npm - @cyclonedx/cdxgen - Versions diffs - 9.8.1 → 9.8.3 - Mend

@cyclonedx/cdxgen 9.8.1 → 9.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -11,6 +11,7 @@ NOTE:
 CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 ## Why cdxgen?
 A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
 <img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
@@ -69,6 +70,7 @@ Footnotes:
 <img src="./docs/cdxgen-tree.jpg" alt="cdxgen tree" width="256">
 ### Automatic usage detection
 For node.js projects, lock files are parsed initially, so the SBoM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBoM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
 This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.

package/index.js CHANGED Viewed

@@ -332,6 +332,17 @@ const componentToSimpleFullName = (comp) => {
   return fullName;
 };
+// Remove unwanted properties from parent component
+const cleanParentComponent = (comp) => {
+  delete comp.evidence;
+  delete comp._integrity;
+  delete comp.license;
+  delete comp.qualifiers;
+  delete comp.repository;
+  delete comp.homepage;
+  return comp;
+};
 /**
  * Function to create metadata block
  *
@@ -358,10 +369,7 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
   }
   if (parentComponent && Object.keys(parentComponent).length) {
     if (parentComponent) {
-      delete parentComponent.evidence;
-      delete parentComponent._integrity;
-      delete parentComponent.license;
-      delete parentComponent.qualifiers;
+      cleanParentComponent(parentComponent);
       if (!parentComponent["purl"] && parentComponent["bom-ref"]) {
         parentComponent["purl"] = parentComponent["bom-ref"];
       }
@@ -371,10 +379,7 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
       const subComponents = [];
       const addedSubComponents = {};
       for (const comp of parentComponent.components) {
-        delete comp.evidence;
-        delete comp._integrity;
-        delete comp.license;
-        delete comp.qualifiers;
+        cleanParentComponent(comp);
         if (comp.name && comp.type) {
           let fullName = componentToSimpleFullName(comp);
           // Fixes #479
@@ -1267,7 +1272,7 @@ export const createJavaBom = async (path, options) => {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
+                "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
               );
             }
             console.log(
@@ -1948,7 +1953,7 @@ export const createNodejsBom = async (path, options) => {
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
       if (existsSync(packageJsonF)) {
-        const pcs = await parsePkgJson(packageJsonF);
+        const pcs = await parsePkgJson(packageJsonF, true);
         if (pcs.length) {
           parentComponent = pcs[0];
           parentComponent.type = "application";
@@ -2096,7 +2101,7 @@ export const createNodejsBom = async (path, options) => {
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
       if (existsSync(packageJsonF)) {
-        const pcs = await parsePkgJson(packageJsonF);
+        const pcs = await parsePkgJson(packageJsonF, true);
         if (pcs.length) {
           const tmpParentComponent = pcs[0];
           tmpParentComponent.type = "application";
@@ -2195,7 +2200,7 @@ export const createNodejsBom = async (path, options) => {
     }
     if (!parentComponent || !Object.keys(parentComponent).length) {
       if (existsSync(join(path, "package.json"))) {
-        const pcs = await parsePkgJson(join(path, "package.json"));
+        const pcs = await parsePkgJson(join(path, "package.json"), true);
         if (pcs.length) {
           parentComponent = pcs[0];
           parentComponent.type = "application";
@@ -2659,7 +2664,12 @@ export const createGoBom = async (path, options) => {
         );
         if (result.status !== 0 || result.error) {
           shouldManuallyParse = true;
-          console.error(result.stdout, result.stderr);
+          if (result.stdout) {
+            console.log(result.stdout);
+          }
+          if (result.stderr) {
+            console.log(result.stderr);
+          }
           options.failOnError && process.exit(1);
         }
         const stdout = result.stdout;
@@ -2702,7 +2712,12 @@ export const createGoBom = async (path, options) => {
         );
         if (mresult.status !== 0 || mresult.error) {
           if (DEBUG_MODE) {
-            console.log(mresult.stdout, mresult.stderr);
+            if (mresult.stdout) {
+              console.log(mresult.stdout);
+            }
+            if (mresult.stderr) {
+              console.log(mresult.stderr);
+            }
           }
           circuitBreak = true;
         } else {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.8.1",
+  "version": "9.8.3",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -81,7 +81,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.2.0",
+    "@appthreat/atom": "^1.2.1",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",

package/utils.js CHANGED Viewed

@@ -50,6 +50,7 @@ if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
 const dirNameStr = import.meta ? dirname(fileURLToPath(url)) : __dirname;
+const isWin = platform() === "win32";
 const licenseMapping = JSON.parse(
   readFileSync(join(dirNameStr, "data", "lic-mapping.json"))
@@ -345,8 +346,9 @@ export const getNpmMetadata = async function (pkgList) {
  * Parse nodejs package json file
  *
  * @param {string} pkgJsonFile package.json file
+ * @param {boolean} simple Return a simpler representation of the component by skipping extended attributes and license fetch.
  */
-export const parsePkgJson = async (pkgJsonFile) => {
+export const parsePkgJson = async (pkgJsonFile, simple = false) => {
   const pkgList = [];
   if (existsSync(pkgJsonFile)) {
     try {
@@ -362,18 +364,20 @@ export const parsePkgJson = async (pkgJsonFile) => {
         null,
         null
       ).toString();
-      pkgList.push({
+      const apkg = {
         name,
         group,
         version: pkgData.version,
-        "bom-ref": decodeURIComponent(purl),
-        properties: [
+        "bom-ref": decodeURIComponent(purl)
+      };
+      if (!simple) {
+        apkg.properties = [
           {
             name: "SrcFile",
             value: pkgJsonFile
           }
-        ],
-        evidence: {
+        ];
+        apkg.evidence = {
           identity: {
             field: "purl",
             confidence: 1,
@@ -385,13 +389,14 @@ export const parsePkgJson = async (pkgJsonFile) => {
               }
             ]
           }
-        }
-      });
+        };
+      }
+      pkgList.push(apkg);
     } catch (err) {
       // continue regardless of error
     }
   }
-  if (FETCH_LICENSE && pkgList && pkgList.length) {
+  if (!simple && FETCH_LICENSE && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parsePkgJson`
@@ -509,6 +514,11 @@ export const parsePkgLock = async (pkgLockFile, options = {}) => {
         "bom-ref": purlString
       };
     }
+    const packageLicense = node.package.license;
+    if (packageLicense) {
+      // License will be overridden if FETCH_LICENSE is enabled
+      pkg.license = packageLicense;
+    }
     pkgList.push(pkg);
     // retrieve workspace node pkglists
@@ -1861,7 +1871,8 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
   );
   const result = spawnSync(gradleCmd, gradlePropertiesArgs, {
     cwd: dir,
-    encoding: "utf-8"
+    encoding: "utf-8",
+    shell: isWin
   });
   if (result.status !== 0 || result.error) {
     if (result.stderr) {
@@ -1870,7 +1881,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
       } else {
         console.error(result.stdout, result.stderr);
         console.log(
-          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible."
+          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 20 with gradle 8 which might be incompatible."
         );
       }
       if (result.stderr.includes("not get unknown property")) {
@@ -2892,11 +2903,20 @@ export const getGoPkgLicense = async function (repoMetadata) {
       const licenseIds = licenses.split(", ");
       const licList = [];
       for (const id of licenseIds) {
-        const alicense = {
-          id: id
-        };
-        alicense["url"] = pkgUrlPrefix;
-        licList.push(alicense);
+        if (id.trim().length) {
+          const alicense = {};
+          if (id.includes(" ")) {
+            alicense.name = id
+              .trim()
+              .replace(/ {2}/g, "")
+              .replace("\n", " ")
+              .replace("\n", " OR ");
+          } else {
+            alicense.id = id.trim();
+          }
+          alicense["url"] = pkgUrlPrefix;
+          licList.push(alicense);
+        }
       }
       metadata_cache[pkgUrlPrefix] = licList;
       return licList;
@@ -5316,7 +5336,8 @@ export const collectMvnDependencies = function (
     );
     const result = spawnSync(mavenCmd, copyArgs, {
       cwd: basePath,
-      encoding: "utf-8"
+      encoding: "utf-8",
+      shell: isWin
     });
     if (result.status !== 0 || result.error) {
       console.error(result.stdout, result.stderr);
@@ -5395,10 +5416,24 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
   console.log(
     `About to identify class names for all jars in the path ${jarPath}`
   );
+  const env = {
+    ...process.env
+  };
+  // jar command usually would not be available in the PATH for windows
+  if (isWin && env.JAVA_HOME) {
+    env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
+      env.JAVA_HOME,
+      "bin"
+    )}`;
+  }
+  let jarCommandAvailable = true;
   // Execute jar tvf to get class names
   const jarFiles = getAllFiles(jarPath, "**/*.jar");
   if (jarFiles && jarFiles.length) {
     for (const jf of jarFiles) {
+      if (!jarCommandAvailable) {
+        break;
+      }
       const jarname = jf;
       let pomname =
         pomPathMap[basename(jf).replace(".jar", ".pom")] ||
@@ -5500,18 +5535,42 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
       if (DEBUG_MODE) {
         console.log(`Executing 'jar tf ${jf}'`);
       }
-      const jarResult = spawnSync("jar", ["-tf", jf], { encoding: "utf-8" });
+      const jarResult = spawnSync("jar", ["-tf", jf], {
+        encoding: "utf-8",
+        shell: isWin,
+        maxBuffer: 50 * 1024 * 1024,
+        env
+      });
+      if (
+        jarResult &&
+        jarResult.stderr &&
+        jarResult.stderr.includes(
+          "is not recognized as an internal or external command"
+        )
+      ) {
+        jarCommandAvailable = false;
+        console.log(
+          "jar command is not available in PATH. Ensure JDK >= 17 is installed and set the environment variables JAVA_HOME and PATH to the bin directory inside JAVA_HOME."
+        );
+      }
       const consolelines = (jarResult.stdout || "").split("\n");
       const nsList = consolelines
         .filter((l) => {
           return (
-            l.includes(".class") &&
+            (l.includes(".class") ||
+              l.includes(".java") ||
+              l.includes(".kt")) &&
             !l.includes("-INF") &&
             !l.includes("module-info")
           );
         })
         .map((e) => {
-          return e.replace(".class", "").replace(/\/$/, "").replace(/\//g, ".");
+          return e
+            .replace("\r", "")
+            .replace(/.(class|java|kt)/, "")
+            .replace(/\/$/, "")
+            .replace(/\//g, ".");
         });
       jarNSMapping[purl || jf] = {
         jarFile: jf,
@@ -5678,10 +5737,22 @@ export const extractJarArchive = function (jarFile, tempDir) {
     // Only copy if the file doesn't exist
     copyFileSync(jarFile, join(tempDir, fname), constants.COPYFILE_FICLONE);
   }
+  const env = {
+    ...process.env
+  };
+  // jar command usually would not be available in the PATH for windows
+  if (isWin && env.JAVA_HOME) {
+    env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
+      env.JAVA_HOME,
+      "bin"
+    )}`;
+  }
   if (jarFile.endsWith(".war") || jarFile.endsWith(".hpi")) {
     const jarResult = spawnSync("jar", ["-xf", join(tempDir, fname)], {
       encoding: "utf-8",
-      cwd: tempDir
+      cwd: tempDir,
+      shell: isWin,
+      env
     });
     if (jarResult.status !== 0) {
       console.error(jarResult.stdout, jarResult.stderr);
@@ -5718,7 +5789,9 @@ export const extractJarArchive = function (jarFile, tempDir) {
       } else {
         jarResult = spawnSync("jar", ["-xf", jf], {
           encoding: "utf-8",
-          cwd: tempDir
+          cwd: tempDir,
+          shell: isWin,
+          env
         });
       }
       if (jarResult.status !== 0) {
@@ -6058,7 +6131,8 @@ export const getMavenCommand = (srcPath, rootPath) => {
     const result = spawnSync(mavenCmd, ["wrapper:wrapper"], {
       encoding: "utf-8",
       cwd: rootPath,
-      timeout: TIMEOUT_MS
+      timeout: TIMEOUT_MS,
+      shell: isWin
     });
     if (!result.error) {
       isWrapperReady = true;
@@ -6121,16 +6195,26 @@ export const executeAtom = (src, args) => {
   const env = {
     ...process.env
   };
-  env.PATH = `${env.PATH}${_delimiter}${join(
-    dirNameStr,
-    "node_modules",
-    ".bin"
-  )}`;
+  if (isWin) {
+    env.PATH = `${env.PATH || env.Path}${_delimiter}${join(
+      dirNameStr,
+      "node_modules",
+      ".bin"
+    )}`;
+  } else {
+    env.PATH = `${env.PATH}${_delimiter}${join(
+      dirNameStr,
+      "node_modules",
+      ".bin"
+    )}`;
+  }
   const result = spawnSync(ATOM_BIN, args, {
     cwd,
     encoding: "utf-8",
     timeout: TIMEOUT_MS,
-    detached: true,
+    detached: !isWin && !process.env.CI,
+    shell: isWin,
     env
   });
   if (result.stderr) {
@@ -6288,7 +6372,8 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
     !reqOrSetupFile.endsWith("poetry.lock")
   ) {
     result = spawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
-      encoding: "utf-8"
+      encoding: "utf-8",
+      shell: isWin
     });
     if (result.status !== 0 || result.error) {
       if (DEBUG_MODE) {
@@ -6329,14 +6414,16 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
       result = spawnSync("poetry", poetryConfigArgs, {
         cwd: basePath,
         encoding: "utf-8",
-        timeout: TIMEOUT_MS
+        timeout: TIMEOUT_MS,
+        shell: isWin
       });
       let poetryInstallArgs = ["install", "-n", "--no-root"];
       // Attempt to perform poetry install
       result = spawnSync("poetry", poetryInstallArgs, {
         cwd: basePath,
         encoding: "utf-8",
-        timeout: TIMEOUT_MS
+        timeout: TIMEOUT_MS,
+        shell: isWin
       });
       if (result.status !== 0 || result.error) {
         if (result.stderr && result.stderr.includes("No module named poetry")) {
@@ -6346,6 +6433,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
             cwd: basePath,
             encoding: "utf-8",
             timeout: TIMEOUT_MS,
+            shell: isWin,
             env
           });
           if (result.status !== 0 || result.error) {
@@ -6374,6 +6462,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
           cwd: basePath,
           encoding: "utf-8",
           timeout: TIMEOUT_MS,
+          shell: isWin,
           env
         });
         tempVenvDir = result.stdout.replaceAll(/[\r\n]+/g, "");
@@ -6407,6 +6496,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
         cwd: basePath,
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
+        shell: isWin,
         env
       });
       if (result.status !== 0 || result.error) {

package/utils.test.js CHANGED Viewed

@@ -1143,7 +1143,7 @@ test("parse github actions workflow data", async () => {
   dep_list = parseGitHubWorkflowData(
     readFileSync("./.github/workflows/repotests.yml", { encoding: "utf-8" })
   );
-  expect(dep_list.length).toEqual(5);
+  expect(dep_list.length).toEqual(6);
   expect(dep_list[0]).toEqual({
     group: "actions",
     name: "checkout",
@@ -1533,11 +1533,13 @@ test("parsePkgLock v2", async () => {
   expect(deps[1]._integrity).toEqual(
     "sha512-x9yaMvEh5BEaZKeVQC4vp3l+QoFj3BXcd4aYfuKSzIIyihjdVARAadYy3SMNIz0WCCdS2vB9JL/U6GQk5PaxQw=="
   );
+  expect(deps[1].license).toEqual("Apache-2.0");
   expect(deps[0]).toEqual({
     "bom-ref": "pkg:npm/shopify-theme-tailwindcss@2.2.1",
     author: "Wessel van Ree <hello@wesselvanree.com>",
     group: "",
     name: "shopify-theme-tailwindcss",
+    license: "MIT",
     type: "application",
     version: "2.2.1"
   });
@@ -1568,6 +1570,7 @@ test("parsePkgLock v2 workspace", async () => {
   let pkgs = parsedList.pkgList;
   let deps = parsedList.dependenciesList;
   expect(pkgs.length).toEqual(1032);
+  expect(pkgs[0].license).toEqual("MIT");
   let hasAppWorkspacePkg = pkgs.some(
     (obj) => obj["bom-ref"] === "pkg:npm/app@0.0.0"
   );
@@ -1605,6 +1608,7 @@ test("parsePkgLock v3", async () => {
     "bom-ref": "pkg:npm/cdxgen@latest",
     group: "",
     author: "",
+    license: "ISC",
     name: "cdxgen",
     type: "application",
     version: "latest"