Fix name vs group for scoped components in CycloneDX output

eoftedal · eoftedal · commit 83d7943983ad · 2024-09-26T08:41:36.000+02:00
diff --git a/node/CHANGELOG.md b/node/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.2.4]
+
+### Bugfix
+
+- Fix name vs group for scoped components in CycloneDX output
+
 ## [5.2.3]
 
 ### Bugfix
diff --git a/node/lib/retire.js b/node/lib/retire.js
@@ -4,7 +4,7 @@
  */
 
 var exports = exports || {};
-exports.version = '5.2.3';
+exports.version = '5.2.4';
 
 function isDefined(o) {
   return typeof o !== 'undefined';
diff --git a/node/package-lock.json b/node/package-lock.json
diff --git a/node/package.json b/node/package.json
@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <erlend@oftedal.no>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "5.2.3",
+  "version": "5.2.4",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
diff --git a/node/src/reporters/cyclonedx-1_6-json.ts b/node/src/reporters/cyclonedx-1_6-json.ts
@@ -71,9 +71,11 @@ function configureCycloneDXJSONLogger(logger: Logger, writer: Writer, config: Lo
               existing.evidence.occurrences.push(...missing);
               return undefined;
             }
+            const nameParts = dep.component.split('/').reverse();
             const result = {
               type: 'library',
-              name: dep.component,
+              name: nameParts[0],
+              group: nameParts[1],
               version: dep.version,
               purl: purl,
               hashes: hashes,
diff --git a/node/src/reporters/cyclonedx-json.ts b/node/src/reporters/cyclonedx-json.ts
@@ -67,9 +67,11 @@ function configureCycloneDXJSONLogger(logger: Logger, writer: Writer, config: Lo
               existing.properties.push(...missing);
               return undefined;
             }
+            const nameParts = dep.component.split('/').reverse();
             const result = {
               type: 'library',
-              name: dep.component,
+              name: nameParts[0],
+              group: nameParts[1],
               version: dep.version,
               purl: purl,
               hashes: hashes,
diff --git a/node/src/reporters/cyclonedx.ts b/node/src/reporters/cyclonedx.ts
@@ -58,9 +58,10 @@ function configureCycloneDXLogger(logger: Logger, writer: Writer, config: Logger
             const purl = generatePURL(dep);
             if (seen.has(purl)) return '';
             seen.add(purl);
+            const nameParts = dep.component.split('/').reverse();
             return `
     <component type="library">
-      <name>${dep.component}</name>
+      <name>${nameParts[0]}</name>${nameParts.length > 1 ? `\n      <group>${nameParts[1]}</group>` : ''}
       <version>${dep.version}</version>${hashes}
       <licenses>${mapLicenses(dep.licenses)}</licenses>
       <purl>${purl}</purl>
