From 3583761a422da48a4003427ca29e0d3c3c8da688 Mon Sep 17 00:00:00 2001
From: Prabhu Subramanian
Date: Wed, 11 Oct 2023 21:58:20 +0100
Subject: [PATCH] Trim dotnet sbom by tracking resolved versions. Fixes #631
Signed-off-by: Prabhu Subramanian
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 utils.js | 49 +++++++++++++++++++++++++++++++----------------
 utils.test.js | 2 +-
 4 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index a787af5588..57242a9650 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@cyclonedx/cdxgen",
- "version": "9.8.9",
+ "version": "9.8.10",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@cyclonedx/cdxgen",
- "version": "9.8.9",
+ "version": "9.8.10",
 "license": "Apache-2.0",
 "dependencies": {
 "@babel/parser": "^7.23.0",
diff --git a/package.json b/package.json
index a18235a8e5..200b67630b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cdxgen",
- "version": "9.8.9",
+ "version": "9.8.10",
 "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
 "homepage": "http://github.com/cyclonedx/cdxgen",
 "author": "Prabhu Subramanian ",
diff --git a/utils.js b/utils.js
index 1efbad3ef6..2f4b2e2c08 100644
--- a/utils.js
+++ b/utils.js
@@ -4719,6 +4719,9 @@ export const parseCsProjAssetsData = async function (csProjData) {
 const pkgList = [];
 let dependenciesList = [];
 let rootPkg = {};
+ // This tracks the resolved version
+ const pkgNameVersionMap = {};
+ const pkgAddedMap = {};
 if (!csProjData) {
 return { pkgList, dependenciesList };
@@ -4784,12 +4787,12 @@ export const parseCsProjAssetsData = async function (csProjData) {
 if (csProjData.libraries && csProjData.targets) {
 const lib = csProjData.libraries;
+ // Pass 1: Construct pkgList alone and track name and resolved version
 for (const framework in csProjData.targets) {
 for (const rootDep of Object.keys(csProjData.targets[framework])) {
 // if (rootDep.startsWith("runtime")){
 // continue;
 // }
- const depList = new Set();
 const [name, version] = rootDep.split("/");
 const dpurl = decodeURIComponent(
 new PackageURL("nuget", "", name, version, null, null).toString()
@@ -4810,29 +4813,41 @@ export const parseCsProjAssetsData = async function (csProjData) {
 }
 }
 pkgList.push(pkg);
-
+ pkgNameVersionMap[name] = version;
+ pkgAddedMap[name] = true;
+ }
+ }
+ // Pass 2: Fix the dependency tree
+ for (const framework in csProjData.targets) {
+ for (const rootDep of Object.keys(csProjData.targets[framework])) {
+ const depList = new Set();
+ const [name, version] = rootDep.split("/");
+ const dpurl = decodeURIComponent(
+ new PackageURL("nuget", "", name, version, null, null).toString()
+ );
 const dependencies = csProjData.targets[framework][rootDep].dependencies;
 if (dependencies) {
 for (const p of Object.keys(dependencies)) {
+ // This condition is not required for assets json that are well-formed.
+ if (!pkgNameVersionMap[p]) {
+ continue;
+ }
+ let dversion = pkgNameVersionMap[p];
 const ipurl = decodeURIComponent(
- new PackageURL(
- "nuget",
- "",
- p,
- dependencies[p],
- null,
- null
- ).toString()
+ new PackageURL("nuget", "", p, dversion, null, null).toString()
 );
 depList.add(ipurl);
- pkgList.push({
- group: "",
- name: p,
- version: dependencies[p],
- description: "",
- "bom-ref": ipurl
- });
+ if (!pkgAddedMap[p]) {
+ pkgList.push({
+ group: "",
+ name: p,
+ version: dversion,
+ description: "",
+ "bom-ref": ipurl
+ });
+ pkgAddedMap[p] = true;
+ }
 }
 }
 dependenciesList.push({
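Review bot: The `continue` added under `for (const p of Object.keys(dependencies))` silently drops every dependency whose name was not recorded as a target entry in pass 1, so an SBOM built from an assets file that is not "well-formed" loses packages and edges with no log line, whereas the removed `pkgList.push({ ... version: dependencies[p] ... })` still emitted them with the declared version. Keeping the entry with a fallback instead of skipping it, `const dversion = pkgNameVersionMap[p] ?? dependencies[p];`, preserves SBOM completeness and lets `let dversion` become `const`, since it is never reassigned. The lookups `pkgNameVersionMap[p]` and `pkgAddedMap[p]` are on plain `{}` objects keyed by package ids read from the parsed file, so an id such as `constructor` resolves through `Object.prototype` to a truthy value that both passes the guard and suppresses the `pkgList.push`; declaring the two maps with `Object.create(null)` (or a `Map`) where they are introduced, or testing with `Object.hasOwn`, avoids that. Both maps are keyed by name only, so if the same package resolves to different versions under different entries of `csProjData.targets` the last version written wins for every edge in pass 2, while pass 1 still pushes one `pkg` per occurrence without consulting `pkgAddedMap` — worth at least a comment if multi-target assets files are expected. parseCsProjAssetsData starts and ends outside this hunk.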
diff --git a/utils.test.js b/utils.test.js
index 710cb9191f..4289728ae4 100644
--- a/utils.test.js
+++ b/utils.test.js
@@ -1253,7 +1253,7 @@ test("parse project.assets.json", async () => {
 const dep_list = await parseCsProjAssetsData(
 readFileSync("./test/data/project.assets.json", { encoding: "utf-8" })
 );
- expect(dep_list["pkgList"].length).toEqual(1460);
+ expect(dep_list["pkgList"].length).toEqual(302);
 expect(dep_list["pkgList"][0]).toEqual({
 "bom-ref": "pkg:nuget/Castle.Core.Tests@0.0.0",
 group: "",
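Review bot: The only assertion touched is the bare count `302`, which records that the list shrank but not why, so a later regression that reintroduces duplicates while dropping other entries could leave the count unchanged and the test green. An assertion that names the property the commit is after is more useful, e.g. that no `bom-ref` is emitted twice: `expect(new Set(dep_list["pkgList"].map((p) => p["bom-ref"])).size).toEqual(dep_list["pkgList"].length);`. I could not check this against the fixture from here; it may need relaxing if project.assets.json declares several targets. The test body continues outside the hunk.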