@cyclonedx/cdxgen 9.7.0 → 9.7.1

package/README.md

@@ -90,6 +90,12 @@ sudo npm install -g @cyclonedx/cdxgen
 sudo npm install -g @cyclonedx/cdxgen@8.6.0
 ```
 
+If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](https://formulae.brew.sh/formula/cdxgen) via:
+
+```shell
+$ brew install cdxgen
+```
+
 Deno install is also supported.
 
 ```shell
@@ -161,8 +167,8 @@ Options:
                                                        [boolean] [default: true]
       --spec-version           CycloneDX Specification version to use. Defaults
                                to 1.5                             [default: 1.5]
-      --version                Show version number                     [boolean]
-  -h                           Show help                               [boolean]
+  -h, --help                   Show help                               [boolean]
+  -v, --version                Show version number                     [boolean]
 ```
 
 All boolean arguments accepts `--no` prefix to toggle the behavior.
@@ -293,6 +299,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | MVN_ARGS                     | Set to pass additional arguments such as profile or settings to maven                                                                |
 | MAVEN_HOME                   | Specify maven home                                                                                                                   |
 | MAVEN_CENTRAL_URL            | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used)                                                  |
+| BAZEL_STRIP_MAVEN_PREFIX     | Strip Maven group prefix (e.g. useful when private repo is used, defaults to `/maven2/`)                                             |
 | GRADLE_CACHE_DIR             | Specify gradle cache directory. Useful for class name resolving                                                                      |
 | GRADLE_MULTI_PROJECT_MODE    | Unused. Automatically handled                                                                                                        |
 | GRADLE_ARGS                  | Set to pass additional arguments such as profile or settings to gradle (all tasks). Eg: --configuration runtimeClassPath             |
@@ -367,10 +374,12 @@ podman system service -t 0 &
 
 ### Generate OBoM for a live system
 
-You can use cdxgen to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes by passing the argument `-t os`. Windows and Linux operating systems are supported in this mode.
+You can use the `obom` command to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
 
 ```shell
-cdxgen -t os
+# obom is an alias for cdxgen -t os
+obom
+# cdxgen -t os
 ```
 
 This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.

package/bin/cdxgen.js

@@ -121,7 +121,9 @@ const args = yargs(hideBin(process.argv))
   })
   .scriptName("cdxgen")
   .version()
-  .help("h").argv;
+  .alias("v", "version")
+  .help("h")
+  .alias("h", "help").argv;
 
 if (args.version) {
   const packageJsonAsString = fs.readFileSync(
@@ -156,6 +158,11 @@ if (args.serverUrl || args.apiKey) {
   args.specVersion = 1.4;
 }
 
+// Support for obom aliases
+if (process.argv[1].includes("obom") && !args.type) {
+  args.type = "os";
+}
+
 /**
  * projectType: python, nodejs, java, golang
  * multiProject: Boolean to indicate monorepo or multi-module projects

package/bin/repl.js

@@ -12,6 +12,7 @@ import { validateBom } from "../validator.js";
 import {
   printCallStack,
   printOccurrences,
+  printOSTable,
   printTable,
   printDependencyTree,
   printServices
@@ -32,8 +33,8 @@ process.env.NODE_NO_READLINE = 1;
 const cdxArt = `
  ██████╗██████╗ ██╗  ██╗
 ██╔════╝██╔══██╗╚██╗██╔╝
-██║     ██║  ██║ ╚███╔╝ 
-██║     ██║  ██║ ██╔██╗ 
+██║     ██║  ██║ ╚███╔╝
+██║     ██║  ██║ ██╔██╗
 ╚██████╗██████╔╝██╔╝ ██╗
  ╚═════╝╚═════╝ ╚═╝  ╚═╝
 `;
@@ -109,16 +110,16 @@ cdxgenRepl.defineCommand("create", {
     });
     if (bomNSData) {
       sbom = bomNSData.bomJson;
-      console.log("✅ SBoM imported successfully.");
-      console.log("💭 Type .print to view the SBoM as a table");
+      console.log("✅ BoM imported successfully.");
+      console.log("💭 Type .print to view the BoM as a table");
     } else {
-      console.log("SBoM was not generated successfully");
+      console.log("BoM was not generated successfully");
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("import", {
-  help: "import an existing SBoM",
+  help: "import an existing BoM",
   action(sbomOrPath) {
     this.clearBufferedCommand();
     importSbom(sbomOrPath);
@@ -138,14 +139,14 @@ cdxgenRepl.defineCommand("sbom", {
       console.log(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("search", {
-  help: "search the current sbom. performs case insensitive search on various attributes.",
+  help: "search the current bom. performs case insensitive search on various attributes.",
   async action(searchStr) {
     if (sbom) {
       if (searchStr) {
@@ -170,14 +171,14 @@ cdxgenRepl.defineCommand("search", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("sort", {
-  help: "sort the current sbom based on the attribute",
+  help: "sort the current bom based on the attribute",
   async action(sortStr) {
     if (sbom) {
       if (sortStr) {
@@ -204,14 +205,14 @@ cdxgenRepl.defineCommand("sort", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("query", {
-  help: "query the current sbom using jsonata expression",
+  help: "query the current bom using jsonata expression",
   async action(querySpec) {
     if (sbom) {
       if (querySpec) {
@@ -228,20 +229,20 @@ cdxgenRepl.defineCommand("query", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("print", {
-  help: "print the current sbom as a table",
+  help: "print the current bom as a table",
   action() {
     if (sbom) {
       printTable(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
@@ -254,14 +255,14 @@ cdxgenRepl.defineCommand("tree", {
       printDependencyTree(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("validate", {
-  help: "validate the sbom using jsonschema",
+  help: "validate the bom using jsonschema",
   action() {
     if (sbom) {
       const result = validateBom(sbom);
@@ -270,31 +271,31 @@ cdxgenRepl.defineCommand("validate", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("save", {
-  help: "save the sbom to a new file",
+  help: "save the bom to a new file",
   action(saveToFile) {
     if (sbom) {
       if (!saveToFile) {
         saveToFile = "bom.json";
       }
       fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
-      console.log(`SBoM saved successfully to ${saveToFile}`);
+      console.log(`BoM saved successfully to ${saveToFile}`);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("update", {
-  help: "update the sbom components based on the given query",
+  help: "update the bom components based on the given query",
   async action(updateSpec) {
     if (sbom) {
       if (!updateSpec) {
@@ -312,10 +313,10 @@ cdxgenRepl.defineCommand("update", {
       if (newSbom && newSbom.components.length <= sbom.components.length) {
         sbom = newSbom;
       }
-      console.log("SBoM updated successfully.");
+      console.log("BoM updated successfully.");
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
@@ -332,7 +333,7 @@ cdxgenRepl.defineCommand("occurrences", {
         let components = await expression.evaluate(sbom);
         if (!components) {
           console.log(
-            "No results found. Use evinse command to generate an SBoM with evidence."
+            "No results found. Use evinse command to generate an BoM with evidence."
           );
         } else {
           if (!Array.isArray(components)) {
@@ -345,7 +346,7 @@ cdxgenRepl.defineCommand("occurrences", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an evinse BoM"
       );
     }
     this.displayPrompt();
@@ -425,3 +426,130 @@ cdxgenRepl.defineCommand("services", {
     this.displayPrompt();
   }
 });
+cdxgenRepl.defineCommand("osinfocategories", {
+  help: "view the category names for the OS info from the obom",
+  async action() {
+    if (sbom) {
+      try {
+        const expression = jsonata(
+          '$distinct(components.properties[name="cdx:osquery:category"].value)'
+        );
+        let catgories = await expression.evaluate(sbom);
+        if (!catgories) {
+          console.log(
+            "Unable to retrieve the os info categories. Only OBoMs generated by cdxgen are supported by this tool."
+          );
+        } else {
+          console.log(catgories.join("\n"));
+        }
+      } catch (e) {
+        console.log(e);
+      }
+    } else {
+      console.log(
+        "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+
+// Let's dynamically define more commands from the queries
+[
+  "apt_sources",
+  "behavioral_reverse_shell",
+  "certificates",
+  "chrome_extensions",
+  "crontab_snapshot",
+  "deb_packages",
+  "docker_container_ports",
+  "docker_containers",
+  "docker_networks",
+  "docker_volumes",
+  "etc_hosts",
+  "firefox_addons",
+  "homebrew_packages",
+  "installed_applications",
+  "interface_addresses",
+  "kernel_info",
+  "kernel_integrity",
+  "kernel_modules",
+  "ld_preload",
+  "listening_ports",
+  "os_version",
+  "pipes",
+  "pipes_snapshot",
+  "portage_packages",
+  "process_events",
+  "processes",
+  "python_packages",
+  "rpm_packages",
+  "scheduled_tasks",
+  "services_snapshot",
+  "startup_items",
+  "system_info_snapshot",
+  "windows_drivers",
+  "windows_patches",
+  "windows_programs",
+  "windows_shared_resources",
+  "yum_sources",
+  "appcompat_shims",
+  "atom_packages",
+  "browser_plugins",
+  "certificates",
+  "chocolatey_packages",
+  "chrome_extensions",
+  "etc_hosts",
+  "firefox_addons",
+  "ie_extensions",
+  "kernel_info",
+  "npm_packages",
+  "opera_extensions",
+  "pipes_snapshot",
+  "process_open_sockets",
+  "safari_extensions",
+  "scheduled_tasks",
+  "services_snapshot",
+  "startup_items",
+  "routes",
+  "system_info_snapshot",
+  "win_version",
+  "windows_firewall_rules",
+  "windows_optional_features",
+  "windows_programs",
+  "windows_shared_resources",
+  "windows_update_history",
+  "wmi_cli_event_consumers",
+  "wmi_cli_event_consumers_snapshot",
+  "wmi_event_filters",
+  "wmi_filter_consumer_binding"
+].forEach((c) => {
+  cdxgenRepl.defineCommand(c, {
+    help: `query the ${c} category from the OS info`,
+    async action() {
+      if (sbom) {
+        try {
+          const expression = jsonata(
+            `components[properties[name="cdx:osquery:category" and value="${c}"]]`
+          );
+          let components = await expression.evaluate(sbom);
+          if (!components) {
+            console.log("No results found.");
+          } else {
+            if (!Array.isArray(components)) {
+              components = [components];
+            }
+            printOSTable({ components });
+          }
+        } catch (e) {
+          console.log(e);
+        }
+      } else {
+        console.log(
+          "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+        );
+      }
+      this.displayPrompt();
+    }
+  });
+});

package/data/queries-win.json

@@ -162,10 +162,10 @@
     "componentType": "data"
   },
   "listening_ports": {
-    "query": "SELECT * FROM listening_ports;",
-    "description": "List all listening_ports.",
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "description": "List all processes and their listening_ports.",
     "purlType": "swid",
-    "componentType": "data"
+    "componentType": "application"
   },
   "processes": {
     "query": "SELECT * FROM processes;",
@@ -196,5 +196,11 @@
     "description": "List all windows_firewall_rules.",
     "purlType": "swid",
     "componentType": "data"
+  },
+  "logical_drives": {
+    "query": "SELECT * FROM logical_drives;",
+    "description": "List all logical_drives.",
+    "purlType": "swid",
+    "componentType": "device"
   }
 }

package/data/queries.json

@@ -96,12 +96,6 @@
     "purlType": "swid",
     "componentType": "data"
   },
-  "pipes": {
-    "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);",
-    "description": "Named and Anonymous pipes.",
-    "purlType": "swid",
-    "componentType": "data"
-  },
   "etc_hosts": {
     "query": "SELECT * FROM etc_hosts;",
     "description": "List the contents of the Windows hosts file.",
@@ -181,10 +175,10 @@
     "componentType": "data"
   },
   "listening_ports": {
-    "query": "SELECT * FROM listening_ports;",
-    "description": "List all listening_ports.",
+    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
+    "description": "List all processes and their listening_ports.",
     "purlType": "swid",
-    "componentType": "data"
+    "componentType": "application"
   },
   "interface_addresses": {
     "query": "SELECT * FROM interface_addresses;",

package/display.js

@@ -1,4 +1,4 @@
-import { table } from "table";
+import { createStream, table } from "table";
 
 // https://github.com/yangshun/tree-node-cli/blob/master/src/index.js
 const SYMBOLS_ANSI = {
@@ -12,19 +12,31 @@ const SYMBOLS_ANSI = {
 const MAX_TREE_DEPTH = 6;
 
 export const printTable = (bomJson) => {
-  const data = [["Group", "Name", "Version", "Scope"]];
   if (!bomJson || !bomJson.components) {
     return;
   }
-  for (const comp of bomJson.components) {
-    data.push([comp.group || "", comp.name, comp.version, comp.scope || ""]);
+  if (
+    bomJson.metadata &&
+    bomJson.metadata.component &&
+    ["operating-system", "platform"].includes(bomJson.metadata.component.type)
+  ) {
+    return printOSTable(bomJson);
   }
+  const data = [["Group", "Name", "Version", "Scope"]];
   const config = {
     header: {
       alignment: "center",
       content: "Software Bill-of-Materials\nGenerated by cdxgen"
     }
   };
+  for (const comp of bomJson.components) {
+    data.push([
+      comp.group || "",
+      comp.name,
+      `\x1b[1;35m${comp.version}\x1b[0m`,
+      comp.scope || ""
+    ]);
+  }
   console.log(table(data, config));
   console.log(
     "BOM includes",
@@ -34,6 +46,32 @@ export const printTable = (bomJson) => {
     "dependencies"
   );
 };
+const formatProps = (props) => {
+  const retList = [];
+  for (const p of props) {
+    retList.push(`\x1b[0;32m${p.name}\x1b[0m ${p.value}`);
+  }
+  return retList.join("\n");
+};
+export const printOSTable = (bomJson) => {
+  const config = {
+    columnDefault: {
+      width: 50
+    },
+    columnCount: 3,
+    columns: [{ width: 20 }, { width: 40 }, { width: 50 }]
+  };
+  const stream = createStream(config);
+  stream.write(["Type", "Title", "Properties"]);
+  for (const comp of bomJson.components) {
+    stream.write([
+      comp.type,
+      `\x1b[1;35m${comp.name.replace(/\+/g, " ").replace(/--/g, "::")}\x1b[0m`,
+      formatProps(comp.properties || [])
+    ]);
+  }
+  console.log();
+};
 export const printServices = (bomJson) => {
   const data = [["Name", "Endpoints", "Authenticated", "X Trust Boundary"]];
   if (!bomJson || !bomJson.services) {
@@ -43,8 +81,8 @@ export const printServices = (bomJson) => {
     data.push([
       aservice.name || "",
       aservice.endpoints ? aservice.endpoints.join("\n") : "",
-      aservice.authenticated ? "Yes" : "",
-      aservice.xTrustBoundary ? "Yes" : ""
+      aservice.authenticated ? "\x1b[1;35mYes\x1b[0m" : "",
+      aservice.xTrustBoundary ? "\x1b[1;35mYes\x1b[0m" : ""
     ]);
   }
   const config = {

package/index.js

@@ -1247,6 +1247,15 @@ export const createJavaBom = async (path, options) => {
               console.log(
                 "1. Try building the project with 'mvn package -Dmaven.test.skip=true' using the correct version of Java and maven before invoking cdxgen."
               );
+            } else if (
+              result.stdout &&
+              result.stdout.includes(
+                "Could not resolve target platform specification"
+              )
+            ) {
+              console.log(
+                "1. Some projects can be built only from the root directory. Invoke cdxgen with --no-recurse option"
+              );
             } else {
               console.log(
                 "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
@@ -1306,6 +1315,7 @@ export const createJavaBom = async (path, options) => {
               !Object.keys(parentComponent).length
             ) {
               parentComponent = bomJsonObj.metadata.component;
+              options.parentComponent = parentComponent;
               pkgList = [];
             }
             if (bomJsonObj.components) {
@@ -1594,7 +1604,12 @@ export const createJavaBom = async (path, options) => {
           result = spawnSync(
             BAZEL_CMD,
             ["aquery", "--output=textproto", "--skyframe_state"],
-            { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
+            {
+              cwd: basePath,
+              encoding: "utf-8",
+              timeout: TIMEOUT_MS,
+              maxBuffer: 1024 * 1024 * 100
+            }
           );
           if (result.status !== 0 || result.error) {
             console.error(result.stdout, result.stderr);
@@ -3390,7 +3405,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
   const ociSpecs = [];
   let components = [];
   let componentsXmls = [];
-  const parentComponent = {};
+  let parentComponent = {};
   let dependencies = [];
   const doneimages = [];
   const doneservices = [];
@@ -3629,6 +3644,10 @@ export const createContainerSpecLikeBom = async (path, options) => {
       if (mbomData.componentsXmls && mbomData.componentsXmls.length) {
         componentsXmls = componentsXmls.concat(mbomData.componentsXmls);
       }
+      // We need to retain the parentComponent. See #527
+      // Parent component returned by multi X search is usually good
+      parentComponent = mbomData.parentComponent;
+      options.parentComponent = parentComponent;
       if (mbomData.bomJson) {
         if (mbomData.bomJson.dependencies) {
           dependencies = mergeDependencies(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.7.0",
+  "version": "9.7.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -32,6 +32,7 @@
   "exports": "./index.js",
   "bin": {
     "cdxgen": "./bin/cdxgen.js",
+    "obom": "./bin/cdxgen.js",
     "cdxi": "./bin/repl.js",
     "evinse": "./bin/evinse.js",
     "cdx-verify": "./bin/verify.js"
@@ -53,13 +54,13 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.11",
+    "@babel/parser": "^7.22.14",
     "@babel/traverse": "^7.22.11",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
-    "glob": "^10.3.0",
+    "glob": "^10.3.4",
     "global-agent": "^3.0.0",
     "got": "^13.0.0",
     "iconv-lite": "^0.6.3",
@@ -79,7 +80,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.1.4",
+    "@appthreat/atom": "^1.1.6",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -99,6 +100,6 @@
     "caxa": "^3.0.1",
     "eslint": "^8.48.0",
     "jest": "^29.6.4",
-    "prettier": "3.0.2"
+    "prettier": "3.0.3"
   }
 }

package/utils.js

@@ -1339,7 +1339,7 @@ export const parseMavenTree = function (rawOutput) {
             pkgArr[0],
             pkgArr[1],
             versionStr,
-            { type: "jar" },
+            { type: pkgArr[2] },
             null
           ).toString();
           purlString = decodeURIComponent(purlString);
@@ -1347,7 +1347,7 @@ export const parseMavenTree = function (rawOutput) {
             group: pkgArr[0],
             name: pkgArr[1],
             version: versionStr,
-            qualifiers: { type: "jar" }
+            qualifiers: { type: pkgArr[2] }
           });
           if (!level_trees[purlString]) {
             level_trees[purlString] = [];
@@ -1878,8 +1878,9 @@ export const parseBazelSkyframe = function (rawOutput) {
             // Remove the protocol, registry url and then file name
             let prefix_slice_count = 2;
             // Bug: #169
-            if (l.includes("/maven2/")) {
-              prefix_slice_count = 3;
+            const prefix = process.env.BAZEL_STRIP_MAVEN_PREFIX || "/maven2/";
+            if (l.includes(prefix)) {
+              prefix_slice_count = prefix.split("/").length;
             }
             jarPathParts = jarPathParts.slice(prefix_slice_count, -1);
             // The last part would be the version
@@ -5203,11 +5204,18 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
   if (jarFiles && jarFiles.length) {
     for (const jf of jarFiles) {
       const jarname = jf;
-      const pomname =
+      let pomname =
         pomPathMap[basename(jf).replace(".jar", ".pom")] ||
         jarname.replace(".jar", ".pom");
       let pomData = undefined;
       let purl = undefined;
+      // In some cases, the pom name might be slightly different to the jar name
+      if (!existsSync(pomname)) {
+        const pomSearch = getAllFiles(dirname(jf), "*.pom");
+        if (pomSearch && pomSearch.length === 1) {
+          pomname = pomSearch[0];
+        }
+      }
       if (existsSync(pomname)) {
         pomData = parsePomXml(readFileSync(pomname, "utf-8"));
         if (pomData) {
@@ -5221,6 +5229,52 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
           );
           purl = purlObj.toString();
         }
+      } else if (jf.includes(join(".m2", "repository"))) {
+        // Let's try our best to construct a purl for .m2 cache entries of the form
+        // .m2/repository/org/apache/logging/log4j/log4j-web/3.0.0-SNAPSHOT/log4j-web-3.0.0-SNAPSHOT.jar
+        const tmpA = jf.split(join(".m2", "repository", ""));
+        if (tmpA && tmpA.length) {
+          let tmpJarPath = tmpA[tmpA.length - 1];
+          // This would yield log4j-web-3.0.0-SNAPSHOT.jar
+          const jarFileName = basename(tmpJarPath).replace(".jar", "");
+          let tmpDirParts = dirname(tmpJarPath).split(_sep);
+          // Retrieve the version
+          let jarVersion = tmpDirParts.pop();
+          if (jarVersion === "plugins") {
+            jarVersion = tmpDirParts.pop();
+            if (jarVersion === "eclipse") {
+              jarVersion = tmpDirParts.pop();
+            }
+          }
+          // The result would form the group name
+          let jarGroupName = tmpDirParts.join(".").replace(/^\./, "");
+          let qualifierType = "jar";
+          // Support for p2 bundles and plugins
+          // See https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/137
+          // See https://github.com/CycloneDX/cdxgen/pull/510#issuecomment-1702551615
+          if (jarGroupName.startsWith("p2.osgi.bundle")) {
+            jarGroupName = "p2.osgi.bundle";
+            qualifierType = "osgi-bundle";
+          } else if (jarGroupName.startsWith("p2.eclipse.plugin")) {
+            jarGroupName = "p2.eclipse.plugin";
+            qualifierType = "eclipse-plugin";
+          } else if (jarGroupName.startsWith("p2.binary")) {
+            jarGroupName = "p2.binary";
+            qualifierType = "eclipse-executable";
+          } else if (jarGroupName.startsWith("p2.org.eclipse.update.feature")) {
+            jarGroupName = "p2.org.eclipse.update.feature";
+            qualifierType = "eclipse-feature";
+          }
+          const purlObj = new PackageURL(
+            "maven",
+            jarGroupName,
+            jarFileName.replace(`-${jarVersion}`, ""),
+            jarVersion,
+            { type: qualifierType },
+            null
+          );
+          purl = purlObj.toString();
+        }
       } else if (jf.includes(join(".gradle", "caches"))) {
         // Let's try our best to construct a purl for gradle cache entries of the form
         // .gradle/caches/modules-2/files-2.1/org.xmlresolver/xmlresolver/4.2.0/f4dbdaa83d636dcac91c9003ffa7fb173173fe8d/xmlresolver-4.2.0-data.jar
@@ -5228,7 +5282,7 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
         if (tmpA && tmpA.length) {
           let tmpJarPath = tmpA[tmpA.length - 1];
           // This would yield xmlresolver-4.2.0-data.jar
-          const jarFileName = basename(tmpJarPath);
+          const jarFileName = basename(tmpJarPath).replace(".jar", "");
           let tmpDirParts = dirname(tmpJarPath).split(_sep);
           // This would remove the hash from the end of the directory name
           tmpDirParts.pop();
@@ -5294,6 +5348,9 @@ export const convertJarNSToPackages = (jarNSMapping) => {
     }
     const name = pom.artifactId || purlObj.name;
     if (!name) {
+      console.warn(
+        `Unable to identify the metadata for ${purl}. This will be skipped.`
+      );
       continue;
     }
     const apackage = {

package/utils.test.js

@@ -502,10 +502,10 @@ test("parse maven tree", () => {
     group: "com.pogeyan.cmis",
     name: "copper-server",
     version: "1.15.2",
-    qualifiers: { type: "jar" }
+    qualifiers: { type: "war" }
   });
   expect(parsedList.dependenciesList[0]).toEqual({
-    ref: "pkg:maven/com.pogeyan.cmis/copper-server@1.15.2?type=jar",
+    ref: "pkg:maven/com.pogeyan.cmis/copper-server@1.15.2?type=war",
     dependsOn: [
       "pkg:maven/javax/javaee-web-api@7.0?type=jar",
       "pkg:maven/org.apache.chemistry.opencmis/chemistry-opencmis-server-support@1.0.0?type=jar",
@@ -553,6 +553,35 @@ test("parse maven tree", () => {
       "pkg:maven/org.apache.geode/geode-core@1.1.1?type=jar"
     ]
   });
+  parsedList = parseMavenTree(
+    readFileSync("./test/data/mvn-p2-plugin.txt", {
+      encoding: "utf-8"
+    })
+  );
+  expect(parsedList.pkgList.length).toEqual(79);
+  expect(parsedList.pkgList[0]).toEqual({
+    group: "example.group",
+    name: "eclipse-repository",
+    version: "1.0.0-SNAPSHOT",
+    qualifiers: { type: "eclipse-repository" }
+  });
+  expect(parsedList.pkgList[4]).toEqual({
+    group: "p2.eclipse.plugin",
+    name: "com.ibm.icu",
+    version: "67.1.0.v20200706-1749",
+    qualifiers: { type: "eclipse-plugin" }
+  });
+  expect(parsedList.dependenciesList.length).toEqual(79);
+  expect(parsedList.dependenciesList[0]).toEqual({
+    ref: "pkg:maven/example.group/eclipse-repository@1.0.0-SNAPSHOT?type=eclipse-repository",
+    dependsOn: [
+      "pkg:maven/example.group/example-feature@0.1.0-SNAPSHOT?type=eclipse-feature",
+      "pkg:maven/example.group/example-feature-2@0.2.0-SNAPSHOT?type=eclipse-feature",
+      "pkg:maven/example.group/example-bundle@0.1.0-SNAPSHOT?type=eclipse-plugin",
+      "pkg:maven/example.group/org.tycho.demo.rootfiles@1.0.0?type=p2-installable-unit",
+      "pkg:maven/example.group/org.tycho.demo.rootfiles.win@1.0.0-SNAPSHOT?type=p2-installable-unit"
+    ]
+  });
 });
 
 // Slow test