npm - @cyclonedx/cdxgen - Versions diffs - 9.7.5 → 9.8.1 - Mend

@cyclonedx/cdxgen 9.7.5 → 9.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -2,17 +2,16 @@
 ![cdxgen logo](cdxgen.png)
-cdxgen is a cli tool, library, [REPL](./ADVANCED.md) and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
+cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
-When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences and SaaSBoM for some languages.
+When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBoM for some languages.
 NOTE:
 CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 ## Why cdxgen?
-A typical application might comprise of several repos, components, and libraries linked together. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
+A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
 <img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
@@ -31,7 +30,7 @@ A typical application might comprise of several repos, components, and libraries
 | dart                            | pubspec.lock, pubspec.yaml                                                                                        | Only for pubspec.lock                                                                             |
 | haskell                         | cabal.project.freeze                                                                                              | Yes                                                                                               |
 | elixir                          | mix.lock                                                                                                          | Yes                                                                                               |
-| c/c++                           | conan.lock, conanfile.txt, \*.cmake, CMakeLists.txt, meson.build                                                  | Yes only for conan.lock. Best effort basis for cmake without version numbers.                     |
+| c/c++/Objective C/c++11         | conan.lock, conanfile.txt, \*.cmake, CMakeLists.txt, meson.build, codebase without package managers!              | Yes only for conan.lock. Best effort basis for cmake without version numbers.                     |
 | clojure                         | Clojure CLI (deps.edn), Leiningen (project.clj)                                                                   | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command          |
 | swift                           | Package.resolved, Package.swift (swiftpm)                                                                         | Yes                                                                                               |
 | docker / oci image              | All supported languages. Linux OS packages with plugins [4]                                                       | Best effort based on lock files                                                                   |
@@ -56,28 +55,27 @@ NOTE:
 - Apache maven 3.x is required for parsing pom.xml
 - gradle or gradlew is required to parse gradle projects
-- sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ is supported for now.
+- sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ are currently supported.
   - Alternatively, create a lock file using sbt-dependency-lock [plugin](https://github.com/stringbean/sbt-dependency-lock)
 Footnotes:
-- [1] - For multi-module application, the BoM file could include components that may not be included in the packaged war or ear file.
+- [1] - For multi-module applications, the BoM file could include components not included in the packaged war or ear file.
 - [2] - Pip freeze is automatically performed to improve precision. Requires virtual environment.
-- [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file cdxgen would not include indirect dependencies.
-- [4] - See section on plugins
-- [5] - Powered by osquery. See section on plugins
+- [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
+- [4] - See the section on plugins
+- [5] - Powered by osquery. See the section on plugins
 <img src="./docs/cdxgen-tree.jpg" alt="cdxgen tree" width="256">
 ### Automatic usage detection
+For node.js projects, lock files are parsed initially, so the SBoM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBoM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
-For node.js projects, lock files are parsed initially so the SBoM would include all dependencies including dev dependencies. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically have their `scope` property set to `required` in the resulting SBoM. By passing the argument `--no-babel`, you can disable this analysis. Scope property would then be set based on the `dev` attribute in the lock file.
-This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) use this attribute to prioritize vulnerabilities. Tools such dependency track, unfortunately, do not include this feature and hence might over-report the CVEs.
+This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
-By passing the argument `--required-only`, you can limit the SBoM to only include packages with the scope "required", commonly referred to as production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+By passing the argument `--required-only`, you can limit the SBoM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
-For go, `go mod why` command is used to identify required packages. For php, composer lock file is used to distinguish required (packages) from optional (packages-dev).
+For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 ## Usage
@@ -99,7 +97,7 @@ $ brew install cdxgen
 Deno install is also supported.
 ```shell
-deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
+deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
 ```
 You can also use the cdxgen container image
@@ -147,6 +145,7 @@ $ cdxgen -h
       --project-version        Dependency track project version    [default: ""]
       --project-id             Dependency track project id. Either provide the i
                                d or the project name and version together
+      --parent-project-id      Dependency track parent project id
       --required-only          Include only the packages with required scope on
                                the SBoM.                               [boolean]
       --fail-on-error          Fail if any dependency extractor fails. [boolean]
@@ -174,7 +173,7 @@ $ cdxgen -h
   -v, --version                Show version number                     [boolean]
 ```
-All boolean arguments accepts `--no` prefix to toggle the behavior.
+All boolean arguments accept `--no` prefix to toggle the behavior.
 ## Example
@@ -184,7 +183,7 @@ Minimal example.
 cdxgen -o bom.json
 ```
-For a java project. This would automatically detect maven, gradle or sbt and build bom accordingly
+For a java project. cdxgen would automatically detect maven, gradle, or sbt and build bom accordingly
 ```shell
 cdxgen -t java -o bom.json
@@ -202,7 +201,7 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
-To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
+To generate SBoM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument.
 ```shell
 cdxgen -r -o bom.json --spec-version 1.4
@@ -215,15 +214,15 @@ To generate SBoM for C or Python, ensure Java >= 17 is installed.
 cdxgen -t c -o bom.json
 ```
-NOTE: cdxgen is known to freeze with Java 8 or 11 so ensure >= 17 is installed and JAVA_HOME environment variable configured correctly. If in doubt, use the cdxgen container image.
+NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
 ## Universal SBoM
-By passing the type `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container and kubernetes manifests. The resulting SBoM could have over thousand components thus requiring additional triaging before use with traditional SCA tools.
+By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBoM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.
 ## SBoM server
-Invoke cdxgen with `--server` argument to run it in a server mode. By default, it listens to port `9090` which can be customized with the arguments `--server-host` and `--server-port`.
+Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.
 ```shell
 cdxgen --server
@@ -235,7 +234,7 @@ Or use the container image.
 docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0
 ```
-Use curl or your favourite tool to pass arguments to the `/sbom` route.
+Use curl or your favorite tool to pass arguments to the `/sbom` route.
 ### Scanning a local path
@@ -273,7 +272,7 @@ cdxgen app.war
 ## Resolving class names
-Sometimes it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen create a separate mapping file with the jar name (including the version) as the key and class names list as a value.
+Sometimes, it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen to create a separate mapping file with the jar name (including the version) as the key and class names list as a value.
 ```shell
 cdxgen -t java --resolve-class -o bom.json
@@ -283,7 +282,7 @@ This would create a bom.json.map file with the jar - class name mapping. Refer t
 ## Resolving licenses
-cdxgen can automatically query the public registries such as maven or npm or nuget to resolve the package licenses. This is a time consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true` as shown.
+cdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown.
 ```bash
 export FETCH_LICENSE=true
@@ -300,6 +299,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
+- csharp (projects.assets.json)
 ## Environment variables
@@ -369,15 +369,11 @@ podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
 cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker
 ```
-NOTE:
-- Only application related packages are collected by cdxgen. Support for OS installed packages is coming soon.
 ### Podman in rootless mode
 Setup podman in either [rootless](https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md) or [remote](https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md) mode
-On Linux, do not forget to start the podman socket which is required for API access.
+Do not forget to start the podman socket required for API access on Linux.
 ```shell
 systemctl --user enable --now podman.socket
@@ -395,27 +391,27 @@ obom
 # cdxgen -t os
 ```
-This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
+This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
 ## Generating SaaSBoM and component evidences
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
-## SBoM signing
+## BoM signing
-cdxgen can sign the generated SBoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
+cdxgen can sign the generated BoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 - SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
 - SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key
 - SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key
-To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature` which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
+To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
 ![SBoM signing](sbom-sign.jpg)
 ### Verifying the signature
-Use the bundled `cdx-verify` command which supports verifying a single signature added at the bom level.
+Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.
 ```shell
 npm install -g @cyclonedx/cdxgen
@@ -447,7 +443,7 @@ if (validationResult) {
 ## Automatic services detection
-cdxgen can automatically detect names of services from YAML manifests such as docker-compose or Kubernetes or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
+cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
 ## Conversion to SPDX format
@@ -470,7 +466,7 @@ Minimal example:
 import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
 ```
-See the [Deno Readme](./contrib/deno/README.md) for detailed instruction.
+See the [Deno Readme](./contrib/deno/README.md) for detailed instructions.
 ```javascript
 import { createBom, submitBom } from "@cyclonedx/cdxgen";
@@ -486,7 +482,7 @@ Refer to the [permissions document](./docs/PERMISSIONS.md)
 ## Contributing
-Follow the usual PR process but prior to raising a PR run the following commands.
+Follow the usual PR process, but before raising a PR, run the following commands.
 ```bash
 npm run lint
@@ -496,4 +492,4 @@ npm test
 ## Enterprise support
-Enterprise support including custom development and integration services are available via [AppThreat Ltd](https://www.appthreat.com). Free community support is also available via [discord](https://discord.gg/tmmtjCEHNV).
+Enterprise support, including custom development and integration services, is available via [AppThreat Ltd](https://www.appthreat.com). Free community support is also available via [Discord](https://discord.gg/tmmtjCEHNV).

package/bin/cdxgen.js CHANGED Viewed

@@ -73,6 +73,9 @@ const args = yargs(hideBin(process.argv))
     description:
       "Dependency track project id. Either provide the id or the project name and version together"
   })
+  .option("parent-project-id", {
+    description: "Dependency track parent project id"
+  })
   .option("required-only", {
     type: "boolean",
     description: "Include only the packages with required scope on the SBoM."

package/binary.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { join, dirname, basename } from "node:path";
 import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
-import { DEBUG_MODE } from "./utils.js";
+import { DEBUG_MODE, findLicenseId } from "./utils.js";
 import { fileURLToPath } from "node:url";
@@ -509,7 +509,34 @@ export const getOSPackages = (src) => {
               Array.isArray(comp.licenses) &&
               comp.licenses.length
             ) {
-              comp.licenses = [comp.licenses[0]];
+              const newLicenses = [];
+              for (const alic of comp.licenses) {
+                if (alic.license.name) {
+                  // Licenses array can either be made of expressions or id/name but not both
+                  if (
+                    comp.licenses.length == 1 &&
+                    (alic.license.name.toUpperCase().includes(" AND ") ||
+                      alic.license.name.toUpperCase().includes(" OR "))
+                  ) {
+                    newLicenses.push({ expression: alic.license.name });
+                  } else {
+                    const possibleId = findLicenseId(alic.license.name);
+                    if (possibleId !== alic.license.name) {
+                      newLicenses.push({ license: { id: possibleId } });
+                    } else {
+                      newLicenses.push({
+                        license: { name: alic.license.name }
+                      });
+                    }
+                  }
+                } else if (
+                  Object.keys(alic).length &&
+                  Object.keys(alic.license).length
+                ) {
+                  newLicenses.push(alic);
+                }
+              }
+              comp.licenses = newLicenses;
             }
             // Fix hashes
             if (

package/data/lic-mapping.json CHANGED Viewed

@@ -58,6 +58,18 @@
       "BSD (3-clause)"
     ]
   },
+  {
+    "exp": "BSD-4-Clause",
+    "names": [
+      "BSD 4 Clause",
+      "BSD 4-Clause",
+      "BSD-4-Clause",
+      "BSD 4-Clause License",
+      "The BSD 4-Clause License",
+      "BSD 4-Clause \"New\" or \"Revised\" License (BSD-4-Clause)",
+      "BSD (4-clause)"
+    ]
+  },
   {
     "exp": "CDDL-1.0",
     "names": [
@@ -177,6 +189,8 @@
   {
     "exp": "GPL-2.0-only",
     "names": [
+      "GPLv2",
+      "GPL-2.0",
       "GNU General Public License (GPL) version 2",
       "GNU General Public License (GPL) version 2.0",
       "GNU General Public License v2",
@@ -216,12 +230,14 @@
       "GNU General Public License v3",
       "GNU General Public License v3.0",
       "GNU General Public License as published by the Free Software Foundation, version 3.",
-      "GPL-3"
+      "GPL-3",
+      "GPL-3.0"
     ]
   },
   {
     "exp": "GPL-3.0-or-later",
     "names": [
+      "GPLv3+",
       "GNU General Public License (GPL) version 3, or any later version",
       "GNU General Public License (GPL) version 3.0, or any later version",
       "GNU General Public License v3 or later",

package/index.js CHANGED Viewed

@@ -97,7 +97,9 @@ import {
   addEvidenceForImports,
   parseSbtTree,
   parseCmakeLikeFile,
-  getCppModules
+  getCppModules,
+  FETCH_LICENSE,
+  getNugetMetadata
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -653,8 +655,8 @@ function addComponent(
   }
   if (!isRootPkg) {
     const pkgIdentifier = parsePackageJsonName(pkg.name);
-    const author = pkg.author || "";
-    const publisher = pkg.publisher || "";
+    const author = pkg.author || undefined;
+    const publisher = pkg.publisher || undefined;
     let group = pkg.group || pkgIdentifier.scope;
     // Create empty group
     group = group || "";
@@ -682,7 +684,7 @@ function addComponent(
     purlString = decodeURIComponent(purlString);
     let description = { "#cdata": pkg.description };
     if (format === "json") {
-      description = pkg.description || "";
+      description = pkg.description || undefined;
     }
     let compScope = pkg.scope;
     if (allImports) {
@@ -1265,7 +1267,7 @@ export const createJavaBom = async (path, options) => {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
+                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
               );
             }
             console.log(
@@ -2983,7 +2985,13 @@ export const createCppBom = (path, options) => {
       }
     }
   }
-  if (!["docker", "oci", "os"].includes(options.projectType)) {
+  // The need for java >= 17 with atom is causing confusions since there could be C projects
+  // inside of other project types. So we currently limit this analyis only when -t argument
+  // is used.
+  if (
+    !["docker", "oci", "os"].includes(options.projectType) &&
+    (!options.createMultiXBom || options.deep)
+  ) {
     let osPkgsList = [];
     // Case 1: Development libraries installed in this OS environment might be used for build
     // We collect OS packages with the word dev in the name using osquery here
@@ -3010,10 +3018,12 @@ export const createCppBom = (path, options) => {
       pkgList = pkgList.concat(dlist);
     }
   }
-  if (!parentComponent) {
-    parentComponent = createDefaultParentComponent(path, "conan", options);
+  if (!options.createMultiXBom) {
+    if (!parentComponent) {
+      parentComponent = createDefaultParentComponent(path, "conan", options);
+    }
+    options.parentComponent = parentComponent;
   }
-  options.parentComponent = parentComponent;
   return buildBomNSData(options, pkgList, "conan", {
     src: path,
     parentComponent
@@ -3913,39 +3923,17 @@ export const createRubyBom = async (path, options) => {
   return {};
 };
-const removeDuplicates = (pkgList, dependencies) => {
-  const uniqueItems = {};
-  const uniqueRefs = new Set();
-  const newPkgList = [];
-  const newDependencies = [];
-  for (const item of pkgList) {
-    if (item) {
-      const { name, version } = item;
-      const key = `${name}-${version}`;
-      if (!uniqueItems[key] && key) {
-        uniqueItems[key] = item;
-        newPkgList.push(item);
-      }
-    }
-  }
-  for (const item of dependencies) {
-    const { ref } = item;
-    if (!uniqueRefs.has(ref)) {
-      uniqueRefs.add(ref);
-      newDependencies.push(item);
-    }
-  }
-  return [newPkgList, newDependencies];
-};
 /**
  * Function to create bom string for csharp projects
  *
  * @param path to the project
  * @param options Parse options from the cli
  */
-export const createCsharpBom = async (path, options) => {
+export const createCsharpBom = async (
+  path,
+  options,
+  parentComponent = undefined
+) => {
   let manifestFiles = [];
   let pkgData = undefined;
   let dependencies = [];
@@ -3970,7 +3958,7 @@ export const createCsharpBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "*.nupkg"
   );
   let pkgList = [];
-  if (nupkgFiles.length) {
+  if (nupkgFiles.length && projAssetsFiles.length === 0) {
     manifestFiles = manifestFiles.concat(nupkgFiles);
     for (const nf of nupkgFiles) {
       if (DEBUG_MODE) {
@@ -4048,17 +4036,27 @@ export const createCsharpBom = async (path, options) => {
       }
     }
   }
+  if (!parentComponent) {
+    parentComponent = createDefaultParentComponent(path, options.type, options);
+  }
   if (pkgList.length) {
-    const uniquePkg = removeDuplicates(pkgList, dependencies);
-    dependencies = uniquePkg[1];
-    pkgList = uniquePkg[0];
-    return buildBomNSData(options, pkgList, "nuget", {
-      src: path,
-      filename: manifestFiles.join(", "),
-      dependencies
-    });
+    dependencies = mergeDependencies(dependencies, [], parentComponent);
+    pkgList = trimComponents(pkgList, "json");
   }
-  return {};
+  if (FETCH_LICENSE) {
+    const retMap = await getNugetMetadata(pkgList, dependencies);
+    if (retMap.dependencies && retMap.dependencies.length) {
+      dependencies = dependencies.concat(retMap.dependencies);
+    }
+    dependencies = mergeDependencies(dependencies, [], parentComponent);
+    pkgList = trimComponents(pkgList, "json");
+  }
+  return buildBomNSData(options, pkgList, "nuget", {
+    src: path,
+    filename: manifestFiles.join(", "),
+    dependencies,
+    parentComponent
+  });
 };
 export const mergeDependencies = (
@@ -4180,6 +4178,7 @@ export const createMultiXBom = async (pathList, options) => {
   let bomData = undefined;
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
+  options.createMultiXBom = true;
   if (
     ["docker", "oci", "container"].includes(options.projectType) &&
     options.allLayersExplodedDir
@@ -4404,7 +4403,7 @@ export const createMultiXBom = async (pathList, options) => {
         listComponents(options, {}, bomData.bomJson.components, "gem", "xml")
       );
     }
-    bomData = await createCsharpBom(path, options);
+    bomData = await createCsharpBom(path, options, parentComponent);
     if (bomData && bomData.bomJson && bomData.bomJson.components) {
       if (DEBUG_MODE) {
         console.log(
@@ -5229,6 +5228,9 @@ export async function submitBom(args, bomContents) {
     autoCreate: "true",
     bom: encodedBomContents
   };
+  if (typeof args.parentProjectId !== "undefined") {
+    bomPayload.parentUUID = args.parentProjectId;
+  }
   if (DEBUG_MODE) {
     console.log(
       "Submitting BOM to",
@@ -5265,13 +5267,7 @@ export async function submitBom(args, bomContents) {
             "Content-Type": "application/json",
             "user-agent": `@CycloneDX/cdxgen ${_version}`
           },
-          json: {
-            project: args.projectId,
-            projectName: args.projectName,
-            projectVersion: projectVersion,
-            autoCreate: "true",
-            bom: encodedBomContents
-          },
+          json: bomPayload,
           responseType: "json"
         }).json();
       } catch (error) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.7.5",
+  "version": "9.8.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,7 +55,8 @@
   },
   "dependencies": {
     "@babel/parser": "^7.22.16",
-    "@babel/traverse": "^7.22.17",
+    "@babel/traverse": "^7.22.19",
+    "@npmcli/arborist": "^7.1.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
@@ -74,13 +75,13 @@
     "ssri": "^10.0.4",
     "table": "^6.8.1",
     "tar": "^6.2.0",
-    "uuid": "^9.0.0",
+    "uuid": "^9.0.1",
     "xml-js": "^1.6.11",
     "xmlbuilder": "^15.1.1",
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.1.15",
+    "@appthreat/atom": "^1.2.0",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -98,8 +99,8 @@
   ],
   "devDependencies": {
     "caxa": "^3.0.1",
-    "eslint": "^8.48.0",
-    "jest": "^29.6.4",
+    "eslint": "^8.49.0",
+    "jest": "^29.7.0",
     "prettier": "3.0.3"
   }
 }