@cyclonedx/cdxgen 12.1.3 → 12.1.5

package/lib/stages/pregen/env-audit.poku.js

@@ -0,0 +1,290 @@
+import { strict as assert } from "node:assert";
+
+import { describe, test } from "poku";
+
+import { auditEnvironment } from "./env-audit.js";
+
+const NODE_OPTIONS_ATTACK_VECTORS = [
+  {
+    name: "--require flag",
+    value: "--require ./evil.js",
+    expectedMatch: true,
+  },
+  {
+    name: "--require with uppercase",
+    value: "--REQUIRE ./evil.js",
+    expectedMatch: true,
+  },
+  {
+    name: "-r short flag",
+    value: "-r ./evil.js",
+    expectedMatch: false,
+  },
+  {
+    name: "--eval flag",
+    value: "--eval \"console.log('pwned')\"",
+    expectedMatch: true,
+  },
+  {
+    name: "--eval with complex payload",
+    value: "--eval \"require('child_process').execSync('id')\"",
+    expectedMatch: true,
+  },
+  {
+    name: "-e short flag",
+    value: "-e \"console.log('test')\"",
+    expectedMatch: false,
+  },
+  {
+    name: "--import flag (Node 18+)",
+    value: "--import ./malicious.mjs",
+    expectedMatch: true,
+  },
+  {
+    name: "--loader flag",
+    value: "--loader ./hook-loader.js",
+    expectedMatch: true,
+  },
+  {
+    name: "--inspect flag",
+    value: "--inspect=0.0.0.0:9229",
+    expectedMatch: true,
+  },
+  {
+    name: "--inspect-brk flag",
+    value: "--inspect-brk=9229",
+    expectedMatch: true,
+  },
+  {
+    name: "--inspect with host",
+    value: "--inspect 127.0.0.1:9229",
+    expectedMatch: true,
+  },
+  {
+    name: "safe memory flag",
+    value: "--max-old-space-size=4096",
+    expectedMatch: false,
+  },
+  {
+    name: "safe GC flag",
+    value: "--expose-gc",
+    expectedMatch: false,
+  },
+  {
+    name: "safe trace flag",
+    value: "--trace-warnings",
+    expectedMatch: false,
+  },
+  {
+    name: "multiple flags with one malicious",
+    value: "--max-old-space-size=4096 --require ./evil.js",
+    expectedMatch: true,
+  },
+  {
+    name: "empty string",
+    value: "",
+    expectedMatch: false,
+  },
+  {
+    name: "whitespace only",
+    value: "   ",
+    expectedMatch: false,
+  },
+];
+
+const DANGEROUS_ENV_VAR_CASES = [
+  {
+    name: "NODE_NO_WARNINGS set",
+    env: { NODE_NO_WARNINGS: "1" },
+    expectedWarnings: 1,
+    expectedVar: "NODE_NO_WARNINGS",
+  },
+  {
+    name: "NODE_PENDING_DEPRECATION set",
+    env: { NODE_PENDING_DEPRECATION: "1" },
+    expectedWarnings: 1,
+    expectedVar: "NODE_PENDING_DEPRECATION",
+  },
+  {
+    name: "UV_THREADPOOL_SIZE set",
+    env: { UV_THREADPOOL_SIZE: "128" },
+    expectedWarnings: 1,
+    expectedVar: "UV_THREADPOOL_SIZE",
+  },
+  {
+    name: "all dangerous vars set",
+    env: {
+      NODE_NO_WARNINGS: "1",
+      NODE_PENDING_DEPRECATION: "1",
+      UV_THREADPOOL_SIZE: "128",
+    },
+    expectedWarnings: 3,
+    expectedVar: null,
+  },
+  {
+    name: "no dangerous vars",
+    env: { PATH: "/usr/bin", HOME: "/home/user" },
+    expectedWarnings: 0,
+    expectedVar: null,
+  },
+  {
+    name: "dangerous var with empty value (falsy)",
+    env: { NODE_NO_WARNINGS: "" },
+    expectedWarnings: 0,
+    expectedVar: null,
+  },
+];
+
+const COMBINED_ATTACK_CASES = [
+  {
+    name: "NODE_OPTIONS attack + dangerous vars",
+    env: {
+      NODE_OPTIONS: "--require ./evil.js",
+      NODE_NO_WARNINGS: "1",
+      UV_THREADPOOL_SIZE: "128",
+    },
+    minWarnings: 3,
+  },
+  {
+    name: "multiple NODE_OPTIONS patterns",
+    env: {
+      NODE_OPTIONS: '--require ./a.js --eval "code" --inspect',
+    },
+    minWarnings: 3,
+  },
+  {
+    name: "clean environment",
+    env: {},
+    minWarnings: 0,
+  },
+];
+
+describe("auditEnvironment - NODE_OPTIONS Detection", () => {
+  for (const tc of NODE_OPTIONS_ATTACK_VECTORS) {
+    test(`should detect ${tc.name}`, () => {
+      const env = { NODE_OPTIONS: tc.value };
+      const warnings = auditEnvironment(env);
+
+      const hasSuspiciousWarning = warnings.some((w) =>
+        w.includes("NODE_OPTIONS contains code execution flag"),
+      );
+
+      if (tc.expectedMatch) {
+        assert.ok(
+          hasSuspiciousWarning,
+          `Expected warning for ${tc.name} but got: ${warnings.join(", ")}`,
+        );
+      } else {
+        assert.ok(
+          !hasSuspiciousWarning,
+          `Unexpected warning for ${tc.name}: ${warnings.join(", ")}`,
+        );
+      }
+    });
+  }
+});
+
+describe("auditEnvironment - Dangerous Env Vars", () => {
+  for (const tc of DANGEROUS_ENV_VAR_CASES) {
+    test(`should handle ${tc.name}`, () => {
+      const warnings = auditEnvironment(tc.env);
+
+      assert.strictEqual(
+        warnings.length,
+        tc.expectedWarnings,
+        `Expected ${tc.expectedWarnings} warnings, got ${warnings.length}: ${warnings.join(", ")}`,
+      );
+
+      if (tc.expectedVar) {
+        assert.ok(
+          warnings.some((w) => w.includes(tc.expectedVar)),
+          `Expected warning about ${tc.expectedVar} but got: ${warnings.join(", ")}`,
+        );
+      }
+    });
+  }
+});
+
+describe("auditEnvironment - Combined Attacks", () => {
+  for (const tc of COMBINED_ATTACK_CASES) {
+    test(`should handle ${tc.name}`, () => {
+      const warnings = auditEnvironment(tc.env);
+
+      assert.ok(
+        warnings.length >= tc.minWarnings,
+        `Expected at least ${tc.minWarnings} warnings, got ${warnings.length}: ${warnings.join(", ")}`,
+      );
+    });
+  }
+});
+
+describe("auditEnvironment - Edge Cases", () => {
+  test("should handle undefined NODE_OPTIONS", () => {
+    const warnings = auditEnvironment({});
+    const hasSuspiciousWarning = warnings.some((w) =>
+      w.includes("NODE_OPTIONS contains code execution flag"),
+    );
+    assert.ok(!hasSuspiciousWarning);
+  });
+
+  test("should handle null env (uses process.env)", () => {
+    const warnings = auditEnvironment();
+    assert.ok(Array.isArray(warnings));
+  });
+
+  test("should return empty array for completely clean env", () => {
+    const warnings = auditEnvironment({
+      PATH: "/usr/bin",
+      HOME: "/home/user",
+      LANG: "en_US.UTF-8",
+    });
+    assert.deepStrictEqual(warnings, []);
+  });
+
+  test("should detect all dangerous vars individually", () => {
+    const warnings1 = auditEnvironment({ NODE_NO_WARNINGS: "1" });
+    const warnings2 = auditEnvironment({ NODE_PENDING_DEPRECATION: "1" });
+    const warnings3 = auditEnvironment({ UV_THREADPOOL_SIZE: "128" });
+
+    assert.strictEqual(warnings1.length, 1);
+    assert.strictEqual(warnings2.length, 1);
+    assert.strictEqual(warnings3.length, 1);
+
+    assert.ok(warnings1[0].includes("NODE_NO_WARNINGS"));
+    assert.ok(warnings2[0].includes("NODE_PENDING_DEPRECATION"));
+    assert.ok(warnings3[0].includes("UV_THREADPOOL_SIZE"));
+  });
+
+  test("should be case-sensitive for env var names", () => {
+    const warnings = auditEnvironment({
+      node_no_warnings: "1",
+      Node_Options: "--require ./evil.js",
+    });
+    assert.strictEqual(warnings.length, 0);
+  });
+});
+
+describe("auditEnvironment - Warning Message Format", () => {
+  test("dangerous var warning should mention unsetting", () => {
+    const warnings = auditEnvironment({ NODE_NO_WARNINGS: "1" });
+    assert.ok(warnings[0].includes("Unset"));
+    assert.ok(warnings[0].includes("NODE_NO_WARNINGS"));
+  });
+
+  test("NODE_OPTIONS warning should mention the pattern", () => {
+    const warnings = auditEnvironment({ NODE_OPTIONS: "--require ./evil.js" });
+    assert.ok(warnings[0].includes("NODE_OPTIONS"));
+    assert.ok(warnings[0].includes("code execution flag"));
+  });
+
+  test("warnings should be human-readable strings", () => {
+    const warnings = auditEnvironment({
+      NODE_OPTIONS: "--eval test",
+      NODE_NO_WARNINGS: "1",
+    });
+    for (const w of warnings) {
+      assert.strictEqual(typeof w, "string");
+      assert.ok(w.length > 0);
+    }
+  });
+});

package/lib/third-party/arborist/lib/deepest-nesting-target.js

@@ -9,7 +9,7 @@ const deepestNestingTarget = (start, name) => {
       return target;
     }
     const targetEdge = target.edgesOut.get(name);
-    if (!targetEdge || !targetEdge.peer) {
+    if (!targetEdge?.peer) {
       return target;
     }
   }

package/lib/third-party/arborist/lib/node.js

@@ -1052,7 +1052,7 @@ class Node {
     }
 
     // it's a top level pkg, or a dep of one
-    if (!this.resolveParent || !this.resolveParent.resolveParent) {
+    if (!this.resolveParent?.resolveParent) {
       return false;
     }
 
@@ -1382,7 +1382,7 @@ class Node {
 
   updateOverridesEdgeInRemoved(otherOverrideSet) {
     // If this edge's overrides isn't equal to this node's overrides, then removing it won't change newOverrideSet later.
-    if (!this.overrides || !this.overrides.isEqual(otherOverrideSet)) {
+    if (!this.overrides?.isEqual(otherOverrideSet)) {
       return false;
     }
     let newOverrideSet;
@@ -1453,7 +1453,7 @@ class Node {
 
   addEdgeIn(edge) {
     // We need to handle the case where the new edge in has an overrides field which is different from the current value.
-    if (!this.overrides || !this.overrides.isEqual(edge.overrides)) {
+    if (!this.overrides?.isEqual(edge.overrides)) {
       this.updateOverridesEdgeInAdded(edge.overrides);
     }
     this.edgesIn.add(edge);

package/lib/third-party/arborist/lib/shrinkwrap.js

@@ -897,7 +897,7 @@ class Shrinkwrap {
     }
 
     // if the yarn lock is empty, nothing to do
-    if (!this.yarnLock.entries || !this.yarnLock.entries.size) {
+    if (!this.yarnLock.entries?.size) {
       return;
     }
 

package/lib/third-party/arborist/lib/tree-check.js

@@ -5,7 +5,7 @@ const checkTree = (tree, checkUnreachable = true) => {
 
   // this can only happen in tests where we have a "tree" object
   // that isn't actually a tree.
-  if (!tree.root || !tree.root.inventory) {
+  if (!tree.root?.inventory) {
     return tree;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "12.1.3",
+  "version": "12.1.5",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -129,21 +129,21 @@
     "semver": "7.7.4",
     "ssri": "13.0.1",
     "table": "6.9.0",
-    "tar": "7.5.11",
+    "tar": "7.5.13",
     "treeverse": "3.0.0",
     "uuid": "13.0.0",
     "walk-up-path": "4.0.0",
     "xml-js": "1.6.11",
-    "yaml": "2.8.2",
+    "yaml": "2.8.3",
     "yargs": "18.0.0",
     "yoctocolors": "2.1.2"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.4.7",
+    "@biomejs/biome": "2.4.10",
     "esmock": "2.7.3",
-    "poku": "4.1.0",
+    "poku": "4.2.0",
     "sinon": "21.0.3",
-    "typescript": "5.9.3"
+    "typescript": "6.0.2"
   },
   "optionalDependencies": {
     "@appthreat/atom": "2.5.2",

package/types/lib/cli/index.d.ts

@@ -7,7 +7,7 @@
  * @param {Object} pkg Package object
  * @param {string} ptype Package type
  */
-export function listComponents(options: any, allImports: any, pkg: any, ptype?: string): any[];
+export function listComponents(options: Object, allImports: Object, pkg: Object, ptype?: string): any[];
 /**
  * Function to create bom string for Java jars
  *
@@ -16,43 +16,43 @@ export function listComponents(options: any, allImports: any, pkg: any, ptype?:
  *
  * @returns {Object} BOM with namespace mapping
  */
-export function createJarBom(path: string, options: any): any;
+export function createJarBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for Android apps using blint
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createAndroidBom(path: string, options: any): {
+export function createAndroidBom(path: string, options: Object): {
     bomJson: any;
     dependencies: any;
     parentComponent: any;
-};
+} | undefined;
 /**
  * Function to create bom string for binaries using blint
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createBinaryBom(path: string, options: any): {
+export function createBinaryBom(path: string, options: Object): {
     bomJson: any;
     dependencies: any;
     parentComponent: any;
-};
+} | undefined;
 /**
  * Function to create bom string for Java projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createJavaBom(path: string, options: any): Promise<any>;
+export function createJavaBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for Node.js projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createNodejsBom(path: string, options: any): Promise<any>;
+export function createNodejsBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for Projects that use Pixi package manager.
  * createPixiBom is based on createPythonBom.
@@ -64,161 +64,161 @@ export function createNodejsBom(path: string, options: any): Promise<any>;
  * @param {String} path
  * @param {Object} options
  */
-export function createPixiBom(path: string, options: any): any;
+export function createPixiBom(path: string, options: Object): Object | null;
 /**
  * Function to create bom string for Python projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createPythonBom(path: string, options: any): Promise<any>;
+export function createPythonBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for Go projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createGoBom(path: string, options: any): Promise<any>;
+export function createGoBom(path: string, options: Object): Promise<Object | undefined>;
 /**
  * Function to create bom string for Rust projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createRustBom(path: string, options: any): Promise<any>;
+export function createRustBom(path: string, options: Object): Promise<Object | undefined>;
 /**
  * Function to create bom string for Dart projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createDartBom(path: string, options: any): Promise<any>;
+export function createDartBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for cpp projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCppBom(path: string, options: any): any;
+export function createCppBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for clojure projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createClojureBom(path: string, options: any): any;
+export function createClojureBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for Haskell projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createHaskellBom(path: string, options: any): any;
+export function createHaskellBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for Elixir projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createElixirBom(path: string, options: any): any;
+export function createElixirBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for GitHub action workflows
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createGitHubBom(path: string, options: any): any;
+export function createGitHubBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for cloudbuild yaml
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCloudBuildBom(path: string, options: any): any;
+export function createCloudBuildBom(path: string, options: Object): Object;
 /**
  * Function to create obom string for the current OS using osquery
  *
  * @param {string} _path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createOSBom(_path: string, options: any): Promise<any>;
+export function createOSBom(_path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for Jenkins plugins
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createJenkinsBom(path: string, options: any): Promise<any>;
+export function createJenkinsBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for Helm charts
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createHelmBom(path: string, options: any): any;
+export function createHelmBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for swift projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createSwiftBom(path: string, options: any): Promise<any>;
+export function createSwiftBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for cocoa projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCocoaBom(path: string, options: any): Promise<any>;
+export function createCocoaBom(path: string, options: Object): Promise<Object | undefined>;
 /**
  * Function to create bom string for Nix flakes
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createNixBom(path: string, options: any): Promise<any>;
+export function createNixBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for caxa SEA binaries
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCaxaBom(path: string, options: any): Promise<any>;
+export function createCaxaBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for docker compose
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createContainerSpecLikeBom(path: string, options: any): any;
+export function createContainerSpecLikeBom(path: string, options: Object): any;
 /**
  * Function to create bom string for php projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createPHPBom(path: string, options: any): any;
+export function createPHPBom(path: string, options: Object): Object;
 /**
  * Function to create bom string for ruby projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createRubyBom(path: string, options: any): Promise<any>;
+export function createRubyBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom string for csharp projects
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCsharpBom(path: string, options: any): Promise<any>;
+export function createCsharpBom(path: string, options: Object): Promise<Object | undefined>;
 /**
  * Function to create bom object for cryptographic certificate files
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createCryptoCertsBom(path: string, options: any): Promise<{
+export function createCryptoCertsBom(path: string, options: Object): Promise<{
     bomJson: {
         components: {
             name: any;
@@ -241,11 +241,11 @@ export function createCryptoCertsBom(path: string, options: any): Promise<{
 }>;
 export function mergeDependencies(dependencies: any, newDependencies: any, parentComponent?: {}): ({
     ref: string;
-    dependsOn: any;
-    provides: any;
+    dependsOn: any[];
+    provides: any[];
 } | {
     ref: string;
-    dependsOn: any;
+    dependsOn: any[];
     provides?: undefined;
 })[];
 /**
@@ -266,28 +266,28 @@ export function trimComponents(components: any[]): any[];
  *
  * @returns {Object} Object including BOM Json
  */
-export function dedupeBom(options: any, components: any[], parentComponent: any, dependencies: any[]): any;
+export function dedupeBom(options: Object, components: any[], parentComponent: Object, dependencies: any[]): Object;
 /**
  * Function to create bom string for all languages
  *
  * @param {string[]} pathList list of to the project
  * @param {Object} options Parse options from the cli
  */
-export function createMultiXBom(pathList: string[], options: any): Promise<any>;
+export function createMultiXBom(pathList: string[], options: Object): Promise<Object>;
 /**
  * Function to create bom string for various languages
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createXBom(path: string, options: any): Promise<any>;
+export function createXBom(path: string, options: Object): Promise<any>;
 /**
  * Function to create bom string for various languages
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
  */
-export function createBom(path: string, options: any): any;
+export function createBom(path: string, options: Object): any;
 /**
  * Method to submit the generated bom to dependency-track or cyclonedx server
  *
@@ -296,7 +296,7 @@ export function createBom(path: string, options: any): any;
  * @return {Promise<{ token: string } | undefined>} a promise with a token (if request was successful) or undefined (in case of invalid arguments)
  * @throws {Error} if the request fails
  */
-export function submitBom(args: any, bomContents: any): Promise<{
+export function submitBom(args: Object, bomContents: Object): Promise<{
     token: string;
 } | undefined>;
 //# sourceMappingURL=index.d.ts.map