Retain license and external references for parent components (#1520)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Dec 27, 2024 · ef0a765 · ef0a765
1 parent 1e942a7
commit ef0a765
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 20 deletions.
diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -242,7 +242,7 @@ const createDefaultParentComponent = (
       : dirname(path);
   const tmpA = dirNameStr.split(sep);
   dirNameStr = tmpA[tmpA.length - 1];
-  const compName = options.projectName || dirNameStr;
+  const compName = "project-name" in options ? options.projectName : dirNameStr;
   const parentComponent = {
     group: options.projectGroup || "",
     name: compName,
@@ -343,11 +343,24 @@ const componentToSimpleFullName = (comp) => {
 };
 
 // Remove unwanted properties from parent component
+// Bug #1519 - Retain licenses and external references
 const cleanParentComponent = (comp) => {
   delete comp.evidence;
   delete comp._integrity;
+  if (comp.license) {
+    const licenses = getLicenses(comp);
+    if (licenses?.length) {
+      comp.licenses = licenses;
+    }
+  }
   delete comp.license;
   delete comp.qualifiers;
+  if (comp.repository || comp.homepage) {
+    const externalReferences = addExternalReferences(comp);
+    if (externalReferences?.length) {
+      comp.externalReferences = externalReferences;
+    }
+  }
   delete comp.repository;
   delete comp.homepage;
   return comp;
@@ -2482,8 +2495,8 @@ export async function createNodejsBom(path, options) {
       if (!Object.keys(parentComponent).length) {
         if (existsSync(packageJsonF)) {
           const pcs = await parsePkgJson(packageJsonF, true);
-          if (pcs.length) {
-            parentComponent = pcs[0];
+          if (pcs.length && Object.keys(pcs[0]).length) {
+            parentComponent = { ...pcs[0] };
             parentComponent.type = "application";
             ppurl = new PackageURL(
               "npm",
@@ -2508,7 +2521,9 @@ export async function createNodejsBom(path, options) {
           ppurl = new PackageURL(
             "npm",
             options.projectGroup || parentComponent.group,
-            options.projectName || parentComponent.name,
+            "project-name" in options
+              ? options.projectName
+              : parentComponent.name,
             options.projectVersion || parentComponent.version,
             null,
             null,
@@ -2553,8 +2568,8 @@ export async function createNodejsBom(path, options) {
         const packageJsonF = join(basePath, "package.json");
         if (existsSync(packageJsonF)) {
           const pcs = await parsePkgJson(packageJsonF, true);
-          if (pcs.length) {
-            tmpParentComponent = pcs[0];
+          if (pcs.length && Object.keys(pcs[0]).length) {
+            tmpParentComponent = { ...pcs[0] };
             tmpParentComponent.type = "application";
             tmpParentComponent.name =
               "project-name" in options
@@ -2678,8 +2693,8 @@ export async function createNodejsBom(path, options) {
       const packageJsonF = join(basePath, "package.json");
       if (existsSync(packageJsonF)) {
         const pcs = await parsePkgJson(packageJsonF, true);
-        if (pcs.length) {
-          const tmpParentComponent = pcs[0];
+        if (pcs.length && Object.keys(pcs[0]).length) {
+          const tmpParentComponent = { ...pcs[0] };
           tmpParentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",
@@ -2703,7 +2718,7 @@ export async function createNodejsBom(path, options) {
         dirName = tmpA[tmpA.length - 1];
         const tmpParentComponent = {
           group: options.projectGroup || "",
-          name: options.projectName || dirName,
+          name: "project-name" in options ? options.projectName : dirName,
           type: "application",
         };
         ppurl = new PackageURL(
@@ -2780,8 +2795,8 @@ export async function createNodejsBom(path, options) {
     if (!parentComponent || !Object.keys(parentComponent).length) {
       if (existsSync(join(path, "package.json"))) {
         const pcs = await parsePkgJson(join(path, "package.json"), true);
-        if (pcs.length) {
-          parentComponent = pcs[0];
+        if (pcs.length && Object.keys(pcs[0]).length) {
+          parentComponent = { ...pcs[0] };
           parentComponent.type = "application";
           ppurl = new PackageURL(
             "npm",

diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
@@ -1080,7 +1080,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       purlString = new PackageURL(
         "npm",
         options.projectGroup || "",
-        options.projectName || node.packageName,
+        "project-name" in options ? options.projectName : node.packageName,
         options.projectVersion || node.version,
         null,
         null,
@@ -1090,7 +1090,8 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       pkg = {
         author: authorString,
         group: options.projectGroup || "",
-        name: options.projectName || node.packageName,
+        name:
+          "project-name" in options ? options.projectName : node.packageName,
         version: options.projectVersion || node.version,
         type: "application",
         purl: purlString,
@@ -10687,7 +10688,7 @@ export async function buildObjectForGradleModule(name, metadata) {
       do {
         const npmPackages = await parsePkgJson(join(tmpDir, "package.json"));
         if (npmPackages.length === 1) {
-          component = npmPackages[0];
+          component = { ...npmPackages[0] };
           component.type = "library";
           component.properties = component.properties.concat(
             metadata.properties,
@@ -11907,7 +11908,7 @@ export function parseCmakeDotFile(dotFile, pkgType, options = {}) {
     if (!Object.keys(parentComponent).length) {
       parentComponent = {
         group: options.projectGroup || "",
-        name: options.projectName || name,
+        name: "project-name" in options ? options.projectName : name,
         version: options.projectVersion || "",
         type: "application",
       };

diff --git a/lib/helpers/utils.test.js b/lib/helpers/utils.test.js
@@ -3358,12 +3358,12 @@ test("parsePkgLock v3", async () => {
     "sha512-s93jiP6GkRApn5duComx6RLwtP23YrulPxShz+8peX7svd6Q+MS8nKLhKCCazbP92C13eTVaIOxgeLt0ezIiCg==",
   );
   expect(deps[0]).toEqual({
-    "bom-ref": "pkg:npm/cdxgen@latest",
-    purl: "pkg:npm/cdxgen@latest",
+    "bom-ref": "pkg:npm/clase-21---jwt@latest",
+    purl: "pkg:npm/clase-21---jwt@latest",
     group: "",
     author: "",
     license: "ISC",
-    name: "cdxgen",
+    name: "clase-21---jwt",
     type: "application",
     version: "latest",
   });

diff --git a/types/lib/cli/index.d.ts.map b/types/lib/cli/index.d.ts.map