@cyclonedx/cdxgen 9.8.0 → 9.8.1

package/README.md

@@ -2,17 +2,16 @@
 
 ![cdxgen logo](cdxgen.png)
 
-cdxgen is a cli tool, library, [REPL](./ADVANCED.md) and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
+cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
-When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences and SaaSBoM for some languages.
+When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBoM for some languages.
 
 NOTE:
 
 CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 
 ## Why cdxgen?
-
-A typical application might comprise of several repos, components, and libraries linked together. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
+A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
 
 <img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
 
@@ -56,28 +55,27 @@ NOTE:
 
 - Apache maven 3.x is required for parsing pom.xml
 - gradle or gradlew is required to parse gradle projects
-- sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ is supported for now.
+- sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ are currently supported.
   - Alternatively, create a lock file using sbt-dependency-lock [plugin](https://github.com/stringbean/sbt-dependency-lock)
 
 Footnotes:
 
-- [1] - For multi-module application, the BoM file could include components that may not be included in the packaged war or ear file.
+- [1] - For multi-module applications, the BoM file could include components not included in the packaged war or ear file.
 - [2] - Pip freeze is automatically performed to improve precision. Requires virtual environment.
-- [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file cdxgen would not include indirect dependencies.
-- [4] - See section on plugins
-- [5] - Powered by osquery. See section on plugins
+- [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
+- [4] - See the section on plugins
+- [5] - Powered by osquery. See the section on plugins
 
 <img src="./docs/cdxgen-tree.jpg" alt="cdxgen tree" width="256">
 
 ### Automatic usage detection
+For node.js projects, lock files are parsed initially, so the SBoM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBoM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
 
-For node.js projects, lock files are parsed initially so the SBoM would include all dependencies including dev dependencies. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically have their `scope` property set to `required` in the resulting SBoM. By passing the argument `--no-babel`, you can disable this analysis. Scope property would then be set based on the `dev` attribute in the lock file.
-
-This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) use this attribute to prioritize vulnerabilities. Tools such dependency track, unfortunately, do not include this feature and hence might over-report the CVEs.
+This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
 
-By passing the argument `--required-only`, you can limit the SBoM to only include packages with the scope "required", commonly referred to as production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+By passing the argument `--required-only`, you can limit the SBoM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
 
-For go, `go mod why` command is used to identify required packages. For php, composer lock file is used to distinguish required (packages) from optional (packages-dev).
+For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 
 ## Usage
 
@@ -99,7 +97,7 @@ $ brew install cdxgen
 Deno install is also supported.
 
 ```shell
-deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
+deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"
 ```
 
 You can also use the cdxgen container image
@@ -175,7 +173,7 @@ $ cdxgen -h
   -v, --version                Show version number                     [boolean]
 ```
 
-All boolean arguments accepts `--no` prefix to toggle the behavior.
+All boolean arguments accept `--no` prefix to toggle the behavior.
 
 ## Example
 
@@ -185,7 +183,7 @@ Minimal example.
 cdxgen -o bom.json
 ```
 
-For a java project. This would automatically detect maven, gradle or sbt and build bom accordingly
+For a java project. cdxgen would automatically detect maven, gradle, or sbt and build bom accordingly
 
 ```shell
 cdxgen -t java -o bom.json
@@ -203,7 +201,7 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
-To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
+To generate SBoM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument.
 
 ```shell
 cdxgen -r -o bom.json --spec-version 1.4
@@ -216,15 +214,15 @@ To generate SBoM for C or Python, ensure Java >= 17 is installed.
 cdxgen -t c -o bom.json
 ```
 
-NOTE: cdxgen is known to freeze with Java 8 or 11 so ensure >= 17 is installed and JAVA_HOME environment variable configured correctly. If in doubt, use the cdxgen container image.
+NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
 
 ## Universal SBoM
 
-By passing the type `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container and kubernetes manifests. The resulting SBoM could have over thousand components thus requiring additional triaging before use with traditional SCA tools.
+By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBoM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.
 
 ## SBoM server
 
-Invoke cdxgen with `--server` argument to run it in a server mode. By default, it listens to port `9090` which can be customized with the arguments `--server-host` and `--server-port`.
+Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.
 
 ```shell
 cdxgen --server
@@ -236,7 +234,7 @@ Or use the container image.
 docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0
 ```
 
-Use curl or your favourite tool to pass arguments to the `/sbom` route.
+Use curl or your favorite tool to pass arguments to the `/sbom` route.
 
 ### Scanning a local path
 
@@ -274,7 +272,7 @@ cdxgen app.war
 
 ## Resolving class names
 
-Sometimes it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen create a separate mapping file with the jar name (including the version) as the key and class names list as a value.
+Sometimes, it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen to create a separate mapping file with the jar name (including the version) as the key and class names list as a value.
 
 ```shell
 cdxgen -t java --resolve-class -o bom.json
@@ -284,7 +282,7 @@ This would create a bom.json.map file with the jar - class name mapping. Refer t
 
 ## Resolving licenses
 
-cdxgen can automatically query the public registries such as maven or npm or nuget to resolve the package licenses. This is a time consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true` as shown.
+cdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown.
 
 ```bash
 export FETCH_LICENSE=true
@@ -301,6 +299,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
+- csharp (projects.assets.json)
 
 ## Environment variables
 
@@ -370,15 +369,11 @@ podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
 cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker
 ```
 
-NOTE:
-
-- Only application related packages are collected by cdxgen. Support for OS installed packages is coming soon.
-
 ### Podman in rootless mode
 
 Setup podman in either [rootless](https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md) or [remote](https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md) mode
 
-On Linux, do not forget to start the podman socket which is required for API access.
+Do not forget to start the podman socket required for API access on Linux.
 
 ```shell
 systemctl --user enable --now podman.socket
@@ -396,27 +391,27 @@ obom
 # cdxgen -t os
 ```
 
-This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
+This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
 
 ## Generating SaaSBoM and component evidences
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
-## SBoM signing
+## BoM signing
 
-cdxgen can sign the generated SBoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
+cdxgen can sign the generated BoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 
 - SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
 - SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key
 - SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key
 
-To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature` which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
+To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
 
 ![SBoM signing](sbom-sign.jpg)
 
 ### Verifying the signature
 
-Use the bundled `cdx-verify` command which supports verifying a single signature added at the bom level.
+Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.
 
 ```shell
 npm install -g @cyclonedx/cdxgen
@@ -448,7 +443,7 @@ if (validationResult) {
 
 ## Automatic services detection
 
-cdxgen can automatically detect names of services from YAML manifests such as docker-compose or Kubernetes or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
+cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
 
 ## Conversion to SPDX format
 
@@ -471,7 +466,7 @@ Minimal example:
 import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
 ```
 
-See the [Deno Readme](./contrib/deno/README.md) for detailed instruction.
+See the [Deno Readme](./contrib/deno/README.md) for detailed instructions.
 
 ```javascript
 import { createBom, submitBom } from "@cyclonedx/cdxgen";
@@ -487,7 +482,7 @@ Refer to the [permissions document](./docs/PERMISSIONS.md)
 
 ## Contributing
 
-Follow the usual PR process but prior to raising a PR run the following commands.
+Follow the usual PR process, but before raising a PR, run the following commands.
 
 ```bash
 npm run lint
@@ -497,4 +492,4 @@ npm test
 
 ## Enterprise support
 
-Enterprise support including custom development and integration services are available via [AppThreat Ltd](https://www.appthreat.com). Free community support is also available via [discord](https://discord.gg/tmmtjCEHNV).
+Enterprise support, including custom development and integration services, is available via [AppThreat Ltd](https://www.appthreat.com). Free community support is also available via [Discord](https://discord.gg/tmmtjCEHNV).

package/binary.js

@@ -3,7 +3,7 @@ import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { join, dirname, basename } from "node:path";
 import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
-import { DEBUG_MODE } from "./utils.js";
+import { DEBUG_MODE, findLicenseId } from "./utils.js";
 
 import { fileURLToPath } from "node:url";
 
@@ -509,7 +509,34 @@ export const getOSPackages = (src) => {
               Array.isArray(comp.licenses) &&
               comp.licenses.length
             ) {
-              comp.licenses = [comp.licenses[0]];
+              const newLicenses = [];
+              for (const alic of comp.licenses) {
+                if (alic.license.name) {
+                  // Licenses array can either be made of expressions or id/name but not both
+                  if (
+                    comp.licenses.length == 1 &&
+                    (alic.license.name.toUpperCase().includes(" AND ") ||
+                      alic.license.name.toUpperCase().includes(" OR "))
+                  ) {
+                    newLicenses.push({ expression: alic.license.name });
+                  } else {
+                    const possibleId = findLicenseId(alic.license.name);
+                    if (possibleId !== alic.license.name) {
+                      newLicenses.push({ license: { id: possibleId } });
+                    } else {
+                      newLicenses.push({
+                        license: { name: alic.license.name }
+                      });
+                    }
+                  }
+                } else if (
+                  Object.keys(alic).length &&
+                  Object.keys(alic.license).length
+                ) {
+                  newLicenses.push(alic);
+                }
+              }
+              comp.licenses = newLicenses;
             }
             // Fix hashes
             if (

package/data/lic-mapping.json

@@ -58,6 +58,18 @@
       "BSD (3-clause)"
     ]
   },
+  {
+    "exp": "BSD-4-Clause",
+    "names": [
+      "BSD 4 Clause",
+      "BSD 4-Clause",
+      "BSD-4-Clause",
+      "BSD 4-Clause License",
+      "The BSD 4-Clause License",
+      "BSD 4-Clause \"New\" or \"Revised\" License (BSD-4-Clause)",
+      "BSD (4-clause)"
+    ]
+  },
   {
     "exp": "CDDL-1.0",
     "names": [
@@ -177,6 +189,8 @@
   {
     "exp": "GPL-2.0-only",
     "names": [
+      "GPLv2",
+      "GPL-2.0",
       "GNU General Public License (GPL) version 2",
       "GNU General Public License (GPL) version 2.0",
       "GNU General Public License v2",
@@ -216,12 +230,14 @@
       "GNU General Public License v3",
       "GNU General Public License v3.0",
       "GNU General Public License as published by the Free Software Foundation, version 3.",
-      "GPL-3"
+      "GPL-3",
+      "GPL-3.0"
     ]
   },
   {
     "exp": "GPL-3.0-or-later",
     "names": [
+      "GPLv3+",
       "GNU General Public License (GPL) version 3, or any later version",
       "GNU General Public License (GPL) version 3.0, or any later version",
       "GNU General Public License v3 or later",

package/index.js

@@ -655,8 +655,8 @@ function addComponent(
   }
   if (!isRootPkg) {
     const pkgIdentifier = parsePackageJsonName(pkg.name);
-    const author = pkg.author || "";
-    const publisher = pkg.publisher || "";
+    const author = pkg.author || undefined;
+    const publisher = pkg.publisher || undefined;
     let group = pkg.group || pkgIdentifier.scope;
     // Create empty group
     group = group || "";
@@ -684,7 +684,7 @@ function addComponent(
     purlString = decodeURIComponent(purlString);
     let description = { "#cdata": pkg.description };
     if (format === "json") {
-      description = pkg.description || "";
+      description = pkg.description || undefined;
     }
     let compScope = pkg.scope;
     if (allImports) {
@@ -1267,7 +1267,7 @@ export const createJavaBom = async (path, options) => {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
+                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
               );
             }
             console.log(
@@ -2985,7 +2985,13 @@ export const createCppBom = (path, options) => {
       }
     }
   }
-  if (!["docker", "oci", "os"].includes(options.projectType)) {
+  // The need for java >= 17 with atom is causing confusions since there could be C projects
+  // inside of other project types. So we currently limit this analyis only when -t argument
+  // is used.
+  if (
+    !["docker", "oci", "os"].includes(options.projectType) &&
+    (!options.createMultiXBom || options.deep)
+  ) {
     let osPkgsList = [];
     // Case 1: Development libraries installed in this OS environment might be used for build
     // We collect OS packages with the word dev in the name using osquery here
@@ -3012,10 +3018,12 @@ export const createCppBom = (path, options) => {
       pkgList = pkgList.concat(dlist);
     }
   }
-  if (!parentComponent) {
-    parentComponent = createDefaultParentComponent(path, "conan", options);
+  if (!options.createMultiXBom) {
+    if (!parentComponent) {
+      parentComponent = createDefaultParentComponent(path, "conan", options);
+    }
+    options.parentComponent = parentComponent;
   }
-  options.parentComponent = parentComponent;
   return buildBomNSData(options, pkgList, "conan", {
     src: path,
     parentComponent
@@ -4170,6 +4178,7 @@ export const createMultiXBom = async (pathList, options) => {
   let bomData = undefined;
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
+  options.createMultiXBom = true;
   if (
     ["docker", "oci", "container"].includes(options.projectType) &&
     options.allLayersExplodedDir

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.8.0",
+  "version": "9.8.1",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -1745,7 +1745,10 @@ export const parseGradleProjects = function (rawOutput) {
           // Include all projects including test projects
           if (projName.startsWith(":")) {
             // Handle the case where the project name could have a space. Eg: +--- project :app (*)
-            projects.add(projName.split(" ")[0]);
+            const tmpName = projName.split(" ")[0];
+            if (tmpName.length > 1) {
+              projects.add(tmpName);
+            }
           }
         }
       } else if (l.includes("--- project ")) {
@@ -1753,7 +1756,10 @@ export const parseGradleProjects = function (rawOutput) {
         if (tmpB && tmpB.length > 1) {
           const projName = tmpB[1];
           if (projName.startsWith(":")) {
-            projects.add(projName.split(" ")[0]);
+            const tmpName = projName.split(" ")[0];
+            if (tmpName.length > 1) {
+              projects.add(tmpName);
+            }
           }
         }
       }
@@ -1864,7 +1870,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
       } else {
         console.error(result.stdout, result.stderr);
         console.log(
-          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 20 with gradle 8 which might be incompatible."
+          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible."
         );
       }
       if (result.stderr.includes("not get unknown property")) {
@@ -2057,7 +2063,7 @@ export const parseKVDep = function (rawOutput) {
  */
 export const findLicenseId = function (name) {
   for (const l of licenseMapping) {
-    if (l.names.includes(name)) {
+    if (l.names.includes(name) || l.exp.toUpperCase() === name.toUpperCase()) {
       return l.exp;
     }
   }
@@ -3948,7 +3954,6 @@ export const parseOpenapiSpecData = function (oaData) {
       oaData = JSON.parse(oaData);
     }
   } catch (e) {
-    console.error(e);
     return servlist;
   }
   const name = oaData.info.title.replace(/ /g, "-");
@@ -6010,7 +6015,9 @@ export const getGradleCommand = (srcPath, rootPath) => {
  */
 export const getMavenCommand = (srcPath, rootPath) => {
   let mavenCmd = "mvn";
-
+  // Check if the wrapper script is both available and functional
+  let isWrapperReady = false;
+  let isWrapperFound = false;
   let findMavenFile = "mvnw";
   if (platform() == "win32") {
     findMavenFile = "mvnw.bat";
@@ -6031,6 +6038,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
       // continue regardless of error
     }
     mavenCmd = resolve(join(srcPath, findMavenFile));
+    isWrapperFound = true;
   } else if (rootPath && existsSync(join(rootPath, findMavenFile))) {
     // Check if the root directory has a wrapper script
     try {
@@ -6039,10 +6047,35 @@ export const getMavenCommand = (srcPath, rootPath) => {
       // continue regardless of error
     }
     mavenCmd = resolve(join(rootPath, findMavenFile));
-  } else if (process.env.MVN_CMD || process.env.MAVEN_CMD) {
-    mavenCmd = process.env.MVN_CMD || process.env.MAVEN_CMD;
-  } else if (process.env.MAVEN_HOME) {
-    mavenCmd = join(process.env.MAVEN_HOME, "bin", "mvn");
+    isWrapperFound = true;
+  }
+  if (isWrapperFound) {
+    if (DEBUG_MODE) {
+      console.log(
+        "Testing the wrapper script by invoking wrapper:wrapper task"
+      );
+    }
+    const result = spawnSync(mavenCmd, ["wrapper:wrapper"], {
+      encoding: "utf-8",
+      cwd: rootPath,
+      timeout: TIMEOUT_MS
+    });
+    if (!result.error) {
+      isWrapperReady = true;
+    } else {
+      if (DEBUG_MODE) {
+        console.log(
+          "Maven wrapper script test has failed. Will use the installed version of maven."
+        );
+      }
+    }
+  }
+  if (!isWrapperFound || !isWrapperReady) {
+    if (process.env.MVN_CMD || process.env.MAVEN_CMD) {
+      mavenCmd = process.env.MVN_CMD || process.env.MAVEN_CMD;
+    } else if (process.env.MAVEN_HOME) {
+      mavenCmd = join(process.env.MAVEN_HOME, "bin", "mvn");
+    }
   }
   return mavenCmd;
 };

package/utils.test.js

@@ -346,6 +346,12 @@ test("parse gradle dependencies", () => {
   );
   expect(parsedList.pkgList.length).toEqual(6);
   expect(parsedList.dependenciesList.length).toEqual(7);
+  parsedList = parseGradleDep(
+    readFileSync("./test/data/gradle-dependencies-559.txt", {
+      encoding: "utf-8"
+    })
+  );
+  expect(parsedList.pkgList.length).toEqual(372);
 });
 
 test("parse gradle projects", () => {
@@ -493,6 +499,13 @@ test("parse gradle properties", () => {
   );
   expect(retMap.rootProject).toEqual("root");
   expect(retMap.projects).toEqual([]);
+  retMap = parseGradleProperties(
+    readFileSync("./test/data/gradle-properties-559.txt", {
+      encoding: "utf-8"
+    })
+  );
+  expect(retMap.rootProject).toEqual("failing-project");
+  expect(retMap.projects).toEqual([]);
 });
 
 test("parse maven tree", () => {