Tweaks

Signed-off-by: Prabhu Subramanian <[email protected]>

Increase cdxgen timeout to 30 minutes

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/pythonapp.yml

@@ -67,7 +67,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [macos-latest]
     steps:
     - uses: actions/checkout@v4
     - name: Trim CI agent
@@ -81,7 +81,10 @@ jobs:
     - name: Install devenv.sh
       run: nix profile install nixpkgs#devenv
     - name: Build the devenv shell
-      run: devenv test
+      run: |
+        mkdir -p $HOME/.local/share/pnpm/global
+        echo "$HOME/.local/share/pnpm/global" >> $GITHUB_PATH
+        devenv test
     - name: Run pytest with uv
       run: |
         devenv shell uv run pytest --cov=depscan test

Dockerfile

@@ -74,7 +74,7 @@ RUN set -e; \
     && sdk offline enable \
     && mv /root/.sdkman/candidates/* /opt/ \
     && rm -rf /root/.sdkman \
-    && npm install -g @cyclonedx/cdxgen @appthreat/atom \
+    && npm install -g @cyclonedx/cdxgen @appthreat/atom-parsetools \
     && cdxgen --version \
     && curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz" \
     && tar -C /usr/local -xzf go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \

depscan/lib/bom.py

@@ -6,7 +6,6 @@
 from datetime import datetime, timezone
 from urllib.parse import unquote_plus
 
-from blint.cyclonedx.spec import CycloneDX
 from custom_json_diff.lib.utils import json_load, json_dump
 from defusedxml.ElementTree import parse
 from xbom_lib.blint import BlintGenerator
@@ -326,13 +325,6 @@ def create_blint_bom(
             LOG.info(
                 "The blint invocation was unsuccessful. Try generating the BOM separately."
             )
-        # Empty SBOM is fine if there are no binaries in the project.
-        elif bom_result.bom_obj and isinstance(bom_result.bom_obj, CycloneDX):
-            if (
-                not bom_result.bom_obj.components
-                and not bom_result.bom_obj.dependencies
-            ):
-                LOG.debug("Empty SBOM received from blint.")
         return bom_result.success and os.path.exists(bom_file)
 
 

depscan/lib/explainer.py

@@ -1,3 +1,4 @@
+import os
 import re
 import glob
 from collections import defaultdict
@@ -58,6 +59,12 @@ def explain(project_type, src_dir, bom_dir, vdr_file, vdr_result, explanation_mo
         else "Reachable Flows"
     )
     for sf in slices_files:
+        if len(slices_files) > 1:
+            fn = os.path.basename(sf)
+            section_label = f"# Explanations for {sf}"
+            if "-" in fn:
+                section_label = f"# Explanations for {fn.split('-')[0].upper()}"
+            console.print(Markdown(section_label))
         if (reachables_data := json_load(sf, log=LOG)) and reachables_data.get(
             "reachables"
         ):
@@ -211,7 +218,7 @@ def explain_reachables(
             project_type,
             vdr_result,
         )
-        if not source_sink_desc or not flow_tree:
+        if not source_sink_desc or not flow_tree or len(flow_tree.children) < 5:
             continue
         # In non-reachables mode, we are not interested in reachable flows.
         if (
@@ -358,7 +365,7 @@ def flow_to_source_sink(idx, flow, purls, project_type, vdr_result):
             source_sink_desc = f"Invocation: {method_full_name}"
     elif flow.get("label") == "RETURN" and flow.get("code"):
         source_sink_desc = flow.get("code").split("\n")[0]
-    elif project_type not in ("java") and flow.get("label") == "IDENTIFIER":
+    elif project_type not in ("java",) and flow.get("label") == "IDENTIFIER":
         source_sink_desc = flow.get("code").split("\n")[0]
         if source_sink_desc.endswith("("):
             source_sink_desc = f":diamond_suit: {source_sink_desc})"
@@ -421,19 +428,21 @@ def filter_tags(tags):
 
 
 def is_filterable_code(project_type, code):
-    match project_type:
-        case "js" | "ts" | "javascript" | "typescript" | "bom":
-            for c in (
-                "console.log",
-                "thoughtLog(",
-                "_tmp_",
-                "LOG.debug(",
-                "options.get(",
-                "RET",
-                "this.",
-            ):
-                if code and code.startswith(c):
-                    return True
+    if len(code) < 5:
+        return True
+    for c in (
+        "console.log",
+        "thoughtLog(",
+        "_tmp_",
+        "LOG.debug(",
+        "options.get(",
+        "RET",
+        "this.",
+        "NULL",
+        "!",
+    ):
+        if code and code.startswith(c):
+            return True
     return False
 
 
@@ -450,17 +459,21 @@ def flow_to_str(explanation_mode, flow, project_type):
     node_desc = flow.get("code").split("\n")[0]
     if node_desc.endswith("("):
         node_desc = f":diamond_suit: {node_desc})"
+    elif node_desc.startswith("return "):
+        node_desc = f":arrow_backward: [italic]{node_desc}[/italic]"
     tags = filter_tags(flow.get("tags"))
-    if flow.get("label") == "METHOD_PARAMETER_IN":
+    if flow.get("label") in ("METHOD_PARAMETER_IN",):
         param_name = flow.get("name")
         if param_name == "this":
             param_name = ""
         node_desc = f"{flow.get('parentMethodName')}([red]{param_name}[/red]) :right_arrow_curving_left:"
         if tags:
             node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
-    elif flow.get("label") == "IDENTIFIER":
+    elif flow.get("label") in ("IDENTIFIER", "CALL"):
         if node_desc.startswith("<"):
             node_desc = flow.get("name")
+        if flow.get("isExternal"):
+            node_desc = f"{node_desc} :right_arrow_curving_up:"
         if tags:
             node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
     if tags and not is_filterable_code(project_type, node_desc):
@@ -528,7 +541,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
         file_loc, flow_str, node_desc, has_check_tag_flow = flow_to_str(
             explanation_mode, aflow, project_type
         )
-        if last_file_loc and last_file_loc == file_loc:
+        if not flow_str or (last_file_loc and last_file_loc == file_loc):
             continue
         last_file_loc = file_loc
         if flow_str in added_flows or node_desc in added_node_desc:

devenv.lock

@@ -3,10 +3,10 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1746190425,
+        "lastModified": 1747185494,
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "b97652de96e5704fc313d865f2bd1cf8433c514c",
+        "rev": "b292bc94c2daccda165bc9f909bf6c8056e37a80",
         "type": "github"
       },
       "original": {
@@ -19,10 +19,10 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1747046372,
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -34,10 +34,10 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1747046372,
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -49,10 +49,10 @@
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
+        "lastModified": 1747046372,
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -87,10 +87,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1742649964,
+        "lastModified": 1746537231,
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "rev": "fa466640195d38ec97cf0493d6d6882bc4d14969",
         "type": "github"
       },
       "original": {
@@ -121,10 +121,10 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1733477122,
+        "lastModified": 1746807397,
         "owner": "cachix",
         "repo": "devenv-nixpkgs",
-        "rev": "7bd9e84d0452f6d2e63b6e6da29fe73fac951857",
+        "rev": "c5208b594838ea8e6cca5997fbf784b7cca1ca90",
         "type": "github"
       },
       "original": {
@@ -163,10 +163,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1745387063,
+        "lastModified": 1747201535,
         "owner": "bobvanderlinden",
         "repo": "nixpkgs-ruby",
-        "rev": "4363adc15a1137dc4b883a655e8f1db256e3c2e4",
+        "rev": "978be3ec85a9f8661512432a29e452285c3b3b6b",
         "type": "github"
       },
       "original": {
@@ -177,10 +177,10 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1746206129,
+        "lastModified": 1747060738,
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9a7caecf30a0494c88b7daeeed29244cd9a52e7d",
+        "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
         "type": "github"
       },
       "original": {

devenv.nix

@@ -66,7 +66,7 @@ in
 
       # Common packages
       packages = [
-        pkgs.nodejs_23
+        pkgs-unstable.nodejs_24
         pkgs.python312Full
         config.languages.python.package.pkgs.astral
         pkgs.uv
@@ -82,9 +82,10 @@ in
         pnpm setup
         source $HOME/.bashrc
         export PNPM_GLOBAL_DIR="$HOME/.local/share/pnpm/global"
+        mkdir -p $PNPM_GLOBAL_DIR
         export PATH="$PNPM_GLOBAL_DIR/bin:$PATH"
         pnpm config set global-dir "$PNPM_GLOBAL_DIR" --location=global
-        pnpm add -g --allow-build sqlite3 @cyclonedx/cdxgen
+        pnpm add -g --allow-build=sqlite3 @cyclonedx/cdxgen
         cdxgen --version
         python3 --version
         uv sync --all-extras --all-packages --dev

packages/analysis-lib/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "ds-analysis-lib"
-version = "6.0.0a2"
+version = "6.0.0a3"
 description = "Analysis library for owasp depscan"
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

packages/xbom-lib/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "ds-xbom-lib"
-version = "6.0.0a2"
+version = "6.0.0a3"
 description = "xBOM library for owasp depscan"
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

packages/xbom-lib/src/xbom_lib/cdxgen.py

@@ -17,6 +17,9 @@
     "Accept-Encoding": "gzip",
 }
 
+# cdxgen timeout. Increased to 30 minutes
+CDXGEN_TIMEOUT_MS = os.getenv("CDXGEN_TIMEOUT_MS", str(int(30 * 60 * 1000)))
+
 # version of cdxgen to use
 CDXGEN_IMAGE_VERSION = os.getenv("CDXGEN_IMAGE_VERSION", "latest")
 CDXGEN_IMAGE_ROLLING_VERSION = os.getenv("CDXGEN_IMAGE_ROLLING_VERSION", "v11")
@@ -271,6 +274,7 @@ def generate(self) -> BOMResult:
                 prefix="cdxgen-temp-", dir=os.getenv("DEPSCAN_TEMP_DIR")
             )
             env["CDXGEN_TEMP_DIR"] = cdxgen_temp_dir
+        env["CDXGEN_TIMEOUT_MS"] = CDXGEN_TIMEOUT_MS
         if cdxgen_cmd:
             bom_result = exec_tool(
                 args,
@@ -405,6 +409,7 @@ def _container_run_cmd(self) -> Tuple[str, List[str]]:
                 or k in ("FETCH_LICENSE",)
             ):
                 run_command_args += ["-e", k]
+        run_command_args += ["-e", f"CDXGEN_TIMEOUT_MS={CDXGEN_TIMEOUT_MS}"]
         # Enabling license fetch will improve metadata such as tags and description
         # These will help with semantic reachability analysis
         if self.options.get("profile") not in ("generic",):

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "owasp-depscan"
-version = "6.0.0a2"
+version = "6.0.0a3"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},