Collect more properties

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Dec 30, 2024 · f5261cb · f5261cb
1 parent 0d22d67
commit f5261cb
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 5 deletions.
diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -510,6 +510,15 @@ const applyAdvancedOptions = (options) => {
       options.installDeps = true;
       break;
   }
+  // When the user specifies source-code-analysis as a technique, then enable deep and evidence mode.
+  if (
+    options?.technique &&
+    Array.isArray(options.technique) &&
+    options?.technique?.includes("source-code-analysis")
+  ) {
+    options.deep = true;
+    options.evidence = true;
+  }
   return options;
 };
 applyAdvancedOptions(options);

diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
@@ -1120,6 +1120,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         author: authorString,
         scope: scope,
         _integrity: integrity,
+        externalReferences: [],
         properties: [
           {
             name: "SrcFile",
@@ -1156,11 +1157,75 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
           value: node.location,
         });
       }
+      if (node?.installLinks) {
+        pkg.properties.push({
+          name: "cdx:npm:installLinks",
+          value: "true",
+        });
+      }
+      if (node?.binPaths?.length) {
+        pkg.properties.push({
+          name: "cdx:npm:binPaths",
+          value: node.binPaths.join(", "),
+        });
+      }
+      if (node?.hasInstallScript) {
+        pkg.properties.push({
+          name: "cdx:npm:hasInstallScript",
+          value: "true",
+        });
+      }
+      if (node?.isLink) {
+        pkg.properties.push({
+          name: "cdx:npm:isLink",
+          value: "true",
+        });
+      }
+      if (!node?.isRegistryDependency) {
+        pkg.properties.push({
+          name: "cdx:npm:isRegistryDependency",
+          value: "false",
+        });
+      }
+      if (node?.isWorkspace) {
+        pkg.properties.push({
+          name: "cdx:npm:isWorkspace",
+          value: "true",
+        });
+      }
+      if (node?.inBundle) {
+        pkg.properties.push({
+          name: "cdx:npm:inBundle",
+          value: "true",
+        });
+      }
+      if (node?.inDepBundle) {
+        pkg.properties.push({
+          name: "cdx:npm:inDepBundle",
+          value: "true",
+        });
+      }
+      if (node.package?.repository?.url) {
+        pkg.externalReferences.push({
+          type: "vcs",
+          url: node.package.repository.url,
+        });
+      }
+      if (node.package?.bugs?.url) {
+        pkg.externalReferences.push({
+          type: "issue-tracker",
+          url: node.package.bugs.url,
+        });
+      }
+      if (node?.package?.keywords?.length) {
+        pkg.tags = Array.isArray(node.package.keywords)
+          ? node.package.keywords.sort()
+          : node.package.keywords.split(",");
+      }
     }
-    const packageLicense = node.package.license;
-    if (packageLicense) {
+    if (node.package?.license) {
       // License will be overridden if shouldFetchLicense() is enabled
-      pkg.license = packageLicense;
+      pkg.license = node.package.license;
     }
     const deprecatedMessage = node.package?.deprecated;
     if (deprecatedMessage) {
@@ -1318,6 +1383,19 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       // if we can't find the version of the edge, continue
       // it may be an optional peer dependency
       if (!targetVersion || !targetName) {
+        if (DEBUG_MODE && !options.deep && edge?.type !== "optional") {
+          if (!targetVersion) {
+            console.log(
+              `Unable to determine the version for the dependency ${edge.name} from the path ${edge?.from?.path}. This is likely an edge case that is not handled.`,
+              edge,
+            );
+          } else if (!targetName) {
+            console.log(
+              `Unable to determine the name for the dependency from the edge from the path ${edge?.from?.path}. This is likely an edge case that is not handled.`,
+              edge,
+            );
+          }
+        }
         continue;
       }
       const depPurlString = decodeURIComponent(
@@ -1362,7 +1440,24 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
   });
   let tree = undefined;
   try {
-    tree = await arb.loadVirtual();
+    const rootNodeModulesDir = join(path.dirname(pkgLockFile), "node_modules");
+    if (existsSync(rootNodeModulesDir)) {
+      if (options.deep) {
+        console.log(
+          `Constructing the actual dependency hierarchy from ${rootNodeModulesDir}.`,
+        );
+        tree = await arb.loadActual();
+      } else {
+        if (DEBUG_MODE) {
+          console.log(
+            "Constructing virtual dependency tree based on the lock file. Pass --deep argument to construct the actual dependency tree from disk.",
+          );
+        }
+        tree = await arb.loadVirtual();
+      }
+    } else {
+      tree = await arb.loadVirtual();
+    }
   } catch (e) {
     console.log(
       `Unable to parse ${pkgLockFile} without legacy peer dependencies. Retrying ...`,

diff --git a/types/lib/helpers/utils.d.ts.map b/types/lib/helpers/utils.d.ts.map