Invoke atom parsedeps only in deep mode or as a fallback (#1290)

* Invoke atom parsedeps only in deep mode or as a fallback Signed-off-by: Prabhu Subramanian <[email protected]> * Tweaks Signed-off-by: Prabhu Subramanian <[email protected]> * Do not run bazel for oci type Signed-off-by: Prabhu Subramanian <[email protected]> --------- Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Aug 5, 2024 · 1a5dcb3 · 1a5dcb3
1 parent 8a96fe8
commit 1a5dcb3
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 44 deletions.
diff --git a/binary.js b/binary.js
@@ -271,6 +271,9 @@ const OS_DISTRO_ALIAS = {
   "debian-1.3": "bo",
   "debian-1.2": "rex",
   "debian-1.1": "buzz",
+  "red hat enterprise linux": "rhel",
+  "red hat enterprise linux 8": "rhel-8",
+  "red hat enterprise linux 9": "rhel-9",
 };
 
 export function getGoBuildInfo(src) {
@@ -421,9 +424,13 @@ export function getOSPackages(src) {
       let distro_codename =
         osReleaseData["VERSION_CODENAME"] ||
         osReleaseData["CENTOS_MANTISBT_PROJECT"] ||
+        osReleaseData["REDHAT_BUGZILLA_PRODUCT"] ||
         osReleaseData["REDHAT_SUPPORT_PRODUCT"] ||
         "";
       distro_codename = distro_codename.toLowerCase();
+      if (distro_codename.includes(" ") && OS_DISTRO_ALIAS[distro_codename]) {
+        distro_codename = OS_DISTRO_ALIAS[distro_codename];
+      }
       let distro_id = osReleaseData["ID"] || "";
       const distro_id_like = osReleaseData["ID_LIKE"] || "";
       let purl_type = "rpm";

diff --git a/deno.json b/deno.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.9.1",
+  "version": "10.9.2",
   "exports": "./index.js",
   "compilerOptions": {
     "allowJs": true,

diff --git a/index.js b/index.js
@@ -1943,13 +1943,15 @@ export async function createJavaBom(path, options) {
 
   // Bazel
   // Look for the BUILD file only in the root directory
+  // NOTE: This can match BUILD files used by perl, so could lead to errors in some projects
   const bazelFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}BUILD*`,
     options,
   );
   if (
     bazelFiles?.length &&
+    !hasAnyProjectType(["docker", "oci", "container", "os"], options, false) &&
     !options.projectType?.includes("maven") &&
     !options.projectType?.includes("gradle") &&
     !options.projectType?.includes("scala") &&
@@ -2837,7 +2839,7 @@ export async function createPythonBom(path, options) {
       const parentDependsOn = [];
       // Complete the dependency tree by making parent component depend on the first level
       for (const p of retMap.rootList) {
-        parentDependsOn.push(`pkg:pypi/${p.name}@${p.version}`);
+        parentDependsOn.push(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
       }
       const pdependencies = {
         ref: parentComponent["bom-ref"],
@@ -2985,50 +2987,63 @@ export async function createPythonBom(path, options) {
       } else {
         pkgMap = getPipFrozenTree(path, undefined, tempDir, parentComponent);
       }
+
       // Get the imported modules and a dedupe list of packages
       const parentDependsOn = new Set();
-      const retMap = await getPyModules(path, pkgList, options);
-      // We need to patch the existing package list to add ImportedModules for evinse to work
-      if (retMap.modList?.length) {
-        const iSymbolsMap = {};
-        retMap.modList.forEach((v) => {
-          iSymbolsMap[v.name] = v.importedSymbols;
-          iSymbolsMap[v.name.replace(/_/g, "-")] = v.importedSymbols;
-        });
-        for (const apkg of pkgList) {
-          if (iSymbolsMap[apkg.name]) {
-            apkg.properties = apkg.properties || [];
-            apkg.properties.push({
-              name: "ImportedModules",
-              value: iSymbolsMap[apkg.name],
-            });
+
+      // ATOM parsedeps block
+      // Atom parsedeps slices can be used to identify packages that are not declared in manifests
+      // Since it is a slow operation, we only use it as a fallback or in deep mode
+      // This change was made in 10.9.2 release onwards
+      if (options.deep || !pkgList.length) {
+        const retMap = await getPyModules(path, pkgList, options);
+        // We need to patch the existing package list to add ImportedModules for evinse to work
+        if (retMap.modList?.length) {
+          const iSymbolsMap = {};
+          retMap.modList.forEach((v) => {
+            iSymbolsMap[v.name] = v.importedSymbols;
+            iSymbolsMap[v.name.replace(/_/g, "-")] = v.importedSymbols;
+          });
+          for (const apkg of pkgList) {
+            if (iSymbolsMap[apkg.name]) {
+              apkg.properties = apkg.properties || [];
+              apkg.properties.push({
+                name: "ImportedModules",
+                value: iSymbolsMap[apkg.name],
+              });
+            }
           }
         }
-      }
-      if (retMap.pkgList?.length) {
-        pkgList = pkgList.concat(retMap.pkgList);
-        for (const p of retMap.pkgList) {
-          if (
-            !p.version ||
-            (parentComponent &&
-              p.name === parentComponent.name &&
-              (p.version === parentComponent.version || p.version === "latest"))
-          ) {
-            continue;
+        if (retMap.pkgList?.length) {
+          pkgList = pkgList.concat(retMap.pkgList);
+          for (const p of retMap.pkgList) {
+            if (
+              !p.version ||
+              (parentComponent &&
+                p.name === parentComponent.name &&
+                (p.version === parentComponent.version ||
+                  p.version === "latest"))
+            ) {
+              continue;
+            }
+            parentDependsOn.add(
+              `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+            );
           }
-          parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
+        }
+        if (retMap.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            retMap.dependenciesList,
+            parentComponent,
+          );
+        }
+        if (retMap.allImports) {
+          allImports = { ...allImports, ...retMap.allImports };
         }
       }
-      if (retMap.dependenciesList) {
-        dependencies = mergeDependencies(
-          dependencies,
-          retMap.dependenciesList,
-          parentComponent,
-        );
-      }
-      if (retMap.allImports) {
-        allImports = { ...allImports, ...retMap.allImports };
-      }
+      // ATOM parsedeps block
+
       // Complete the dependency tree by making parent component depend on the first level
       for (const p of pkgMap.rootList) {
         if (
@@ -3038,7 +3053,7 @@ export async function createPythonBom(path, options) {
         ) {
           continue;
         }
-        parentDependsOn.add(`pkg:pypi/${p.name}@${p.version}`);
+        parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
       }
       if (pkgMap.pkgList?.length) {
         pkgList = pkgList.concat(pkgMap.pkgList);

diff --git a/jsr.json b/jsr.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.9.1",
+  "version": "10.9.2",
   "exports": "./index.js",
   "include": ["*.js", "bin/**", "data/**", "types/**"],
   "exclude": ["test/", "docs/", "contrib/", "ci/", "tools_config/"]

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.9.1",
+  "version": "10.9.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",

diff --git a/types/binary.d.ts.map b/types/binary.d.ts.map
diff --git a/types/index.d.ts.map b/types/index.d.ts.map