Perform bom-ref decode during creation at source (#644)

* Perform bom-ref decode during creation at source Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Bug fix. With yarn v1 packages without integrity wasn't included Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Aggressively mark packages as optional in evidence mode. See discussion in #466 Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Oct 19, 2023 · 439f871 · 439f871
1 parent 9accbf6
commit 439f871
Show file tree

Hide file tree

Showing 6 changed files with 27,984 additions and 69 deletions.
diff --git a/index.js b/index.js
@@ -373,7 +373,7 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
     if (parentComponent) {
       cleanParentComponent(parentComponent);
       if (!parentComponent["purl"] && parentComponent["bom-ref"]) {
-        parentComponent["purl"] = parentComponent["bom-ref"];
+        parentComponent["purl"] = encodeForPurl(parentComponent["bom-ref"]);
       }
     }
     if (parentComponent && parentComponent.components) {
@@ -400,7 +400,9 @@ function addMetadata(parentComponent = {}, format = "xml", options = {}) {
             )
           ) {
             if (!comp["bom-ref"]) {
-              comp["bom-ref"] = `pkg:${comp.type}/${fullName}`;
+              comp["bom-ref"] = `pkg:${comp.type}/${decodeURIComponent(
+                fullName
+              )}`;
             }
             if (!addedSubComponents[comp["bom-ref"]]) {
               subComponents.push(comp);
@@ -2130,7 +2132,7 @@ export const createNodejsBom = async (path, options) => {
           null,
           null
         ).toString();
-        tmpParentComponent["bom-ref"] = ppurl;
+        tmpParentComponent["bom-ref"] = decodeURIComponent(ppurl);
         tmpParentComponent["purl"] = ppurl;
         if (!Object.keys(parentComponent).length) {
           parentComponent = tmpParentComponent;
@@ -2154,12 +2156,13 @@ export const createNodejsBom = async (path, options) => {
           rdeplist.push(dobj.ref);
         }
         // Fixes: 212. Handle case where there are no package.json to determine the parent package
+        // Bug fix: We need to consistently override the parent component group, name and version here
         if (Object.keys(parentComponent).length && parentComponent.name) {
           const ppurl = new PackageURL(
             "npm",
-            parentComponent.group,
-            parentComponent.name,
-            parentComponent.version,
+            options.projectGroup || parentComponent.group,
+            options.projectName || parentComponent.name,
+            options.projectVersion || parentComponent.version,
             null,
             null
           ).toString();
@@ -5161,7 +5164,9 @@ export const createBom = async (path, options) => {
             purl: "pkg:oci/" + inspectData.RepoDigests[0],
             _integrity: inspectData.RepoDigests[0].replace("sha256:", "sha256-")
           };
-          options.parentComponent["bom-ref"] = options.parentComponent.purl;
+          options.parentComponent["bom-ref"] = decodeURIComponent(
+            options.parentComponent.purl
+          );
         }
       } else if (inspectData.Id) {
         options.parentComponent = {
@@ -5173,7 +5178,9 @@ export const createBom = async (path, options) => {
           purl: "pkg:oci/" + inspectData.RepoDigests[0],
           _integrity: inspectData.RepoDigests[0].replace("sha256:", "sha256-")
         };
-        options.parentComponent["bom-ref"] = options.parentComponent.purl;
+        options.parentComponent["bom-ref"] = decodeURIComponent(
+          options.parentComponent.purl
+        );
       }
     } else {
       options.parentComponent = createDefaultParentComponent(

diff --git a/test/data/conda-list.json b/test/data/conda-list.json
@@ -0,0 +1,222 @@
+[
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "main",
+    "channel": "pkgs/main",
+    "dist_name": "_libgcc_mutex-0.1-main",
+    "name": "_libgcc_mutex",
+    "platform": "linux-64",
+    "version": "0.1"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "1_gnu",
+    "channel": "pkgs/main",
+    "dist_name": "_openmp_mutex-5.1-1_gnu",
+    "name": "_openmp_mutex",
+    "platform": "linux-64",
+    "version": "5.1"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h7b6447c_0",
+    "channel": "pkgs/main",
+    "dist_name": "bzip2-1.0.8-h7b6447c_0",
+    "name": "bzip2",
+    "platform": "linux-64",
+    "version": "1.0.8"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h06a4308_0",
+    "channel": "pkgs/main",
+    "dist_name": "ca-certificates-2023.08.22-h06a4308_0",
+    "name": "ca-certificates",
+    "platform": "linux-64",
+    "version": "2023.08.22"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 1,
+    "build_string": "h1181459_1",
+    "channel": "pkgs/main",
+    "dist_name": "ld_impl_linux-64-2.38-h1181459_1",
+    "name": "ld_impl_linux-64",
+    "platform": "linux-64",
+    "version": "2.38"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h6a678d5_0",
+    "channel": "pkgs/main",
+    "dist_name": "libffi-3.4.4-h6a678d5_0",
+    "name": "libffi",
+    "platform": "linux-64",
+    "version": "3.4.4"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 1,
+    "build_string": "h1234567_1",
+    "channel": "pkgs/main",
+    "dist_name": "libgcc-ng-11.2.0-h1234567_1",
+    "name": "libgcc-ng",
+    "platform": "linux-64",
+    "version": "11.2.0"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 1,
+    "build_string": "h1234567_1",
+    "channel": "pkgs/main",
+    "dist_name": "libgomp-11.2.0-h1234567_1",
+    "name": "libgomp",
+    "platform": "linux-64",
+    "version": "11.2.0"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 1,
+    "build_string": "h1234567_1",
+    "channel": "pkgs/main",
+    "dist_name": "libstdcxx-ng-11.2.0-h1234567_1",
+    "name": "libstdcxx-ng",
+    "platform": "linux-64",
+    "version": "11.2.0"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h5eee18b_0",
+    "channel": "pkgs/main",
+    "dist_name": "libuuid-1.41.5-h5eee18b_0",
+    "name": "libuuid",
+    "platform": "linux-64",
+    "version": "1.41.5"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h6a678d5_0",
+    "channel": "pkgs/main",
+    "dist_name": "ncurses-6.4-h6a678d5_0",
+    "name": "ncurses",
+    "platform": "linux-64",
+    "version": "6.4"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 2,
+    "build_string": "h7f8727e_2",
+    "channel": "pkgs/main",
+    "dist_name": "openssl-3.0.11-h7f8727e_2",
+    "name": "openssl",
+    "platform": "linux-64",
+    "version": "3.0.11"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "py311h06a4308_0",
+    "channel": "pkgs/main",
+    "dist_name": "pip-23.2.1-py311h06a4308_0",
+    "name": "pip",
+    "platform": "linux-64",
+    "version": "23.2.1"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h955ad1f_0",
+    "channel": "pkgs/main",
+    "dist_name": "python-3.11.5-h955ad1f_0",
+    "name": "python",
+    "platform": "linux-64",
+    "version": "3.11.5"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h5eee18b_0",
+    "channel": "pkgs/main",
+    "dist_name": "readline-8.2-h5eee18b_0",
+    "name": "readline",
+    "platform": "linux-64",
+    "version": "8.2"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "py311h06a4308_0",
+    "channel": "pkgs/main",
+    "dist_name": "setuptools-68.0.0-py311h06a4308_0",
+    "name": "setuptools",
+    "platform": "linux-64",
+    "version": "68.0.0"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h5eee18b_0",
+    "channel": "pkgs/main",
+    "dist_name": "sqlite-3.41.2-h5eee18b_0",
+    "name": "sqlite",
+    "platform": "linux-64",
+    "version": "3.41.2"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h1ccaba5_0",
+    "channel": "pkgs/main",
+    "dist_name": "tk-8.6.12-h1ccaba5_0",
+    "name": "tk",
+    "platform": "linux-64",
+    "version": "8.6.12"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h04d1e81_0",
+    "channel": "pkgs/main",
+    "dist_name": "tzdata-2023c-h04d1e81_0",
+    "name": "tzdata",
+    "platform": "noarch",
+    "version": "2023c"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "py311h06a4308_0",
+    "channel": "pkgs/main",
+    "dist_name": "wheel-0.41.2-py311h06a4308_0",
+    "name": "wheel",
+    "platform": "linux-64",
+    "version": "0.41.2"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h5eee18b_0",
+    "channel": "pkgs/main",
+    "dist_name": "xz-5.4.2-h5eee18b_0",
+    "name": "xz",
+    "platform": "linux-64",
+    "version": "5.4.2"
+  },
+  {
+    "base_url": "https://repo.anaconda.com/pkgs/main",
+    "build_number": 0,
+    "build_string": "h5eee18b_0",
+    "channel": "pkgs/main",
+    "dist_name": "zlib-1.2.13-h5eee18b_0",
+    "name": "zlib",
+    "platform": "linux-64",
+    "version": "1.2.13"
+  }
+]