Update cdxgen to bring go purl compatibility fixes (#297)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
owasp-dep-scan · Apr 7, 2024 · 523e60c · 523e60c
1 parent 7adaf46
commit 523e60c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ LABEL maintainer="AppThreat" \
  org.opencontainers.image.authors="Team AppThreat <cloud@appthreat.com>" \
  org.opencontainers.image.source="https://github.com/owasp-dep-scan/dep-scan" \
  org.opencontainers.image.url="https://appthreat.com" \
- org.opencontainers.image.version="5.2.x" \
+ org.opencontainers.image.version="5.3.x" \
  org.opencontainers.image.vendor="appthreat" \
  org.opencontainers.image.licenses="MIT" \
  org.opencontainers.image.title="dep-scan" \
@@ -74,7 +74,7 @@ RUN set -e; \
  && sdk offline enable \
  && mv /root/.sdkman/candidates/* /opt/ \
  && rm -rf /root/.sdkman \
- && npm install -g @cyclonedx/cdxgen@10.2.6 \
+ && npm install -g @cyclonedx/cdxgen@10.3.0 \
  && cdxgen --version \
  && curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz" \
  && tar -C /usr/local -xzf go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \

diff --git a/depscan/lib/utils.py b/depscan/lib/utils.py
@@ -232,23 +232,21 @@ def search_pkgs(db, project_type, pkg_list):
  vendor, name = get_pkg_vendor_name(pkg)
  version = pkg.get("version")
  if pkg.get("purl"):
+ ppurl = pkg.get("purl")
  purl_aliases[pkg.get("purl")] = pkg.get("purl")
- purl_aliases[
-  f"{vendor.lower()}:{name.lower()}:{version}"
- ] = pkg.get("purl")
+ purl_aliases[f"{vendor.lower()}:{name.lower()}:{version}"] = ppurl
+ if ppurl.startswith("pkg:npm"):
+  purl_aliases[f"npm:{vendor.lower()}/{name.lower()}:{version}"] = ppurl
  if not purl_aliases.get(f"{vendor.lower()}:{name.lower()}"):
- purl_aliases[f"{vendor.lower()}:{name.lower()}"] = pkg.get(
- "purl"
- )
+ purl_aliases[f"{vendor.lower()}:{name.lower()}"] = ppurl
  if variations:
  for vari in variations:
  vari_full_pkg = f"""{vari.get("vendor")}:{vari.get("name")}"""
  pkg_aliases[
  f"{vendor.lower()}:{name.lower()}:{version}"
  ].append(vari_full_pkg)
- purl_aliases[f"{vari_full_pkg.lower()}:{version}"] = pkg.get(
- "purl"
- )
+ if pkg.get("purl"):
+ purl_aliases[f"{vari_full_pkg.lower()}:{version}"] = pkg.get("purl")
  quick_res = db_lib.bulk_index_search(expanded_list)
  raw_results = db_lib.pkg_bulk_search(db, quick_res)
  raw_results = normalize.dedup(project_type, raw_results)

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "owasp-depscan"
-version = "5.3.1"
+version = "5.3.2"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
  {name = "Team AppThreat", email = "cloud@appthreat.com"},