@cyclonedx/cdxgen 9.9.4 → 9.9.6

package/docker.test.js

@@ -24,35 +24,65 @@ test("parseImageName tests", () => {
     repo: "debian",
     tag: "",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "",
+    name: "debian"
   });
   expect(parseImageName("debian:latest")).toEqual({
     registry: "",
     repo: "debian",
     tag: "latest",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "",
+    name: "debian"
+  });
+  expect(parseImageName("library/debian:latest")).toEqual({
+    registry: "",
+    repo: "library/debian",
+    tag: "latest",
+    digest: "",
+    platform: "",
+    group: "library",
+    name: "debian"
   });
   expect(parseImageName("shiftleft/scan:v1.15.6")).toEqual({
     registry: "",
     repo: "shiftleft/scan",
     tag: "v1.15.6",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
   });
   expect(parseImageName("localhost:5000/shiftleft/scan:v1.15.6")).toEqual({
     registry: "localhost:5000",
     repo: "shiftleft/scan",
     tag: "v1.15.6",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
   });
   expect(parseImageName("localhost:5000/shiftleft/scan")).toEqual({
     registry: "localhost:5000",
     repo: "shiftleft/scan",
     tag: "",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
+  });
+  expect(
+    parseImageName("foocorp.jfrog.io/docker/library/eclipse-temurin:latest")
+  ).toEqual({
+    registry: "foocorp.jfrog.io",
+    repo: "docker/library/eclipse-temurin",
+    tag: "latest",
+    digest: "",
+    platform: "",
+    group: "docker/library",
+    name: "eclipse-temurin"
   });
   expect(
     parseImageName(
@@ -63,7 +93,9 @@ test("parseImageName tests", () => {
     repo: "shiftleft/scan-java",
     tag: "",
     digest: "5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan-java"
   });
 }, 120000);
 

package/evinser.js

@@ -322,6 +322,29 @@ export const analyzeProject = async (dbObjMap, options) => {
   // Load any existing purl-location information from the sbom.
   // For eg: cdxgen populates this information for javascript projects
   let { purlLocationMap, purlImportsMap } = initFromSbom(components);
+  // Do reachables first so that usages slicing can reuse the atom file
+  if (options.withReachables) {
+    if (
+      options.reachablesSlicesFile &&
+      fs.existsSync(options.reachablesSlicesFile)
+    ) {
+      reachablesSlicesFile = options.reachablesSlicesFile;
+      reachablesSlice = JSON.parse(
+        fs.readFileSync(options.reachablesSlicesFile, "utf-8")
+      );
+    } else {
+      retMap = createSlice(language, dirPath, "reachables", options);
+      if (retMap && retMap.slicesFile && fs.existsSync(retMap.slicesFile)) {
+        reachablesSlicesFile = retMap.slicesFile;
+        reachablesSlice = JSON.parse(
+          fs.readFileSync(retMap.slicesFile, "utf-8")
+        );
+      }
+    }
+  }
+  if (reachablesSlice && Object.keys(reachablesSlice).length) {
+    dataFlowFrames = await collectReachableFrames(language, reachablesSlice);
+  }
   // Reuse existing usages slices
   if (options.usagesSlicesFile && fs.existsSync(options.usagesSlicesFile)) {
     usageSlice = JSON.parse(fs.readFileSync(options.usagesSlicesFile, "utf-8"));
@@ -374,28 +397,6 @@ export const analyzeProject = async (dbObjMap, options) => {
       purlImportsMap
     );
   }
-  if (options.withReachables) {
-    if (
-      options.reachablesSlicesFile &&
-      fs.existsSync(options.reachablesSlicesFile)
-    ) {
-      reachablesSlicesFile = options.reachablesSlicesFile;
-      reachablesSlice = JSON.parse(
-        fs.readFileSync(options.reachablesSlicesFile, "utf-8")
-      );
-    } else {
-      retMap = createSlice(language, dirPath, "reachables", options);
-      if (retMap && retMap.slicesFile && fs.existsSync(retMap.slicesFile)) {
-        reachablesSlicesFile = retMap.slicesFile;
-        reachablesSlice = JSON.parse(
-          fs.readFileSync(retMap.slicesFile, "utf-8")
-        );
-      }
-    }
-  }
-  if (reachablesSlice && Object.keys(reachablesSlice).length) {
-    dataFlowFrames = await collectReachableFrames(language, reachablesSlice);
-  }
   return {
     atomFile: retMap.atomFile,
     usagesSlicesFile,
@@ -776,15 +777,19 @@ export const detectServicesFromUDT = (
   servicesMap
 ) => {
   if (
-    ["python", "py"].includes(language) &&
+    ["python", "py", "c", "cpp", "c++"].includes(language) &&
     userDefinedTypes &&
     userDefinedTypes.length
   ) {
     for (const audt of userDefinedTypes) {
       if (
-        audt.name.includes("route") ||
-        audt.name.includes("path") ||
-        audt.name.includes("url")
+        audt.name.toLowerCase().includes("route") ||
+        audt.name.toLowerCase().includes("path") ||
+        audt.name.toLowerCase().includes("url") ||
+        audt.name.toLowerCase().includes("registerhandler") ||
+        audt.name.toLowerCase().includes("endpoint") ||
+        audt.name.toLowerCase().includes("api") ||
+        audt.name.toLowerCase().includes("add_method")
       ) {
         const fields = audt.fields || [];
         if (
@@ -875,14 +880,11 @@ export const extractEndpoints = (language, code) => {
           );
       }
       break;
-    case "py":
-    case "python":
+    default:
       endpoints = (code.match(/['"](.*?)['"]/gi) || [])
         .map((v) => v.replace(/["']/g, "").replace("\n", ""))
         .filter((v) => v.length > 2);
       break;
-    default:
-      break;
   }
   return endpoints;
 };
@@ -910,6 +912,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
   const components = bomJson.components || [];
   let occEvidencePresent = false;
   let csEvidencePresent = false;
+  let servicesPresent = false;
   for (const comp of components) {
     if (!comp.purl) {
       continue;
@@ -957,6 +960,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
     }
     // Add to existing services
     bomJson.services = (bomJson.services || []).concat(services);
+    servicesPresent = true;
   }
   if (options.annotate) {
     if (!bomJson.annotations) {
@@ -993,7 +997,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
   bomJson.metadata.timestamp = new Date().toISOString();
   delete bomJson.signature;
   fs.writeFileSync(evinseOutFile, JSON.stringify(bomJson, null, 2));
-  if (occEvidencePresent || csEvidencePresent) {
+  if (occEvidencePresent || csEvidencePresent || servicesPresent) {
     console.log(evinseOutFile, "created successfully.");
   } else {
     console.log(

package/index.js

@@ -105,7 +105,8 @@ import {
   MAX_BUFFER,
   getNugetMetadata,
   frameworksList,
-  parseContainerFile
+  parseContainerFile,
+  parseBitbucketPipelinesFile
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -1860,7 +1861,7 @@ export const createNodejsBom = async (path, options) => {
   const parentSubComponents = [];
   let ppurl = "";
   // Docker mode requires special handling
-  if (["docker", "oci", "os"].includes(options.projectType)) {
+  if (["docker", "oci", "container", "os"].includes(options.projectType)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
     // Are there any package.json files in the container?
     if (pkgJsonFiles.length) {
@@ -1880,7 +1881,7 @@ export const createNodejsBom = async (path, options) => {
   }
   let allImports = {};
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     !options.noBabel
   ) {
     if (DEBUG_MODE) {
@@ -2753,7 +2754,7 @@ export const createGoBom = async (path, options) => {
   if (gomodFiles.length) {
     let shouldManuallyParse = false;
     // Use the go list -deps and go mod why commands to generate a good quality BOM for non-docker invocations
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       for (const f of gomodFiles) {
         const basePath = dirname(f);
         // Ignore vendor packages
@@ -2865,7 +2866,7 @@ export const createGoBom = async (path, options) => {
       }
     }
     // Parse the gomod files manually. The resultant BOM would be incomplete
-    if (!["docker", "oci", "os"].includes(options.projectType)) {
+    if (!["docker", "oci", "container", "os"].includes(options.projectType)) {
       console.log(
         "Manually parsing go.mod files. The resultant BOM would be incomplete."
       );
@@ -3148,13 +3149,25 @@ export const createCppBom = (path, options) => {
         retMap.parentComponent.type = "library";
         pkgList.push(retMap.parentComponent);
       }
+      // Retain the dependency tree from cmake
+      if (retMap.dependenciesList) {
+        if (dependencies.length) {
+          dependencies = mergeDependencies(
+            dependencies,
+            retMap.dependenciesList,
+            parentComponent
+          );
+        } else {
+          dependencies = retMap.dependenciesList;
+        }
+      }
     }
   }
   // The need for java >= 17 with atom is causing confusions since there could be C projects
   // inside of other project types. So we currently limit this analyis only when -t argument
   // is used.
   if (
-    !["docker", "oci", "os"].includes(options.projectType) &&
+    !["docker", "oci", "container", "os"].includes(options.projectType) &&
     (!options.createMultiXBom || options.deep)
   ) {
     let osPkgsList = [];
@@ -3719,6 +3732,11 @@ export const createContainerSpecLikeBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "*Dockerfile*",
     options
   );
+  const bbPipelineFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "bitbucket-pipelines.yml",
+    options
+  );
   const cfFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*Containerfile*",
@@ -3747,27 +3765,35 @@ export const createContainerSpecLikeBom = async (path, options) => {
   }
   // Privado.ai json files
   const privadoFiles = getAllFiles(path, ".privado/" + "*.json", options);
-  // Parse yaml manifest files, dockerfiles or containerfiles
-  if (dcFiles.length || dfFiles.length || cfFiles.length) {
-    for (const f of [...dcFiles, ...dfFiles, ...cfFiles]) {
+
+  // Parse yaml manifest files, dockerfiles, containerfiles or bitbucket pipeline files
+  if (
+    dcFiles.length ||
+    dfFiles.length ||
+    cfFiles.length ||
+    bbPipelineFiles.length
+  ) {
+    for (const f of [...dcFiles, ...dfFiles, ...cfFiles, ...bbPipelineFiles]) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
 
       const dData = readFileSync(f, { encoding: "utf-8" });
-      let imglist = [];
+      let imgList = [];
       // parse yaml manifest files
-      if (f.endsWith(".yml") || f.endsWith(".yaml")) {
-        imglist = parseContainerSpecData(dData);
+      if (f.endsWith("bitbucket-pipelines.yml")) {
+        imgList = parseBitbucketPipelinesFile(dData);
+      } else if (f.endsWith(".yml") || f.endsWith(".yaml")) {
+        imgList = parseContainerSpecData(dData);
       } else {
-        imglist = parseContainerFile(dData);
+        imgList = parseContainerFile(dData);
       }
 
-      if (imglist && imglist.length) {
+      if (imgList && imgList.length) {
         if (DEBUG_MODE) {
-          console.log("Images identified in", f, "are", imglist);
+          console.log("Images identified in", f, "are", imgList);
         }
-        for (const img of imglist) {
+        for (const img of imgList) {
           const commonProperties = [
             {
               name: "SrcFile",
@@ -3832,20 +3858,26 @@ export const createContainerSpecLikeBom = async (path, options) => {
               console.log(`Parsing image ${img.image}`);
             }
             const imageObj = parseImageName(img.image);
+
             const pkg = {
-              name: imageObj.repo,
+              name: imageObj.name,
+              group: imageObj.group,
               version:
                 imageObj.tag ||
                 (imageObj.digest ? "sha256:" + imageObj.digest : "latest"),
               qualifiers: {},
-              properties: commonProperties
+              properties: commonProperties,
+              type: "container"
             };
             if (imageObj.registry) {
-              pkg["qualifiers"]["repository_url"] = imageObj.registry;
+              pkg["qualifiers"]["repository_url"] = img.image;
             }
             if (imageObj.platform) {
               pkg["qualifiers"]["platform"] = imageObj.platform;
             }
+            if (imageObj.tag) {
+              pkg["qualifiers"]["tag"] = imageObj.tag;
+            }
             // Create an entry for the oci image
             const imageBomData = buildBomNSData(options, [pkg], "oci", {
               src: img.image,
@@ -5296,6 +5328,7 @@ export const createBom = async (path, options) => {
     projectType === "docker" ||
     projectType === "podman" ||
     projectType === "oci" ||
+    projectType === "container" ||
     path.startsWith("docker.io") ||
     path.startsWith("quay.io") ||
     path.startsWith("ghcr.io") ||
@@ -5544,19 +5577,36 @@ export async function submitBom(args, bomContents) {
   if (encodedBomContents.startsWith("77u/")) {
     encodedBomContents = encodedBomContents.substring(4);
   }
-  let projectVersion = args.projectVersion || "master";
-  if (projectVersion == true) {
-    projectVersion = "master";
-  }
   const bomPayload = {
-    project: args.projectId,
-    projectName: args.projectName,
-    projectVersion: projectVersion,
     autoCreate: "true",
     bom: encodedBomContents
   };
-  if (typeof args.parentProjectId !== "undefined") {
-    bomPayload.parentUUID = args.parentProjectId;
+  let projectVersion = args.projectVersion || "master";
+  if (
+    typeof args.projectId !== "undefined" ||
+    (typeof args.projectName !== "undefined" &&
+      typeof projectVersion !== "undefined")
+  ) {
+    if (typeof args.projectId !== "undefined") {
+      bomPayload.project = args.projectId;
+    }
+    if (typeof args.projectName !== "undefined") {
+      bomPayload.projectName = args.projectName;
+    }
+    if (typeof projectVersion !== "undefined") {
+      bomPayload.projectVersion = projectVersion;
+    }
+  } else {
+    console.log(
+      "projectId, projectName and projectVersion, or all three must be provided."
+    );
+    return;
+  }
+  if (
+    typeof args.parentProjectId !== "undefined" ||
+    typeof args.parentUUID !== "undefined"
+  ) {
+    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
   }
   if (DEBUG_MODE) {
     console.log(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.4",
+  "version": "9.9.6",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,13 +55,13 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.3",
-    "@babel/traverse": "^7.23.3",
+    "@babel/parser": "^7.23.5",
+    "@babel/traverse": "^7.23.5",
     "@npmcli/arborist": "7.2.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
-    "edn-data": "^1.0.0",
+    "edn-data": "1.1.1",
     "find-up": "^6.3.0",
     "glob": "^10.3.10",
     "global-agent": "^3.0.0",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.6.3",
+    "@appthreat/atom": "1.7.2",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -91,7 +91,7 @@
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.3",
-    "sequelize": "^6.35.0",
+    "sequelize": "^6.35.1",
     "sqlite3": "^5.1.6"
   },
   "files": [
@@ -102,7 +102,7 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.53.0",
+    "eslint": "^8.54.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",

package/server.js

@@ -72,7 +72,7 @@ const parseQueryString = (q, body, options = {}) => {
     "requiredOnly",
     "noBabel",
     "installDeps",
-    "project",
+    "projectId",
     "projectName",
     "projectGroup",
     "projectVersion",
@@ -83,7 +83,8 @@ const parseQueryString = (q, body, options = {}) => {
     "filter",
     "only",
     "autoCompositions",
-    "gitBranch"
+    "gitBranch",
+    "active"
   ];
 
   for (const param of queryParams) {