@cyclonedx/cdxgen 9.8.7 → 9.8.8

package/README.md

@@ -4,7 +4,7 @@
 
 cdxgen is a cli tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill of Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
-When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
+When used with plugins, cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems. cdxgen also includes an evinse tool to generate component evidence and SaaSBOM for some languages.
 
 NOTE:
 
@@ -61,7 +61,7 @@ NOTE:
 
 Footnotes:
 
-- [1] - For multi-module applications, the BoM file could include components not included in the packaged war or ear file.
+- [1] - For multi-module applications, the BOM file could include components not included in the packaged war or ear file.
 - [2] - Pip freeze is automatically performed to improve precision. Requires virtual environment.
 - [3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
 - [4] - See the section on plugins
@@ -197,7 +197,7 @@ To print the SBOM as a table pass `-p` argument.
 cdxgen -t java -o bom.json -p
 ```
 
-To recursively generate a single BoM for all languages pass `-r` argument.
+To recursively generate a single BOM for all languages pass `-r` argument.
 
 ```shell
 cdxgen -r -o bom.json
@@ -254,6 +254,14 @@ Arguments can be passed either via the query string or as a JSON body. The follo
 | projectGroup   | Dependency track project group                                                                                                              |
 | projectVersion | Dependency track project version [default: ""]                                                                                              |
 
+### Health endpoint
+
+Use the /health endpoint to check if the SBOM server is up and running.
+
+```shell
+curl "http://127.0.0.1:9090/health"
+```
+
 ### Scanning a local path
 
 ```shell
@@ -281,7 +289,7 @@ docker compose up
 
 ## War file support
 
-cdxgen can generate a BoM file from a given war file.
+cdxgen can generate a BOM file from a given war file.
 
 ```shell
 # cdxgen -t java app.war
@@ -318,6 +326,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
 - csharp (projects.assets.json)
+- Go (go.mod)
 
 ## Environment variables
 
@@ -399,9 +408,9 @@ systemctl --user start podman.socket
 podman system service -t 0 &
 ```
 
-### Generate OBoM for a live system
+### Generate OBOM for a live system
 
-You can use the `obom` command to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
+You can use the `obom` command to generate an OBOM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
 
 ```shell
 # obom is an alias for cdxgen -t os
@@ -417,7 +426,7 @@ See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
 ## BoM signing
 
-cdxgen can sign the generated BoM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
+cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 
 - SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
 - SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key

package/analyzer.js

@@ -1,8 +1,8 @@
 import { parse } from "@babel/parser";
 import traverse from "@babel/traverse";
-import { join } from "path";
-import { readdirSync, statSync, readFileSync } from "fs";
-import { basename, resolve, isAbsolute, relative } from "path";
+import { join } from "node:path";
+import { readdirSync, statSync, readFileSync } from "node:fs";
+import { basename, resolve, isAbsolute, relative } from "node:path";
 
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")

package/bin/cdxgen.js

@@ -6,8 +6,7 @@ import fs from "node:fs";
 import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import jws from "jws";
-import crypto from "crypto";
-import { start as _serverStart } from "../server.js";
+import crypto from "node:crypto";
 import { fileURLToPath } from "node:url";
 import globalAgent from "global-agent";
 import process from "node:process";
@@ -243,7 +242,8 @@ const checkPermissions = (filePath) => {
 (async () => {
   // Start SBOM server
   if (args.server) {
-    return await _serverStart(options);
+    const serverModule = await import("../server.js");
+    return await serverModule.start(options);
   }
   // Check if cdxgen has the required permissions
   if (!checkPermissions(filePath)) {

package/bin/repl.js

@@ -110,16 +110,16 @@ cdxgenRepl.defineCommand("create", {
     });
     if (bomNSData) {
       sbom = bomNSData.bomJson;
-      console.log("✅ BoM imported successfully.");
-      console.log("💭 Type .print to view the BoM as a table");
+      console.log("✅ BOM imported successfully.");
+      console.log("💭 Type .print to view the BOM as a table");
     } else {
-      console.log("BoM was not generated successfully");
+      console.log("BOM was not generated successfully");
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("import", {
-  help: "import an existing BoM",
+  help: "import an existing BOM",
   action(sbomOrPath) {
     this.clearBufferedCommand();
     importSbom(sbomOrPath);
@@ -139,7 +139,7 @@ cdxgenRepl.defineCommand("sbom", {
       console.log(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -171,7 +171,7 @@ cdxgenRepl.defineCommand("search", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -205,7 +205,7 @@ cdxgenRepl.defineCommand("sort", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -229,7 +229,7 @@ cdxgenRepl.defineCommand("query", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -242,7 +242,7 @@ cdxgenRepl.defineCommand("print", {
       printTable(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -255,7 +255,7 @@ cdxgenRepl.defineCommand("tree", {
       printDependencyTree(sbom);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -271,7 +271,7 @@ cdxgenRepl.defineCommand("validate", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -285,10 +285,10 @@ cdxgenRepl.defineCommand("save", {
         saveToFile = "bom.json";
       }
       fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
-      console.log(`BoM saved successfully to ${saveToFile}`);
+      console.log(`BOM saved successfully to ${saveToFile}`);
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -313,10 +313,10 @@ cdxgenRepl.defineCommand("update", {
       if (newSbom && newSbom.components.length <= sbom.components.length) {
         sbom = newSbom;
       }
-      console.log("BoM updated successfully.");
+      console.log("BOM updated successfully.");
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM"
       );
     }
     this.displayPrompt();
@@ -333,7 +333,7 @@ cdxgenRepl.defineCommand("occurrences", {
         let components = await expression.evaluate(sbom);
         if (!components) {
           console.log(
-            "No results found. Use evinse command to generate an BoM with evidence."
+            "No results found. Use evinse command to generate an BOM with evidence."
           );
         } else {
           if (!Array.isArray(components)) {
@@ -346,7 +346,7 @@ cdxgenRepl.defineCommand("occurrences", {
       }
     } else {
       console.log(
-        "⚠ No BoM is loaded. Use .import command to import an evinse BoM"
+        "⚠ No BOM is loaded. Use .import command to import an evinse BOM"
       );
     }
     this.displayPrompt();
@@ -437,7 +437,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
         let catgories = await expression.evaluate(sbom);
         if (!catgories) {
           console.log(
-            "Unable to retrieve the os info categories. Only OBoMs generated by cdxgen are supported by this tool."
+            "Unable to retrieve the os info categories. Only OBOMs generated by cdxgen are supported by this tool."
           );
         } else {
           console.log(catgories.join("\n"));
@@ -447,7 +447,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
       }
     } else {
       console.log(
-        "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+        "⚠ No OBOM is loaded. Use .import command to import an OBOM"
       );
     }
     this.displayPrompt();
@@ -546,7 +546,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
         }
       } else {
         console.log(
-          "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+          "⚠ No OBOM is loaded. Use .import command to import an OBOM"
         );
       }
       this.displayPrompt();

package/binary.js

@@ -230,7 +230,7 @@ export const getGoBuildInfo = (src) => {
     let result = spawnSync(GOVERSION_BIN, [src], {
       encoding: "utf-8"
     });
-    if (result.status !== 0 || result.error) {
+    if (result.status !== 0 || result.error || !result.stdout) {
       if (result.stdout || result.stderr) {
         console.error(result.stdout, result.stderr);
       }

package/docker.js

@@ -1,6 +1,6 @@
 import got from "got";
 import { globSync } from "glob";
-import { parse } from "url";
+import { parse } from "node:url";
 import stream from "node:stream/promises";
 import {
   existsSync,

package/index.js

@@ -60,6 +60,7 @@ import {
   parseGoVersionData,
   parseGosumData,
   parseGoListDep,
+  parseGoModGraph,
   parseGoModWhy,
   parseGoModData,
   parseGopkgData,
@@ -2309,24 +2310,36 @@ export const createPythonBom = async (path, options) => {
     for (const f of poetryFiles) {
       const basePath = dirname(f);
       const lockData = readFileSync(f, { encoding: "utf-8" });
-      const dlist = await parsePoetrylockData(lockData, f);
-      if (dlist && dlist.length) {
-        pkgList = pkgList.concat(dlist);
-      }
-      const pkgMap = getPipFrozenTree(basePath, f, tempDir);
-      if (pkgMap.pkgList && pkgMap.pkgList.length) {
-        pkgList = pkgList.concat(pkgMap.pkgList);
+      let retMap = await parsePoetrylockData(lockData, f);
+      if (retMap.pkgList && retMap.pkgList.length) {
+        pkgList = pkgList.concat(retMap.pkgList);
+        pkgList = trimComponents(pkgList, "json");
       }
-      if (pkgMap.dependenciesList) {
+      if (retMap.dependenciesList && retMap.dependenciesList.length) {
         dependencies = mergeDependencies(
           dependencies,
-          pkgMap.dependenciesList,
+          retMap.dependenciesList,
           parentComponent
         );
       }
+      // Retrieve the tree using virtualenv in deep mode and as a fallback
+      // This is a slow operation
+      if (options.deep || !dependencies.length) {
+        retMap = getPipFrozenTree(basePath, f, tempDir);
+        if (retMap.pkgList && retMap.pkgList.length) {
+          pkgList = pkgList.concat(retMap.pkgList);
+        }
+        if (retMap.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            retMap.dependenciesList,
+            parentComponent
+          );
+        }
+      }
       const parentDependsOn = [];
       // Complete the dependency tree by making parent component depend on the first level
-      for (const p of pkgMap.rootList) {
+      for (const p of retMap.rootList) {
         parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
       }
       const pdependencies = {
@@ -2397,6 +2410,8 @@ export const createPythonBom = async (path, options) => {
           let frozen = false;
           // Attempt to pip freeze in a virtualenv to improve precision
           if (options.installDeps) {
+            // If there are multiple requirements files then the tree is getting constructed for each one
+            // adding to the delay.
             const pkgMap = getPipFrozenTree(basePath, f, tempDir);
             if (pkgMap.pkgList && pkgMap.pkgList.length) {
               pkgList = pkgList.concat(pkgMap.pkgList);
@@ -2454,7 +2469,7 @@ export const createPythonBom = async (path, options) => {
       }
       // Get the imported modules and a dedupe list of packages
       const parentDependsOn = new Set();
-      const retMap = await getPyModules(path, pkgList);
+      const retMap = await getPyModules(path, pkgList, options);
       if (retMap.pkgList && retMap.pkgList.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         for (const p of retMap.pkgList) {
@@ -2548,6 +2563,9 @@ export const createPythonBom = async (path, options) => {
  */
 export const createGoBom = async (path, options) => {
   let pkgList = [];
+  let dependencies = [];
+  const allImports = {};
+  let parentComponent = createDefaultParentComponent(path, "golang", options);
   // Is this a binary file
   let maybeBinary = false;
   try {
@@ -2569,6 +2587,8 @@ export const createGoBom = async (path, options) => {
     }
     return buildBomNSData(options, pkgList, "golang", {
       allImports,
+      dependencies,
+      parentComponent,
       src: path,
       filename: path
     });
@@ -2598,8 +2618,70 @@ export const createGoBom = async (path, options) => {
         pkgList = pkgList.concat(dlist);
       }
     }
+    const doneList = {};
+    let circuitBreak = false;
+    if (DEBUG_MODE) {
+      console.log(
+        `Attempting to detect required packages using "go mod why" command for ${pkgList.length} packages`
+      );
+    }
+    // Using go mod why detect required packages
+    for (const apkg of pkgList) {
+      if (circuitBreak) {
+        break;
+      }
+      const pkgFullName = `${apkg.name}`;
+      if (apkg.scope === "required") {
+        allImports[pkgFullName] = true;
+        continue;
+      }
+      if (
+        apkg.scope === "optional" ||
+        allImports[pkgFullName] ||
+        doneList[pkgFullName]
+      ) {
+        continue;
+      }
+      if (DEBUG_MODE) {
+        console.log(`go mod why -m -vendor ${pkgFullName}`);
+      }
+      const mresult = spawnSync(
+        "go",
+        ["mod", "why", "-m", "-vendor", pkgFullName],
+        { cwd: path, encoding: "utf-8", timeout: TIMEOUT_MS }
+      );
+      if (mresult.status !== 0 || mresult.error) {
+        if (DEBUG_MODE) {
+          if (mresult.stdout) {
+            console.log(mresult.stdout);
+          }
+          if (mresult.stderr) {
+            console.log(mresult.stderr);
+          }
+        }
+        circuitBreak = true;
+      } else {
+        const mstdout = mresult.stdout;
+        if (mstdout) {
+          const cmdOutput = Buffer.from(mstdout).toString();
+          const whyPkg = parseGoModWhy(cmdOutput);
+          // whyPkg would include this package string
+          // github.com/golang/protobuf/proto github.com/golang/protobuf
+          // golang.org/x/tools/cmd/goimports golang.org/x/tools
+          if (whyPkg && whyPkg.includes(pkgFullName)) {
+            allImports[pkgFullName] = true;
+          }
+          doneList[pkgFullName] = true;
+        }
+      }
+    }
+    if (DEBUG_MODE) {
+      console.log(`Required packages: ${Object.keys(allImports).length}`);
+    }
     return buildBomNSData(options, pkgList, "golang", {
       src: path,
+      dependencies,
+      parentComponent,
       filename: gosumFiles.join(", ")
     });
   }
@@ -2615,7 +2697,7 @@ export const createGoBom = async (path, options) => {
       const dlist = await parseGosumData(gosumData);
       if (dlist && dlist.length) {
         dlist.forEach((pkg) => {
-          gosumMap[`${pkg.group}/${pkg.name}/${pkg.version}`] = pkg._integrity;
+          gosumMap[`${pkg.group}/${pkg.name}@${pkg.version}`] = pkg._integrity;
         });
       }
     }
@@ -2634,7 +2716,7 @@ export const createGoBom = async (path, options) => {
   );
   if (gomodFiles.length) {
     let shouldManuallyParse = false;
-    // Use the go list -deps and go mod why commands to generate a good quality BoM for non-docker invocations
+    // Use the go list -deps and go mod why commands to generate a good quality BOM for non-docker invocations
     if (!["docker", "oci", "os"].includes(options.projectType)) {
       for (const f of gomodFiles) {
         const basePath = dirname(f);
@@ -2642,36 +2724,85 @@ export const createGoBom = async (path, options) => {
         if (basePath.includes("/vendor/") || basePath.includes("/build/")) {
           continue;
         }
+        // First we execute the go list -deps command which gives the correct list of dependencies
         if (DEBUG_MODE) {
           console.log("Executing go list -deps in", basePath);
         }
-        const result = spawnSync(
+        let result = spawnSync(
           "go",
           [
             "list",
             "-deps",
             "-f",
-            "'{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}}{{end}}'",
+            "'{{with .Module}}{{.Path}} {{.Version}} {{.Indirect}} {{.GoMod}} {{.GoVersion}} {{.Main}}{{end}}'",
             "./..."
           ],
           { cwd: basePath, encoding: "utf-8", timeout: TIMEOUT_MS }
         );
+        if (DEBUG_MODE) {
+          console.log("Executing go mod graph in", basePath);
+        }
         if (result.status !== 0 || result.error) {
           shouldManuallyParse = true;
-          if (result.stdout) {
+          if (DEBUG_MODE && result.stdout) {
             console.log(result.stdout);
           }
-          if (result.stderr) {
+          if (DEBUG_MODE && result.stderr) {
             console.log(result.stderr);
           }
           options.failOnError && process.exit(1);
         }
         const stdout = result.stdout;
         if (stdout) {
-          const cmdOutput = Buffer.from(stdout).toString();
-          const dlist = await parseGoListDep(cmdOutput, gosumMap);
-          if (dlist && dlist.length) {
-            pkgList = pkgList.concat(dlist);
+          let cmdOutput = Buffer.from(stdout).toString();
+          const retMap = await parseGoListDep(cmdOutput, gosumMap);
+          if (retMap.pkgList && retMap.pkgList.length) {
+            pkgList = pkgList.concat(retMap.pkgList);
+          }
+          // We treat the main module as our parent
+          if (
+            retMap.parentComponent &&
+            Object.keys(retMap.parentComponent).length
+          ) {
+            parentComponent = retMap.parentComponent;
+            parentComponent.type = "application";
+          }
+          // Next we use the go mod graph command to construct the dependency tree
+          result = spawnSync("go", ["mod", "graph"], {
+            cwd: basePath,
+            encoding: "utf-8",
+            timeout: TIMEOUT_MS
+          });
+          // Check if got a mod graph successfully
+          if (result.status !== 0 || result.error) {
+            if (DEBUG_MODE && result.stdout) {
+              console.log(result.stdout);
+            }
+            if (DEBUG_MODE && result.stderr) {
+              console.log(result.stderr);
+            }
+            options.failOnError && process.exit(1);
+          }
+          if (result.stdout) {
+            cmdOutput = Buffer.from(result.stdout).toString();
+            const retMap = await parseGoModGraph(
+              cmdOutput,
+              f,
+              gosumMap,
+              pkgList,
+              parentComponent
+            );
+            if (retMap.pkgList && retMap.pkgList.length) {
+              pkgList = pkgList.concat(retMap.pkgList);
+              pkgList = trimComponents(pkgList, "json");
+            }
+            if (retMap.dependenciesList && retMap.dependenciesList.length) {
+              dependencies = mergeDependencies(
+                dependencies,
+                retMap.dependenciesList,
+                parentComponent
+              );
+            }
           }
         } else {
           shouldManuallyParse = true;
@@ -2681,67 +2812,20 @@ export const createGoBom = async (path, options) => {
           options.failOnError && process.exit(1);
         }
       }
-      const allImports = {};
-      let circuitBreak = false;
-      if (DEBUG_MODE) {
-        console.log(
-          `Attempting to detect required packages using "go mod why" command for ${pkgList.length} packages`
-        );
-      }
-      // Using go mod why detect required packages
-      for (const apkg of pkgList) {
-        if (circuitBreak) {
-          break;
-        }
-        const pkgFullName = `${apkg.name}`;
-        if (apkg.scope === "required") {
-          allImports[pkgFullName] = true;
-          continue;
-        }
-        if (DEBUG_MODE) {
-          console.log(`go mod why -m -vendor ${pkgFullName}`);
-        }
-        const mresult = spawnSync(
-          "go",
-          ["mod", "why", "-m", "-vendor", pkgFullName],
-          { cwd: path, encoding: "utf-8", timeout: TIMEOUT_MS }
-        );
-        if (mresult.status !== 0 || mresult.error) {
-          if (DEBUG_MODE) {
-            if (mresult.stdout) {
-              console.log(mresult.stdout);
-            }
-            if (mresult.stderr) {
-              console.log(mresult.stderr);
-            }
-          }
-          circuitBreak = true;
-        } else {
-          const mstdout = mresult.stdout;
-          if (mstdout) {
-            const cmdOutput = Buffer.from(mstdout).toString();
-            const whyPkg = parseGoModWhy(cmdOutput);
-            if (whyPkg == pkgFullName) {
-              allImports[pkgFullName] = true;
-            }
-          }
-        }
-      }
-      if (DEBUG_MODE) {
-        console.log(`Required packages: ${Object.keys(allImports).length}`);
-      }
       if (pkgList.length && !shouldManuallyParse) {
         return buildBomNSData(options, pkgList, "golang", {
           allImports,
+          dependencies,
+          parentComponent,
           src: path,
           filename: gomodFiles.join(", ")
         });
       }
     }
-    // Parse the gomod files manually. The resultant BoM would be incomplete
+    // Parse the gomod files manually. The resultant BOM would be incomplete
     if (!["docker", "oci", "os"].includes(options.projectType)) {
       console.log(
-        "Manually parsing go.mod files. The resultant BoM would be incomplete."
+        "Manually parsing go.mod files. The resultant BOM would be incomplete."
       );
     }
     for (const f of gomodFiles) {
@@ -2756,6 +2840,8 @@ export const createGoBom = async (path, options) => {
     }
     return buildBomNSData(options, pkgList, "golang", {
       src: path,
+      dependencies,
+      parentComponent,
       filename: gomodFiles.join(", ")
     });
   } else if (gopkgLockFiles.length) {
@@ -2773,6 +2859,8 @@ export const createGoBom = async (path, options) => {
     }
     return buildBomNSData(options, pkgList, "golang", {
       src: path,
+      dependencies,
+      parentComponent,
       filename: gopkgLockFiles.join(", ")
     });
   }
@@ -3285,7 +3373,7 @@ export const createCloudBuildBom = (path, options) => {
  */
 export const createOSBom = (path, options) => {
   console.warn(
-    "About to generate OBoM for the current OS installation. This will take several minutes ..."
+    "About to generate OBOM for the current OS installation. This will take several minutes ..."
   );
   let pkgList = [];
   let bomData = {};
@@ -4165,7 +4253,7 @@ export const dedupeBom = (
   componentsXmls = trimComponents(componentsXmls, "xml");
   if (DEBUG_MODE) {
     console.log(
-      `BoM includes ${components.length} components and ${dependencies.length} dependencies after dedupe`
+      `BOM includes ${components.length} components and ${dependencies.length} dependencies after dedupe`
     );
   }
   const serialNum = "urn:uuid:" + uuidv4();