fix: replace auto-detected root component with user-provided one

Previously, disabling root component auto-detection while specifying a root component left the
auto-detected root in the BOM, with dependencies still attached to it (issue #1418).

This change ensures that all instances of the auto-detected root are replaced by the
user-provided component using a `componentSubstitutionMap` during component generation.

Regression tests were added for that particular case

Signed-off-by: Maxim Bagryantsev <[email protected]>

Author: max619

src/_helpers.ts

@@ -20,6 +20,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import { existsSync, readFileSync } from 'node:fs'
 import { dirname, isAbsolute, join, sep } from 'node:path'
 
+import type * as CDX from '@cyclonedx/cyclonedx-library'
 import normalizePackageData from 'normalize-package-data'
 
 
@@ -45,6 +46,10 @@ export interface PackageDescription {
   packageJson: NonNullable<any>
 }
 
+export interface RootComponentCreationResult {
+  rootComponent: CDX.Models.Component
+  detectedRootComponent: CDX.Models.Component | undefined
+}
 
 const PACKAGE_MANIFEST_FILENAME = 'package.json'
 
@@ -138,3 +143,9 @@ export function normalizePackageManifest (data: any, warn?: normalizePackageData
     data.version = oVersion.trim()
   }
 }
+
+export function doComponentsMatch(first: CDX.Models.Component, second: CDX.Models.Component): boolean {
+  return first.group === second.group &&
+    first.name === second.name &&
+    first.version === second.version
+}

src/extractor.ts

@@ -23,10 +23,12 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 import type { Compilation, Module } from 'webpack'
 
 import {
+  doComponentsMatch,
   getPackageDescription,
   isNonNullable,
   normalizePackageManifest,
   type PackageDescription,
+  type RootComponentCreationResult,
   structuredClonePolyfill
 } from './_helpers'
 
@@ -50,7 +52,7 @@ export class Extractor {
     this.#leGatherer = leFetcher
   }
 
-  generateComponents (modules: Iterable<Module>, collectEvidence: boolean, logger?: WebpackLogger): Iterable<CDX.Models.Component> {
+  generateComponents (modules: Iterable<Module>, collectEvidence: boolean, rootComponents: RootComponentCreationResult | undefined, logger?: WebpackLogger): Iterable<CDX.Models.Component> {
     const pkgs: Record<string, CDX.Models.Component | undefined> = {}
     const components = new Map<Module, CDX.Models.Component>()
 
@@ -69,7 +71,7 @@ export class Extractor {
       if (component === undefined) {
         logger?.log('try to build new Component from PkgPath:', pkg.path)
         try {
-          component = this.makeComponent(pkg, collectEvidence, logger)
+          component = this.#makeComponent(pkg, collectEvidence, rootComponents, logger)
         } catch (err) {
           logger?.debug('unexpected error:', err)
           logger?.warn('skipped Component from PkgPath', pkg.path)
@@ -91,7 +93,7 @@ export class Extractor {
   /**
    * @throws {@link Error} when no component could be fetched
    */
-  makeComponent (pkg: PackageDescription, collectEvidence: boolean, logger?: WebpackLogger): CDX.Models.Component {
+  #makeComponent (pkg: PackageDescription, collectEvidence: boolean, rootComponents: RootComponentCreationResult | undefined, logger?: WebpackLogger): CDX.Models.Component {
     try {
       // work with a deep copy, because `normalizePackageManifest()` might modify the data
       /* eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- ach */
@@ -102,14 +104,18 @@ export class Extractor {
       logger?.warn('normalizePackageJson from PkgPath', pkg.path, 'failed:', e)
     }
 
-    const component = this.#componentBuilder.makeComponent(
+    let component = this.#componentBuilder.makeComponent(
       /* @ts-expect-error TS2559 */
       pkg.packageJson as PackageDescription) /* eslint-disable-line  @typescript-eslint/no-unsafe-type-assertion -- ack */
 
     if (component === undefined) {
       throw new Error(`failed building Component from PkgPath ${pkg.path}`)
     }
 
+    if (rootComponents?.detectedRootComponent !== undefined && doComponentsMatch(component, rootComponents.detectedRootComponent)) {
+      component = rootComponents.rootComponent
+    }
+
     component.licenses.forEach(l => {
       /* eslint-disable no-param-reassign -- intended */
       l.acknowledgement = CDX.Enums.LicenseAcknowledgement.Declared

src/plugin.ts

@@ -24,11 +24,13 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 import { Compilation, type Compiler, sources, version as WEBPACK_VERSION } from 'webpack'
 
 import {
+  doComponentsMatch,
   getPackageDescription,
   iterableSome,
   loadJsonFile,
   normalizePackageManifest,
-  type PackageDescription
+  type PackageDescription,
+  type RootComponentCreationResult
 } from './_helpers'
 import { Extractor } from './extractor'
 
@@ -214,7 +216,8 @@ export class CycloneDxWebpackPlugin {
 
     const bom = new CDX.Models.Bom()
     bom.metadata.lifecycles.add(CDX.Enums.LifecyclePhase.Build)
-    bom.metadata.component = this.#makeRootComponent(compilation.compiler.context, cdxComponentBuilder, logger.getChildLogger('RootComponentBuilder'))
+    const rootComponents = this.#makeRootComponent(compilation.compiler.context, cdxComponentBuilder, logger.getChildLogger('RootComponentBuilder'))
+    bom.metadata.component = rootComponents?.rootComponent
 
     const serializeOptions: CDX.Serialize.Types.SerializerOptions & CDX.Serialize.Types.NormalizerOptions = {
       sortLists: this.reproducibleResults,
@@ -267,11 +270,9 @@ export class CycloneDxWebpackPlugin {
         )
 
         thisLogger.log('generating components...')
-        for (const component of extractor.generateComponents(modules, this.collectEvidence, thisLogger.getChildLogger('Extractor'))) {
+        for (const component of extractor.generateComponents(modules, this.collectEvidence, rootComponents, thisLogger.getChildLogger('Extractor'))) {
           if (bom.metadata.component !== undefined &&
-            bom.metadata.component.group === component.group &&
-            bom.metadata.component.name === component.name &&
-            bom.metadata.component.version === component.version
+            doComponentsMatch(bom.metadata.component, component)
           ) {
             // metadata matches this exact component.
             // -> so the component is actually treated as the root component.
@@ -380,19 +381,33 @@ export class CycloneDxWebpackPlugin {
     path: string,
     builder: CDX.Builders.FromNodePackageJson.ComponentBuilder,
     logger: WebpackLogger
-  ): CDX.Models.Component | undefined {
+  ): RootComponentCreationResult | undefined {
     /* eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- expected */
-    const thisPackageJson = this.rootComponentAutodetect
-      ? getPackageDescription(path)?.packageJson
-      : { name: this.rootComponentName, version: this.rootComponentVersion }
-    if (thisPackageJson === undefined) { return undefined }
-    normalizePackageManifest(
+    const detectedRootPackageJson = getPackageDescription(path)?.packageJson
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- expected */
+    const rootPackageJson = this.rootComponentAutodetect ? detectedRootPackageJson
+                              : { name: this.rootComponentName, version: this.rootComponentVersion }
 
-      thisPackageJson,
+    if (rootPackageJson === undefined) { return undefined }
+    normalizePackageManifest(
+      rootPackageJson,
       w => { logger.debug('normalizePackageJson from PkgPath', path, 'caused:', w) }
     )
 
-    return builder.makeComponent(thisPackageJson)
+    if (detectedRootPackageJson !== rootPackageJson) {
+      normalizePackageManifest(
+        detectedRootPackageJson,
+        w => { logger.debug('normalizePackageJson from PkgPath', path, 'caused:', w) }
+      )
+    }
+
+    const rootComponent = builder.makeComponent(rootPackageJson)
+    if(rootComponent === undefined) { return undefined }
+
+    const detectedRootComponent = detectedRootPackageJson === rootPackageJson ? rootComponent
+                                /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument -- expected */
+                                : builder.makeComponent(detectedRootPackageJson)
+    return { rootComponent, detectedRootComponent }
   }
 
   #finalizeBom (