@cyclonedx/cdxgen 9.8.8 → 9.8.10

package/README.md

@@ -126,6 +126,7 @@ import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
 
 ```text
 $ cdxgen -h
+Options:
   -o, --output                 Output file for bom.xml or bom.json. Default bom.
                                json
   -t, --type                   Project type
@@ -149,7 +150,9 @@ $ cdxgen -h
                                d or the project name and version together
       --parent-project-id      Dependency track parent project id
       --required-only          Include only the packages with required scope on
-                               the SBOM.                               [boolean]
+                               the SBOM. Would set compositions.aggregate to inc
+                               omplete unless --no-auto-compositions is passed.
+                                                                       [boolean]
       --fail-on-error          Fail if any dependency extractor fails. [boolean]
       --no-babel               Do not use babel to perform usage analysis for Ja
                                vaScript/TypeScript projects.           [boolean]
@@ -166,11 +169,21 @@ $ cdxgen -h
       --validate               Validate the generated SBOM using json schema. De
                                faults to true. Pass --no-validate to disable.
                                                        [boolean] [default: true]
+      --evidence               Generate SBOM with evidence for supported languag
+                               es. WIP                [boolean] [default: false]
       --usages-slices-file     Path for the usages slice file created by atom.
       --data-flow-slices-file  Path for the data-flow slice file created by atom
                                .
       --spec-version           CycloneDX Specification version to use. Defaults
                                to 1.5                             [default: 1.5]
+      --filter                 Filter components containining this word in purl.
+                                Multiple values allowed.                 [array]
+      --only                   Include components only containining this word in
+                                purl. Useful to generate BOM with first party co
+                               mponents alone. Multiple values allowed.  [array]
+      --auto-compositions      Automatically set compositions when the BOM was f
+                               iltered. Defaults to true
+                                                       [boolean] [default: true]
   -h, --help                   Show help                               [boolean]
   -v, --version                Show version number                     [boolean]
 ```

package/bin/cdxgen.js

@@ -11,6 +11,29 @@ import { fileURLToPath } from "node:url";
 import globalAgent from "global-agent";
 import process from "node:process";
 import { printTable, printDependencyTree } from "../display.js";
+import { findUpSync } from "find-up";
+import { load as _load } from "js-yaml";
+import { postProcess } from "../postgen.js";
+
+// Support for config files
+const configPath = findUpSync([
+  ".cdxgenrc",
+  ".cdxgen.json",
+  ".cdxgen.yml",
+  ".cdxgen.yaml"
+]);
+let config = {};
+if (configPath) {
+  try {
+    if (configPath.endsWith(".yml") || configPath.endsWith(".yaml")) {
+      config = _load(fs.readFileSync(configPath, "utf-8"));
+    } else {
+      config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    }
+  } catch (e) {
+    console.log("Invalid config file", configPath);
+  }
+}
 
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
@@ -22,6 +45,7 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
 const args = yargs(hideBin(process.argv))
+  .env("CDXGEN")
   .option("output", {
     alias: "o",
     description: "Output file for bom.xml or bom.json. Default bom.json"
@@ -77,7 +101,8 @@ const args = yargs(hideBin(process.argv))
   })
   .option("required-only", {
     type: "boolean",
-    description: "Include only the packages with required scope on the SBOM."
+    description:
+      "Include only the packages with required scope on the SBOM. Would set compositions.aggregate to incomplete unless --no-auto-compositions is passed."
   })
   .option("fail-on-error", {
     type: "boolean",
@@ -132,6 +157,28 @@ const args = yargs(hideBin(process.argv))
     description: "CycloneDX Specification version to use. Defaults to 1.5",
     default: 1.5
   })
+  .option("filter", {
+    description:
+      "Filter components containining this word in purl. Multiple values allowed."
+  })
+  .option("only", {
+    description:
+      "Include components only containining this word in purl. Useful to generate BOM with first party components alone. Multiple values allowed."
+  })
+  .array("filter")
+  .array("only")
+  .option("auto-compositions", {
+    type: "boolean",
+    default: true,
+    description:
+      "Automatically set compositions when the BOM was filtered. Defaults to true"
+  })
+  .example([
+    ["$0 -t java .", "Generate a Java SBOM for the current directory"],
+    ["$0 --server", "Run cdxgen as a server"]
+  ])
+  .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
+  .config(config)
   .scriptName("cdxgen")
   .version()
   .alias("v", "version")
@@ -177,32 +224,14 @@ if (process.argv[1].includes("obom") && !args.type) {
 }
 
 /**
- * projectType: python, nodejs, java, golang
- * multiProject: Boolean to indicate monorepo or multi-module projects
+ * Command line options
  */
-const options = {
+const options = Object.assign({}, args, {
   projectType: args.type,
   multiProject: args.recurse,
-  output: args.output,
-  resolveClass: args.resolveClass,
-  installDeps: args.installDeps,
-  requiredOnly: args.requiredOnly,
-  failOnError: args.failOnError,
   noBabel: args.noBabel || args.babel === false,
-  deep: args.deep,
-  generateKeyAndSign: args.generateKeyAndSign,
-  project: args.projectId,
-  projectName: args.projectName,
-  projectGroup: args.projectGroup,
-  projectVersion: args.projectVersion,
-  server: args.server,
-  serverHost: args.serverHost,
-  serverPort: args.serverPort,
-  specVersion: args.specVersion,
-  evidence: args.evidence,
-  usagesSlicesFile: args.usagesSlicesFile,
-  dataFlowSlicesFile: args.dataFlowSlicesFile
-};
+  project: args.projectId
+});
 
 /**
  * Check for node >= 20 permissions
@@ -243,7 +272,7 @@ const checkPermissions = (filePath) => {
   // Start SBOM server
   if (args.server) {
     const serverModule = await import("../server.js");
-    return await serverModule.start(options);
+    return serverModule.start(options);
   }
   // Check if cdxgen has the required permissions
   if (!checkPermissions(filePath)) {
@@ -253,7 +282,10 @@ const checkPermissions = (filePath) => {
   if (!options.usagesSlicesFile) {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
-  const bomNSData = (await createBom(filePath, options)) || {};
+  let bomNSData = (await createBom(filePath, options)) || {};
+  if (options.requiredOnly || options["filter"] || options["only"]) {
+    bomNSData = postProcess(bomNSData, options);
+  }
   if (!args.output) {
     args.output = "bom.json";
   }

package/bin/evinse.js

@@ -10,6 +10,28 @@ import process from "node:process";
 import { analyzeProject, createEvinseFile, prepareDB } from "../evinser.js";
 import { validateBom } from "../validator.js";
 import { printCallStack, printOccurrences, printServices } from "../display.js";
+import { findUpSync } from "find-up";
+import { load as _load } from "js-yaml";
+
+// Support for config files
+const configPath = findUpSync([
+  ".cdxgenrc",
+  ".cdxgen.json",
+  ".cdxgen.yml",
+  ".cdxgen.yaml"
+]);
+let config = {};
+if (configPath) {
+  try {
+    if (configPath.endsWith(".yml") || configPath.endsWith(".yaml")) {
+      config = _load(fs.readFileSync(configPath, "utf-8"));
+    } else {
+      config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    }
+  } catch (e) {
+    console.log("Invalid config file", configPath);
+  }
+}
 
 const isWin = _platform() === "win32";
 const isMac = _platform() === "darwin";
@@ -28,6 +50,7 @@ if (!process.env.ATOM_DB && !fs.existsSync(ATOM_DB)) {
   }
 }
 const args = yargs(hideBin(process.argv))
+  .env("EVINSE")
   .option("input", {
     alias: "i",
     description: "Input SBOM file. Default bom.json",
@@ -88,6 +111,7 @@ const args = yargs(hideBin(process.argv))
     type: "boolean",
     description: "Print the evidences as table"
   })
+  .config(config)
   .scriptName("evinse")
   .version()
   .help("h").argv;

package/index.js

@@ -707,9 +707,6 @@ function addComponent(
         compScope = "optional";
       }
     }
-    if (options.requiredOnly && ["optional", "excluded"].includes(compScope)) {
-      return;
-    }
     const component = {
       author,
       publisher,
@@ -1016,7 +1013,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     allImports = context.allImports;
   }
   const nsMapping = context.nsMapping || {};
-  const dependencies = !options.requiredOnly ? context.dependencies || [] : [];
+  const dependencies = context.dependencies || [];
   const parentComponent =
     determineParentComponent(options) || context.parentComponent;
   const metadata = addMetadata(parentComponent, "json", options);
@@ -1330,7 +1327,7 @@ export const createJavaBom = async (path, options) => {
             if (bomJsonObj.components) {
               pkgList = pkgList.concat(bomJsonObj.components);
             }
-            if (bomJsonObj.dependencies && !options.requiredOnly) {
+            if (bomJsonObj.dependencies) {
               dependencies = mergeDependencies(
                 dependencies,
                 bomJsonObj.dependencies,
@@ -2697,7 +2694,7 @@ export const createGoBom = async (path, options) => {
       const dlist = await parseGosumData(gosumData);
       if (dlist && dlist.length) {
         dlist.forEach((pkg) => {
-          gosumMap[`${pkg.group}/${pkg.name}@${pkg.version}`] = pkg._integrity;
+          gosumMap[`${pkg.name}@${pkg.version}`] = pkg._integrity;
         });
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.8.8",
+  "version": "9.8.10",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -39,10 +39,10 @@
   },
   "scripts": {
     "docs": "docsify serve docs",
-    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --inject-globals false docker.test.js utils.test.js display.test.js postgen.test.js",
     "watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch --inject-globals false",
     "lint": "eslint *.js *.test.js bin/*.js",
-    "pretty": "prettier --write *.js data/*.json bin/*.js"
+    "pretty": "prettier --write *.js data/*.json bin/*.js *.md docs/*.md"
   },
   "engines": {
     "node": ">=16"
@@ -57,11 +57,12 @@
   "dependencies": {
     "@babel/parser": "^7.23.0",
     "@babel/traverse": "^7.23.0",
-    "@npmcli/arborist": "^7.1.0",
+    "@npmcli/arborist": "^7.2.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "^1.0.0",
+    "find-up": "^6.3.0",
     "glob": "^10.3.10",
     "global-agent": "^3.0.0",
     "got": "^13.0.0",
@@ -101,9 +102,9 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.50.0",
+    "eslint": "^8.51.0",
     "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-prettier": "^5.0.0",
+    "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",
     "prettier": "3.0.3"
   }

package/postgen.js

@@ -0,0 +1,92 @@
+export const postProcess = (bomNSData, options) => {
+  let jsonPayload = bomNSData.bomJson;
+  if (
+    typeof bomNSData.bomJson === "string" ||
+    bomNSData.bomJson instanceof String
+  ) {
+    jsonPayload = JSON.parse(bomNSData.bomJson);
+  }
+  bomNSData.bomJson = filterBom(jsonPayload, options);
+  return bomNSData;
+};
+
+export const filterBom = (bomJson, options) => {
+  const newPkgMap = {};
+  let filtered = false;
+  for (const comp of bomJson.components) {
+    if (
+      options.requiredOnly &&
+      comp.scope &&
+      ["optional", "excluded"].includes(comp.scope)
+    ) {
+      filtered = true;
+      continue;
+    } else if (options.only && options.only.length) {
+      if (!Array.isArray(options.only)) {
+        options.only = [options.only];
+      }
+      let purlfiltered = false;
+      for (const filterstr of options.only) {
+        if (filterstr.length && !comp.purl.toLowerCase().includes(filterstr)) {
+          filtered = true;
+          purlfiltered = true;
+          continue;
+        }
+      }
+      if (!purlfiltered) {
+        newPkgMap[comp["bom-ref"]] = comp;
+      }
+    } else if (options.filter && options.filter.length) {
+      if (!Array.isArray(options.filter)) {
+        options.filter = [options.filter];
+      }
+      let purlfiltered = false;
+      for (const filterstr of options.filter) {
+        if (filterstr.length && comp.purl.toLowerCase().includes(filterstr)) {
+          filtered = true;
+          purlfiltered = true;
+          continue;
+        }
+      }
+      if (!purlfiltered) {
+        newPkgMap[comp["bom-ref"]] = comp;
+      }
+    } else {
+      newPkgMap[comp["bom-ref"]] = comp;
+    }
+  }
+  if (filtered) {
+    const newcomponents = [];
+    const newdependencies = [];
+    for (const aref of Object.keys(newPkgMap).sort()) {
+      newcomponents.push(newPkgMap[aref]);
+    }
+    for (const adep of bomJson.dependencies) {
+      if (newPkgMap[adep.ref]) {
+        const newdepson = (adep.dependsOn || []).filter((d) => newPkgMap[d]);
+        newdependencies.push({
+          ref: adep.ref,
+          dependsOn: newdepson
+        });
+      }
+    }
+    bomJson.components = newcomponents;
+    bomJson.dependencies = newdependencies;
+    // We set the compositions.aggregate to incomplete by default
+    if (
+      options.specVersion >= 1.5 &&
+      options.autoCompositions &&
+      bomJson.metadata &&
+      bomJson.metadata.component
+    ) {
+      if (!bomJson.compositions) {
+        bomJson.compositions = [];
+      }
+      bomJson.compositions.push({
+        "bom-ref": bomJson.metadata.component["bom-ref"],
+        aggregate: options.only ? "incomplete_first_party_only" : "incomplete"
+      });
+    }
+  }
+  return bomJson;
+};

package/postgen.test.js

@@ -0,0 +1,70 @@
+import { filterBom } from "./postgen.js";
+
+import { readFileSync } from "node:fs";
+import { expect, test } from "@jest/globals";
+
+test("filter bom tests", () => {
+  const bomJson = JSON.parse(
+    readFileSync("./test/data/bom-postgen-test.json", "utf-8")
+  );
+  let newBom = filterBom(bomJson, {});
+  expect(bomJson).toEqual(newBom);
+  expect(newBom.components.length).toEqual(1060);
+  newBom = filterBom(bomJson, { requiredOnly: true });
+  for (const comp of newBom.components) {
+    if (comp.scope && comp.scope !== "required") {
+      throw new Error(`${comp.scope} is unexpected`);
+    }
+  }
+  expect(newBom.components.length).toEqual(345);
+});
+
+test("filter bom tests2", () => {
+  const bomJson = JSON.parse(
+    readFileSync("./test/data/bom-postgen-test2.json", "utf-8")
+  );
+  let newBom = filterBom(bomJson, {});
+  expect(bomJson).toEqual(newBom);
+  expect(newBom.components.length).toEqual(199);
+  newBom = filterBom(bomJson, { requiredOnly: true });
+  for (const comp of newBom.components) {
+    if (comp.scope && comp.scope !== "required") {
+      throw new Error(`${comp.scope} is unexpected`);
+    }
+  }
+  expect(newBom.components.length).toEqual(199);
+  newBom = filterBom(bomJson, { filter: [""] });
+  expect(newBom.components.length).toEqual(199);
+  newBom = filterBom(bomJson, { filter: ["apache"] });
+  for (const comp of newBom.components) {
+    if (comp.purl.includes("apache")) {
+      throw new Error(`${comp.purl} is unexpected`);
+    }
+  }
+  expect(newBom.components.length).toEqual(177);
+  newBom = filterBom(bomJson, { filter: ["apache", "json"] });
+  for (const comp of newBom.components) {
+    if (comp.purl.includes("apache") || comp.purl.includes("json")) {
+      throw new Error(`${comp.purl} is unexpected`);
+    }
+  }
+  expect(newBom.components.length).toEqual(172);
+  expect(newBom.compositions).toBeUndefined();
+  newBom = filterBom(bomJson, {
+    only: ["org.springframework"],
+    specVersion: 1.5,
+    autoCompositions: true
+  });
+  for (const comp of newBom.components) {
+    if (!comp.purl.includes("org.springframework")) {
+      throw new Error(`${comp.purl} is unexpected`);
+    }
+  }
+  expect(newBom.components.length).toEqual(37);
+  expect(newBom.compositions).toEqual([
+    {
+      aggregate: "incomplete_first_party_only",
+      "bom-ref": "pkg:maven/sec/java-sec-code@1.0.0?type=jar"
+    }
+  ]);
+});

package/server.js

@@ -7,6 +7,8 @@ import os from "node:os";
 import fs from "node:fs";
 import path from "node:path";
 import { createBom, submitBom } from "./index.js";
+import { postProcess } from "./postgen.js";
+
 import compression from "compression";
 
 // Timeout milliseconds. Default 10 mins
@@ -60,7 +62,10 @@ const parseQueryString = (q, body, options = {}) => {
     "parentUUID",
     "serverUrl",
     "apiKey",
-    "specVersion"
+    "specVersion",
+    "filter",
+    "only",
+    "autoCompositions"
   ];
 
   for (const param of queryParams) {
@@ -94,7 +99,7 @@ const start = (options) => {
     .listen(options.serverPort, options.serverHost);
   configureServer(cdxgenServer);
 
-  app.use("/health", async function (req, res) {
+  app.use("/health", async function (_req, res) {
     res.setHeader("Content-Type", "application/json");
     res.end(JSON.stringify({ status: "OK" }, null, 2));
   });
@@ -102,7 +107,11 @@ const start = (options) => {
   app.use("/sbom", async function (req, res) {
     const q = url.parse(req.url, true).query;
     let cleanup = false;
-    options = parseQueryString(q, req.body, options);
+    const reqOptions = parseQueryString(
+      q,
+      req.body,
+      Object.assign({}, options)
+    );
     const filePath = q.path || q.url || req.body.path || req.body.url;
     if (!filePath) {
       res.writeHead(500, { "Content-Type": "application/json" });
@@ -117,7 +126,10 @@ const start = (options) => {
       cleanup = true;
     }
     console.log("Generating SBOM for", srcDir);
-    const bomNSData = (await createBom(srcDir, options)) || {};
+    let bomNSData = (await createBom(srcDir, reqOptions)) || {};
+    if (reqOptions.requiredOnly || reqOptions["filter"] || reqOptions["only"]) {
+      bomNSData = postProcess(bomNSData, reqOptions);
+    }
     if (bomNSData.bomJson) {
       if (
         typeof bomNSData.bomJson === "string" ||
@@ -128,9 +140,9 @@ const start = (options) => {
         res.write(JSON.stringify(bomNSData.bomJson, null, 2));
       }
     }
-    if (options.serverUrl && options.apiKey) {
+    if (reqOptions.serverUrl && reqOptions.apiKey) {
       console.log("Publishing SBOM to Dependency Track");
-      submitBom(options, bomNSData.bomJson);
+      submitBom(reqOptions, bomNSData.bomJson);
     }
     res.end("\n");
     if (cleanup && srcDir && srcDir.startsWith(os.tmpdir()) && fs.rmSync) {

package/utils.js

@@ -4634,7 +4634,7 @@ export const parseCsPkgData = async function (pkgData) {
     attributesKey: "$",
     commentKey: "value"
   }).packages;
-  if (packages.length == 0) {
+  if (!packages || packages.length == 0) {
     return pkgList;
   }
   packages = packages[0].package;
@@ -4661,7 +4661,7 @@ export const parseCsProjData = async function (csProjData) {
     attributesKey: "$",
     commentKey: "value"
   }).Project;
-  if (projects.length == 0) {
+  if (!projects || projects.length == 0) {
     return pkgList;
   }
   const project = projects[0];
@@ -4719,6 +4719,9 @@ export const parseCsProjAssetsData = async function (csProjData) {
   const pkgList = [];
   let dependenciesList = [];
   let rootPkg = {};
+  // This tracks the resolved version
+  const pkgNameVersionMap = {};
+  const pkgAddedMap = {};
 
   if (!csProjData) {
     return { pkgList, dependenciesList };
@@ -4784,12 +4787,12 @@ export const parseCsProjAssetsData = async function (csProjData) {
 
   if (csProjData.libraries && csProjData.targets) {
     const lib = csProjData.libraries;
+    // Pass 1: Construct pkgList alone and track name and resolved version
     for (const framework in csProjData.targets) {
       for (const rootDep of Object.keys(csProjData.targets[framework])) {
         // if (rootDep.startsWith("runtime")){
         //   continue;
         // }
-        const depList = new Set();
         const [name, version] = rootDep.split("/");
         const dpurl = decodeURIComponent(
           new PackageURL("nuget", "", name, version, null, null).toString()
@@ -4810,29 +4813,41 @@ export const parseCsProjAssetsData = async function (csProjData) {
           }
         }
         pkgList.push(pkg);
-
+        pkgNameVersionMap[name] = version;
+        pkgAddedMap[name] = true;
+      }
+    }
+    // Pass 2: Fix the dependency tree
+    for (const framework in csProjData.targets) {
+      for (const rootDep of Object.keys(csProjData.targets[framework])) {
+        const depList = new Set();
+        const [name, version] = rootDep.split("/");
+        const dpurl = decodeURIComponent(
+          new PackageURL("nuget", "", name, version, null, null).toString()
+        );
         const dependencies =
           csProjData.targets[framework][rootDep].dependencies;
         if (dependencies) {
           for (const p of Object.keys(dependencies)) {
+            // This condition is not required for assets json that are well-formed.
+            if (!pkgNameVersionMap[p]) {
+              continue;
+            }
+            let dversion = pkgNameVersionMap[p];
             const ipurl = decodeURIComponent(
-              new PackageURL(
-                "nuget",
-                "",
-                p,
-                dependencies[p],
-                null,
-                null
-              ).toString()
+              new PackageURL("nuget", "", p, dversion, null, null).toString()
             );
             depList.add(ipurl);
-            pkgList.push({
-              group: "",
-              name: p,
-              version: dependencies[p],
-              description: "",
-              "bom-ref": ipurl
-            });
+            if (!pkgAddedMap[p]) {
+              pkgList.push({
+                group: "",
+                name: p,
+                version: dversion,
+                description: "",
+                "bom-ref": ipurl
+              });
+              pkgAddedMap[p] = true;
+            }
           }
         }
         dependenciesList.push({

package/utils.test.js

@@ -1253,7 +1253,7 @@ test("parse project.assets.json", async () => {
   const dep_list = await parseCsProjAssetsData(
     readFileSync("./test/data/project.assets.json", { encoding: "utf-8" })
   );
-  expect(dep_list["pkgList"].length).toEqual(1460);
+  expect(dep_list["pkgList"].length).toEqual(302);
   expect(dep_list["pkgList"][0]).toEqual({
     "bom-ref": "pkg:nuget/Castle.Core.Tests@0.0.0",
     group: "",