Update packages with overrides (#1411)

* Update packages

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* docker extract improvements

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

.github/workflows/dockertests.yml

@@ -69,7 +69,7 @@ jobs:
           bin/cdxgen.js zookeeper@sha256:5bf00616677db5ef57d8a2da7c5dadf67f1a6be54b0c33a79be3332c9c80aeb6 -o bomresults/bom-zoo.json --validate
           docker rmi zookeeper@sha256:5bf00616677db5ef57d8a2da7c5dadf67f1a6be54b0c33a79be3332c9c80aeb6
           docker pull shiftleft/scan-slim:latest
-          docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest
+          docker save shiftleft/scan-slim:latest -o /tmp/scanslim.tar
           docker rmi shiftleft/scan-slim:latest
           bin/cdxgen.js /tmp/scanslim.tar -o bomresults/bom-scanarch.json --validate
           bin/cdxgen.js -t docker-compose test/data -o bomresults/bom-dc.json --validate
@@ -116,7 +116,6 @@ jobs:
           path: 'repotests/grafana-operator'
       - name: dockertests
         run: |
-          echo "Test docker container image using a `.tar` file"
           docker pull elasticsearch@sha256:3686a5757ed46c9dbcf00f6f71fce48ffc5413b193a80d1c46a21e7aad4c53ad
           docker save -o /tmp/elastic.tar elasticsearch@sha256:3686a5757ed46c9dbcf00f6f71fce48ffc5413b193a80d1c46a21e7aad4c53ad
           docker rmi elasticsearch@sha256:3686a5757ed46c9dbcf00f6f71fce48ffc5413b193a80d1c46a21e7aad4c53ad

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.10.4",
+  "version": "10.10.5",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "allowJs": true,
@@ -54,7 +54,7 @@
     "@appthreat/cdx-proto": "npm:@appthreat/cdx-proto@1.0.1",
     "@babel/parser": "npm:@babel/parser@^7.24.8",
     "@babel/traverse": "npm:@babel/traverse@^7.24.8",
-    "@npmcli/arborist": "npm:@npmcli/arborist@7.5.4",
+    "@npmcli/arborist": "npm:@npmcli/arborist@8.0.0",
     "ajv": "npm:ajv@^8.16.0",
     "ajv-formats": "npm:ajv-formats@^3.0.1",
     "cheerio": "npm:cheerio@^1.0.0-rc.12",
@@ -71,9 +71,9 @@
     "prettify-xml": "npm:prettify-xml@^1.2.0",
     "properties-reader": "npm:properties-reader@^2.3.0",
     "semver": "npm:semver@^7.6.3",
-    "ssri": "npm:ssri@^11.0.0",
+    "ssri": "npm:ssri@^12.0.0",
     "table": "npm:table@^6.8.2",
-    "tar": "npm:tar@^6.2.1",
+    "tar": "npm:tar@^7.4.3",
     "uuid": "npm:uuid@^10.0.0",
     "xml-js": "npm:xml-js@^1.6.11",
     "yargs": "npm:yargs@^17.7.2",

jsr.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.10.4",
+  "version": "10.10.5",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [

lib/helpers/utils.js

@@ -456,9 +456,6 @@ export function hasAnyProjectType(projectTypes, options, defaultStatus = true) {
         .length
     );
   }
-  if (shouldInclude && DEBUG_MODE) {
-    console.log("Project types", projectTypes);
-  }
   return shouldInclude;
 }
 
@@ -9689,9 +9686,6 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
   } else {
     jarFiles = [join(tempDir, fname)];
   }
-  if (DEBUG_MODE) {
-    console.log(`List of jars: ${jarFiles}`);
-  }
   if (jarFiles?.length) {
     for (const jf of jarFiles) {
       // If the jar file doesn't exist at the point of use, skip it
@@ -9920,9 +9914,13 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
     } // for
   } // if
   if (jarFiles.length !== pkgList.length) {
-    console.log(
-      `Obtained only ${pkgList.length} components from ${jarFiles.length} jars.`,
-    );
+    if (pkgList.length) {
+      console.log(
+        `Obtained only ${pkgList.length} components from ${jarFiles.length} jars.`,
+      );
+    } else {
+      console.log("Unable to extract the component information from", jarFile);
+    }
   }
   return pkgList;
 }

lib/helpers/utils.test.js

@@ -3276,8 +3276,8 @@ test("parsePnpmLock", async () => {
   expect(parsedList.dependenciesList).toHaveLength(462);
   expect(parsedList.pkgList.filter((pkg) => !pkg.scope)).toHaveLength(3);
   parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  expect(parsedList.pkgList.length).toEqual(647);
-  expect(parsedList.dependenciesList.length).toEqual(647);
+  expect(parsedList.pkgList.length).toEqual(632);
+  expect(parsedList.dependenciesList.length).toEqual(632);
   expect(parsedList.pkgList[0]).toEqual({
     group: "@ampproject",
     name: "remapping",

lib/managers/docker.js

@@ -156,7 +156,7 @@ export const getOnlyDirs = (srcpath, dirName) => {
               }
             }
           } catch (err) {
-            console.error(err);
+            // ignore
           }
         })
         .filter((p) => p !== undefined),
@@ -378,7 +378,7 @@ export const getConnection = async (options, forRegistry) => {
         }
         return dockerConn;
       } catch (err) {
-        // console.log(err, opts);
+        // ignore
       }
       try {
         if (isWin) {
@@ -402,7 +402,6 @@ export const getConnection = async (options, forRegistry) => {
           }
         }
       } catch (err) {
-        // console.log(err);
         try {
           opts.prefixUrl = opts.podmanPrefixUrl;
           await got.get("libpod/_ping", opts);
@@ -413,7 +412,6 @@ export const getConnection = async (options, forRegistry) => {
             "Podman in root mode detected. Consider switching to rootless mode to improve security. See https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md",
           );
         } catch (err) {
-          // console.log(err);
           if (_platform() === "win32") {
             console.warn(
               "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on.",
@@ -630,7 +628,6 @@ export const getImage = async (fullImageName) => {
       }
     } catch (err) {
       // continue regardless of error
-      console.log(err);
     }
   }
   try {
@@ -766,7 +763,10 @@ export const extractTar = async (fullImageName, dir) => {
         filter: (path, entry) => {
           // Some files are known to cause issues with extract
           if (
-            path.endsWith("etc/machine-id") ||
+            path.includes("etc/machine-id") ||
+            path.includes("etc/gshadow") ||
+            path.includes("etc/shadow") ||
+            path.endsWith("etc/passwd") ||
             path.includes("usr/lib/systemd/") ||
             path.includes("usr/lib64/libdevmapper.so") ||
             path.includes("usr/sbin/") ||
@@ -892,7 +892,7 @@ export const exportArchive = async (fullImageName) => {
     }
     console.log(`Unable to extract image archive to ${tempDir}`);
   } catch (err) {
-    console.log(err);
+    // ignore
   }
   return undefined;
 };
@@ -984,7 +984,7 @@ export const extractFromManifest = async (
           ? join(allLayersExplodedDir, lastLayerConfig.config.WorkingDir)
           : "";
       } catch (err) {
-        console.log(err);
+        // ignore
       }
     }
   }
@@ -1105,7 +1105,7 @@ export const exportImage = async (fullImageName) => {
             }),
           );
         } catch (err) {
-          console.log(err);
+          // ignore
         }
       }
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.10.4",
+  "version": "10.10.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",
@@ -65,14 +65,14 @@
   "bugs": {
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
-  "packageManager": "pnpm@9.12.0",
+  "packageManager": "pnpm@9.12.1",
   "lint-staged": {
     "*": "biome check --fix --no-errors-on-unmatched"
   },
   "dependencies": {
     "@babel/parser": "^7.25.6",
     "@babel/traverse": "^7.25.6",
-    "@npmcli/arborist": "7.5.4",
+    "@npmcli/arborist": "8.0.0",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "cheerio": "^1.0.0",
@@ -89,9 +89,9 @@
     "prettify-xml": "^1.2.0",
     "properties-reader": "^2.3.0",
     "semver": "^7.6.3",
-    "ssri": "^11.0.0",
+    "ssri": "^12.0.0",
     "table": "^6.8.2",
-    "tar": "^6.2.1",
+    "tar": "^7.4.3",
     "toml": "^3.0.0",
     "uuid": "^10.0.0",
     "validate-iri": "^1.0.1",
@@ -112,7 +112,7 @@
     "compression": "^1.7.4",
     "connect": "^3.7.0",
     "jsonata": "^2.0.5",
-    "sequelize": "^6.37.3",
+    "sequelize": "^6.37.4",
     "sqlite3": "^5.1.7"
   },
   "files": ["*.js", "lib/**", "bin/", "data/", "types/"],
@@ -123,7 +123,9 @@
   },
   "pnpm": {
     "overrides": {
-      "glob": "^11.0.0"
+      "glob": "^11.0.0",
+      "node-gyp": "^10.2.0",
+      "prebuild": "^13.0.0"
     }
   }
 }