@cyclonedx/cdxgen 9.9.9 → 9.10.0

package/README.md

@@ -229,14 +229,14 @@ To generate SBOM for an older specification version, such as 1.4, pass the versi
 cdxgen -r -o bom.json --spec-version 1.4
 ```
 
-To generate SBOM for C or Python, ensure Java >= 17 is installed.
+To generate SBOM for C or Python, ensure Java >= 21 is installed.
 
 ```shell
-# Install java >= 17
+# Install java >= 21
 cdxgen -t c -o bom.json
 ```
 
-NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 17 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
+NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 21 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.
 
 ## Universal SBOM
 

package/evinser.js

@@ -478,13 +478,15 @@ export const parseSliceUsages = async (
   purlLocationMap,
   purlImportsMap
 ) => {
-  const usages = slice.usages;
-  if (!usages || !usages.length) {
-    return undefined;
-  }
   const fileName = slice.fileName;
   const typesToLookup = new Set();
   const lKeyOverrides = {};
+  const usages = slice.usages || [];
+  // Annotations from usages
+  if (slice.signature && slice.signature.startsWith("@") && !usages.length) {
+    typesToLookup.add(slice.fullName);
+    addToOverrides(lKeyOverrides, slice.fullName, fileName, slice.lineNumber);
+  }
   for (const ausage of usages) {
     const ausageLine =
       ausage?.targetObj?.lineNumber || ausage?.definedBy?.lineNumber;
@@ -527,7 +529,17 @@ export const parseSliceUsages = async (
       .concat(ausage?.invokedCalls || [])
       .concat(ausage?.argToCalls || [])
       .concat(ausage?.procedures || [])) {
-      if (acall.isExternal == false) {
+      if (acall.resolvedMethod && acall.resolvedMethod.startsWith("@")) {
+        typesToLookup.add(acall.callName);
+        if (acall.lineNumber) {
+          addToOverrides(
+            lKeyOverrides,
+            acall.callName,
+            fileName,
+            acall.lineNumber
+          );
+        }
+      } else if (acall.isExternal == false) {
         continue;
       }
       if (

package/index.js

@@ -108,7 +108,8 @@ import {
   parseContainerFile,
   parseBitbucketPipelinesFile,
   getPyMetadata,
-  addEvidenceForDotnet
+  addEvidenceForDotnet,
+  getSwiftPackageMetadata
 } from "./utils.js";
 import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
@@ -1266,7 +1267,7 @@ export const createJavaBom = async (path, options) => {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 20 with maven 3.9 which might be incompatible."
+                "1. Java version requirement: cdxgen container image bundles Java 21 with maven 3.9 which might be incompatible."
               );
             }
             console.log(
@@ -3169,7 +3170,7 @@ export const createCppBom = (path, options) => {
       }
     }
   }
-  // The need for java >= 17 with atom is causing confusions since there could be C projects
+  // The need for java >= 21 with atom is causing confusions since there could be C projects
   // inside of other project types. So we currently limit this analyis only when -t argument
   // is used.
   if (
@@ -3628,7 +3629,7 @@ export const createHelmBom = (path, options) => {
  * @param path to the project
  * @param options Parse options from the cli
  */
-export const createSwiftBom = (path, options) => {
+export const createSwiftBom = async (path, options) => {
   const swiftFiles = getAllFiles(
     path,
     (options.multiProject ? "**/" : "") + "Package*.swift",
@@ -3704,6 +3705,9 @@ export const createSwiftBom = (path, options) => {
       }
     }
   }
+  if (FETCH_LICENSE) {
+    pkgList = await getSwiftPackageMetadata(pkgList);
+  }
   return buildBomNSData(options, pkgList, "swift", {
     src: path,
     filename: swiftFiles.join(", "),
@@ -4899,7 +4903,7 @@ export const createMultiXBom = async (pathList, options) => {
         )
       );
     }
-    bomData = createSwiftBom(path, options);
+    bomData = await createSwiftBom(path, options);
     if (
       bomData &&
       bomData.bomJson &&
@@ -5329,7 +5333,7 @@ export const createXBom = async (path, options) => {
     options
   );
   if (swiftFiles.length || pkgResolvedFiles.length) {
-    return createSwiftBom(path, options);
+    return await createSwiftBom(path, options);
   }
 };
 
@@ -5585,7 +5589,7 @@ export const createBom = async (path, options) => {
     case "cloudbuild":
       return createCloudBuildBom(path, options);
     case "swift":
-      return createSwiftBom(path, options);
+      return await createSwiftBom(path, options);
     default:
       // In recurse mode return multi-language Bom
       // https://github.com/cyclonedx/cdxgen/issues/95

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.9.9",
+  "version": "9.10.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -83,7 +83,7 @@
     "yargs": "^17.7.2"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "1.7.2",
+    "@appthreat/atom": "1.7.5",
     "@cyclonedx/cdxgen-plugins-bin": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "^1.5.4",
     "@cyclonedx/cdxgen-plugins-bin-arm64": "^1.5.4",
@@ -103,7 +103,7 @@
   "devDependencies": {
     "caxa": "^3.0.1",
     "docsify-cli": "^4.4.4",
-    "eslint": "^8.55.0",
+    "eslint": "^8.56.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^5.0.1",
     "jest": "^29.7.0",

package/utils.js

@@ -404,6 +404,34 @@ export function readLicenseText(
   return null;
 }
 
+export const getSwiftPackageMetadata = async (pkgList) => {
+  const cdepList = [];
+  for (const p of pkgList) {
+    if (p.repository && p.repository.url) {
+      if (p.repository.url.includes("://github.com/")) {
+        try {
+          p.license = await getRepoLicense(p.repository.url, undefined);
+        } catch (e) {
+          console.error("error fetching repo license from", p.repository.url);
+        }
+      } else {
+        if (DEBUG_MODE) {
+          console.log(
+            p.repository.url,
+            "is currently not supported to fetch for licenses"
+          );
+        }
+      }
+    } else {
+      if (DEBUG_MODE) {
+        console.warn("no repository url found for", p.name);
+      }
+    }
+    cdepList.push(p);
+  }
+  return cdepList;
+};
+
 /**
  * Method to retrieve metadata for npm packages by querying npmjs
  *
@@ -2107,7 +2135,7 @@ export const executeGradleProperties = function (dir, rootPath, subProject) {
       } else {
         console.error(result.stdout, result.stderr);
         console.log(
-          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 20 with gradle 8 which might be incompatible."
+          "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 21 with gradle 8 which might be incompatible."
         );
       }
       if (result.stderr.includes("not get unknown property")) {
@@ -3333,21 +3361,30 @@ export const repoMetadataToGitHubApiUrl = function (repoMetadata) {
 };
 
 /**
- * Method to construct GitHub api url from repo metadata or one of multiple formats of repo URLs
+ * Method to split GitHub url into its parts
  * @param {String} repoUrl Repository url
- * @param {Object} repoMetadata Object containing group and package name strings
- * @return {String|undefined} github api url (or undefined - if not a GitHub repo)
+ * @return {[String]} parts from url
  */
-export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
-  if (!repoUrl || !repoUrl.includes("://github.com/")) {
-    return repoMetadataToGitHubApiUrl(repoMetadata);
-  }
+export const getGithubUrlParts = (repoUrl) => {
   if (repoUrl.toLowerCase().endsWith(".git")) {
     repoUrl = repoUrl.slice(0, -4);
   }
   repoUrl.replace(/\/$/, "");
   const parts = repoUrl.split("/");
+  return parts;
+};
 
+/**
+ * Method to construct GitHub api url from repo metadata or one of multiple formats of repo URLs
+ * @param {String} repoUrl Repository url
+ * @param {Object} repoMetadata Object containing group and package name strings
+ * @return {String|undefined} github api url (or undefined - if not a GitHub repo)
+ */
+export const toGitHubApiUrl = function (repoUrl, repoMetadata) {
+  if (repoMetadata) {
+    return repoMetadataToGitHubApiUrl(repoMetadata);
+  }
+  const parts = getGithubUrlParts(repoUrl);
   if (parts.length < 5 || parts[2] !== "github.com") {
     return undefined; // Not a valid GitHub repo URL
   } else {
@@ -6122,87 +6159,89 @@ export const convertOSQueryResults = function (
   return pkgList;
 };
 
-export const _swiftDepPkgList = (
+const purlFromUrlString = (type, repoUrl, version) => {
+  let namespace = "",
+    name;
+  if (repoUrl && repoUrl.includes("://github.com/")) {
+    const parts = getGithubUrlParts(repoUrl);
+    if (parts.length < 5 || parts[2] !== "github.com") {
+      return undefined; // Not a valid GitHub repo URL
+    } else {
+      namespace = parts[2] + "/" + parts[3];
+      name = parts[4];
+    }
+  } else if (repoUrl && repoUrl.startsWith("/")) {
+    const parts = repoUrl.split("/");
+    name = parts[parts.length - 1];
+  } else {
+    if (DEBUG_MODE) {
+      console.warn("unsupported repo url for swift type");
+    }
+    return undefined;
+  }
+
+  const purl = new PackageURL(type, namespace, name, version, null, null);
+  return purl;
+};
+
+/**
+ * Parse swift dependency tree output json object
+ * @param {string} jsonObject Swift dependencies json object
+ * @param {string} pkgFile Package.swift file
+ */
+export const parseSwiftJsonTreeObject = (
   pkgList,
   dependenciesList,
-  depKeys,
-  jsonData
+  jsonObject,
+  pkgFile
 ) => {
-  if (jsonData && jsonData.dependencies) {
-    for (const adep of jsonData.dependencies) {
-      const urlOrPath = adep.url || adep.path;
-      const apkg = {
-        group: adep.identity || "",
-        name: adep.name,
-        version: adep.version
-      };
-      const purl = new PackageURL(
-        "swift",
-        apkg.group,
-        apkg.name,
-        apkg.version,
-        null,
-        null
-      );
-      const purlString = decodeURIComponent(purl.toString());
-      if (urlOrPath) {
-        if (urlOrPath.startsWith("http")) {
-          apkg.repository = { url: urlOrPath };
-          if (apkg.path) {
-            apkg.properties = [
-              {
-                name: "SrcPath",
-                value: apkg.path
-              }
-            ];
-          }
-        } else {
-          apkg.properties = [
-            {
-              name: "SrcPath",
-              value: urlOrPath
-            }
-          ];
-        }
-      }
-      pkgList.push(apkg);
-      // Handle the immediate dependencies before recursing
-      if (adep.dependencies && adep.dependencies.length) {
-        const deplist = [];
-        for (const cdep of adep.dependencies) {
-          const deppurl = new PackageURL(
-            "swift",
-            cdep.identity || "",
-            cdep.name,
-            cdep.version,
-            null,
-            null
-          );
-          const deppurlString = decodeURIComponent(deppurl.toString());
-          deplist.push(deppurlString);
-        }
-        if (!depKeys[purlString]) {
-          dependenciesList.push({
-            ref: purlString,
-            dependsOn: deplist
-          });
-          depKeys[purlString] = true;
-        }
-        if (adep.dependencies && adep.dependencies.length) {
-          _swiftDepPkgList(pkgList, dependenciesList, depKeys, adep);
-        }
-      } else {
-        if (!depKeys[purlString]) {
-          dependenciesList.push({
-            ref: purlString,
-            dependsOn: []
-          });
-          depKeys[purlString] = true;
-        }
+  const urlOrPath = jsonObject.url || jsonObject.path;
+  const version = jsonObject.version;
+  const purl = purlFromUrlString("swift", urlOrPath, version);
+  const purlString = decodeURIComponent(purl.toString());
+  const rootPkg = {
+    name: purl.name,
+    group: purl.namespace,
+    version: purl.version,
+    purl: purlString,
+    "bom-ref": purlString
+  };
+  if (urlOrPath) {
+    if (urlOrPath.startsWith("http")) {
+      rootPkg.repository = { url: urlOrPath };
+    } else {
+      const properties = [];
+      properties.push({
+        name: "SrcPath",
+        value: urlOrPath
+      });
+      if (pkgFile) {
+        properties.push({
+          name: "SrcFile",
+          value: pkgFile
+        });
       }
+      rootPkg.properties = properties;
     }
   }
-  return { pkgList, dependenciesList };
+  pkgList.push(rootPkg);
+  const depList = [];
+  if (jsonObject.dependencies) {
+    for (const dependency of jsonObject.dependencies) {
+      const res = parseSwiftJsonTreeObject(
+        pkgList,
+        dependenciesList,
+        dependency,
+        pkgFile
+      );
+      depList.push(res);
+    }
+  }
+  dependenciesList.push({
+    ref: purlString,
+    dependsOn: depList
+  });
+  return purlString;
 };
 
 /**
@@ -6216,64 +6255,9 @@ export const parseSwiftJsonTree = (rawOutput, pkgFile) => {
   }
   const pkgList = [];
   const dependenciesList = [];
-  const depKeys = {};
-  let rootPkg = {};
-  let jsonData = {};
   try {
-    jsonData = JSON.parse(rawOutput);
-    if (jsonData && jsonData.name) {
-      rootPkg = {
-        group: jsonData.identity || "",
-        name: jsonData.name,
-        version: jsonData.version
-      };
-      const urlOrPath = jsonData.url || jsonData.path;
-      if (urlOrPath) {
-        if (urlOrPath.startsWith("http")) {
-          rootPkg.repository = { url: urlOrPath };
-        } else {
-          rootPkg.properties = [
-            {
-              name: "SrcPath",
-              value: urlOrPath
-            },
-            {
-              name: "SrcFile",
-              value: pkgFile
-            }
-          ];
-        }
-      }
-      const purl = new PackageURL(
-        "swift",
-        rootPkg.group,
-        rootPkg.name,
-        rootPkg.version,
-        null,
-        null
-      );
-      const bomRefString = decodeURIComponent(purl.toString());
-      rootPkg["bom-ref"] = bomRefString;
-      pkgList.push(rootPkg);
-      const deplist = [];
-      for (const rd of jsonData.dependencies) {
-        const deppurl = new PackageURL(
-          "swift",
-          rd.identity || "",
-          rd.name,
-          rd.version,
-          null,
-          null
-        );
-        const deppurlString = decodeURIComponent(deppurl.toString());
-        deplist.push(deppurlString);
-      }
-      dependenciesList.push({
-        ref: bomRefString,
-        dependsOn: deplist
-      });
-      _swiftDepPkgList(pkgList, dependenciesList, depKeys, jsonData);
-    }
+    const jsonData = JSON.parse(rawOutput);
+    parseSwiftJsonTreeObject(pkgList, dependenciesList, jsonData, pkgFile);
   } catch (e) {
     if (DEBUG_MODE) {
       console.log(e);
@@ -6304,10 +6288,16 @@ export const parseSwiftResolved = (resolvedFile) => {
         resolvedList = pkgData.object.pins;
       }
       for (const adep of resolvedList) {
-        const apkg = {
-          name: adep.package || adep.identity,
-          group: "",
-          version: adep.state.version || adep.state.revision,
+        const locationOrUrl = adep.location || adep.repositoryURL;
+        const version = adep.state.version || adep.state.revision;
+        const purl = purlFromUrlString("swift", locationOrUrl, version);
+        const purlString = decodeURIComponent(purl.toString());
+        const rootPkg = {
+          name: purl.name,
+          group: purl.namespace,
+          version: purl.version,
+          purl: purlString,
+          "bom-ref": purlString,
           properties: [
             {
               name: "SrcFile",
@@ -6328,11 +6318,10 @@ export const parseSwiftResolved = (resolvedFile) => {
             }
           }
         };
-        const repLocation = adep.location || adep.repositoryURL;
-        if (repLocation) {
-          apkg.repository = { url: repLocation };
+        if (locationOrUrl) {
+          rootPkg.repository = { url: locationOrUrl };
         }
-        pkgList.push(apkg);
+        pkgList.push(rootPkg);
       }
     } catch (err) {
       // continue regardless of error
@@ -6595,7 +6584,7 @@ export const collectJarNS = function (jarPath, pomPathMap = {}) {
         ) {
           jarCommandAvailable = false;
           console.log(
-            "jar command is not available in PATH. Ensure JDK >= 17 is installed and set the environment variables JAVA_HOME and PATH to the bin directory inside JAVA_HOME."
+            "jar command is not available in PATH. Ensure JDK >= 21 is installed and set the environment variables JAVA_HOME and PATH to the bin directory inside JAVA_HOME."
           );
         }
         const consolelines = (jarResult.stdout || "").split("\n");

package/utils.test.js

@@ -2919,28 +2919,29 @@ test("parse swift deps files", () => {
   );
   expect(retData.pkgList.length).toEqual(5);
   expect(retData.pkgList[0]).toEqual({
-    group: "swift-markdown",
     name: "swift-markdown",
+    group: "",
+    purl: "pkg:swift/swift-markdown@unspecified",
     version: "unspecified",
     properties: [
       { name: "SrcPath", value: "/Volumes/Work/sandbox/swift-markdown" },
       { name: "SrcFile", value: "./test/data/swift-deps.json" }
     ],
-    "bom-ref": "pkg:swift/swift-markdown/swift-markdown@unspecified"
+    "bom-ref": "pkg:swift/swift-markdown@unspecified"
   });
   expect(retData.dependenciesList.length).toEqual(5);
   expect(retData.dependenciesList[0]).toEqual({
-    ref: "pkg:swift/swift-markdown/swift-markdown@unspecified",
-    dependsOn: [
-      "pkg:swift/swift-cmark/cmark-gfm@unspecified",
-      "pkg:swift/swift-argument-parser/swift-argument-parser@1.0.3",
-      "pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0"
-    ]
+    ref: "pkg:swift/github.com/apple/swift-cmark@unspecified",
+    dependsOn: []
   });
   expect(retData.dependenciesList[retData.dependenciesList.length - 1]).toEqual(
     {
-      ref: "pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0",
-      dependsOn: []
+      ref: "pkg:swift/swift-markdown@unspecified",
+      dependsOn: [
+        "pkg:swift/github.com/apple/swift-cmark@unspecified",
+        "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
+        "pkg:swift/github.com/apple/swift-docc-plugin@1.1.0"
+      ]
     }
   );
   retData = parseSwiftJsonTree(
@@ -2949,8 +2950,9 @@ test("parse swift deps files", () => {
   );
   expect(retData.pkgList.length).toEqual(5);
   expect(retData.pkgList[0]).toEqual({
-    group: "swift-certificates",
     name: "swift-certificates",
+    group: "",
+    purl: "pkg:swift/swift-certificates@unspecified",
     version: "unspecified",
     properties: [
       {
@@ -2959,36 +2961,37 @@ test("parse swift deps files", () => {
       },
       { name: "SrcFile", value: "./test/data/swift-deps.json" }
     ],
-    "bom-ref": "pkg:swift/swift-certificates/swift-certificates@unspecified"
+    "bom-ref": "pkg:swift/swift-certificates@unspecified"
   });
   expect(retData.dependenciesList).toEqual([
     {
-      ref: "pkg:swift/swift-certificates/swift-certificates@unspecified",
-      dependsOn: ["pkg:swift/swift-crypto/swift-crypto@2.4.0"]
+      ref: "pkg:swift/github.com/apple/swift-docc-symbolkit@1.0.0",
+      dependsOn: []
     },
     {
-      ref: "pkg:swift/swift-crypto/swift-crypto@2.4.0",
-      dependsOn: ["pkg:swift/swift-asn1/swift-asn1@0.7.0"]
+      ref: "pkg:swift/github.com/apple/swift-docc-plugin@1.1.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-docc-symbolkit@1.0.0"]
     },
     {
-      ref: "pkg:swift/swift-asn1/swift-asn1@0.7.0",
-      dependsOn: ["pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0"]
+      ref: "pkg:swift/github.com/apple/swift-asn1@0.7.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-docc-plugin@1.1.0"]
     },
     {
-      ref: "pkg:swift/swift-docc-plugin/SwiftDocCPlugin@1.1.0",
-      dependsOn: ["pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0"]
+      ref: "pkg:swift/github.com/apple/swift-crypto@2.4.0",
+      dependsOn: ["pkg:swift/github.com/apple/swift-asn1@0.7.0"]
     },
     {
-      ref: "pkg:swift/swift-docc-symbolkit/SymbolKit@1.0.0",
-      dependsOn: []
+      ref: "pkg:swift/swift-certificates@unspecified",
+      dependsOn: ["pkg:swift/github.com/apple/swift-crypto@2.4.0"]
     }
   ]);
   let pkgList = parseSwiftResolved("./test/data/Package.resolved");
   expect(pkgList.length).toEqual(4);
   expect(pkgList[0]).toEqual({
     name: "swift-argument-parser",
-    group: "",
+    group: "github.com/apple",
     version: "1.0.3",
+    purl: "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
     properties: [{ name: "SrcFile", value: "./test/data/Package.resolved" }],
     evidence: {
       identity: {
@@ -3003,14 +3006,16 @@ test("parse swift deps files", () => {
         ]
       }
     },
+    "bom-ref": "pkg:swift/github.com/apple/swift-argument-parser@1.0.3",
     repository: { url: "https://github.com/apple/swift-argument-parser" }
   });
   pkgList = parseSwiftResolved("./test/data/Package2.resolved");
   expect(pkgList.length).toEqual(4);
   expect(pkgList[0]).toEqual({
     name: "swift-argument-parser",
-    group: "",
+    group: "github.com/apple",
     version: "1.2.2",
+    purl: "pkg:swift/github.com/apple/swift-argument-parser@1.2.2",
     properties: [{ name: "SrcFile", value: "./test/data/Package2.resolved" }],
     evidence: {
       identity: {
@@ -3025,6 +3030,7 @@ test("parse swift deps files", () => {
         ]
       }
     },
+    "bom-ref": "pkg:swift/github.com/apple/swift-argument-parser@1.2.2",
     repository: { url: "https://github.com/apple/swift-argument-parser.git" }
   });
 });