@cyclonedx/cdxgen 9.9.7 → 9.9.8

package/README.md

@@ -27,7 +27,7 @@ Most SBOM tools are like barcode scanners. They can scan a few package manifest
 | Go                              | binary, go.mod, go.sum, Gopkg.lock                                                                                | Yes except binary                                                                                 | Yes      |
 | Ruby                            | Gemfile.lock, gemspec                                                                                             | Only for Gemfile.lock                                                                             |          |
 | Rust                            | binary, Cargo.toml, Cargo.lock                                                                                    | Only for Cargo.lock                                                                               |          |
-| .Net                            | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock                         | Only for project.assets.json, packages.lock.json, paket.lock                                      |          |
+| .Net                            | .csproj, .vbproj, .fsproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock       | Only for project.assets.json, packages.lock.json, paket.lock                                      |          |
 | Dart                            | pubspec.lock, pubspec.yaml                                                                                        | Only for pubspec.lock                                                                             |          |
 | Haskell                         | cabal.project.freeze                                                                                              | Yes                                                                                               |          |
 | Elixir                          | mix.lock                                                                                                          | Yes                                                                                               |          |

package/binary.js

@@ -9,7 +9,7 @@ import {
 import { join, dirname, basename } from "node:path";
 import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
-import { DEBUG_MODE, findLicenseId } from "./utils.js";
+import { DEBUG_MODE, TIMEOUT_MS, findLicenseId } from "./utils.js";
 
 import { fileURLToPath } from "node:url";
 
@@ -24,7 +24,7 @@ const isWin = _platform() === "win32";
 let platform = _platform();
 let extn = "";
 let pluginsBinSuffix = "";
-if (platform == "win32") {
+if (platform === "win32") {
   platform = "windows";
   extn = ".exe";
 }
@@ -36,6 +36,9 @@ switch (arch) {
     break;
   case "x64":
     arch = "amd64";
+    if (platform === "windows") {
+      pluginsBinSuffix = "-windows-amd64";
+    }
     break;
   case "arm64":
     pluginsBinSuffix = "-arm64";
@@ -165,7 +168,21 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "osquery"))) {
 } else if (process.env.OSQUERY_CMD) {
   OSQUERY_BIN = process.env.OSQUERY_CMD;
 }
+let DOSAI_BIN = null;
+if (existsSync(join(CDXGEN_PLUGINS_DIR, "dosai"))) {
+  if (platform === "darwin") {
+    platform = "osx";
+  }
+  DOSAI_BIN = join(
+    CDXGEN_PLUGINS_DIR,
+    "dosai",
+    "dosai-" + platform + "-" + arch + extn
+  );
+} else if (process.env.DOSAI_CMD) {
+  DOSAI_BIN = process.env.DOSAI_CMD;
+}
 
+// Keep this list updated every year
 const OS_DISTRO_ALIAS = {
   "ubuntu-4.10": "warty",
   "ubuntu-5.04": "hoary",
@@ -692,3 +709,36 @@ export const executeOsQuery = (query) => {
   }
   return undefined;
 };
+
+/**
+ * Method to execute dosai to create slices for dotnet
+ *
+ * @param {string} src
+ * @param {string} slicesFile
+ * @returns boolean
+ */
+export const getDotnetSlices = (src, slicesFile) => {
+  if (!DOSAI_BIN) {
+    return false;
+  }
+  const args = ["methods", "--path", src, "--o", slicesFile];
+  if (DEBUG_MODE) {
+    console.log("Executing", DOSAI_BIN, args.join(" "));
+  }
+  const result = spawnSync(DOSAI_BIN, args, {
+    encoding: "utf-8",
+    timeout: TIMEOUT_MS,
+    cwd: src
+  });
+  if (result.status !== 0 || result.error) {
+    if (DEBUG_MODE && result.error) {
+      if (result.stderr) {
+        console.error(result.stdout, result.stderr);
+      } else {
+        console.log("Check if dosai plugin was installed successfully.");
+      }
+    }
+    return false;
+  }
+  return true;
+};

package/evinser.js

@@ -244,7 +244,9 @@ export const createSlice = (
   args.push(path.resolve(filePath));
   const result = executeAtom(filePath, args);
   if (!result || !fs.existsSync(slicesFile)) {
-    console.warn(`Unable to generate ${sliceType} slice using atom.`);
+    console.warn(
+      `Unable to generate ${sliceType} slice using atom. Check if this is a supported language.`
+    );
     console.log(
       "Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot."
     );

package/index.js

@@ -107,7 +107,8 @@ import {
   frameworksList,
   parseContainerFile,
   parseBitbucketPipelinesFile,
-  getPyMetadata
+  getPyMetadata,
+  addEvidenceForDotnet
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -131,7 +132,8 @@ import {
   getGoBuildInfo,
   getCargoAuditableInfo,
   executeOsQuery,
-  getOSPackages
+  getOSPackages,
+  getDotnetSlices
 } from "./binary.js";
 
 const isWin = _platform() === "win32";
@@ -4202,11 +4204,17 @@ export const createCsharpBom = async (
   let manifestFiles = [];
   let pkgData = undefined;
   let dependencies = [];
-  const csProjFiles = getAllFiles(
+  let csProjFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*.csproj",
     options
   );
+  csProjFiles = csProjFiles.concat(
+    getAllFiles(path, (options.multiProject ? "**/" : "") + "*.vbproj", options)
+  );
+  csProjFiles = csProjFiles.concat(
+    getAllFiles(path, (options.multiProject ? "**/" : "") + "*.fsproj", options)
+  );
   const pkgConfigFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "packages.config",
@@ -4253,7 +4261,7 @@ export const createCsharpBom = async (
         console.log(`Parsing ${af}`);
       }
       pkgData = readFileSync(af, { encoding: "utf-8" });
-      let results = await parseCsProjAssetsData(pkgData);
+      let results = await parseCsProjAssetsData(pkgData, af);
       let deps = results["dependenciesList"];
       let dlist = results["pkgList"];
       if (dlist && dlist.length) {
@@ -4305,7 +4313,7 @@ export const createCsharpBom = async (
       if (csProjData.charCodeAt(0) === 0xfeff) {
         csProjData = csProjData.slice(1);
       }
-      const dlist = await parseCsProjData(csProjData);
+      const dlist = await parseCsProjData(csProjData, f);
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
@@ -4336,6 +4344,22 @@ export const createCsharpBom = async (
   if (pkgList.length) {
     dependencies = mergeDependencies(dependencies, [], parentComponent);
     pkgList = trimComponents(pkgList, "json");
+    // Perform deep analysis using dosai
+    if (options.deep) {
+      const slicesFile = resolve(
+        options.depsSlicesFile || join(tmpdir(), "dosai.json")
+      );
+      // Create the slices file if it doesn't exist
+      if (!existsSync(slicesFile)) {
+        const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
+        if (!sliceResult && DEBUG_MODE) {
+          console.log(
+            "Slicing with dosai was unsuccessful. Check the errors reported in the logs above."
+          );
+        }
+      }
+      pkgList = addEvidenceForDotnet(pkgList, slicesFile, options);
+    }
   }
   if (FETCH_LICENSE) {
     const retMap = await getNugetMetadata(pkgList, dependencies);
@@ -5117,11 +5141,17 @@ export const createXBom = async (path, options) => {
   }
 
   // .Net
-  const csProjFiles = getAllFiles(
+  let csProjFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "*.csproj",
     options
   );
+  csProjFiles = csProjFiles.concat(
+    getAllFiles(path, (options.multiProject ? "**/" : "") + "*.vbproj", options)
+  );
+  csProjFiles = csProjFiles.concat(
+    getAllFiles(path, (options.multiProject ? "**/" : "") + "*.fsproj", options)
+  );
   if (csProjFiles.length) {
     return await createCsharpBom(path, options);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.7",
+  "version": "9.9.8",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -55,17 +55,17 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.5",
-    "@babel/traverse": "^7.23.5",
+    "@babel/parser": "^7.23.6",
+    "@babel/traverse": "^7.23.6",
     "@npmcli/arborist": "7.2.0",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",
     "edn-data": "1.1.1",
-    "find-up": "^6.3.0",
+    "find-up": "6.3.0",
     "glob": "^10.3.10",
     "global-agent": "^3.0.0",
-    "got": "^13.0.0",
+    "got": "13.0.0",
     "iconv-lite": "^0.6.3",
     "js-yaml": "^4.1.0",
     "jws": "^4.0.0",
@@ -84,14 +84,15 @@
   },
   "optionalDependencies": {
     "@appthreat/atom": "1.7.2",
-    "@cyclonedx/cdxgen-plugins-bin": "^1.4.0",
-    "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.4.0",
-    "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.4.0",
+    "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
+    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",
+    "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.4",
+    "@cyclonedx/cdxgen-plugins-bin-ppc64": "^1.5.4",
     "body-parser": "^1.20.2",
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.3",
-    "sequelize": "^6.35.1",
+    "sequelize": "^6.35.2",
     "sqlite3": "^5.1.6"
   },
   "files": [
@@ -102,10 +103,10 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.54.0",
-    "eslint-config-prettier": "^9.0.0",
+    "eslint": "^8.55.0",
+    "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",
-    "prettier": "3.1.0"
+    "prettier": "3.1.1"
   }
 }

package/utils.js

@@ -5189,7 +5189,7 @@ export const parseCsPkgData = async function (pkgData) {
   return pkgList;
 };
 
-export const parseCsProjData = async function (csProjData) {
+export const parseCsProjData = async function (csProjData, projFile) {
   const pkgList = [];
   if (!csProjData) {
     return pkgList;
@@ -5218,6 +5218,27 @@ export const parseCsProjData = async function (csProjData) {
         }
         pkg.name = pref.Include;
         pkg.version = pref.Version;
+        if (projFile) {
+          pkg.properties = [
+            {
+              name: "SrcFile",
+              value: projFile
+            }
+          ];
+          pkg.evidence = {
+            identity: {
+              field: "purl",
+              confidence: 0.7,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 0.7,
+                  value: projFile
+                }
+              ]
+            }
+          };
+        }
         pkgList.push(pkg);
       }
       // .net framework use Reference
@@ -5232,6 +5253,27 @@ export const parseCsProjData = async function (csProjData) {
         if (incParts.length > 1 && incParts[1].includes("Version")) {
           pkg.version = incParts[1].replace("Version=", "").trim();
         }
+        if (projFile) {
+          pkg.properties = [
+            {
+              name: "SrcFile",
+              value: projFile
+            }
+          ];
+          pkg.evidence = {
+            identity: {
+              field: "purl",
+              confidence: 0.7,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 0.7,
+                  value: projFile
+                }
+              ]
+            }
+          };
+        }
         pkgList.push(pkg);
       }
     }
@@ -5239,7 +5281,10 @@ export const parseCsProjData = async function (csProjData) {
   return pkgList;
 };
 
-export const parseCsProjAssetsData = async function (csProjData) {
+export const parseCsProjAssetsData = async function (
+  csProjData,
+  assetsJsonFile
+) {
   // extract name, operator, version from .NET package representation
   // like "NLog >= 4.5.0"
   function extractNameOperatorVersion(inputStr) {
@@ -5356,6 +5401,43 @@ export const parseCsProjAssetsData = async function (csProjData) {
           } else if (lib[rootDep].sha256) {
             pkg["_integrity"] = "sha256-" + lib[rootDep].sha256;
           }
+          if (lib[rootDep].files && Array.isArray(lib[rootDep].files)) {
+            const dllFiles = new Set();
+            lib[rootDep].files.forEach((f) => {
+              if (
+                f.endsWith(".dll") ||
+                f.endsWith(".exe") ||
+                f.endsWith(".so")
+              ) {
+                dllFiles.add(basename(f));
+              }
+            });
+            pkg.properties = [
+              {
+                name: "SrcFile",
+                value: assetsJsonFile
+              },
+              {
+                name: "PackageFiles",
+                value: Array.from(dllFiles).join(", ")
+              }
+            ];
+          }
+        }
+        if (assetsJsonFile) {
+          pkg.evidence = {
+            identity: {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 1,
+                  value: assetsJsonFile
+                }
+              ]
+            }
+          };
         }
         pkgList.push(pkg);
         pkgNameVersionMap[name + framework] = version;
@@ -7208,6 +7290,7 @@ export const executeAtom = (src, args) => {
   let cwd =
     existsSync(src) && lstatSync(src).isDirectory() ? src : dirname(src);
   let ATOM_BIN = getAtomCommand();
+  let isSupported = true;
   if (ATOM_BIN.includes(" ")) {
     const tmpA = ATOM_BIN.split(" ");
     if (tmpA && tmpA.length > 1) {
@@ -7260,6 +7343,12 @@ export const executeAtom = (src, args) => {
       );
     }
   }
+  if (result.stdout) {
+    if (result.stdout.includes("No language frontend supported for language")) {
+      console.log("This language is not yet supported by atom.");
+      isSupported = false;
+    }
+  }
   if (DEBUG_MODE) {
     if (result.stdout) {
       console.log(result.stdout);
@@ -7268,7 +7357,7 @@ export const executeAtom = (src, args) => {
       console.log(result.stderr);
     }
   }
-  return !result.error;
+  return isSupported && !result.error;
 };
 
 /**
@@ -8736,3 +8825,103 @@ export const getNugetMetadata = async function (
     dependencies: newDependencies
   };
 };
+
+export const addEvidenceForDotnet = (pkgList, slicesFile) => {
+  // We need two datastructures.
+  // dll to purl mapping from the pkgList
+  // purl to occurrences list using the slicesFile
+  if (!slicesFile || !existsSync(slicesFile)) {
+    return pkgList;
+  }
+  const pkgFilePurlMap = {};
+  const purlLocationMap = {};
+  const purlModulesMap = {};
+  const purlMethodsMap = {};
+  for (const apkg of pkgList) {
+    if (apkg.properties && Array.isArray(apkg.properties)) {
+      apkg.properties
+        .filter((p) => p.name === "PackageFiles")
+        .forEach((aprop) => {
+          if (aprop.value) {
+            const tmpA = aprop.value.split(", ");
+            if (tmpA && tmpA.length) {
+              tmpA.forEach((dllFile) => {
+                pkgFilePurlMap[dllFile] = apkg.purl;
+              });
+            }
+          }
+        });
+    }
+  }
+  const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
+  if (slicesData && Object.keys(slicesData)) {
+    if (slicesData.Dependencies) {
+      for (const adep of slicesData.Dependencies) {
+        if (
+          adep.Module &&
+          adep.Module.endsWith(".dll") &&
+          pkgFilePurlMap[adep.Module]
+        ) {
+          const modPurl = pkgFilePurlMap[adep.Module];
+          if (!purlLocationMap[modPurl]) {
+            purlLocationMap[modPurl] = new Set();
+          }
+          purlLocationMap[modPurl].add(`${adep.Path}#${adep.LineNumber}`);
+        }
+      }
+    }
+    if (slicesData.MethodCalls) {
+      for (const amethodCall of slicesData.MethodCalls) {
+        if (
+          amethodCall.Module &&
+          amethodCall.Module.endsWith(".dll") &&
+          pkgFilePurlMap[amethodCall.Module]
+        ) {
+          const modPurl = pkgFilePurlMap[amethodCall.Module];
+          if (!purlLocationMap[modPurl]) {
+            purlLocationMap[modPurl] = new Set();
+          }
+          if (!purlModulesMap[modPurl]) {
+            purlModulesMap[modPurl] = new Set();
+          }
+          if (!purlMethodsMap[modPurl]) {
+            purlMethodsMap[modPurl] = new Set();
+          }
+          purlLocationMap[modPurl].add(
+            `${amethodCall.Path}#${amethodCall.LineNumber}`
+          );
+          purlModulesMap[modPurl].add(amethodCall.ClassName);
+          purlMethodsMap[modPurl].add(amethodCall.CalledMethod);
+        }
+      }
+    }
+  }
+  if (Object.keys(purlLocationMap).length) {
+    for (const apkg of pkgList) {
+      if (purlLocationMap[apkg.purl]) {
+        const locationOccurrences = Array.from(
+          purlLocationMap[apkg.purl]
+        ).sort();
+        // Add the occurrences evidence
+        apkg.evidence.occurrences = locationOccurrences.map((l) => ({
+          location: l
+        }));
+      }
+      // Add the imported modules to properties
+      if (purlModulesMap[apkg.purl]) {
+        apkg.properties.push({
+          name: "ImportedModules",
+          value: Array.from(purlModulesMap[apkg.purl]).sort().join(", ")
+        });
+      }
+      // Add the called methods to properties
+      if (purlMethodsMap[apkg.purl]) {
+        apkg.properties.push({
+          name: "CalledMethods",
+          value: Array.from(purlMethodsMap[apkg.purl]).sort().join(", ")
+        });
+      }
+    }
+  }
+  return pkgList;
+};

package/utils.test.js

@@ -1272,8 +1272,9 @@ test("parse project.assets.json", async () => {
     dependenciesList: [],
     pkgList: []
   });
-  const dep_list = await parseCsProjAssetsData(
-    readFileSync("./test/data/project.assets.json", { encoding: "utf-8" })
+  let dep_list = await parseCsProjAssetsData(
+    readFileSync("./test/data/project.assets.json", { encoding: "utf-8" }),
+    "./test/data/project.assets.json"
   );
   expect(dep_list["pkgList"].length).toEqual(302);
   expect(dep_list["pkgList"][0]).toEqual({
@@ -1309,6 +1310,26 @@ test("parse project.assets.json", async () => {
     ],
     ref: "pkg:nuget/Castle.Core.Tests@0.0.0"
   });
+  dep_list = await parseCsProjAssetsData(
+    readFileSync("./test/data/project.assets1.json", { encoding: "utf-8" }),
+    "./test/data/project.assets1.json"
+  );
+  expect(dep_list["pkgList"].length).toEqual(43);
+  expect(dep_list["pkgList"][0]).toEqual({
+    "bom-ref": "pkg:nuget/Podcast.Server@1.0.0",
+    purl: "pkg:nuget/Podcast.Server@1.0.0",
+    group: "",
+    name: "Podcast.Server",
+    type: "application",
+    version: "1.0.0"
+  });
+  /*
+  const pkgList = addEvidenceForDotnet(
+    dep_list.pkgList,
+    "./test/data/dosai-methods.json"
+  );
+  expect(pkgList.length).toEqual(43);
+  */
 });
 
 test("parse packages.lock.json", async () => {
@@ -1725,8 +1746,8 @@ test("parsePkgLock v3", async () => {
     projectName: "cdxgen"
   });
   deps = parsedList.pkgList;
-  expect(deps.length).toEqual(1204);
-  expect(parsedList.dependenciesList.length).toEqual(1204);
+  expect(deps.length).toEqual(1205);
+  expect(parsedList.dependenciesList.length).toEqual(1205);
 });
 
 test("parseBowerJson", async () => {