Recover dependency tree from nuspec files (#1374)

* Recover dependency tree from nuspec files Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Recover dependency tree from nuspec files Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Retain all target frameworks Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Track target framework for system packages from GAC Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Adds mono namespace prefix for GAC Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Track hint path as a property Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Remove netty from snapshot tests for now Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Bug fix for windows Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Sep 12, 2024 · 041635c · 041635c
1 parent 2748c13
commit 041635c
Show file tree

Hide file tree

Showing 9 changed files with 242 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -312,7 +312,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
-- .NET (packages.lock.json, project.assets.json, paket.lock)
+- .NET (packages.lock.json, project.assets.json, paket.lock, .nuspec/.nupkg)
 - Go (go.mod)
 - PHP (composer.lock)
 - Ruby (Gemfile.lock)

diff --git a/test/data/xunit.nuspec b/test/data/xunit.nuspec
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+  <metadata minClientVersion="2.12">
+    <id>xunit</id>
+    <version>2.2.0</version>
+    <title>xUnit.net</title>
+    <authors>James Newkirk,Brad Wilson</authors>
+    <owners>James Newkirk,Brad Wilson</owners>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <licenseUrl>https://raw.githubusercontent.com/xunit/xunit/master/license.txt</licenseUrl>
+    <projectUrl>https://github.com/xunit/xunit</projectUrl>
+    <iconUrl>https://raw.githubusercontent.com/xunit/media/master/logo-512-transparent.png</iconUrl>
+    <description>xUnit.net is a developer testing framework, built to support Test Driven Development, with a design goal of extreme simplicity and alignment with framework features.
+
+Installing this package installs xunit.core and xunit.assert.</description>
+    <summary>xUnit.net is a developer testing framework, built to support Test Driven Development.</summary>
+    <language>en-US</language>
+    <dependencies>
+      <dependency id="xunit.core" version="[2.2.0]" />
+      <dependency id="xunit.assert" version="[2.2.0]" />
+    </dependencies>
+  </metadata>
+</package>
diff --git a/test/data/xunit.runner.utility.nuspec b/test/data/xunit.runner.utility.nuspec
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+  <metadata minClientVersion="2.12">
+    <id>xunit.runner.utility</id>
+    <version>2.2.0</version>
+    <title>xUnit.net [Runner Utility]</title>
+    <authors>James Newkirk,Brad Wilson</authors>
+    <owners>James Newkirk,Brad Wilson</owners>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <licenseUrl>https://raw.githubusercontent.com/xunit/xunit/master/license.txt</licenseUrl>
+    <projectUrl>https://github.com/xunit/xunit</projectUrl>
+    <iconUrl>https://raw.githubusercontent.com/xunit/media/master/logo-512-transparent.png</iconUrl>
+    <description>Includes the version-independent runner for xUnit.net to run both v1.9.2 and v2.0+ tests (xunit.runner.utility.*.dll).</description>
+    <summary>Includes the version-independent runner for xUnit.net (xunit.runner.utility.*.dll).</summary>
+    <language>en-US</language>
+    <dependencies>
+      <group targetFramework=".NETFramework3.5">
+        <dependency id="xunit.abstractions" version="2.0.1" />
+      </group>
+      <group targetFramework=".NETStandard1.1">
+        <dependency id="NETStandard.Library" version="1.6.0" />
+        <dependency id="xunit.abstractions" version="2.0.1" />
+        <dependency id="xunit.extensibility.core" version="[2.2.0]" />
+      </group>
+      <group targetFramework=".NETStandard1.5">
+        <dependency id="NETStandard.Library" version="1.6.0" />
+        <dependency id="System.Reflection.TypeExtensions" version="4.1.0" />
+        <dependency id="xunit.abstractions" version="2.0.1" />
+      </group>
+    </dependencies>
+  </metadata>
+</package>
diff --git a/test/diff/repos.csv b/test/diff/repos.csv
@@ -1,8 +1,7 @@
 project,link,language,pre_build_cmd,build_cmd,commit
-"netty","https://github.com/netty/netty.git","java8","","","ffee1746f85cb3e0d74801abe77ab30f49221185"
 "django-goat","https://github.com/red-and-black/DjangoGoat.git","python","","python -m venv venv; source venv/bin/activate && pip install -r requirements_app.txt","5e6aaa6d0497bf24abd179304e6ca51295a8091d"
 "java-sec-code","https://github.com/JoyChou93/java-sec-code.git","java8","","mvn -B clean compile -DskipTests=true","457d703e8f89bff657c6c51151ada71ebd09a1c6"
 "rasa","https://github.com/RasaHQ/rasa.git","python","pipx install poetry","","7807b19ad5fffab73ca1a04dc710f812115a9288"
 "restic","https://github.com/restic/restic.git","go","","go run build.go","3786536dc18ef27aedcfa8e4c6953b48353eee79"
 "syncthing","https://github.com/syncthing/syncthing.git","go","","go run build.go","ba6ac2f604eb1cd27764460b687537c5e40aaaf8"
-"tinydb","https://github.com/msiemens/tinydb.git","python","","python -m venv venv; source venv/bin/activate && pip install .","3dc6a952ef8700706909bf60a1b15cf21af47608"
+"tinydb","https://github.com/msiemens/tinydb.git","python","","python -m venv venv; source venv/bin/activate && pip install .","3dc6a952ef8700706909bf60a1b15cf21af47608"
diff --git a/types/index.d.ts.map b/types/index.d.ts.map
diff --git a/types/utils.d.ts b/types/utils.d.ts
@@ -214,7 +214,7 @@ export function parseMavenTree(rawOutput: string, pomFile: string): any;
  * @param {map} gradleModules Cache with all gradle modules that have already been read
  * @param {string} gradleRootPath Root path where Gradle is to be run when getting module information
  */
-export function parseGradleDep(rawOutput: string, rootProjectName?: string, gradleModules?: map, gradleRootPath?: string): {
+export function parseGradleDep(rawOutput: string, rootProjectName?: string, gradleModules?: map, gradleRootPath?: string): Promise<{
     pkgList: any[];
     dependenciesList: {
         ref: string;
@@ -223,7 +223,7 @@ export function parseGradleDep(rawOutput: string, rootProjectName?: string, grad
 } | {
     pkgList?: undefined;
     dependenciesList?: undefined;
-};
+}>;
 /**
  * Parse clojure cli dependencies output
  * @param {string} rawOutput Raw string output
@@ -1061,6 +1061,14 @@ export function buildGradleCommandArguments(gradleArguments: string[], gradleSub
  * @returns {map} Map with subProject names as keys and corresponding dependency task outputs as values.
  */
 export function splitOutputByGradleProjects(rawOutput: string, relevantTasks: string[]): map;
+/**
+ * Method that handles object creation for gradle modules.
+ *
+ * @param {string} name The simple name of the module
+ * @param {object} metadata Object with all other parsed data for the gradle module
+ * @returns {object} An object representing the gradle module in SBOM-format
+ */
+export function buildObjectForGradleModule(name: string, metadata: object): object;
 /**
  * Method to return the maven command to use.
  *