@cyclonedx/cdxgen 9.9.0 → 9.9.2

package/utils.js

@@ -51,6 +51,13 @@ if (!url.startsWith("file://")) {
 }
 const dirNameStr = import.meta ? dirname(fileURLToPath(url)) : __dirname;
 const isWin = platform() === "win32";
+const isMac = platform() === "darwin";
+export let ATOM_DB = join(homedir(), ".local", "share", ".atomdb");
+if (isWin) {
+  ATOM_DB = join(homedir(), "AppData", "Local", ".atomdb");
+} else if (isMac) {
+  ATOM_DB = join(homedir(), "Library", "Application Support", ".atomdb");
+}
 
 const licenseMapping = JSON.parse(
   readFileSync(join(dirNameStr, "data", "lic-mapping.json"))
@@ -116,6 +123,8 @@ const MAX_LICENSE_ID_LENGTH = 100;
 let PYTHON_CMD = "python";
 if (process.env.PYTHON_CMD) {
   PYTHON_CMD = process.env.PYTHON_CMD;
+} else if (process.env.CONDA_PYTHON_EXE) {
+  PYTHON_CMD = process.env.CONDA_PYTHON_EXE;
 }
 
 // Custom user-agent for cdxgen
@@ -330,8 +339,12 @@ export const getNpmMetadata = async function (pkgList) {
         body = res.body;
         metadata_cache[key] = body;
       }
-      p.description = body.description;
-      p.license = body.license;
+      p.description =
+        body.versions?.[p.version]?.description || body.description;
+      p.license =
+        body.versions?.[p.version]?.license ||
+        body.license ||
+        (await getRepoLicense(body.repository?.url, undefined));
       if (body.repository && body.repository.url) {
         p.repository = { url: body.repository.url };
       }
@@ -2282,46 +2295,24 @@ export const getMvnMetadata = async function (pkgList, jarNSMapping = {}) {
     if (group.indexOf("android") !== -1) {
       urlPrefix = ANDROID_MAVEN;
     }
-    const groupPart = group.replace(/\./g, "/");
     // Querying maven requires a valid group name
-    if (!groupPart || groupPart === "") {
+    if (!group || group === "") {
       cdepList.push(p);
       continue;
     }
-    const fullUrl =
-      urlPrefix +
-      groupPart +
-      "/" +
-      p.name +
-      "/" +
-      p.version +
-      "/" +
-      p.name +
-      "-" +
-      p.version +
-      ".pom";
+    const pomMetadata = {
+      urlPrefix: urlPrefix,
+      group: group,
+      name: p.name,
+      version: p.version
+    };
     try {
       if (DEBUG_MODE) {
-        console.log(`Querying ${fullUrl}`);
-      }
-      const res = await cdxgenAgent.get(fullUrl);
-      const bodyJson = xml2js(res.body, {
-        compact: true,
-        spaces: 4,
-        textKey: "_",
-        attributesKey: "$",
-        commentKey: "value"
-      }).project;
-      if (bodyJson && bodyJson.licenses && bodyJson.licenses.license) {
-        if (Array.isArray(bodyJson.licenses.license)) {
-          p.license = bodyJson.licenses.license.map((l) => {
-            return findLicenseId(l.name._);
-          });
-        } else if (Object.keys(bodyJson.licenses.license).length) {
-          const l = bodyJson.licenses.license;
-          p.license = [findLicenseId(l.name._)];
-        }
+        console.log(
+          `Querying ${pomMetadata} from ${composePomXmlUrl(pomMetadata)}`
+        );
       }
+      const bodyJson = await fetchPomXmlAsJson(pomMetadata);
       p.publisher =
         bodyJson.organization && bodyJson.organization.name
           ? bodyJson.organization.name._
@@ -2330,23 +2321,151 @@ export const getMvnMetadata = async function (pkgList, jarNSMapping = {}) {
       if (bodyJson.scm && bodyJson.scm.url) {
         p.repository = { url: bodyJson.scm.url._ };
       }
-      cdepList.push(p);
+      p.license =
+        parseLicenseEntryOrArrayFromPomXml(bodyJson?.licenses?.license) ||
+        (await extractLicenseCommentFromPomXml(pomMetadata)) ||
+        (await getRepoLicense(p.repository?.url, undefined));
     } catch (err) {
       if (DEBUG_MODE) {
         console.log(
-          "Unable to find metadata for",
-          group,
-          p.name,
-          p.version,
-          fullUrl
+          `An error occurred when trying to fetch metadata ${pomMetadata}`,
+          err
         );
       }
+    } finally {
       cdepList.push(p);
     }
   }
   return cdepList;
 };
 
+/**
+ * Method to compose URL of pom.xml
+ *
+ * @param {String} urlPrefix
+ * @param {String} group
+ * @param {String} name
+ * @param {String} version
+ *
+ * @return {String} fullUrl
+ */
+export const composePomXmlUrl = function ({ urlPrefix, group, name, version }) {
+  const groupPart = group.replace(/\./g, "/");
+  const fullUrl =
+    urlPrefix +
+    groupPart +
+    "/" +
+    name +
+    "/" +
+    version +
+    "/" +
+    name +
+    "-" +
+    version +
+    ".pom";
+  return fullUrl;
+};
+
+/**
+ * Method to fetch pom.xml data and parse it to JSON
+ *
+ * @param {String} urlPrefix
+ * @param {String} group
+ * @param {String} name
+ * @param {String} version
+ *
+ * @return {Object|undefined}
+ */
+export const fetchPomXmlAsJson = async function ({
+  urlPrefix,
+  group,
+  name,
+  version
+}) {
+  const pomXml = await fetchPomXml({ urlPrefix, group, name, version });
+  const options = {
+    compact: true,
+    spaces: 4,
+    textKey: "_",
+    attributesKey: "$",
+    commentKey: "value"
+  };
+  const pomJson = xml2js(pomXml, options).project;
+  if (pomJson?.parent) {
+    const parentXml = await fetchPomXml({
+      urlPrefix,
+      group: pomJson.parent.groupId?._,
+      name: pomJson.parent.artifactId?._,
+      version: pomJson.parent.version?._
+    });
+    const parentJson = xml2js(parentXml, options).project;
+    const result = { ...parentJson, ...pomJson };
+    return result;
+  }
+  return pomJson;
+};
+
+/**
+ * Method to fetch pom.xml data
+ *
+ * @param {String} urlPrefix
+ * @param {String} group
+ * @param {String} name
+ * @param {String} version
+ *
+ * @return {String}
+ */
+export const fetchPomXml = async function ({
+  urlPrefix,
+  group,
+  name,
+  version
+}) {
+  let fullUrl = composePomXmlUrl({ urlPrefix, group, name, version });
+  const res = await cdxgenAgent.get(fullUrl);
+  return res.body;
+};
+
+/**
+ * Method extract single or multiple license entries that might appear in pom.xml
+ *
+ * @param {Object|Array} license
+ */
+export const parseLicenseEntryOrArrayFromPomXml = function (license) {
+  if (!license) return;
+  if (Array.isArray(license)) {
+    return license.map((l) => {
+      return findLicenseId(l.name._);
+    });
+  } else if (Object.keys(license).length) {
+    return [findLicenseId(license.name._)];
+  }
+};
+
+/**
+ * Method to parse pom.xml in search of a comment containing license text
+ *
+ * @param {String} urlPrefix
+ * @param {String} group
+ * @param {String} name
+ * @param {String} version
+ *
+ * @return {String} License ID
+ */
+export const extractLicenseCommentFromPomXml = async function ({
+  urlPrefix,
+  group,
+  name,
+  version
+}) {
+  const pom_xml = await fetchPomXml({ urlPrefix, group, name, version });
+  const licenseRegex = /<!--([\s\S]*?)-->[\s\n]*<project/m;
+  const match = licenseRegex.exec(pom_xml);
+  if (match && match[1]) {
+    return findLicenseId(match[1].trim());
+  }
+};
+
 /**
  * Method to parse python requires_dist attribute found in pypi setup.py
  *
@@ -2422,13 +2541,23 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
         cdepList.push(p);
         continue;
       }
+      const origName = p.name;
       // Some packages support extra modules
       if (p.name.includes("[")) {
         p.name = p.name.split("[")[0];
       }
-      const res = await cdxgenAgent.get(PYPI_URL + p.name + "/json", {
-        responseType: "json"
-      });
+      let res = undefined;
+      try {
+        res = await cdxgenAgent.get(PYPI_URL + p.name + "/json", {
+          responseType: "json"
+        });
+      } catch (err) {
+        // retry by prefixing django- to the package name
+        res = await cdxgenAgent.get(PYPI_URL + "django-" + p.name + "/json", {
+          responseType: "json"
+        });
+        p.name = "django-" + p.name;
+      }
       const body = res.body;
       if (body.info.author && body.info.author.trim() !== "") {
         if (body.info.author_email && body.info.author_email.trim() !== "") {
@@ -2443,7 +2572,24 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
         p.author = body.info.author_email.trim();
       }
       p.description = body.info.summary;
-      p.license = findLicenseId(body.info.license);
+      p.license = [];
+      if (body.info.classifiers) {
+        for (const c of body.info.classifiers) {
+          if (c.startsWith("License :: ")) {
+            let licenseName = c.split("::").slice(-1)[0].trim();
+            let licenseId = findLicenseId(licenseName);
+            if (licenseId && !p.license.includes(licenseId)) {
+              p.license.push(licenseId);
+            }
+          }
+        }
+      }
+      if (body.info.license) {
+        let licenseId = findLicenseId(body.info.license);
+        if (licenseId && !p.license.includes(licenseId)) {
+          p.license.push(licenseId);
+        }
+      }
       if (body.info.home_page) {
         if (body.info.home_page.includes("git")) {
           p.repository = { url: body.info.home_page };
@@ -2517,6 +2663,10 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
           name: "cdx:pypi:latest_version",
           value: body.info.version
         });
+        p.properties.push({
+          name: "cdx:pypi:resolved_from",
+          value: origName
+        });
       }
       if (
         body.releases &&
@@ -2530,12 +2680,22 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
           p._integrity = "md5-" + digest["md5"];
         }
       }
+      const purlString = new PackageURL(
+        "pypi",
+        "",
+        p.name,
+        p.version,
+        null,
+        null
+      ).toString();
+      p.purl = purlString;
+      p["bom-ref"] = decodeURIComponent(purlString);
       cdepList.push(p);
     } catch (err) {
       if (DEBUG_MODE) {
         console.error(p.name, "is not found on PyPI.");
         console.log(
-          "If this package is available from PyPI or a registry, its name might be different to the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this could be added to the mapping file pypi-pkg-aliases.json"
+          "If this package is available from PyPI or a registry, its name might be different from the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this can be added to the mapping file pypi-pkg-aliases.json"
         );
         console.log(
           "Alternatively, if this is a package that gets installed directly in your environment and offers a python binding, then track such packages manually."
@@ -2563,6 +2723,16 @@ export const getPyMetadata = async function (pkgList, fetchDepsInfo) {
           }
         };
       }
+      const purlString = new PackageURL(
+        "pypi",
+        "",
+        p.name,
+        p.version,
+        null,
+        null
+      ).toString();
+      p.purl = purlString;
+      p["bom-ref"] = decodeURIComponent(purlString);
       cdepList.push(p);
     }
   }
@@ -2952,35 +3122,29 @@ export const getPyModules = async (src, epkgList, options) => {
   const allImports = {};
   const dependenciesList = [];
   let modList = [];
+  const slicesFile = resolve(
+    options.depsSlicesFile || options.usagesSlicesFile
+  );
   // Issue: 615 fix. Reuse existing slices file
-  // FIXME: The argument is called usagesSlicesFile while the atom command used is parsedeps.
-  // This logic could be rewritten while implementing evinse for python to that the analysis works for either type of slice
-  if (options.usagesSlicesFile && existsSync(options.usagesSlicesFile)) {
-    const slicesData = JSON.parse(
-      readFileSync(options.usagesSlicesFile, "utf-8")
-    );
+  if (slicesFile && existsSync(slicesFile)) {
+    const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
     if (slicesData && Object.keys(slicesData) && slicesData.modules) {
       modList = slicesData.modules;
     } else {
       modList = slicesData;
     }
   } else {
-    modList = findAppModules(
-      src,
-      "python",
-      "parsedeps",
-      options.usagesSlicesFile
-    );
+    modList = findAppModules(src, "python", "parsedeps", slicesFile);
   }
   const pyDefaultModules = new Set(PYTHON_STD_MODULES);
-  const filteredModList = modList.filter(
+  modList = modList.filter(
     (x) =>
       !pyDefaultModules.has(x.name.toLowerCase()) &&
       !x.name.startsWith("_") &&
       !x.name.startsWith(".")
   );
-  let pkgList = filteredModList.map((p) => {
-    return {
+  let pkgList = modList.map((p) => {
+    const apkg = {
       name:
         PYPI_MODULE_PACKAGE_MAPPING[p.name.toLowerCase()] ||
         PYPI_MODULE_PACKAGE_MAPPING[p.name.replace(/_/g, "-").toLowerCase()] ||
@@ -2994,6 +3158,13 @@ export const getPyModules = async (src, epkgList, options) => {
         }
       ]
     };
+    if (p.importedSymbols) {
+      apkg.properties.push({
+        name: "ImportedModules",
+        value: p.importedSymbols
+      });
+    }
+    return apkg;
   });
   pkgList = pkgList.filter(
     (obj, index) => pkgList.findIndex((i) => i.name === obj.name) === index
@@ -3017,7 +3188,7 @@ export const getPyModules = async (src, epkgList, options) => {
       });
     }
   }
-  return { allImports, pkgList, dependenciesList };
+  return { allImports, pkgList, dependenciesList, modList };
 };
 
 /**
@@ -3049,14 +3220,15 @@ export const parseSetupPyFile = async function (setupPyData) {
 };
 
 /**
- * Method to construct a github url for the given repo
+ * Method to construct a GitHub API url for the given repo metadata
  * @param {Object} repoMetadata Repo metadata with group and name
+ * @return {String|undefined} github api url (or undefined - if not enough data)
  */
-export const toGitHubUrl = function (repoMetadata) {
+export const repoMetadataToGitHubApiUrl = function (repoMetadata) {
   if (repoMetadata) {
     const group = repoMetadata.group;
     const name = repoMetadata.name;
-    let ghUrl = "https://github.com";
+    let ghUrl = "https://api.github.com/repos";
     if (group && group !== "." && group != "") {
       ghUrl = ghUrl + "/" + group.replace("github.com/", "");
     }
@@ -3067,6 +3239,32 @@ export const toGitHubUrl = function (repoMetadata) {
   }
 };
 
+/**
+ * Method to construct GitHub api url from repo metadata or one of multiple formats of repo URLs
+ * @param {String} repoUrl Repository url
+ * @param {Object} repoMetadata Object containing group and package name strings
+ * @return {String|undefined} github api url (or undefined - if not a GitHub repo)
+ */
+export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
+  if (!repoUrl || !repoUrl.includes("://github.com/")) {
+    return repoMetadataToGitHubApiUrl(repoMetadata);
+  }
+  if (repoUrl.toLowerCase().endsWith(".git")) {
+    repoUrl = repoUrl.slice(0, -4);
+  }
+  repoUrl.replace(/\/$/, "");
+  const parts = repoUrl.split("/");
+
+  if (parts.length < 5 || parts[2] !== "github.com") {
+    return undefined; // Not a valid GitHub repo URL
+  } else {
+    return repoMetadataToGitHubApiUrl({
+      group: parts[3],
+      name: parts[4]
+    });
+  }
+};
+
 /**
  * Method to retrieve repo license by querying github api
  *
@@ -3075,22 +3273,16 @@ export const toGitHubUrl = function (repoMetadata) {
  * @return {String} SPDX license id
  */
 export const getRepoLicense = async function (repoUrl, repoMetadata) {
-  if (!repoUrl) {
-    repoUrl = toGitHubUrl(repoMetadata);
-  }
+  let apiUrl = toGitHubApiUrl(repoUrl, repoMetadata);
   // Perform github lookups
-  if (repoUrl.indexOf("github.com") > -1) {
-    let apiUrl = repoUrl.replace(
-      "https://github.com",
-      "https://api.github.com/repos"
-    );
-    apiUrl += "/license";
+  if (apiUrl) {
+    let licenseUrl = apiUrl + "/license";
     const headers = {};
     if (process.env.GITHUB_TOKEN) {
       headers["Authorization"] = "Bearer " + process.env.GITHUB_TOKEN;
     }
     try {
-      const res = await cdxgenAgent.get(apiUrl, {
+      const res = await cdxgenAgent.get(licenseUrl, {
         responseType: "json",
         headers: headers
       });
@@ -4555,7 +4747,26 @@ export const parseConanLockData = function (conanLockData) {
     if (nodes[nk].ref) {
       const tmpA = nodes[nk].ref.split("/");
       if (tmpA.length === 2) {
-        pkgList.push({ name: tmpA[0], version: tmpA[1] });
+        let version = tmpA[1] || "latest";
+        if (tmpA[1].includes("@")) {
+          version = version.split("@")[0];
+        } else if (tmpA[1].includes("#")) {
+          version = version.split("#")[0];
+        }
+        const purlString = new PackageURL(
+          "conan",
+          "",
+          tmpA[0],
+          version,
+          null,
+          null
+        ).toString();
+        pkgList.push({
+          name: tmpA[0],
+          version,
+          purl: purlString,
+          "bom-ref": decodeURIComponent(purlString)
+        });
       }
     }
   }
@@ -4567,15 +4778,50 @@ export const parseConanData = function (conanData) {
   if (!conanData) {
     return pkgList;
   }
+  let scope = "required";
   conanData.split("\n").forEach((l) => {
     l = l.replace("\r", "");
+    if (l.includes("[build_requires]")) {
+      scope = "optional";
+    }
+    if (l.includes("[requires]")) {
+      scope = "required";
+    }
     if (!l.includes("/")) {
       return;
     }
     if (l.includes("/")) {
       const tmpA = l.trim().split("#")[0].split("/");
-      if (tmpA.length === 2 && /^\d+/.test(tmpA[1])) {
-        pkgList.push({ name: tmpA[0], version: tmpA[1] });
+      if (tmpA.length >= 2 && /^\d+/.test(tmpA[1])) {
+        let version = tmpA[1] || "latest";
+        let qualifiers = undefined;
+        if (tmpA[1].includes("#")) {
+          const tmpB = version.split("#");
+          version = tmpB[0];
+          qualifiers = { revision: tmpB[1] };
+        }
+        if (l.includes("#")) {
+          const tmpB = l.split("#");
+          qualifiers = { revision: tmpB[1] };
+        }
+        if (tmpA[1].includes("@")) {
+          version = version.split("@")[0];
+        }
+        const purlString = new PackageURL(
+          "conan",
+          "",
+          tmpA[0],
+          version,
+          qualifiers,
+          null
+        ).toString();
+        pkgList.push({
+          name: tmpA[0],
+          version,
+          purl: purlString,
+          "bom-ref": decodeURIComponent(purlString),
+          scope
+        });
       }
     }
   });
@@ -5911,7 +6157,7 @@ export const collectGradleDependencies = (
  * Method to collect class names from all jars in a directory
  *
  * @param {string} jarPath Path containing jars
- * @param {object} pomPathMap Map containing jar to pom names. Required to successful parse gradle cache.
+ * @param {object} pomPathMap Map containing jar to pom names. Required to successfully parse gradle cache.
  *
  * @return object containing jar name and class list
  */
@@ -6838,9 +7084,19 @@ const flattenDeps = (dependenciesMap, pkgList, reqOrSetupFile, t) => {
     if (!dependenciesMap[pkgRef]) {
       dependenciesMap[pkgRef] = [];
     }
+    const purlString = new PackageURL(
+      "pypi",
+      "",
+      d.name,
+      d.version,
+      null,
+      null
+    ).toString();
     pkgList.push({
       name: d.name,
       version: d.version,
+      purl: purlString,
+      "bom-ref": decodeURIComponent(purlString),
       properties: [
         {
           name: "SrcFile",
@@ -6850,11 +7106,11 @@ const flattenDeps = (dependenciesMap, pkgList, reqOrSetupFile, t) => {
       evidence: {
         identity: {
           field: "purl",
-          confidence: 1,
+          confidence: 0.8,
           methods: [
             {
               technique: "manifest-analysis",
-              confidence: 1,
+              confidence: 0.8,
               value: reqOrSetupFile
             }
           ]
@@ -6894,6 +7150,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
    */
   if (
     !process.env.VIRTUAL_ENV &&
+    !process.env.CONDA_PREFIX &&
     reqOrSetupFile &&
     !reqOrSetupFile.endsWith("poetry.lock")
   ) {
@@ -6904,7 +7161,10 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
     if (result.status !== 0 || result.error) {
       if (DEBUG_MODE) {
         console.log("Virtual env creation has failed");
-        if (result.error && result.error.includes("spawnSync python ENOENT")) {
+        if (
+          result.stderr &&
+          result.stderr.includes("spawnSync python ENOENT")
+        ) {
           console.log(
             "Install suitable version of python or set the environment variable PYTHON_CMD."
           );
@@ -7082,7 +7342,10 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
     }
   }
   // Bug #375. Attempt pip freeze on existing and new virtual environments
-  if (env.VIRTUAL_ENV && env.VIRTUAL_ENV.length) {
+  if (
+    (env.VIRTUAL_ENV && env.VIRTUAL_ENV.length) ||
+    (env.CONDA_PREFIX && env.CONDA_PREFIX.length)
+  ) {
     /**
      * At this point, the previous attempt to do a pip install might have failed and we might have an unclean virtual environment with an incomplete list
      * The position taken by cdxgen is "Some SBOM is better than no SBOM", so we proceed to collecting the dependencies that got installed with pip freeze
@@ -7112,9 +7375,19 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
       const version = t.version;
       let exclude = ["pip", "setuptools", "wheel"];
       if (!exclude.includes(name)) {
+        const purlString = new PackageURL(
+          "pypi",
+          "",
+          name,
+          version,
+          null,
+          null
+        ).toString();
         pkgList.push({
           name,
           version,
+          purl: purlString,
+          "bom-ref": decodeURIComponent(purlString),
           evidence: {
             identity: {
               field: "purl",
@@ -7123,7 +7396,7 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
                 {
                   technique: "instrumentation",
                   confidence: 1,
-                  value: env.VIRTUAL_ENV
+                  value: env.VIRTUAL_ENV || env.CONDA_PREFIX
                 }
               ]
             }
@@ -7139,12 +7412,6 @@ export const getPipFrozenTree = (basePath, reqOrSetupFile, tempVenvDir) => {
     for (const k of Object.keys(dependenciesMap)) {
       dependenciesList.push({ ref: k, dependsOn: dependenciesMap[k] });
     }
-  } else {
-    if (DEBUG_MODE) {
-      console.log(
-        "NOTE: Setup and activate a python virtual environment for this project prior to invoking cdxgen to improve SBOM accuracy."
-      );
-    }
   }
   return {
     pkgList,
@@ -7198,11 +7465,16 @@ export const addEvidenceForImports = (pkgList, allImports) => {
         ? [name, `${group}/${name}`, `@${group}/${name}`]
         : [name];
     for (const alias of aliases) {
-      if (impPkgs.includes(alias)) {
-        const evidences = allImports[alias];
-        if (evidences) {
-          pkg.scope = "required";
-          let importedModules = new Set();
+      const all_includes = impPkgs.filter(
+        (find_pkg) =>
+          find_pkg.startsWith(alias) &&
+          (find_pkg.length === alias.length || find_pkg[alias.length] === "/")
+      );
+      if (impPkgs.includes(alias) || all_includes.length) {
+        let importedModules = new Set();
+        pkg.scope = "required";
+        for (const subevidence of all_includes) {
+          const evidences = allImports[subevidence];
           for (const evidence of evidences) {
             if (evidence && Object.keys(evidence).length && evidence.fileName) {
               pkg.evidence = pkg.evidence || {};
@@ -7223,14 +7495,14 @@ export const addEvidenceForImports = (pkgList, allImports) => {
               }
             }
           }
-          importedModules = Array.from(importedModules);
-          if (importedModules.length) {
-            pkg.properties = pkg.properties || [];
-            pkg.properties.push({
-              name: "ImportedModules",
-              value: importedModules.join(",")
-            });
-          }
+        }
+        importedModules = Array.from(importedModules);
+        if (importedModules.length) {
+          pkg.properties = pkg.properties || [];
+          pkg.properties.push({
+            name: "ImportedModules",
+            value: importedModules.join(",")
+          });
         }
         break;
       }
@@ -7532,6 +7804,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
         !n.startsWith("@")
       ) {
         n = n.replace(/"/g, "");
+        // Can this be replaced with a db lookup?
         for (const wrapkey of Object.keys(mesonWrapDB)) {
           const awrap = mesonWrapDB[wrapkey];
           if (
@@ -7645,6 +7918,44 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
   const pkgAddedMap = {};
   let sliceData = {};
   const epkgMap = {};
+  let parentComponent = undefined;
+  const dependsOn = [];
+  // Let's look for any vcpkg.json file to tell us about the directory we're scanning
+  // users can use this file to give us a clue even if they do not use vcpkg library manager
+  if (existsSync(join(src, "vcpkg.json"))) {
+    const vcPkgData = JSON.parse(join(src, "vcpkg.json"));
+    if (
+      vcPkgData &&
+      Object.keys(vcPkgData).length &&
+      vcPkgData.name &&
+      vcPkgData.version
+    ) {
+      const parentPurl = new PackageURL(
+        pkgType,
+        "",
+        vcPkgData.name,
+        vcPkgData.version,
+        null,
+        null
+      ).toString();
+      parentComponent = {
+        name: vcPkgData.name,
+        version: vcPkgData.version,
+        description: vcPkgData.description,
+        license: vcPkgData.license,
+        purl: parentPurl,
+        "bom-ref": decodeURIComponent(parentPurl)
+      };
+      if (vcPkgData.homepage) {
+        parentComponent.homepage = { url: vcPkgData.homepage };
+      }
+    }
+  } else if (existsSync(join(src, "CMakeLists.txt"))) {
+    const retMap = parseCmakeLikeFile(join(src, "CMakeLists.txt"), pkgType);
+    if (retMap.parentComponent && Object.keys(retMap.parentComponent).length) {
+      parentComponent = retMap.parentComponent;
+    }
+  }
   (epkgList || []).forEach((p) => {
     epkgMap[p.name] = p;
   });
@@ -7717,15 +8028,14 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
     }
     if (usageData[afile]) {
       const usymbols = Array.from(usageData[afile]).filter(
-        (v) =>
-          !v.startsWith("<operator") &&
-          !v.startsWith("<global") &&
-          !v.startsWith("<empty")
+        (v) => !v.startsWith("<") && !v.startsWith("__")
       );
-      if (!apkg["properties"]) {
+      if (!apkg["properties"] && usymbols.length) {
         apkg["properties"] = [
           { name: "ImportedSymbols", value: usymbols.join(", ") }
         ];
+      } else {
+        apkg["properties"] = [];
       }
       const newProps = [];
       let symbolsPropertyFound = false;
@@ -7738,7 +8048,7 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
         }
         newProps.push(prop);
       }
-      if (!symbolsPropertyFound) {
+      if (!symbolsPropertyFound && usymbols.length) {
         apkg["properties"].push({
           name: "ImportedSymbols",
           value: usymbols.join(", ")
@@ -7746,10 +8056,40 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
       }
       apkg["properties"] = newProps;
     }
-    pkgList.push(apkg);
-    pkgAddedMap[name] = true;
+    // At this point, we have a package but we don't know what it's called
+    // So let's try to locate this generic package using some heuristics
+    apkg = locateGenericPackage(apkg);
+    if (!pkgAddedMap[name]) {
+      pkgList.push(apkg);
+      dependsOn.push(apkg["bom-ref"]);
+      pkgAddedMap[name] = true;
+    }
   }
-  return pkgList;
+  const dependenciesList =
+    dependsOn.length && parentComponent
+      ? [
+          {
+            ref: parentComponent["bom-ref"],
+            dependsOn
+          }
+        ]
+      : [];
+  return {
+    parentComponent,
+    pkgList,
+    dependenciesList
+  };
+};
+
+/**
+ * NOT IMPLEMENTED YET.
+ * A future method to locate a generic package given some name and properties
+ *
+ * @param {object} apkg Package to locate
+ * @returns Located project with precise purl or the original unmodified input.
+ */
+export const locateGenericPackage = (apkg) => {
+  return apkg;
 };
 
 export const parseCUsageSlice = (sliceData) => {