dependency tree for dotnet packages.lock.json (#830)

Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Jan 26, 2024 · b690d69 · b690d69
1 parent 7605c7f
commit b690d69
Show file tree

Hide file tree

Showing 8 changed files with 654 additions and 40 deletions.
diff --git a/README.md b/README.md
@@ -345,7 +345,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Gradle
 - Scala SBT
 - Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
-- .NET (project.assets.json, paket.lock)
+- .NET (packages.lock.json, project.assets.json, paket.lock)
 - Go (go.mod)
 - PHP (composer.lock)
 

diff --git a/index.js b/index.js
@@ -4357,16 +4357,41 @@ export const createCsharpBom = async (
     }
   } else if (pkgLockFiles.length) {
     manifestFiles = manifestFiles.concat(pkgLockFiles);
+    let parentDependsOn = [];
     // packages.lock.json from nuget
     for (const af of pkgLockFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${af}`);
       }
       pkgData = readFileSync(af, { encoding: "utf-8" });
-      const dlist = await parseCsPkgLockData(pkgData);
+      let results = await parseCsPkgLockData(pkgData, af);
+      let deps = results["dependenciesList"];
+      let dlist = results["pkgList"];
+      let rootList = results["rootList"];
       if (dlist && dlist.length) {
         pkgList = pkgList.concat(dlist);
       }
+      if (deps && deps.length) {
+        dependencies = dependencies.concat(deps);
+      }
+      if (!parentComponent) {
+        parentComponent = createDefaultParentComponent(
+          path,
+          options.type,
+          options
+        );
+      }
+      // Keep track of the direct dependencies so that we can construct one complete
+      // list after processing all lock files
+      if (rootList && rootList.length) {
+        parentDependsOn = parentDependsOn.concat(rootList);
+      }
+    }
+    if (parentDependsOn.length) {
+      dependencies.splice(0, 0, {
+        ref: parentComponent["bom-ref"],
+        dependsOn: parentDependsOn.map((p) => p["bom-ref"])
+      });
     }
   } else if (pkgConfigFiles.length) {
     manifestFiles = manifestFiles.concat(pkgConfigFiles);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.11.2",
+  "version": "9.11.3",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",
@@ -55,9 +55,9 @@
     "url": "https://github.com/cyclonedx/cdxgen/issues"
   },
   "dependencies": {
-    "@babel/parser": "^7.23.6",
-    "@babel/traverse": "^7.23.7",
-    "@npmcli/arborist": "7.2.2",
+    "@babel/parser": "^7.23.9",
+    "@babel/traverse": "^7.23.9",
+    "@npmcli/arborist": "7.3.1",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
     "cheerio": "^1.0.0-rc.12",