@cyclonedx/cdxgen 9.8.4 → 9.8.6

package/README.md

@@ -2,9 +2,9 @@
 
 ![cdxgen logo](cdxgen.png)
 
-cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
+cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill of Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
-When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBoM for some languages.
+When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
 
 NOTE:
 
@@ -12,7 +12,7 @@ CycloneDX 1.5 specification is new and unsupported by many downstream tools. Use
 
 ## Why cdxgen?
 
-A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBoM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBoM generator!
+A typical application might have several repos, components, and libraries. Traditional techniques to generate a single SBOM per language or package manifest do not work in enterprise environments. So we built cdxgen - the universal polyglot SBOM generator!
 
 <img src="./docs/why-cdxgen.jpg" alt="why cdxgen" width="256">
 
@@ -71,11 +71,11 @@ Footnotes:
 
 ### Automatic usage detection
 
-For node.js projects, lock files are parsed initially, so the SBoM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBoM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
+For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
 
 This attribute can be later used for various purposes. For example, [dep-scan](https://github.com/cyclonedx/dep-scan) uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
 
-By passing the argument `--required-only`, you can limit the SBoM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+By passing the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
 
 For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
 
@@ -132,7 +132,7 @@ $ cdxgen -h
   -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
                                 true. Pass --no-recurse to disable.
                                                        [boolean] [default: true]
-  -p, --print                  Print the SBoM as a table with tree.    [boolean]
+  -p, --print                  Print the SBOM as a table with tree.    [boolean]
   -c, --resolve-class          Resolve class names for packages. jars only for n
                                ow.                                     [boolean]
       --deep                   Perform deep searches for components. Useful whil
@@ -149,12 +149,12 @@ $ cdxgen -h
                                d or the project name and version together
       --parent-project-id      Dependency track parent project id
       --required-only          Include only the packages with required scope on
-                               the SBoM.                               [boolean]
+                               the SBOM.                               [boolean]
       --fail-on-error          Fail if any dependency extractor fails. [boolean]
       --no-babel               Do not use babel to perform usage analysis for Ja
                                vaScript/TypeScript projects.           [boolean]
       --generate-key-and-sign  Generate an RSA public/private key pair and then
-                               sign the generated SBoM using JSON Web Signatures
+                               sign the generated SBOM using JSON Web Signatures
                                .                                       [boolean]
       --server                 Run cdxgen as a server                  [boolean]
       --server-host            Listen address             [default: "127.0.0.1"]
@@ -163,7 +163,7 @@ $ cdxgen -h
                                cts. Defaults to true but disabled for containers
                                 and oci scans. Use --no-install-deps to disable
                                this feature.           [boolean] [default: true]
-      --validate               Validate the generated SBoM using json schema. De
+      --validate               Validate the generated SBOM using json schema. De
                                faults to true. Pass --no-validate to disable.
                                                        [boolean] [default: true]
       --usages-slices-file     Path for the usages slice file created by atom.
@@ -191,7 +191,7 @@ For a java project. cdxgen would automatically detect maven, gradle, or sbt and
 cdxgen -t java -o bom.json
 ```
 
-To print the SBoM as a table pass `-p` argument.
+To print the SBOM as a table pass `-p` argument.
 
 ```shell
 cdxgen -t java -o bom.json -p
@@ -203,13 +203,13 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
-To generate SBoM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument.
+To generate SBOM for an older specification version, such as 1.4, pass the version number using the `--spec-version` argument.
 
 ```shell
 cdxgen -r -o bom.json --spec-version 1.4
 ```
 
-To generate SBoM for C or Python, ensure Java >= 17 is installed.
+To generate SBOM for C or Python, ensure Java >= 17 is installed.
 
 ```shell
 # Install java >= 17
@@ -218,11 +218,11 @@ cdxgen -t c -o bom.json
 
 NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
 
-## Universal SBoM
+## Universal SBOM
 
-By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBoM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.
+By passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBOM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.
 
-## SBoM server
+## SBOM server
 
 Invoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.
 
@@ -246,7 +246,7 @@ Arguments can be passed either via the query string or as a JSON body. The follo
 | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
 | type           | Project type                                                                                                                                |
 | multiProject   | [boolean]                                                                                                                                   |
-| requiredOnly   | Include only the packages with required scope on the SBoM. [boolean]                                                                        |
+| requiredOnly   | Include only the packages with required scope on the SBOM. [boolean]                                                                        |
 | noBabel        | Do not use babel to perform usage analysis for JavaScript/TypeScript projects. [boolean]                                                    |
 | installDeps    | Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. [boolean] [default: true] |
 | project        |                                                                                                                                             |
@@ -349,7 +349,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | LEIN_CMD                     | Set to override the leiningen command                                                                                                |
 | SBOM_SIGN_ALGORITHM          | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc                                       |
 | SBOM_SIGN_PRIVATE_KEY        | Private key to use for signing                                                                                                       |
-| SBOM_SIGN_PUBLIC_KEY         | Optional. Public key to include in the SBoM signature                                                                                |
+| SBOM_SIGN_PUBLIC_KEY         | Optional. Public key to include in the SBOM signature                                                                                |
 | CDX_MAVEN_PLUGIN             | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.8"                                                  |
 | CDX_MAVEN_GOAL               | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom                                 |
 | CDX_MAVEN_INCLUDE_TEST_SCOPE | Whether test scoped dependencies should be included from Maven projects, Default: true                                               |
@@ -358,7 +358,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 
 ## Plugins
 
-cdxgen could be extended with external binary plugins to support more SBoM use cases. These are now installed as an optional dependency.
+cdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.
 
 ```shell
 sudo npm install -g @cyclonedx/cdxgen-plugins-bin
@@ -409,9 +409,9 @@ obom
 # cdxgen -t os
 ```
 
-This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
+This feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.
 
-## Generating SaaSBoM and component evidences
+## Generating SaaSBOM and component evidences
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
@@ -425,7 +425,7 @@ cdxgen can sign the generated BoM json file to increase authenticity and non-rep
 
 To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io](https://jwt.io) is a known site that could be used for such signature validation.
 
-![SBoM signing](sbom-sign.jpg)
+![SBOM signing](sbom-sign.jpg)
 
 ### Verifying the signature
 
@@ -444,7 +444,7 @@ There are many [libraries](https://jwt.io/#libraries-io) available to validate J
 # npm install jws
 const jws = require("jws");
 const fs = require("fs");
-// Location of the SBoM json file
+// Location of the SBOM json file
 const bomJsonFile = "bom.json";
 // Location of the public key
 const publicKeyFile = "public.key";
@@ -455,13 +455,13 @@ const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, f
 if (validationResult) {
   console.log("Signature is valid!");
 } else {
-  console.log("SBoM signature is invalid :(");
+  console.log("SBOM signature is invalid :(");
 }
 ```
 
 ## Automatic services detection
 
-cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBoM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
+cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBOM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.
 
 ## Conversion to SPDX format
 

package/bin/cdxgen.js

@@ -41,7 +41,7 @@ const args = yargs(hideBin(process.argv))
   .option("print", {
     alias: "p",
     type: "boolean",
-    description: "Print the SBoM as a table with tree."
+    description: "Print the SBOM as a table with tree."
   })
   .option("resolve-class", {
     alias: "c",
@@ -78,7 +78,7 @@ const args = yargs(hideBin(process.argv))
   })
   .option("required-only", {
     type: "boolean",
-    description: "Include only the packages with required scope on the SBoM."
+    description: "Include only the packages with required scope on the SBOM."
   })
   .option("fail-on-error", {
     type: "boolean",
@@ -92,7 +92,7 @@ const args = yargs(hideBin(process.argv))
   .option("generate-key-and-sign", {
     type: "boolean",
     description:
-      "Generate an RSA public/private key pair and then sign the generated SBoM using JSON Web Signatures."
+      "Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web Signatures."
   })
   .option("server", {
     type: "boolean",
@@ -116,12 +116,12 @@ const args = yargs(hideBin(process.argv))
     type: "boolean",
     default: true,
     description:
-      "Validate the generated SBoM using json schema. Defaults to true. Pass --no-validate to disable."
+      "Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to disable."
   })
   .option("evidence", {
     type: "boolean",
     default: false,
-    description: "Generate SBoM with evidence for supported languages. WIP"
+    description: "Generate SBOM with evidence for supported languages. WIP"
   })
   .option("usages-slices-file", {
     description: "Path for the usages slice file created by atom."
@@ -241,7 +241,7 @@ const checkPermissions = (filePath) => {
  * Method to start the bom creation process
  */
 (async () => {
-  // Start SBoM server
+  // Start SBOM server
   if (args.server) {
     return await _serverStart(options);
   }
@@ -384,12 +384,12 @@ const checkPermissions = (filePath) => {
                 );
                 if (signatureVerification) {
                   console.log(
-                    "SBoM signature is verifiable with the public key and the algorithm",
+                    "SBOM signature is verifiable with the public key and the algorithm",
                     publicKeyFile,
                     alg
                   );
                 } else {
-                  console.log("SBoM signature verification was unsuccessful");
+                  console.log("SBOM signature verification was unsuccessful");
                   console.log(
                     "Check if the public key was exported in PEM format"
                   );
@@ -397,7 +397,7 @@ const checkPermissions = (filePath) => {
               }
             }
           } catch (ex) {
-            console.log("SBoM signing was unsuccessful", ex);
+            console.log("SBOM signing was unsuccessful", ex);
             console.log("Check if the private key was exported in PEM format");
           }
         }

package/bin/evinse.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-// Evinse (Evinse Verification Is Nearly SBoM Evidence)
+// Evinse (Evinse Verification Is Nearly SBOM Evidence)
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { join } from "node:path";
@@ -30,7 +30,7 @@ if (!process.env.ATOM_DB && !fs.existsSync(ATOM_DB)) {
 const args = yargs(hideBin(process.argv))
   .option("input", {
     alias: "i",
-    description: "Input SBoM file. Default bom.json",
+    description: "Input SBOM file. Default bom.json",
     default: "bom.json"
   })
   .option("output", {
@@ -108,9 +108,9 @@ console.log(evinseArt);
   if (dbObjMap) {
     // Analyze the project using atom. Convert package namespaces to purl using the db
     const sliceArtefacts = await analyzeProject(dbObjMap, args);
-    // Create the SBoM with Evidence
+    // Create the SBOM with Evidence
     const bomJson = createEvinseFile(sliceArtefacts, args);
-    // Validate our final SBoM
+    // Validate our final SBOM
     if (!validateBom(bomJson)) {
       process.exit(1);
     }

package/bin/repl.js

@@ -61,10 +61,10 @@ export const importSbom = (sbomOrPath) => {
   if (sbomOrPath && sbomOrPath.endsWith(".json") && fs.existsSync(sbomOrPath)) {
     try {
       sbom = JSON.parse(fs.readFileSync(sbomOrPath, "utf-8"));
-      console.log(`✅ SBoM imported successfully from ${sbomOrPath}`);
+      console.log(`✅ SBOM imported successfully from ${sbomOrPath}`);
     } catch (e) {
       console.log(
-        `⚠ Unable to import the SBoM from ${sbomOrPath} due to ${e}`
+        `⚠ Unable to import the SBOM from ${sbomOrPath} due to ${e}`
       );
     }
   } else {
@@ -74,13 +74,13 @@ export const importSbom = (sbomOrPath) => {
 // Load any sbom passed from the command line
 if (process.argv.length > 2) {
   importSbom(process.argv[process.argv.length - 1]);
-  console.log("💭 Type .print to view the SBoM as a table");
+  console.log("💭 Type .print to view the SBOM as a table");
 } else if (fs.existsSync("bom.json")) {
   // If the current directory has a bom.json load it
   importSbom("bom.json");
 } else {
-  console.log("💭 Use .create <path> to create an SBoM for the given path.");
-  console.log("💭 Use .import <json> to import an existing SBoM.");
+  console.log("💭 Use .create <path> to create an SBOM for the given path.");
+  console.log("💭 Use .import <json> to import an existing SBOM.");
   console.log("💭 Type .exit or press ctrl+d to close.");
 }
 
@@ -98,7 +98,7 @@ if (historyFile) {
   );
 }
 cdxgenRepl.defineCommand("create", {
-  help: "create an SBoM for the given path",
+  help: "create an SBOM for the given path",
   async action(sbomOrPath) {
     this.clearBufferedCommand();
     const tempDir = fs.mkdtempSync(join(tmpdir(), "cdxgen-repl-"));
@@ -267,7 +267,7 @@ cdxgenRepl.defineCommand("validate", {
     if (sbom) {
       const result = validateBom(sbom);
       if (result) {
-        console.log("SBoM is valid!");
+        console.log("SBOM is valid!");
       }
     } else {
       console.log(
@@ -379,7 +379,7 @@ cdxgenRepl.defineCommand("callstack", {
         let components = await expression.evaluate(sbom);
         if (!components) {
           console.log(
-            "callstack evidence was not found. Use evinse command to generate an SBoM with evidence."
+            "callstack evidence was not found. Use evinse command to generate an SBOM with evidence."
           );
         } else {
           if (!Array.isArray(components)) {
@@ -392,7 +392,7 @@ cdxgenRepl.defineCommand("callstack", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+        "⚠ No SBOM is loaded. Use .import command to import an evinse SBOM"
       );
     }
     this.displayPrompt();
@@ -407,7 +407,7 @@ cdxgenRepl.defineCommand("services", {
         let services = await expression.evaluate(sbom);
         if (!services) {
           console.log(
-            "No services found. Use evinse command to generate an SBoM with evidence."
+            "No services found. Use evinse command to generate an SBOM with evidence."
           );
         } else {
           if (!Array.isArray(services)) {
@@ -420,7 +420,7 @@ cdxgenRepl.defineCommand("services", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+        "⚠ No SBOM is loaded. Use .import command to import an evinse SBOM"
       );
     }
     this.displayPrompt();

package/bin/verify.js

@@ -74,7 +74,7 @@ if (!bomSignature) {
   if (validationResult) {
     console.log("Signature is valid!");
   } else {
-    console.log("SBoM signature is invalid!");
+    console.log("SBOM signature is invalid!");
     process.exit(1);
   }
 }

package/evinser.js

@@ -31,7 +31,7 @@ export const prepareDB = async (options) => {
   const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
   if (bomJson.specVersion < 1.5) {
     console.log(
-      "Evinse requires the input SBoM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
+      "Evinse requires the input SBOM in CycloneDX 1.5 format or above. You can generate one by invoking cdxgen without any --spec-version argument."
     );
     process.exit(0);
   }
@@ -741,7 +741,7 @@ export const isSlicingRequired = (purl) => {
 };
 
 /**
- * Method to create the SBoM with evidence file called evinse file.
+ * Method to create the SBOM with evidence file called evinse file.
  *
  * @param {object} sliceArtefacts Various artefacts from the slice operation
  * @param {object} options Command line options
@@ -841,7 +841,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
     console.log(evinseOutFile, "created successfully.");
   } else {
     console.log(
-      "Unable to identify component evidence for the input SBoM. Only java, javascript and python projects are supported by evinse."
+      "Unable to identify component evidence for the input SBOM. Only java, javascript and python projects are supported by evinse."
     );
   }
   if (tempDir && tempDir.startsWith(tmpdir())) {

package/index.js

@@ -686,7 +686,6 @@ function addComponent(
         encodeForPurl(pkg.subpath)
       );
     let purlString = purl.toString();
-    purlString = decodeURIComponent(purlString);
     let description = { "#cdata": pkg.description };
     if (format === "json") {
       description = pkg.description || undefined;
@@ -1128,17 +1127,11 @@ export const createJavaBom = async (path, options) => {
         console.log(`Retrieving packages from ${path}`);
       }
       const tempDir = mkdtempSync(join(tmpdir(), "war-deps-"));
-      pkgList = extractJarArchive(path, tempDir);
+      jarNSMapping = collectJarNS(tempDir);
+      pkgList = extractJarArchive(path, tempDir, jarNSMapping);
       if (pkgList.length) {
         pkgList = await getMvnMetadata(pkgList);
       }
-      // Should we attempt to resolve class names
-      if (options.resolveClass) {
-        console.log(
-          "Creating class names list based on available jars. This might take a few mins ..."
-        );
-        jarNSMapping = collectJarNS(tempDir);
-      }
       // Clean up
       if (tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
         console.log(`Cleaning up ${tempDir}`);
@@ -1193,7 +1186,7 @@ export const createJavaBom = async (path, options) => {
         }
         const mavenCmd = getMavenCommand(basePath, path);
         // Should we attempt to resolve class names
-        if (options.resolveClass) {
+        if (options.resolveClass || options.deep) {
           console.log(
             "Creating class names list based on available jars. This might take a few mins ..."
           );
@@ -1352,7 +1345,7 @@ export const createJavaBom = async (path, options) => {
       }
       if (pkgList) {
         pkgList = trimComponents(pkgList, "json");
-        pkgList = await getMvnMetadata(pkgList);
+        pkgList = await getMvnMetadata(pkgList, jarNSMapping);
         return buildBomNSData(options, pkgList, "maven", {
           src: path,
           filename: pomFiles.join(", "),
@@ -1552,15 +1545,14 @@ export const createJavaBom = async (path, options) => {
         );
         options.failOnError && process.exit(1);
       }
-
-      pkgList = await getMvnMetadata(pkgList);
       // Should we attempt to resolve class names
-      if (options.resolveClass) {
+      if (options.resolveClass || options.deep) {
         console.log(
           "Creating class names list based on available jars. This might take a few mins ..."
         );
         jarNSMapping = collectJarNS(GRADLE_CACHE_DIR);
       }
+      pkgList = await getMvnMetadata(pkgList, jarNSMapping);
       return buildBomNSData(options, pkgList, "maven", {
         src: path,
         filename: gradleFiles.join(", "),
@@ -1655,7 +1647,8 @@ export const createJavaBom = async (path, options) => {
             console.log("Bazel unexpectedly didn't produce any output");
             options.failOnError && process.exit(1);
           }
-          pkgList = await getMvnMetadata(pkgList);
+          // FIXME: How do we retrieve jarNSMapping for bazel projects?
+          pkgList = await getMvnMetadata(pkgList, jarNSMapping);
           return buildBomNSData(options, pkgList, "maven", {
             src: path,
             filename: "BUILD",
@@ -1836,14 +1829,14 @@ export const createJavaBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Found ${pkgList.length} packages`);
       }
-      pkgList = await getMvnMetadata(pkgList);
       // Should we attempt to resolve class names
-      if (options.resolveClass) {
+      if (options.resolveClass || options.deep) {
         console.log(
           "Creating class names list based on available jars. This might take a few mins ..."
         );
         jarNSMapping = collectJarNS(SBT_CACHE_DIR);
       }
+      pkgList = await getMvnMetadata(pkgList, jarNSMapping);
       return buildBomNSData(options, pkgList, "maven", {
         src: path,
         filename: sbtProjects.join(", "),
@@ -3584,7 +3577,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
           // img could have .service, .ociSpec or .image
           if (img.ociSpec) {
             console.log(
-              `NOTE: ${img.ociSpec} needs to built using docker or podman and referred with a name to get included in this SBoM.`
+              `NOTE: ${img.ociSpec} needs to built using docker or podman and referred with a name to get included in this SBOM.`
             );
             ociSpecs.push({
               group: "",
@@ -3706,7 +3699,7 @@ export const createContainerSpecLikeBom = async (path, options) => {
   // Parse privado files
   if (privadoFiles.length) {
     console.log(
-      "Enriching your SBoM with information from privado.ai scan reports"
+      "Enriching your SBOM with information from privado.ai scan reports"
     );
     let rows = [["Classification", "Flow"]];
     const config = {
@@ -5294,12 +5287,12 @@ export async function submitBom(args, bomContents) {
         }).json();
       } catch (error) {
         console.log(
-          "Unable to submit the SBoM to the Dependency-Track server using POST method"
+          "Unable to submit the SBOM to the Dependency-Track server using POST method"
         );
         console.log(error);
       }
     } else {
-      console.log("Unable to submit the SBoM to the Dependency-Track server");
+      console.log("Unable to submit the SBOM to the Dependency-Track server");
       console.log(error);
     }
   }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.8.4",
-  "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
+  "version": "9.8.6",
+  "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
   "license": "Apache-2.0",
@@ -42,7 +42,7 @@
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
     "lint": "eslint *.js *.test.js bin/*.js",
-    "pretty": "prettier --write *.js data/*.json bin/*.js --trailing-comma=none"
+    "pretty": "prettier --write *.js data/*.json bin/*.js"
   },
   "engines": {
     "node": ">=16"
@@ -55,21 +55,21 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.16",
-    "@babel/traverse": "^7.22.19",
+    "@babel/parser": "^7.23.0",
+    "@babel/traverse": "^7.23.0",
     "@npmcli/arborist": "^7.1.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
-    "glob": "^10.3.4",
+    "glob": "^10.3.10",
     "global-agent": "^3.0.0",
     "got": "^13.0.0",
     "iconv-lite": "^0.6.3",
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
     "node-stream-zip": "^1.15.0",
-    "packageurl-js": "^1.0.2",
+    "packageurl-js": "1.0.2",
     "prettify-xml": "^1.2.0",
     "properties-reader": "^2.3.0",
     "semver": "^7.5.3",
@@ -82,7 +82,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "^1.2.1",
+    "@appthreat/atom": "^1.2.3",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -101,7 +101,9 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.49.0",
+    "eslint": "^8.50.0",
+    "eslint-config-prettier": "^9.0.0",
+    "eslint-plugin-prettier": "^5.0.0",
     "jest": "^29.7.0",
     "prettier": "3.0.3"
   }

package/server.js

@@ -55,7 +55,8 @@ const parseQueryString = (q, body, options = {}) => {
     "projectVersion",
     "parentUUID",
     "serverUrl",
-    "apiKey"
+    "apiKey",
+    "specVersion"
   ];
 
   for (const param of queryParams) {
@@ -88,6 +89,12 @@ const start = (options) => {
     .createServer(app)
     .listen(options.serverPort, options.serverHost);
   configureServer(cdxgenServer);
+
+  app.use("/health", async function (req, res) {
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({ status: "OK" }, null, 2));
+  });
+
   app.use("/sbom", async function (req, res) {
     const q = url.parse(req.url, true).query;
     let cleanup = false;
@@ -105,7 +112,7 @@ const start = (options) => {
       srcDir = gitClone(filePath);
       cleanup = true;
     }
-    console.log("Generating SBoM for", srcDir);
+    console.log("Generating SBOM for", srcDir);
     const bomNSData = (await createBom(srcDir, options)) || {};
     if (bomNSData.bomJson) {
       if (
@@ -118,7 +125,7 @@ const start = (options) => {
       }
     }
     if (options.serverUrl && options.apiKey) {
-      console.log("Publishing SBoM to Dependency Track");
+      console.log("Publishing SBOM to Dependency Track");
       submitBom(options, bomNSData.bomJson);
     }
     res.end("\n");

package/utils.js

@@ -1886,7 +1886,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
       }
       if (result.stderr.includes("not get unknown property")) {
         console.log(
-          "2. Check if the SBoM is generated for the correct root project for your application."
+          "2. Check if the SBOM is generated for the correct root project for your application."
         );
       }
     }
@@ -2104,8 +2104,9 @@ export const guessLicenseId = function (content) {
  * Method to retrieve metadata for maven packages by querying maven central
  *
  * @param {Array} pkgList Package list
+ * @param {Object} jarNSMapping Jar Namespace mapping object
  */
-export const getMvnMetadata = async function (pkgList) {
+export const getMvnMetadata = async function (pkgList, jarNSMapping = {}) {
   const MAVEN_CENTRAL_URL =
     process.env.MAVEN_CENTRAL_URL || "https://repo1.maven.org/maven2/";
   const ANDROID_MAVEN = "https://maven.google.com/";
@@ -2117,6 +2118,36 @@ export const getMvnMetadata = async function (pkgList) {
     console.log(`About to query maven for ${pkgList.length} packages`);
   }
   for (const p of pkgList) {
+    // Reuse any namespace data from jarNSMapping
+    if (jarNSMapping && p.purl && jarNSMapping[p.purl]) {
+      if (jarNSMapping[p.purl].jarFile) {
+        p.evidence = {
+          identity: {
+            field: "purl",
+            confidence: 0.8,
+            methods: [
+              {
+                technique: "binary-analysis",
+                confidence: 0.8,
+                value: jarNSMapping[p.purl].jarFile
+              }
+            ]
+          }
+        };
+      }
+      if (
+        jarNSMapping[p.purl].namespaces &&
+        jarNSMapping[p.purl].namespaces.length
+      ) {
+        if (!p.properties) {
+          p.properties = [];
+        }
+        p.properties.push({
+          name: "Namespaces",
+          value: jarNSMapping[p.purl].namespaces.join("\n")
+        });
+      }
+    }
     let group = p.group || "";
     // If the package already has key metadata skip querying maven
     if (group && p.name && p.version && !FETCH_LICENSE) {
@@ -2577,89 +2608,66 @@ export const parsePoetrylockData = async function (lockData, lockFile) {
 export async function parseReqFile(reqData, fetchDepsInfo) {
   const pkgList = [];
   let compScope = undefined;
-  reqData.split("\n").forEach((l) => {
-    l = l.replace("\r", "");
-    l = l.trim();
-    if (l.startsWith("Skipping line") || l.startsWith("(add")) {
-      return;
-    }
-    if (l.includes("# Basic requirements")) {
-      compScope = "required";
-    } else if (l.includes("added by pip freeze")) {
-      compScope = undefined;
-    }
-    if (!l.startsWith("#") && !l.startsWith("-")) {
-      if (l.includes(" ")) {
-        l = l.split(" ")[0];
-      }
-      if (l.indexOf("=") > -1) {
-        let tmpA = l.split(/(==|<=|~=|>=)/);
-        if (tmpA.includes("#")) {
-          tmpA = tmpA.split("#")[0];
-        }
-        let versionStr = tmpA[tmpA.length - 1].trim().replace("*", "0");
-        if (versionStr.indexOf(" ") > -1) {
-          versionStr = versionStr.split(" ")[0];
+  reqData
+    .replace(/\r/g, "")
+    .replace(/ [\\]\n/g, "")
+    .replace(/ {4}/g, " ")
+    .split("\n")
+    .forEach((l) => {
+      l = l.trim();
+      let markers = undefined;
+      if (l.includes(" ; ")) {
+        const tmpA = l.split(" ; ");
+        if (tmpA && tmpA.length === 2) {
+          l = tmpA[0];
+          markers = tmpA[1];
         }
-        if (versionStr === "0") {
-          versionStr = null;
+      }
+      if (l.startsWith("Skipping line") || l.startsWith("(add")) {
+        return;
+      }
+      if (l.includes("# Basic requirements")) {
+        compScope = "required";
+      } else if (l.includes("added by pip freeze")) {
+        compScope = undefined;
+      }
+      if (!l.startsWith("#") && !l.startsWith("-")) {
+        if (l.includes(" ")) {
+          l = l.split(" ")[0];
         }
-        if (!tmpA[0].includes("=") && !tmpA[0].trim().includes(" ")) {
-          const name = tmpA[0].trim().replace(";", "");
-          if (!PYTHON_STD_MODULES.includes(name)) {
-            pkgList.push({
-              name,
-              version: versionStr,
-              scope: compScope
-            });
+        if (l.indexOf("=") > -1) {
+          let tmpA = l.split(/(==|<=|~=|>=)/);
+          if (tmpA.includes("#")) {
+            tmpA = tmpA.split("#")[0];
           }
-        }
-      } else if (l.includes("<") && l.includes(">")) {
-        const tmpA = l.split(">");
-        const name = tmpA[0].trim().replace(";", "");
-        const versionSpecifiers = l.replace(name, "");
-        if (!PYTHON_STD_MODULES.includes(name)) {
-          pkgList.push({
-            name,
-            version: undefined,
-            scope: compScope,
-            properties: [
-              {
-                name: "cdx:pypi:versionSpecifiers",
-                value: versionSpecifiers
+          let versionStr = tmpA[tmpA.length - 1].trim().replace("*", "0");
+          if (versionStr.indexOf(" ") > -1) {
+            versionStr = versionStr.split(" ")[0];
+          }
+          if (versionStr === "0") {
+            versionStr = null;
+          }
+          if (!tmpA[0].includes("=") && !tmpA[0].trim().includes(" ")) {
+            const name = tmpA[0].trim().replace(";", "");
+            if (!PYTHON_STD_MODULES.includes(name)) {
+              const apkg = {
+                name,
+                version: versionStr,
+                scope: compScope
+              };
+              if (markers) {
+                apkg.properties = [
+                  {
+                    name: "cdx:pip:markers",
+                    value: markers
+                  }
+                ];
               }
-            ]
-          });
-        }
-      } else if (/[>|[|@]/.test(l)) {
-        let tmpA = l.split(/(>|\[|@)/);
-        if (tmpA.includes("#")) {
-          tmpA = tmpA.split("#")[0];
-        }
-        if (!tmpA[0].trim().includes(" ")) {
-          const name = tmpA[0].trim().replace(";", "");
-          const versionSpecifiers = l.replace(name, "");
-          if (!PYTHON_STD_MODULES.includes(name)) {
-            pkgList.push({
-              name,
-              version: undefined,
-              scope: compScope,
-              properties: [
-                {
-                  name: "cdx:pypi:versionSpecifiers",
-                  value: versionSpecifiers
-                }
-              ]
-            });
+              pkgList.push(apkg);
+            }
           }
-        }
-      } else if (l) {
-        if (l.includes("#")) {
-          l = l.split("#")[0];
-        }
-        l = l.trim();
-        const tmpA = l.split(/(<|>)/);
-        if (tmpA && tmpA.length === 3) {
+        } else if (l.includes("<") && l.includes(">")) {
+          const tmpA = l.split(">");
           const name = tmpA[0].trim().replace(";", "");
           const versionSpecifiers = l.replace(name, "");
           if (!PYTHON_STD_MODULES.includes(name)) {
@@ -2675,26 +2683,70 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
               ]
             });
           }
-        } else if (!l.includes(" ")) {
-          const name = l.replace(";", "");
-          const versionSpecifiers = l.replace(name, "");
-          if (!PYTHON_STD_MODULES.includes(name)) {
-            pkgList.push({
-              name,
-              version: null,
-              scope: compScope,
-              properties: [
-                {
-                  name: "cdx:pypi:versionSpecifiers",
-                  value: versionSpecifiers
-                }
-              ]
-            });
+        } else if (/[>|[|@]/.test(l)) {
+          let tmpA = l.split(/(>|\[|@)/);
+          if (tmpA.includes("#")) {
+            tmpA = tmpA.split("#")[0];
+          }
+          if (!tmpA[0].trim().includes(" ")) {
+            const name = tmpA[0].trim().replace(";", "");
+            const versionSpecifiers = l.replace(name, "");
+            if (!PYTHON_STD_MODULES.includes(name)) {
+              pkgList.push({
+                name,
+                version: undefined,
+                scope: compScope,
+                properties: [
+                  {
+                    name: "cdx:pypi:versionSpecifiers",
+                    value: versionSpecifiers
+                  }
+                ]
+              });
+            }
+          }
+        } else if (l) {
+          if (l.includes("#")) {
+            l = l.split("#")[0];
+          }
+          l = l.trim();
+          const tmpA = l.split(/(<|>)/);
+          if (tmpA && tmpA.length === 3) {
+            const name = tmpA[0].trim().replace(";", "");
+            const versionSpecifiers = l.replace(name, "");
+            if (!PYTHON_STD_MODULES.includes(name)) {
+              pkgList.push({
+                name,
+                version: undefined,
+                scope: compScope,
+                properties: [
+                  {
+                    name: "cdx:pypi:versionSpecifiers",
+                    value: versionSpecifiers
+                  }
+                ]
+              });
+            }
+          } else if (!l.includes(" ")) {
+            const name = l.replace(";", "");
+            const versionSpecifiers = l.replace(name, "");
+            if (!PYTHON_STD_MODULES.includes(name)) {
+              pkgList.push({
+                name,
+                version: null,
+                scope: compScope,
+                properties: [
+                  {
+                    name: "cdx:pypi:versionSpecifiers",
+                    value: versionSpecifiers
+                  }
+                ]
+              });
+            }
           }
         }
       }
-    }
-  });
+    });
   return await getPyMetadata(pkgList, fetchDepsInfo);
 }
 
@@ -5710,10 +5762,15 @@ export const encodeForPurl = (s) => {
  *
  * @param {string} jarFile Path to jar file
  * @param {string} tempDir Temporary directory to use for extraction
+ * @param {object} jarNSMapping Jar class names mapping object
  *
  * @return pkgList Package list
  */
-export const extractJarArchive = function (jarFile, tempDir) {
+export const extractJarArchive = function (
+  jarFile,
+  tempDir,
+  jarNSMapping = {}
+) {
   const pkgList = [];
   let jarFiles = [];
   const fname = basename(jarFile);
@@ -5873,10 +5930,19 @@ export const extractJarArchive = function (jarFile, tempDir) {
             if (group == name) {
               group = "";
             }
-            pkgList.push({
-              group: group === "." ? "" : encodeForPurl(group || "") || "",
+            group = group === "." ? "" : encodeForPurl(group || "") || "";
+            let apkg = {
+              group,
               name: name ? encodeForPurl(name) : "",
               version,
+              purl: new PackageURL(
+                "maven",
+                group,
+                name,
+                version,
+                { type: "jar" },
+                null
+              ).toString(),
               evidence: {
                 identity: {
                   field: "purl",
@@ -5896,7 +5962,18 @@ export const extractJarArchive = function (jarFile, tempDir) {
                   value: jarname
                 }
               ]
-            });
+            };
+            if (
+              jarNSMapping &&
+              jarNSMapping[apkg.purl] &&
+              jarNSMapping[apkg.purl].namespaces
+            ) {
+              apkg.properties.push({
+                name: "Namespaces",
+                value: jarNSMapping[apkg.purl].namespaces.join("\n")
+              });
+            }
+            pkgList.push(apkg);
           } else {
             if (DEBUG_MODE) {
               console.log(`Ignored jar ${jarname}`, jarMetadata, name, version);
@@ -6225,7 +6302,7 @@ export const executeAtom = (src, args) => {
       result.stderr.includes("Error: Could not create the Java Virtual Machine")
     ) {
       console.log(
-        "Atom requires Java 17 or above. To improve the SBoM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image."
+        "Atom requires Java 17 or above. To improve the SBOM accuracy, please install a suitable version, set the JAVA_HOME environment variable, and re-run cdxgen.\nAlternatively, use the cdxgen container image."
       );
       console.log(`Current JAVA_HOME: ${env["JAVA_HOME"] || ""}`);
     } else if (result.stderr.includes("astgen")) {
@@ -6510,7 +6587,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
         ) {
           versionRelatedError = true;
           console.log(
-            "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBoM accuracy."
+            "The version or the version specifiers used for a dependency is invalid. Resolve the below error to improve SBOM accuracy."
           );
           console.log(result.stderr);
         }
@@ -6518,7 +6595,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
           console.log("args used:", pipInstallArgs);
           console.log(result.stdout, result.stderr);
           console.log(
-            "Possible build errors detected. The resulting list in the SBoM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy."
+            "Possible build errors detected. The resulting list in the SBOM would therefore be incomplete.\nTry installing any missing build tools or development libraries to improve the accuracy."
           );
           if (platform() === "win32") {
             console.log(
@@ -6541,7 +6618,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
   if (env.VIRTUAL_ENV && env.VIRTUAL_ENV.length) {
     /**
      * At this point, the previous attempt to do a pip install might have failed and we might have an unclean virtual environment with an incomplete list
-     * The position taken by cdxgen is "Some SBoM is better than no SBoM", so we proceed to collecting the dependencies that got installed with pip freeze
+     * The position taken by cdxgen is "Some SBOM is better than no SBOM", so we proceed to collecting the dependencies that got installed with pip freeze
      */
     if (DEBUG_MODE) {
       console.log(
@@ -6597,7 +6674,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
   } else {
     if (DEBUG_MODE) {
       console.log(
-        "NOTE: Setup and activate a python virtual environment for this project prior to invoking cdxgen to improve SBoM accuracy."
+        "NOTE: Setup and activate a python virtual environment for this project prior to invoking cdxgen to improve SBOM accuracy."
       );
     }
   }

package/utils.test.js

@@ -1143,7 +1143,7 @@ test("parse github actions workflow data", async () => {
   dep_list = parseGitHubWorkflowData(
     readFileSync("./.github/workflows/repotests.yml", { encoding: "utf-8" })
   );
-  expect(dep_list.length).toEqual(6);
+  expect(dep_list.length).toEqual(7);
   expect(dep_list[0]).toEqual({
     group: "actions",
     name: "checkout",
@@ -1270,7 +1270,7 @@ test("get nget metadata", async () => {
         "pkg:nuget/NUnit.Console@3.11.1",
         "pkg:nuget/NUnit3TestAdapter@3.16.1",
         "pkg:nuget/NUnitLite@3.13.3",
-        "pkg:nuget/Serilog@0.0.0",
+        "pkg:nuget/Serilog@3.0.1",
         "pkg:nuget/Serilog.Sinks.TextWriter@2.0.0",
         "pkg:nuget/System.Security.Permissions@4.7.0",
         "pkg:nuget/log4net@2.0.13",
@@ -1295,7 +1295,7 @@ test("get nget metadata", async () => {
         "pkg:nuget/System.Text.RegularExpressions@4.1.0",
         "pkg:nuget/System.Threading@4.0.11"
       ],
-      ref: "pkg:nuget/Serilog@0.0.0"
+      ref: "pkg:nuget/Serilog@3.0.1"
     }
   ];
   let pkg_list = [
@@ -1308,8 +1308,8 @@ test("get nget metadata", async () => {
     {
       group: "",
       name: "Serilog",
-      version: "0.0.0",
-      "bom-ref": "pkg:nuget/Serilog@0.0.0"
+      version: "3.0.1",
+      "bom-ref": "pkg:nuget/Serilog@3.0.1"
     }
   ];
   const { pkgList, dependencies } = await getNugetMetadata(pkg_list, dep_list);
@@ -2261,6 +2261,25 @@ test("parse requirements.txt", async () => {
     version: "8.6.2",
     scope: "required"
   });
+  deps = await parseReqFile(
+    readFileSync("./test/data/chen-science-requirements.txt", {
+      encoding: "utf-8"
+    }),
+    false
+  );
+  expect(deps.length).toEqual(87);
+  expect(deps[0]).toEqual({
+    name: "aiofiles",
+    version: "23.2.1",
+    scope: undefined,
+    properties: [
+      {
+        name: "cdx:pip:markers",
+        value:
+          'python_full_version >= "3.8.1" and python_version < "3.12" --hash=sha256:19297512c647d4b27a2cf7c34caa7e405c0d60b5560618a29a9fe027b18b0107 --hash=sha256:84ec2218d8419404abcb9f0c02df3f34c6e0a68ed41072acfb1cef5cbc29051a'
+      }
+    ]
+  });
 });
 
 test("parse pyproject.toml", async () => {