Evinse for scala + SaaSBOM v2

.github/workflows/repotests.yml

@@ -108,10 +108,6 @@ jobs:
         with:
           repository: 'ShiftLeftSecurity/shiftleft-go-example'
           path: 'repotests/shiftleft-go-example'
-      - uses: actions/checkout@v4
-        with:
-          repository: 'prabhu/shiftleft-scala-example'
-          path: 'repotests/shiftleft-scala-example'
       - uses: actions/checkout@v4
         with:
           repository: 'HooliCorp/vulnerable_net_core'
@@ -326,6 +322,11 @@ jobs:
           repository: 'SeanyCash/TwinCAT_CNC'
           path: 'repotests/TwinCAT_CNC'
           ref: '0e1020338c10cf77249aeaff34520f9516816167'
+      - uses: actions/checkout@v4
+        with:
+          repository: 'playframework/play-samples'
+          path: 'repotests/play-samples'
+          ref: '0dccba17856e89dbb5e457ab760efb14cc691395'
       - uses: dtolnay/rust-toolchain@stable
       - name: setup sdkman
         run: |
@@ -554,6 +555,33 @@ jobs:
           bin/cdxgen.js -p -r -t dotnet-framework repotests/SimpleFrameworkApp -o bomresults/bom-dotnet-framework.json
           bin/cdxgen.js -p -r -t dotnet-framework repotests/Reporting-Windows-Application -o bomresults/bom-dotnet-framework-reporting.json --deep
         shell: bash
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+      - uses: sbt/setup-sbt@v1
+      - uses: coursier/setup-action@v1
+        with:
+          apps: scala3 scalac
+      - name: scala tests
+        run: |
+          python -m pip install atom-tools
+          which atom-tools
+          cd $GITHUB_WORKSPACE/repotests/play-samples/play-scala-slick-example
+          sbt clean stage
+          cd $GITHUB_WORKSPACE/repotests/play-samples/play-scala-rest-api-example
+          sbt clean stage
+          cd $GITHUB_WORKSPACE/repotests/play-samples/play-scala-grpc-example
+          sbt clean stage
+          cd $GITHUB_WORKSPACE
+          bin/cdxgen.js -t scala $GITHUB_WORKSPACE/repotests/play-samples/play-scala-slick-example -o bomresults/bom-simple-play-scala-slick-example.json $GITHUB_WORKSPACE/repotests/play-samples/play-scala-slick-example
+          bin/cdxgen.js -t scala $GITHUB_WORKSPACE/repotests/play-samples/play-scala-slick-example --profile research -o bomresults/bom-play-scala-slick-example.json $GITHUB_WORKSPACE/repotests/play-samples/play-scala-slick-example
+          bin/cdxgen.js -t scala $GITHUB_WORKSPACE/repotests/play-samples/play-scala-rest-api-example --profile research -o bomresults/bom-play-scala-rest-api-example.json $GITHUB_WORKSPACE/repotests/play-samples/play-scala-rest-api-example
+          bin/cdxgen.js -t scala $GITHUB_WORKSPACE/repotests/play-samples/play-scala-grpc-example --profile research -o bomresults/bom-pplay-scala-grpc-example.json $GITHUB_WORKSPACE/repotests/play-samples/play-scala-grpc-example
+        shell: bash
+        env:
+          CDXGEN_DEBUG_MODE: debug
       - name: repotests blint
         run: |
           bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json --fail-on-error
@@ -732,6 +760,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '23'
+      - uses: sbt/setup-sbt@v1
+      - uses: coursier/setup-action@v1
+        with:
+          apps: scala3 scalac
       - uses: actions/setup-go@v5
         with:
           go-version: '1.23'

.github/workflows/snapshot-tests.yml

@@ -38,7 +38,7 @@ jobs:
            sudo npm install -g "$cdxgen_tarball"
            git clone https://github.com/appthreat/cdxgen-samples.git original_snapshots
            python3.12 -m venv .venv
-           source .venv/bin/activate && pip install setuptools wheel
+           source .venv/bin/activate && pip install setuptools==77.0.3 wheel
            source .venv/bin/activate && pip install -r test/diff/requirements.txt
 
       - name: Generate scripts

.gitignore

@@ -127,4 +127,6 @@ build/
 .mise.toml
 
 # Ignore IntelliJ IDEA module file
-cdxgen.iml
+cdxgen.iml
+
+.theia/

bin/cdxgen.js

@@ -449,11 +449,23 @@ if (!options.projectType) {
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
   );
 }
-if (process.argv[1].includes("cbom")) {
-  thoughtLog(
-    "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
-  );
-  options.includeCrypto = true;
+// Handle dedicated cbom and saasbom commands
+if (["cbom", "saasbom"].includes(process.argv[1])) {
+  if (process.argv[1].includes("cbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
+    );
+    options.includeCrypto = true;
+  } else if (process.argv[1].includes("saasbom")) {
+    thoughtLog(
+      "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
+    );
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      thoughtLog(
+        "Wait, I'm not running in a container. This means the chances of successfully collecting this inventory are quite low. Perhaps this is an advanced user who has set up atom and atom-tools already 🤔?",
+      );
+    }
+  }
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
@@ -700,7 +712,7 @@ const checkPermissions = (filePath, options) => {
       "usages-slices-file",
       "reachables-slices-file",
     ];
-    if (options?.type?.includes("swift")) {
+    if (options?.type?.includes("swift") || options?.type?.includes("scala")) {
       slicesFilesKeys.push("semantics-slices-file");
     }
     for (const sf of slicesFilesKeys) {

bin/evinse.js

@@ -73,6 +73,7 @@ const args = yargs(hideBin(process.argv))
       "swift",
       "ios",
       "ruby",
+      "scala",
     ],
   })
   .option("db-path", {
@@ -127,7 +128,10 @@ const args = yargs(hideBin(process.argv))
   .option("semantics-slices-file", {
     description: "Use an existing semantics slices file.",
     default: "semantics.slices.json",
-    hidden: true,
+  })
+  .option("openapi-spec-file", {
+    description: "Use an existing openapi specification file (SaaSBOM).",
+    default: "openapi.json",
   })
   .option("print", {
     alias: "p",

ci/Dockerfile

@@ -45,7 +45,7 @@ ENV GOPATH=/opt/app-root/go \
     PYTHONIOENCODING="utf-8" \
     COMPOSER_ALLOW_SUPERUSER=1 \
     ANDROID_HOME=/opt/android-sdk-linux \
-    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8" \
+    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8 --enable-native-access=ALL-UNNAMED" \
     SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
     SWIFT_PLATFORM=$SWIFT_PLATFORM \
     SWIFT_BRANCH=$SWIFT_BRANCH \
@@ -94,7 +94,7 @@ RUN set -e; \
     && alternatives --install /usr/bin/python3 python /usr/bin/python${PYTHON_VERSION} 10 \
     && alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 10 \
     && /usr/bin/python${PYTHON_VERSION} --version \
-    && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools wheel pip virtualenv \
+    && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools==77.0.3 wheel pip virtualenv \
     && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade pipenv poetry blint atom-tools uv --target /opt/pypi \
     && /opt/pypi/bin/poetry --version \
     && /opt/pypi/bin/pipenv --version \

ci/Dockerfile-bun

@@ -40,7 +40,7 @@ ENV GOPATH=/opt/app-root/go \
     PYTHONIOENCODING="utf-8" \
     COMPOSER_ALLOW_SUPERUSER=1 \
     ANDROID_HOME=/opt/android-sdk-linux \
-    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8" \
+    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8 --enable-native-access=ALL-UNNAMED" \
     SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
     SWIFT_PLATFORM=$SWIFT_PLATFORM \
     SWIFT_BRANCH=$SWIFT_BRANCH \

ci/Dockerfile-deno

@@ -44,7 +44,7 @@ ENV GOPATH=/opt/app-root/go \
     PYTHONIOENCODING="utf-8" \
     COMPOSER_ALLOW_SUPERUSER=1 \
     ANDROID_HOME=/opt/android-sdk-linux \
-    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8" \
+    JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8 --enable-native-access=ALL-UNNAMED" \
     GLOBAL_NODE_MODULES_PATH=/root/.cache/deno/npm/registry.npmjs.org \
     CDXGEN_PLUGINS_DIR=/root/.cache/deno/npm/registry.npmjs.org/@cyclonedx/cdxgen-plugins-bin/1.6.4/plugins \
     SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
@@ -89,7 +89,7 @@ RUN set -e; \
     && alternatives --install /usr/bin/python3 python /usr/bin/python${PYTHON_VERSION} 10 \
     && alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 10 \
     && python${PYTHON_VERSION} --version \
-    && python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools wheel pip virtualenv \
+    && python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools==77.0.3 wheel pip virtualenv \
     && python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade pipenv poetry blint atom-tools uv --target /opt/pypi \
     && curl -fsSL https://deno.land/x/install/install.sh | sh \
     && deno install -g --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net -n cdxgen --node-modules-dir=auto "npm:@cyclonedx/cdxgen/cdxgen" \

ci/Dockerfile-secure

@@ -100,7 +100,7 @@ RUN set -e; \
     && alternatives --install /usr/bin/python3 python /usr/bin/python${PYTHON_VERSION} 10 \
     && alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 10 \
     && /usr/bin/python${PYTHON_VERSION} --version \
-    && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools wheel pip virtualenv \
+    && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade setuptools==77.0.3 wheel pip virtualenv \
     && /usr/bin/python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade pipenv poetry blint atom-tools uv --target /opt/pypi \
     && /opt/pypi/bin/poetry --version \
     && /opt/pypi/bin/pipenv --version \

ci/base-images/opensuse/Dockerfile.python310

@@ -34,7 +34,7 @@ RUN set -e; \
     && update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10 \
     && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.10 10 \
     && mkdir /opt/pypi \
-    && python -m pip install --no-cache-dir --upgrade setuptools pip virtualenv \
+    && python -m pip install --no-cache-dir --upgrade setuptools==77.0.3 pip virtualenv \
     && python -m pip install --no-cache-dir --upgrade poetry pipenv uv --target /opt/pypi \
     && curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz" \
     && tar -C /usr/local -xzf go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \

ci/base-images/sle/Dockerfile.python311

@@ -48,7 +48,7 @@ RUN set -e; \
     && tar -C /usr/local -xzf go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \
     && rm go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \
     && go telemetry off \
-    && python3 -m pip install --no-cache-dir --upgrade setuptools pip virtualenv \
+    && python3 -m pip install --no-cache-dir --upgrade setuptools==77.0.3 pip virtualenv \
     && python3 -m pip install --no-cache-dir --upgrade pipenv poetry uv --target /opt/pypi \
     && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash \
     && source /root/.nvm/nvm.sh \

lib/cli/index.js

@@ -2421,11 +2421,11 @@ export async function createJavaBom(path, options) {
           // write to the existing plugins file
           if (useSlashSyntax) {
             sbtArgs = [
-              `'set ThisBuild / asciiGraphWidth := 400' "dependencyTree / toFile ${dlFile} --force"`,
+              `'set ThisBuild / asciiGraphWidth := 800' "dependencyTree / toFile ${dlFile} --force"`,
             ];
           } else {
             sbtArgs = [
-              `'set asciiGraphWidth in ThisBuild := 400' "dependencyTree::toFile ${dlFile} --force"`,
+              `'set asciiGraphWidth in ThisBuild := 800' "dependencyTree::toFile ${dlFile} --force"`,
             ];
           }
           pluginFile = addPlugin(basePath, sbtPluginDefinition);
@@ -2501,6 +2501,24 @@ export async function createJavaBom(path, options) {
       if (tmpjarNSMapping && Object.keys(tmpjarNSMapping).length) {
         jarNSMapping = { ...jarNSMapping, ...tmpjarNSMapping };
       }
+      // sbt can store jars in the target directory
+      const jarNSData = await createJarBom(path, options);
+      if (jarNSData?.bomJson?.components) {
+        pkgList = pkgList.concat(jarNSData?.bomJson?.components);
+        const targetJarNSMapping = {};
+        for (const p of jarNSData.bomJson.components) {
+          if (!p?.purl || !p?.properties?.length) {
+            continue;
+          }
+          const nsProp = p.properties.filter(
+            (prop) => prop.name === "Namespaces",
+          );
+          if (nsProp.length) {
+            targetJarNSMapping[p.purl] = nsProp[0].value;
+          }
+        }
+        jarNSMapping = { ...jarNSMapping, ...targetJarNSMapping };
+      }
     }
   }
   pkgList = trimComponents(pkgList);