@cyclonedx/cdxgen 9.3.2 → 9.4.0

package/README.md

@@ -10,6 +10,12 @@ NOTE:
 
 CycloneDX 1.5 specification is brand new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 
+## Why cdxgen?
+
+A typical application might comprise of several repos, components, and libraries linked together. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
+
+<img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
+
 ## Supported languages and package format
 
 | Language/Platform               | Package format                                                                                                    | Transitive dependencies                                                                           |
@@ -61,7 +67,7 @@ Footnotes:
 - [4] - See section on plugins
 - [5] - Powered by osquery. See section on plugins
 
-![cdxgen tree](./docs/cdxgen-tree.jpg)
+<img src="./docs/cdxgen-tree.jpg" alt="cdxgen tree" width="256">
 
 ### Automatic usage detection
 
@@ -375,10 +381,33 @@ cdxgen can sign the generated SBoM json file to increase authenticity and non-re
 - SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key
 - SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key
 
-To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature` which could be used for validation. [jwt.io](jwt.io) is a known site that could be used for such signature validation.
+To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature` which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
 
 ![SBoM signing](sbom-sign.jpg)
 
+### Verifying the signature (Node.js example)
+
+There are many [libraries](https://jwt.io/#libraries-io) available to validate JSON Web Tokens. Below is a javascript example.
+
+```js
+# npm install jws
+const jws = require("jws");
+const fs = require("fs");
+// Location of the SBoM json file
+const bomJsonFile = "bom.json";
+// Location of the public key
+const publicKeyFile = "public.key";
+const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
+// Retrieve the signature
+const bomSignature = bomJson.signature.value;
+const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, fs.readFileSync(publicKeyFile, "utf8"));
+if (validationResult) {
+  console.log("Signature is valid!");
+} else {
+  console.log("SBoM signature is invalid :(");
+}
+```
+
 ## Automatic services detection
 
 cdxgen could automatically detect names of services from YAML manifests such as docker-compose or Kubernetes or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. Please help improve this feature by filing issues for any inaccurate detection.
@@ -414,6 +443,50 @@ const bomNSData = await createBom(filePath, options);
 const dbody = await submitBom(args, bomNSData.bomJson);
 ```
 
+## Interactive mode
+
+`cdxi` is a new interactive REPL server to interactively create, import and search an SBoM. All the exported functions from cdxgen and node.js could be used in this mode. In addition, several custom commands are defined.
+
+### Custom commands
+
+| Command   | Description                                                                                                                                                                                                    |
+| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| .create   | Create an SBoM from a path                                                                                                                                                                                     |
+| .import   | Import an existing SBoM from a path. Any SBoM in CycloneDX format is supported.                                                                                                                                |
+| .search   | Search the given string in the components name, group, purl and description                                                                                                                                    |
+| .sort     | Sort the components based on the given attribute. Eg: .sort name to sort by name. Accepts full jsonata [order by](http://docs.jsonata.org/path-operators#order-by-) clause too. Eg: `.sort components^(>name)` |
+| .query    | Pass a raw query in [jsonata](http://docs.jsonata.org/) format                                                                                                                                                 |
+| .print    | Print the SBoM as a table                                                                                                                                                                                      |
+| .tree     | Print the dependency tree if available                                                                                                                                                                         |
+| .validate | Validate the SBoM                                                                                                                                                                                              |
+| .exit     | To exit the shell                                                                                                                                                                                              |
+| .save     | To save the modified SBoM to a new file                                                                                                                                                                        |
+| .update   | Update components based on query expression. Use syntax `\| query \| new object \|`. See example.                                                                                                              |
+
+### Sample REPL usage
+
+Start the REPL server.
+
+```shell
+cdxi
+```
+
+Below are some example commands to create an SBoM for a spring application and perform searches and queries.
+
+```
+.create /mnt/work/vuln-spring
+.print
+.search spring
+.query components[name ~> /spring/ and scope = "required"]
+.sort name
+.sort components^(>name)
+.update | components[name ~> /spring/] | {'publisher': "foo"} |
+```
+
+### REPL History
+
+Repl history will get persisted under `$HOME/.config/.cdxgen` directory. To override this location, use the environment variable `CDXGEN_REPL_HISTORY`.
+
 ## Node.js >= 20 permission model
 
 Refer to the [permissions document](./docs/PERMISSIONS.md)
@@ -427,3 +500,7 @@ npm run lint
 npm run pretty
 npm test
 ```
+
+## Enterprise support
+
+Enterprise support including custom development and integration services are available via AppThreat Ltd. Free community support is also available via [discord](https://discord.gg/tmmtjCEHNV).

package/bin/cdxgen.js

@@ -266,9 +266,10 @@ const checkPermissions = (filePath) => {
           }
           let privateKeyToUse = undefined;
           let jwkPublicKey = undefined;
+          let publicKeyFile = undefined;
           if (args.generateKeyAndSign) {
             const jdirName = dirname(jsonFile);
-            const publicKeyFile = join(jdirName, "public.key");
+            publicKeyFile = join(jdirName, "public.key");
             const privateKeyFile = join(jdirName, "private.key");
             const { privateKey, publicKey } = crypto.generateKeyPairSync(
               "rsa",
@@ -331,6 +332,26 @@ const checkPermissions = (filePath) => {
                 jsonFile,
                 JSON.stringify(bomJsonUnsignedObj, null, 2)
               );
+              if (publicKeyFile) {
+                // Verifying this signature
+                const signatureVerification = jws.verify(
+                  signature,
+                  alg,
+                  fs.readFileSync(publicKeyFile, "utf8")
+                );
+                if (signatureVerification) {
+                  console.log(
+                    "SBoM signature is verifiable with the public key and the algorithm",
+                    publicKeyFile,
+                    alg
+                  );
+                } else {
+                  console.log("SBoM signature verification was unsuccessful");
+                  console.log(
+                    "Check if the public key was exported in PEM format"
+                  );
+                }
+              }
             }
           } catch (ex) {
             console.log("SBoM signing was unsuccessful", ex);

package/bin/repl.js

@@ -0,0 +1,311 @@
+import repl from "node:repl";
+import jsonata from "jsonata";
+import fs from "node:fs";
+import { join } from "node:path";
+import { homedir, tmpdir } from "node:os";
+import process from "node:process";
+
+import { createBom } from "../index.js";
+import { validateBom } from "../validator.js";
+import { printTable, printDependencyTree } from "../display.js";
+
+const options = {
+  useColors: true,
+  breakEvalOnSigint: true,
+  preview: true,
+  prompt: "↝ ",
+  ignoreUndefined: true,
+  useGlobal: true
+};
+
+const cdxArt = ` ██████╗██████╗ ██╗  ██╗
+██╔════╝██╔══██╗╚██╗██╔╝
+██║     ██║  ██║ ╚███╔╝ 
+██║     ██║  ██║ ██╔██╗ 
+╚██████╗██████╔╝██╔╝ ██╗
+ ╚═════╝╚═════╝ ╚═╝  ╚═╝
+`;
+
+console.log("\n" + cdxArt);
+
+// The current sbom is stored here
+let sbom = undefined;
+
+let historyFile = undefined;
+const historyConfigDir = join(homedir(), ".config", ".cdxgen");
+if (!process.env.CDXGEN_REPL_HISTORY && !fs.existsSync(historyConfigDir)) {
+  try {
+    fs.mkdirSync(historyConfigDir, { recursive: true });
+    historyFile = join(historyConfigDir, ".repl_history");
+  } catch (e) {
+    // ignore
+  }
+} else {
+  historyFile = join(historyConfigDir, ".repl_history");
+}
+
+export const importSbom = (sbomOrPath) => {
+  if (sbomOrPath && sbomOrPath.endsWith(".json") && fs.existsSync(sbomOrPath)) {
+    try {
+      sbom = JSON.parse(fs.readFileSync(sbomOrPath, "utf-8"));
+      console.log(`✅ SBoM imported successfully from ${sbomOrPath}`);
+    } catch (e) {
+      console.log(
+        `⚠ Unable to import the SBoM from ${sbomOrPath} due to ${e}`
+      );
+    }
+  } else {
+    console.log(`⚠ ${sbomOrPath} is invalid.`);
+  }
+};
+// Load any sbom passed from the command line
+if (process.argv.length > 2) {
+  importSbom(process.argv[process.argv.length - 1]);
+  console.log("💭 Type .print to view the SBoM as a table");
+} else if (fs.existsSync("bom.json")) {
+  // If the current directory has a bom.json load it
+  importSbom("bom.json");
+} else {
+  console.log("💭 Use .create <path> to create an SBoM for the given path.");
+  console.log("💭 Use .import <json> to import an existing SBoM.");
+  console.log("💭 Type .exit or press ctrl+d to close.");
+}
+
+const cdxgenRepl = repl.start(options);
+if (historyFile) {
+  cdxgenRepl.setupHistory(
+    process.env.CDXGEN_REPL_HISTORY || historyFile,
+    (err) => {
+      if (err) {
+        console.log(
+          "⚠ REPL history would not be persisted for this session. Set the environment variable CDXGEN_REPL_HISTORY to specify a custom history file"
+        );
+      }
+    }
+  );
+}
+cdxgenRepl.defineCommand("create", {
+  help: "create an SBoM for the given path",
+  async action(sbomOrPath) {
+    this.clearBufferedCommand();
+    const tempDir = fs.mkdtempSync(join(tmpdir(), "cdxgen-repl-"));
+    const bomFile = join(tempDir, "bom.json");
+    const bomNSData = await createBom(sbomOrPath, {
+      multiProject: true,
+      installDeps: true,
+      output: bomFile
+    });
+    if (bomNSData) {
+      sbom = bomNSData.bomJson;
+      console.log("✅ SBoM imported successfully.");
+      console.log("💭 Type .print to view the SBoM as a table");
+    } else {
+      console.log("SBoM was not generated successfully");
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("import", {
+  help: "import an existing SBoM",
+  action(sbomOrPath) {
+    this.clearBufferedCommand();
+    importSbom(sbomOrPath);
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("exit", {
+  help: "exit",
+  action() {
+    this.close();
+  }
+});
+cdxgenRepl.defineCommand("sbom", {
+  help: "show the current sbom",
+  action() {
+    if (sbom) {
+      console.log(sbom);
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("search", {
+  help: "search the current sbom",
+  async action(searchStr) {
+    if (sbom) {
+      if (searchStr) {
+        try {
+          if (!searchStr.includes("~>")) {
+            searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i]`;
+          }
+          const expression = jsonata(searchStr);
+          let components = await expression.evaluate(sbom);
+          if (!components) {
+            console.log("No results found!");
+          } else {
+            printTable({ components, dependencies: [] });
+          }
+        } catch (e) {
+          console.log(e);
+        }
+      } else {
+        console.log(
+          "⚠ Specify the search string. Eg: .search <search string>"
+        );
+      }
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("sort", {
+  help: "sort the current sbom based on the attribute",
+  async action(sortStr) {
+    if (sbom) {
+      if (sortStr) {
+        try {
+          if (!sortStr.includes("^")) {
+            sortStr = `components^(${sortStr})`;
+          }
+          const expression = jsonata(sortStr);
+          let components = await expression.evaluate(sbom);
+          if (!components) {
+            console.log("No results found!");
+          } else {
+            printTable({ components, dependencies: [] });
+            // Store the sorted list in memory
+            if (components.length === sbom.components.length) {
+              sbom.components = components;
+            }
+          }
+        } catch (e) {
+          console.log(e);
+        }
+      } else {
+        console.log("⚠ Specify the attribute to sort by. Eg: .sort name");
+      }
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("query", {
+  help: "query the current sbom",
+  async action(querySpec) {
+    if (sbom) {
+      if (querySpec) {
+        try {
+          const expression = jsonata(querySpec);
+          console.log(await expression.evaluate(sbom));
+        } catch (e) {
+          console.log(e);
+        }
+      } else {
+        console.log(
+          "⚠ Specify the search specification in jsonata format. Eg: .query metadata.component"
+        );
+      }
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("print", {
+  help: "print the current sbom as a table",
+  action() {
+    if (sbom) {
+      printTable(sbom);
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("tree", {
+  help: "display the dependency tree",
+  action() {
+    if (sbom) {
+      printDependencyTree(sbom);
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("validate", {
+  help: "validate the sbom",
+  action() {
+    if (sbom) {
+      const result = validateBom(sbom);
+      if (result) {
+        console.log("SBoM is valid!");
+      }
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("save", {
+  help: "save the sbom to a new file",
+  action(saveToFile) {
+    if (sbom) {
+      if (!saveToFile) {
+        saveToFile = "bom.json";
+      }
+      fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
+      console.log(`SBoM saved successfully to ${saveToFile}`);
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+cdxgenRepl.defineCommand("update", {
+  help: "update the sbom components based on the given query",
+  async action(updateSpec) {
+    if (sbom) {
+      if (!updateSpec) {
+        return;
+      }
+      if (!updateSpec.startsWith("|")) {
+        updateSpec = "|" + updateSpec;
+      }
+      if (!updateSpec.endsWith("|")) {
+        updateSpec = updateSpec + "|";
+      }
+      updateSpec = "$ ~> " + updateSpec;
+      const expression = jsonata(updateSpec);
+      const newSbom = await expression.evaluate(sbom);
+      if (newSbom && newSbom.components.length <= sbom.components.length) {
+        sbom = newSbom;
+      }
+      console.log("SBoM updated successfully.");
+    } else {
+      console.log(
+        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});

package/display.js

@@ -13,6 +13,9 @@ const MAX_TREE_DEPTH = 3;
 
 export const printTable = (bomJson) => {
   const data = [["Group", "Name", "Version", "Scope"]];
+  if (!bomJson || !bomJson.components) {
+    return;
+  }
   for (const comp of bomJson.components) {
     data.push([comp.group || "", comp.name, comp.version, comp.scope || ""]);
   }

package/docker.js

@@ -24,7 +24,7 @@ import { x } from "tar";
 import { spawnSync } from "node:child_process";
 import { DEBUG_MODE } from "./utils.js";
 
-const isWin = _platform() === "win32";
+export const isWin = _platform() === "win32";
 
 let dockerConn = undefined;
 let isPodman = false;

package/docker.test.js

@@ -3,14 +3,17 @@ import {
   parseImageName,
   getImage,
   removeImage,
-  exportImage
+  exportImage,
+  isWin
 } from "./docker.js";
 import { expect, test } from "@jest/globals";
 
 test("docker connection", async () => {
-  const dockerConn = await getConnection();
-  expect(dockerConn);
-});
+  if (!(isWin && process.env.CI === "true")) {
+    const dockerConn = await getConnection();
+    expect(dockerConn);
+  }
+}, 120000);
 
 test("parseImageName tests", () => {
   expect(parseImageName("debian")).toEqual({
@@ -59,7 +62,7 @@ test("parseImageName tests", () => {
     digest: "5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1",
     platform: ""
   });
-});
+}, 120000);
 
 test("docker getImage", async () => {
   const imageData = await getImage("hello-world:latest");

package/index.js

@@ -199,18 +199,25 @@ const createDefaultParentComponent = (path, type = "application") => {
 
 const determineParentComponent = (options) => {
   let parentComponent = undefined;
-  if (options.projectName && options.projectVersion) {
+  if (options.parentComponent && Object.keys(options.parentComponent).length) {
+    return options.parentComponent;
+  } else if (options.projectName && options.projectVersion) {
     parentComponent = {
       group: options.projectGroup || "",
       name: options.projectName,
       version: "" + options.projectVersion || "",
       type: "application"
     };
-  } else if (
-    options.parentComponent &&
-    Object.keys(options.parentComponent).length
-  ) {
-    return options.parentComponent;
+    const ppurl = new PackageURL(
+      parentComponent.type,
+      parentComponent.group,
+      parentComponent.name,
+      parentComponent.version,
+      null,
+      null
+    ).toString();
+    parentComponent["bom-ref"] = ppurl;
+    parentComponent["purl"] = decodeURIComponent(ppurl);
   }
   return parentComponent;
 };
@@ -323,11 +330,18 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
     if (parentComponent) {
       delete parentComponent.evidence;
       delete parentComponent._integrity;
+      delete parentComponent.license;
+      if (!parentComponent["purl"] && parentComponent["bom-ref"]) {
+        parentComponent["purl"] = decodeURIComponent(
+          parentComponent["bom-ref"]
+        );
+      }
     }
     if (parentComponent && parentComponent.components) {
       for (const comp of parentComponent.components) {
         delete comp.evidence;
         delete comp._integrity;
+        delete comp.license;
         if (!comp["bom-ref"] && comp.name && comp.type) {
           let fullName =
             comp.group && comp.group.length
@@ -1336,7 +1350,7 @@ export const createJavaBom = async (path, options) => {
         let gradleDepArgs = [
           sp.purl === parentComponent.purl
             ? depTaskWithArgs[0]
-            : `:${sp.name}:${depTaskWithArgs[0]}`
+            : `:${sp.name.replace(/\//, ":")}:${depTaskWithArgs[0]}`
         ];
         gradleDepArgs = gradleDepArgs
           .concat(depTaskWithArgs.slice(1))
@@ -1786,9 +1800,9 @@ export const createNodejsBom = async (path, options) => {
           parentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",
-            parentComponent.group,
-            parentComponent.name,
-            parentComponent.version,
+            options.projectGroup || parentComponent.group,
+            options.projectName || parentComponent.name,
+            options.projectVersion || parentComponent.version,
             null,
             null
           ).toString();
@@ -1806,9 +1820,9 @@ export const createNodejsBom = async (path, options) => {
         };
         ppurl = new PackageURL(
           "npm",
-          parentComponent.group,
-          parentComponent.name,
-          parentComponent.version,
+          options.projectGroup || parentComponent.group,
+          options.projectName || parentComponent.name,
+          options.projectVersion || parentComponent.version,
           null,
           null
         ).toString();
@@ -1837,11 +1851,10 @@ export const createNodejsBom = async (path, options) => {
         console.log(`Parsing ${f}`);
       }
       // Parse package-lock.json if available
-      const parsedList = await parsePkgLock(f);
+      const parsedList = await parsePkgLock(f, options);
       const dlist = parsedList.pkgList;
       const tmpParentComponent = dlist.splice(0, 1)[0] || {};
       tmpParentComponent.type = "application";
-      // Create a default parent component based on directory name
       if (!Object.keys(parentComponent).length) {
         parentComponent = tmpParentComponent;
       } else {
@@ -1929,9 +1942,9 @@ export const createNodejsBom = async (path, options) => {
           tmpParentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",
-            tmpParentComponent.group,
-            tmpParentComponent.name,
-            tmpParentComponent.version,
+            options.projectGroup || tmpParentComponent.group,
+            options.projectName || tmpParentComponent.name,
+            options.projectVersion || tmpParentComponent.version,
             null,
             null
           ).toString();
@@ -1948,15 +1961,15 @@ export const createNodejsBom = async (path, options) => {
         const tmpA = dirName.split(sep);
         dirName = tmpA[tmpA.length - 1];
         const tmpParentComponent = {
-          group: "",
-          name: dirName,
+          group: options.projectGroup || "",
+          name: options.projectName || dirName,
           type: "application"
         };
         ppurl = new PackageURL(
           "npm",
           tmpParentComponent.group,
           tmpParentComponent.name,
-          tmpParentComponent.version,
+          options.projectVersion || tmpParentComponent.version,
           null,
           null
         ).toString();
@@ -2030,6 +2043,8 @@ export const createNodejsBom = async (path, options) => {
   if (parentSubComponents.length) {
     parentComponent.components = parentSubComponents;
   }
+  // We need to set this to force our version to be used rather than the directory name based one.
+  options.parentComponent = parentComponent;
   return buildBomNSData(options, pkgList, "npm", {
     allImports,
     src: path,
@@ -2260,14 +2275,20 @@ export const createPythonBom = async (path, options) => {
         pkgMap = getPipFrozenTree(path, undefined, tempDir);
       }
       // Get the imported modules and a dedupe list of packages
-      const parentDependsOn = [];
+      const parentDependsOn = new Set();
       const retMap = await getPyModules(path, pkgList);
       if (retMap.pkgList && retMap.pkgList.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         for (const p of retMap.pkgList) {
-          if (p.version) {
-            parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+          if (
+            !p.version ||
+            (parentComponent &&
+              p.name === parentComponent.name &&
+              (p.version === parentComponent.version || p.version === "latest"))
+          ) {
+            continue;
           }
+          parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
         }
       }
       if (retMap.dependenciesList) {
@@ -2285,11 +2306,11 @@ export const createPythonBom = async (path, options) => {
         if (
           parentComponent &&
           p.name === parentComponent.name &&
-          p.version === parentComponent.version
+          (p.version === parentComponent.version || p.version === "latest")
         ) {
           continue;
         }
-        parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+        parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
       }
       if (pkgMap.pkgList && pkgMap.pkgList.length) {
         pkgList = pkgList.concat(pkgMap.pkgList);
@@ -2301,13 +2322,22 @@ export const createPythonBom = async (path, options) => {
           parentComponent
         );
       }
-      const pdependencies = {
-        ref: parentComponent["bom-ref"],
-        dependsOn: parentDependsOn.filter(
-          (r) => parentComponent && r !== parentComponent["bom-ref"]
-        )
-      };
-      dependencies.splice(0, 0, pdependencies);
+      let parentPresent = false;
+      for (const d of dependencies) {
+        if (d.ref === parentComponent["bom-ref"]) {
+          parentPresent = true;
+          break;
+        }
+      }
+      if (!parentPresent) {
+        const pdependencies = {
+          ref: parentComponent["bom-ref"],
+          dependsOn: Array.from(parentDependsOn).filter(
+            (r) => parentComponent && r !== parentComponent["bom-ref"]
+          )
+        };
+        dependencies.splice(0, 0, pdependencies);
+      }
     }
   }
   // Final fallback is to manually parse setup.py if we still
@@ -3736,7 +3766,9 @@ export const mergeDependencies = (
   parentComponent = {}
 ) => {
   if (!parentComponent && DEBUG_MODE) {
-    console.log("Unable to determine parent component. Dependencies will be flattened.");
+    console.log(
+      "Unable to determine parent component. Dependencies will be flattened."
+    );
   }
   const deps_map = {};
   const parentRef =

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.3.2",
+  "version": "9.4.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -31,13 +31,14 @@
   "type": "module",
   "exports": "./index.js",
   "bin": {
-    "cdxgen": "./bin/cdxgen.js"
+    "cdxgen": "./bin/cdxgen.js",
+    "cdxi": "./bin/repl.js"
   },
   "scripts": {
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
-    "lint": "eslint *.js *.test.js bin/cdxgen.js",
-    "pretty": "prettier --write *.js data/*.json bin/cdxgen.js --trailing-comma=none"
+    "lint": "eslint *.js *.test.js bin/*.js",
+    "pretty": "prettier --write *.js data/*.json bin/*.js --trailing-comma=none"
   },
   "engines": {
     "node": ">=16"
@@ -50,8 +51,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.5",
-    "@babel/traverse": "^7.22.5",
+    "@babel/parser": "^7.22.10",
+    "@babel/traverse": "^7.22.10",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
@@ -75,11 +76,12 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.0.0",
+    "@appthreat/atom": "^1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "^1.2.0",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
-    "connect": "^3.7.0"
+    "connect": "^3.7.0",
+    "jsonata": "^2.0.3"
   },
   "files": [
     "*.js",
@@ -88,7 +90,8 @@
   ],
   "devDependencies": {
     "caxa": "^3.0.1",
-    "eslint": "^8.43.0",
-    "jest": "^29.5.0"
+    "eslint": "^8.47.0",
+    "jest": "^29.5.0",
+    "prettier": "3.0.1"
   }
 }

package/piptree.js

@@ -57,12 +57,11 @@ def find_deps(idx, visited, reqs, traverse_count):
         if not d:
             continue
         r.project_name = d.project_name if d is not None else r.project_name
-        if len(visited) > 100 and visited.get(r.project_name):
+        if len(visited) > 100 or visited.get(r.project_name, 0) > 5:
             return freqs
         specs = sorted(r.specs, reverse=True)
         specs_str = ",".join(["".join(sp) for sp in specs]) if specs else ""
         dreqs = d.requires()
-        visited[r.project_name] = True
         freqs.append(
             {
                 "name": r.project_name,
@@ -71,6 +70,7 @@ def find_deps(idx, visited, reqs, traverse_count):
                 "dependencies": find_deps(idx, visited, dreqs, traverse_count + 1) if dreqs and traverse_count < 200 else [],
             }
         )
+        visited[r.project_name] = visited.get(r.project_name, 0) + 1
     return freqs
 
 

package/utils.js

@@ -497,12 +497,16 @@ export const parsePkgJson = async (pkgJsonFile) => {
  * Parse nodejs package lock file
  *
  * @param {string} pkgLockFile package-lock.json file
+ * @param {object} options Command line options
  */
-export const parsePkgLock = async (pkgLockFile) => {
+export const parsePkgLock = async (pkgLockFile, options = {}) => {
   let pkgList = [];
   const dependenciesList = [];
   const depKeys = {};
   let rootPkg = {};
+  if (!options) {
+    options = {};
+  }
   if (existsSync(pkgLockFile)) {
     const lockData = JSON.parse(readFileSync(pkgLockFile, "utf8"));
     rootPkg.name = lockData.name || "";
@@ -510,16 +514,16 @@ export const parsePkgLock = async (pkgLockFile) => {
     if (lockData.name && lockData.packages && lockData.packages[""]) {
       // Build the initial dependency tree for the root package
       rootPkg = {
-        group: "",
-        name: lockData.name,
-        version: lockData.version,
+        group: options.projectGroup || "",
+        name: options.projectName || lockData.name,
+        version: options.projectVersion || lockData.version,
         type: "application",
         "bom-ref": decodeURIComponent(
           new PackageURL(
             "npm",
-            "",
-            lockData.name,
-            lockData.version,
+            options.projectGroup || "",
+            options.projectName || lockData.name,
+            options.projectVersion || lockData.version,
             null,
             null
           ).toString()
@@ -531,10 +535,10 @@ export const parsePkgLock = async (pkgLockFile) => {
       dirName = tmpA[tmpA.length - 1];
       // v1 lock file
       rootPkg = {
-        group: "",
-        name: lockData.name || dirName,
-        version: lockData.version || "",
-        type: "application"
+        group: options.projectGroup || "",
+        name: options.projectName || lockData.name || dirName,
+        version: options.projectVersion || lockData.version || "",
+        type: "npm"
       };
     }
     if (rootPkg && rootPkg.name) {
@@ -625,6 +629,7 @@ export const yarnLockToIdentMap = function (lockData) {
   const identMap = {};
   let currentIdents = [];
   lockData.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
     if (l === "\n" || l.startsWith("#")) {
       return;
     }
@@ -687,6 +692,7 @@ export const parseYarnLock = async function (yarnLockFile) {
     const identMap = yarnLockToIdentMap(lockData);
     let prefixAtSymbol = false;
     lockData.split("\n").forEach((l) => {
+      l = l.replace("\r", "");
       if (l === "\n" || l.startsWith("#")) {
         return;
       }
@@ -1664,7 +1670,7 @@ export const parseGradleProjects = function (rawOutput) {
   if (typeof rawOutput === "string") {
     const tmpA = rawOutput.split("\n");
     tmpA.forEach((l) => {
-      l = l.replace("\r", "")
+      l = l.replace("\r", "");
       if (l.startsWith("Root project ")) {
         rootProject = l
           .split("Root project ")[1]
@@ -1676,7 +1682,8 @@ export const parseGradleProjects = function (rawOutput) {
           const projName = tmpB[1].split(" ")[0].replace(/'/g, "");
           // Include all projects including test projects
           if (projName.startsWith(":")) {
-            projects.add(projName);
+            // Handle the case where the project name could have a space. Eg: +--- project :app (*)
+            projects.add(projName.split(" ")[0]);
           }
         }
       } else if (l.includes("--- project ")) {
@@ -1684,7 +1691,7 @@ export const parseGradleProjects = function (rawOutput) {
         if (tmpB && tmpB.length > 1) {
           const projName = tmpB[1];
           if (projName.startsWith(":")) {
-            projects.add(projName);
+            projects.add(projName.split(" ")[0]);
           }
         }
       }
@@ -1726,7 +1733,7 @@ export const parseGradleProperties = function (rawOutput) {
           const spStrs = tmpB[1].replace(/[[\]']/g, "").split(", ");
           const tmpprojects = spStrs
             .flatMap((s) => s.replace("project ", ""))
-            .filter((s) => ![":app", ""].includes(s.trim()));
+            .filter((s) => ![""].includes(s.trim()));
           tmpprojects.forEach(projects.add, projects);
         }
       }
@@ -1893,6 +1900,7 @@ export const parseKVDep = function (rawOutput) {
   if (typeof rawOutput === "string") {
     const deps = [];
     rawOutput.split("\n").forEach((l) => {
+      l = l.replace("\r", "");
       const tmpA = l.split(":");
       if (tmpA.length === 3) {
         deps.push({
@@ -2331,6 +2339,9 @@ export const parsePyProjectToml = (tomlFile) => {
           pkg.name = value;
           break;
         case "version":
+          if (value.includes("{")) {
+            value = "latest";
+          }
           pkg.version = value;
           break;
         case "authors":
@@ -2365,6 +2376,7 @@ export const parsePoetrylockData = async function (lockData, lockFile) {
     return pkgList;
   }
   lockData.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
     let key = null;
     let value = null;
     // Package section starts with this marker
@@ -2420,6 +2432,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
   const pkgList = [];
   let compScope = undefined;
   reqData.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
     l = l.trim();
     if (l.startsWith("Skipping line") || l.startsWith("(add")) {
       return;
@@ -3146,6 +3159,7 @@ export const parseGemfileLockData = async function (gemLockData) {
   let specsFound = false;
   gemLockData.split("\n").forEach((l) => {
     l = l.trim();
+    l = l.replace("\r", "");
     if (specsFound) {
       const tmpA = l.split(" ");
       if (tmpA && tmpA.length == 2) {
@@ -3358,6 +3372,7 @@ export const parseCargoData = async function (cargoData) {
   cargoData.split("\n").forEach((l) => {
     let key = null;
     let value = null;
+    l = l.replace("\r", "");
     // Ignore version = 3 found at the top of newer lock files
     if (!pkg && l.startsWith("version =")) {
       return;
@@ -3402,6 +3417,7 @@ export const parseCargoAuditableData = async function (cargoData) {
     return pkgList;
   }
   cargoData.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
     const tmpA = l.split("\t");
     if (tmpA && tmpA.length > 2) {
       let group = dirname(tmpA[0].trim());
@@ -3433,6 +3449,7 @@ export const parsePubLockData = async function (pubLockData) {
   pubLockData.split("\n").forEach((l) => {
     let key = null;
     let value = null;
+    l = l.replace("\r", "");
     if (!pkg && (l.startsWith("sdks:") || !l.startsWith("  "))) {
       return;
     }
@@ -3848,6 +3865,7 @@ export const parseCabalData = function (cabalData) {
     if (!l.includes(" ==")) {
       return;
     }
+    l = l.replace("\r", "");
     if (l.includes(" ==")) {
       const tmpA = l.split(" ==");
       const name = tmpA[0]
@@ -3875,6 +3893,7 @@ export const parseMixLockData = function (mixData) {
     if (!l.includes(":hex")) {
       return;
     }
+    l = l.replace("\r", "");
     if (l.includes(":hex")) {
       const tmpA = l.split(",");
       if (tmpA.length > 3) {
@@ -4969,6 +4988,7 @@ export const parseJarManifest = function (jarMetadata) {
     return metadata;
   }
   jarMetadata.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
     if (l.includes(": ")) {
       const tmpA = l.split(": ");
       if (tmpA && tmpA.length === 2) {
@@ -4999,10 +5019,19 @@ export const extractJarArchive = function (jarFile, tempDir) {
   const fname = basename(jarFile);
   let pomname = undefined;
   // If there is a pom file in the same directory, try to use it
+  let manifestname = join(dirname(jarFile), "META-INF", "MANIFEST.MF");
+  // Issue 439: Current implementation checks for existance of a .pom file, but .pom file is not used.
+  // Instead code expects to find META-INF/MANIFEST.MF in the same folder as a .jar file.
+  // For now check for presence of both .pom and MANIFEST.MF files.
   if (jarFile.endsWith(".jar")) {
     pomname = jarFile.replace(".jar", ".pom");
   }
-  if (pomname && existsSync(pomname)) {
+  if (
+    pomname &&
+    existsSync(pomname) &&
+    manifestname &&
+    existsSync(manifestname)
+  ) {
     tempDir = dirname(jarFile);
   } else if (!existsSync(join(tempDir, fname))) {
     // Only copy if the file doesn't exist
@@ -5548,7 +5577,11 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
    *
    * By checking the environment variable "VIRTUAL_ENV" we decide whether to create an env or not
    */
-  if (!process.env.VIRTUAL_ENV) {
+  if (
+    !process.env.VIRTUAL_ENV &&
+    reqOrSetupFile &&
+    !reqOrSetupFile.endsWith("poetry.lock")
+  ) {
     result = spawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
       encoding: "utf-8"
     });
@@ -5562,29 +5595,43 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
         }
       }
     } else {
+      if (DEBUG_MODE) {
+        console.log(join("Using virtual environment in ", tempVenvDir));
+      }
       env.VIRTUAL_ENV = tempVenvDir;
       env.PATH = `${join(
         tempVenvDir,
-        platform() == "win32" ? "Scripts" : "bin"
+        platform() === "win32" ? "Scripts" : "bin"
       )}${_delimiter}${process.env.PATH || ""}`;
     }
   }
   /**
    * We now have a virtual environment so we can attempt to install the project and perform
    * pip freeze to collect the packages that got installed.
+   * Note that we did not create a virtual environment for poetry because poetry will do this when we run the install.
    * This step is accurate but not reproducible since the resulting list could differ based on various factors
    * such as the version of python, pip, os, pypi.org availability (and weather?)
    */
   // Bug #388. Perform pip install in all virtualenv to make the experience consistent
   if (reqOrSetupFile) {
     if (reqOrSetupFile.endsWith("poetry.lock")) {
-      let poetryInstallArgs = ["-m", "poetry", "install", "-n", "--no-root"];
+      let poetryConfigArgs = [
+        "config",
+        "virtualenvs.options.no-setuptools",
+        "true",
+        "--local"
+      ];
+      result = spawnSync("poetry", poetryConfigArgs, {
+        cwd: basePath,
+        encoding: "utf-8",
+        timeout: TIMEOUT_MS
+      });
+      let poetryInstallArgs = ["install", "-n", "--no-root"];
       // Attempt to perform poetry install
-      result = spawnSync(PYTHON_CMD, poetryInstallArgs, {
+      result = spawnSync("poetry", poetryInstallArgs, {
         cwd: basePath,
         encoding: "utf-8",
-        timeout: TIMEOUT_MS,
-        env
+        timeout: TIMEOUT_MS
       });
       if (result.status !== 0 || result.error) {
         if (result.stderr && result.stderr.includes("No module named poetry")) {
@@ -5597,6 +5644,9 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
             env
           });
           if (result.status !== 0 || result.error) {
+            if (DEBUG_MODE && result.stderr) {
+              console.log(result.stderr);
+            }
             console.log("poetry install has failed.");
             console.log(
               "1. Install the poetry command using python -m pip install poetry."
@@ -5610,11 +5660,27 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
           }
         } else {
           console.log(
-            "poetry install has failed. Setup and activate the poetry virtual environment and re-run cdxgen."
+            "Poetry install has failed. Setup and activate the poetry virtual environment and re-run cdxgen."
           );
         }
+      } else {
+        let poetryEnvArgs = ["env info", "--path"];
+        result = spawnSync("poetry", poetryEnvArgs, {
+          cwd: basePath,
+          encoding: "utf-8",
+          timeout: TIMEOUT_MS,
+          env
+        });
+        tempVenvDir = result.stdout.replaceAll(/[\r\n]+/g, "");
+        if (tempVenvDir && tempVenvDir.length) {
+          env.VIRTUAL_ENV = tempVenvDir;
+          env.PATH = `${join(
+            tempVenvDir,
+            platform() === "win32" ? "Scripts" : "bin"
+          )}${_delimiter}${process.env.PATH || ""}`;
+        }
       }
-    } else if (!reqOrSetupFile.endsWith(".lock")) {
+    } else {
       const pipInstallArgs = [
         "-m",
         "pip",
@@ -5659,7 +5725,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
           console.log(
             "Possible build errors detected. The resulting list in the SBoM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy."
           );
-          if (platform() == "win32") {
+          if (platform() === "win32") {
             console.log(
               "- Install the appropriate compilers and build tools on Windows by following this documentation - https://wiki.python.org/moin/WindowsCompilers"
             );
@@ -5703,28 +5769,32 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
         continue;
       }
       const name = t.name.replace(/_/g, "-").toLowerCase();
-      pkgList.push({
-        name,
-        version: t.version,
-        evidence: {
-          identity: {
-            field: "purl",
-            confidence: 1,
-            methods: [
-              {
-                technique: "instrumentation",
-                confidence: 1,
-                value: env.VIRTUAL_ENV
-              }
-            ]
+      const version = t.version;
+      let exclude = ["pip", "setuptools", "wheel"];
+      if (!exclude.includes(name)) {
+        pkgList.push({
+          name,
+          version,
+          evidence: {
+            identity: {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "instrumentation",
+                  confidence: 1,
+                  value: env.VIRTUAL_ENV
+                }
+              ]
+            }
           }
-        }
-      });
-      rootList.push({
-        name,
-        version: t.version
-      });
-      flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t);
+        });
+        rootList.push({
+          name,
+          version
+        });
+        flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t);
+      }
     } // end for
     for (const k of Object.keys(dependenciesMap)) {
       dependenciesList.push({ ref: k, dependsOn: dependenciesMap[k] });

package/utils.test.js

@@ -295,6 +295,10 @@ test("parse gradle dependencies", () => {
   );
   expect(parsedList.pkgList.length).toEqual(152);
   expect(parsedList.dependenciesList.length).toEqual(153);
+  parsedList = parseGradleDep(
+    readFileSync("./test/data/gradle-android-app.dep", { encoding: "utf-8" })
+  );
+  expect(parsedList.pkgList.length).toEqual(101);
 });
 
 test("parse gradle projects", () => {
@@ -317,6 +321,11 @@ test("parse gradle projects", () => {
   );
   expect(retMap.rootProject).toEqual("fineract");
   expect(retMap.projects.length).toEqual(22);
+  retMap = parseGradleProjects(
+    readFileSync("./test/data/gradle-android-app.dep", { encoding: "utf-8" })
+  );
+  expect(retMap.rootProject).toEqual("root");
+  expect(retMap.projects).toEqual([":app"]);
 });
 
 test("parse gradle properties", () => {
@@ -366,7 +375,7 @@ test("parse gradle properties", () => {
   );
   expect(retMap).toEqual({
     rootProject: "java-test",
-    projects: [],
+    projects: [":app"],
     metadata: {
       group: "com.ajmalab.demo",
       version: "latest",
@@ -411,6 +420,13 @@ test("parse gradle properties", () => {
   );
   expect(retMap.rootProject).toEqual("elasticsearch");
   expect(retMap.projects.length).toEqual(409);
+  retMap = parseGradleProperties(
+    readFileSync("./test/data/gradle-properties-android.txt", {
+      encoding: "utf-8"
+    })
+  );
+  expect(retMap.rootProject).toEqual("CdxgenAndroidTest");
+  expect(retMap.projects.length).toEqual(2);
 });
 
 test("parse maven tree", () => {
@@ -1290,16 +1306,19 @@ test("parsePkgLock", async () => {
     version: "2.0.0"
   });
   expect(deps[deps.length - 1].name).toEqual("zone.js");
-  parsedList = await parsePkgLock("./test/data/package-lock-v3.json");
+  parsedList = await parsePkgLock("./test/data/package-lock-v3.json", {
+    projectVersion: "latest",
+    projectName: "cdxgen"
+  });
   deps = parsedList.pkgList;
   expect(deps.length).toEqual(879);
   expect(parsedList.dependenciesList.length).toEqual(879);
   expect(deps[0]).toEqual({
-    "bom-ref": "pkg:npm/@cyclonedx/cdxgen@8.4.3",
+    "bom-ref": "pkg:npm/cdxgen@latest",
     group: "",
-    name: "@cyclonedx/cdxgen",
+    name: "cdxgen",
     type: "application",
-    version: "8.4.3"
+    version: "latest"
   });
   expect(deps[deps.length - 1].name).toEqual("yocto-queue");
   parsedList = await parsePkgLock("./test/data/package-lock4.json");