@cyclonedx/cdxgen 9.9.8 → 9.10.0

package/README.md

@@ -229,14 +229,14 @@ To generate SBOM for an older specification version, such as 1.4, pass the versi
 cdxgen -r -o bom.json --spec-version 1.4
 ```
 
-To generate SBOM for C or Python, ensure Java >= 17 is installed.
+To generate SBOM for C or Python, ensure Java >= 21 is installed.
 
 ```shell
-# Install java >= 17
+# Install java >= 21
 cdxgen -t c -o bom.json
 ```
 
-NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
+NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 21 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
 
 ## Universal SBOM
 
@@ -371,6 +371,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | GRADLE_DEPENDENCY_TASK       | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name.                                    |
 | SBT_CACHE_DIR                | Specify sbt cache directory. Useful for class name resolving                                                                         |
 | FETCH_LICENSE                | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang                                    |
+| SEARCH_MAVEN_ORG             | If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search.        |
 | USE_GOSUM                    | Set to `true` or `1` to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod          |
 | CDXGEN_TIMEOUT_MS            | Default timeout for known execution involving maven, gradle or sbt                                                                   |
 | CDXGEN_SERVER_TIMEOUT_MS     | Default timeout in server mode                                                                                                       |

package/evinser.js

@@ -478,13 +478,15 @@ export const parseSliceUsages = async (
   purlLocationMap,
   purlImportsMap
 ) => {
-  const usages = slice.usages;
-  if (!usages || !usages.length) {
-    return undefined;
-  }
   const fileName = slice.fileName;
   const typesToLookup = new Set();
   const lKeyOverrides = {};
+  const usages = slice.usages || [];
+  // Annotations from usages
+  if (slice.signature && slice.signature.startsWith("@") && !usages.length) {
+    typesToLookup.add(slice.fullName);
+    addToOverrides(lKeyOverrides, slice.fullName, fileName, slice.lineNumber);
+  }
   for (const ausage of usages) {
     const ausageLine =
       ausage?.targetObj?.lineNumber || ausage?.definedBy?.lineNumber;
@@ -527,7 +529,17 @@ export const parseSliceUsages = async (
       .concat(ausage?.invokedCalls || [])
       .concat(ausage?.argToCalls || [])
       .concat(ausage?.procedures || [])) {
-      if (acall.isExternal == false) {
+      if (acall.resolvedMethod && acall.resolvedMethod.startsWith("@")) {
+        typesToLookup.add(acall.callName);
+        if (acall.lineNumber) {
+          addToOverrides(
+            lKeyOverrides,
+            acall.callName,
+            fileName,
+            acall.lineNumber
+          );
+        }
+      } else if (acall.isExternal == false) {
         continue;
       }
       if (

package/index.js

@@ -108,7 +108,8 @@ import {
   parseContainerFile,
   parseBitbucketPipelinesFile,
   getPyMetadata,
-  addEvidenceForDotnet
+  addEvidenceForDotnet,
+  getSwiftPackageMetadata
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -1085,7 +1086,7 @@ export const createJarBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Parsing ${jar}`);
       }
-      const dlist = extractJarArchive(jar, tempDir);
+      const dlist = await extractJarArchive(jar, tempDir);
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
@@ -1127,7 +1128,7 @@ export const createJavaBom = async (path, options) => {
       }
       const tempDir = mkdtempSync(join(tmpdir(), "war-deps-"));
       jarNSMapping = collectJarNS(tempDir);
-      pkgList = extractJarArchive(path, tempDir, jarNSMapping);
+      pkgList = await extractJarArchive(path, tempDir, jarNSMapping);
       if (pkgList.length) {
         pkgList = await getMvnMetadata(pkgList);
       }
@@ -1266,7 +1267,7 @@ export const createJavaBom = async (path, options) => {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
+                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
               );
             }
             console.log(
@@ -3169,7 +3170,7 @@ export const createCppBom = (path, options) => {
       }
     }
   }
-  // The need for java >= 17 with atom is causing confusions since there could be C projects
+  // The need for java >= 21 with atom is causing confusions since there could be C projects
   // inside of other project types. So we currently limit this analyis only when -t argument
   // is used.
   if (
@@ -3560,7 +3561,7 @@ export const createJenkinsBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
-      const dlist = extractJarArchive(f, tempDir);
+      const dlist = await extractJarArchive(f, tempDir);
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
@@ -3628,7 +3629,7 @@ export const createHelmBom = (path, options) => {
  * @param path to the project
  * @param options Parse options from the cli
  */
-export const createSwiftBom = (path, options) => {
+export const createSwiftBom = async (path, options) => {
   const swiftFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "Package*.swift",
@@ -3704,6 +3705,9 @@ export const createSwiftBom = (path, options) => {
       }
     }
   }
+  if (FETCH_LICENSE) {
+    pkgList = await getSwiftPackageMetadata(pkgList);
+  }
   return buildBomNSData(options, pkgList, "swift", {
     src: path,
     filename: swiftFiles.join(", "),
@@ -4899,7 +4903,7 @@ export const createMultiXBom = async (pathList, options) => {
         )
       );
     }
-    bomData = createSwiftBom(path, options);
+    bomData = await createSwiftBom(path, options);
     if (
       bomData &&
       bomData.bomJson &&
@@ -5329,7 +5333,7 @@ export const createXBom = async (path, options) => {
     options
   );
   if (swiftFiles.length || pkgResolvedFiles.length) {
-    return createSwiftBom(path, options);
+    return await createSwiftBom(path, options);
   }
 };
 
@@ -5585,7 +5589,7 @@ export const createBom = async (path, options) => {
     case "cloudbuild":
       return createCloudBuildBom(path, options);
     case "swift":
-      return createSwiftBom(path, options);
+      return await createSwiftBom(path, options);
     default:
       // In recurse mode return multi-language Bom
       // https://github.com/cyclonedx/cdxgen/issues/95

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.8",
+  "version": "9.10.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.7.2",
+    "@appthreat/atom": "1.7.5",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.4",
@@ -103,7 +103,7 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.55.0",
+    "eslint": "^8.56.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",

package/utils.js

@@ -19,8 +19,10 @@ import {
   readFileSync,
   rmSync,
   unlinkSync,
-  writeFileSync
+  writeFileSync,
+  createReadStream
 } from "node:fs";
+import { createHash } from "node:crypto";
 import got from "got";
 import Arborist from "@npmcli/arborist";
 import path from "node:path";
@@ -120,6 +122,19 @@ export const FETCH_LICENSE =
   process.env.FETCH_LICENSE &&
   ["true", "1"].includes(process.env.FETCH_LICENSE);
 
+// Wether search.maven.org will be used to identify jars without maven metadata; default, if unset shall be 'true'
+export const SEARCH_MAVEN_ORG =
+  !process.env.SEARCH_MAVEN_ORG ||
+  ["true", "1"].includes(process.env.SEARCH_MAVEN_ORG);
+
+// circuit breaker for search maven.org
+let search_maven_org_errors = 0;
+const MAX_SEARCH_MAVEN_ORG_ERRORS = 5;
+
+// circuit breaker for get repo license
+let get_repo_license_errors = 0;
+const MAX_GET_REPO_LICENSE_ERRORS = 5;
+
 const MAX_LICENSE_ID_LENGTH = 100;
 
 let PYTHON_CMD = "python";
@@ -389,6 +404,34 @@ export function readLicenseText(
   return null;
 }
 
+export const getSwiftPackageMetadata = async (pkgList) => {
+  const cdepList = [];
+  for (const p of pkgList) {
+    if (p.repository && p.repository.url) {
+      if (p.repository.url.includes("://github.com/")) {
+        try {
+          p.license = await getRepoLicense(p.repository.url, undefined);
+        } catch (e) {
+          console.error("error fetching repo license from", p.repository.url);
+        }
+      } else {
+        if (DEBUG_MODE) {
+          console.log(
+            p.repository.url,
+            "is currently not supported to fetch for licenses"
+          );
+        }
+      }
+    } else {
+      if (DEBUG_MODE) {
+        console.warn("no repository url found for", p.name);
+      }
+    }
+    cdepList.push(p);
+  }
+  return cdepList;
+};
+
 /**
  * Method to retrieve metadata for npm packages by querying npmjs
  *
@@ -2092,7 +2135,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
       } else {
         console.error(result.stdout, result.stderr);
         console.log(
-          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 20 with gradle 8 which might be incompatible."
+          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible."
         );
       }
       if (result.stderr.includes("not get unknown property")) {
@@ -3318,21 +3361,30 @@ export const repoMetadataToGitHubApiUrl = function (repoMetadata) {
 };
 
 /**
- * Method to construct GitHub api url from repo metadata or one of multiple formats of repo URLs
+ * Method to split GitHub url into its parts
  * @param {String} repoUrl Repository url
- * @param {Object} repoMetadata Object containing group and package name strings
- * @return {String|undefined} github api url (or undefined - if not a GitHub repo)
+ * @return {[String]} parts from url
  */
-export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
-  if (!repoUrl || !repoUrl.includes("://github.com/")) {
-    return repoMetadataToGitHubApiUrl(repoMetadata);
-  }
+export const getGithubUrlParts = (repoUrl) => {
   if (repoUrl.toLowerCase().endsWith(".git")) {
     repoUrl = repoUrl.slice(0, -4);
   }
   repoUrl.replace(/\/$/, "");
   const parts = repoUrl.split("/");
+  return parts;
+};
 
+/**
+ * Method to construct GitHub api url from repo metadata or one of multiple formats of repo URLs
+ * @param {String} repoUrl Repository url
+ * @param {Object} repoMetadata Object containing group and package name strings
+ * @return {String|undefined} github api url (or undefined - if not a GitHub repo)
+ */
+export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
+  if (repoMetadata) {
+    return repoMetadataToGitHubApiUrl(repoMetadata);
+  }
+  const parts = getGithubUrlParts(repoUrl);
   if (parts.length < 5 || parts[2] !== "github.com") {
     return undefined; // Not a valid GitHub repo URL
   } else {
@@ -3353,7 +3405,7 @@ export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
 export const getRepoLicense = async function (repoUrl, repoMetadata) {
   let apiUrl = toGitHubApiUrl(repoUrl, repoMetadata);
   // Perform github lookups
-  if (apiUrl) {
+  if (apiUrl && get_repo_license_errors < MAX_GET_REPO_LICENSE_ERRORS) {
     let licenseUrl = apiUrl + "/license";
     const headers = {};
     if (process.env.GITHUB_TOKEN) {
@@ -3399,8 +3451,10 @@ export const getRepoLicense = async function (repoUrl, repoMetadata) {
               "Please ensure GITHUB_TOKEN is set as environment variable. " +
               "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api"
           );
+          get_repo_license_errors++;
         } else if (!err.message.includes("404")) {
           console.log(err);
+          get_repo_license_errors++;
         }
       }
     }
@@ -6105,87 +6159,89 @@ export const convertOSQueryResults = function (
   return pkgList;
 };
 
-export const _swiftDepPkgList = (
+const purlFromUrlString = (type, repoUrl, version) => {
+  let namespace = "",
+    name;
+  if (repoUrl && repoUrl.includes("://github.com/")) {
+    const parts = getGithubUrlParts(repoUrl);
+    if (parts.length < 5 || parts[2] !== "github.com") {
+      return undefined; // Not a valid GitHub repo URL
+    } else {
+      namespace = parts[2] + "/" + parts[3];
+      name = parts[4];
+    }
+  } else if (repoUrl && repoUrl.startsWith("/")) {
+    const parts = repoUrl.split("/");
+    name = parts[parts.length - 1];
+  } else {
+    if (DEBUG_MODE) {
+      console.warn("unsupported repo url for swift type");
+    }
+    return undefined;
+  }
+
+  const purl = new PackageURL(type, namespace, name, version, null, null);
+  return purl;
+};
+
+/**
+ * Parse swift dependency tree output json object
+ * @param {string} jsonObject Swift dependencies json object
+ * @param {string} pkgFile Package.swift file
+ */
+export const parseSwiftJsonTreeObject = (
   pkgList,
   dependenciesList,
-  depKeys,
-  jsonData
+  jsonObject,
+  pkgFile
 ) => {
-  if (jsonData && jsonData.dependencies) {
-    for (const adep of jsonData.dependencies) {
-      const urlOrPath = adep.url || adep.path;
-      const apkg = {
-        group: adep.identity || "",
-        name: adep.name,
-        version: adep.version
-      };
-      const purl = new PackageURL(
-        "swift",
-        apkg.group,
-        apkg.name,
-        apkg.version,
-        null,
-        null
-      );
-      const purlString = decodeURIComponent(purl.toString());
-      if (urlOrPath) {
-        if (urlOrPath.startsWith("http")) {
-          apkg.repository = { url: urlOrPath };
-          if (apkg.path) {
-            apkg.properties = [
-              {
-                name: "SrcPath",
-                value: apkg.path
-              }
-            ];
-          }
-        } else {
-          apkg.properties = [
-            {
-              name: "SrcPath",
-              value: urlOrPath
-            }
-          ];
-        }
-      }
-      pkgList.push(apkg);
-      // Handle the immediate dependencies before recursing
-      if (adep.dependencies && adep.dependencies.length) {
-        const deplist = [];
-        for (const cdep of adep.dependencies) {
-          const deppurl = new PackageURL(
-            "swift",
-            cdep.identity || "",
-            cdep.name,
-            cdep.version,
-            null,
-            null
-          );
-          const deppurlString = decodeURIComponent(deppurl.toString());
-          deplist.push(deppurlString);
-        }
-        if (!depKeys[purlString]) {
-          dependenciesList.push({
-            ref: purlString,
-            dependsOn: deplist
-          });
-          depKeys[purlString] = true;
-        }
-        if (adep.dependencies && adep.dependencies.length) {
-          _swiftDepPkgList(pkgList, dependenciesList, depKeys, adep);
-        }
-      } else {
-        if (!depKeys[purlString]) {
-          dependenciesList.push({
-            ref: purlString,
-            dependsOn: []
-          });
-          depKeys[purlString] = true;
-        }
+  const urlOrPath = jsonObject.url || jsonObject.path;
+  const version = jsonObject.version;
+  const purl = purlFromUrlString("swift", urlOrPath, version);
+  const purlString = decodeURIComponent(purl.toString());
+  const rootPkg = {
+    name: purl.name,
+    group: purl.namespace,
+    version: purl.version,
+    purl: purlString,
+    "bom-ref": purlString
+  };
+  if (urlOrPath) {
+    if (urlOrPath.startsWith("http")) {
+      rootPkg.repository = { url: urlOrPath };
+    } else {
+      const properties = [];
+      properties.push({
+        name: "SrcPath",
+        value: urlOrPath
+      });
+      if (pkgFile) {
+        properties.push({
+          name: "SrcFile",
+          value: pkgFile
+        });
       }
+      rootPkg.properties = properties;
     }
   }
-  return { pkgList, dependenciesList };
+  pkgList.push(rootPkg);
+  const depList = [];
+  if (jsonObject.dependencies) {
+    for (const dependency of jsonObject.dependencies) {
+      const res = parseSwiftJsonTreeObject(
+        pkgList,
+        dependenciesList,
+        dependency,
+        pkgFile
+      );
+      depList.push(res);
+    }
+  }
+  dependenciesList.push({
+    ref: purlString,
+    dependsOn: depList
+  });
+  return purlString;
 };
 
 /**
@@ -6199,64 +6255,9 @@ export const parseSwiftJsonTree = (rawOutput, pkgFile) => {
   }
   const pkgList = [];
   const dependenciesList = [];
-  const depKeys = {};
-  let rootPkg = {};
-  let jsonData = {};
   try {
-    jsonData = JSON.parse(rawOutput);
-    if (jsonData && jsonData.name) {
-      rootPkg = {
-        group: jsonData.identity || "",
-        name: jsonData.name,
-        version: jsonData.version
-      };
-      const urlOrPath = jsonData.url || jsonData.path;
-      if (urlOrPath) {
-        if (urlOrPath.startsWith("http")) {
-          rootPkg.repository = { url: urlOrPath };
-        } else {
-          rootPkg.properties = [
-            {
-              name: "SrcPath",
-              value: urlOrPath
-            },
-            {
-              name: "SrcFile",
-              value: pkgFile
-            }
-          ];
-        }
-      }
-      const purl = new PackageURL(
-        "swift",
-        rootPkg.group,
-        rootPkg.name,
-        rootPkg.version,
-        null,
-        null
-      );
-      const bomRefString = decodeURIComponent(purl.toString());
-      rootPkg["bom-ref"] = bomRefString;
-      pkgList.push(rootPkg);
-      const deplist = [];
-      for (const rd of jsonData.dependencies) {
-        const deppurl = new PackageURL(
-          "swift",
-          rd.identity || "",
-          rd.name,
-          rd.version,
-          null,
-          null
-        );
-        const deppurlString = decodeURIComponent(deppurl.toString());
-        deplist.push(deppurlString);
-      }
-      dependenciesList.push({
-        ref: bomRefString,
-        dependsOn: deplist
-      });
-      _swiftDepPkgList(pkgList, dependenciesList, depKeys, jsonData);
-    }
+    const jsonData = JSON.parse(rawOutput);
+    parseSwiftJsonTreeObject(pkgList, dependenciesList, jsonData, pkgFile);
   } catch (e) {
     if (DEBUG_MODE) {
       console.log(e);
@@ -6287,10 +6288,16 @@ export const parseSwiftResolved = (resolvedFile) => {
         resolvedList = pkgData.object.pins;
       }
       for (const adep of resolvedList) {
-        const apkg = {
-          name: adep.package || adep.identity,
-          group: "",
-          version: adep.state.version || adep.state.revision,
+        const locationOrUrl = adep.location || adep.repositoryURL;
+        const version = adep.state.version || adep.state.revision;
+        const purl = purlFromUrlString("swift", locationOrUrl, version);
+        const purlString = decodeURIComponent(purl.toString());
+        const rootPkg = {
+          name: purl.name,
+          group: purl.namespace,
+          version: purl.version,
+          purl: purlString,
+          "bom-ref": purlString,
           properties: [
             {
               name: "SrcFile",
@@ -6311,11 +6318,10 @@ export const parseSwiftResolved = (resolvedFile) => {
             }
           }
         };
-        const repLocation = adep.location || adep.repositoryURL;
-        if (repLocation) {
-          apkg.repository = { url: repLocation };
+        if (locationOrUrl) {
+          rootPkg.repository = { url: locationOrUrl };
         }
-        pkgList.push(apkg);
+        pkgList.push(rootPkg);
       }
     } catch (err) {
       // continue regardless of error
@@ -6578,7 +6584,7 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
         ) {
           jarCommandAvailable = false;
           console.log(
-            "jar command is not available in PATH. Ensure JDK >= 17 is installed and set the environment variables JAVA_HOME and PATH to the bin directory inside JAVA_HOME."
+            "jar command is not available in PATH. Ensure JDK >= 21 is installed and set the environment variables JAVA_HOME and PATH to the bin directory inside JAVA_HOME."
           );
         }
         const consolelines = (jarResult.stdout || "").split("\n");
@@ -6775,6 +6781,22 @@ export const getPomPropertiesFromMavenDir = function (mavenDir) {
   return pomProperties;
 };
 
+/**
+ *
+ * @param {string} hashName name of hash algorithm
+ * @param {string} path path to file
+ * @returns {Promise<String>} hex value of hash
+ */
+async function checksumFile(hashName, path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash(hashName);
+    const stream = createReadStream(path);
+    stream.on("error", (err) => reject(err));
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+  });
+}
+
 /**
  * Method to extract a war or ear file
  *
@@ -6784,7 +6806,7 @@ export const getPomPropertiesFromMavenDir = function (mavenDir) {
  *
  * @return pkgList Package list
  */
-export const extractJarArchive = function (
+export const extractJarArchive = async function (
   jarFile,
   tempDir,
   jarNSMapping = {}
@@ -6882,6 +6904,35 @@ export const extractJarArchive = function (
           version = pomProperties["version"],
           confidence = 1,
           technique = "manifest-analysis";
+        if (
+          (!group || !name || !version) &&
+          SEARCH_MAVEN_ORG &&
+          search_maven_org_errors < MAX_SEARCH_MAVEN_ORG_ERRORS
+        ) {
+          try {
+            const sha = await checksumFile("sha1", jf);
+            const searchurl =
+              "https://search.maven.org/solrsearch/select?q=1:%22" +
+              sha +
+              "%22&rows=20&wt=json";
+            const res = await cdxgenAgent.get(searchurl, {
+              responseType: "json"
+            });
+            const data = res && res.body ? res.body["response"] : undefined;
+            if (data && data["numFound"] == 1) {
+              const jarInfo = data["docs"][0];
+              group = jarInfo["g"];
+              name = jarInfo["a"];
+              version = jarInfo["v"];
+              technique = "hash-comparison";
+            }
+          } catch (err) {
+            if (err && err.message && !err.message.includes("404")) {
+              console.log(err);
+              search_maven_org_errors++;
+            }
+          }
+        }
         if ((!group || !name || !version) && existsSync(manifestFile)) {
           confidence = 0.8;
           const jarMetadata = parseJarManifest(

package/utils.test.js

@@ -2919,28 +2919,29 @@ test("parse swift deps files", () => {
   );
   expect(retData.pkgList.length).toEqual(5);
   expect(retData.pkgList[0]).toEqual({
-    group: "swift-markdown",
     name: "swift-markdown",
+    group: "",
+    purl: "pkg:swift/swift-markdown@unspecified",
     version: "unspecified",
     properties: [
       { name: "SrcPath", value: "/Volumes/Work/sandbox/swift-markdown" },
       { name: "SrcFile", value: "./test/data/swift-deps.json" }
     ],
-    "bom-ref": "pkg:swift/swift-markdown/swift-markdown@unspecified"
+    "bom-ref": "pkg:swift/swift-markdown@unspecified"
   });
   expect(retData.dependenciesList.length).toEqual(5);
   expect(retData.dependenciesList[0]).toEqual({
-    ref: "pkg:swift/swift-markdown/swift-markdown@unspecified",
-    dependsOn: [
-      "pkg:swift/swift-cmark/cmark-gfm@unspecified",
-      "pkg:swift/swift-argument-parser/swift-argument-parser@1.0.3",
-      "pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0"
-    ]
+    ref: "pkg:swift/github.com/apple/swift-cmark@unspecified",
+    dependsOn: []
   });
   expect(retData.dependenciesList[retData.dependenciesList.length - 1]).toEqual(
     {
-      ref: "pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0",
-      dependsOn: []
+      ref: "pkg:swift/swift-markdown@unspecified",
+      dependsOn: [
+        "pkg:swift/github.com/apple/swift-cmark@unspecified",
+        "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
+        "pkg:swift/github.com/apple/swift-docc-plugin@1.1.0"
+      ]
     }
   );
   retData = parseSwiftJsonTree(
@@ -2949,8 +2950,9 @@ test("parse swift deps files", () => {
   );
   expect(retData.pkgList.length).toEqual(5);
   expect(retData.pkgList[0]).toEqual({
-    group: "swift-certificates",
     name: "swift-certificates",
+    group: "",
+    purl: "pkg:swift/swift-certificates@unspecified",
     version: "unspecified",
     properties: [
       {
@@ -2959,36 +2961,37 @@ test("parse swift deps files", () => {
       },
       { name: "SrcFile", value: "./test/data/swift-deps.json" }
     ],
-    "bom-ref": "pkg:swift/swift-certificates/swift-certificates@unspecified"
+    "bom-ref": "pkg:swift/swift-certificates@unspecified"
   });
   expect(retData.dependenciesList).toEqual([
     {
-      ref: "pkg:swift/swift-certificates/swift-certificates@unspecified",
-      dependsOn: ["pkg:swift/swift-crypto/swift-crypto@2.4.0"]
+      ref: "pkg:swift/github.com/apple/swift-docc-symbolkit@1.0.0",
+      dependsOn: []
     },
     {
-      ref: "pkg:swift/swift-crypto/swift-crypto@2.4.0",
-      dependsOn: ["pkg:swift/swift-asn1/swift-asn1@0.7.0"]
+      ref: "pkg:swift/github.com/apple/swift-docc-plugin@1.1.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-docc-symbolkit@1.0.0"]
     },
     {
-      ref: "pkg:swift/swift-asn1/swift-asn1@0.7.0",
-      dependsOn: ["pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0"]
+      ref: "pkg:swift/github.com/apple/swift-asn1@0.7.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-docc-plugin@1.1.0"]
     },
     {
-      ref: "pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0",
-      dependsOn: ["pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0"]
+      ref: "pkg:swift/github.com/apple/swift-crypto@2.4.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-asn1@0.7.0"]
     },
     {
-      ref: "pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0",
-      dependsOn: []
+      ref: "pkg:swift/swift-certificates@unspecified",
+      dependsOn: ["pkg:swift/github.com/apple/swift-crypto@2.4.0"]
     }
   ]);
   let pkgList = parseSwiftResolved("./test/data/Package.resolved");
   expect(pkgList.length).toEqual(4);
   expect(pkgList[0]).toEqual({
     name: "swift-argument-parser",
-    group: "",
+    group: "github.com/apple",
     version: "1.0.3",
+    purl: "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
     properties: [{ name: "SrcFile", value: "./test/data/Package.resolved" }],
     evidence: {
       identity: {
@@ -3003,14 +3006,16 @@ test("parse swift deps files", () => {
         ]
       }
     },
+    "bom-ref": "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
     repository: { url: "https://github.com/apple/swift-argument-parser" }
   });
   pkgList = parseSwiftResolved("./test/data/Package2.resolved");
   expect(pkgList.length).toEqual(4);
   expect(pkgList[0]).toEqual({
     name: "swift-argument-parser",
-    group: "",
+    group: "github.com/apple",
     version: "1.2.2",
+    purl: "pkg:swift/github.com/apple/swift-argument-parser@1.2.2",
     properties: [{ name: "SrcFile", value: "./test/data/Package2.resolved" }],
     evidence: {
       identity: {
@@ -3025,6 +3030,7 @@ test("parse swift deps files", () => {
         ]
       }
     },
+    "bom-ref": "pkg:swift/github.com/apple/swift-argument-parser@1.2.2",
     repository: { url: "https://github.com/apple/swift-argument-parser.git" }
   });
 });