@cyclonedx/cdxgen 9.9.3 → 9.9.5

package/README.md

@@ -49,6 +49,8 @@ Most SBOM tools are like barcode scanners. They can scan a few package manifest
 | Gradle Cache                    | $HOME/caches/modules-2/files-2.1/\*\*/\*.jar                                                                      | N/A                                                                                               |          |
 | Helm Index                      | $HOME/.cache/helm/repository/\*\*/\*.yaml                                                                         | N/A                                                                                               |          |
 | Docker compose                  | docker-compose\*.yml. Images would also be scanned.                                                               | N/A                                                                                               |          |
+| Dockerfile                      | `*Dockerfile*` Images would also be scanned.                                                                      | N/A                                                                                               |          |
+| Containerfile                   | `*Containerfile*`. Images would also be scanned.                                                                  | N/A                                                                                               |          |
 | Google CloudBuild configuration | cloudbuild.yaml                                                                                                   | N/A                                                                                               |          |
 | OpenAPI                         | openapi\*.json, openapi\*.yaml                                                                                    | N/A                                                                                               |          |
 
@@ -173,9 +175,9 @@ Options:
                                es.                    [boolean] [default: false]
       --spec-version           CycloneDX Specification version to use. Defaults
                                to 1.5                             [default: 1.5]
-      --filter                 Filter components containining this word in purl.
+      --filter                 Filter components containing this word in purl.
                                 Multiple values allowed.                 [array]
-      --only                   Include components only containining this word in
+      --only                   Include components only containing this word in
                                 purl. Useful to generate BOM with first party co
                                mponents alone. Multiple values allowed.  [array]
       --author                 The person(s) who created the BOM. Set this value
@@ -443,7 +445,7 @@ This feature is powered by osquery, which is [installed](https://github.com/cycl
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
-## BoM signing
+## BOM signing
 
 cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 

package/analyzer.js

@@ -108,7 +108,7 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
   }
   const fileRelativeLoc = relative(src, file);
   // remove unexpected extension imports
-  if (/\.(svg|png|jpg|d\.ts)/.test(pathway)) {
+  if (/\.(svg|png|jpg|json|d\.ts)/.test(pathway)) {
     return;
   }
   const importedModules = specifiers

package/bin/cdxgen.js

@@ -193,11 +193,11 @@ const args = yargs(hideBin(process.argv))
   })
   .option("filter", {
     description:
-      "Filter components containining this word in purl. Multiple values allowed."
+      "Filter components containing this word in purl. Multiple values allowed."
   })
   .option("only", {
     description:
-      "Include components only containining this word in purl. Useful to generate BOM with first party components alone. Multiple values allowed."
+      "Include components only containing this word in purl. Useful to generate BOM with first party components alone. Multiple values allowed."
   })
   .option("author", {
     description:
@@ -520,7 +520,6 @@ const checkPermissions = (filePath) => {
       if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
         const nsFile = jsonFile + ".map";
         fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
-        console.log("Namespace mapping file written to", nsFile);
       }
     }
   } else if (!options.print) {

package/docker.js

@@ -30,9 +30,25 @@ let dockerConn = undefined;
 let isPodman = false;
 let isPodmanRootless = true;
 let isDockerRootless = false;
+// https://github.com/containerd/containerd
+let isContainerd = !!process.env.CONTAINERD_ADDRESS;
 const WIN_LOCAL_TLS = "http://localhost:2375";
 let isWinLocalTLS = false;
 
+if (
+  !process.env.DOCKER_HOST &&
+  (process.env.CONTAINERD_ADDRESS ||
+    (process.env.XDG_RUNTIME_DIR &&
+      existsSync(
+        join(process.env.XDG_RUNTIME_DIR, "containerd-rootless", "api.sock")
+      )))
+) {
+  isContainerd = true;
+}
+
+// Cache the registry auth keys
+const registry_auth_keys = {};
+
 /**
  * Method to get all dirs matching a name
  *
@@ -94,7 +110,17 @@ export const getOnlyDirs = (srcpath, dirName) => {
   ].filter((d) => d.endsWith(dirName));
 };
 
-const getDefaultOptions = () => {
+const getDefaultOptions = (forRegistry) => {
+  let authTokenSet = false;
+  if (!forRegistry && process.env.DOCKER_SERVER_ADDRESS) {
+    forRegistry = process.env.DOCKER_SERVER_ADDRESS;
+  }
+  if (forRegistry) {
+    forRegistry = forRegistry.replace("http://", "").replace("https://", "");
+    if (forRegistry.includes("/")) {
+      forRegistry = forRegistry.split("/")[0];
+    }
+  }
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
@@ -102,6 +128,97 @@ const getDefaultOptions = () => {
     hooks: { beforeError: [] },
     mutableDefaults: true
   };
+  const DOCKER_CONFIG = process.env.DOCKER_CONFIG || join(homedir(), ".docker");
+  // Support for private registry
+  if (process.env.DOCKER_AUTH_CONFIG) {
+    opts.headers = {
+      "X-Registry-Auth": process.env.DOCKER_AUTH_CONFIG
+    };
+    authTokenSet = true;
+  }
+  if (
+    !authTokenSet &&
+    process.env.DOCKER_USER &&
+    process.env.DOCKER_PASSWORD &&
+    process.env.DOCKER_EMAIL &&
+    forRegistry
+  ) {
+    const authPayload = {
+      username: process.env.DOCKER_USER,
+      email: process.env.DOCKER_EMAIL,
+      serveraddress: forRegistry
+    };
+    if (process.env.DOCKER_USER === "<token>") {
+      authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
+    } else {
+      authPayload.password = process.env.DOCKER_PASSWORD;
+    }
+    opts.headers = {
+      "X-Registry-Auth": Buffer.from(JSON.stringify(authPayload)).toString(
+        "base64"
+      )
+    };
+  }
+  if (!authTokenSet && existsSync(join(DOCKER_CONFIG, "config.json"))) {
+    const configData = readFileSync(
+      join(DOCKER_CONFIG, "config.json"),
+      "utf-8"
+    );
+    if (configData) {
+      try {
+        const configJson = JSON.parse(configData);
+        if (configJson.auths) {
+          // Check if there are hardcoded tokens
+          for (const serverAddress of Object.keys(configJson.auths)) {
+            if (forRegistry && !serverAddress.includes(forRegistry)) {
+              continue;
+            }
+            if (configJson.auths[serverAddress].auth) {
+              opts.headers = {
+                "X-Registry-Auth": configJson.auths[serverAddress].auth
+              };
+              authTokenSet = true;
+              break;
+            } else if (configJson.credsStore) {
+              const helperAuthToken = getCredsFromHelper(
+                configJson.credsStore,
+                serverAddress
+              );
+              if (helperAuthToken) {
+                opts.headers = {
+                  "X-Registry-Auth": helperAuthToken
+                };
+                authTokenSet = true;
+                break;
+              }
+            }
+          }
+        } else if (configJson.credHelpers) {
+          // Support for credential helpers
+          for (const serverAddress of Object.keys(configJson.credHelpers)) {
+            if (forRegistry && !serverAddress.includes(forRegistry)) {
+              continue;
+            }
+            if (configJson.credHelpers[serverAddress]) {
+              const helperAuthToken = getCredsFromHelper(
+                configJson.credHelpers[serverAddress],
+                serverAddress
+              );
+              if (helperAuthToken) {
+                opts.headers = {
+                  "X-Registry-Auth": helperAuthToken
+                };
+                authTokenSet = true;
+                break;
+              }
+            }
+          }
+        }
+      } catch (err) {
+        // pass
+      }
+    }
+  }
   const userInfo = _userInfo();
   opts.podmanPrefixUrl = isWin ? "" : `http://unix:/run/podman/podman.sock:`;
   opts.podmanRootlessPrefixUrl = isWin
@@ -126,8 +243,8 @@ const getDefaultOptions = () => {
         opts.prefixUrl = isWin
           ? WIN_LOCAL_TLS
           : isDockerRootless
-          ? `http://unix:${homedir()}/.docker/run/docker.sock:`
-          : "http://unix:/var/run/docker.sock:";
+            ? `http://unix:${homedir()}/.docker/run/docker.sock:`
+            : "http://unix:/var/run/docker.sock:";
       }
     }
   } else {
@@ -148,22 +265,34 @@ const getDefaultOptions = () => {
         ),
         key: readFileSync(join(process.env.DOCKER_CERT_PATH, "key.pem"), "utf8")
       };
+      // Disable tls on empty values
+      // From the docker docs: Setting the DOCKER_TLS_VERIFY environment variable to any value other than the empty string is equivalent to setting the --tlsverify flag
+      if (
+        process.env.DOCKER_TLS_VERIFY &&
+        process.env.DOCKER_TLS_VERIFY === ""
+      ) {
+        opts.https.rejectUnauthorized = false;
+        console.log("TLS Verification disabled for", hostStr);
+      }
     }
   }
 
   return opts;
 };
 
-export const getConnection = async (options) => {
-  if (!dockerConn) {
-    const defaultOptions = getDefaultOptions();
+export const getConnection = async (options, forRegistry) => {
+  if (isContainerd) {
+    return undefined;
+  } else if (!dockerConn) {
+    const defaultOptions = getDefaultOptions(forRegistry);
     const opts = Object.assign(
       {},
       {
         enableUnixSockets: defaultOptions.enableUnixSockets,
         throwHttpErrors: defaultOptions.throwHttpErrors,
         method: defaultOptions.method,
-        prefixUrl: defaultOptions.prefixUrl
+        prefixUrl: defaultOptions.prefixUrl,
+        headers: defaultOptions.headers
       },
       options
     );
@@ -247,8 +376,8 @@ export const getConnection = async (options) => {
   return dockerConn;
 };
 
-export const makeRequest = async (path, method = "GET") => {
-  const client = await getConnection();
+export const makeRequest = async (path, method = "GET", forRegistry) => {
+  const client = await getConnection({}, forRegistry);
   if (!client) {
     return undefined;
   }
@@ -258,14 +387,15 @@ export const makeRequest = async (path, method = "GET") => {
     enableUnixSockets: true,
     method
   };
-  const defaultOptions = getDefaultOptions();
+  const defaultOptions = getDefaultOptions(forRegistry);
   const opts = Object.assign(
     {},
     {
       enableUnixSockets: defaultOptions.enableUnixSockets,
       throwHttpErrors: defaultOptions.throwHttpErrors,
       method: defaultOptions.method,
-      prefixUrl: defaultOptions.prefixUrl
+      prefixUrl: defaultOptions.prefixUrl,
+      headers: defaultOptions.headers
     },
     extraOptions
   );
@@ -331,20 +461,44 @@ export const parseImageName = (fullImageName) => {
   return nameObj;
 };
 
+/**
+ * Prefer cli on windows or when using tcp/ssh based host.
+ *
+ * @returns boolean true if we should use the cli. false otherwise
+ */
+const needsCliFallback = () => {
+  return (
+    isWin ||
+    (process.env.DOCKER_HOST &&
+      (process.env.DOCKER_HOST.startsWith("tcp://") ||
+        process.env.DOCKER_HOST.startsWith("ssh://")))
+  );
+};
+
 /**
  * Method to get image to the local registry by pulling from the remote if required
  */
 export const getImage = async (fullImageName) => {
   let localData = undefined;
   let pullData = undefined;
-  const { repo, tag, digest } = parseImageName(fullImageName);
-  let repoWithTag = `${repo}:${tag !== "" ? tag : ":latest"}`;
+  const { registry, repo, tag, digest } = parseImageName(fullImageName);
+  let repoWithTag =
+    registry && registry !== "docker.io"
+      ? fullImageName
+      : `${repo}:${tag !== "" ? tag : ":latest"}`;
   // Fetch only the latest tag if none is specified
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
   }
-  if (isWin) {
-    let result = spawnSync("docker", ["pull", fullImageName], {
+  if (isContainerd) {
+    console.log(
+      "containerd/nerdctl is currently unsupported. Export the image manually and run cdxgen against the tar image."
+    );
+    return undefined;
+  }
+  if (needsCliFallback()) {
+    const dockerCmd = process.env.DOCKER_CMD || "docker";
+    let result = spawnSync(dockerCmd, ["pull", fullImageName], {
       encoding: "utf-8"
     });
     if (result.status !== 0 || result.error) {
@@ -355,12 +509,16 @@ export const getImage = async (fullImageName) => {
         console.log(
           "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on."
         );
+      } else if (result.stderr && result.stderr.includes("not found")) {
+        console.log(
+          "Set the environment variable DOCKER_CMD to use an alternative command such as nerdctl or podman."
+        );
       } else {
         console.log(result.stderr);
       }
       return localData;
     } else {
-      result = spawnSync("docker", ["inspect", fullImageName], {
+      result = spawnSync(dockerCmd, ["inspect", fullImageName], {
         encoding: "utf-8"
       });
       if (result.status !== 0 || result.error) {
@@ -385,7 +543,11 @@ export const getImage = async (fullImageName) => {
     }
   }
   try {
-    localData = await makeRequest(`images/${repoWithTag}/json`);
+    localData = await makeRequest(
+      `images/${repoWithTag}/json`,
+      "GET",
+      registry
+    );
     if (localData) {
       return localData;
     }
@@ -393,10 +555,14 @@ export const getImage = async (fullImageName) => {
     // ignore
   }
   try {
-    localData = await makeRequest(`images/${repo}/json`);
+    localData = await makeRequest(`images/${repo}/json`, "GET", registry);
   } catch (err) {
     try {
-      localData = await makeRequest(`images/${fullImageName}/json`);
+      localData = await makeRequest(
+        `images/${fullImageName}/json`,
+        "GET",
+        registry
+      );
       if (localData) {
         return localData;
       }
@@ -412,7 +578,8 @@ export const getImage = async (fullImageName) => {
     try {
       pullData = await makeRequest(
         `images/create?fromImage=${fullImageName}`,
-        "POST"
+        "POST",
+        registry
       );
       if (
         pullData &&
@@ -434,7 +601,8 @@ export const getImage = async (fullImageName) => {
         }
         pullData = await makeRequest(
           `images/create?fromImage=${repoWithTag}`,
-          "POST"
+          "POST",
+          registry
         );
       } catch (err) {
         // continue regardless of error
@@ -444,7 +612,11 @@ export const getImage = async (fullImageName) => {
       if (DEBUG_MODE) {
         console.log(`Trying with ${repoWithTag}`);
       }
-      localData = await makeRequest(`images/${repoWithTag}/json`);
+      localData = await makeRequest(
+        `images/${repoWithTag}/json`,
+        "GET",
+        registry
+      );
       if (localData) {
         return localData;
       }
@@ -453,7 +625,7 @@ export const getImage = async (fullImageName) => {
         if (DEBUG_MODE) {
           console.log(`Trying with ${repo}`);
         }
-        localData = await makeRequest(`images/${repo}/json`);
+        localData = await makeRequest(`images/${repo}/json`, "GET", registry);
         if (localData) {
           return localData;
         }
@@ -464,7 +636,11 @@ export const getImage = async (fullImageName) => {
         if (DEBUG_MODE) {
           console.log(`Trying with ${fullImageName}`);
         }
-        localData = await makeRequest(`images/${fullImageName}/json`);
+        localData = await makeRequest(
+          `images/${fullImageName}/json`,
+          "GET",
+          registry
+        );
       } catch (err) {
         // continue regardless of error
       }
@@ -684,7 +860,7 @@ export const exportImage = async (fullImageName) => {
   if (!localData) {
     return undefined;
   }
-  const { tag, digest } = parseImageName(fullImageName);
+  const { registry, tag, digest } = parseImageName(fullImageName);
   // Fetch only the latest tag if none is specified
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
@@ -695,7 +871,7 @@ export const exportImage = async (fullImageName) => {
   // Windows containers use index.json
   const manifestIndexFile = join(tempDir, "index.json");
   // On Windows, fallback to invoking cli
-  if (isWin) {
+  if (needsCliFallback()) {
     const imageTarFile = join(tempDir, "image.tar");
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using docker cli`
@@ -722,10 +898,16 @@ export const exportImage = async (fullImageName) => {
       }
     }
   } else {
-    const client = await getConnection();
+    const client = await getConnection({}, registry);
     try {
       if (DEBUG_MODE) {
-        console.log(`About to export image ${fullImageName} to ${tempDir}`);
+        if (registry && registry.trim().length) {
+          console.log(
+            `About to export image ${fullImageName} from ${registry} to ${tempDir}`
+          );
+        } else {
+          console.log(`About to export image ${fullImageName} to ${tempDir}`);
+        }
       }
       await stream.pipeline(
         client.stream(`images/${fullImageName}/get`),
@@ -896,3 +1078,46 @@ export const removeImage = async (fullImageName, force = false) => {
   );
   return removeData;
 };
+
+export const getCredsFromHelper = (exeSuffix, serverAddress) => {
+  if (registry_auth_keys[serverAddress]) {
+    return registry_auth_keys[serverAddress];
+  }
+  let credHelperExe = `docker-credential-${exeSuffix}`;
+  if (isWin) {
+    credHelperExe = credHelperExe + ".exe";
+  }
+  const result = spawnSync(credHelperExe, ["get"], {
+    input: serverAddress,
+    encoding: "utf-8"
+  });
+  if (result.status !== 0 || result.error) {
+    console.log(result.stdout, result.stderr);
+  } else if (result.stdout) {
+    const cmdOutput = Buffer.from(result.stdout).toString();
+    try {
+      const authPayload = JSON.parse(cmdOutput);
+      const fixedAuthPayload = {
+        username:
+          authPayload.username ||
+          authPayload.Username ||
+          process.env.DOCKER_USER,
+        password:
+          authPayload.password ||
+          authPayload.Secret ||
+          process.env.DOCKER_PASSWORD,
+        email:
+          authPayload.email || authPayload.username || process.env.DOCKER_USER,
+        serveraddress: serverAddress
+      };
+      const authKey = Buffer.from(JSON.stringify(fixedAuthPayload)).toString(
+        "base64"
+      );
+      registry_auth_keys[serverAddress] = authKey;
+      return authKey;
+    } catch (err) {
+      return undefined;
+    }
+  }
+  return undefined;
+};

package/docker.test.js

@@ -54,6 +54,15 @@ test("parseImageName tests", () => {
     digest: "",
     platform: ""
   });
+  expect(
+    parseImageName("foocorp.jfrog.io/docker/library/eclipse-temurin:latest")
+  ).toEqual({
+    registry: "foocorp.jfrog.io",
+    repo: "docker/library/eclipse-temurin",
+    tag: "latest",
+    digest: "",
+    platform: ""
+  });
   expect(
     parseImageName(
       "quay.io/shiftleft/scan-java@sha256:5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1"

package/evinser.js

@@ -498,14 +498,16 @@ export const parseSliceUsages = async (
         !isFilterableType(language, userDefinedTypesMap, atype[1])
       ) {
         if (!atype[1].includes("(") && !atype[1].includes(".py")) {
-          typesToLookup.add(atype[1]);
+          typesToLookup.add(simplifyType(atype[1]));
           // Javascript calls can be resolved to a precise line number only from the call nodes
           if (
             ["javascript", "js", "ts", "typescript"].includes(language) &&
             ausageLine
           ) {
             if (atype[1].includes(":")) {
-              typesToLookup.add(atype[1].split("::")[0].replace(/:/g, "/"));
+              typesToLookup.add(
+                simplifyType(atype[1].split("::")[0].replace(/:/g, "/"))
+              );
             }
             addToOverrides(lKeyOverrides, atype[1], fileName, ausageLine);
           }
@@ -532,7 +534,7 @@ export const parseSliceUsages = async (
           !acall?.resolvedMethod.includes("(") &&
           !acall?.resolvedMethod.includes(".py")
         ) {
-          typesToLookup.add(acall?.resolvedMethod);
+          typesToLookup.add(simplifyType(acall?.resolvedMethod));
           // Javascript calls can be resolved to a precise line number only from the call nodes
           if (acall.lineNumber) {
             addToOverrides(
@@ -560,10 +562,12 @@ export const parseSliceUsages = async (
       for (const aparamType of acall?.paramTypes || []) {
         if (!isFilterableType(language, userDefinedTypesMap, aparamType)) {
           if (!aparamType.includes("(") && !aparamType.includes(".py")) {
-            typesToLookup.add(aparamType);
+            typesToLookup.add(simplifyType(aparamType));
             if (acall.lineNumber) {
               if (aparamType.includes(":")) {
-                typesToLookup.add(aparamType.split("::")[0].replace(/:/g, "/"));
+                typesToLookup.add(
+                  simplifyType(aparamType.split("::")[0].replace(/:/g, "/"))
+                );
               }
               addToOverrides(
                 lKeyOverrides,
@@ -609,7 +613,7 @@ export const parseSliceUsages = async (
     } else {
       // Check the namespaces db
       let nsHits = typePurlsCache[atype];
-      if (["java", "jar"].includes(language)) {
+      if (!nsHits && ["java", "jar"].includes(language)) {
         nsHits = await dbObjMap.Namespaces.findAll({
           attributes: ["purl"],
           where: {
@@ -629,6 +633,9 @@ export const parseSliceUsages = async (
           }
         }
         typePurlsCache[atype] = nsHits;
+      } else {
+        // Avoid persistent lookups
+        typePurlsCache[atype] = [];
       }
     }
   }
@@ -834,7 +841,7 @@ export const extractEndpoints = (language, code) => {
     case "jar":
       if (
         code.startsWith("@") &&
-        code.includes("Mapping") &&
+        (code.includes("Mapping") || code.includes("Path")) &&
         code.includes("(")
       ) {
         const matches = code.match(/['"](.*?)['"]/gi) || [];
@@ -1190,6 +1197,16 @@ export const framePicker = (dfFrames) => {
   return aframe;
 };
 
+/**
+ * Method to simplify types. For example, arrays ending with [] could be simplified.
+ *
+ * @param {string} typeFullName Full name of the type to simplify
+ * @returns Simplified type string
+ */
+export const simplifyType = (typeFullName) => {
+  return typeFullName.replace("[]", "");
+};
+
 export const getClassTypeFromSignature = (language, typeFullName) => {
   if (["java", "jar"].includes(language) && typeFullName.includes(":")) {
     typeFullName = typeFullName.split(":")[0];
@@ -1225,7 +1242,7 @@ export const getClassTypeFromSignature = (language, typeFullName) => {
   if (typeFullName.includes("$")) {
     typeFullName = typeFullName.split("$")[0];
   }
-  return typeFullName;
+  return simplifyType(typeFullName);
 };
 
 const addToOverrides = (lKeyOverrides, atype, fileName, ausageLineNumber) => {

package/index.js

@@ -104,7 +104,8 @@ import {
   TIMEOUT_MS,
   MAX_BUFFER,
   getNugetMetadata,
-  frameworksList
+  frameworksList,
+  parseContainerFile
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -1859,7 +1860,7 @@ export const createNodejsBom = async (path, options) => {
   const parentSubComponents = [];
   let ppurl = "";
   // Docker mode requires special handling
-  if (["docker", "oci", "os"].includes(options.projectType)) {
+  if (["docker", "oci", "container", "os"].includes(options.projectType)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
     // Are there any package.json files in the container?
     if (pkgJsonFiles.length) {
@@ -1879,7 +1880,7 @@ export const createNodejsBom = async (path, options) => {
   }
   let allImports = {};
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     !options.noBabel
   ) {
     if (DEBUG_MODE) {
@@ -2752,7 +2753,7 @@ export const createGoBom = async (path, options) => {
   if (gomodFiles.length) {
     let shouldManuallyParse = false;
     // Use the go list -deps and go mod why commands to generate a good quality BOM for non-docker invocations
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       for (const f of gomodFiles) {
         const basePath = dirname(f);
         // Ignore vendor packages
@@ -2864,7 +2865,7 @@ export const createGoBom = async (path, options) => {
       }
     }
     // Parse the gomod files manually. The resultant BOM would be incomplete
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       console.log(
         "Manually parsing go.mod files. The resultant BOM would be incomplete."
       );
@@ -3153,7 +3154,7 @@ export const createCppBom = (path, options) => {
   // inside of other project types. So we currently limit this analyis only when -t argument
   // is used.
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     (!options.createMultiXBom || options.deep)
   ) {
     let osPkgsList = [];
@@ -3713,6 +3714,16 @@ export const createContainerSpecLikeBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "*.yml",
     options
   );
+  const dfFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "*Dockerfile*",
+    options
+  );
+  const cfFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "*Containerfile*",
+    options
+  );
   const yamlFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*.yaml",
@@ -3736,14 +3747,22 @@ export const createContainerSpecLikeBom = async (path, options) => {
   }
   // Privado.ai json files
   const privadoFiles = getAllFiles(path, ".privado/" + "*.json", options);
-  // parse yaml manifest files
-  if (dcFiles.length) {
-    for (const f of dcFiles) {
+  // Parse yaml manifest files, dockerfiles or containerfiles
+  if (dcFiles.length || dfFiles.length || cfFiles.length) {
+    for (const f of [...dcFiles, ...dfFiles, ...cfFiles]) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
-      const dcData = readFileSync(f, { encoding: "utf-8" });
-      const imglist = parseContainerSpecData(dcData);
+
+      const dData = readFileSync(f, { encoding: "utf-8" });
+      let imglist = [];
+      // parse yaml manifest files
+      if (f.endsWith(".yml") || f.endsWith(".yaml")) {
+        imglist = parseContainerSpecData(dData);
+      } else {
+        imglist = parseContainerFile(dData);
+      }
+
       if (imglist && imglist.length) {
         if (DEBUG_MODE) {
           console.log("Images identified in", f, "are", imglist);
@@ -5186,12 +5205,22 @@ export const createXBom = async (path, options) => {
     return createHelmBom(path, options);
   }
 
-  // Docker compose, kubernetes and skaffold
+  // Docker compose, dockerfile, containerfile, kubernetes and skaffold
   const dcFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "docker-compose*.yml",
     options
   );
+  const dfFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "*Dockerfile*",
+    options
+  );
+  const cfFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "*Containerfile*",
+    options
+  );
   const skFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "skaffold.yaml",
@@ -5202,7 +5231,13 @@ export const createXBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "deployment.yaml",
     options
   );
-  if (dcFiles.length || skFiles.length || deplFiles.length) {
+  if (
+    dcFiles.length ||
+    dfFiles.length ||
+    cfFiles.length ||
+    skFiles.length ||
+    deplFiles.length
+  ) {
     return await createContainerSpecLikeBom(path, options);
   }
 
@@ -5261,6 +5296,7 @@ export const createBom = async (path, options) => {
     projectType === "docker" ||
     projectType === "podman" ||
     projectType === "oci" ||
+    projectType === "container" ||
     path.startsWith("docker.io") ||
     path.startsWith("quay.io") ||
     path.startsWith("ghcr.io") ||
@@ -5468,7 +5504,9 @@ export const createBom = async (path, options) => {
         options
       );
     case "universal":
+    case "containerfile":
     case "docker-compose":
+    case "dockerfile":
     case "swarm":
     case "tekton":
     case "kustomize":
@@ -5507,19 +5545,36 @@ export async function submitBom(args, bomContents) {
   if (encodedBomContents.startsWith("77u/")) {
     encodedBomContents = encodedBomContents.substring(4);
   }
-  let projectVersion = args.projectVersion || "master";
-  if (projectVersion == true) {
-    projectVersion = "master";
-  }
   const bomPayload = {
-    project: args.projectId,
-    projectName: args.projectName,
-    projectVersion: projectVersion,
     autoCreate: "true",
     bom: encodedBomContents
   };
-  if (typeof args.parentProjectId !== "undefined") {
-    bomPayload.parentUUID = args.parentProjectId;
+  let projectVersion = args.projectVersion || "master";
+  if (
+    typeof args.projectId !== "undefined" ||
+    (typeof args.projectName !== "undefined" &&
+      typeof projectVersion !== "undefined")
+  ) {
+    if (typeof args.projectId !== "undefined") {
+      bomPayload.project = args.projectId;
+    }
+    if (typeof args.projectName !== "undefined") {
+      bomPayload.projectName = args.projectName;
+    }
+    if (typeof projectVersion !== "undefined") {
+      bomPayload.projectVersion = projectVersion;
+    }
+  } else {
+    console.log(
+      "projectId, projectName and projectVersion, or all three must be provided."
+    );
+    return;
+  }
+  if (
+    typeof args.parentProjectId !== "undefined" ||
+    typeof args.parentUUID !== "undefined"
+  ) {
+    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
   }
   if (DEBUG_MODE) {
     console.log(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.3",
+  "version": "9.9.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,8 +55,8 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.0",
-    "@babel/traverse": "^7.23.2",
+    "@babel/parser": "^7.23.3",
+    "@babel/traverse": "^7.23.3",
     "@npmcli/arborist": "7.2.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.5.6",
+    "@appthreat/atom": "1.6.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -91,7 +91,7 @@
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.3",
-    "sequelize": "^6.33.0",
+    "sequelize": "^6.35.0",
     "sqlite3": "^5.1.6"
   },
   "files": [
@@ -102,10 +102,10 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.52.0",
+    "eslint": "^8.53.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",
-    "prettier": "3.0.3"
+    "prettier": "3.1.0"
   }
 }

package/server.js

@@ -72,7 +72,7 @@ const parseQueryString = (q, body, options = {}) => {
     "requiredOnly",
     "noBabel",
     "installDeps",
-    "project",
+    "projectId",
     "projectName",
     "projectGroup",
     "projectVersion",

package/utils.js

@@ -19,7 +19,8 @@ import {
   readFileSync,
   rmSync,
   unlinkSync,
-  writeFileSync
+  writeFileSync,
+  readdirSync
 } from "node:fs";
 import got from "got";
 import Arborist from "@npmcli/arborist";
@@ -4388,6 +4389,43 @@ export const recurseImageNameLookup = (keyValueObj, pkgList, imgList) => {
   return imgList;
 };
 
+export const parseContainerFile = function (fileContents) {
+  const imgList = [];
+
+  let buildStageNames = [];
+  for (const line of fileContents.split("\n")) {
+    if (line.trim().startsWith("#")) {
+      continue; // skip commented out lines
+    }
+
+    if (line.includes("FROM")) {
+      const fromStatement = line.split("FROM")[1].split("AS");
+
+      const imageStatement = fromStatement[0].trim();
+      const buildStageName = fromStatement[1]?.trim();
+
+      if (buildStageNames.includes(imageStatement)) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Skipping image ${imageStatement} which uses previously seen build stage name.`
+          );
+        }
+        continue;
+      }
+
+      imgList.push({
+        image: imageStatement
+      });
+
+      if (buildStageName) {
+        buildStageNames.push(buildStageName);
+      }
+    }
+  }
+
+  return imgList;
+};
+
 export const parseContainerSpecData = function (dcData) {
   const pkgList = [];
   const imgList = [];
@@ -6477,12 +6515,67 @@ export const parseJarManifest = function (jarMetadata) {
   return metadata;
 };
 
+export const parsePomProperties = function (pomProperties) {
+  const properties = {};
+  if (!pomProperties) {
+    return properties;
+  }
+  pomProperties.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
+    if (l.includes("=")) {
+      const tmpA = l.split("=");
+      if (tmpA && tmpA.length === 2) {
+        properties[tmpA[0]] = tmpA[1].replace("\r", "");
+      }
+    }
+  });
+  return properties;
+};
+
 export const encodeForPurl = (s) => {
   return s && !s.includes("%40")
     ? encodeURIComponent(s).replace(/%3A/g, ":").replace(/%2F/g, "/")
     : s;
 };
 
+/**
+ * Method to get pom properties from maven directory
+ *
+ * @param {string} mavenDir Path to maven directory
+ *
+ * @return array with pom properties
+ */
+export const getPomPropertiesFromMavenDir = function (mavenDir) {
+  let pomProperties = {};
+  if (existsSync(mavenDir) && lstatSync(mavenDir).isDirectory()) {
+    let mavenDirEntries = readdirSync(mavenDir, { withFileTypes: true });
+    mavenDirEntries.forEach((mavenDirEntry) => {
+      if (mavenDirEntry.isDirectory()) {
+        let groupDirEntries = readdirSync(
+          join(mavenDirEntry.path, mavenDirEntry.name),
+          { withFileTypes: true }
+        );
+        groupDirEntries.forEach((groupDirEntry) => {
+          if (groupDirEntry.isDirectory()) {
+            let pomPropertiesFile = join(
+              groupDirEntry.path,
+              groupDirEntry.name,
+              "pom.properties"
+            );
+            if (existsSync(pomPropertiesFile)) {
+              const pomPropertiesString = readFileSync(pomPropertiesFile, {
+                encoding: "utf-8"
+              });
+              pomProperties = parsePomProperties(pomPropertiesString);
+            }
+          }
+        });
+      }
+    });
+  }
+  return pomProperties;
+};
+
 /**
  * Method to extract a war or ear file
  *
@@ -6564,13 +6657,14 @@ export const extractJarArchive = function (
       }
       const manifestDir = join(tempDir, "META-INF");
       const manifestFile = join(manifestDir, "MANIFEST.MF");
+      const mavenDir = join(manifestDir, "maven");
       let jarResult = {
         status: 1
       };
       if (existsSync(pomname)) {
         jarResult = { status: 0 };
       } else {
-        jarResult = spawnSync("jar", ["-xf", jf], {
+        jarResult = spawnSync("jar", ["-xf", jf, "META-INF"], {
           encoding: "utf-8",
           cwd: tempDir,
           shell: isWin,
@@ -6580,29 +6674,42 @@ export const extractJarArchive = function (
       if (jarResult.status !== 0) {
         console.error(jarResult.stdout, jarResult.stderr);
       } else {
-        if (existsSync(manifestFile)) {
+        // When maven descriptor is available take group, name and version from pom.properties
+        // META-INF/maven/${groupId}/${artifactId}/pom.properties
+        // see https://maven.apache.org/shared/maven-archiver/index.html
+        const pomProperties = getPomPropertiesFromMavenDir(mavenDir);
+        let group = pomProperties["groupId"],
+          name = pomProperties["artifactId"],
+          version = pomProperties["version"],
+          confidence = 1,
+          technique = "manifest-analysis";
+        if ((!group || !name || !version) && existsSync(manifestFile)) {
+          confidence = 0.8;
           const jarMetadata = parseJarManifest(
             readFileSync(manifestFile, {
               encoding: "utf-8"
             })
           );
-          let group =
+          group =
+            group ||
             jarMetadata["Extension-Name"] ||
             jarMetadata["Implementation-Vendor-Id"] ||
             jarMetadata["Bundle-SymbolicName"] ||
             jarMetadata["Bundle-Vendor"] ||
             jarMetadata["Automatic-Module-Name"] ||
             "";
-          let version =
+          version =
+            version ||
             jarMetadata["Bundle-Version"] ||
             jarMetadata["Implementation-Version"] ||
             jarMetadata["Specification-Version"];
           if (version && version.includes(" ")) {
             version = version.split(" ")[0];
           }
-          let name = "";
           // Prefer jar filename to construct name and version
           if (!name || !version || name === "" || version === "") {
+            confidence = 0.5;
+            technique = "filename";
             const tmpA = jarname.split("-");
             if (tmpA && tmpA.length > 1) {
               const lastPart = tmpA[tmpA.length - 1];
@@ -6651,56 +6758,56 @@ export const extractJarArchive = function (
               break;
             }
           }
-          if (name && version) {
-            // if group is empty use name as group
-            group = encodeForPurl(group === "." ? name : group || name) || "";
-            let apkg = {
+          // if group is empty use name as group
+          group = group === "." ? name : group || name;
+        }
+        if (name && version) {
+          let apkg = {
+            group: group ? encodeForPurl(group) : "",
+            name: name ? encodeForPurl(name) : "",
+            version,
+            purl: new PackageURL(
+              "maven",
               group,
-              name: name ? encodeForPurl(name) : "",
+              name,
               version,
-              purl: new PackageURL(
-                "maven",
-                group,
-                name,
-                version,
-                { type: "jar" },
-                null
-              ).toString(),
-              evidence: {
-                identity: {
-                  field: "purl",
-                  confidence: 0.5,
-                  methods: [
-                    {
-                      technique: "filename",
-                      confidence: 0.5,
-                      value: jarname
-                    }
-                  ]
-                }
-              },
-              properties: [
-                {
-                  name: "SrcFile",
-                  value: jarname
-                }
-              ]
-            };
-            if (
-              jarNSMapping &&
-              jarNSMapping[apkg.purl] &&
-              jarNSMapping[apkg.purl].namespaces
-            ) {
-              apkg.properties.push({
-                name: "Namespaces",
-                value: jarNSMapping[apkg.purl].namespaces.join("\n")
-              });
-            }
-            pkgList.push(apkg);
-          } else {
-            if (DEBUG_MODE) {
-              console.log(`Ignored jar ${jarname}`, jarMetadata, name, version);
-            }
+              { type: "jar" },
+              null
+            ).toString(),
+            evidence: {
+              identity: {
+                field: "purl",
+                confidence: confidence,
+                methods: [
+                  {
+                    technique: technique,
+                    confidence: confidence,
+                    value: jarname
+                  }
+                ]
+              }
+            },
+            properties: [
+              {
+                name: "SrcFile",
+                value: jarname
+              }
+            ]
+          };
+          if (
+            jarNSMapping &&
+            jarNSMapping[apkg.purl] &&
+            jarNSMapping[apkg.purl].namespaces
+          ) {
+            apkg.properties.push({
+              name: "Namespaces",
+              value: jarNSMapping[apkg.purl].namespaces.join("\n")
+            });
+          }
+          pkgList.push(apkg);
+        } else {
+          if (DEBUG_MODE) {
+            console.log(`Ignored jar ${jarname}`, name, version);
           }
         }
         try {
@@ -6892,6 +6999,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
   let isWrapperReady = false;
   let isWrapperFound = false;
   let findMavenFile = "mvnw";
+  let mavenWrapperCmd = null;
   if (platform() == "win32") {
     findMavenFile = "mvnw.bat";
     if (
@@ -6910,7 +7018,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(srcPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(srcPath, findMavenFile));
     isWrapperFound = true;
   } else if (rootPath && existsSync(join(rootPath, findMavenFile))) {
     // Check if the root directory has a wrapper script
@@ -6919,7 +7027,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(rootPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(rootPath, findMavenFile));
     isWrapperFound = true;
   }
   if (isWrapperFound) {
@@ -6928,14 +7036,15 @@ export const getMavenCommand = (srcPath, rootPath) => {
         "Testing the wrapper script by invoking wrapper:wrapper task"
       );
     }
-    const result = spawnSync(mavenCmd, ["wrapper:wrapper"], {
+    const result = spawnSync(mavenWrapperCmd, ["wrapper:wrapper"], {
       encoding: "utf-8",
       cwd: rootPath,
       timeout: TIMEOUT_MS,
       shell: isWin
     });
-    if (!result.error) {
+    if (!result.error && !result.status) {
       isWrapperReady = true;
+      mavenCmd = mavenWrapperCmd;
     } else {
       if (DEBUG_MODE) {
         console.log(
@@ -7690,7 +7799,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
           .split(")")[0]
           .split(",")
           .filter((v) => v.length > 1);
-        const parentName = tmpB[0];
+        const parentName = tmpB[0].replace(":", "");
         let parentVersion = undefined;
         // In case of meson.build we can find the version number after the word version
         // thanks to our replaces and splits

package/utils.test.js

@@ -73,7 +73,8 @@ import {
   parsePyProjectToml,
   parseSbtTree,
   parseCmakeDotFile,
-  parseCmakeLikeFile
+  parseCmakeLikeFile,
+  parseContainerFile
 } from "./utils.js";
 import { readFileSync } from "node:fs";
 import { parse } from "ssri";
@@ -2727,6 +2728,31 @@ test("parse container spec like files", async () => {
   });
 });
 
+test("parse containerfiles / dockerfiles", async () => {
+  let dep_list = parseContainerFile(
+    readFileSync("./test/data/Dockerfile", { encoding: "utf-8" })
+  );
+  expect(dep_list.length).toEqual(5);
+  expect(dep_list[0]).toEqual({
+    image: "hello-world"
+  });
+  expect(dep_list[0]).toEqual({
+    image: "hello-world"
+  });
+  expect(dep_list[1]).toEqual({
+    image: "hello-world"
+  });
+  expect(dep_list[2]).toEqual({
+    image: "hello-world:latest"
+  });
+  expect(dep_list[3]).toEqual({
+    image: "hello-world@sha256:1234567890abcdef"
+  });
+  expect(dep_list[4]).toEqual({
+    image: "hello-world:latest@sha256:1234567890abcdef"
+  });
+});
+
 test("parse cloudbuild data", async () => {
   expect(parseCloudBuildData(null)).toEqual([]);
   const dep_list = parseCloudBuildData(