@cyclonedx/cdxgen 9.9.4 → 9.9.5

package/README.md

@@ -445,7 +445,7 @@ This feature is powered by osquery, which is [installed](https://github.com/cycl
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
-## BoM signing
+## BOM signing
 
 cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
 

package/analyzer.js

@@ -108,7 +108,7 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
   }
   const fileRelativeLoc = relative(src, file);
   // remove unexpected extension imports
-  if (/\.(svg|png|jpg|d\.ts)/.test(pathway)) {
+  if (/\.(svg|png|jpg|json|d\.ts)/.test(pathway)) {
     return;
   }
   const importedModules = specifiers

package/docker.js

@@ -30,9 +30,25 @@ let dockerConn = undefined;
 let isPodman = false;
 let isPodmanRootless = true;
 let isDockerRootless = false;
+// https://github.com/containerd/containerd
+let isContainerd = !!process.env.CONTAINERD_ADDRESS;
 const WIN_LOCAL_TLS = "http://localhost:2375";
 let isWinLocalTLS = false;
 
+if (
+  !process.env.DOCKER_HOST &&
+  (process.env.CONTAINERD_ADDRESS ||
+    (process.env.XDG_RUNTIME_DIR &&
+      existsSync(
+        join(process.env.XDG_RUNTIME_DIR, "containerd-rootless", "api.sock")
+      )))
+) {
+  isContainerd = true;
+}
+
+// Cache the registry auth keys
+const registry_auth_keys = {};
+
 /**
  * Method to get all dirs matching a name
  *
@@ -94,7 +110,17 @@ export const getOnlyDirs = (srcpath, dirName) => {
   ].filter((d) => d.endsWith(dirName));
 };
 
-const getDefaultOptions = () => {
+const getDefaultOptions = (forRegistry) => {
+  let authTokenSet = false;
+  if (!forRegistry && process.env.DOCKER_SERVER_ADDRESS) {
+    forRegistry = process.env.DOCKER_SERVER_ADDRESS;
+  }
+  if (forRegistry) {
+    forRegistry = forRegistry.replace("http://", "").replace("https://", "");
+    if (forRegistry.includes("/")) {
+      forRegistry = forRegistry.split("/")[0];
+    }
+  }
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
@@ -102,6 +128,97 @@ const getDefaultOptions = () => {
     hooks: { beforeError: [] },
     mutableDefaults: true
   };
+  const DOCKER_CONFIG = process.env.DOCKER_CONFIG || join(homedir(), ".docker");
+  // Support for private registry
+  if (process.env.DOCKER_AUTH_CONFIG) {
+    opts.headers = {
+      "X-Registry-Auth": process.env.DOCKER_AUTH_CONFIG
+    };
+    authTokenSet = true;
+  }
+  if (
+    !authTokenSet &&
+    process.env.DOCKER_USER &&
+    process.env.DOCKER_PASSWORD &&
+    process.env.DOCKER_EMAIL &&
+    forRegistry
+  ) {
+    const authPayload = {
+      username: process.env.DOCKER_USER,
+      email: process.env.DOCKER_EMAIL,
+      serveraddress: forRegistry
+    };
+    if (process.env.DOCKER_USER === "<token>") {
+      authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
+    } else {
+      authPayload.password = process.env.DOCKER_PASSWORD;
+    }
+    opts.headers = {
+      "X-Registry-Auth": Buffer.from(JSON.stringify(authPayload)).toString(
+        "base64"
+      )
+    };
+  }
+  if (!authTokenSet && existsSync(join(DOCKER_CONFIG, "config.json"))) {
+    const configData = readFileSync(
+      join(DOCKER_CONFIG, "config.json"),
+      "utf-8"
+    );
+    if (configData) {
+      try {
+        const configJson = JSON.parse(configData);
+        if (configJson.auths) {
+          // Check if there are hardcoded tokens
+          for (const serverAddress of Object.keys(configJson.auths)) {
+            if (forRegistry && !serverAddress.includes(forRegistry)) {
+              continue;
+            }
+            if (configJson.auths[serverAddress].auth) {
+              opts.headers = {
+                "X-Registry-Auth": configJson.auths[serverAddress].auth
+              };
+              authTokenSet = true;
+              break;
+            } else if (configJson.credsStore) {
+              const helperAuthToken = getCredsFromHelper(
+                configJson.credsStore,
+                serverAddress
+              );
+              if (helperAuthToken) {
+                opts.headers = {
+                  "X-Registry-Auth": helperAuthToken
+                };
+                authTokenSet = true;
+                break;
+              }
+            }
+          }
+        } else if (configJson.credHelpers) {
+          // Support for credential helpers
+          for (const serverAddress of Object.keys(configJson.credHelpers)) {
+            if (forRegistry && !serverAddress.includes(forRegistry)) {
+              continue;
+            }
+            if (configJson.credHelpers[serverAddress]) {
+              const helperAuthToken = getCredsFromHelper(
+                configJson.credHelpers[serverAddress],
+                serverAddress
+              );
+              if (helperAuthToken) {
+                opts.headers = {
+                  "X-Registry-Auth": helperAuthToken
+                };
+                authTokenSet = true;
+                break;
+              }
+            }
+          }
+        }
+      } catch (err) {
+        // pass
+      }
+    }
+  }
   const userInfo = _userInfo();
   opts.podmanPrefixUrl = isWin ? "" : `http://unix:/run/podman/podman.sock:`;
   opts.podmanRootlessPrefixUrl = isWin
@@ -148,22 +265,34 @@ const getDefaultOptions = () => {
         ),
         key: readFileSync(join(process.env.DOCKER_CERT_PATH, "key.pem"), "utf8")
       };
+      // Disable tls on empty values
+      // From the docker docs: Setting the DOCKER_TLS_VERIFY environment variable to any value other than the empty string is equivalent to setting the --tlsverify flag
+      if (
+        process.env.DOCKER_TLS_VERIFY &&
+        process.env.DOCKER_TLS_VERIFY === ""
+      ) {
+        opts.https.rejectUnauthorized = false;
+        console.log("TLS Verification disabled for", hostStr);
+      }
     }
   }
 
   return opts;
 };
 
-export const getConnection = async (options) => {
-  if (!dockerConn) {
-    const defaultOptions = getDefaultOptions();
+export const getConnection = async (options, forRegistry) => {
+  if (isContainerd) {
+    return undefined;
+  } else if (!dockerConn) {
+    const defaultOptions = getDefaultOptions(forRegistry);
     const opts = Object.assign(
       {},
       {
         enableUnixSockets: defaultOptions.enableUnixSockets,
         throwHttpErrors: defaultOptions.throwHttpErrors,
         method: defaultOptions.method,
-        prefixUrl: defaultOptions.prefixUrl
+        prefixUrl: defaultOptions.prefixUrl,
+        headers: defaultOptions.headers
       },
       options
     );
@@ -247,8 +376,8 @@ export const getConnection = async (options) => {
   return dockerConn;
 };
 
-export const makeRequest = async (path, method = "GET") => {
-  const client = await getConnection();
+export const makeRequest = async (path, method = "GET", forRegistry) => {
+  const client = await getConnection({}, forRegistry);
   if (!client) {
     return undefined;
   }
@@ -258,14 +387,15 @@ export const makeRequest = async (path, method = "GET") => {
     enableUnixSockets: true,
     method
   };
-  const defaultOptions = getDefaultOptions();
+  const defaultOptions = getDefaultOptions(forRegistry);
   const opts = Object.assign(
     {},
     {
       enableUnixSockets: defaultOptions.enableUnixSockets,
       throwHttpErrors: defaultOptions.throwHttpErrors,
       method: defaultOptions.method,
-      prefixUrl: defaultOptions.prefixUrl
+      prefixUrl: defaultOptions.prefixUrl,
+      headers: defaultOptions.headers
     },
     extraOptions
   );
@@ -331,20 +461,44 @@ export const parseImageName = (fullImageName) => {
   return nameObj;
 };
 
+/**
+ * Prefer cli on windows or when using tcp/ssh based host.
+ *
+ * @returns boolean true if we should use the cli. false otherwise
+ */
+const needsCliFallback = () => {
+  return (
+    isWin ||
+    (process.env.DOCKER_HOST &&
+      (process.env.DOCKER_HOST.startsWith("tcp://") ||
+        process.env.DOCKER_HOST.startsWith("ssh://")))
+  );
+};
+
 /**
  * Method to get image to the local registry by pulling from the remote if required
  */
 export const getImage = async (fullImageName) => {
   let localData = undefined;
   let pullData = undefined;
-  const { repo, tag, digest } = parseImageName(fullImageName);
-  let repoWithTag = `${repo}:${tag !== "" ? tag : ":latest"}`;
+  const { registry, repo, tag, digest } = parseImageName(fullImageName);
+  let repoWithTag =
+    registry && registry !== "docker.io"
+      ? fullImageName
+      : `${repo}:${tag !== "" ? tag : ":latest"}`;
   // Fetch only the latest tag if none is specified
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
   }
-  if (isWin) {
-    let result = spawnSync("docker", ["pull", fullImageName], {
+  if (isContainerd) {
+    console.log(
+      "containerd/nerdctl is currently unsupported. Export the image manually and run cdxgen against the tar image."
+    );
+    return undefined;
+  }
+  if (needsCliFallback()) {
+    const dockerCmd = process.env.DOCKER_CMD || "docker";
+    let result = spawnSync(dockerCmd, ["pull", fullImageName], {
       encoding: "utf-8"
     });
     if (result.status !== 0 || result.error) {
@@ -355,12 +509,16 @@ export const getImage = async (fullImageName) => {
         console.log(
           "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on."
         );
+      } else if (result.stderr && result.stderr.includes("not found")) {
+        console.log(
+          "Set the environment variable DOCKER_CMD to use an alternative command such as nerdctl or podman."
+        );
       } else {
         console.log(result.stderr);
       }
       return localData;
     } else {
-      result = spawnSync("docker", ["inspect", fullImageName], {
+      result = spawnSync(dockerCmd, ["inspect", fullImageName], {
         encoding: "utf-8"
       });
       if (result.status !== 0 || result.error) {
@@ -385,7 +543,11 @@ export const getImage = async (fullImageName) => {
     }
   }
   try {
-    localData = await makeRequest(`images/${repoWithTag}/json`);
+    localData = await makeRequest(
+      `images/${repoWithTag}/json`,
+      "GET",
+      registry
+    );
     if (localData) {
       return localData;
     }
@@ -393,10 +555,14 @@ export const getImage = async (fullImageName) => {
     // ignore
   }
   try {
-    localData = await makeRequest(`images/${repo}/json`);
+    localData = await makeRequest(`images/${repo}/json`, "GET", registry);
   } catch (err) {
     try {
-      localData = await makeRequest(`images/${fullImageName}/json`);
+      localData = await makeRequest(
+        `images/${fullImageName}/json`,
+        "GET",
+        registry
+      );
       if (localData) {
         return localData;
       }
@@ -412,7 +578,8 @@ export const getImage = async (fullImageName) => {
     try {
       pullData = await makeRequest(
         `images/create?fromImage=${fullImageName}`,
-        "POST"
+        "POST",
+        registry
       );
       if (
         pullData &&
@@ -434,7 +601,8 @@ export const getImage = async (fullImageName) => {
         }
         pullData = await makeRequest(
           `images/create?fromImage=${repoWithTag}`,
-          "POST"
+          "POST",
+          registry
         );
       } catch (err) {
         // continue regardless of error
@@ -444,7 +612,11 @@ export const getImage = async (fullImageName) => {
       if (DEBUG_MODE) {
         console.log(`Trying with ${repoWithTag}`);
       }
-      localData = await makeRequest(`images/${repoWithTag}/json`);
+      localData = await makeRequest(
+        `images/${repoWithTag}/json`,
+        "GET",
+        registry
+      );
       if (localData) {
         return localData;
       }
@@ -453,7 +625,7 @@ export const getImage = async (fullImageName) => {
         if (DEBUG_MODE) {
           console.log(`Trying with ${repo}`);
         }
-        localData = await makeRequest(`images/${repo}/json`);
+        localData = await makeRequest(`images/${repo}/json`, "GET", registry);
         if (localData) {
           return localData;
         }
@@ -464,7 +636,11 @@ export const getImage = async (fullImageName) => {
         if (DEBUG_MODE) {
           console.log(`Trying with ${fullImageName}`);
         }
-        localData = await makeRequest(`images/${fullImageName}/json`);
+        localData = await makeRequest(
+          `images/${fullImageName}/json`,
+          "GET",
+          registry
+        );
       } catch (err) {
         // continue regardless of error
       }
@@ -684,7 +860,7 @@ export const exportImage = async (fullImageName) => {
   if (!localData) {
     return undefined;
   }
-  const { tag, digest } = parseImageName(fullImageName);
+  const { registry, tag, digest } = parseImageName(fullImageName);
   // Fetch only the latest tag if none is specified
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
@@ -695,7 +871,7 @@ export const exportImage = async (fullImageName) => {
   // Windows containers use index.json
   const manifestIndexFile = join(tempDir, "index.json");
   // On Windows, fallback to invoking cli
-  if (isWin) {
+  if (needsCliFallback()) {
     const imageTarFile = join(tempDir, "image.tar");
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using docker cli`
@@ -722,10 +898,16 @@ export const exportImage = async (fullImageName) => {
       }
     }
   } else {
-    const client = await getConnection();
+    const client = await getConnection({}, registry);
     try {
       if (DEBUG_MODE) {
-        console.log(`About to export image ${fullImageName} to ${tempDir}`);
+        if (registry && registry.trim().length) {
+          console.log(
+            `About to export image ${fullImageName} from ${registry} to ${tempDir}`
+          );
+        } else {
+          console.log(`About to export image ${fullImageName} to ${tempDir}`);
+        }
       }
       await stream.pipeline(
         client.stream(`images/${fullImageName}/get`),
@@ -896,3 +1078,46 @@ export const removeImage = async (fullImageName, force = false) => {
   );
   return removeData;
 };
+
+export const getCredsFromHelper = (exeSuffix, serverAddress) => {
+  if (registry_auth_keys[serverAddress]) {
+    return registry_auth_keys[serverAddress];
+  }
+  let credHelperExe = `docker-credential-${exeSuffix}`;
+  if (isWin) {
+    credHelperExe = credHelperExe + ".exe";
+  }
+  const result = spawnSync(credHelperExe, ["get"], {
+    input: serverAddress,
+    encoding: "utf-8"
+  });
+  if (result.status !== 0 || result.error) {
+    console.log(result.stdout, result.stderr);
+  } else if (result.stdout) {
+    const cmdOutput = Buffer.from(result.stdout).toString();
+    try {
+      const authPayload = JSON.parse(cmdOutput);
+      const fixedAuthPayload = {
+        username:
+          authPayload.username ||
+          authPayload.Username ||
+          process.env.DOCKER_USER,
+        password:
+          authPayload.password ||
+          authPayload.Secret ||
+          process.env.DOCKER_PASSWORD,
+        email:
+          authPayload.email || authPayload.username || process.env.DOCKER_USER,
+        serveraddress: serverAddress
+      };
+      const authKey = Buffer.from(JSON.stringify(fixedAuthPayload)).toString(
+        "base64"
+      );
+      registry_auth_keys[serverAddress] = authKey;
+      return authKey;
+    } catch (err) {
+      return undefined;
+    }
+  }
+  return undefined;
+};

package/docker.test.js

@@ -54,6 +54,15 @@ test("parseImageName tests", () => {
     digest: "",
     platform: ""
   });
+  expect(
+    parseImageName("foocorp.jfrog.io/docker/library/eclipse-temurin:latest")
+  ).toEqual({
+    registry: "foocorp.jfrog.io",
+    repo: "docker/library/eclipse-temurin",
+    tag: "latest",
+    digest: "",
+    platform: ""
+  });
   expect(
     parseImageName(
       "quay.io/shiftleft/scan-java@sha256:5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1"

package/index.js

@@ -1860,7 +1860,7 @@ export const createNodejsBom = async (path, options) => {
   const parentSubComponents = [];
   let ppurl = "";
   // Docker mode requires special handling
-  if (["docker", "oci", "os"].includes(options.projectType)) {
+  if (["docker", "oci", "container", "os"].includes(options.projectType)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
     // Are there any package.json files in the container?
     if (pkgJsonFiles.length) {
@@ -1880,7 +1880,7 @@ export const createNodejsBom = async (path, options) => {
   }
   let allImports = {};
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     !options.noBabel
   ) {
     if (DEBUG_MODE) {
@@ -2753,7 +2753,7 @@ export const createGoBom = async (path, options) => {
   if (gomodFiles.length) {
     let shouldManuallyParse = false;
     // Use the go list -deps and go mod why commands to generate a good quality BOM for non-docker invocations
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       for (const f of gomodFiles) {
         const basePath = dirname(f);
         // Ignore vendor packages
@@ -2865,7 +2865,7 @@ export const createGoBom = async (path, options) => {
       }
     }
     // Parse the gomod files manually. The resultant BOM would be incomplete
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       console.log(
         "Manually parsing go.mod files. The resultant BOM would be incomplete."
       );
@@ -3154,7 +3154,7 @@ export const createCppBom = (path, options) => {
   // inside of other project types. So we currently limit this analyis only when -t argument
   // is used.
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     (!options.createMultiXBom || options.deep)
   ) {
     let osPkgsList = [];
@@ -5296,6 +5296,7 @@ export const createBom = async (path, options) => {
     projectType === "docker" ||
     projectType === "podman" ||
     projectType === "oci" ||
+    projectType === "container" ||
     path.startsWith("docker.io") ||
     path.startsWith("quay.io") ||
     path.startsWith("ghcr.io") ||
@@ -5544,19 +5545,36 @@ export async function submitBom(args, bomContents) {
   if (encodedBomContents.startsWith("77u/")) {
     encodedBomContents = encodedBomContents.substring(4);
   }
-  let projectVersion = args.projectVersion || "master";
-  if (projectVersion == true) {
-    projectVersion = "master";
-  }
   const bomPayload = {
-    project: args.projectId,
-    projectName: args.projectName,
-    projectVersion: projectVersion,
     autoCreate: "true",
     bom: encodedBomContents
   };
-  if (typeof args.parentProjectId !== "undefined") {
-    bomPayload.parentUUID = args.parentProjectId;
+  let projectVersion = args.projectVersion || "master";
+  if (
+    typeof args.projectId !== "undefined" ||
+    (typeof args.projectName !== "undefined" &&
+      typeof projectVersion !== "undefined")
+  ) {
+    if (typeof args.projectId !== "undefined") {
+      bomPayload.project = args.projectId;
+    }
+    if (typeof args.projectName !== "undefined") {
+      bomPayload.projectName = args.projectName;
+    }
+    if (typeof projectVersion !== "undefined") {
+      bomPayload.projectVersion = projectVersion;
+    }
+  } else {
+    console.log(
+      "projectId, projectName and projectVersion, or all three must be provided."
+    );
+    return;
+  }
+  if (
+    typeof args.parentProjectId !== "undefined" ||
+    typeof args.parentUUID !== "undefined"
+  ) {
+    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
   }
   if (DEBUG_MODE) {
     console.log(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.4",
+  "version": "9.9.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.6.3",
+    "@appthreat/atom": "1.6.4",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",

package/server.js

@@ -72,7 +72,7 @@ const parseQueryString = (q, body, options = {}) => {
     "requiredOnly",
     "noBabel",
     "installDeps",
-    "project",
+    "projectId",
     "projectName",
     "projectGroup",
     "projectVersion",

package/utils.js

@@ -19,7 +19,8 @@ import {
   readFileSync,
   rmSync,
   unlinkSync,
-  writeFileSync
+  writeFileSync,
+  readdirSync
 } from "node:fs";
 import got from "got";
 import Arborist from "@npmcli/arborist";
@@ -6514,12 +6515,67 @@ export const parseJarManifest = function (jarMetadata) {
   return metadata;
 };
 
+export const parsePomProperties = function (pomProperties) {
+  const properties = {};
+  if (!pomProperties) {
+    return properties;
+  }
+  pomProperties.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
+    if (l.includes("=")) {
+      const tmpA = l.split("=");
+      if (tmpA && tmpA.length === 2) {
+        properties[tmpA[0]] = tmpA[1].replace("\r", "");
+      }
+    }
+  });
+  return properties;
+};
+
 export const encodeForPurl = (s) => {
   return s && !s.includes("%40")
     ? encodeURIComponent(s).replace(/%3A/g, ":").replace(/%2F/g, "/")
     : s;
 };
 
+/**
+ * Method to get pom properties from maven directory
+ *
+ * @param {string} mavenDir Path to maven directory
+ *
+ * @return array with pom properties
+ */
+export const getPomPropertiesFromMavenDir = function (mavenDir) {
+  let pomProperties = {};
+  if (existsSync(mavenDir) && lstatSync(mavenDir).isDirectory()) {
+    let mavenDirEntries = readdirSync(mavenDir, { withFileTypes: true });
+    mavenDirEntries.forEach((mavenDirEntry) => {
+      if (mavenDirEntry.isDirectory()) {
+        let groupDirEntries = readdirSync(
+          join(mavenDirEntry.path, mavenDirEntry.name),
+          { withFileTypes: true }
+        );
+        groupDirEntries.forEach((groupDirEntry) => {
+          if (groupDirEntry.isDirectory()) {
+            let pomPropertiesFile = join(
+              groupDirEntry.path,
+              groupDirEntry.name,
+              "pom.properties"
+            );
+            if (existsSync(pomPropertiesFile)) {
+              const pomPropertiesString = readFileSync(pomPropertiesFile, {
+                encoding: "utf-8"
+              });
+              pomProperties = parsePomProperties(pomPropertiesString);
+            }
+          }
+        });
+      }
+    });
+  }
+  return pomProperties;
+};
+
 /**
  * Method to extract a war or ear file
  *
@@ -6601,13 +6657,14 @@ export const extractJarArchive = function (
       }
       const manifestDir = join(tempDir, "META-INF");
       const manifestFile = join(manifestDir, "MANIFEST.MF");
+      const mavenDir = join(manifestDir, "maven");
       let jarResult = {
         status: 1
       };
       if (existsSync(pomname)) {
         jarResult = { status: 0 };
       } else {
-        jarResult = spawnSync("jar", ["-xf", jf], {
+        jarResult = spawnSync("jar", ["-xf", jf, "META-INF"], {
           encoding: "utf-8",
           cwd: tempDir,
           shell: isWin,
@@ -6617,29 +6674,42 @@ export const extractJarArchive = function (
       if (jarResult.status !== 0) {
         console.error(jarResult.stdout, jarResult.stderr);
       } else {
-        if (existsSync(manifestFile)) {
+        // When maven descriptor is available take group, name and version from pom.properties
+        // META-INF/maven/${groupId}/${artifactId}/pom.properties
+        // see https://maven.apache.org/shared/maven-archiver/index.html
+        const pomProperties = getPomPropertiesFromMavenDir(mavenDir);
+        let group = pomProperties["groupId"],
+          name = pomProperties["artifactId"],
+          version = pomProperties["version"],
+          confidence = 1,
+          technique = "manifest-analysis";
+        if ((!group || !name || !version) && existsSync(manifestFile)) {
+          confidence = 0.8;
           const jarMetadata = parseJarManifest(
             readFileSync(manifestFile, {
               encoding: "utf-8"
             })
           );
-          let group =
+          group =
+            group ||
             jarMetadata["Extension-Name"] ||
             jarMetadata["Implementation-Vendor-Id"] ||
             jarMetadata["Bundle-SymbolicName"] ||
             jarMetadata["Bundle-Vendor"] ||
             jarMetadata["Automatic-Module-Name"] ||
             "";
-          let version =
+          version =
+            version ||
             jarMetadata["Bundle-Version"] ||
             jarMetadata["Implementation-Version"] ||
             jarMetadata["Specification-Version"];
           if (version && version.includes(" ")) {
             version = version.split(" ")[0];
           }
-          let name = "";
           // Prefer jar filename to construct name and version
           if (!name || !version || name === "" || version === "") {
+            confidence = 0.5;
+            technique = "filename";
             const tmpA = jarname.split("-");
             if (tmpA && tmpA.length > 1) {
               const lastPart = tmpA[tmpA.length - 1];
@@ -6688,56 +6758,56 @@ export const extractJarArchive = function (
               break;
             }
           }
-          if (name && version) {
-            // if group is empty use name as group
-            group = encodeForPurl(group === "." ? name : group || name) || "";
-            let apkg = {
+          // if group is empty use name as group
+          group = group === "." ? name : group || name;
+        }
+        if (name && version) {
+          let apkg = {
+            group: group ? encodeForPurl(group) : "",
+            name: name ? encodeForPurl(name) : "",
+            version,
+            purl: new PackageURL(
+              "maven",
               group,
-              name: name ? encodeForPurl(name) : "",
+              name,
               version,
-              purl: new PackageURL(
-                "maven",
-                group,
-                name,
-                version,
-                { type: "jar" },
-                null
-              ).toString(),
-              evidence: {
-                identity: {
-                  field: "purl",
-                  confidence: 0.5,
-                  methods: [
-                    {
-                      technique: "filename",
-                      confidence: 0.5,
-                      value: jarname
-                    }
-                  ]
-                }
-              },
-              properties: [
-                {
-                  name: "SrcFile",
-                  value: jarname
-                }
-              ]
-            };
-            if (
-              jarNSMapping &&
-              jarNSMapping[apkg.purl] &&
-              jarNSMapping[apkg.purl].namespaces
-            ) {
-              apkg.properties.push({
-                name: "Namespaces",
-                value: jarNSMapping[apkg.purl].namespaces.join("\n")
-              });
-            }
-            pkgList.push(apkg);
-          } else {
-            if (DEBUG_MODE) {
-              console.log(`Ignored jar ${jarname}`, jarMetadata, name, version);
-            }
+              { type: "jar" },
+              null
+            ).toString(),
+            evidence: {
+              identity: {
+                field: "purl",
+                confidence: confidence,
+                methods: [
+                  {
+                    technique: technique,
+                    confidence: confidence,
+                    value: jarname
+                  }
+                ]
+              }
+            },
+            properties: [
+              {
+                name: "SrcFile",
+                value: jarname
+              }
+            ]
+          };
+          if (
+            jarNSMapping &&
+            jarNSMapping[apkg.purl] &&
+            jarNSMapping[apkg.purl].namespaces
+          ) {
+            apkg.properties.push({
+              name: "Namespaces",
+              value: jarNSMapping[apkg.purl].namespaces.join("\n")
+            });
+          }
+          pkgList.push(apkg);
+        } else {
+          if (DEBUG_MODE) {
+            console.log(`Ignored jar ${jarname}`, name, version);
           }
         }
         try {
@@ -6929,6 +6999,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
   let isWrapperReady = false;
   let isWrapperFound = false;
   let findMavenFile = "mvnw";
+  let mavenWrapperCmd = null;
   if (platform() == "win32") {
     findMavenFile = "mvnw.bat";
     if (
@@ -6947,7 +7018,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(srcPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(srcPath, findMavenFile));
     isWrapperFound = true;
   } else if (rootPath && existsSync(join(rootPath, findMavenFile))) {
     // Check if the root directory has a wrapper script
@@ -6956,7 +7027,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(rootPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(rootPath, findMavenFile));
     isWrapperFound = true;
   }
   if (isWrapperFound) {
@@ -6965,14 +7036,15 @@ export const getMavenCommand = (srcPath, rootPath) => {
         "Testing the wrapper script by invoking wrapper:wrapper task"
       );
     }
-    const result = spawnSync(mavenCmd, ["wrapper:wrapper"], {
+    const result = spawnSync(mavenWrapperCmd, ["wrapper:wrapper"], {
       encoding: "utf-8",
       cwd: rootPath,
       timeout: TIMEOUT_MS,
       shell: isWin
     });
-    if (!result.error) {
+    if (!result.error && !result.status) {
       isWrapperReady = true;
+      mavenCmd = mavenWrapperCmd;
     } else {
       if (DEBUG_MODE) {
         console.log(