fix: reproducible bom-refs

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

package.json

@@ -124,5 +124,6 @@
     "suiteName": "jest tests",
     "outputDirectory": "reports/jest",
     "outputName": "tests.junit.xml"
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }

src/_helpers.ts

@@ -17,8 +17,11 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
+import { spawnSync } from "node:child_process";
+import type { BinaryLike} from "node:crypto";
+import { createHash } from "node:crypto";
 import { existsSync, readFileSync } from 'node:fs'
-import { dirname, isAbsolute, join, sep } from 'node:path'
+import { dirname, isAbsolute, join, relative, resolve, sep } from 'node:path'
 
 import normalizePackageData from 'normalize-package-data'
 
@@ -132,3 +135,90 @@ export function normalizePackageManifest (data: any, warn?: normalizePackageData
   }
 }
 
+function sha256(data: BinaryLike): string  {
+  return createHash('sha256').update(data).digest('hex')
+}
+
+// region relative paths
+
+const YarnBerryVirtualCacheRE = /^.*[/\\].yarn[/\\]__virtual__[/\\][^/\\]+[/\\]\d[/\\].yarn[/\\]berry[/\\]cache[/\\]/
+
+const _YarnCacheFolders = new Map<string, string | null | undefined>()
+function getYarnCacheFolder(cwd: string): string | null {
+  let cf = _YarnCacheFolders.get(cwd)
+  if (undefined === cf) {
+    cf = ''
+    // yarn 2+
+    const sr2 = spawnSync('yarn', ['config', 'get', 'cacheFolder'], {
+      stdio: ['ignore', 'pipe', 'ignore'],
+      encoding: 'utf-8',
+      cwd
+    })
+    if (sr2.status === 0) {
+      cf = sr2.stdout.trim()
+    } else {
+      // yarn 1
+      const sr1 = spawnSync('yarn', ['cache', 'dir'], {
+        stdio: ['ignore', 'pipe', 'ignore'],
+        encoding: 'utf-8',
+        cwd
+      })
+      if (sr1.status === 0) {
+        cf = sr1.stdout.trim()
+      }
+    }
+    cf = cf.length > 0
+      ? `${resolve(cf)}${sep}`
+      : null
+    _YarnCacheFolders.set(cwd, cf)
+  }
+  return cf
+}
+
+const _BunCacheFolders = new Map<string, string | null | undefined>()
+function getBunCacheFolder(cwd: string): string | null {
+  let cf = _BunCacheFolders.get(cwd)
+  if (undefined === cf) {
+    cf = ''
+    const sr = spawnSync('bun', ['pm', 'cache'], {
+      stdio: ['ignore', 'pipe', 'ignore'],
+      encoding: 'utf-8',
+      cwd
+    })
+    if (sr.status === 0) {
+      cf = sr.stdout.trim()
+    }
+    cf = cf.length > 0
+      ? `${resolve(cf)}${sep}`
+      : null
+    _BunCacheFolders.set(cwd, cf)
+  }
+  return cf
+}
+
+function mkRelativePath(absRoot: string, absPath: string): string {
+  const ybvcf = YarnBerryVirtualCacheRE.exec(absPath)?.[0]
+  if (ybvcf !== undefined) {
+    return `yarnCache:${absPath.slice(ybvcf.length)}`
+  }
+
+  const ycf = getYarnCacheFolder(absRoot)
+  if (ycf !== null && absPath.startsWith(ycf)) {
+    return `yarnCache:${absPath.slice(ycf.length)}`
+  }
+
+  const bcf = getBunCacheFolder(absRoot)
+  if (bcf !== null && absPath.startsWith(bcf)) {
+    return `bunCache:${absPath.slice(bcf.length)}`
+  }
+
+  return relative(absRoot, absPath)
+}
+
+export function mkRelativePathReproducibleHash(absRoot: string, absPath: string): string {
+  return sha256(
+    mkRelativePath(absRoot, absPath).replace(sep, '/')
+  )
+}
+
+// endregion relative paths

src/extractor.ts

@@ -17,7 +17,7 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import { dirname } from 'node:path'
+import {dirname} from 'node:path'
 
 import type { Builders as FromNodePackageJsonBuilders } from '@cyclonedx/cyclonedx-library/Contrib/FromNodePackageJson'
 import type { Utils as LicenseUtils } from '@cyclonedx/cyclonedx-library/Contrib/License'
@@ -27,7 +27,7 @@ import { ComponentEvidence, LicenseRepository, NamedLicense } from '@cyclonedx/c
 import type normalizePackageData from "normalize-package-data";
 import type { Compilation, Module } from 'webpack'
 
-import type { PackageDescription } from './_helpers'
+import type { PackageDescription} from './_helpers'
 import {
   getPackageConfig,
   isNonNullable,

src/plugin.ts

@@ -34,13 +34,12 @@ import spdxExpressionParse from "spdx-expression-parse"
 import type { Compiler } from 'webpack'
 import { Compilation, sources, version as WEBPACK_VERSION } from 'webpack'
 
-import type { PackageDescription } from './_helpers'
-import {
-  getPackageConfig,
+import type { PackageDescription} from './_helpers';
+import {  getPackageConfig,
   iterableSome,
   loadJsonFile,
-  normalizePackageManifest
-} from './_helpers'
+  mkRelativePathReproducibleHash,
+  normalizePackageManifest} from './_helpers'
 import { Extractor } from './extractor'
 import { PackageUrlFactory } from './factories'
 
@@ -259,8 +258,7 @@ export class CycloneDxWebpackPlugin {
       }
     }
 
-    const rcPath = getPackageConfig(compilation.compiler.context)?.path
-      ?? compilation.compiler.context
+    const compilerContext = compilation.compiler.context
 
     compilation.hooks.afterOptimizeTree.tap(
       pluginName,
@@ -275,12 +273,21 @@ export class CycloneDxWebpackPlugin {
 
         thisLogger.log('generating components...')
         const components = extractor.generateComponents(modules, this.collectEvidence, thisLogger.getChildLogger('Extractor'))
-        const rcComponentDetected = components.get(rcPath)
-        if ( undefined !== rcComponentDetected ) {
+        if ( this.reproducibleResults ) {
+          components.forEach((component, pkgPath) => {
+            /* eslint-disable-next-line no-param-reassign -- ack */
+            component.bomRef.value = mkRelativePathReproducibleHash(compilerContext, pkgPath)
+          })
+        }
+
+        const rcPath = getPackageConfig(compilerContext)?.path
+        const rcComponentDetected = rcPath === undefined ? undefined : components.get(rcPath)
+        if (undefined !== rcComponentDetected ) {
           if (this.rootComponentAutodetect) {
             thisLogger.debug('set bom.metadata.component', rcComponentDetected)
             bom.metadata.component = rcComponentDetected
-            components.delete(rcPath)
+            /* eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- ack */
+            components.delete(rcPath!)
           } else {
             const rcComponent = cdxComponentBuilder.makeComponent({
               name: this.rootComponentName,
@@ -295,13 +302,15 @@ export class CycloneDxWebpackPlugin {
               }
               thisLogger.debug('add to bom.metadata.component', rcComponentDetected)
               bom.metadata.component = rcComponent
-              components.delete(rcPath)
+              /* eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- ack */
+              components.delete(rcPath!)
             }
           }
         }
+
         for (const component of components.values()) {
-            thisLogger.debug('add to bom.components', component)
-            bom.components.add(component)
+          thisLogger.debug('add to bom.components', component)
+          bom.components.add(component)
         }
         thisLogger.log('generated components.')
 
@@ -420,11 +429,12 @@ export class CycloneDxWebpackPlugin {
     }
 
     const rComponent = bom.metadata.component
-    if (rComponent !== undefined) {
+    if (undefined !== rComponent) {
       this.#addRootComponentExtRefs(rComponent, logger)
       /* eslint-disable-next-line  @typescript-eslint/no-unsafe-type-assertion -- ack */
       rComponent.type = this.rootComponentType as Component['type']
-      rComponent.bomRef.value ??= '__root_component__'
+      /* eslint-disable-next-line  @typescript-eslint/prefer-nullish-coalescing -- intended for empty strings */
+      rComponent.bomRef.value ||= '__root_component__'
     }
     /* eslint-enable no-param-reassign */
   }