleCmd,
@@ -1376,7 +1396,8 @@ export const createJavaBom = async (path, options) => {
           if (parsedList.dependenciesList && parsedList.dependenciesList) {
             dependencies = mergeDependencies(
               dependencies,
-              parsedList.dependenciesList
+              parsedList.dependenciesList,
+              parentComponent
             );
           }
           if (dlist && dlist.length) {
@@ -1779,9 +1800,9 @@ export const createNodejsBom = async (path, options) => {
           parentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",
-            parentComponent.group,
-            parentComponent.name,
-            parentComponent.version,
+            options.projectGroup || parentComponent.group,
+            options.projectName || parentComponent.name,
+            options.projectVersion || parentComponent.version,
             null,
             null
           ).toString();
@@ -1799,9 +1820,9 @@ export const createNodejsBom = async (path, options) => {
         };
         ppurl = new PackageURL(
           "npm",
-          parentComponent.group,
-          parentComponent.name,
-          parentComponent.version,
+          options.projectGroup || parentComponent.group,
+          options.projectName || parentComponent.name,
+          options.projectVersion || parentComponent.version,
           null,
           null
         ).toString();
@@ -1817,7 +1838,8 @@ export const createNodejsBom = async (path, options) => {
       if (parsedList.dependenciesList && parsedList.dependenciesList) {
         dependencies = mergeDependencies(
           dependencies,
-          parsedList.dependenciesList
+          parsedList.dependenciesList,
+          parentComponent
         );
       }
     }
@@ -1829,11 +1851,10 @@ export const createNodejsBom = async (path, options) => {
         console.log(`Parsing ${f}`);
       }
       // Parse package-lock.json if available
-      const parsedList = await parsePkgLock(f);
+      const parsedList = await parsePkgLock(f, options);
       const dlist = parsedList.pkgList;
       const tmpParentComponent = dlist.splice(0, 1)[0] || {};
       tmpParentComponent.type = "application";
-      // Create a default parent component based on directory name
       if (!Object.keys(parentComponent).length) {
         parentComponent = tmpParentComponent;
       } else {
@@ -1845,7 +1866,8 @@ export const createNodejsBom = async (path, options) => {
       if (parsedList.dependenciesList && parsedList.dependenciesList) {
         dependencies = mergeDependencies(
           dependencies,
-          parsedList.dependenciesList
+          parsedList.dependenciesList,
+          parentComponent
         );
       }
     }
@@ -1920,9 +1942,9 @@ export const createNodejsBom = async (path, options) => {
           tmpParentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",
-            tmpParentComponent.group,
-            tmpParentComponent.name,
-            tmpParentComponent.version,
+            options.projectGroup || tmpParentComponent.group,
+            options.projectName || tmpParentComponent.name,
+            options.projectVersion || tmpParentComponent.version,
             null,
             null
           ).toString();
@@ -1939,15 +1961,15 @@ export const createNodejsBom = async (path, options) => {
         const tmpA = dirName.split(sep);
         dirName = tmpA[tmpA.length - 1];
         const tmpParentComponent = {
-          group: "",
-          name: dirName,
+          group: options.projectGroup || "",
+          name: options.projectName || dirName,
           type: "application"
         };
         ppurl = new PackageURL(
           "npm",
           tmpParentComponent.group,
           tmpParentComponent.name,
-          tmpParentComponent.version,
+          options.projectVersion || tmpParentComponent.version,
           null,
           null
         ).toString();
@@ -1991,7 +2013,8 @@ export const createNodejsBom = async (path, options) => {
         }
         dependencies = mergeDependencies(
           dependencies,
-          parsedList.dependenciesList
+          parsedList.dependenciesList,
+          parentComponent
         );
       }
     }
@@ -2020,6 +2043,8 @@ export const createNodejsBom = async (path, options) => {
   if (parentSubComponents.length) {
     parentComponent.components = parentSubComponents;
   }
+  // We need to set this to force our version to be used rather than the directory name based one.
+  options.parentComponent = parentComponent;
   return buildBomNSData(options, pkgList, "npm", {
     allImports,
     src: path,
@@ -2250,14 +2275,20 @@ export const createPythonBom = async (path, options) => {
         pkgMap = getPipFrozenTree(path, undefined, tempDir);
       }
       // Get the imported modules and a dedupe list of packages
-      const parentDependsOn = [];
+      const parentDependsOn = new Set();
       const retMap = await getPyModules(path, pkgList);
       if (retMap.pkgList && retMap.pkgList.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         for (const p of retMap.pkgList) {
-          if (p.version) {
-            parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+          if (
+            !p.version ||
+            (parentComponent &&
+              p.name === parentComponent.name &&
+              (p.version === parentComponent.version || p.version === "latest"))
+          ) {
+            continue;
           }
+          parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
         }
       }
       if (retMap.dependenciesList) {
@@ -2275,11 +2306,11 @@ export const createPythonBom = async (path, options) => {
         if (
           parentComponent &&
           p.name === parentComponent.name &&
-          p.version === parentComponent.version
+          (p.version === parentComponent.version || p.version === "latest")
         ) {
           continue;
         }
-        parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+        parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
       }
       if (pkgMap.pkgList && pkgMap.pkgList.length) {
         pkgList = pkgList.concat(pkgMap.pkgList);
@@ -2291,13 +2322,22 @@ export const createPythonBom = async (path, options) => {
           parentComponent
         );
       }
-      const pdependencies = {
-        ref: parentComponent["bom-ref"],
-        dependsOn: parentDependsOn.filter(
-          (r) => parentComponent && r !== parentComponent["bom-ref"]
-        )
-      };
-      dependencies.splice(0, 0, pdependencies);
+      let parentPresent = false;
+      for (const d of dependencies) {
+        if (d.ref === parentComponent["bom-ref"]) {
+          parentPresent = true;
+          break;
+        }
+      }
+      if (!parentPresent) {
+        const pdependencies = {
+          ref: parentComponent["bom-ref"],
+          dependsOn: Array.from(parentDependsOn).filter(
+            (r) => parentComponent && r !== parentComponent["bom-ref"]
+          )
+        };
+        dependencies.splice(0, 0, pdependencies);
+      }
     }
   }
   // Final fallback is to manually parse setup.py if we still
@@ -3158,7 +3198,8 @@ export const createSwiftBom = (path, options) => {
         if (retData.dependenciesList) {
           dependencies = mergeDependencies(
             dependencies,
-            retData.dependenciesList
+            retData.dependenciesList,
+            parentComponent
           );
         }
       } else {
@@ -3434,7 +3475,8 @@ export const createContainerSpecLikeBom = async (path, options) => {
         if (mbomData.bomJson.dependencies) {
           dependencies = mergeDependencies(
             dependencies,
-            mbomData.bomJson.dependencies
+            mbomData.bomJson.dependencies,
+            parentComponent
           );
         }
         if (mbomData.bomJson.services) {
@@ -3723,6 +3765,11 @@ export const mergeDependencies = (
   newDependencies,
   parentComponent = {}
 ) => {
+  if (!parentComponent && DEBUG_MODE) {
+    console.log(
+      "Unable to determine parent component. Dependencies will be flattened."
+    );
+  }
   const deps_map = {};
   const parentRef =
     parentComponent && parentComponent["bom-ref"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.3.1",
+  "version": "9.4.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -31,13 +31,14 @@
   "type": "module",
   "exports": "./index.js",
   "bin": {
-    "cdxgen": "./bin/cdxgen.js"
+    "cdxgen": "./bin/cdxgen.js",
+    "cdxi": "./bin/repl.js"
   },
   "scripts": {
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
-    "lint": "eslint *.js *.test.js bin/cdxgen.js",
-    "pretty": "prettier --write *.js data/*.json bin/cdxgen.js --trailing-comma=none"
+    "lint": "eslint *.js *.test.js bin/*.js",
+    "pretty": "prettier --write *.js data/*.json bin/*.js --trailing-comma=none"
   },
   "engines": {
     "node": ">=16"
@@ -50,8 +51,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.5",
-    "@babel/traverse": "^7.22.5",
+    "@babel/parser": "^7.22.10",
+    "@babel/traverse": "^7.22.10",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
@@ -75,11 +76,12 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.0.0",
+    "@appthreat/atom": "^1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "^1.2.0",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
-    "connect": "^3.7.0"
+    "connect": "^3.7.0",
+    "jsonata": "^2.0.3"
   },
   "files": [
     "*.js",
@@ -88,7 +90,8 @@
   ],
   "devDependencies": {
     "caxa": "^3.0.1",
-    "eslint": "^8.43.0",
-    "jest": "^29.5.0"
+    "eslint": "^8.47.0",
+    "jest": "^29.5.0",
+    "prettier": "3.0.1"
   }
 }

package/piptree.js

@@ -57,12 +57,11 @@ def find_deps(idx, visited, reqs, traverse_count):
         if not d:
             continue
         r.project_name = d.project_name if d is not None else r.project_name
-        if len(visited) > 100 and visited.get(r.project_name):
+        if len(visited) > 100 or visited.get(r.project_name, 0) > 5:
             return freqs
         specs = sorted(r.specs, reverse=True)
         specs_str = ",".join(["".join(sp) for sp in specs]) if specs else ""
         dreqs = d.requires()
-        visited[r.project_name] = True
         freqs.append(
             {
                 "name": r.project_name,
@@ -71,6 +70,7 @@ def find_deps(idx, visited, reqs, traverse_count):
                 "dependencies": find_deps(idx, visited, dreqs, traverse_count + 1) if dreqs and traverse_count < 200 else [],
             }
         )
+        visited[r.project_name] = visited.get(r.project_name, 0) + 1
     return freqs