@cyclonedx/cdxgen 11.4.4 → 11.5.0

package/lib/managers/binary.js

@@ -604,15 +604,19 @@ export async function getOSPackages(src, imageConfig) {
             }
             comp.group = group;
             comp.name = name;
+            try {
+              purlObj = PackageURL.fromString(comp.purl);
+              purlObj.qualifiers = purlObj.qualifiers || {};
+            } catch (_err) {
+              // continue regardless of error
+            }
             if (group === "") {
               try {
-                purlObj = PackageURL.fromString(comp.purl);
-                if (purlObj.namespace && purlObj.namespace !== "") {
+                if (purlObj?.namespace && purlObj.namespace !== "") {
                   group = purlObj.namespace;
                   comp.group = group;
                   purlObj.namespace = group;
                 }
-                purlObj.qualifiers = purlObj.qualifiers || {};
                 if (distro_id?.length) {
                   purlObj.qualifiers["distro"] = distro_id;
                 }
@@ -621,7 +625,7 @@ export async function getOSPackages(src, imageConfig) {
                 }
                 // Bug fix for mageia and oracle linux
                 // Type is being returned as none for ubuntu as well!
-                if (purlObj.type === "none") {
+                if (purlObj?.type === "none") {
                   purlObj["type"] = purl_type;
                   purlObj["namespace"] = "";
                   comp.group = "";
@@ -641,11 +645,11 @@ export async function getOSPackages(src, imageConfig) {
                   ).toString();
                   comp["bom-ref"] = decodeURIComponent(comp.purl);
                 }
-                if (purlObj.type !== "none") {
+                if (purlObj?.type !== "none") {
                   allTypes.add(purlObj.type);
                 }
                 // Prefix distro codename for ubuntu
-                if (purlObj.qualifiers?.distro) {
+                if (purlObj?.qualifiers?.distro) {
                   allTypes.add(purlObj.qualifiers.distro);
                   if (OS_DISTRO_ALIAS[purlObj.qualifiers.distro]) {
                     distro_codename =
@@ -689,8 +693,28 @@ export async function getOSPackages(src, imageConfig) {
             }
             if (comp.purl.includes("epoch=")) {
               try {
-                purlObj = PackageURL.fromString(comp.purl);
-                purlObj.qualifiers = purlObj.qualifiers || {};
+                const epoch = purlObj.qualifiers?.epoch;
+                // trivy seems to be removing the epoch from the version and moving it to a qualifier
+                // let's fix this hack to improve confidence.
+                if (epoch) {
+                  purlObj.version = `${epoch}:${purlObj.version}`;
+                  comp.version = purlObj.version;
+                }
+                comp.evidence = {
+                  identity: [
+                    {
+                      field: "purl",
+                      confidence: 1,
+                      methods: [
+                        {
+                          technique: "other",
+                          confidence: 1,
+                          value: comp.purl,
+                        },
+                      ],
+                    },
+                  ],
+                };
                 if (distro_id?.length) {
                   purlObj.qualifiers["distro"] = distro_id;
                 }
@@ -756,16 +780,35 @@ export async function getOSPackages(src, imageConfig) {
             const compProperties = comp.properties;
             let srcName;
             let srcVersion;
+            let srcRelease;
+            let epoch;
             if (compProperties && Array.isArray(compProperties)) {
               for (const aprop of compProperties) {
+                // Property name: aquasecurity:trivy:SrcName
                 if (aprop.name.endsWith("SrcName")) {
                   srcName = aprop.value;
                 }
+                // Property name: aquasecurity:trivy:SrcVersion
                 if (aprop.name.endsWith("SrcVersion")) {
                   srcVersion = aprop.value;
                 }
+                // Property name: aquasecurity:trivy:SrcRelease
+                if (aprop.name.endsWith("SrcRelease")) {
+                  srcRelease = aprop.value;
+                }
+                // Property name: aquasecurity:trivy:SrcEpoch
+                if (aprop.name.endsWith("SrcEpoch")) {
+                  epoch = aprop.value;
+                }
               }
             }
+            // See issue #2067
+            if (srcVersion && srcRelease) {
+              srcVersion = `${srcVersion}-${srcRelease}`;
+            }
+            if (epoch) {
+              srcVersion = `${epoch}:${srcVersion}`;
+            }
             delete comp.properties;
             // Bug fix: We can get bom-ref like this: pkg:rpm/sles/libstdc%2B%2B6@14.2.0+git10526-150000.1.6.1?arch=x86_64&distro=sles-15.5
             if (
@@ -785,18 +828,44 @@ export async function getOSPackages(src, imageConfig) {
             if (compDeps) {
               dependenciesList.push(compDeps);
             }
-            // If there is a source package defined include it as well
+            // HACK: Many vulnerability databases, including vdb, track vulnerabilities based on source package names :(
+            // If there is a source package defined we include it as well to make such SCA scanners work.
+            // As a compromise, we reduce the confidence to zero so that there is a way to filter these out.
             if (srcName && srcVersion && srcName !== comp.name) {
               const newComp = Object.assign({}, comp);
               newComp.name = srcName;
               newComp.version = srcVersion;
+              newComp.tags = ["source"];
+              newComp.evidence = {
+                identity: [
+                  {
+                    field: "purl",
+                    confidence: 0,
+                    methods: [
+                      {
+                        technique: "filename",
+                        confidence: 0,
+                        value: comp.name,
+                      },
+                    ],
+                  },
+                ],
+              };
+              // Track upstream and source versions as qualifiers
               if (purlObj) {
+                const newCompQualifiers = {
+                  ...purlObj.qualifiers,
+                };
+                delete newCompQualifiers.epoch;
+                if (epoch) {
+                  newCompQualifiers.epoch = epoch;
+                }
                 newComp.purl = new PackageURL(
                   purlObj.type,
                   purlObj.namespace,
                   srcName,
                   srcVersion,
-                  purlObj.qualifiers,
+                  newCompQualifiers,
                   purlObj.subpath,
                 ).toString();
               }
@@ -879,7 +948,8 @@ function detectSdksRuntimes(comp, bundledSdks, bundledRuntimes) {
 
 const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
   try {
-    const tmpDependsOn = tmpDependencies[origBomRef] || [];
+    const tmpDependsOn =
+      tmpDependencies[origBomRef] || tmpDependencies[comp["bom-ref"]] || [];
     const dependsOn = new Set();
     tmpDependsOn.forEach((d) => {
       try {
@@ -896,6 +966,14 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
             tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
           }
         }
+        if (tmpPurl.qualifiers) {
+          if (
+            tmpPurl.qualifiers.epoch &&
+            !tmpPurl.version.startsWith(`${tmpPurl.qualifiers.epoch}:`)
+          ) {
+            tmpPurl.version = `${tmpPurl.qualifiers.epoch}:${tmpPurl.version}`;
+          }
+        }
         dependsOn.add(decodeURIComponent(tmpPurl.toString()));
       } catch (_e) {
         // ignore

package/lib/managers/docker.js

@@ -474,7 +474,6 @@ export const getConnection = async (options, forRegistry) => {
           if (_platform() === "win32") {
             console.warn(
               "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on.",
-              opts,
             );
           } else if (_platform() === "darwin" && !isNerdctl) {
             if (detectRancherDesktop() || detectColima()) {
@@ -488,7 +487,6 @@ export const getConnection = async (options, forRegistry) => {
           } else {
             console.warn(
               "Ensure docker/podman service or Docker for Desktop is running.",
-              opts,
             );
             console.log(
               "Check if the post-installation steps were performed correctly as per this documentation https://docs.docker.com/engine/install/linux-postinstall/",
@@ -693,7 +691,7 @@ export const getImage = async (fullImageName) => {
           console.log(
             "Set the environment variable DOCKER_CMD to use an alternative command such as nerdctl or podman.",
           );
-        } else {
+        } else if (result.stderr) {
           console.log(result.stderr);
         }
       }
@@ -702,7 +700,9 @@ export const getImage = async (fullImageName) => {
       encoding: "utf-8",
     });
     if (result.status !== 0 || result.error) {
-      console.log(result.stderr);
+      if (result.stderr) {
+        console.log(result.stderr);
+      }
       return localData;
     }
     try {
@@ -847,6 +847,43 @@ function handleAbsolutePath(entry) {
   }
 }
 
+// These paths are known to cause extract errors
+const EXTRACT_EXCLUDE_PATHS = [
+  "etc/machine-id",
+  "etc/gshadow",
+  "etc/shadow",
+  "etc/passwd",
+  "etc/ssl/certs",
+  "etc/pki/ca-trust",
+  "usr/lib/systemd/",
+  "usr/lib64/libdevmapper.so",
+  "usr/sbin/",
+  "cacerts",
+  "ssl/certs",
+  "logs/",
+  "dev/",
+  "usr/share/zoneinfo/",
+  "usr/share/doc/",
+  "usr/share/i18n/",
+  "var/lib/ca-certificates",
+  "root/.gnupg",
+  "root/.dotnet",
+  "usr/share/licenses/device-mapper-libs",
+];
+
+// These device types are known to cause extract errors
+const EXTRACT_EXCLUDE_TYPES = new Set([
+  "BlockDevice",
+  "CharacterDevice",
+  "FIFO",
+  "MultiVolume",
+  "TapeVolume",
+  "SymbolicLink",
+  "RenamedOrSymlinked",
+  "HardLink",
+  "Link",
+]);
+
 export const extractTar = async (fullImageName, dir, options) => {
   try {
     await stream.pipeline(
@@ -866,39 +903,11 @@ export const extractTar = async (fullImageName, dir, options) => {
         },
         onReadEntry: handleAbsolutePath,
         filter: (path, entry) => {
-          // Some files are known to cause issues with extract
+          const name = basename(path);
           return !(
-            path.includes("etc/machine-id") ||
-            path.includes("etc/gshadow") ||
-            path.includes("etc/shadow") ||
-            path.includes("etc/passwd") ||
-            path.includes("etc/ssl/certs") ||
-            path.includes("etc/pki/ca-trust") ||
-            path.includes("usr/lib/systemd/") ||
-            path.includes("usr/lib64/libdevmapper.so") ||
-            path.includes("usr/sbin/") ||
-            path.includes("cacerts") ||
-            path.includes("ssl/certs") ||
-            path.includes("logs/") ||
-            path.includes("dev/") ||
-            path.includes("usr/share/zoneinfo/") ||
-            path.includes("usr/share/doc/") ||
-            path.includes("usr/share/i18n/") ||
-            path.includes("var/lib/ca-certificates") ||
-            path.includes("root/.gnupg") ||
-            basename(path).startsWith(".") ||
-            path.includes("usr/share/licenses/device-mapper-libs") ||
-            [
-              "BlockDevice",
-              "CharacterDevice",
-              "FIFO",
-              "MultiVolume",
-              "TapeVolume",
-              "SymbolicLink",
-              "RenamedOrSymlinked",
-              "HardLink",
-              "Link",
-            ].includes(entry.type)
+            name.startsWith(".") ||
+            EXTRACT_EXCLUDE_PATHS.some((p) => path.includes(p)) ||
+            EXTRACT_EXCLUDE_TYPES.has(entry.type)
           );
         },
       }),
@@ -937,7 +946,8 @@ export const extractTar = async (fullImageName, dir, options) => {
     } else if (["TAR_ENTRY_INFO", "TAR_ENTRY_INVALID"].includes(err.code)) {
       if (
         err?.header?.path?.includes("{") ||
-        err?.message?.includes("linkpath required")
+        err?.message?.includes("linkpath required") ||
+        err?.message?.includes("linkpath forbidden")
       ) {
         return false;
       }

package/lib/server/server.js

@@ -9,7 +9,14 @@ import compression from "compression";
 import connect from "connect";
 
 import { createBom, submitBom } from "../cli/index.js";
-import { getTmpDir, isSecureMode, safeSpawnSync } from "../helpers/utils.js";
+import {
+  getTmpDir,
+  hasDangerousUnicode,
+  isSecureMode,
+  isValidDriveRoot,
+  isWin,
+  safeSpawnSync,
+} from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
 
 // Timeout milliseconds. Default 10 mins
@@ -57,19 +64,90 @@ app.use(
 );
 app.use(compression());
 
+/**
+ * Checks the given hostname against the allowed list.
+ *
+ * @param {string} hostname Host name to check
+ * @returns {boolean} true if the hostname in its entirety is allowed. false otherwise.
+ */
 export function isAllowedHost(hostname) {
   if (!process.env.CDXGEN_SERVER_ALLOWED_HOSTS) {
     return true;
   }
+  // Guard against dangerous Unicode characters
+  if (hasDangerousUnicode(hostname)) {
+    return false;
+  }
   return (process.env.CDXGEN_SERVER_ALLOWED_HOSTS || "")
     .split(",")
     .includes(hostname);
 }
 
+/**
+ * Checks the given path string to belong to a drive in Windows.
+ *
+ * @param {string} p Path string to check
+ * @returns {boolean} true if the windows path belongs to a drive. false otherwise (device names)
+ */
+export function isAllowedWinPath(p) {
+  if (typeof p !== "string") {
+    return false;
+  }
+  if (p === "") {
+    return true;
+  }
+  // Guard against dangerous Unicode characters
+  if (hasDangerousUnicode(p)) {
+    return false;
+  }
+  try {
+    const normalized = path.normalize(p);
+    // Check the entire normalized path for dangerous patterns
+    if (hasDangerousUnicode(normalized)) {
+      return false;
+    }
+    const { root } = path.parse(normalized);
+    // Both Relative paths and invalid windows device names are resulting in an empty root
+    // To keep things simple, we don't accept relative paths for Windows server-mode users at all
+
+    // Invocations with unix-style paths result in "\\" as the root on windows
+    // path.parse(path.normalize("/foo/bar"))
+    // { root: '\\', dir: '\\foo', base: 'bar', ext: '', name: 'bar' }
+    if (root === "\\") {
+      return true;
+    }
+    // Check for device/UNC paths - these should always return false
+    if (root.startsWith("\\\\")) {
+      return false;
+    }
+    // Strict validation for drive letter format
+    return isValidDriveRoot(root);
+  } catch (_err) {
+    return false;
+  }
+}
+
+/**
+ * Checks the given path against the allowed list.
+ *
+ * @param {string} p Path string to check
+ * @returns {boolean} true if the path is present in the allowed paths. false otherwise.
+ */
 export function isAllowedPath(p) {
+  if (typeof p !== "string") {
+    return false;
+  }
+  // Guard against dangerous Unicode characters
+  if (hasDangerousUnicode(p)) {
+    return false;
+  }
   if (!process.env.CDXGEN_SERVER_ALLOWED_PATHS) {
     return true;
   }
+  // Handle CVE-2025-27210 without relying entirely on node blocklists
+  if (isWin && !isAllowedWinPath(p)) {
+    return false;
+  }
   return (process.env.CDXGEN_SERVER_ALLOWED_PATHS || "")
     .split(",")
     .some((ap) => p.startsWith(ap));
@@ -90,7 +168,8 @@ function gitClone(repoUrl, branch = null) {
     tempDir,
   ];
   if (branch) {
-    gitArgs.splice(2, 0, "--branch", branch);
+    const cloneIndex = gitArgs.indexOf("clone");
+    gitArgs.splice(cloneIndex + 1, 0, "--branch", branch);
   }
   console.log(
     `Cloning Repo${branch ? ` with branch ${branch}` : ""} to ${tempDir}`,
@@ -174,6 +253,39 @@ export function parseQueryString(q, body = {}, options = {}) {
   return options;
 }
 
+export function getQueryParams(req) {
+  try {
+    if (!req || !req.url) {
+      return {};
+    }
+
+    const protocol = req.protocol || "http";
+    const host = req.headers?.host || "localhost";
+    const baseUrl = `${protocol}://${host}`;
+
+    const fullUrl = new URL(req.url, baseUrl);
+    const params = {};
+
+    // Convert multiple values to an array
+    for (const [key, value] of fullUrl.searchParams) {
+      if (params[key]) {
+        if (Array.isArray(params[key])) {
+          params[key].push(value);
+        } else {
+          params[key] = [params[key], value];
+        }
+      } else {
+        params[key] = value;
+      }
+    }
+
+    return params;
+  } catch (error) {
+    console.error("Error parsing URL:", error);
+    return {};
+  }
+}
+
 const applyProfileOptions = (options) => {
   switch (options.profile) {
     case "appsec":
@@ -257,8 +369,7 @@ const start = (options) => {
         }),
       );
     }
-    const requestUrl = new URL(req.url, `http://${req.headers.host}`);
-    const q = Object.fromEntries(requestUrl.searchParams.entries());
+    const q = getQueryParams(req);
     let cleanup = false;
     let reqOptions = {};
     try {
@@ -277,7 +388,7 @@ const start = (options) => {
         }),
       );
     }
-    const filePath = q.path || q.url || req.body.path || req.body.url;
+    const filePath = q?.path || q?.url || req?.body?.path || req?.body?.url;
     if (!filePath) {
       res.writeHead(500, { "Content-Type": "application/json" });
       return res.end(
@@ -302,7 +413,10 @@ const start = (options) => {
       srcDir = gitClone(filePath, reqOptions.gitBranch);
       cleanup = true;
     } else {
-      if (!isAllowedPath(path.resolve(srcDir))) {
+      if (
+        !isAllowedPath(path.resolve(srcDir)) ||
+        (isWin && !isAllowedWinPath(srcDir))
+      ) {
         res.writeHead(403, { "Content-Type": "application/json" });
         return res.end(
           JSON.stringify({