dotnet 9 deep improvements (#1459)

* Adds a case where the system dependencies may not include the .dll name in the slice Signed-off-by: Prabhu Subramanian <[email protected]> * Capture nuget tags Signed-off-by: Prabhu Subramanian <[email protected]> * Bump version Signed-off-by: Prabhu Subramanian <[email protected]> --------- Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Nov 17, 2024 · fdaf08d · fdaf08d
1 parent a07301b
commit fdaf08d
Show file tree

Hide file tree

Showing 12 changed files with 69 additions and 16 deletions.
diff --git a/data/component-tags.json b/data/component-tags.json
@@ -119,8 +119,7 @@
       "projections",
       "performance",
       "plugins",
-      "non-block",
-      "microsoft"
+      "non-block"
     ]
   },
   "properties": {
@@ -231,13 +230,21 @@
   },
   "name": {
     "sbom": [
-      { "test": ["(junit|xmlunit|testng|chai|mocha|jest|test4j)"] },
       {
-        "security": ["(boringssl|openssl|libressl|libssl|gnutls|jose|keyutils)"]
+        "test": [
+          "(junit|xmlunit|testng|chai|mocha|jest|test4j|xunit|coverlet|Test\\.Sdk)"
+        ]
+      },
+      {
+        "security": [
+          "(boringssl|openssl|libressl|libssl|gnutls|jose|keyutils|Azure\\.Security|System\\.Security)"
+        ]
       },
       { "native": ["(ffi|native)"] },
       { "parse": ["(parser)"] },
-      { "transform": ["(transformer)"] }
+      { "transform": ["(transformer)"] },
+      { "telemetry": ["(OpenTelemetry)"] },
+      { "logging": ["(Microsoft\\.Extensions\\.Logging|Log4net)"] }
     ],
     "obom": [
       {

diff --git a/data/frameworks-list.json b/data/frameworks-list.json
@@ -3,7 +3,9 @@
     "System.Web",
     "System.ServiceModel",
     "System.Data",
-    "spring",
+    "Microsoft.AspNetCore",
+    "Microsoft.NETCore",
+    "springframework",
     "pkg:pypi/flask",
     "pkg:pypi/django",
     "beego",

diff --git a/deno.json b/deno.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.1",
+  "version": "11.0.2",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "lib": ["deno.window"],

diff --git a/jsr.json b/jsr.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.1",
+  "version": "11.0.2",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [

diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -36,7 +36,6 @@ import {
   CARGO_CMD,
   CLJ_CMD,
   DEBUG_MODE,
-  FETCH_LICENSE,
   LEIN_CMD,
   MAX_BUFFER,
   PREFER_MAVEN_DEPS_TREE,
@@ -146,6 +145,7 @@ import {
   parseYarnLock,
   readZipEntry,
   recomputeScope,
+  shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
 import {
@@ -3163,7 +3163,7 @@ export async function createPythonBom(path, options) {
   }
   // Re-compute the component scope
   pkgList = recomputeScope(pkgList, dependencies);
-  if (FETCH_LICENSE) {
+  if (shouldFetchLicense()) {
     pkgList = await getPyMetadata(pkgList, false);
   }
   return buildBomNSData(options, pkgList, "pypi", {
@@ -4425,7 +4425,7 @@ export async function createSwiftBom(path, options) {
       }
     }
   }
-  if (FETCH_LICENSE) {
+  if (shouldFetchLicense()) {
     pkgList = await getSwiftPackageMetadata(pkgList);
   }
   return buildBomNSData(options, pkgList, "swift", {
@@ -5370,7 +5370,7 @@ export async function createCsharpBom(path, options) {
       dependsOn: Array.from(parentDependsOn).sort(),
     });
   }
-  if (FETCH_LICENSE) {
+  if (shouldFetchLicense()) {
     const retMap = await getNugetMetadata(pkgList, dependencies);
     if (retMap.dependencies?.length) {
       dependencies = mergeDependencies(

diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
@@ -135,7 +135,7 @@ export const PREFER_MAVEN_DEPS_TREE = !["false", "0"].includes(
   process.env?.PREFER_MAVEN_DEPS_TREE,
 );
 
-function shouldFetchLicense() {
+export function shouldFetchLicense() {
   return (
     process.env.FETCH_LICENSE &&
     ["true", "1"].includes(process.env.FETCH_LICENSE)
@@ -12429,6 +12429,15 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
                 (await getRepoLicense(p.license, undefined)) || p.license;
             }
           }
+          // Capture the tags
+          if (
+            body.catalogEntry?.tags?.length &&
+            Array.isArray(body.catalogEntry.tags)
+          ) {
+            p.tags = body.catalogEntry.tags.map((t) =>
+              t.toLowerCase().replaceAll(" ", "-"),
+            );
+          }
           if (body.catalogEntry.projectUrl) {
             p.repository = { url: body.catalogEntry.projectUrl };
             p.homepage = {
@@ -12513,12 +12522,28 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
   if (slicesData && Object.keys(slicesData)) {
     if (slicesData.Dependencies) {
       for (const adep of slicesData.Dependencies) {
+        // Case 1: Dependencies slice has the .dll file
         if (adep.Module?.endsWith(".dll") && pkgFilePurlMap[adep.Module]) {
           const modPurl = pkgFilePurlMap[adep.Module];
           if (!purlLocationMap[modPurl]) {
             purlLocationMap[modPurl] = new Set();
           }
           purlLocationMap[modPurl].add(`${adep.Path}#${adep.LineNumber}`);
+        } else if (
+          adep?.Name &&
+          (adep?.Namespace?.startsWith("System") ||
+            adep?.Namespace?.startsWith("Microsoft"))
+        ) {
+          // Case 2: System packages where the .dll information is missing
+          // In this case, the dll file name is the name followed by dll.
+          const moduleDll = `${adep.Name}.dll`;
+          if (pkgFilePurlMap[moduleDll]) {
+            const modPurl = pkgFilePurlMap[moduleDll];
+            if (!purlLocationMap[modPurl]) {
+              purlLocationMap[modPurl] = new Set();
+            }
+            purlLocationMap[modPurl].add(`${adep.Path}#${adep.LineNumber}`);
+          }
         }
       }
     }

diff --git a/lib/helpers/utils.test.js b/lib/helpers/utils.test.js
@@ -2570,6 +2570,15 @@ test("get nget metadata", async () => {
       repository: {
         url: "http://www.castleproject.org/",
       },
+      tags: [
+        "castle",
+        "dynamicproxy",
+        "dynamic",
+        "proxy",
+        "dynamicproxy2",
+        "dictionaryadapter",
+        "emailsender",
+      ],
       version: "4.4.0",
     },
     {
@@ -2585,6 +2594,7 @@ test("get nget metadata", async () => {
       repository: {
         url: "https://serilog.net/",
       },
+      tags: ["serilog", "logging", "semantic", "structured"],
       version: "3.0.1",
     },
   ]);

diff --git a/lib/stages/postgen/annotator.js b/lib/stages/postgen/annotator.js
@@ -270,6 +270,14 @@ export function extractTags(
   }
   bomType = bomType?.toLowerCase();
   const tags = new Set();
+  if (component?.type !== "library") {
+    tags.add(component.type);
+  }
+  (component?.tags || []).forEach((tag) => {
+    if (tag.length) {
+      tags.add(tag);
+    }
+  });
   const desc = component?.description?.toLowerCase();
   const compProps = component.properties || [];
   // Collect both the BOM specific tags and all tags

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.1",
+  "version": "11.0.2",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",

diff --git a/types/lib/helpers/utils.d.ts b/types/lib/helpers/utils.d.ts
@@ -1,3 +1,4 @@
+export function shouldFetchLicense(): boolean;
 export function getJavaCommand(): string;
 export function getPythonCommand(): string;
 /**

diff --git a/types/lib/helpers/utils.d.ts.map b/types/lib/helpers/utils.d.ts.map
diff --git a/types/lib/stages/postgen/annotator.d.ts.map b/types/lib/stages/postgen/annotator.d.ts.map