Merge branch 'master' into search-maven-org
Nikemare authored Dec 12, 2023
2 parents 5faf4f4 + 0da91a5 commit 60dab7a
Showing 11 changed files with 2,279 additions and 97 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/repotests.yml
Expand Up @@ -47,7 +47,6 @@ jobs:
run: |
npm install
npm run build --if-present
npm run lint
npm test
mkdir -p repotests
mkdir -p bomresults
Expand Down Expand Up @@ -184,6 +183,10 @@ jobs:
with:
repository: 'hritik14/broken-mvn-wrapper'
path: 'repotests/broken-mvn-wrapper'
- uses: actions/checkout@v3
with:
repository: 'microsoft/dotnet-podcasts'
path: 'repotests/dotnet-podcasts'
- uses: dtolnay/rust-toolchain@stable
- name: repotests evidence
run: |
Expand All @@ -192,7 +195,7 @@ jobs:
- name: repotests java-sec-code
run: |
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-3.json --required-only
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-4.json --filter postgres --filter json
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-5.json --only spring
Expand Down Expand Up @@ -302,6 +305,7 @@ jobs:
run: |
bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket.json --validate
FETCH_LICENSE=true bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket-2.json --validate
bin/cdxgen.js -p -r -t dotnet repotests/dotnet-podcasts -o bomresults/bom-dotnet-podcasts.json --profile research
shell: bash
- name: repotests blint
run: |
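Review bot: The new checkout step for microsoft/dotnet-podcasts references `actions/checkout@v3` by mutable major tag, matching the existing steps, so the action code resolved at run time can change without any commit to this repository; pinning third-party actions to a full commit SHA (with the tag kept in a trailing comment) is the usual hardening. The `dtolnay/rust-toolchain@stable` line in the same hunk has the same property, though it is context here rather than new. The `jobs:` block these hunks belong to starts and ends outside the shown lines.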
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -27,7 +27,7 @@ Most SBOM tools are like barcode scanners. They can scan a few package manifest
| Go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary | Yes |
| Ruby | Gemfile.lock, gemspec | Only for Gemfile.lock | |
| Rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock | |
| .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock | |
| .Net | .csproj, .vbproj, .fsproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock | |
| Dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock | |
| Haskell | cabal.project.freeze | Yes | |
| Elixir | mix.lock | Yes | |
54 changes: 52 additions & 2 deletions binary.js
Expand Up @@ -9,7 +9,7 @@ import {
import { join, dirname, basename } from "node:path";
import { spawnSync } from "node:child_process";
import { PackageURL } from "packageurl-js";
import { DEBUG_MODE, findLicenseId } from "./utils.js";
import { DEBUG_MODE, TIMEOUT_MS, findLicenseId } from "./utils.js";

import { fileURLToPath } from "node:url";

Expand All @@ -24,7 +24,7 @@ const isWin = _platform() === "win32";
let platform = _platform();
let extn = "";
let pluginsBinSuffix = "";
if (platform == "win32") {
if (platform === "win32") {
platform = "windows";
extn = ".exe";
}
Expand All @@ -36,6 +36,9 @@ switch (arch) {
break;
case "x64":
arch = "amd64";
if (platform === "windows") {
pluginsBinSuffix = "-windows-amd64";
}
break;
case "arm64":
pluginsBinSuffix = "-arm64";
Expand Down Expand Up @@ -165,7 +168,21 @@ if (existsSync(join(CDXGEN_PLUGINS_DIR, "osquery"))) {
} else if (process.env.OSQUERY_CMD) {
OSQUERY_BIN = process.env.OSQUERY_CMD;
}
let DOSAI_BIN = null;
if (existsSync(join(CDXGEN_PLUGINS_DIR, "dosai"))) {
if (platform === "darwin") {
platform = "osx";
}
DOSAI_BIN = join(
CDXGEN_PLUGINS_DIR,
"dosai",
"dosai-" + platform + "-" + arch + extn
);
} else if (process.env.DOSAI_CMD) {
DOSAI_BIN = process.env.DOSAI_CMD;
}

// Keep this list updated every year
const OS_DISTRO_ALIAS = {
"ubuntu-4.10": "warty",
"ubuntu-5.04": "hoary",
Expand Down Expand Up @@ -692,3 +709,36 @@ export const executeOsQuery = (query) => {
}
return undefined;
};

/**
* Method to execute dosai to create slices for dotnet
*
* @param {string} src
* @param {string} slicesFile
* @returns boolean
*/
export const getDotnetSlices = (src, slicesFile) => {
if (!DOSAI_BIN) {
return false;
}
const args = ["methods", "--path", src, "--o", slicesFile];
if (DEBUG_MODE) {
console.log("Executing", DOSAI_BIN, args.join(" "));
}
const result = spawnSync(DOSAI_BIN, args, {
encoding: "utf-8",
timeout: TIMEOUT_MS,
cwd: src
});
if (result.status !== 0 || result.error) {
if (DEBUG_MODE && result.error) {
if (result.stderr) {
console.error(result.stdout, result.stderr);
} else {
console.log("Check if dosai plugin was installed successfully.");
}
}
return false;
}
return true;
};
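Review bot: The darwin-to-osx remap at the top of the new dosai block reassigns the module-level `platform` (the same binding the win32 branch near the top of the file writes), so any code later in the module that reads `platform` would see "osx" only when the dosai plugin directory happens to exist; keep the remap local with `const dosaiPlatform = platform === "darwin" ? "osx" : platform;` and build the path as `join(CDXGEN_PLUGINS_DIR, "dosai", "dosai-" + dosaiPlatform + "-" + arch + extn)`. In getDotnetSlices the diagnostics are gated on `DEBUG_MODE && result.error`, so a run where dosai starts but exits non-zero (status !== 0 with no spawn error) logs nothing even in debug mode; gating on `DEBUG_MODE` alone and printing `result.stderr` when present would cover that case. The hunk header at @@ -692 also cuts through the preceding executeOsQuery, whose body is not shown.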
2 changes: 1 addition & 1 deletion docs/README.md
Expand Up @@ -155,7 +155,7 @@ cdxgen -t java -o bom.json --server-url https://deptrack.server.com --api-key "t
| go | binary, go.mod, go.sum, Gopkg.lock | Yes except binary | Yes |
| ruby | Gemfile.lock, gemspec | Only for Gemfile.lock | |
| rust | binary, Cargo.toml, Cargo.lock | Only for Cargo.lock | |
| .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock | |
| .Net | .csproj, .vbproj, .fsproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg, paket.lock | Only for project.assets.json, packages.lock.json, paket.lock | |
| dart | pubspec.lock, pubspec.yaml | Only for pubspec.lock | |
| haskell | cabal.project.freeze | Yes | |
| elixir | mix.lock | Yes | |
4 changes: 3 additions & 1 deletion evinser.js
Expand Up @@ -244,7 +244,9 @@ export const createSlice = (
args.push(path.resolve(filePath));
const result = executeAtom(filePath, args);
if (!result || !fs.existsSync(slicesFile)) {
console.warn(`Unable to generate ${sliceType} slice using atom.`);
console.warn(
`Unable to generate ${sliceType} slice using atom. Check if this is a supported language.`
);
console.log(
"Set the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot."
);
42 changes: 36 additions & 6 deletions index.js
Expand Up @@ -107,7 +107,8 @@ import {
frameworksList,
parseContainerFile,
parseBitbucketPipelinesFile,
getPyMetadata
getPyMetadata,
addEvidenceForDotnet
} from "./utils.js";
import { spawnSync } from "node:child_process";
import { fileURLToPath } from "node:url";
Expand All @@ -131,7 +132,8 @@ import {
getGoBuildInfo,
getCargoAuditableInfo,
executeOsQuery,
getOSPackages
getOSPackages,
getDotnetSlices
} from "./binary.js";

const isWin = _platform() === "win32";
Expand Down Expand Up @@ -4202,11 +4204,17 @@ export const createCsharpBom = async (
let manifestFiles = [];
let pkgData = undefined;
let dependencies = [];
const csProjFiles = getAllFiles(
let csProjFiles = getAllFiles(
path,
(options.multiProject ? "**/" : "") + "*.csproj",
options
);
csProjFiles = csProjFiles.concat(
getAllFiles(path, (options.multiProject ? "**/" : "") + "*.vbproj", options)
);
csProjFiles = csProjFiles.concat(
getAllFiles(path, (options.multiProject ? "**/" : "") + "*.fsproj", options)
);
const pkgConfigFiles = getAllFiles(
path,
(options.multiProject ? "**/" : "") + "packages.config",
Expand Down Expand Up @@ -4253,7 +4261,7 @@ export const createCsharpBom = async (
console.log(`Parsing ${af}`);
}
pkgData = readFileSync(af, { encoding: "utf-8" });
let results = await parseCsProjAssetsData(pkgData);
let results = await parseCsProjAssetsData(pkgData, af);
let deps = results["dependenciesList"];
let dlist = results["pkgList"];
if (dlist && dlist.length) {
Expand Down Expand Up @@ -4305,7 +4313,7 @@ export const createCsharpBom = async (
if (csProjData.charCodeAt(0) === 0xfeff) {
csProjData = csProjData.slice(1);
}
const dlist = await parseCsProjData(csProjData);
const dlist = await parseCsProjData(csProjData, f);
if (dlist && dlist.length) {
pkgList = pkgList.concat(dlist);
}
Expand Down Expand Up @@ -4336,6 +4344,22 @@ export const createCsharpBom = async (
if (pkgList.length) {
dependencies = mergeDependencies(dependencies, [], parentComponent);
pkgList = trimComponents(pkgList, "json");
// Perform deep analysis using dosai
if (options.deep) {
const slicesFile = resolve(
options.depsSlicesFile || join(tmpdir(), "dosai.json")
);
// Create the slices file if it doesn't exist
if (!existsSync(slicesFile)) {
const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
if (!sliceResult && DEBUG_MODE) {
console.log(
"Slicing with dosai was unsuccessful. Check the errors reported in the logs above."
);
}
}
pkgList = addEvidenceForDotnet(pkgList, slicesFile, options);
}
}
if (FETCH_LICENSE) {
const retMap = await getNugetMetadata(pkgList, dependencies);
Expand Down Expand Up @@ -5117,11 +5141,17 @@ export const createXBom = async (path, options) => {
}

// .Net
const csProjFiles = getAllFiles(
let csProjFiles = getAllFiles(
path,
(options.multiProject ? "**/" : "") + "*.csproj",
options
);
csProjFiles = csProjFiles.concat(
getAllFiles(path, (options.multiProject ? "**/" : "") + "*.vbproj", options)
);
csProjFiles = csProjFiles.concat(
getAllFiles(path, (options.multiProject ? "**/" : "") + "*.fsproj", options)
);
if (csProjFiles.length) {
return await createCsharpBom(path, options);
}
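Review bot: In the deep-analysis block of createCsharpBom the default slices path is the fixed name `dosai.json` under the shared `tmpdir()`, and the `existsSync` check skips slicing whenever that file is already present, so a stale file from an earlier run on a different project, or one written by another local user into the shared temp directory, is consumed as evidence without being regenerated. Limit reuse to a caller-supplied path and otherwise allocate a fresh location, e.g. `const slicesFile = options.depsSlicesFile ? resolve(options.depsSlicesFile) : join(mkdtempSync(join(tmpdir(), "dosai-")), "dosai.json");` (mkdtempSync from node:fs, assuming that import is not already present). When getDotnetSlices returns false the code still calls `addEvidenceForDotnet(pkgList, slicesFile, options)` with a path that may not exist; whether that helper tolerates a missing file cannot be seen here, so skipping the call on failure is the safer default. The `.vbproj`/`.fsproj` concatenation is repeated verbatim in createXBom further down; a single `flatMap` over `["*.csproj", "*.vbproj", "*.fsproj"]` would keep the two call sites in step. createCsharpBom and createXBom both begin outside the hunks shown.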
