@trustify-da/trustify-da-javascript-client 0.2.4-ea.13

package/dist/src/providers/base_java.js

@@ -0,0 +1,191 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { PackageURL } from 'packageurl-js';
+import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
+/** @typedef {{name: string, version: string}} Package */
+/** @typedef {{groupId: string, artifactId: string, version: string, scope: string, ignore: boolean}} Dependency */
+/**
+ * @type {string} ecosystem for java maven packages.
+ * @private
+ */
+export const ecosystem_maven = 'maven';
+export const ecosystem_gradle = 'gradle';
+export default class Base_Java {
+    DEP_REGEX = /(([-a-zA-Z0-9._]{2,})|[0-9])/g;
+    CONFLICT_REGEX = /.*omitted for conflict with (\S+)\)/;
+    globalBinary;
+    localWrapper;
+    /**
+     *
+     * @param {string} globalBinary name of the global binary
+     * @param {string} localWrapper name of the local wrapper filename
+     */
+    constructor(globalBinary, localWrapper) {
+        this.globalBinary = globalBinary;
+        this.localWrapper = localWrapper;
+    }
+    /**
+     * Recursively populates the SBOM instance with the parsed graph
+     * @param {string} src - Source dependency to start the calculations from
+     * @param {number} srcDepth - Current depth in the graph for the given source
+     * @param {Array} lines - Array containing the text files being parsed
+     * @param {Sbom} sbom - The SBOM where the dependencies are being added
+     */
+    parseDependencyTree(src, srcDepth, lines, sbom) {
+        if (lines.length === 0) {
+            return;
+        }
+        if ((lines.length === 1 && lines[0].trim() === "")) {
+            return;
+        }
+        let index = 0;
+        let target = lines[index];
+        let targetDepth = this.#getDepth(target);
+        while (targetDepth > srcDepth && index < lines.length) {
+            if (targetDepth === srcDepth + 1) {
+                let from = this.parseDep(src);
+                let to = this.parseDep(target);
+                let matchedScope = target.match(/:compile|:provided|:runtime|:test|:system|:import/g);
+                let matchedScopeSrc = src.match(/:compile|:provided|:runtime|:test|:system|:import/g);
+                // only add dependency to sbom if it's not with test scope or if it's root
+                if ((matchedScope && matchedScope[0] !== ":test" && (matchedScopeSrc && matchedScopeSrc[0] !== ":test")) || (srcDepth === 0 && matchedScope && matchedScope[0] !== ":test")) {
+                    sbom.addDependency(from, to);
+                }
+            }
+            else {
+                this.parseDependencyTree(lines[index - 1], this.#getDepth(lines[index - 1]), lines.slice(index), sbom);
+            }
+            target = lines[++index];
+            targetDepth = this.#getDepth(target);
+        }
+    }
+    /**
+     * Calculates how deep in the graph is the given line
+     * @param {string} line - line to calculate the depth from
+     * @returns {number} The calculated depth
+     * @private
+     */
+    #getDepth(line) {
+        if (line === undefined) {
+            return -1;
+        }
+        return ((line.indexOf('-') - 1) / 3) + 1;
+    }
+    /**
+     * Create a PackageURL from any line in a Text Graph dependency tree for a manifest path.
+     * @param {string} line - line to parse from a dependencies.txt file
+     * @returns {PackageURL} The parsed packageURL
+     */
+    parseDep(line) {
+        let match = line.match(this.DEP_REGEX);
+        if (!match) {
+            throw new Error(`Unable generate SBOM from dependency tree. Line: ${line} cannot be parsed into a PackageURL`);
+        }
+        let version;
+        if (match.length >= 5 && ['compile', 'provided', 'runtime'].includes(match[5])) {
+            version = `${match[4]}-${match[3]}`;
+        }
+        else {
+            version = match[3];
+        }
+        let override = line.match(this.CONFLICT_REGEX);
+        if (override) {
+            version = override[1];
+        }
+        return this.toPurl(match[0], match[1], version);
+    }
+    /**
+     * Returns a PackageUrl For Java maven dependencies
+     * @param group
+     * @param artifact
+     * @param version
+     * @return {PackageURL}
+     */
+    toPurl(group, artifact, version) {
+        if (typeof version === "number") {
+            version = version.toString();
+        }
+        return new PackageURL('maven', group, artifact, version, undefined, undefined);
+    }
+    /** This method invokes command string in a process in a synchronous way.
+     * Exists for stubbing in tests.
+     * @param bin - the command to be invoked
+     * @param args - the args to pass to the binary
+     * @param {import('child_process').ExecFileOptionsWithStringEncoding} [opts={}]
+     * @protected
+     */
+    _invokeCommand(bin, args, opts = {}) { return invokeCommand(bin, args, opts); }
+    /**
+     *
+     * @param {string} manifestPath
+     * @param {{}} opts
+     * @returns string
+     */
+    selectToolBinary(manifestPath, opts) {
+        const manifestDir = path.dirname(manifestPath);
+        const toolPath = getCustomPath(this.globalBinary, opts);
+        const useWrapper = getWrapperPreference(this.globalBinary, opts);
+        if (useWrapper) {
+            const wrapper = this.traverseForWrapper(manifestPath);
+            if (wrapper !== undefined) {
+                try {
+                    this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
+                }
+                catch (error) {
+                    throw new Error(`failed to check for ${this.localWrapper}`, { cause: error });
+                }
+                return wrapper;
+            }
+        }
+        // verify tool is accessible, if wrapper was not requested or not found
+        try {
+            this._invokeCommand(toolPath, ['--version'], { cwd: manifestDir });
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                throw new Error((useWrapper ? `${this.localWrapper} not found and ` : '') + `${this.globalBinary === 'mvn' ? 'maven' : 'gradle'} not found at ${toolPath}`);
+            }
+            else {
+                throw new Error(`failed to check for ${this.globalBinary === 'mvn' ? 'maven' : 'gradle'}`, { cause: error });
+            }
+        }
+        return toolPath;
+    }
+    /**
+     *
+     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
+     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
+     * to the root of the drive the manifest is on (assumes absolute path is given)
+     * @returns {string|undefined}
+     */
+    traverseForWrapper(startingManifest, repoRoot = undefined) {
+        const normalizedManifest = this.normalizePath(startingManifest);
+        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
+        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
+        const wrapperPath = path.join(currentDir, this.localWrapper);
+        try {
+            fs.accessSync(wrapperPath, fs.constants.X_OK);
+            return wrapperPath;
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                const rootDir = path.parse(currentDir).root;
+                if (currentDir === repoRoot || currentDir === rootDir) {
+                    return undefined;
+                }
+                const parentDir = path.dirname(currentDir);
+                if (parentDir === currentDir || parentDir === rootDir) {
+                    return undefined;
+                }
+                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
+            }
+            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
+        }
+    }
+    normalizePath(thePath) {
+        const normalized = path.resolve(thePath).normalize();
+        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+    }
+}

package/dist/src/providers/base_javascript.d.ts

@@ -0,0 +1,127 @@
+/** @typedef {import('../provider.js').Provider} Provider */
+/** @typedef {import('../provider.js').Provided} Provided */
+/**
+ * The ecosystem identifier for JavaScript/npm packages
+ * @type {string}
+ */
+export const purlType: string;
+/**
+ * Base class for JavaScript package manager providers.
+ * This class provides common functionality for different JavaScript package managers
+ * (npm, pnpm, yarn) to generate SBOMs and handle package dependencies.
+ * @abstract
+ */
+export default class Base_javascript {
+    /**
+   * Sets up the provider with the manifest path and options
+   * @param {string} manifestPath - Path to the package.json manifest file
+   * @param {Object} opts - Configuration options for the provider
+   * @protected
+   */
+    protected _setUp(manifestPath: string, opts: any): void;
+    /**
+     * Gets the current manifest object
+     * @returns {Manifest} The manifest object
+     * @protected
+     */
+    protected _getManifest(): Manifest;
+    /**
+    * Sets the ecosystem value
+    * @param {string} ecosystem - The ecosystem identifier
+    * @protected
+    */
+    protected _setEcosystem(ecosystem: string): void;
+    /**
+   * Returns the name of the lock file for the specific implementation
+   * @returns {string} The lock file name
+   * @abstract
+   * @protected
+   */
+    protected _lockFileName(): string;
+    /**
+   * Returns the command name to use for the specific JS package manager
+   * @returns {string} The command name
+   * @abstract
+   * @protected
+   */
+    protected _cmdName(): string;
+    /**
+   * Returns the command arguments for listing dependencies
+   * @returns {Array<string>} The command arguments
+   * @abstract
+   * @protected
+   */
+    protected _listCmdArgs(): Array<string>;
+    /**
+   * Returns the command arguments for updating the lock file
+   * @returns {Array<string>} The command arguments
+   * @abstract
+   * @protected
+   */
+    protected _updateLockFileCmdArgs(): Array<string>;
+    /**
+   * Checks if the provider supports the given manifest name
+   * @param {string} manifestName - The manifest name to check
+   * @returns {boolean} True if the manifest is supported
+   */
+    isSupported(manifestName: string): boolean;
+    /**
+   * Checks if a required lock file exists in the same path as the manifest
+   * @param {string} manifestDir - The base directory where the manifest is located
+   * @returns {boolean} True if the lock file exists
+   */
+    validateLockFile(manifestDir: string): boolean;
+    /**
+   * Provides content and content type for stack analysis
+   * @param {string} manifestPath - The manifest path or name
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {Provided} The provided data for stack analysis
+   */
+    provideStack(manifestPath: string, opts?: any): Provided;
+    /**
+   * Provides content and content type for component analysis
+   * @param {string} manifestPath - Path to package.json for component report
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {Provided} The provided data for component analysis
+   */
+    provideComponent(manifestPath: string, opts?: any): Provided;
+    /**
+   * Builds the dependency tree for the project
+   * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @returns {Object} The dependency tree
+   * @protected
+   */
+    protected _buildDependencyTree(includeTransitive: boolean): any;
+    /**
+   * Recursively builds the Sbom from the JSON that npm listing returns
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {Object} depTree - The current dependency tree
+   * @protected
+   */
+    protected _addDependenciesToSbom(sbom: Sbom, depTree: any): void;
+    /**
+   * Extracts root dependencies from the dependency tree
+   * @param {Object} depTree - The dependency tree object
+   * @returns {Map<string, PackageURL>} Map of dependency names to their PackageURL objects
+   * @protected
+   */
+    protected _getRootDependencies(depTree: any): Map<string, PackageURL>;
+    /**
+   * Gets the version of the package manager
+   * @returns {string} The version string of the package manager
+   * @protected
+   */
+    protected _version(): string;
+    /**
+   * Parses the dependency tree output
+   * @param {string} output - The output to parse
+   * @returns {string} The parsed output
+   * @protected
+   */
+    protected _parseDepTreeOutput(output: string): string;
+    #private;
+}
+export type Provider = import('../provider.js').Provider;
+export type Provided = import('../provider.js').Provided;
+import Manifest from './manifest.js';
+import Sbom from '../sbom.js';

package/dist/src/providers/base_javascript.js

@@ -0,0 +1,350 @@
+import fs from 'node:fs';
+import os from "node:os";
+import path from 'node:path';
+import Sbom from '../sbom.js';
+import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
+import Manifest from './manifest.js';
+/** @typedef {import('../provider.js').Provider} Provider */
+/** @typedef {import('../provider.js').Provided} Provided */
+/**
+ * The ecosystem identifier for JavaScript/npm packages
+ * @type {string}
+ */
+export const purlType = 'npm';
+/**
+ * Base class for JavaScript package manager providers.
+ * This class provides common functionality for different JavaScript package managers
+ * (npm, pnpm, yarn) to generate SBOMs and handle package dependencies.
+ * @abstract
+ */
+export default class Base_javascript {
+    /** @type {Manifest} */
+    #manifest;
+    /** @type {string} */
+    #cmd;
+    /** @type {string} */
+    #ecosystem;
+    /**
+   * Sets up the provider with the manifest path and options
+   * @param {string} manifestPath - Path to the package.json manifest file
+   * @param {Object} opts - Configuration options for the provider
+   * @protected
+   */
+    _setUp(manifestPath, opts) {
+        this.#cmd = getCustomPath(this._cmdName(), opts);
+        this.#manifest = new Manifest(manifestPath);
+        this.#ecosystem = purlType;
+    }
+    /**
+     * Gets the current manifest object
+     * @returns {Manifest} The manifest object
+     * @protected
+     */
+    _getManifest() {
+        return this.#manifest;
+    }
+    /**
+    * Sets the ecosystem value
+    * @param {string} ecosystem - The ecosystem identifier
+    * @protected
+    */
+    _setEcosystem(ecosystem) {
+        this.#ecosystem = ecosystem;
+    }
+    /**
+   * Returns the name of the lock file for the specific implementation
+   * @returns {string} The lock file name
+   * @abstract
+   * @protected
+   */
+    _lockFileName() {
+        throw new TypeError("_lockFileName must be implemented");
+    }
+    /**
+   * Returns the command name to use for the specific JS package manager
+   * @returns {string} The command name
+   * @abstract
+   * @protected
+   */
+    _cmdName() {
+        throw new TypeError("_cmdName must be implemented");
+    }
+    /**
+   * Returns the command arguments for listing dependencies
+   * @returns {Array<string>} The command arguments
+   * @abstract
+   * @protected
+   */
+    _listCmdArgs() {
+        throw new TypeError("_listCmdArgs must be implemented");
+    }
+    /**
+   * Returns the command arguments for updating the lock file
+   * @returns {Array<string>} The command arguments
+   * @abstract
+   * @protected
+   */
+    _updateLockFileCmdArgs() {
+        throw new TypeError("_updateLockFileCmdArgs must be implemented");
+    }
+    /**
+   * Checks if the provider supports the given manifest name
+   * @param {string} manifestName - The manifest name to check
+   * @returns {boolean} True if the manifest is supported
+   */
+    isSupported(manifestName) {
+        return 'package.json' === manifestName;
+    }
+    /**
+   * Checks if a required lock file exists in the same path as the manifest
+   * @param {string} manifestDir - The base directory where the manifest is located
+   * @returns {boolean} True if the lock file exists
+   */
+    validateLockFile(manifestDir) {
+        const lock = path.join(manifestDir, this._lockFileName());
+        return fs.existsSync(lock);
+    }
+    /**
+   * Provides content and content type for stack analysis
+   * @param {string} manifestPath - The manifest path or name
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {Provided} The provided data for stack analysis
+   */
+    provideStack(manifestPath, opts = {}) {
+        this._setUp(manifestPath, opts);
+        return {
+            ecosystem: this.#ecosystem,
+            content: this.#getSBOM(opts),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+   * Provides content and content type for component analysis
+   * @param {string} manifestPath - Path to package.json for component report
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {Provided} The provided data for component analysis
+   */
+    provideComponent(manifestPath, opts = {}) {
+        this._setUp(manifestPath, opts);
+        return {
+            ecosystem: this.#ecosystem,
+            content: this.#getDirectDependencySbom(opts),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+   * Builds the dependency tree for the project
+   * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @returns {Object} The dependency tree
+   * @protected
+   */
+    _buildDependencyTree(includeTransitive) {
+        this._version();
+        let manifestDir = path.dirname(this.#manifest.manifestPath);
+        this.#createLockFile(manifestDir);
+        let output = this.#executeListCmd(includeTransitive, manifestDir);
+        output = this._parseDepTreeOutput(output);
+        return JSON.parse(output);
+    }
+    /**
+   * Creates SBOM json string for npm Package
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {string} The SBOM json content
+   * @private
+   */
+    #getSBOM(opts = {}) {
+        const depsObject = this._buildDependencyTree(true);
+        let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        let sbom = new Sbom();
+        sbom.addRoot(mainComponent);
+        this._addDependenciesToSbom(sbom, depsObject);
+        sbom.filterIgnoredDeps(this.#manifest.ignored);
+        return sbom.getAsJsonString(opts);
+    }
+    /**
+   * Recursively builds the Sbom from the JSON that npm listing returns
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {Object} depTree - The current dependency tree
+   * @protected
+   */
+    _addDependenciesToSbom(sbom, depTree) {
+        const dependencies = depTree["dependencies"] || {};
+        Object.entries(dependencies)
+            .forEach(entry => {
+            const [name, artifact] = entry;
+            const target = toPurl(purlType, name, artifact.version);
+            const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+            sbom.addDependency(rootPurl, target);
+            this.#addDependenciesOf(sbom, target, artifact);
+        });
+    }
+    /**
+   * Adds dependencies of a specific package to the SBOM
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {PackageURL} from - The package URL to add dependencies for
+   * @param {Object} artifact - The artifact containing dependencies
+   * @private
+   */
+    #addDependenciesOf(sbom, from, artifact) {
+        const deps = artifact.dependencies || {};
+        Object.entries(deps)
+            .forEach(entry => {
+            const [name, depArtifact] = entry;
+            if (depArtifact.version !== undefined) {
+                const target = toPurl(purlType, name, depArtifact.version);
+                sbom.addDependency(from, target);
+                this.#addDependenciesOf(sbom, target, depArtifact);
+            }
+        });
+    }
+    /**
+   * Creates a SBOM containing only direct dependencies
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {string} The SBOM as a JSON string
+   * @private
+   */
+    #getDirectDependencySbom(opts = {}) {
+        const depTree = this._buildDependencyTree(false);
+        let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        let sbom = new Sbom();
+        sbom.addRoot(mainComponent);
+        const rootDeps = this._getRootDependencies(depTree);
+        const sortedDepsKeys = Array
+            .from(rootDeps.keys())
+            .filter(key => this.#manifest.dependencies.includes(key))
+            .sort();
+        for (const key of sortedDepsKeys) {
+            const rootPurl = toPurlFromString(sbom.getRoot().purl);
+            sbom.addDependency(rootPurl, rootDeps.get(key));
+        }
+        sbom.filterIgnoredDeps(this.#manifest.ignored);
+        return sbom.getAsJsonString(opts);
+    }
+    /**
+   * Extracts root dependencies from the dependency tree
+   * @param {Object} depTree - The dependency tree object
+   * @returns {Map<string, PackageURL>} Map of dependency names to their PackageURL objects
+   * @protected
+   */
+    _getRootDependencies(depTree) {
+        if (!depTree.dependencies) {
+            return new Map();
+        }
+        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+    }
+    /**
+   * Executes the list command to get dependencies
+   * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {string} manifestDir - The manifest directory
+   * @returns {string} The command output
+   * @private
+   */
+    #executeListCmd(includeTransitive, manifestDir) {
+        const listArgs = this._listCmdArgs(includeTransitive, manifestDir);
+        return this.#invokeCommand(listArgs);
+    }
+    /**
+   * Gets the version of the package manager
+   * @returns {string} The version string of the package manager
+   * @protected
+   */
+    _version() {
+        return this.#invokeCommand(['--version']);
+    }
+    /**
+   * Creates or updates the lock file for the package manager
+   * @param {string} manifestDir - Directory containing the manifest file
+   * @private
+   */
+    #createLockFile(manifestDir) {
+        const originalDir = process.cwd();
+        const isWindows = os.platform() === 'win32';
+        if (isWindows) {
+            // On Windows, --prefix flag doesn't work as expected
+            // Instead of installing from the prefix folder, it installs from current working directory
+            process.chdir(manifestDir);
+        }
+        try {
+            const args = this._updateLockFileCmdArgs(manifestDir);
+            this.#invokeCommand(args);
+        }
+        finally {
+            if (isWindows) {
+                process.chdir(originalDir);
+            }
+        }
+    }
+    /**
+   * Invokes a command with the given arguments
+   * @param {string[]} args - Command arguments
+   * @param {Object} [opts={}] - Optional configuration options
+   * @returns {string} Command output
+   * @throws {Error} If command execution fails or command is not found
+   * @private
+   */
+    #invokeCommand(args, opts = {}) {
+        try {
+            if (!opts.cwd) {
+                opts.cwd = path.dirname(this.#manifest.manifestPath);
+            }
+            // Add version manager paths for JavaScript package managers
+            if (process.platform !== 'win32') {
+                const versionManagerPaths = [];
+                // Add fnm path if available
+                const fnmDir = getCustom('FNM_DIR', null, opts);
+                if (fnmDir) {
+                    versionManagerPaths.push(`${fnmDir}/current/bin`);
+                }
+                // Add nvm path if available
+                const nvmDir = getCustom('NVM_DIR', null, opts);
+                if (nvmDir) {
+                    versionManagerPaths.push(`${nvmDir}/current/bin`);
+                }
+                // Add local node_modules/.bin path
+                const localBinPath = path.join(opts.cwd, 'node_modules', '.bin');
+                if (fs.existsSync(localBinPath)) {
+                    versionManagerPaths.push(localBinPath);
+                }
+                if (versionManagerPaths.length > 0) {
+                    opts = {
+                        ...opts,
+                        env: {
+                            ...opts.env,
+                            PATH: `${versionManagerPaths.join(path.delimiter)}${path.delimiter}${process.env.PATH}`
+                        }
+                    };
+                }
+            }
+            // Try to find the command in the following order:
+            // 1. Custom path from environment/opts (via getCustomPath)
+            // 2. Local node_modules/.bin
+            // 3. Global installation
+            let cmd = this.#cmd;
+            if (!fs.existsSync(cmd)) {
+                const localCmd = path.join(opts.cwd, 'node_modules', '.bin', this._cmdName());
+                if (fs.existsSync(localCmd)) {
+                    cmd = localCmd;
+                }
+            }
+            return invokeCommand(cmd, args, opts);
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                throw new Error(`${this.#cmd} is not accessible. Please ensure it is installed via npm, corepack, or your version manager.`);
+            }
+            if (error.code === 'EACCES') {
+                throw new Error(`Permission denied when executing ${this.#cmd}. Please check file permissions.`);
+            }
+            throw new Error(`Failed to execute ${this.#cmd} ${args.join(' ')}`, { cause: error });
+        }
+    }
+    /**
+   * Parses the dependency tree output
+   * @param {string} output - The output to parse
+   * @returns {string} The parsed output
+   * @protected
+   */
+    _parseDepTreeOutput(output) {
+        return output;
+    }
+}