CycloneDX · prabhu · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
@@ -3959,14 +3959,30 @@ export async function createDartBom(path, options) {
   );
   let dependencies = [];
   let pkgList = [];
-  const parentComponent = determineParentComponent(options);
+  let parentComponent;
+  if (pubSpecYamlFiles.length) {
+    for (const f of pubSpecYamlFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      const pubYamlData = readFileSync(f, { encoding: "utf-8" });
+      const dlist = parsePubYamlData(pubYamlData);
+      if (dlist?.length) {
+        pkgList = pkgList.concat(dlist);
+        if (!parentComponent) {
+          parentComponent = pkgList[0];
+          parentComponent.type = "application";
+        }
+      }
+    }
+  }
   if (pubFiles.length) {
     for (const f of pubFiles) {
       if (DEBUG_MODE) {
         console.log(`Parsing ${f}`);
       }
       const pubLockData = readFileSync(f, { encoding: "utf-8" });
-      const retMap = await parsePubLockData(pubLockData);
+      const retMap = await parsePubLockData(pubLockData, f);
       if (retMap.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
       }
@@ -3986,31 +4002,13 @@ export async function createDartBom(path, options) {
         );
       }
     }
-    return buildBomNSData(options, pkgList, "pub", {
-      src: path,
-      dependencies,
-      parentComponent,
-      filename: pubFiles.join(", "),
-    });
   }
-  if (pubSpecYamlFiles.length) {
-    for (const f of pubSpecYamlFiles) {
-      if (DEBUG_MODE) {
-        console.log(`Parsing ${f}`);
-      }
-      const pubYamlData = readFileSync(f, { encoding: "utf-8" });
-      const dlist = parsePubYamlData(pubYamlData);
-      if (dlist?.length) {
-        pkgList = pkgList.concat(dlist);
-      }
-    }
-    return buildBomNSData(options, pkgList, "pub", {
-      src: path,
-      filename: pubSpecYamlFiles.join(", "),
-    });
-  }
-
-  return {};
+  return buildBomNSData(options, pkgList, "pub", {
+    src: path,
+    dependencies,
+    parentComponent,
+    filename: pubFiles.join(", "),
+  });
 }
 
 /**

@@ -7426,27 +7426,45 @@
   return pkgList;
 }
 
-export async function parsePubLockData(pubLockData) {
+/**
+ * Method to parse pubspec.lock files.
+ *
+ * @param pubLockData Contents of lock data
+ * @param lockFile Filename for setting evidence
+ *
+ * @returns {Object}
+ */
+export async function parsePubLockData(pubLockData, lockFile) {
   if (!pubLockData) {
     return [];
   }
   let pkgList = [];
   const rootList = [];
   const data = _load(pubLockData);
   const packages = data.packages;
-
   for (const [packageName, packageData] of Object.entries(packages)) {
-    const pkg = { name: packageName, version: packageData.version };
+    const pkg = {
+      name: packageName,
+      version: packageData.version,
+      properties: [],
+    };
     // older dart versions don't have sha256
     if (packageData.description?.sha256) {
       pkg._integrity = `sha256-${packageData.description?.sha256}`;
     }
-
-    const purlString = new PackageURL("dart", "", pkg.name, pkg.version)
+    if (
+      packageData.description?.url &&
+      !packageData.description?.url?.startsWith("https://pub.dev")
+    ) {
+      pkg.properties.push({
+        name: "cdx:pub:registry",
+        value: packageData.description.url,
+      });
+    }
+    const purlString = new PackageURL("pub", "", pkg.name, pkg.version)
       .toString()
       .replace(/%2F/g, "/");
     pkg["bom-ref"] = decodeURIComponent(purlString);
-
     if (packageData.dependency === "direct main") {
       pkg.scope = "required";
       rootList.push(pkg);
@@ -7455,14 +7473,30 @@
     } else if (packageData.dependency === "direct dev") {
       pkg.scope = "optional";
     }
-
+    if (lockFile) {
+      pkg.properties.push({
+        name: "SrcFile",
+        value: lockFile,
+      });
+      pkg.evidence = {
+        identity: {
+          field: "purl",
+          confidence: 1,
+          methods: [
+            {
+              technique: "manifest-analysis",
+              confidence: 1,
+              value: lockFile,
+            },
+          ],
+        },
+      };
+    }
     pkgList.push(pkg);
   }
-
   if (shouldFetchLicense()) {
     pkgList = await getDartMetadata(pkgList);
   }
-
   return { rootList, pkgList };
 }
 
@@ -7477,12 +7511,18 @@
   if (!yamlObj) {
     return pkgList;
   }
-  pkgList.push({
+  const pkg = {
     name: yamlObj.name,
     description: yamlObj.description,
     version: yamlObj.version,
     homepage: { url: yamlObj.homepage },
-  });
+  };
+  const purlString = new PackageURL("pub", "", pkg.name, pkg.version)
+    .toString()
+    .replace(/%2F/g, "/");
+  pkg.purl = purlString;
+  pkg["bom-ref"] = decodeURIComponent(purlString);
+  pkgList.push(pkg);
   return pkgList;
 }
 

@@ -2086,17 +2086,19 @@ test("parse pub lock", async () => {
     version: "2.11.0",
     _integrity:
       "sha256-947bfcf187f74dbc5e146c9eb9c0f10c9f8b30743e341481c1e2ed3ecc18c20c",
-    "bom-ref": "pkg:dart/[email protected]",
+    "bom-ref": "pkg:pub/[email protected]",
     scope: "required",
+    properties: [],
   });
   expect(root_list.length).toEqual(3);
   expect(root_list[0]).toEqual({
     name: "flare_flutter",
     version: "3.0.2",
     _integrity:
       "sha256-99d63c60f00fac81249ce6410ee015d7b125c63d8278a30da81edf3317a1f6a0",
-    "bom-ref": "pkg:dart/[email protected]",
+    "bom-ref": "pkg:pub/[email protected]",
     scope: "required",
+    properties: [],
   });
   dep_list = parsePubYamlData(
     readFileSync("./test/data/pubspec.yaml", { encoding: "utf-8" }),
@@ -2110,6 +2112,8 @@ test("parse pub lock", async () => {
     homepage: {
       url: "https://github.com/marcos930807/awesomeDialogs",
     },
+    "bom-ref": "pkg:pub/[email protected]",
+    purl: "pkg:pub/[email protected]",
   });
 });
 

@@ -680,13 +680,15 @@ export function parseCargoDependencyData(cargoLockData: any): {
     dependsOn: any[];
 }[];
 export function parseCargoAuditableData(cargoData: any): Promise<any[]>;
-export function parsePubLockData(pubLockData: any): Promise<any[] | {
-    rootList: {
-        name: string;
-        version: any;
-    }[];
-    pkgList: any[];
-}>;
+/**
+ * Method to parse pubspec.lock files.
+ *
+ * @param pubLockData Contents of lock data
+ * @param lockFile Filename for setting evidence
+ *
+ * @returns {Object}
+ */
+export function parsePubLockData(pubLockData: any, lockFile: any): any;
 export function parsePubYamlData(pubYamlData: any): any[];
 export function parseHelmYamlData(helmData: any): any[];
 export function recurseImageNameLookup(keyValueObj: any, pkgList: any, imgList: any): any;