@cyclonedx/cdxgen 9.9.5 → 9.9.6

package/README.md

@@ -86,10 +86,10 @@ For go, `go mod why` command is used to identify required packages. For php, com
 ## Installing
 
 ```shell
-sudo npm install -g @cyclonedx/cdxgen
+npm install -g @cyclonedx/cdxgen
 
 # For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
-sudo npm install -g @cyclonedx/cdxgen@8.6.0
+npm install -g @cyclonedx/cdxgen@8.6.0
 ```
 
 If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](https://formulae.brew.sh/formula/cdxgen) via:
@@ -327,7 +327,7 @@ This would create a bom.json.map file with the jar - class name mapping. Refer t
 
 ## Resolving licenses
 
-cdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown.
+cdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown. Ensure that `GITHUB_TOKEN` is set or provided by [built-in GITHUB_TOKEN in GitHub Actions](https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api#primary-rate-limit-for-github_token-in-github-actions), otherwise rate limiting might prevent license resolving.
 
 ```bash
 export FETCH_LICENSE=true

package/data/frameworks-list.json

@@ -141,6 +141,25 @@
     "pkg:cargo/nickel",
     "pkg:cargo/yew",
     "pkg:cargo/azul",
-    "pkg:cargo/conrod"
+    "pkg:cargo/conrod",
+    "pkg:generic/Aws",
+    "pkg:generic/Azure",
+    "pkg:generic/google",
+    "pkg:generic/CivetServer",
+    "pkg:generic/civetweb",
+    "pkg:generic/cpprest",
+    "pkg:generic/QCoreApplication",
+    "pkg:generic/drogon",
+    "pkg:generic/wfrest",
+    "pkg:generic/http",
+    "pkg:generic/fio",
+    "pkg:generic/onion",
+    "pkg:generic/lwan",
+    "pkg:generic/oatpp",
+    "pkg:generic/QDjango",
+    "pkg:generic/userver",
+    "pkg:generic/Wt/",
+    "pkg:generic/klone",
+    "pkg:generic/kcgi"
   ]
 }

package/data/known-licenses.json

@@ -1,31 +1,82 @@
 [
-  { "license": "Apache-2.0", "group": "cloud.google.com", "name": "go" },
-  { "license": "Apache-2.0", "group": "cloud.google.com/go", "name": "*" },
-  { "license": "Apache-2.0", "group": "cuelang.org", "name": "go" },
-  { "license": "MIT", "group": "pack.ag", "name": "amqp" },
-  { "license": "Apache-2.0", "group": "google.golang.org", "name": "*" },
-  { "license": "BSD-3-Clause", "group": "golang.org/x", "name": "*" },
   {
-    "license": "BSD-3-Clause",
-    "group": "dmitri.shuralyov.com/gpu",
-    "name": "*"
+    "packageNamespace": "*",
+    "knownLicenses": [{ "license": "MIT", "urlIncludes": "mit-license" }]
   },
-  { "license": "Apache-2.0", "group": "contrib.go.opencensus.io", "name": "*" },
-  { "license": "Apache-2.0", "group": "git.apache.org", "name": "*" },
-  { "license": "Apache-2.0", "group": ".", "name": "go.opencensus.io" },
-  { "license": "MIT", "group": "sigs.k8s.io", "name": "*" },
-  { "license": "BSD-3-Clause", "group": "rsc.io", "name": "*" },
-  { "license": "Apache-2.0", "group": "openpitrix.io", "name": "*" },
-  { "license": "BSD-3-Clause", "group": "modernc.org", "name": "*" },
-  { "license": "Apache-2.0", "group": "kubesphere.io", "name": "*" },
-  { "license": "Apache-2.0", "group": "k8s.io", "name": "*" },
-  { "license": "Apache-2.0", "group": "istio.io", "name": "*" },
-  { "license": "MIT", "group": "honnef.co/go", "name": "*" },
-  { "license": "Apache-2.0", "group": ".", "name": "gotest.tools" },
-  { "license": "Apache-2.0", "group": "gopkg.in", "name": "*" },
-  { "license": "Apache-2.0", "group": "code.cloudfoundry.org", "name": "*" },
-  { "license": "BSD-3-Clause", "group": "gonum.org/v1", "name": "*" },
-  { "license": "Apache-2.0", "group": "gomodules.xyz/jsonpatch", "name": "*" },
-  { "license": "MIT", "group": "go.uber.org", "name": "*" },
-  { "license": "MIT", "group": "go.etcd.io", "name": "*" }
+  {
+    "packageNamespace": "pkg:golang/",
+    "knownLicenses": [
+      { "license": "Apache-2.0", "group": "cloud.google.com", "name": "go" },
+      { "license": "Apache-2.0", "group": "cloud.google.com/go", "name": "*" },
+      { "license": "Apache-2.0", "group": "cuelang.org", "name": "go" },
+      { "license": "MIT", "group": "pack.ag", "name": "amqp" },
+      { "license": "Apache-2.0", "group": "google.golang.org", "name": "*" },
+      { "license": "BSD-3-Clause", "group": "golang.org/x", "name": "*" },
+      {
+        "license": "BSD-3-Clause",
+        "group": "dmitri.shuralyov.com/gpu",
+        "name": "*"
+      },
+      {
+        "license": "Apache-2.0",
+        "group": "contrib.go.opencensus.io",
+        "name": "*"
+      },
+      { "license": "Apache-2.0", "group": "git.apache.org", "name": "*" },
+      { "license": "Apache-2.0", "group": ".", "name": "go.opencensus.io" },
+      { "license": "MIT", "group": "sigs.k8s.io", "name": "*" },
+      { "license": "BSD-3-Clause", "group": "rsc.io", "name": "*" },
+      { "license": "Apache-2.0", "group": "openpitrix.io", "name": "*" },
+      { "license": "BSD-3-Clause", "group": "modernc.org", "name": "*" },
+      { "license": "Apache-2.0", "group": "kubesphere.io", "name": "*" },
+      { "license": "Apache-2.0", "group": "k8s.io", "name": "*" },
+      { "license": "Apache-2.0", "group": "istio.io", "name": "*" },
+      { "license": "MIT", "group": "honnef.co/go", "name": "*" },
+      { "license": "Apache-2.0", "group": ".", "name": "gotest.tools" },
+      { "license": "Apache-2.0", "group": "gopkg.in", "name": "*" },
+      {
+        "license": "Apache-2.0",
+        "group": "code.cloudfoundry.org",
+        "name": "*"
+      },
+      { "license": "BSD-3-Clause", "group": "gonum.org/v1", "name": "*" },
+      {
+        "license": "Apache-2.0",
+        "group": "gomodules.xyz/jsonpatch",
+        "name": "*"
+      },
+      { "license": "MIT", "group": "go.uber.org", "name": "*" },
+      { "license": "MIT", "group": "go.etcd.io", "name": "*" }
+    ]
+  },
+  {
+    "packageNamespace": "pkg:nuget/",
+    "knownLicenses": [
+      {
+        "license": "MIT",
+        "urlIncludes": "//github.com/dotnet/standard/",
+        "licenseEvidence": "https://github.com/dotnet/standard/blob/release/3.0/LICENSE.TXT"
+      },
+      {
+        "license": "MIT",
+        "urlIncludes": "//github.com/dotnet/corefx/",
+        "licenseEvidence": "https://github.com/dotnet/corefx/blob/release/2.0.0/LICENSE.TXT"
+      },
+      {
+        "license": "MIT",
+        "urlIncludes": "//github.com/dotnet/core-setup/",
+        "licenseEvidence": "https://github.com/dotnet/core-setup/blob/release/2.0.0/LICENSE.TXT"
+      },
+      {
+        "licenseName": ".NET Library License",
+        "urlEndswith": "?LinkId=329770",
+        "licenseEvidence": "https://go.microsoft.com/fwlink/?LinkId=329770"
+      },
+      {
+        "licenseName": ".NET Library License",
+        "urlEndswith": "dotnet_library_license.htm",
+        "licenseEvidence": "https://dotnet.microsoft.com/en-us/dotnet_library_license.htm"
+      }
+    ]
+  }
 ]

package/docker.js

@@ -416,11 +416,16 @@ export const parseImageName = (fullImageName) => {
     repo: "",
     tag: "",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "",
+    name: ""
   };
   if (!fullImageName) {
     return nameObj;
   }
+  // ensure it's lowercased
+  fullImageName = fullImageName.toLowerCase();
+
   // Extract registry name
   if (
     fullImageName.includes("/") &&
@@ -437,6 +442,7 @@ export const parseImageName = (fullImageName) => {
       fullImageName = fullImageName.replace(tmpA[0] + "/", "");
     }
   }
+
   // Extract digest name
   if (fullImageName.includes("@sha256:")) {
     const tmpA = fullImageName.split("@sha256:");
@@ -445,6 +451,7 @@ export const parseImageName = (fullImageName) => {
       fullImageName = fullImageName.replace("@sha256:" + nameObj.digest, "");
     }
   }
+
   // Extract tag name
   if (fullImageName.includes(":")) {
     const tmpA = fullImageName.split(":");
@@ -453,11 +460,20 @@ export const parseImageName = (fullImageName) => {
       fullImageName = fullImageName.replace(":" + nameObj.tag, "");
     }
   }
-  if (fullImageName && fullImageName.startsWith("library/")) {
-    fullImageName = fullImageName.replace("library/", "");
-  }
+
   // The left over string is the repo name
   nameObj.repo = fullImageName;
+  nameObj.name = fullImageName;
+
+  // extract group name
+  if (fullImageName.includes("/")) {
+    const tmpA = fullImageName.split("/");
+    if (tmpA.length > 1) {
+      nameObj.name = tmpA[tmpA.length - 1];
+      nameObj.group = fullImageName.replace("/" + tmpA[tmpA.length - 1], "");
+    }
+  }
+
   return nameObj;
 };
 

package/docker.test.js

@@ -24,35 +24,54 @@ test("parseImageName tests", () => {
     repo: "debian",
     tag: "",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "",
+    name: "debian"
   });
   expect(parseImageName("debian:latest")).toEqual({
     registry: "",
     repo: "debian",
     tag: "latest",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "",
+    name: "debian"
+  });
+  expect(parseImageName("library/debian:latest")).toEqual({
+    registry: "",
+    repo: "library/debian",
+    tag: "latest",
+    digest: "",
+    platform: "",
+    group: "library",
+    name: "debian"
   });
   expect(parseImageName("shiftleft/scan:v1.15.6")).toEqual({
     registry: "",
     repo: "shiftleft/scan",
     tag: "v1.15.6",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
   });
   expect(parseImageName("localhost:5000/shiftleft/scan:v1.15.6")).toEqual({
     registry: "localhost:5000",
     repo: "shiftleft/scan",
     tag: "v1.15.6",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
   });
   expect(parseImageName("localhost:5000/shiftleft/scan")).toEqual({
     registry: "localhost:5000",
     repo: "shiftleft/scan",
     tag: "",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan"
   });
   expect(
     parseImageName("foocorp.jfrog.io/docker/library/eclipse-temurin:latest")
@@ -61,7 +80,9 @@ test("parseImageName tests", () => {
     repo: "docker/library/eclipse-temurin",
     tag: "latest",
     digest: "",
-    platform: ""
+    platform: "",
+    group: "docker/library",
+    name: "eclipse-temurin"
   });
   expect(
     parseImageName(
@@ -72,7 +93,9 @@ test("parseImageName tests", () => {
     repo: "shiftleft/scan-java",
     tag: "",
     digest: "5d008306a7c5d09ba0161a3408fa3839dc2c9dd991ffb68adecc1040399fe9e1",
-    platform: ""
+    platform: "",
+    group: "shiftleft",
+    name: "scan-java"
   });
 }, 120000);
 

package/evinser.js

@@ -322,6 +322,29 @@ export const analyzeProject = async (dbObjMap, options) => {
   // Load any existing purl-location information from the sbom.
   // For eg: cdxgen populates this information for javascript projects
   let { purlLocationMap, purlImportsMap } = initFromSbom(components);
+  // Do reachables first so that usages slicing can reuse the atom file
+  if (options.withReachables) {
+    if (
+      options.reachablesSlicesFile &&
+      fs.existsSync(options.reachablesSlicesFile)
+    ) {
+      reachablesSlicesFile = options.reachablesSlicesFile;
+      reachablesSlice = JSON.parse(
+        fs.readFileSync(options.reachablesSlicesFile, "utf-8")
+      );
+    } else {
+      retMap = createSlice(language, dirPath, "reachables", options);
+      if (retMap && retMap.slicesFile && fs.existsSync(retMap.slicesFile)) {
+        reachablesSlicesFile = retMap.slicesFile;
+        reachablesSlice = JSON.parse(
+          fs.readFileSync(retMap.slicesFile, "utf-8")
+        );
+      }
+    }
+  }
+  if (reachablesSlice && Object.keys(reachablesSlice).length) {
+    dataFlowFrames = await collectReachableFrames(language, reachablesSlice);
+  }
   // Reuse existing usages slices
   if (options.usagesSlicesFile && fs.existsSync(options.usagesSlicesFile)) {
     usageSlice = JSON.parse(fs.readFileSync(options.usagesSlicesFile, "utf-8"));
@@ -374,28 +397,6 @@ export const analyzeProject = async (dbObjMap, options) => {
       purlImportsMap
     );
   }
-  if (options.withReachables) {
-    if (
-      options.reachablesSlicesFile &&
-      fs.existsSync(options.reachablesSlicesFile)
-    ) {
-      reachablesSlicesFile = options.reachablesSlicesFile;
-      reachablesSlice = JSON.parse(
-        fs.readFileSync(options.reachablesSlicesFile, "utf-8")
-      );
-    } else {
-      retMap = createSlice(language, dirPath, "reachables", options);
-      if (retMap && retMap.slicesFile && fs.existsSync(retMap.slicesFile)) {
-        reachablesSlicesFile = retMap.slicesFile;
-        reachablesSlice = JSON.parse(
-          fs.readFileSync(retMap.slicesFile, "utf-8")
-        );
-      }
-    }
-  }
-  if (reachablesSlice && Object.keys(reachablesSlice).length) {
-    dataFlowFrames = await collectReachableFrames(language, reachablesSlice);
-  }
   return {
     atomFile: retMap.atomFile,
     usagesSlicesFile,
@@ -776,15 +777,19 @@ export const detectServicesFromUDT = (
   servicesMap
 ) => {
   if (
-    ["python", "py"].includes(language) &&
+    ["python", "py", "c", "cpp", "c++"].includes(language) &&
     userDefinedTypes &&
     userDefinedTypes.length
   ) {
     for (const audt of userDefinedTypes) {
       if (
-        audt.name.includes("route") ||
-        audt.name.includes("path") ||
-        audt.name.includes("url")
+        audt.name.toLowerCase().includes("route") ||
+        audt.name.toLowerCase().includes("path") ||
+        audt.name.toLowerCase().includes("url") ||
+        audt.name.toLowerCase().includes("registerhandler") ||
+        audt.name.toLowerCase().includes("endpoint") ||
+        audt.name.toLowerCase().includes("api") ||
+        audt.name.toLowerCase().includes("add_method")
       ) {
         const fields = audt.fields || [];
         if (
@@ -875,14 +880,11 @@ export const extractEndpoints = (language, code) => {
           );
       }
       break;
-    case "py":
-    case "python":
+    default:
       endpoints = (code.match(/['"](.*?)['"]/gi) || [])
         .map((v) => v.replace(/["']/g, "").replace("\n", ""))
         .filter((v) => v.length > 2);
       break;
-    default:
-      break;
   }
   return endpoints;
 };
@@ -910,6 +912,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
   const components = bomJson.components || [];
   let occEvidencePresent = false;
   let csEvidencePresent = false;
+  let servicesPresent = false;
   for (const comp of components) {
     if (!comp.purl) {
       continue;
@@ -957,6 +960,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
     }
     // Add to existing services
     bomJson.services = (bomJson.services || []).concat(services);
+    servicesPresent = true;
   }
   if (options.annotate) {
     if (!bomJson.annotations) {
@@ -993,7 +997,7 @@ export const createEvinseFile = (sliceArtefacts, options) => {
   bomJson.metadata.timestamp = new Date().toISOString();
   delete bomJson.signature;
   fs.writeFileSync(evinseOutFile, JSON.stringify(bomJson, null, 2));
-  if (occEvidencePresent || csEvidencePresent) {
+  if (occEvidencePresent || csEvidencePresent || servicesPresent) {
     console.log(evinseOutFile, "created successfully.");
   } else {
     console.log(

package/index.js

@@ -105,7 +105,8 @@ import {
   MAX_BUFFER,
   getNugetMetadata,
   frameworksList,
-  parseContainerFile
+  parseContainerFile,
+  parseBitbucketPipelinesFile
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -3148,6 +3149,18 @@ export const createCppBom = (path, options) => {
         retMap.parentComponent.type = "library";
         pkgList.push(retMap.parentComponent);
       }
+      // Retain the dependency tree from cmake
+      if (retMap.dependenciesList) {
+        if (dependencies.length) {
+          dependencies = mergeDependencies(
+            dependencies,
+            retMap.dependenciesList,
+            parentComponent
+          );
+        } else {
+          dependencies = retMap.dependenciesList;
+        }
+      }
     }
   }
   // The need for java >= 17 with atom is causing confusions since there could be C projects
@@ -3719,6 +3732,11 @@ export const createContainerSpecLikeBom = async (path, options) => {
     (options.multiProject ? "**/" : "") + "*Dockerfile*",
     options
   );
+  const bbPipelineFiles = getAllFiles(
+    path,
+    (options.multiProject ? "**/" : "") + "bitbucket-pipelines.yml",
+    options
+  );
   const cfFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*Containerfile*",
@@ -3747,27 +3765,35 @@ export const createContainerSpecLikeBom = async (path, options) => {
   }
   // Privado.ai json files
   const privadoFiles = getAllFiles(path, ".privado/" + "*.json", options);
-  // Parse yaml manifest files, dockerfiles or containerfiles
-  if (dcFiles.length || dfFiles.length || cfFiles.length) {
-    for (const f of [...dcFiles, ...dfFiles, ...cfFiles]) {
+
+  // Parse yaml manifest files, dockerfiles, containerfiles or bitbucket pipeline files
+  if (
+    dcFiles.length ||
+    dfFiles.length ||
+    cfFiles.length ||
+    bbPipelineFiles.length
+  ) {
+    for (const f of [...dcFiles, ...dfFiles, ...cfFiles, ...bbPipelineFiles]) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
 
       const dData = readFileSync(f, { encoding: "utf-8" });
-      let imglist = [];
+      let imgList = [];
       // parse yaml manifest files
-      if (f.endsWith(".yml") || f.endsWith(".yaml")) {
-        imglist = parseContainerSpecData(dData);
+      if (f.endsWith("bitbucket-pipelines.yml")) {
+        imgList = parseBitbucketPipelinesFile(dData);
+      } else if (f.endsWith(".yml") || f.endsWith(".yaml")) {
+        imgList = parseContainerSpecData(dData);
       } else {
-        imglist = parseContainerFile(dData);
+        imgList = parseContainerFile(dData);
       }
 
-      if (imglist && imglist.length) {
+      if (imgList && imgList.length) {
         if (DEBUG_MODE) {
-          console.log("Images identified in", f, "are", imglist);
+          console.log("Images identified in", f, "are", imgList);
         }
-        for (const img of imglist) {
+        for (const img of imgList) {
           const commonProperties = [
             {
               name: "SrcFile",
@@ -3832,20 +3858,26 @@ export const createContainerSpecLikeBom = async (path, options) => {
               console.log(`Parsing image ${img.image}`);
             }
             const imageObj = parseImageName(img.image);
+
             const pkg = {
-              name: imageObj.repo,
+              name: imageObj.name,
+              group: imageObj.group,
               version:
                 imageObj.tag ||
                 (imageObj.digest ? "sha256:" + imageObj.digest : "latest"),
               qualifiers: {},
-              properties: commonProperties
+              properties: commonProperties,
+              type: "container"
             };
             if (imageObj.registry) {
-              pkg["qualifiers"]["repository_url"] = imageObj.registry;
+              pkg["qualifiers"]["repository_url"] = img.image;
             }
             if (imageObj.platform) {
               pkg["qualifiers"]["platform"] = imageObj.platform;
             }
+            if (imageObj.tag) {
+              pkg["qualifiers"]["tag"] = imageObj.tag;
+            }
             // Create an entry for the oci image
             const imageBomData = buildBomNSData(options, [pkg], "oci", {
               src: img.image,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.5",
+  "version": "9.9.6",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,13 +55,13 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.3",
-    "@babel/traverse": "^7.23.3",
+    "@babel/parser": "^7.23.5",
+    "@babel/traverse": "^7.23.5",
     "@npmcli/arborist": "7.2.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
-    "edn-data": "^1.0.0",
+    "edn-data": "1.1.1",
     "find-up": "^6.3.0",
     "glob": "^10.3.10",
     "global-agent": "^3.0.0",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.6.4",
+    "@appthreat/atom": "1.7.2",
     "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
     "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
@@ -91,7 +91,7 @@
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.3",
-    "sequelize": "^6.35.0",
+    "sequelize": "^6.35.1",
     "sqlite3": "^5.1.6"
   },
   "files": [
@@ -102,7 +102,7 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.53.0",
+    "eslint": "^8.54.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",

package/server.js

@@ -83,7 +83,8 @@ const parseQueryString = (q, body, options = {}) => {
     "filter",
     "only",
     "autoCompositions",
-    "gitBranch"
+    "gitBranch",
+    "active"
   ];
 
   for (const param of queryParams) {

package/utils.js

@@ -217,20 +217,10 @@ export function getLicenses(pkg, format = "xml") {
             licenseContent.id = l;
             licenseContent.url = "https://opensource.org/licenses/" + l;
           } else if (l.startsWith("http")) {
-            if (!l.includes("opensource.org")) {
-              licenseContent.name = "CUSTOM";
-            } else {
-              const possibleId = l
-                .replace("http://www.opensource.org/licenses/", "")
-                .toUpperCase();
-              spdxLicenses.forEach((v) => {
-                if (v.toUpperCase() === possibleId) {
-                  licenseContent.id = v;
-                }
-              });
-            }
-            if (l.includes("mit-license")) {
-              licenseContent.id = "MIT";
+            let knownLicense = getKnownLicense(l, pkg);
+            if (knownLicense) {
+              licenseContent.id = knownLicense.id;
+              licenseContent.name = knownLicense.name;
             }
             // We always need a name to avoid validation errors
             // Issue: #469
@@ -252,10 +242,82 @@ export function getLicenses(pkg, format = "xml") {
         return licenseContent;
       })
       .map((l) => ({ license: l }));
+  } else {
+    let knownLicense = getKnownLicense(undefined, pkg);
+    if (knownLicense) {
+      return [{ license: knownLicense }];
+    }
   }
   return undefined;
 }
 
+/**
+ * Method to retrieve known license by known-licenses.json
+ *
+ * @param {String} repoUrl Repository url
+ * @param {String} pkg Bom ref
+ * @return {Object>} Objetct with SPDX license id or license name
+ */
+export const getKnownLicense = function (licenseUrl, pkg) {
+  if (licenseUrl && licenseUrl.includes("opensource.org")) {
+    const possibleId = licenseUrl
+      .toLowerCase()
+      .replace("https://", "http://")
+      .replace("http://www.opensource.org/licenses/", "");
+    for (const spdxLicense of spdxLicenses) {
+      if (spdxLicense.toLowerCase() === possibleId) {
+        return { id: spdxLicense };
+      }
+    }
+  } else if (licenseUrl && licenseUrl.includes("apache.org")) {
+    const possibleId = licenseUrl
+      .toLowerCase()
+      .replace("https://", "http://")
+      .replace("http://www.apache.org/licenses/license-", "apache-")
+      .replace(".txt", "");
+    for (const spdxLicense of spdxLicenses) {
+      if (spdxLicense.toLowerCase() === possibleId) {
+        return { id: spdxLicense };
+      }
+    }
+  }
+  for (const akLicGroup of knownLicenses) {
+    if (
+      akLicGroup.packageNamespace === "*" ||
+      (pkg.purl && pkg.purl.startsWith(akLicGroup.packageNamespace))
+    ) {
+      for (const akLic of akLicGroup.knownLicenses) {
+        if (akLic.group && akLic.name) {
+          if (akLic.group === "." && akLic.name === pkg.name) {
+            return { id: akLic.license, name: akLic.licenseName };
+          } else if (
+            pkg.group &&
+            pkg.group.includes(akLic.group) &&
+            (akLic.name === pkg.name || akLic.name === "*")
+          ) {
+            return { id: akLic.license, name: akLic.licenseName };
+          }
+        }
+        if (
+          akLic.urlIncludes &&
+          licenseUrl &&
+          licenseUrl.includes(akLic.urlIncludes)
+        ) {
+          return { id: akLic.license, name: akLic.licenseName };
+        }
+        if (
+          akLic.urlEndswith &&
+          licenseUrl &&
+          licenseUrl.endsWith(akLic.urlEndswith)
+        ) {
+          return { id: akLic.license, name: akLic.licenseName };
+        }
+      }
+    }
+  }
+  return undefined;
+};
+
 /**
  * Tries to find a file containing the license text based on commonly
  * used naming and content types. If a candidate file is found, add
@@ -2430,7 +2492,7 @@ export const fetchPomXmlAsJson = async function ({
  * @param {String} name
  * @param {String} version
  *
- * @return {String}
+ * @return {Promise<String>}
  */
 export const fetchPomXml = async function ({
   urlPrefix,
@@ -2467,7 +2529,7 @@ export const parseLicenseEntryOrArrayFromPomXml = function (license) {
  * @param {String} name
  * @param {String} version
  *
- * @return {String} License ID
+ * @return {Promise<String>} License ID
  */
 export const extractLicenseCommentFromPomXml = async function ({
   urlPrefix,
@@ -3287,7 +3349,7 @@ export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
  *
  * @param {String} repoUrl Repository url
  * @param {Object} repoMetadata Object containing group and package name strings
- * @return {String} SPDX license id
+ * @return {Promise<String>} SPDX license id
  */
 export const getRepoLicense = async function (repoUrl, repoMetadata) {
   let apiUrl = toGitHubApiUrl(repoUrl, repoMetadata);
@@ -3323,23 +3385,23 @@ export const getRepoLicense = async function (repoUrl, repoMetadata) {
           }
         }
         licObj["id"] = licenseId;
-        return licObj;
+        if (licObj["id"] || licObj["name"]) {
+          return licObj;
+        }
       }
     } catch (err) {
-      return undefined;
-    }
-  } else if (repoMetadata) {
-    const group = repoMetadata.group;
-    const name = repoMetadata.name;
-    if (group && name) {
-      for (const akLic of knownLicenses) {
-        if (akLic.group === "." && akLic.name === name) {
-          return akLic.license;
-        } else if (
-          group.includes(akLic.group) &&
-          (akLic.name === name || akLic.name === "*")
+      if (err && err.message) {
+        if (
+          err.message.includes("rate limit exceeded") &&
+          !process.env.GITHUB_TOKEN
         ) {
-          return akLic.license;
+          console.log(
+            "Rate limit exceeded for REST API of github.com. " +
+              "Please ensure GITHUB_TOKEN is set as environment variable. " +
+              "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api"
+          );
+        } else if (!err.message.includes("404")) {
+          console.log(err);
         }
       }
     }
@@ -4393,12 +4455,14 @@ export const parseContainerFile = function (fileContents) {
   const imgList = [];
 
   let buildStageNames = [];
-  for (const line of fileContents.split("\n")) {
-    if (line.trim().startsWith("#")) {
+  for (let line of fileContents.split("\n")) {
+    line = line.trim();
+
+    if (line.startsWith("#")) {
       continue; // skip commented out lines
     }
 
-    if (line.includes("FROM")) {
+    if (line.startsWith("FROM")) {
       const fromStatement = line.split("FROM")[1].split("AS");
 
       const imageStatement = fromStatement[0].trim();
@@ -4426,6 +4490,68 @@ export const parseContainerFile = function (fileContents) {
   return imgList;
 };
 
+export const parseBitbucketPipelinesFile = function (fileContents) {
+  const imgList = [];
+
+  let privateImageBlockFound = false;
+
+  for (let line of fileContents.split("\n")) {
+    line = line.trim();
+    if (line.startsWith("#")) {
+      continue; // skip commented out lines
+    }
+
+    // Assume this is a private build image object
+    if (line.startsWith("name:") && privateImageBlockFound) {
+      const imageName = line.split("name:").pop().trim();
+
+      imgList.push({
+        image: imageName
+      });
+
+      privateImageBlockFound = false;
+    }
+
+    // Docker image usage
+    if (line.startsWith("image:")) {
+      const imageName = line.split("image:").pop().trim();
+
+      /**
+       * Assume this is a private build image object
+       * See: https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/#Using-private-build-images
+       */
+      if (imageName === "") {
+        privateImageBlockFound = true;
+        continue;
+      } else {
+        /**
+         * Assume this is a public build image
+         * See: https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/#Using-public-build-images
+         */
+
+        imgList.push({
+          image: imageName
+        });
+      }
+    }
+
+    // Pipe usage
+    if (line.startsWith("- pipe:")) {
+      let pipeName = line.split("- pipe:").pop().trim();
+
+      if (pipeName.startsWith("docker://")) {
+        pipeName = pipeName.replace("docker://", "");
+      }
+
+      imgList.push({
+        image: pipeName
+      });
+    }
+  }
+
+  return imgList;
+};
+
 export const parseContainerSpecData = function (dcData) {
   const pkgList = [];
   const imgList = [];
@@ -4618,8 +4744,13 @@ export const parseOpenapiSpecData = function (oaData) {
   } catch (e) {
     return servlist;
   }
-  const name = oaData.info.title.replace(/ /g, "-");
-  const version = oaData.info.version || "latest";
+
+  const name =
+    oaData.info && oaData.info.title
+      ? oaData.info.title.replace(/ /g, "-")
+      : "default-name";
+  const version =
+    oaData.info && oaData.info.version ? oaData.info.version : "latest";
   const aservice = {
     "bom-ref": `urn:service:${name}:${version}`,
     name,
@@ -5405,7 +5536,7 @@ export const parseComposerLock = function (pkgLockFile) {
   if (existsSync(pkgLockFile)) {
     let lockData = {};
     try {
-      lockData = JSON.parse(readFileSync(pkgLockFile, "utf8"));
+      lockData = JSON.parse(readFileSync(pkgLockFile, { encoding: "utf-8" }));
     } catch (e) {
       console.error("Invalid composer.lock file:", pkgLockFile);
       return [];
@@ -5474,7 +5605,7 @@ export const parseSbtTree = (sbtTreeFile) => {
   const dependenciesList = [];
   const keys_cache = {};
   const level_trees = {};
-  const tmpA = readFileSync(sbtTreeFile, "utf-8").split("\n");
+  const tmpA = readFileSync(sbtTreeFile, { encoding: "utf-8" }).split("\n");
   let last_level = 0;
   let last_purl = "";
   let stack = [];
@@ -5606,7 +5737,9 @@ export const parseSbtTree = (sbtTreeFile) => {
 export const parseSbtLock = function (pkgLockFile) {
   const pkgList = [];
   if (existsSync(pkgLockFile)) {
-    const lockData = JSON.parse(readFileSync(pkgLockFile, "utf8"));
+    const lockData = JSON.parse(
+      readFileSync(pkgLockFile, { encoding: "utf-8" })
+    );
     if (lockData && lockData.dependencies) {
       for (const pkg of lockData.dependencies) {
         const artifacts = pkg.artifacts || undefined;
@@ -6063,7 +6196,9 @@ export const parseSwiftResolved = (resolvedFile) => {
   const pkgList = [];
   if (existsSync(resolvedFile)) {
     try {
-      const pkgData = JSON.parse(readFileSync(resolvedFile, "utf8"));
+      const pkgData = JSON.parse(
+        readFileSync(resolvedFile, { encoding: "utf-8" })
+      );
       let resolvedList = [];
       if (pkgData.pins) {
         resolvedList = pkgData.pins;
@@ -6256,7 +6391,7 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
         }
       }
       if (existsSync(pomname)) {
-        pomData = parsePomXml(readFileSync(pomname, "utf-8"));
+        pomData = parsePomXml(readFileSync(pomname, { encoding: "utf-8" }));
         if (pomData) {
           const purlObj = new PackageURL(
             "maven",
@@ -7187,7 +7322,9 @@ export const findAppModules = function (
   ];
   executeAtom(src, args);
   if (existsSync(slicesFile)) {
-    const slicesData = JSON.parse(readFileSync(slicesFile), "utf8");
+    const slicesData = JSON.parse(readFileSync(slicesFile), {
+      encoding: "utf-8"
+    });
     if (slicesData && Object.keys(slicesData) && slicesData.modules) {
       retList = slicesData.modules;
     } else {
@@ -7660,7 +7797,7 @@ export const componentSorter = (a, b) => {
 };
 
 export const parseCmakeDotFile = (dotFile, pkgType, options = {}) => {
-  const dotGraphData = readFileSync(dotFile, "utf-8");
+  const dotGraphData = readFileSync(dotFile, { encoding: "utf-8" });
   const pkgList = [];
   const dependenciesMap = {};
   const pkgBomRefMap = {};
@@ -7769,12 +7906,13 @@ export const parseCmakeDotFile = (dotFile, pkgType, options = {}) => {
 };
 
 export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
-  let cmakeListData = readFileSync(cmakeListFile, "utf-8");
+  let cmakeListData = readFileSync(cmakeListFile, { encoding: "utf-8" });
   const pkgList = [];
   const pkgAddedMap = {};
   const versionSpecifiersMap = {};
   const versionsMap = {};
   let parentComponent = {};
+  const templateValues = {};
   cmakeListData = cmakeListData
     .replace(/^ {2}/g, "")
     .replace(/\(\r\n/g, "(")
@@ -7789,7 +7927,20 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
     let group = "";
     let path = undefined;
     let name_list = [];
-    if (l.startsWith("project") && !Object.keys(parentComponent).length) {
+    if (l.startsWith("set")) {
+      const tmpA = l.replace("set(", "").replace(")", "").trim().split(" ");
+      if (tmpA && tmpA.length === 2) {
+        templateValues[tmpA[0]] = tmpA[1];
+      }
+    } else if (
+      l.startsWith("project") &&
+      !Object.keys(parentComponent).length
+    ) {
+      if (l.includes("${")) {
+        for (const tmplKey of Object.keys(templateValues)) {
+          l = l.replace("${" + tmplKey + "}", templateValues[tmplKey] || "");
+        }
+      }
       const tmpA = l.replace("project (", "project(").split("project(");
       if (tmpA && tmpA.length > 1) {
         const tmpB = (tmpA[1] || "")
@@ -7807,7 +7958,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
         if (versionIndex > -1 && tmpB.length > versionIndex) {
           parentVersion = tmpB[versionIndex + 1];
         }
-        if (parentName && parentName.length) {
+        if (parentName && parentName.length && !parentName.includes("$")) {
           parentComponent = {
             group: options.projectGroup || "",
             name: parentName,
@@ -7989,7 +8140,7 @@ export const parseCmakeLikeFile = (cmakeListFile, pkgType, options = {}) => {
               methods: [
                 {
                   technique: "source-code-analysis",
-                  confidence: 0,
+                  confidence: 0.5,
                   value: `Filename ${cmakeListFile}`
                 }
               ]
@@ -8023,7 +8174,7 @@ export const getOSPackageForFile = (afile, osPkgsList) => {
         ospkg.evidence = {
           identity: {
             field: "purl",
-            confidence: 0,
+            confidence: 0.8,
             methods: [
               {
                 technique: "filename",
@@ -8057,47 +8208,122 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
   const epkgMap = {};
   let parentComponent = undefined;
   const dependsOn = [];
+  (epkgList || []).forEach((p) => {
+    epkgMap[p.group + "/" + p.name] = p;
+  });
   // Let's look for any vcpkg.json file to tell us about the directory we're scanning
   // users can use this file to give us a clue even if they do not use vcpkg library manager
   if (existsSync(join(src, "vcpkg.json"))) {
-    const vcPkgData = JSON.parse(join(src, "vcpkg.json"));
-    if (
-      vcPkgData &&
-      Object.keys(vcPkgData).length &&
-      vcPkgData.name &&
-      vcPkgData.version
-    ) {
+    const vcPkgData = JSON.parse(
+      readFileSync(join(src, "vcpkg.json"), { encoding: "utf-8" })
+    );
+    if (vcPkgData && Object.keys(vcPkgData).length && vcPkgData.name) {
       const parentPurl = new PackageURL(
         pkgType,
         "",
         vcPkgData.name,
-        vcPkgData.version,
+        vcPkgData.version || "",
         null,
         null
       ).toString();
       parentComponent = {
         name: vcPkgData.name,
-        version: vcPkgData.version,
+        version: vcPkgData.version || "",
         description: vcPkgData.description,
         license: vcPkgData.license,
         purl: parentPurl,
+        type: "application",
         "bom-ref": decodeURIComponent(parentPurl)
       };
       if (vcPkgData.homepage) {
         parentComponent.homepage = { url: vcPkgData.homepage };
       }
-    }
+      // Are there any dependencies declared in vcpkg.json
+      if (vcPkgData.dependencies && Array.isArray(vcPkgData.dependencies)) {
+        for (const avcdep of vcPkgData.dependencies) {
+          let avcpkgName = undefined;
+          let scope = undefined;
+          if (typeof avcdep === "string" || avcdep instanceof String) {
+            avcpkgName = avcdep;
+          } else if (Object.keys(avcdep).length && avcdep.name) {
+            avcpkgName = avcdep.name;
+            if (avcdep.host) {
+              scope = "optional";
+            }
+          }
+          // Is this a dependency we haven't seen before including the all lower and upper case version?
+          if (
+            avcpkgName &&
+            !epkgMap["/" + avcpkgName] &&
+            !epkgMap["/" + avcpkgName.toLowerCase()] &&
+            !epkgMap["/" + avcpkgName.toUpperCase()]
+          ) {
+            const pkgPurl = new PackageURL(
+              pkgType,
+              "",
+              avcpkgName,
+              "",
+              null,
+              null
+            ).toString();
+            const apkg = {
+              group: "",
+              name: avcpkgName,
+              type: pkgType,
+              version: "",
+              purl: pkgPurl,
+              scope,
+              "bom-ref": decodeURIComponent(pkgPurl),
+              evidence: {
+                identity: {
+                  field: "purl",
+                  confidence: 0.5,
+                  methods: [
+                    {
+                      technique: "source-code-analysis",
+                      confidence: 0.5,
+                      value: `Filename ${join(src, "vcpkg.json")}`
+                    }
+                  ]
+                }
+              }
+            };
+            if (!pkgAddedMap[avcpkgName]) {
+              pkgList.push(apkg);
+              dependsOn.push(apkg["bom-ref"]);
+              pkgAddedMap[avcpkgName] = true;
+            }
+          }
+        }
+      }
+    } // if
   } else if (existsSync(join(src, "CMakeLists.txt"))) {
     const retMap = parseCmakeLikeFile(join(src, "CMakeLists.txt"), pkgType);
     if (retMap.parentComponent && Object.keys(retMap.parentComponent).length) {
       parentComponent = retMap.parentComponent;
     }
+  } else if (options.projectName && options.projectVersion) {
+    parentComponent = {
+      group: options.projectGroup || "",
+      name: options.projectName || "",
+      version: "" + options.projectVersion || "latest",
+      type: "application"
+    };
+    const parentPurl = new PackageURL(
+      pkgType,
+      parentComponent.group,
+      parentComponent.name,
+      parentComponent.version,
+      null,
+      null
+    ).toString();
+    parentComponent.purl = parentPurl;
+    parentComponent["bom-ref"] = decodeURIComponent(parentPurl);
   }
-  (epkgList || []).forEach((p) => {
-    epkgMap[p.name] = p;
-  });
   if (options.usagesSlicesFile && existsSync(options.usagesSlicesFile)) {
-    sliceData = JSON.parse(readFileSync(options.usagesSlicesFile));
+    sliceData = JSON.parse(
+      readFileSync(options.usagesSlicesFile, { encoding: "utf-8" })
+    );
     if (DEBUG_MODE) {
       console.log("Re-using existing slices file", options.usagesSlicesFile);
     }
@@ -8110,7 +8336,9 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
     );
   }
   const usageData = parseCUsageSlice(sliceData);
-  for (const afile of Object.keys(usageData)) {
+  for (let afile of Object.keys(usageData)) {
+    // Normalize windows separator
+    afile = afile.replace("..\\", "").replace(/\\/g, "/");
     let fileName = basename(afile);
     if (!fileName || !fileName.length) {
       continue;
@@ -8129,14 +8357,14 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
     // We need to resolve the name to an os package here
     let name = fileName.replace(extn, "");
     let apkg = getOSPackageForFile(afile, osPkgsList) ||
-      epkgMap[name] || {
+      epkgMap[group + "/" + name] || {
         name,
         group,
         version: "",
         type: pkgType
       };
     // If this is a relative file, there is a good chance we can reuse the project group
-    if (!afile.startsWith(_sep)) {
+    if (!afile.startsWith(_sep) && !group.length) {
       group = options.projectGroup || "";
     }
     if (!apkg.purl) {
@@ -8164,9 +8392,16 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
       apkg["bom-ref"] = decodeURIComponent(apkg["purl"]);
     }
     if (usageData[afile]) {
-      const usymbols = Array.from(usageData[afile]).filter(
-        (v) => !v.startsWith("<") && !v.startsWith("__")
-      );
+      const usymbols = Array.from(usageData[afile])
+        .filter(
+          (v) =>
+            !v.startsWith("<") &&
+            !v.startsWith("__") &&
+            v !== "main" &&
+            !v.includes("anonymous_") &&
+            !v.includes(afile)
+        )
+        .sort();
       if (!apkg["properties"] && usymbols.length) {
         apkg["properties"] = [
           { name: "ImportedSymbols", value: usymbols.join(", ") }
@@ -8213,7 +8448,9 @@ export const getCppModules = (src, options, osPkgsList, epkgList) => {
       : [];
   return {
     parentComponent,
-    pkgList,
+    pkgList: pkgList.sort(function (a, b) {
+      return a.purl.localeCompare(b.purl);
+    }),
     dependenciesList
   };
 };
@@ -8246,34 +8483,21 @@ export const parseCUsageSlice = (sliceData) => {
         continue;
       }
       const slFileName = slice.fileName;
-      const slLineNumber = slice.lineNumber || 0;
       const allLines = usageData[slFileName] || new Set();
       if (slice.fullName && slice.fullName.length > 3) {
-        allLines.add(slice.fullName + "|" + slLineNumber);
         if (slice.code && slice.code.startsWith("#include")) {
           usageData[slice.fullName] = new Set();
+        } else {
+          allLines.add(slice.fullName);
         }
       }
       for (const ausage of slice.usages) {
-        if (ausage.targetObj.resolvedMethod) {
-          allLines.add(ausage.targetObj.resolvedMethod + "|" + slLineNumber);
-        } else {
-          const targetObjName = ausage.targetObj.name.replace(/\n/g, " ");
-          // We need to still filter out <global>, <clinit> style targets
-          if (
-            ausage.targetObj.lineNumber === slLineNumber ||
-            targetObjName.startsWith("<") ||
-            (slice.fullName.length > 3 &&
-              targetObjName.includes(slice.fullName))
-          ) {
-            continue;
-          }
-          allLines.add(targetObjName + "|" + slLineNumber);
-        }
         let calls = ausage?.invokedCalls || [];
         calls = calls.concat(ausage?.argToCalls || []);
         for (const acall of calls) {
-          allLines.add(acall.resolvedMethod + "|" + slLineNumber);
+          if (!acall.resolvedMethod.includes("->")) {
+            allLines.add(acall.resolvedMethod);
+          }
         }
       }
       if (Array.from(allLines).length) {
@@ -8465,6 +8689,13 @@ export const getNugetMetadata = async function (
             p.license = findLicenseId(body.catalogEntry.licenseExpression);
           } else if (body.catalogEntry.licenseUrl) {
             p.license = findLicenseId(body.catalogEntry.licenseUrl);
+            if (
+              typeof p.license === "string" &&
+              p.license.includes("://github.com/")
+            ) {
+              p.license =
+                (await getRepoLicense(p.license, undefined)) || p.license;
+            }
           }
           if (body.catalogEntry.projectUrl) {
             p.repository = { url: body.catalogEntry.projectUrl };
@@ -8476,6 +8707,17 @@ export const getNugetMetadata = async function (
                 p.version +
                 "/"
             };
+            if (
+              (!p.license || typeof p.license === "string") &&
+              typeof p.repository.url === "string" &&
+              p.repository.url.includes("://github.com/")
+            ) {
+              // license couldn't be properly identified and is still a url,
+              // therefore trying to resolve license via repository
+              p.license =
+                (await getRepoLicense(p.repository.url, undefined)) ||
+                p.license;
+            }
           }
           cdepList.push(p);
         }

package/utils.test.js

@@ -74,7 +74,8 @@ import {
   parseSbtTree,
   parseCmakeDotFile,
   parseCmakeLikeFile,
-  parseContainerFile
+  parseContainerFile,
+  parseBitbucketPipelinesFile
 } from "./utils.js";
 import { readFileSync } from "node:fs";
 import { parse } from "ssri";
@@ -2753,6 +2754,28 @@ test("parse containerfiles / dockerfiles", async () => {
   });
 });
 
+test("parse bitbucket-pipelines", async () => {
+  let dep_list = parseBitbucketPipelinesFile(
+    readFileSync("./test/data/bitbucket-pipelines.yml", { encoding: "utf-8" })
+  );
+  expect(dep_list.length).toEqual(5);
+  expect(dep_list[0]).toEqual({
+    image: "node:16"
+  });
+  expect(dep_list[1]).toEqual({
+    image: "node:18"
+  });
+  expect(dep_list[2]).toEqual({
+    image: "some.private.org/docker/library/node:20"
+  });
+  expect(dep_list[3]).toEqual({
+    image: "atlassian/aws/s3-deploy:0.2.2"
+  });
+  expect(dep_list[4]).toEqual({
+    image: "some.private.org/docker/library/some-pipe:1.0.0"
+  });
+});
+
 test("parse cloudbuild data", async () => {
   expect(parseCloudBuildData(null)).toEqual([]);
   const dep_list = parseCloudBuildData(
@@ -3083,6 +3106,18 @@ test("parseCmakeLikeFile tests", () => {
     type: "application",
     version: ""
   });
+  retMap = parseCmakeLikeFile(
+    "./test/data/cmakes/CMakeLists-tpl.txt",
+    "generic"
+  );
+  expect(retMap.parentComponent).toEqual({
+    "bom-ref": "pkg:generic/aurora-examples",
+    group: "",
+    name: "aurora-examples",
+    purl: "pkg:generic/aurora-examples",
+    type: "application",
+    version: ""
+  });
   retMap = parseCmakeLikeFile(
     "./test/data/cmakes/mongoc-config.cmake",
     "conan"