@cyclonedx/cdxgen 9.8.6 → 9.8.7

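--- a/package/README.md
+++ b/package/README.md
@@ -27,7 +27,7 @@ A typical application might have several repos, components, and libraries. Tradi
  | go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary |
  | ruby | Gemfile.lock, gemspec | Only for Gemfile.lock |
  | rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock |
- | .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg | Only for project.assets.json, packages.lock.json |
+ | .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock |
  | dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock |
  | haskell | cabal.project.freeze | Yes |
  | elixir | mix.lock | Yes |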
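--- a/package/index.js
+++ b/package/index.js
@@ -92,6 +92,7 @@ import {
  parseCsPkgLockData,
  parseCsPkgData,
  parseCsProjData,
+ parsePaketLockData,
  DEBUG_MODE,
  parsePyProjectToml,
  addEvidenceForImports,
@@ -3963,6 +3964,10 @@ export const createCsharpBom = async (
  path,
  (options.multiProject ? "**/" : "") + "packages.lock.json"
  );
+ const paketLockFiles = getAllFiles(
+ path,
+ (options.multiProject ? "**/" : "") + "paket.lock"
+ );
  const nupkgFiles = getAllFiles(
  path,
  (options.multiProject ? "**/" : "") + "*.nupkg"
@@ -4046,6 +4051,20 @@ export const createCsharpBom = async (
  }
  }
  }
+ if (paketLockFiles.length) {
+ manifestFiles = manifestFiles.concat(paketLockFiles);
+ // paket.lock parsing
+ for (const f of paketLockFiles) {
+ if (DEBUG_MODE) {
+ console.log(`Parsing ${f}`);
+ }
+ pkgData = readFileSync(f, { encoding: "utf-8" });
+ const dlist = await parsePaketLockData(pkgData);
+ if (dlist && dlist.length) {
+ pkgList = pkgList.concat(dlist);
+ }
+ }
+ }
  if (!parentComponent) {
  parentComponent = createDefaultParentComponent(path, options.type, options);
  }
@@ -4110,13 +4129,16 @@ export const trimComponents = (components, format) => {
  const filteredComponents = [];
  for (const comp of components) {
  if (format === "xml" && comp.component) {
- const key = comp.component.purl || comp.component["bom-ref"];
+ const key =
+ comp.component.purl ||
+ comp.component["bom-ref"] ||
+ comp.name + comp.version;
  if (!keyCache[key]) {
  keyCache[key] = true;
  filteredComponents.push(comp);
  }
  } else {
- const key = comp.purl || comp["bom-ref"] || comp.name + comp.version;
+ const key = comp.purl || comp["bom-ref"] || comp.name + comp.version;
  if (!keyCache[key]) {
  keyCache[key] = true;
  filteredComponents.push(comp);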
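Review bot: In the `format === "xml"` branch of trimComponents the new fallback key reads `comp.name + comp.version`, while the two keys before it read from `comp.component`; if `comp` carries no top-level `name`/`version` in that shape, every component lacking a purl and bom-ref collapses to the key `"undefinedundefined"` and all but the first are silently dropped. The same collapse happens in the `else` branch whenever both fields are missing, and plain concatenation cannot tell `foo1`+`2.0` from `foo`+`12.0`, so a separator-joined key such as `[comp.component.name, comp.component.version].join("@")` (and `[comp.name, comp.version].join("@")` below) is safer in both places. `keyCache` looks like a plain object keyed by these strings, so a component whose key matches an inherited property name (e.g. `constructor`) would test truthy on `keyCache[key]` and be dropped; a `Set` or an `Object.hasOwn(keyCache, key)` check avoids that. trimComponents continues outside the hunk.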
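--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cyclonedx/cdxgen",
- "version": "9.8.6",
+ "version": "9.8.7",
  "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
  "homepage": "http://github.com/cyclonedx/cdxgen",
  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -82,7 +82,7 @@
  "yargs": "^17.7.2"
  },
  "optionalDependencies": {
- "@appthreat/atom": "^1.2.3",
+ "@appthreat/atom": "1.2.5",
  "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
  "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
  "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",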
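--- a/package/server.js
+++ b/package/server.js
@@ -8,6 +8,7 @@ import fs from "node:fs";
  import path from "node:path";
  import { createBom, submitBom } from "./index.js";
  import compression from "compression";
+ import { URL } from "url";
 
  // Timeout milliseconds. Default 10 mins
  const TIMEOUT_MS =
@@ -24,10 +25,14 @@ app.use(
  app.use(compression());
 
  const gitClone = (repoUrl) => {
+ const parsedUrl = new URL(repoUrl);
+
+ const sanitizedRepoUrl = `${parsedUrl.protocol}//${parsedUrl.host}${parsedUrl.pathname}`;
+
  const tempDir = fs.mkdtempSync(
- path.join(os.tmpdir(), path.basename(repoUrl))
+ path.join(os.tmpdir(), path.basename(parsedUrl.pathname))
  );
- console.log("Cloning", repoUrl, "to", tempDir);
+ console.log("Cloning", sanitizedRepoUrl, "to", tempDir);
  const result = spawnSync("git", ["clone", repoUrl, "--depth", "1", tempDir], {
  encoding: "utf-8",
  shell: false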
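Review bot: `new URL(repoUrl)` at the top of gitClone throws a TypeError for any value that is not an absolute URL, and nothing in the hunk catches it; unless the caller (outside the hunk) does, a malformed repository parameter becomes an unhandled exception instead of a clean client error. Wrapping it as `let parsedUrl; try { parsedUrl = new URL(repoUrl); } catch (err) { throw new Error("invalid repository url", { cause: err }); }` keeps the failure explicit and preserves the cause. Since the original, unparsed `repoUrl` is still what is handed to `git clone`, it is also worth checking `parsedUrl.protocol` against the schemes the service intends to support (e.g. `https:`) before spawning, and rejecting anything else. Minor: the file imports other built-ins with the `node:` prefix and `URL` is already a Node global, so the added `import { URL } from "url"` could be dropped or written as `"node:url"`. gitClone's body continues past the end of the hunk.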
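--- a/package/utils.js
+++ b/package/utils.js
@@ -4639,6 +4639,28 @@ export const parseCsPkgLockData = async function (csLockData) {
  return pkgList;
  };
 
+ export const parsePaketLockData = async function (paketLockData) {
+ const pkgList = [];
+ let pkg = null;
+ if (!paketLockData) {
+ return pkgList;
+ }
+ const pkgRegex = /\s+([a-zA-Z0-9-.]+) \(((?=.*?\.)[a-zA-Z0-9-.]+)\)/g;
+ for (const [, name, version] of paketLockData.matchAll(pkgRegex)) {
+ const purl = decodeURIComponent(
+ new PackageURL("nuget", "", name, version, null, null).toString()
+ );
+ pkg = {
+ group: "",
+ name: name,
+ version: version,
+ purl: purl
+ };
+ pkgList.push(pkg);
+ }
+ return pkgList;
+ };
+
  /**
  * Parse composer lock file
  *
@@ -5381,11 +5403,7 @@ export const collectMvnDependencies = function (
  "-Dmdep.stripVersion=" + (process.env.MAVEN_STRIP_VERSION || "false")
  ];
  if (basePath && basePath !== MAVEN_CACHE_DIR) {
- console.log(
- `Executing '${mavenCmd} dependency:copy-dependencies ${copyArgs.join(
- " "
- )}' in ${basePath}`
- );
+ console.log(`Executing '${mavenCmd} ${copyArgs.join(" ")}' in ${basePath}`);
  const result = spawnSync(mavenCmd, copyArgs, {
  cwd: basePath,
  encoding: "utf-8",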
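Review bot: parsePaketLockData lacks the JSDoc header its neighbours carry (the `/** Parse composer lock file` block directly below it); a comment such as `/** Parse a paket.lock file and return its pinned nuget packages as {group, name, version, purl} entries. */` with `@param {string} paketLockData` and `@returns {Array}` would match the file's style. The lookahead `(?=.*?\.)` in `pkgRegex` sits after the opening parenthesis but its `.*?` may run past the closing one, so the intended "version contains a dot" rule is really "a dot appears later on the same line" (a trailing annotation on the line would satisfy it); `\(([a-zA-Z0-9.-]*\.[a-zA-Z0-9.-]*)\)` constrains the version capture itself. If the same package is listed under more than one group of the lock file it is appended once per occurrence, so a `Set` of seen purls checked before `pkgList.push(pkg)` would dedupe. Style: the function is declared `async` but does no asynchronous work, and `let pkg = null` outside the loop could be a `const pkg = { group: "", name, version, purl };` inside it.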
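--- a/package/utils.test.js
+++ b/package/utils.test.js
@@ -32,6 +32,7 @@ import {
  parseCsProjData,
  parseCsProjAssetsData,
  parseCsPkgLockData,
+ parsePaketLockData,
  getNugetMetadata,
  parsePom,
  getMvnMetadata,
@@ -1246,6 +1247,20 @@ test("parse packages.lock.json", async () => {
  });
  });
 
+ test("parse paket.lock", async () => {
+ expect(await parsePaketLockData(null)).toEqual([]);
+ const dep_list = await parsePaketLockData(
+ readFileSync("./test/data/paket.lock", { encoding: "utf-8" })
+ );
+ expect(dep_list.length).toEqual(13);
+ expect(dep_list[0]).toEqual({
+ group: "",
+ name: "0x53A.ReferenceAssemblies.Paket",
+ version: "0.2",
+ purl: "pkg:nuget/0x53A.ReferenceAssemblies.Paket@0.2"
+ });
+ });
+
  test("parse .net cs proj", async () => {
  expect(await parseCsProjData(null)).toEqual([]);
  const dep_list = await parseCsProjData(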
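Review bot: The new "parse paket.lock" test pins only the entry count and `dep_list[0]`, so a regression in how constraint lines or trailing annotations in the fixture are parsed would pass unnoticed as long as the first entry survives; adding `expect(dep_list.every((d) => d.purl === "pkg:nuget/" + d.name + "@" + d.version)).toBe(true);` and an assertion on the last entry would tie the test to the whole fixture. The empty-input path is covered for `null` only; `expect(await parsePaketLockData("")).toEqual([]);` is one more line. The `test("parse .net cs proj"` block that follows continues outside the hunk.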