@cyclonedx/cdxgen 9.4.0 → 9.5.0

package/evinser.test.js

@@ -0,0 +1,35 @@
+import { expect, test } from "@jest/globals";
+
+import {
+  constructServiceName,
+  detectServicesFromUsages,
+  extractEndpoints
+} from "./evinser.js";
+
+import { readFileSync } from "node:fs";
+
+test("Service detection test", () => {
+  const usageSlice = JSON.parse(
+    readFileSync("./test/data/usages.json", { encoding: "utf-8" })
+  );
+  const objectSlices = usageSlice.objectSlices;
+  for (const slice of objectSlices) {
+    const servicesMap = detectServicesFromUsages("java", slice);
+    expect(servicesMap).toBeDefined();
+    const serviceName = constructServiceName("java", slice);
+    expect(serviceName).toBeDefined();
+  }
+});
+
+test("extract endpoints test", () => {
+  expect(
+    extractEndpoints("java", '@GetMapping(value = { "/", "/home" })')
+  ).toEqual(["/", "/home"]);
+  expect(
+    extractEndpoints(
+      "java",
+      '@PostMapping(value = "/issue", consumes = MediaType.APPLICATION_XML_VALUE)'
+    )
+  ).toEqual(["/issue"]);
+  expect(extractEndpoints("java", '@GetMapping("/token")')).toEqual(["/token"]);
+});

package/index.js

@@ -28,11 +28,13 @@ import {
   collectJarNS,
   includeMavenTestScope,
   getMavenCommand,
+  collectGradleDependencies,
   collectMvnDependencies,
   parsePom,
   parseMavenTree,
   executeGradleProperties,
   getGradleCommand,
+  convertJarNSToPackages,
   parseGradleDep,
   parseBazelSkyframe,
   parseSbtLock,
@@ -130,8 +132,12 @@ let GRADLE_CACHE_DIR =
   process.env.GRADLE_CACHE_DIR ||
   join(homedir(), ".gradle", "caches", "modules-2", "files-2.1");
 if (process.env.GRADLE_USER_HOME) {
-  GRADLE_CACHE_DIR =
-    process.env.GRADLE_USER_HOME + "/caches/modules-2/files-2.1";
+  GRADLE_CACHE_DIR = join(
+    process.env.GRADLE_USER_HOME,
+    "caches",
+    "modules-2",
+    "files-2.1"
+  );
 }
 
 // Clojure CLI
@@ -168,20 +174,24 @@ const TIMEOUT_MS = parseInt(process.env.CDXGEN_TIMEOUT_MS) || 10 * 60 * 1000;
  * @param {string} type Package type
  * @returns component object
  */
-const createDefaultParentComponent = (path, type = "application") => {
+const createDefaultParentComponent = (
+  path,
+  type = "application",
+  options = {}
+) => {
   // Expands any relative path such as dot
   path = resolve(path);
   // Create a parent component based on the directory name
-  let dirName =
+  let dirNameStr =
     existsSync(path) && lstatSync(path).isDirectory()
       ? basename(path)
       : dirname(path);
-  const tmpA = dirName.split(sep);
-  dirName = tmpA[tmpA.length - 1];
+  const tmpA = dirNameStr.split(sep);
+  dirNameStr = tmpA[tmpA.length - 1];
   const parentComponent = {
-    group: "",
-    name: dirName,
-    version: "latest",
+    group: options.projectGroup || "",
+    name: options.projectName || dirNameStr,
+    version: "" + options.projectVersion || "latest",
     type: "application"
   };
   const ppurl = new PackageURL(
@@ -990,36 +1000,55 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
  */
 export const createJarBom = (path, options) => {
   let pkgList = [];
-  let jarFiles = getAllFiles(
-    path,
-    (options.multiProject ? "**/" : "") + "*.[jw]ar"
-  );
-  // Jenkins plugins
-  const hpiFiles = getAllFiles(
-    path,
-    (options.multiProject ? "**/" : "") + "*.hpi"
-  );
-  if (hpiFiles.length) {
-    jarFiles = jarFiles.concat(hpiFiles);
-  }
-  const tempDir = mkdtempSync(join(tmpdir(), "jar-deps-"));
-  for (const jar of jarFiles) {
-    if (DEBUG_MODE) {
-      console.log(`Parsing ${jar}`);
+  let jarFiles = [];
+  let nsMapping = {};
+  const parentComponent = createDefaultParentComponent(path, "maven", options);
+  if (options.useGradleCache) {
+    nsMapping = collectGradleDependencies(
+      getGradleCommand(path, null),
+      path,
+      false,
+      true
+    );
+  } else if (options.useMavenCache) {
+    nsMapping = collectMvnDependencies(
+      getMavenCommand(path, null),
+      null,
+      false,
+      true
+    );
+  } else {
+    jarFiles = getAllFiles(
+      path,
+      (options.multiProject ? "**/" : "") + "*.[jw]ar"
+    );
+    // Jenkins plugins
+    const hpiFiles = getAllFiles(
+      path,
+      (options.multiProject ? "**/" : "") + "*.hpi"
+    );
+    if (hpiFiles.length) {
+      jarFiles = jarFiles.concat(hpiFiles);
     }
-    const dlist = extractJarArchive(jar, tempDir);
-    if (dlist && dlist.length) {
-      pkgList = pkgList.concat(dlist);
+    const tempDir = mkdtempSync(join(tmpdir(), "jar-deps-"));
+    for (const jar of jarFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${jar}`);
+      }
+      const dlist = extractJarArchive(jar, tempDir);
+      if (dlist && dlist.length) {
+        pkgList = pkgList.concat(dlist);
+      }
+    }
+    // Clean up
+    if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
+      rmSync(tempDir, { recursive: true, force: true });
     }
   }
-  // Clean up
-  if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
-  }
+  pkgList = pkgList.concat(convertJarNSToPackages(nsMapping));
   return buildBomNSData(options, pkgList, "maven", {
     src: path,
-    filename: jarFiles.join(", "),
-    nsMapping: {}
+    parentComponent
   });
 };
 
@@ -1108,7 +1137,12 @@ export const createJavaBom = async (path, options) => {
           console.log(
             "Creating class names list based on available jars. This might take a few mins ..."
           );
-          jarNSMapping = collectMvnDependencies(mavenCmd, basePath);
+          jarNSMapping = collectMvnDependencies(
+            mavenCmd,
+            basePath,
+            true,
+            false
+          );
         }
         console.log(
           `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
@@ -1414,6 +1448,13 @@ export const createJavaBom = async (path, options) => {
         }
       } // for
       if (pkgList.length) {
+        if (parentComponent.components && parentComponent.components.length) {
+          for (const subProj of parentComponent.components) {
+            pkgList = pkgList.filter(
+              (pkg) => pkg["bom-ref"] !== subProj["bom-ref"]
+            );
+          }
+        }
         console.log(
           "Obtained",
           pkgList.length,
@@ -2066,7 +2107,7 @@ export const createPythonBom = async (path, options) => {
   let dependencies = [];
   let pkgList = [];
   const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-venv-"));
-  let parentComponent = createDefaultParentComponent(path, "pypi");
+  let parentComponent = createDefaultParentComponent(path, "pypi", options);
   const pipenvMode = existsSync(join(path, "Pipfile"));
   let poetryFiles = getAllFiles(
     path,
@@ -3156,7 +3197,7 @@ export const createSwiftBom = (path, options) => {
   if (pkgResolvedFiles.length) {
     for (const f of pkgResolvedFiles) {
       if (!parentComponent || !Object.keys(parentComponent).length) {
-        parentComponent = createDefaultParentComponent(f, "swift");
+        parentComponent = createDefaultParentComponent(f, "swift", options);
       }
       if (DEBUG_MODE) {
         console.log("Parsing", f);
@@ -4744,14 +4785,20 @@ export const createBom = async (path, options) => {
       return createJarBom(path, options);
     case "gradle-index":
     case "gradle-cache":
+      options.useGradleCache = true;
       return createJarBom(GRADLE_CACHE_DIR, options);
     case "sbt-index":
     case "sbt-cache":
+      options.useSbtCache = true;
       return createJarBom(SBT_CACHE_DIR, options);
     case "maven-index":
     case "maven-cache":
     case "maven-repo":
-      return createJarBom(join(homedir(), ".m2", "repository"), options);
+      options.useMavenCache = true;
+      return createJarBom(
+        process.env.MAVEN_CACHE_DIR || join(homedir(), ".m2", "repository"),
+        options
+      );
     case "nodejs":
     case "js":
     case "javascript":

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.4.0",
+  "version": "9.5.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -32,10 +32,12 @@
   "exports": "./index.js",
   "bin": {
     "cdxgen": "./bin/cdxgen.js",
-    "cdxi": "./bin/repl.js"
+    "cdxi": "./bin/repl.js",
+    "evinse": "./bin/evinse.js",
+    "cdx-verify": "./bin/verify.js"
   },
   "scripts": {
-    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
     "lint": "eslint *.js *.test.js bin/*.js",
     "pretty": "prettier --write *.js data/*.json bin/*.js --trailing-comma=none"
@@ -60,6 +62,7 @@
     "glob": "^10.3.0",
     "global-agent": "^3.0.0",
     "got": "^13.0.0",
+    "iconv-lite": "^0.6.3",
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
     "node-stream-zip": "^1.15.0",
@@ -76,12 +79,14 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.0.1",
+    "@appthreat/atom": "^1.1.0",
     "@cyclonedx/cdxgen-plugins-bin": "^1.2.0",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
     "connect": "^3.7.0",
-    "jsonata": "^2.0.3"
+    "jsonata": "^2.0.3",
+    "sequelize": "^6.32.1",
+    "sqlite3": "^5.1.6"
   },
   "files": [
     "*.js",