Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0 (#1205)

* Raised runtime dependency `@cyclonedx/cyclonedx-library@^6.11.0`, was
`@^6.6.0`
This was done to incorporate non-breaking upstream changes and fixes.
* Added additional test cases

---------

Signed-off-by: Jan Kowalleck <[email protected]>

.github/workflows/npm-ls_demo-results.yml

@@ -19,7 +19,8 @@ jobs:
       fail-fast: false # gather all the results !
       matrix:
         subject:
-          - alternative-package-registry
+          - deps-from-git
+          # - alternative-package-registry
           # - bundled-dependencies
           # - dev-dependencies
           # - juice-shop

HISTORY.md

@@ -6,6 +6,12 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+* Dependencies
+  * Raised runtime dependency `@cyclonedx/cyclonedx-library@^6.11.0`, was `@^6.6.0` (via [#1205])  
+    This was done to incorporate non-breaking upstream changes and fixes.
+
+[#1205]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1205
+
 ## 1.19.2 - 2024-07-10
 
 * Fixed

demo/deps-from-git/README.md

@@ -0,0 +1,70 @@
+
+# Integration test: dev dependencies
+
+*ATTENTION*: this demo might use known vulnerable dependencies for showcasing purposes.
+
+Install dependencies from `git`-sources, instead of the usual npmjs registry.
+
+## remarks
+
+used all known `git`-related sources:
+- "lib0": "git://github.com/CycloneDX/cyclonedx-javascript-library.git#v6.0.0",
+- "lib1": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git#semver:6.1.0",
+- "lib2": "git+ssh://github.com/CycloneDX/cyclonedx-javascript-library.git#v6.2.0",
+- "lib3": "[email protected]:CycloneDX/cyclonedx-javascript-library.git#v6.3.0",
+- "lib4": "github:CycloneDX/cyclonedx-javascript-library.git#v6.4.0",
+- "lib5": "CycloneDX/cyclonedx-javascript-library#v6.5.0"
+
+All these sources were transformed to valid URLs by node, and are available as `resolved`.
+
+## output
+
+see [demo snapshots](../../tests/_data/npm-ls_demo-results/dev-dependencies).
+
+Output of `npm ls --json -a -l` look like this:
+```json5
+{
+  "version": "1.0.0",
+  "name": "demo-deps-from-git",
+  "private": true,
+  // ...
+  "dependencies": {
+    "lib0": {
+      "version": "6.0.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#c887c803ac56deb5f91b617ef0486ca3fb98473b",
+      "name": "@cyclonedx/cyclonedx-library",
+      // ...      
+    },
+    "lib1": {
+      "version": "6.1.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#e1a99f9871ca1cbd9b7f7b097c0e2aa8f1e79fe7",
+      "name": "@cyclonedx/cyclonedx-library",
+      // ...      
+    },
+    "lib2": {
+      "version": "6.2.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#d66d36280dde484bcf73a5c2139961663e3ba954",
+      "name": "@cyclonedx/cyclonedx-library",
+      // ...      
+    },
+    "lib3": {
+      "version": "6.3.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#7a914980f0508368df54ca193347cec6ffd16415",
+      "name": "@cyclonedx/cyclonedx-library",
+       // ...      
+    },
+    "lib4": {
+      "version": "6.4.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#3367c1638662d57c53caff0824ee94cd7859bee2",
+      "name": "@cyclonedx/cyclonedx-library",
+       // ...
+    },
+    "lib5": {
+      "version": "6.5.0",
+      "resolved": "git+ssh://[email protected]/CycloneDX/cyclonedx-javascript-library.git#4cea42bf5ec78f17b86dcd308022b6d52e9a98f0",
+      "name": "@cyclonedx/cyclonedx-library",
+       // ...
+    }
+  }
+}
+```

demo/deps-from-git/project/.gitignore

@@ -0,0 +1,5 @@
+/*
+!/.gitignore
+!/.npmrc
+!/package.json
+!/README.md

demo/deps-from-git/project/.npmrc

@@ -0,0 +1,4 @@
+;  see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+engine-strict=false
+ignore-scripts=true

demo/deps-from-git/project/package.json

@@ -0,0 +1,14 @@
+{
+  "private": true,
+  "name": "demo-deps-from-git",
+  "description": "demo: dependencies from git",
+  "version": "1.0.0",
+  "dependencies": {
+    "lib0": "git://github.com/CycloneDX/cyclonedx-javascript-library.git#v6.0.0",
+    "lib1": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git#semver:6.1.0",
+    "lib2": "git+ssh://github.com/CycloneDX/cyclonedx-javascript-library.git#v6.2.0",
+    "lib3": "[email protected]:CycloneDX/cyclonedx-javascript-library.git#v6.3.0",
+    "lib4": "github:CycloneDX/cyclonedx-javascript-library.git#v6.4.0",
+    "lib5": "CycloneDX/cyclonedx-javascript-library#v6.5.0"
+  }
+}

package.json

@@ -47,7 +47,7 @@
     }
   ],
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "^6.6.0",
+    "@cyclonedx/cyclonedx-library": "^6.11.0",
     "commander": "^10.0.0",
     "normalize-package-data": "^3||^4||^5||^6",
     "packageurl-js": "^1.2.1",

src/_helpers.ts

@@ -56,38 +56,3 @@ export function tryRemoveSecretsFromUrl (url: string): string {
     return url
   }
 }
-
-/* eslint-disable-next-line @typescript-eslint/naming-convention */
-const _urlCanParse_polyfill: (url: string) => boolean = typeof URL.canParse === 'function'
-  ? URL.canParse.bind(URL)
-  : (url: string) => {
-      try {
-        /* eslint-disable-next-line no-new */
-        new URL(url)
-      } catch { return false }
-      return true
-    }
-
-// region trySanitizeGitUrl
-
-const _sshGitUrlRE = /^(?<user>[^@:]+@)(?<host>[^:]+):(?<path>.*)$/
-interface _sshGitUrlRE_groups {
-  user?: string
-  host: string
-  path: string
-}
-
-export function trySanitizeGitUrl (gitUrl: string): string {
-  if (_urlCanParse_polyfill(gitUrl)) {
-    return gitUrl
-  }
-
-  const sshGs = _sshGitUrlRE.exec(gitUrl)?.groups as _sshGitUrlRE_groups | undefined
-  if (sshGs !== undefined) {
-    return `git+ssh://${sshGs.user ?? ''}${sshGs.host}/${sshGs.path}`
-  }
-
-  return gitUrl
-}
-
-// endregion trySanitizeGitUrl

src/builders.ts

@@ -23,7 +23,7 @@ import * as normalizePackageData from 'normalize-package-data'
 import { type PackageURL } from 'packageurl-js'
 import * as path from 'path'
 
-import { isString, loadJsonFile, tryRemoveSecretsFromUrl, trySanitizeGitUrl } from './_helpers'
+import { isString, loadJsonFile, tryRemoveSecretsFromUrl } from './_helpers'
 import { makeNpmRunner, type runFunc } from './npmRunner'
 import { PropertyNames, PropertyValueBool } from './properties'
 import { versionCompare } from './versionCompare'
@@ -451,9 +451,6 @@ export class BomBuilder {
       // allow non-SemVer strings
       _dataC.version = data.version.trim()
     }
-    if (_dataC.repository?.type === 'git') {
-      _dataC.repository.url = trySanitizeGitUrl(_dataC.repository.url as string)
-    }
     // endregion fix normalizations
 
     const component = this.componentBuilder.makeComponent(
@@ -524,7 +521,7 @@ export class BomBuilder {
       }
       component.externalReferences.add(
         new Models.ExternalReference(
-          tryRemoveSecretsFromUrl(trySanitizeGitUrl(resolved)),
+          tryRemoveSecretsFromUrl(resolved),
           Enums.ExternalReferenceType.Distribution,
           {
             hashes,

tests/_data/npm-ls_demo-results/_duplicates-cleaner/package.json

@@ -3,5 +3,8 @@
   "description": "find duplicates and remove them",
   "license": "Apache-2.0",
   "type": "module",
-  "main": "remove-duplicates.js"
+  "main": "remove-duplicates.js",
+  "scripts": {
+    "clean": "node -- ./remove-duplicates.js"
+  }
 }