From 2a4241a6808962da9306dcbccb4faa006a263578 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 13 Feb 2025 21:33:02 +0000 Subject: [PATCH 1/6] Fixes #1622 Signed-off-by: Prabhu Subramanian --- lib/cli/index.js | 5 ++++- lib/helpers/validator.js | 23 +++++++++++++++++++++++ types/lib/cli/index.d.ts.map | 2 +- types/lib/helpers/validator.d.ts.map | 2 +- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/lib/cli/index.js b/lib/cli/index.js index af2de430c..d0c1a2491 100644 --- a/lib/cli/index.js +++ b/lib/cli/index.js @@ -6724,7 +6724,10 @@ export async function createMultiXBom(pathList, options) { parentDependencies["dependsOn"] = []; } for (const parentSub of parentSubComponents) { - parentDependencies["dependsOn"].push(parentSub["bom-ref"]); + // Issue: 1622. We might have already captured this parent component dependency + if (!parentDependencies["dependsOn"].includes(parentSub["bom-ref"])) { + parentDependencies["dependsOn"].push(parentSub["bom-ref"]); + } } } // some cleanup, but not complete diff --git a/lib/helpers/validator.js b/lib/helpers/validator.js index b76d85e80..33c15c8c0 100644 --- a/lib/helpers/validator.js +++ b/lib/helpers/validator.js @@ -243,11 +243,34 @@ export const validateRefs = (bomJson) => { if (!refMap[dep.ref]) { warningsList.push(`Invalid ref in dependencies ${dep.ref}`); } + let parentPurlType; + try { + const purlObj = PackageURL.fromString(encodeURIComponent(dep.ref)); + parentPurlType = purlObj.type; + } catch (e) { + // pass + } if (dep.dependsOn) { for (const don of dep.dependsOn) { if (!refMap[don]) { warningsList.push(`Invalid ref in dependencies.dependsOn ${don}`); } + let childPurlType; + try { + const purlObj = PackageURL.fromString(encodeURIComponent(don)); + childPurlType = purlObj.type; + } catch (e) { + // pass + } + if ( + parentPurlType && + childPurlType && + parentPurlType !== childPurlType + ) { + warningsList.push( + `Parent with type '${parentPurlType}' has a dependency on child with a different type '${childPurlType}'. Possible bug in cdxgen.`, + ); + } } } if (dep.provides) { diff --git a/types/lib/cli/index.d.ts.map b/types/lib/cli/index.d.ts.map index ef4a20ec4..6bbf193ff 100644 --- a/types/lib/cli/index.d.ts.map +++ b/types/lib/cli/index.d.ts.map @@ -1 +1 @@ -{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AAsxBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAuXD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BA47BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAusBhB;AAED;;;;;;;;;;GAUG;AACH,+DAsEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA+dhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BA+YhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAkEhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BA6FhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAmUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAiJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqNhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkahB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA+FC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BA2iBlB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBA8OhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"} \ No newline at end of file +{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AAsxBA;;;;;;;;GAQG;AACH,gFAFW,MAAM,SAchB;AAuXD;;;;;;;GAOG;AACH,mCALW,MAAM,qBAiEhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM;;;;EAKhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM;;;;EAkBhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BA47BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAusBhB;AAED;;;;;;;;;;GAUG;AACH,+DAsEC;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BA+dhB;AAED;;;;;GAKG;AACH,kCAHW,MAAM,8BA+YhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqIhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAkEhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBA+KhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBAsHhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,0CAHW,MAAM,qBAuBhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,8BAqDhB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,8BA4ChB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,qBA2BhB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,8BA6FhB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,qBAmUhB;AAED;;;;;GAKG;AACH,mCAHW,MAAM,qBAiJhB;AAED;;;;;GAKG;AACH,oCAHW,MAAM,8BAqNhB;AAED;;;;;GAKG;AACH,sCAHW,MAAM,8BAkahB;AAED;;;;;GAKG;AACH,2CAHW,MAAM;;;;;;;;;;;;;;;;;;;;GAoChB;AAED;;;;;;;;KA+DC;AAED;;;;;;GAMG;AACH,yDA+FC;AAED;;;;;;;;;GASG;AACH,2GA6BC;AAED;;;;;GAKG;AACH,0CAHW,MAAM,EAAE,8BA8iBlB;AAED;;;;;GAKG;AACH,iCAHW,MAAM,8BAiUhB;AAED;;;;;GAKG;AACH,gCAHW,MAAM,qBA8OhB;AAED;;;;;;GAMG;AACH,wDAFY,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,SAAS,CAAC,CAwHxE"} \ No newline at end of file diff --git a/types/lib/helpers/validator.d.ts.map b/types/lib/helpers/validator.d.ts.map index 4108aba99..c844cb970 100644 --- a/types/lib/helpers/validator.d.ts.map +++ b/types/lib/helpers/validator.d.ts.map @@ -1 +1 @@ -{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../../lib/helpers/validator.js"],"names":[],"mappings":"AAgRA;;;;GAIG;AACH,uCAFW,MAAM,WAmEhB;AAnUM,qCAFI,MAAM,WAgDhB;AAOM,0CAFI,MAAM,WAwDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WAgDhB"} \ No newline at end of file +{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../../lib/helpers/validator.js"],"names":[],"mappings":"AAuSA;;;;GAIG;AACH,uCAFW,MAAM,WAmEhB;AA1VM,qCAFI,MAAM,WAgDhB;AAOM,0CAFI,MAAM,WAwDhB;AAOM,uCAFI,MAAM,WAgEhB;AA6BM,sCAFI,MAAM,WAuEhB"} \ No newline at end of file From 7da275b296f8b5c2bf4bfd2eae7a98a1473a6e72 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 13 Feb 2025 21:39:22 +0000 Subject: [PATCH 2/6] Tweaks Signed-off-by: Prabhu Subramanian --- lib/helpers/validator.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/helpers/validator.js b/lib/helpers/validator.js index 33c15c8c0..0378ee3e2 100644 --- a/lib/helpers/validator.js +++ b/lib/helpers/validator.js @@ -245,7 +245,7 @@ export const validateRefs = (bomJson) => { } let parentPurlType; try { - const purlObj = PackageURL.fromString(encodeURIComponent(dep.ref)); + const purlObj = PackageURL.fromString(dep.ref); parentPurlType = purlObj.type; } catch (e) { // pass @@ -257,7 +257,7 @@ export const validateRefs = (bomJson) => { } let childPurlType; try { - const purlObj = PackageURL.fromString(encodeURIComponent(don)); + const purlObj = PackageURL.fromString(don); childPurlType = purlObj.type; } catch (e) { // pass @@ -268,7 +268,7 @@ export const validateRefs = (bomJson) => { parentPurlType !== childPurlType ) { warningsList.push( - `Parent with type '${parentPurlType}' has a dependency on child with a different type '${childPurlType}'. Possible bug in cdxgen.`, + `The parent package '${dep.ref}' (type ${parentPurlType}) depends on the child package '${don}' (type ${childPurlType}). This is a bug in cdxgen if this project is not a monorepo.`, ); } } From 4919bcad236cb4721ece9a20cacaa579e21d8d8e Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 13 Feb 2025 21:41:05 +0000 Subject: [PATCH 3/6] Bump version Signed-off-by: Prabhu Subramanian --- deno.json | 2 +- jsr.json | 2 +- package.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deno.json b/deno.json index dd1de7f1d..49c53ce4b 100644 --- a/deno.json +++ b/deno.json @@ -1,6 +1,6 @@ { "name": "@cyclonedx/cdxgen", - "version": "11.1.7", + "version": "11.1.8", "exports": "./lib/cli/index.js", "compilerOptions": { "lib": ["deno.window"], diff --git a/jsr.json b/jsr.json index 7606728be..99c468b1c 100644 --- a/jsr.json +++ b/jsr.json @@ -1,6 +1,6 @@ { "name": "@cyclonedx/cdxgen", - "version": "11.1.7", + "version": "11.1.8", "exports": "./lib/cli/index.js", "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"], "exclude": [ diff --git a/package.json b/package.json index 4f85ca0e6..60c388329 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@cyclonedx/cdxgen", - "version": "11.1.7", + "version": "11.1.8", "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image", "homepage": "http://github.com/cyclonedx/cdxgen", "author": "Prabhu Subramanian ", From f8190284fa343b3d4a744bd5a0cc910658cebc86 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 13 Feb 2025 22:18:32 +0000 Subject: [PATCH 4/6] Added SecObserve to repotests Signed-off-by: Prabhu Subramanian --- .github/workflows/repotests.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml index a4f1e4e9b..4bbaeea66 100644 --- a/.github/workflows/repotests.yml +++ b/.github/workflows/repotests.yml @@ -307,6 +307,11 @@ jobs: repository: 'caddyserver/caddy' path: 'repotests/caddy' ref: 'v2.9.1' + - uses: actions/checkout@v4 + with: + repository: 'MaibornWolff/SecObserve' + path: 'repotests/SecObserve' + ref: 'v1.28.0' - uses: dtolnay/rust-toolchain@stable - name: setup sdkman run: | @@ -531,23 +536,27 @@ jobs: shell: bash - name: repotests blint run: | - bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json + bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json --fail-on-error bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint-deep.json --deep bin/cdxgen.js -p -t java repotests/broken-mvn-wrapper -o bomresults/bom-broken-mvn-wrapper.json shell: bash - name: repotests expo run: | cd repotests/expo-test && npm ci && cd ../.. - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json --fail-on-error + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json --fail-on-error + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json --fail-on-error shell: bash - name: repotests elasticsearch run: | - bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json + bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json --fail-on-error GRADLE_INCLUDED_BUILDS=:build-conventions,:build-tools,:build-tools-internal bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch-with-included-builds.json custom-json-diff -i bomresults/bom-elasticsearch.json bomresults/bom-elasticsearch-with-included-builds.json -o bomresults/diff-elasticsearch preset-diff shell: bash + - name: repotests SecObserve + run: | + bin/cdxgen.js repotests/SecObserve -o bomresults/bom-SecObserve.json --fail-on-error + shell: bash - name: jenkins plugins run: | mkdir -p jenkins From bfde45c9a10aaafcf1d91f37175efdddfd4df11a Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 13 Feb 2025 23:10:15 +0000 Subject: [PATCH 5/6] Expo repotests are not quite working on arm64 Signed-off-by: Prabhu Subramanian --- .github/workflows/repotests.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml index 4bbaeea66..920d7e5cc 100644 --- a/.github/workflows/repotests.yml +++ b/.github/workflows/repotests.yml @@ -543,9 +543,10 @@ jobs: - name: repotests expo run: | cd repotests/expo-test && npm ci && cd ../.. - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json --fail-on-error - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json --fail-on-error - GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json --fail-on-error + java --version + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json + GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json shell: bash - name: repotests elasticsearch run: | From b8aaddab46d22990a2a96dabc5bff37cc4610b9d Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Fri, 14 Feb 2025 02:54:35 +0000 Subject: [PATCH 6/6] Expo repotests are not quite working on arm64 Signed-off-by: Prabhu Subramanian --- .github/workflows/repotests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml index 920d7e5cc..ae7e3eba2 100644 --- a/.github/workflows/repotests.yml +++ b/.github/workflows/repotests.yml @@ -550,7 +550,7 @@ jobs: shell: bash - name: repotests elasticsearch run: | - bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json --fail-on-error + bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json GRADLE_INCLUDED_BUILDS=:build-conventions,:build-tools,:build-tools-internal bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch-with-included-builds.json custom-json-diff -i bomresults/bom-elasticsearch.json bomresults/bom-elasticsearch-with-included-builds.json -o bomresults/diff-elasticsearch preset-diff shell: bash