npm - @cyclonedx/cdxgen - Versions diffs - 9.9.8 → 9.9.9 - Mend

@cyclonedx/cdxgen 9.9.8 → 9.9.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -371,6 +371,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | GRADLE_DEPENDENCY_TASK       | By default cdxgen use the task "dependencies" to collect packages. Set to override the task name.                                    |
 | SBT_CACHE_DIR                | Specify sbt cache directory. Useful for class name resolving                                                                         |
 | FETCH_LICENSE                | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang                                    |
+| SEARCH_MAVEN_ORG             | If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search.        |
 | USE_GOSUM                    | Set to `true` or `1` to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod          |
 | CDXGEN_TIMEOUT_MS            | Default timeout for known execution involving maven, gradle or sbt                                                                   |
 | CDXGEN_SERVER_TIMEOUT_MS     | Default timeout in server mode                                                                                                       |

package/index.js CHANGED Viewed

@@ -1085,7 +1085,7 @@ export const createJarBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Parsing ${jar}`);
       }
-      const dlist = extractJarArchive(jar, tempDir);
+      const dlist = await extractJarArchive(jar, tempDir);
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
@@ -1127,7 +1127,7 @@ export const createJavaBom = async (path, options) => {
       }
       const tempDir = mkdtempSync(join(tmpdir(), "war-deps-"));
       jarNSMapping = collectJarNS(tempDir);
-      pkgList = extractJarArchive(path, tempDir, jarNSMapping);
+      pkgList = await extractJarArchive(path, tempDir, jarNSMapping);
       if (pkgList.length) {
         pkgList = await getMvnMetadata(pkgList);
       }
@@ -3560,7 +3560,7 @@ export const createJenkinsBom = async (path, options) => {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
-      const dlist = extractJarArchive(f, tempDir);
+      const dlist = await extractJarArchive(f, tempDir);
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.8",
+  "version": "9.9.9",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js CHANGED Viewed

@@ -19,8 +19,10 @@ import {
   readFileSync,
   rmSync,
   unlinkSync,
-  writeFileSync
+  writeFileSync,
+  createReadStream
 } from "node:fs";
+import { createHash } from "node:crypto";
 import got from "got";
 import Arborist from "@npmcli/arborist";
 import path from "node:path";
@@ -120,6 +122,19 @@ export const FETCH_LICENSE =
   process.env.FETCH_LICENSE &&
   ["true", "1"].includes(process.env.FETCH_LICENSE);
+// Wether search.maven.org will be used to identify jars without maven metadata; default, if unset shall be 'true'
+export const SEARCH_MAVEN_ORG =
+  !process.env.SEARCH_MAVEN_ORG ||
+  ["true", "1"].includes(process.env.SEARCH_MAVEN_ORG);
+// circuit breaker for search maven.org
+let search_maven_org_errors = 0;
+const MAX_SEARCH_MAVEN_ORG_ERRORS = 5;
+// circuit breaker for get repo license
+let get_repo_license_errors = 0;
+const MAX_GET_REPO_LICENSE_ERRORS = 5;
 const MAX_LICENSE_ID_LENGTH = 100;
 let PYTHON_CMD = "python";
@@ -3353,7 +3368,7 @@ export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
 export const getRepoLicense = async function (repoUrl, repoMetadata) {
   let apiUrl = toGitHubApiUrl(repoUrl, repoMetadata);
   // Perform github lookups
-  if (apiUrl) {
+  if (apiUrl && get_repo_license_errors < MAX_GET_REPO_LICENSE_ERRORS) {
     let licenseUrl = apiUrl + "/license";
     const headers = {};
     if (process.env.GITHUB_TOKEN) {
@@ -3399,8 +3414,10 @@ export const getRepoLicense = async function (repoUrl, repoMetadata) {
               "Please ensure GITHUB_TOKEN is set as environment variable. " +
               "See: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api"
           );
+          get_repo_license_errors++;
         } else if (!err.message.includes("404")) {
           console.log(err);
+          get_repo_license_errors++;
         }
       }
     }
@@ -6775,6 +6792,22 @@ export const getPomPropertiesFromMavenDir = function (mavenDir) {
   return pomProperties;
 };
+/**
+ *
+ * @param {string} hashName name of hash algorithm
+ * @param {string} path path to file
+ * @returns {Promise<String>} hex value of hash
+ */
+async function checksumFile(hashName, path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash(hashName);
+    const stream = createReadStream(path);
+    stream.on("error", (err) => reject(err));
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+  });
+}
 /**
  * Method to extract a war or ear file
  *
@@ -6784,7 +6817,7 @@ export const getPomPropertiesFromMavenDir = function (mavenDir) {
  *
  * @return pkgList Package list
  */
-export const extractJarArchive = function (
+export const extractJarArchive = async function (
   jarFile,
   tempDir,
   jarNSMapping = {}
@@ -6882,6 +6915,35 @@ export const extractJarArchive = function (
           version = pomProperties["version"],
           confidence = 1,
           technique = "manifest-analysis";
+        if (
+          (!group || !name || !version) &&
+          SEARCH_MAVEN_ORG &&
+          search_maven_org_errors < MAX_SEARCH_MAVEN_ORG_ERRORS
+        ) {
+          try {
+            const sha = await checksumFile("sha1", jf);
+            const searchurl =
+              "https://search.maven.org/solrsearch/select?q=1:%22" +
+              sha +
+              "%22&rows=20&wt=json";
+            const res = await cdxgenAgent.get(searchurl, {
+              responseType: "json"
+            });
+            const data = res && res.body ? res.body["response"] : undefined;
+            if (data && data["numFound"] == 1) {
+              const jarInfo = data["docs"][0];
+              group = jarInfo["g"];
+              name = jarInfo["a"];
+              version = jarInfo["v"];
+              technique = "hash-comparison";
+            }
+          } catch (err) {
+            if (err && err.message && !err.message.includes("404")) {
+              console.log(err);
+              search_maven_org_errors++;
+            }
+          }
+        }
         if ((!group || !name || !version) && existsSync(manifestFile)) {
           confidence = 0.8;
           const jarMetadata = parseJarManifest(