@cyclonedx/cdxgen 9.6.1 → 9.7.1

package/evinser.js

@@ -196,7 +196,13 @@ export const createSlice = (purlOrLanguage, filePath, sliceType = "usages") => {
     args.push(process.env.ATOM_SLICE_DEPTH);
   }
   args.push(path.resolve(filePath));
-  executeAtom(filePath, args);
+  const result = executeAtom(filePath, args);
+  if (!result || !fs.existsSync(slicesFile)) {
+    console.warn(`Unable to generate ${sliceType} slice using atom.`);
+    console.log(
+      "Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot."
+    );
+  }
   return {
     tempDir,
     slicesFile,
@@ -363,15 +369,11 @@ export const parseObjectSlices = async (
     ) {
       continue;
     }
-    const locationKey = `${slice.fileName}${
-      slice.lineNumber ? "#" + slice.lineNumber : ""
-    }`;
     await parseSliceUsages(
       language,
       userDefinedTypesMap,
       slice,
       dbObjMap,
-      locationKey,
       purlLocationMap,
       purlImportsMap
     );
@@ -392,7 +394,6 @@ export const parseObjectSlices = async (
  * @param {object} userDefinedTypesMap User Defined types in the application
  * @param {array} usages Usages array for each objectSlice
  * @param {object} dbObjMap DB Models
- * @param {string} locationKey Filename with line number to be used in occurrences evidence
  * @param {object} purlLocationMap Object to track locations where purls are used
  * @param {object} purlImportsMap Object to track package urls and their import aliases
  * @returns
@@ -402,7 +403,6 @@ export const parseSliceUsages = async (
   userDefinedTypesMap,
   slice,
   dbObjMap,
-  locationKey,
   purlLocationMap,
   purlImportsMap
 ) => {
@@ -411,7 +411,6 @@ export const parseSliceUsages = async (
     return undefined;
   }
   const fileName = slice.fileName;
-  const purlsSet = new Set();
   const typesToLookup = new Set();
   const lKeyOverrides = {};
   for (const ausage of usages) {
@@ -441,7 +440,7 @@ export const parseSliceUsages = async (
         }
         const maybeClassType = getClassTypeFromSignature(language, atype[1]);
         typesToLookup.add(maybeClassType);
-        if (language == "javascript" && ausageLine) {
+        if (ausageLine) {
           addToOverrides(lKeyOverrides, maybeClassType, fileName, ausageLine);
         }
       }
@@ -460,7 +459,7 @@ export const parseSliceUsages = async (
         if (!acall?.resolvedMethod.includes("(")) {
           typesToLookup.add(acall?.resolvedMethod);
           // Javascript calls can be resolved to a precise line number only from the call nodes
-          if (language == "javascript" && acall.lineNumber) {
+          if (acall.lineNumber) {
             addToOverrides(
               lKeyOverrides,
               acall?.resolvedMethod,
@@ -474,7 +473,7 @@ export const parseSliceUsages = async (
           acall?.resolvedMethod
         );
         typesToLookup.add(maybeClassType);
-        if (language == "javascript" && acall.lineNumber) {
+        if (acall.lineNumber) {
           addToOverrides(
             lKeyOverrides,
             maybeClassType,
@@ -487,7 +486,7 @@ export const parseSliceUsages = async (
         if (!isFilterableType(language, userDefinedTypesMap, aparamType)) {
           if (!aparamType.includes("(")) {
             typesToLookup.add(aparamType);
-            if (language == "javascript" && acall.lineNumber) {
+            if (acall.lineNumber) {
               if (aparamType.includes(":")) {
                 typesToLookup.add(aparamType.split("::")[0].replace(/:/g, "/"));
               }
@@ -504,7 +503,7 @@ export const parseSliceUsages = async (
             aparamType
           );
           typesToLookup.add(maybeClassType);
-          if (language == "javascript" && acall.lineNumber) {
+          if (acall.lineNumber) {
             addToOverrides(
               lKeyOverrides,
               maybeClassType,
@@ -524,17 +523,11 @@ export const parseSliceUsages = async (
       for (const apurl of Object.keys(purlImportsMap)) {
         const apurlImports = purlImportsMap[apurl];
         if (apurlImports && apurlImports.includes(atype)) {
-          // For javasript, we set all the additional places where a call gets made
-          if (language == "javascript") {
-            if (!purlLocationMap[apurl]) {
-              purlLocationMap[apurl] = new Set();
-            }
-            if (lKeyOverrides[atype]) {
-              purlLocationMap[apurl].add(...lKeyOverrides[atype]);
-            }
-          } else {
-            // This would work well for java since each call node could be mapped to a method
-            purlsSet.add(apurl);
+          if (!purlLocationMap[apurl]) {
+            purlLocationMap[apurl] = new Set();
+          }
+          if (lKeyOverrides[atype]) {
+            purlLocationMap[apurl].add(...lKeyOverrides[atype]);
           }
         }
       }
@@ -552,19 +545,17 @@ export const parseSliceUsages = async (
         }));
       if (nsHits && nsHits.length) {
         for (const ns of nsHits) {
-          purlsSet.add(ns.purl);
+          if (!purlLocationMap[ns.purl]) {
+            purlLocationMap[ns.purl] = new Set();
+          }
+          if (lKeyOverrides[atype]) {
+            purlLocationMap[ns.purl].add(...lKeyOverrides[atype]);
+          }
         }
         typePurlsCache[atype] = nsHits;
       }
     }
   }
-  // Update the purlLocationMap
-  for (const apurl of purlsSet) {
-    if (!purlLocationMap[apurl]) {
-      purlLocationMap[apurl] = new Set();
-    }
-    purlLocationMap[apurl].add(locationKey);
-  }
 };
 
 export const isFilterableType = (

package/index.js

@@ -120,12 +120,13 @@ import {
   executeOsQuery,
   getOSPackages
 } from "./binary.js";
-const osQueries = JSON.parse(
-  readFileSync(join(dirName, "data", "queries.json"))
-);
 
 const isWin = _platform() === "win32";
 
+const osQueries = !isWin
+  ? JSON.parse(readFileSync(join(dirName, "data", "queries.json")))
+  : JSON.parse(readFileSync(join(dirName, "data", "queries-win.json")));
+
 import { table } from "table";
 
 // Construct gradle cache directory
@@ -660,7 +661,6 @@ function addComponent(
       return;
     }
     const licenses = pkg.licenses || getLicenses(pkg, format);
-
     const purl =
       pkg.purl ||
       new PackageURL(
@@ -755,8 +755,22 @@ function addComponent(
  * word for it, otherwise, identify the module as a 'library'.
  */
 function determinePackageType(pkg) {
-  if (pkg.type === "application") {
-    return "application";
+  // Retain the exact component type in certain cases.
+  if (
+    [
+      "application",
+      "container",
+      "platform",
+      "operating-system",
+      "device",
+      "device-driver",
+      "firmware",
+      "file",
+      "machine-learning-model",
+      "data"
+    ].includes(pkg.type)
+  ) {
+    return pkg.type;
   }
   if (pkg.purl) {
     try {
@@ -1184,7 +1198,8 @@ export const createJavaBom = async (path, options) => {
           cwd: basePath,
           shell: true,
           encoding: "utf-8",
-          timeout: TIMEOUT_MS
+          timeout: TIMEOUT_MS,
+          maxBuffer: 50 * 1024 * 1024
         });
         // Check if the cyclonedx plugin created the required bom.xml file
         // Sometimes the plugin fails silently for complex maven projects
@@ -1232,6 +1247,15 @@ export const createJavaBom = async (path, options) => {
               console.log(
                 "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
               );
+            } else if (
+              result.stdout &&
+              result.stdout.includes(
+                "Could not resolve target platform specification"
+              )
+            ) {
+              console.log(
+                "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+              );
             } else {
               console.log(
                 "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
@@ -1291,6 +1315,7 @@ export const createJavaBom = async (path, options) => {
               !Object.keys(parentComponent).length
             ) {
               parentComponent = bomJsonObj.metadata.component;
+              options.parentComponent = parentComponent;
               pkgList = [];
             }
             if (bomJsonObj.components) {
@@ -1579,7 +1604,12 @@ export const createJavaBom = async (path, options) => {
           result = spawnSync(
             BAZEL_CMD,
             ["aquery", "--output=textproto", "--skyframe_state"],
-            { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
+            {
+              cwd: basePath,
+              encoding: "utf-8",
+              timeout: TIMEOUT_MS,
+              maxBuffer: 1024 * 1024 * 100
+            }
           );
           if (result.status !== 0 || result.error) {
             console.error(result.stdout, result.stderr);
@@ -3144,34 +3174,44 @@ export const createCloudBuildBom = (path, options) => {
 };
 
 /**
- * Function to create bom string for the current OS using osquery
+ * Function to create obom string for the current OS using osquery
  *
  * @param path to the project
  * @param options Parse options from the cli
  */
 export const createOSBom = (path, options) => {
   console.warn(
-    "About to generate SBoM for the current OS installation. This would take several minutes ..."
+    "About to generate OBoM for the current OS installation. This will take several minutes ..."
   );
   let pkgList = [];
   let bomData = {};
+  let parentComponent = {};
   for (const queryCategory of Object.keys(osQueries)) {
     const queryObj = osQueries[queryCategory];
     const results = executeOsQuery(queryObj.query);
     const dlist = convertOSQueryResults(queryCategory, queryObj, results);
     if (dlist && dlist.length) {
-      pkgList = pkgList.concat(dlist);
+      if (!Object.keys(parentComponent).length) {
+        parentComponent = dlist.splice(0, 1)[0];
+      }
+      pkgList = pkgList.concat(
+        dlist.sort(function (a, b) {
+          return a.name.localeCompare(b.name);
+        })
+      );
     }
   } // for
   if (pkgList.length) {
     bomData = buildBomNSData(options, pkgList, "", {
       src: "",
-      filename: ""
+      filename: "",
+      parentComponent
     });
   }
   options.bomData = bomData;
   options.multiProject = true;
   options.installDeps = false;
+  options.parentComponent = parentComponent;
   // Force the project type to os
   options.projectType = "os";
   options.lastWorkingDir = undefined;
@@ -3365,7 +3405,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
   const ociSpecs = [];
   let components = [];
   let componentsXmls = [];
-  const parentComponent = {};
+  let parentComponent = {};
   let dependencies = [];
   const doneimages = [];
   const doneservices = [];
@@ -3604,6 +3644,10 @@ export const createContainerSpecLikeBom = async (path, options) => {
       if (mbomData.componentsXmls && mbomData.componentsXmls.length) {
         componentsXmls = componentsXmls.concat(mbomData.componentsXmls);
       }
+      // We need to retain the parentComponent. See #527
+      // Parent component returned by multi X search is usually good
+      parentComponent = mbomData.parentComponent;
+      options.parentComponent = parentComponent;
       if (mbomData.bomJson) {
         if (mbomData.bomJson.dependencies) {
           dependencies = mergeDependencies(
@@ -4496,7 +4540,8 @@ export const createMultiXBom = async (pathList, options) => {
     parentComponent.components = trimComponents(parentSubComponents, "json");
     if (
       parentComponent.components.length == 1 &&
-      parentComponent.components[0].name == parentComponent.name
+      parentComponent.components[0].name == parentComponent.name &&
+      !parentComponent.purl.startsWith("pkg:container")
     ) {
       parentComponent = parentComponent.components[0];
       delete parentComponent.components;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.6.1",
+  "version": "9.7.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -32,6 +32,7 @@
   "exports": "./index.js",
   "bin": {
     "cdxgen": "./bin/cdxgen.js",
+    "obom": "./bin/cdxgen.js",
     "cdxi": "./bin/repl.js",
     "evinse": "./bin/evinse.js",
     "cdx-verify": "./bin/verify.js"
@@ -53,13 +54,13 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.11",
+    "@babel/parser": "^7.22.14",
     "@babel/traverse": "^7.22.11",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
-    "glob": "^10.3.0",
+    "glob": "^10.3.4",
     "global-agent": "^3.0.0",
     "got": "^13.0.0",
     "iconv-lite": "^0.6.3",
@@ -79,8 +80,10 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.1.4",
-    "@cyclonedx/cdxgen-plugins-bin": "^1.3.0",
+    "@appthreat/atom": "^1.1.6",
+    "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
+    "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
+    "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
     "connect": "^3.7.0",
@@ -97,6 +100,6 @@
     "caxa": "^3.0.1",
     "eslint": "^8.48.0",
     "jest": "^29.6.4",
-    "prettier": "3.0.2"
+    "prettier": "3.0.3"
   }
 }