@cyclonedx/cdxgen 9.9.4 → 9.9.6

package/utils.js

@@ -19,7 +19,8 @@ import {
   readFileSync,
   rmSync,
   unlinkSync,
-  writeFileSync
+  writeFileSync,
+  readdirSync
 } from "node:fs";
 import got from "got";
 import Arborist from "@npmcli/arborist";
@@ -216,20 +217,10 @@ export function getLicenses(pkg, format = "xml") {
             licenseContent.id = l;
             licenseContent.url = "https://opensource.org/licenses/" + l;
           } else if (l.startsWith("http")) {
-            if (!l.includes("opensource.org")) {
-              licenseContent.name = "CUSTOM";
-            } else {
-              const possibleId = l
-                .replace("http://www.opensource.org/licenses/", "")
-                .toUpperCase();
-              spdxLicenses.forEach((v) => {
-                if (v.toUpperCase() === possibleId) {
-                  licenseContent.id = v;
-                }
-              });
-            }
-            if (l.includes("mit-license")) {
-              licenseContent.id = "MIT";
+            let knownLicense = getKnownLicense(l, pkg);
+            if (knownLicense) {
+              licenseContent.id = knownLicense.id;
+              licenseContent.name = knownLicense.name;
             }
             // We always need a name to avoid validation errors
             // Issue: #469
@@ -251,10 +242,82 @@ export function getLicenses(pkg, format = "xml") {
         return licenseContent;
       })
       .map((l) => ({ license: l }));
+  } else {
+    let knownLicense = getKnownLicense(undefined, pkg);
+    if (knownLicense) {
+      return [{ license: knownLicense }];
+    }
   }
   return undefined;
 }
 
+/**
+ * Method to retrieve known license by known-licenses.json
+ *
+ * @param {String} repoUrl Repository url
+ * @param {String} pkg Bom ref
+ * @return {Object>} Objetct with SPDX license id or license name
+ */
+export const getKnownLicense = function (licenseUrl, pkg) {
+  if (licenseUrl && licenseUrl.includes("opensource.org")) {
+    const possibleId = licenseUrl
+      .toLowerCase()
+      .replace("https://", "http://")
+      .replace("http://www.opensource.org/licenses/", "");
+    for (const spdxLicense of spdxLicenses) {
+      if (spdxLicense.toLowerCase() === possibleId) {
+        return { id: spdxLicense };
+      }
+    }
+  } else if (licenseUrl && licenseUrl.includes("apache.org")) {
+    const possibleId = licenseUrl
+      .toLowerCase()
+      .replace("https://", "http://")
+      .replace("http://www.apache.org/licenses/license-", "apache-")
+      .replace(".txt", "");
+    for (const spdxLicense of spdxLicenses) {
+      if (spdxLicense.toLowerCase() === possibleId) {
+        return { id: spdxLicense };
+      }
+    }
+  }
+  for (const akLicGroup of knownLicenses) {
+    if (
+      akLicGroup.packageNamespace === "*" ||
+      (pkg.purl && pkg.purl.startsWith(akLicGroup.packageNamespace))
+    ) {
+      for (const akLic of akLicGroup.knownLicenses) {
+        if (akLic.group && akLic.name) {
+          if (akLic.group === "." && akLic.name === pkg.name) {
+            return { id: akLic.license, name: akLic.licenseName };
+          } else if (
+            pkg.group &&
+            pkg.group.includes(akLic.group) &&
+            (akLic.name === pkg.name || akLic.name === "*")
+          ) {
+            return { id: akLic.license, name: akLic.licenseName };
+          }
+        }
+        if (
+          akLic.urlIncludes &&
+          licenseUrl &&
+          licenseUrl.includes(akLic.urlIncludes)
+        ) {
+          return { id: akLic.license, name: akLic.licenseName };
+        }
+        if (
+          akLic.urlEndswith &&
+          licenseUrl &&
+          licenseUrl.endsWith(akLic.urlEndswith)
+        ) {
+          return { id: akLic.license, name: akLic.licenseName };
+        }
+      }
+    }
+  }
+  return undefined;
+};
+
 /**
  * Tries to find a file containing the license text based on commonly
  * used naming and content types. If a candidate file is found, add
@@ -2429,7 +2492,7 @@ export const fetchPomXmlAsJson = async function ({
  * @param {String} name
  * @param {String} version
  *
- * @return {String}
+ * @return {Promise<String>}
  */
 export const fetchPomXml = async function ({
   urlPrefix,
@@ -2466,7 +2529,7 @@ export const parseLicenseEntryOrArrayFromPomXml = function (license) {
  * @param {String} name
  * @param {String} version
  *
- * @return {String} License ID
+ * @return {Promise<String>} License ID
  */
 export const extractLicenseCommentFromPomXml = async function ({
   urlPrefix,
@@ -3286,7 +3349,7 @@ export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
  *
  * @param {String} repoUrl Repository url
  * @param {Object} repoMetadata Object containing group and package name strings
- * @return {String} SPDX license id
+ * @return {Promise<String>} SPDX license id
  */
 export const getRepoLicense = async function (repoUrl, repoMetadata) {
   let apiUrl = toGitHubApiUrl(repoUrl, repoMetadata);
@@ -3322,23 +3385,23 @@ export const getRepoLicense = async function (repoUrl, repoMetadata) {
           }
         }
         licObj["id"] = licenseId;
-        return licObj;
+        if (licObj["id"] || licObj["name"]) {
+          return licObj;
+        }
       }
     } catch (err) {
-      return undefined;
-    }
-  } else if (repoMetadata) {
-    const group = repoMetadata.group;
-    const name = repoMetadata.name;
-    if (group && name) {
-      for (const akLic of knownLicenses) {
-        if (akLic.group === "." && akLic.name === name) {
-          return akLic.license;
-        } else if (
-          group.includes(akLic.group) &&
-          (akLic.name === name || akLic.name === "*")
+      if (err && err.message) {
+        if (
+          err.message.includes("rate limit exceeded") &&
+          !process.env.GITHUB_TOKEN
         ) {
-          return akLic.license;
+          console.log(
+            "Rate limit exceeded for REST API of github.com. " +
+              "Please ensure GITHUB_TOKEN is set as environment variable. " +
+              "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api"
+          );
+        } else if (!err.message.includes("404")) {
+          console.log(err);
         }
       }
     }
@@ -4392,12 +4455,14 @@ export const parseContainerFile = function (fileContents) {
   const imgList = [];
 
   let buildStageNames = [];
-  for (const line of fileContents.split("\n")) {
-    if (line.trim().startsWith("#")) {
+  for (let line of fileContents.split("\n")) {
+    line = line.trim();
+
+    if (line.startsWith("#")) {
       continue; // skip commented out lines
     }
 
-    if (line.includes("FROM")) {
+    if (line.startsWith("FROM")) {
       const fromStatement = line.split("FROM")[1].split("AS");
 
       const imageStatement = fromStatement[0].trim();
@@ -4425,6 +4490,68 @@ export const parseContainerFile = function (fileContents) {
   return imgList;
 };
 
+export const parseBitbucketPipelinesFile = function (fileContents) {
+  const imgList = [];
+
+  let privateImageBlockFound = false;
+
+  for (let line of fileContents.split("\n")) {
+    line = line.trim();
+    if (line.startsWith("#")) {
+      continue; // skip commented out lines
+    }
+
+    // Assume this is a private build image object
+    if (line.startsWith("name:") && privateImageBlockFound) {
+      const imageName = line.split("name:").pop().trim();
+
+      imgList.push({
+        image: imageName
+      });
+
+      privateImageBlockFound = false;
+    }
+
+    // Docker image usage
+    if (line.startsWith("image:")) {
+      const imageName = line.split("image:").pop().trim();
+
+      /**
+       * Assume this is a private build image object
+       * See: https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/#Using-private-build-images
+       */
+      if (imageName === "") {
+        privateImageBlockFound = true;
+        continue;
+      } else {
+        /**
+         * Assume this is a public build image
+         * See: https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/#Using-public-build-images
+         */
+
+        imgList.push({
+          image: imageName
+        });
+      }
+    }
+
+    // Pipe usage
+    if (line.startsWith("- pipe:")) {
+      let pipeName = line.split("- pipe:").pop().trim();
+
+      if (pipeName.startsWith("docker://")) {
+        pipeName = pipeName.replace("docker://", "");
+      }
+
+      imgList.push({
+        image: pipeName
+      });
+    }
+  }
+
+  return imgList;
+};
+
 export const parseContainerSpecData = function (dcData) {
   const pkgList = [];
   const imgList = [];
@@ -4617,8 +4744,13 @@ export const parseOpenapiSpecData = function (oaData) {
   } catch (e) {
     return servlist;
   }
-  const name = oaData.info.title.replace(/ /g, "-");
-  const version = oaData.info.version || "latest";
+
+  const name =
+    oaData.info && oaData.info.title
+      ? oaData.info.title.replace(/ /g, "-")
+      : "default-name";
+  const version =
+    oaData.info && oaData.info.version ? oaData.info.version : "latest";
   const aservice = {
     "bom-ref": `urn:service:${name}:${version}`,
     name,
@@ -5404,7 +5536,7 @@ export const parseComposerLock = function (pkgLockFile) {
   if (existsSync(pkgLockFile)) {
     let lockData = {};
     try {
-      lockData = JSON.parse(readFileSync(pkgLockFile, "utf8"));
+      lockData = JSON.parse(readFileSync(pkgLockFile, { encoding: "utf-8" }));
     } catch (e) {
       console.error("Invalid composer.lock file:", pkgLockFile);
       return [];
@@ -5473,7 +5605,7 @@ export const parseSbtTree = (sbtTreeFile) => {
   const dependenciesList = [];
   const keys_cache = {};
   const level_trees = {};
-  const tmpA = readFileSync(sbtTreeFile, "utf-8").split("\n");
+  const tmpA = readFileSync(sbtTreeFile, { encoding: "utf-8" }).split("\n");
   let last_level = 0;
   let last_purl = "";
   let stack = [];
@@ -5605,7 +5737,9 @@ export const parseSbtTree = (sbtTreeFile) => {
 export const parseSbtLock = function (pkgLockFile) {
   const pkgList = [];
   if (existsSync(pkgLockFile)) {
-    const lockData = JSON.parse(readFileSync(pkgLockFile, "utf8"));
+    const lockData = JSON.parse(
+      readFileSync(pkgLockFile, { encoding: "utf-8" })
+    );
     if (lockData && lockData.dependencies) {
       for (const pkg of lockData.dependencies) {
         const artifacts = pkg.artifacts || undefined;
@@ -6062,7 +6196,9 @@ export const parseSwiftResolved = (resolvedFile) => {
   const pkgList = [];
   if (existsSync(resolvedFile)) {
     try {
-      const pkgData = JSON.parse(readFileSync(resolvedFile, "utf8"));
+      const pkgData = JSON.parse(
+        readFileSync(resolvedFile, { encoding: "utf-8" })
+      );
       let resolvedList = [];
       if (pkgData.pins) {
         resolvedList = pkgData.pins;
@@ -6255,7 +6391,7 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
         }
       }
       if (existsSync(pomname)) {
-        pomData = parsePomXml(readFileSync(pomname, "utf-8"));
+        pomData = parsePomXml(readFileSync(pomname, { encoding: "utf-8" }));
         if (pomData) {
           const purlObj = new PackageURL(
             "maven",
@@ -6514,12 +6650,67 @@ export const parseJarManifest = function (jarMetadata) {
   return metadata;
 };
 
+export const parsePomProperties = function (pomProperties) {
+  const properties = {};
+  if (!pomProperties) {
+    return properties;
+  }
+  pomProperties.split("\n").forEach((l) => {
+    l = l.replace("\r", "");
+    if (l.includes("=")) {
+      const tmpA = l.split("=");
+      if (tmpA && tmpA.length === 2) {
+        properties[tmpA[0]] = tmpA[1].replace("\r", "");
+      }
+    }
+  });
+  return properties;
+};
+
 export const encodeForPurl = (s) => {
   return s && !s.includes("%40")
     ? encodeURIComponent(s).replace(/%3A/g, ":").replace(/%2F/g, "/")
     : s;
 };
 
+/**
+ * Method to get pom properties from maven directory
+ *
+ * @param {string} mavenDir Path to maven directory
+ *
+ * @return array with pom properties
+ */
+export const getPomPropertiesFromMavenDir = function (mavenDir) {
+  let pomProperties = {};
+  if (existsSync(mavenDir) && lstatSync(mavenDir).isDirectory()) {
+    let mavenDirEntries = readdirSync(mavenDir, { withFileTypes: true });
+    mavenDirEntries.forEach((mavenDirEntry) => {
+      if (mavenDirEntry.isDirectory()) {
+        let groupDirEntries = readdirSync(
+          join(mavenDirEntry.path, mavenDirEntry.name),
+          { withFileTypes: true }
+        );
+        groupDirEntries.forEach((groupDirEntry) => {
+          if (groupDirEntry.isDirectory()) {
+            let pomPropertiesFile = join(
+              groupDirEntry.path,
+              groupDirEntry.name,
+              "pom.properties"
+            );
+            if (existsSync(pomPropertiesFile)) {
+              const pomPropertiesString = readFileSync(pomPropertiesFile, {
+                encoding: "utf-8"
+              });
+              pomProperties = parsePomProperties(pomPropertiesString);
+            }
+          }
+        });
+      }
+    });
+  }
+  return pomProperties;
+};
+
 /**
  * Method to extract a war or ear file
  *
@@ -6601,13 +6792,14 @@ export const extractJarArchive = function (
       }
       const manifestDir = join(tempDir, "META-INF");
       const manifestFile = join(manifestDir, "MANIFEST.MF");
+      const mavenDir = join(manifestDir, "maven");
       let jarResult = {
         status: 1
       };
       if (existsSync(pomname)) {
         jarResult = { status: 0 };
       } else {
-        jarResult = spawnSync("jar", ["-xf", jf], {
+        jarResult = spawnSync("jar", ["-xf", jf, "META-INF"], {
           encoding: "utf-8",
           cwd: tempDir,
           shell: isWin,
@@ -6617,29 +6809,42 @@ export const extractJarArchive = function (
       if (jarResult.status !== 0) {
         console.error(jarResult.stdout, jarResult.stderr);
       } else {
-        if (existsSync(manifestFile)) {
+        // When maven descriptor is available take group, name and version from pom.properties
+        // META-INF/maven/${groupId}/${artifactId}/pom.properties
+        // see https://maven.apache.org/shared/maven-archiver/index.html
+        const pomProperties = getPomPropertiesFromMavenDir(mavenDir);
+        let group = pomProperties["groupId"],
+          name = pomProperties["artifactId"],
+          version = pomProperties["version"],
+          confidence = 1,
+          technique = "manifest-analysis";
+        if ((!group || !name || !version) && existsSync(manifestFile)) {
+          confidence = 0.8;
           const jarMetadata = parseJarManifest(
             readFileSync(manifestFile, {
               encoding: "utf-8"
             })
           );
-          let group =
+          group =
+            group ||
             jarMetadata["Extension-Name"] ||
             jarMetadata["Implementation-Vendor-Id"] ||
             jarMetadata["Bundle-SymbolicName"] ||
             jarMetadata["Bundle-Vendor"] ||
             jarMetadata["Automatic-Module-Name"] ||
             "";
-          let version =
+          version =
+            version ||
             jarMetadata["Bundle-Version"] ||
             jarMetadata["Implementation-Version"] ||
             jarMetadata["Specification-Version"];
           if (version && version.includes(" ")) {
             version = version.split(" ")[0];
           }
-          let name = "";
           // Prefer jar filename to construct name and version
           if (!name || !version || name === "" || version === "") {
+            confidence = 0.5;
+            technique = "filename";
             const tmpA = jarname.split("-");
             if (tmpA && tmpA.length > 1) {
               const lastPart = tmpA[tmpA.length - 1];
@@ -6688,56 +6893,56 @@ export const extractJarArchive = function (
               break;
             }
           }
-          if (name && version) {
-            // if group is empty use name as group
-            group = encodeForPurl(group === "." ? name : group || name) || "";
-            let apkg = {
+          // if group is empty use name as group
+          group = group === "." ? name : group || name;
+        }
+        if (name && version) {
+          let apkg = {
+            group: group ? encodeForPurl(group) : "",
+            name: name ? encodeForPurl(name) : "",
+            version,
+            purl: new PackageURL(
+              "maven",
               group,
-              name: name ? encodeForPurl(name) : "",
+              name,
               version,
-              purl: new PackageURL(
-                "maven",
-                group,
-                name,
-                version,
-                { type: "jar" },
-                null
-              ).toString(),
-              evidence: {
-                identity: {
-                  field: "purl",
-                  confidence: 0.5,
-                  methods: [
-                    {
-                      technique: "filename",
-                      confidence: 0.5,
-                      value: jarname
-                    }
-                  ]
-                }
-              },
-              properties: [
-                {
-                  name: "SrcFile",
-                  value: jarname
-                }
-              ]
-            };
-            if (
-              jarNSMapping &&
-              jarNSMapping[apkg.purl] &&
-              jarNSMapping[apkg.purl].namespaces
-            ) {
-              apkg.properties.push({
-                name: "Namespaces",
-                value: jarNSMapping[apkg.purl].namespaces.join("\n")
-              });
-            }
-            pkgList.push(apkg);
-          } else {
-            if (DEBUG_MODE) {
-              console.log(`Ignored jar ${jarname}`, jarMetadata, name, version);
-            }
+              { type: "jar" },
+              null
+            ).toString(),
+            evidence: {
+              identity: {
+                field: "purl",
+                confidence: confidence,
+                methods: [
+                  {
+                    technique: technique,
+                    confidence: confidence,
+                    value: jarname
+                  }
+                ]
+              }
+            },
+            properties: [
+              {
+                name: "SrcFile",
+                value: jarname
+              }
+            ]
+          };
+          if (
+            jarNSMapping &&
+            jarNSMapping[apkg.purl] &&
+            jarNSMapping[apkg.purl].namespaces
+          ) {
+            apkg.properties.push({
+              name: "Namespaces",
+              value: jarNSMapping[apkg.purl].namespaces.join("\n")
+            });
+          }
+          pkgList.push(apkg);
+        } else {
+          if (DEBUG_MODE) {
+            console.log(`Ignored jar ${jarname}`, name, version);
           }
         }
         try {
@@ -6929,6 +7134,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
   let isWrapperReady = false;
   let isWrapperFound = false;
   let findMavenFile = "mvnw";
+  let mavenWrapperCmd = null;
   if (platform() == "win32") {
     findMavenFile = "mvnw.bat";
     if (
@@ -6947,7 +7153,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(srcPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(srcPath, findMavenFile));
     isWrapperFound = true;
   } else if (rootPath && existsSync(join(rootPath, findMavenFile))) {
     // Check if the root directory has a wrapper script
@@ -6956,7 +7162,7 @@ export const getMavenCommand = (srcPath, rootPath) => {
     } catch (e) {
       // continue regardless of error
     }
-    mavenCmd = resolve(join(rootPath, findMavenFile));
+    mavenWrapperCmd = resolve(join(rootPath, findMavenFile));
     isWrapperFound = true;
   }
   if (isWrapperFound) {
@@ -6965,14 +7171,15 @@ export const getMavenCommand = (srcPath, rootPath) => {
         "Testing the wrapper script by invoking wrapper:wrapper task"
       );
     }
-    const result = spawnSync(mavenCmd, ["wrapper:wrapper"], {
+    const result = spawnSync(mavenWrapperCmd, ["wrapper:wrapper"], {
       encoding: "utf-8",
       cwd: rootPath,
       timeout: TIMEOUT_MS,
       shell: isWin
     });
-    if (!result.error) {
+    if (!result.error && !result.status) {
       isWrapperReady = true;
+      mavenCmd = mavenWrapperCmd;
     } else {
       if (DEBUG_MODE) {
         console.log(
@@ -7115,7 +7322,9 @@ export const findAppModules = function (
   ];
   executeAtom(src, args);
   if (existsSync(slicesFile)) {
-    const slicesData = JSON.parse(readFileSync(slicesFile), "utf8");
+    const slicesData = JSON.parse(readFileSync(slicesFile), {
+      encoding: "utf-8"
+    });
     if (slicesData && Object.keys(slicesData) && slicesData.modules) {
       retList = slicesData.modules;
     } else {
@@ -7588,7 +7797,7 @@ export const componentSorter = (a, b) => {
 };
 
 export const parseCmakeDotFile = (dotFile, pkgType, options = {}) => {
-  const dotGraphData = readFileSync(dotFile, "utf-8");
+  const dotGraphData = readFileSync(dotFile, { encoding: "utf-8" });
   const pkgList = [];
   const dependenciesMap = {};
   const pkgBomRefMap = {};
@@ -7697,12 +7906,13 @@ export const parseCmakeDotFile = (dotFile, pkgType, options = {}) => {
 };
 
 export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
-  let cmakeListData = readFileSync(cmakeListFile, "utf-8");
+  let cmakeListData = readFileSync(cmakeListFile, { encoding: "utf-8" });
   const pkgList = [];
   const pkgAddedMap = {};
   const versionSpecifiersMap = {};
   const versionsMap = {};
   let parentComponent = {};
+  const templateValues = {};
   cmakeListData = cmakeListData
     .replace(/^ {2}/g, "")
     .replace(/\(\r\n/g, "(")
@@ -7717,7 +7927,20 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
     let group = "";
     let path = undefined;
     let name_list = [];
-    if (l.startsWith("project") && !Object.keys(parentComponent).length) {
+    if (l.startsWith("set")) {
+      const tmpA = l.replace("set(", "").replace(")", "").trim().split(" ");
+      if (tmpA && tmpA.length === 2) {
+        templateValues[tmpA[0]] = tmpA[1];
+      }
+    } else if (
+      l.startsWith("project") &&
+      !Object.keys(parentComponent).length
+    ) {
+      if (l.includes("${")) {
+        for (const tmplKey of Object.keys(templateValues)) {
+          l = l.replace("${" + tmplKey + "}", templateValues[tmplKey] || "");
+        }
+      }
       const tmpA = l.replace("project (", "project(").split("project(");
       if (tmpA && tmpA.length > 1) {
         const tmpB = (tmpA[1] || "")
@@ -7735,7 +7958,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
         if (versionIndex > -1 && tmpB.length > versionIndex) {
           parentVersion = tmpB[versionIndex + 1];
         }
-        if (parentName && parentName.length) {
+        if (parentName && parentName.length && !parentName.includes("$")) {
           parentComponent = {
             group: options.projectGroup || "",
             name: parentName,
@@ -7917,7 +8140,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
               methods: [
                 {
                   technique: "source-code-analysis",
-                  confidence: 0,
+                  confidence: 0.5,
                   value: `Filename ${cmakeListFile}`
                 }
               ]
@@ -7951,7 +8174,7 @@ export const getOSPackageForFile = (afile, osPkgsList) => {
         ospkg.evidence = {
           identity: {
             field: "purl",
-            confidence: 0,
+            confidence: 0.8,
             methods: [
               {
                 technique: "filename",
@@ -7985,47 +8208,122 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
   const epkgMap = {};
   let parentComponent = undefined;
   const dependsOn = [];
+  (epkgList || []).forEach((p) => {
+    epkgMap[p.group + "/" + p.name] = p;
+  });
   // Let's look for any vcpkg.json file to tell us about the directory we're scanning
   // users can use this file to give us a clue even if they do not use vcpkg library manager
   if (existsSync(join(src, "vcpkg.json"))) {
-    const vcPkgData = JSON.parse(join(src, "vcpkg.json"));
-    if (
-      vcPkgData &&
-      Object.keys(vcPkgData).length &&
-      vcPkgData.name &&
-      vcPkgData.version
-    ) {
+    const vcPkgData = JSON.parse(
+      readFileSync(join(src, "vcpkg.json"), { encoding: "utf-8" })
+    );
+    if (vcPkgData && Object.keys(vcPkgData).length && vcPkgData.name) {
       const parentPurl = new PackageURL(
         pkgType,
         "",
         vcPkgData.name,
-        vcPkgData.version,
+        vcPkgData.version || "",
         null,
         null
       ).toString();
       parentComponent = {
         name: vcPkgData.name,
-        version: vcPkgData.version,
+        version: vcPkgData.version || "",
         description: vcPkgData.description,
         license: vcPkgData.license,
         purl: parentPurl,
+        type: "application",
         "bom-ref": decodeURIComponent(parentPurl)
       };
       if (vcPkgData.homepage) {
         parentComponent.homepage = { url: vcPkgData.homepage };
       }
-    }
+      // Are there any dependencies declared in vcpkg.json
+      if (vcPkgData.dependencies && Array.isArray(vcPkgData.dependencies)) {
+        for (const avcdep of vcPkgData.dependencies) {
+          let avcpkgName = undefined;
+          let scope = undefined;
+          if (typeof avcdep === "string" || avcdep instanceof String) {
+            avcpkgName = avcdep;
+          } else if (Object.keys(avcdep).length && avcdep.name) {
+            avcpkgName = avcdep.name;
+            if (avcdep.host) {
+              scope = "optional";
+            }
+          }
+          // Is this a dependency we haven't seen before including the all lower and upper case version?
+          if (
+            avcpkgName &&
+            !epkgMap["/" + avcpkgName] &&
+            !epkgMap["/" + avcpkgName.toLowerCase()] &&
+            !epkgMap["/" + avcpkgName.toUpperCase()]
+          ) {
+            const pkgPurl = new PackageURL(
+              pkgType,
+              "",
+              avcpkgName,
+              "",
+              null,
+              null
+            ).toString();
+            const apkg = {
+              group: "",
+              name: avcpkgName,
+              type: pkgType,
+              version: "",
+              purl: pkgPurl,
+              scope,
+              "bom-ref": decodeURIComponent(pkgPurl),
+              evidence: {
+                identity: {
+                  field: "purl",
+                  confidence: 0.5,
+                  methods: [
+                    {
+                      technique: "source-code-analysis",
+                      confidence: 0.5,
+                      value: `Filename ${join(src, "vcpkg.json")}`
+                    }
+                  ]
+                }
+              }
+            };
+            if (!pkgAddedMap[avcpkgName]) {
+              pkgList.push(apkg);
+              dependsOn.push(apkg["bom-ref"]);
+              pkgAddedMap[avcpkgName] = true;
+            }
+          }
+        }
+      }
+    } // if
   } else if (existsSync(join(src, "CMakeLists.txt"))) {
     const retMap = parseCmakeLikeFile(join(src, "CMakeLists.txt"), pkgType);
     if (retMap.parentComponent && Object.keys(retMap.parentComponent).length) {
       parentComponent = retMap.parentComponent;
     }
+  } else if (options.projectName && options.projectVersion) {
+    parentComponent = {
+      group: options.projectGroup || "",
+      name: options.projectName || "",
+      version: "" + options.projectVersion || "latest",
+      type: "application"
+    };
+    const parentPurl = new PackageURL(
+      pkgType,
+      parentComponent.group,
+      parentComponent.name,
+      parentComponent.version,
+      null,
+      null
+    ).toString();
+    parentComponent.purl = parentPurl;
+    parentComponent["bom-ref"] = decodeURIComponent(parentPurl);
   }
-  (epkgList || []).forEach((p) => {
-    epkgMap[p.name] = p;
-  });
   if (options.usagesSlicesFile && existsSync(options.usagesSlicesFile)) {
-    sliceData = JSON.parse(readFileSync(options.usagesSlicesFile));
+    sliceData = JSON.parse(
+      readFileSync(options.usagesSlicesFile, { encoding: "utf-8" })
+    );
     if (DEBUG_MODE) {
       console.log("Re-using existing slices file", options.usagesSlicesFile);
     }
@@ -8038,7 +8336,9 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
     );
   }
   const usageData = parseCUsageSlice(sliceData);
-  for (const afile of Object.keys(usageData)) {
+  for (let afile of Object.keys(usageData)) {
+    // Normalize windows separator
+    afile = afile.replace("..\\", "").replace(/\\/g, "/");
     let fileName = basename(afile);
     if (!fileName || !fileName.length) {
       continue;
@@ -8057,14 +8357,14 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
     // We need to resolve the name to an os package here
     let name = fileName.replace(extn, "");
     let apkg = getOSPackageForFile(afile, osPkgsList) ||
-      epkgMap[name] || {
+      epkgMap[group + "/" + name] || {
         name,
         group,
         version: "",
         type: pkgType
       };
     // If this is a relative file, there is a good chance we can reuse the project group
-    if (!afile.startsWith(_sep)) {
+    if (!afile.startsWith(_sep) && !group.length) {
       group = options.projectGroup || "";
     }
     if (!apkg.purl) {
@@ -8092,9 +8392,16 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
       apkg["bom-ref"] = decodeURIComponent(apkg["purl"]);
     }
     if (usageData[afile]) {
-      const usymbols = Array.from(usageData[afile]).filter(
-        (v) => !v.startsWith("<") && !v.startsWith("__")
-      );
+      const usymbols = Array.from(usageData[afile])
+        .filter(
+          (v) =>
+            !v.startsWith("<") &&
+            !v.startsWith("__") &&
+            v !== "main" &&
+            !v.includes("anonymous_") &&
+            !v.includes(afile)
+        )
+        .sort();
       if (!apkg["properties"] && usymbols.length) {
         apkg["properties"] = [
           { name: "ImportedSymbols", value: usymbols.join(", ") }
@@ -8141,7 +8448,9 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
       : [];
   return {
     parentComponent,
-    pkgList,
+    pkgList: pkgList.sort(function (a, b) {
+      return a.purl.localeCompare(b.purl);
+    }),
     dependenciesList
   };
 };
@@ -8174,34 +8483,21 @@ export const parseCUsageSlice = (sliceData) => {
         continue;
       }
       const slFileName = slice.fileName;
-      const slLineNumber = slice.lineNumber || 0;
       const allLines = usageData[slFileName] || new Set();
       if (slice.fullName && slice.fullName.length > 3) {
-        allLines.add(slice.fullName + "|" + slLineNumber);
         if (slice.code && slice.code.startsWith("#include")) {
           usageData[slice.fullName] = new Set();
+        } else {
+          allLines.add(slice.fullName);
         }
       }
       for (const ausage of slice.usages) {
-        if (ausage.targetObj.resolvedMethod) {
-          allLines.add(ausage.targetObj.resolvedMethod + "|" + slLineNumber);
-        } else {
-          const targetObjName = ausage.targetObj.name.replace(/\n/g, " ");
-          // We need to still filter out <global>, <clinit> style targets
-          if (
-            ausage.targetObj.lineNumber === slLineNumber ||
-            targetObjName.startsWith("<") ||
-            (slice.fullName.length > 3 &&
-              targetObjName.includes(slice.fullName))
-          ) {
-            continue;
-          }
-          allLines.add(targetObjName + "|" + slLineNumber);
-        }
         let calls = ausage?.invokedCalls || [];
         calls = calls.concat(ausage?.argToCalls || []);
         for (const acall of calls) {
-          allLines.add(acall.resolvedMethod + "|" + slLineNumber);
+          if (!acall.resolvedMethod.includes("->")) {
+            allLines.add(acall.resolvedMethod);
+          }
         }
       }
       if (Array.from(allLines).length) {
@@ -8393,6 +8689,13 @@ export const getNugetMetadata = async function (
             p.license = findLicenseId(body.catalogEntry.licenseExpression);
           } else if (body.catalogEntry.licenseUrl) {
             p.license = findLicenseId(body.catalogEntry.licenseUrl);
+            if (
+              typeof p.license === "string" &&
+              p.license.includes("://github.com/")
+            ) {
+              p.license =
+                (await getRepoLicense(p.license, undefined)) || p.license;
+            }
           }
           if (body.catalogEntry.projectUrl) {
             p.repository = { url: body.catalogEntry.projectUrl };
@@ -8404,6 +8707,17 @@ export const getNugetMetadata = async function (
                 p.version +
                 "/"
             };
+            if (
+              (!p.license || typeof p.license === "string") &&
+              typeof p.repository.url === "string" &&
+              p.repository.url.includes("://github.com/")
+            ) {
+              // license couldn't be properly identified and is still a url,
+              // therefore trying to resolve license via repository
+              p.license =
+                (await getRepoLicense(p.repository.url, undefined)) ||
+                p.license;
+            }
           }
           cdepList.push(p);
         }