Make 10.x branch the default (#838)

* Switch to java 21, node >= 20 (#816)

* Switch to java 21, node >= 20

Signed-off-by: Prabhu Subramanian <[email protected]>

* Use temurin

Signed-off-by: Prabhu Subramanian <[email protected]>

* update atom

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Rebase from master

Signed-off-by: Prabhu Subramanian <[email protected]>

* deno improvements (#832)

* Switch to java 21, node >= 20 (#816)

Prettier fixes

Signed-off-by: Prabhu Subramanian <[email protected]>

Test fixes

Signed-off-by: Prabhu Subramanian <[email protected]>

Enable deno lint

Signed-off-by: Prabhu Subramanian <[email protected]>

* Update workflow

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Native jar parsing (#833)

* Native jar parsing

Signed-off-by: Prabhu Subramanian <[email protected]>

* Reduce build artefacts

Signed-off-by: Prabhu Subramanian <[email protected]>

* Update maven plugin

Signed-off-by: Prabhu Subramanian <[email protected]>

* deno tests

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Feature/cross plat builds (#836)

* Use matrix strategy to build native exes

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Remove xml format (#837)

* Lint fixes

Signed-off-by: Prabhu Subramanian <[email protected]>

* Remove xml generation support

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Lint fix (#831)

Signed-off-by: Prabhu Subramanian <[email protected]>

* Include git metadata under formulation (#839)

* Include git metadata under formulation

Signed-off-by: Prabhu Subramanian <[email protected]>

* 1.4 fixes

Signed-off-by: Prabhu Subramanian <[email protected]>

* git.js was matching git on windows and causing infinite loop :)

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Update java version

Signed-off-by: Prabhu Subramanian <[email protected]>

* [cbom] OS crypto libraries (#842)

* cbom os queries

Signed-off-by: Prabhu Subramanian <[email protected]>

* Capture crypto libs under formulation

Signed-off-by: Prabhu Subramanian <[email protected]>

* Support for < 1.6 for cryptographic asset

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Publish images from release branches

Signed-off-by: Prabhu Subramanian <[email protected]>

* Feature/v10 tweaks (#844)

* Use package instead of name for portage

Signed-off-by: Prabhu Subramanian <[email protected]>

* Flatpak wip

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* dotnet dependency tree was getting lost without the type (#847)

Signed-off-by: Prabhu Subramanian <[email protected]>

* Fixes #848 in v10 (#850)

Signed-off-by: Prabhu Subramanian <[email protected]>

* Collect build context under formulation (#851)

* Temp commit

Signed-off-by: Prabhu Subramanian <[email protected]>

* Collect build tools information

Signed-off-by: Prabhu Subramanian <[email protected]>

* disable flaky test

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

* Ignore additional types during tar extraction (#853)

* Ignore additional types during tar extraction

Signed-off-by: Prabhu Subramanian <[email protected]>

* Handle maven search timeout

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

.github/workflows/app-release.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '21.x'
     - name: Install dependencies

.github/workflows/appimage.yml

@@ -22,7 +22,7 @@ jobs:
         appimage-builder --recipe appimage-builder.yml --skip-test
       env:
         UPDATE_INFO: gh-releases-zsync|cyclonedx|cdxgen|latest|*x86_64.AppImage.zsync
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       with:
         name: AppImage
         path: './*.AppImage*'

.github/workflows/dockertests.yml

@@ -18,11 +18,11 @@ jobs:
     strategy:
       matrix:
         node-version: ['21.x']
-        java-version: ['19']
+        java-version: ['21']
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Set up Python
@@ -71,11 +71,11 @@ jobs:
     strategy:
       matrix:
         node-version: ['21.x']
-        java-version: ['19']
+        java-version: ['21']
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Set up Python
@@ -100,7 +100,7 @@ jobs:
           bin/cdxgen.js -t os -o bomresults/bom-os.json --validate
         env:
           CDXGEN_DEBUG_MODE: debug
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: bomresults-os
           path: bomresults
@@ -111,11 +111,11 @@ jobs:
     strategy:
       matrix:
         node-version: ['21.x']
-        java-version: ['19']
+        java-version: ['21']
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Set up Python
@@ -141,7 +141,7 @@ jobs:
           dir bomresults
         env:
           CDXGEN_DEBUG_MODE: debug
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: bomresults-win
           path: bomresults

.github/workflows/java-reachables-test.yml

@@ -17,9 +17,9 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '19'
+          java-version: '21'
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: npm install, build
@@ -47,7 +47,7 @@ jobs:
           cd repotests/drogon/examples
           node ../../../bin/cdxgen.js -p -t c --profile research -o bom.json .
           cd ../../..
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: bomresults
           path: bomresults

.github/workflows/nodejs.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - master
-      - feature/*
     tags:
     - 'v*'
   workflow_dispatch:
@@ -15,12 +14,12 @@ jobs:
 
     strategy:
       matrix:
-        node-version: ['16.x', '18.x', '20.x', '21.x']
+        node-version: ['20.x', '21.x']
 
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: npm install, build and test
@@ -31,6 +30,56 @@ jobs:
           npm test
         env:
           CI: true
+  deno-build:
+    strategy:
+      matrix:
+        os: [windows, macos, ubuntu]
+        include:
+          - os: windows
+            build: |
+              deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,osRelease --allow-write --allow-net --output cdxgenx.exe bin/cdxgen.js
+              .\cdxgenx.exe --help
+              (Get-FileHash .\cdxgenx.exe).hash | Out-File -FilePath .\cdxgenx.exe.sha256
+            artifact: cdxgenx.exe
+          - os: macos
+            build: |
+              deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net --target x86_64-apple-darwin --output cdxgenx-darwin-amd64 bin/cdxgen.js
+              ./cdxgenx-darwin-amd64 --help
+              shasum -a 256 cdxgenx-darwin-amd64 > cdxgenx-darwin-amd64.sha256
+              deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net --target aarch64-apple-darwin --output cdxgenx-darwin-arm64 bin/cdxgen.js
+              shasum -a 256 cdxgenx-darwin-arm64 > cdxgenx-darwin-arm64.sha256
+            artifact: cdxgenx-darwin-amd64
+          - os: ubuntu
+            build: |
+              deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net --output cdxgenx bin/cdxgen.js
+              shasum -a 256 cdxgenx > cdxgenx.sha256
+              chmod + cdxgenx
+              ./cdxgenx --help
+            artifact: cdxgenx
+    runs-on: ${{ matrix.os }}-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: denoland/setup-deno@v1
+        with:
+          deno-version: v1.x
+      - name: deno compile
+        run: |
+          deno lint
+          mkdir build
+          ${{ matrix.build }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.artifact }}
+          path: ${{ matrix.artifact }}
+      # - name: Release
+      #   uses: softprops/action-gh-release@v1
+      #   if: startsWith(github.ref, 'refs/tags/')
+      #   with:
+      #     files: |
+      #       ${{ matrix.artifact }}
+      #       ${{ matrix.artifact }}.sha256
+      #       cdxgenx-darwin-arm64
+      #       cdxgenx-darwin-arm64.sha256
   sae-builds:
     strategy:
       matrix:
@@ -77,18 +126,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: 20.5
+          node-version: '21.x'
       - name: Produce sae
         run: |
           npm ci
           ${{ matrix.build }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.artifact }}
           path: ${{ matrix.artifact }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.vartifact }}
           path: ${{ matrix.vartifact }}

.github/workflows/npm-release.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - master
+      - release/*
     tags:
     - 'v*'
   workflow_dispatch:
@@ -21,9 +22,9 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
-        node-version: 18.x
+        node-version: 21.x
         registry-url: https://registry.npmjs.org/
     - name: Trim CI agent
       run: |
@@ -50,9 +51,9 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
-        node-version: 18.x
+        node-version: 21.x
         registry-url: https://registry.npmjs.org/
     - name: Trim CI agent
       run: |

.github/workflows/nydus-demo.yml

@@ -16,9 +16,9 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '19'
+          java-version: '21'
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - uses: actions/checkout@v4

.github/workflows/python-atom-tests.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '19'
+          java-version: '21'
       - name: npm install, build and test
         run: |
           npm install

.github/workflows/repotests.yml

@@ -26,11 +26,14 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '19'
+          java-version: '21'
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: denoland/setup-deno@v1
+        with:
+          deno-version: v1.x
       - name: Trim CI agent
         run: |
           chmod +x contrib/free_disk_space.sh
@@ -54,7 +57,7 @@ jobs:
         env:
           CI: true
       - name: Setup Android SDK
-        uses: android-actions/setup-android@v2
+        uses: android-actions/setup-android@v3
       - uses: swift-actions/setup-swift@v1
         if: matrix.os == 'ubuntu-latest'
       - uses: actions/checkout@v4
@@ -188,13 +191,9 @@ jobs:
           repository: 'microsoft/dotnet-podcasts'
           path: 'repotests/dotnet-podcasts'
       - uses: dtolnay/rust-toolchain@stable
-      - name: repotests evidence
-        run: |
-          bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .
-        shell: bash
       - name: repotests java-sec-code
         run: |
-          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json
+          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json --include-formulation --include-crypto
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-3.json --required-only
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-4.json --filter postgres --filter json
@@ -203,6 +202,10 @@ jobs:
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-7.json --profile research --export-proto
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-8.json --profile license-compliance
         shell: bash
+      - name: repotests evidence
+        run: |
+          bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .
+        shell: bash
       - name: repotests django-DefectDojo
         run: |
           bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo.json --deep --evidence
@@ -215,7 +218,7 @@ jobs:
         shell: bash
       - name: repotests shiftleft-ts-example
         run: |
-          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --validate
+          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --include-formulation
           node bin/evinse.js -i bomresults/bom-ts-1.json -o bomresults/bom-ts.evinse.json -l javascript --with-data-flow -p repotests/shiftleft-ts-example
           FETCH_LICENSE=true bin/cdxgen.js -p -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts-2.json --validate
           FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-3.json --validate
@@ -237,11 +240,11 @@ jobs:
         shell: bash
       - name: repotests vulnerable_net_core
         run: |
-          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --validate
+          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --include-formulation
         shell: bash
       - name: repotests Goatly.NET
         run: |
-          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --validate
+          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --include-formulation
         shell: bash
       - name: repotests DjanGoat
         run: |
@@ -356,13 +359,13 @@ jobs:
           ls -ltr bomresults
         shell: bash
       - name: denotests
-        if: github.ref == 'refs/heads/master' && matrix.os == 'ubuntu-latest'
         run: |
-          docker build -t ghcr.io/cyclonedx/cdxgen-deno -f ci/Dockerfile-deno .
-          docker run --rm -t -e "CDXGEN_DEBUG_MODE=debug" -v $(pwd):/app ghcr.io/cyclonedx/cdxgen-deno -p -r -t java /app/repotests/shiftleft-java-example -o /app/denoresults/bom-java.json
-          docker run --rm -t -e "CDXGEN_DEBUG_MODE=debug" -v $(pwd):/app ghcr.io/cyclonedx/cdxgen-deno -p -r -t python /app/repotests/DjanGoat -o /app/denoresults/bom-python.json
-          ls -ltr denoresults
-      - uses: actions/upload-artifact@v3
+          deno info bin/cdxgen.js
+          deno info bin/evinse.js
+          deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-deno.json
+          deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-deno.json
+      - uses: actions/upload-artifact@v4
+        if: github.ref == 'refs/heads/master' && matrix.os == 'ubuntu-latest'
         with:
           name: bomresults
           path: bomresults

.gitignore

@@ -122,3 +122,4 @@ test/obj
 oci/
 roots/
 .python-version
+build/

.vscode/settings.json

@@ -1,5 +1,6 @@
 {
   "editor.codeActionsOnSave": {
     "source.fixAll.eslint": "explicit"
-  }
+  },
+  "deno.enable": true
 }

ADVANCED.md

@@ -12,7 +12,7 @@ Evinse (Evinse Verification Is Nearly SBOM Evidence) is a new command with cdxge
 
 ### Pre-requisites
 
-- Java > 17 installed
+- Java >= 21 installed
 - Application source code
 - Input SBOM in CycloneDX >1.5 format. Use cdxgen to generate one.