Remove duplicate filenames in CycloneDX JSON output

RetireJS · Jul 4, 2024 · 5baff2d · 5baff2d
1 parent 4b40446
commit 5baff2d
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 12 deletions.
diff --git a/chrome/extension/js/generated/retire-chrome.js b/chrome/extension/js/generated/retire-chrome.js
@@ -50,7 +50,7 @@ function deepScan(content, repo) {
  */
 
 var exports = exports || {};
-exports.version = '5.1.0';
+exports.version = '5.1.1';
 
 function isDefined(o) {
   return typeof o !== 'undefined';

diff --git a/node/CHANGELOG.md b/node/CHANGELOG.md
@@ -1,8 +1,14 @@
 # Changelog
 
+## [5.1.1]
+
+### Bugfix
+
+- Remove duplicates in filename output in CycloneDX JSON formats
+
 ## [5.1.0]
 
-## Add
+### Add
 
 - Support for CycloneDX 1.6 JSON as output format
 - Adding file location as property in CycloneDX 1.4 JSON output

diff --git a/node/lib/retire.js b/node/lib/retire.js
@@ -4,7 +4,7 @@
  */
 
 var exports = exports || {};
-exports.version = '5.1.0';
+exports.version = '5.1.1';
 
 function isDefined(o) {
   return typeof o !== 'undefined';

diff --git a/node/package-lock.json b/node/package-lock.json
diff --git a/node/package.json b/node/package.json
@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <[email protected]>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "5.1.0",
+  "version": "5.1.1",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",

diff --git a/node/src/reporters/cyclonedx-1_6-json.ts b/node/src/reporters/cyclonedx-1_6-json.ts
@@ -63,8 +63,12 @@ function configureCycloneDXJSONLogger(logger: Logger, writer: Writer, config: Lo
               ];
             }
             const purl = generatePURL(dep);
-            if (seen.has(purl)) {
-              seen.get(purl)?.evidence.occurrences.push(...evidence.occurrences);
+            const existing = seen.get(purl);
+            if (existing) {
+              const missing = evidence.occurrences.filter(
+                (x) => !existing.evidence.occurrences.some((y) => y.location == x.location),
+              );
+              existing.evidence.occurrences.push(...missing);
               return undefined;
             }
             const result = {

diff --git a/node/src/reporters/cyclonedx-json.ts b/node/src/reporters/cyclonedx-json.ts
@@ -33,9 +33,13 @@ function configureCycloneDXJSONLogger(logger: Logger, writer: Writer, config: Lo
     }
   };
 
+  type Component = {
+    properties: Array<{ name: string; value: string }>;
+  };
+
   logger.close = function (callback) {
     const write = vulnsFound ? writer.err : writer.out;
-    const seen = new Set<string>();
+    const seen = new Map<string, Component>();
     const components = finalResults.data
       .filter((d) => d.results)
       .map((r) =>
@@ -57,16 +61,22 @@ function configureCycloneDXJSONLogger(logger: Logger, writer: Writer, config: Lo
               ];
             }
             const purl = generatePURL(dep);
-            if (seen.has(purl)) return undefined;
-            seen.add(purl);
-            return {
+            const existing = seen.get(purl);
+            if (existing) {
+              const missing = properties.filter((p) => !existing.properties.some((ep) => ep.value === p.value));
+              existing.properties.push(...missing);
+              return undefined;
+            }
+            const result = {
               type: 'library',
               name: dep.component,
               version: dep.version,
               purl: purl,
               hashes: hashes,
               properties,
             };
+            seen.set(purl, result);
+            return result;
           })
           .filter((x) => x != undefined),
       )