@cyclonedx/cdxgen 12.1.4 → 12.2.0

package/lib/helpers/utils.poku.js

@@ -7,6 +7,7 @@ import { assert, describe, it, test } from "poku";
 import { parse } from "ssri";
 import { parse as loadYaml } from "yaml";
 
+import { validateRefs } from "../validator/bomValidator.js";
 import {
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
@@ -113,7 +114,6 @@ import {
   toGemModuleNames,
   yarnLockToIdentMap,
 } from "./utils.js";
-import { validateRefs } from "./validator.js";
 
 it("SSRI test", () => {
   // gopkg.lock hash
@@ -2596,12 +2596,15 @@ it("parse mix lock data", () => {
 it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
-  assert.deepStrictEqual(dep_list.length, 8);
+  assert.deepStrictEqual(dep_list.length, 13);
   assert.deepStrictEqual(dep_list[0], {
+    "bom-ref":
+      "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    type: "application",
     group: "actions",
     name: "checkout",
-    version: "6.0.2",
-    purl: "pkg:github/actions/checkout@6.0.2?commit=de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    version: "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    purl: "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
     properties: [
       {
         name: "SrcFile",
@@ -2611,6 +2614,10 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:workflow:name",
         value: "Node CI",
       },
+      {
+        name: "cdx:github:workflow:file",
+        value: "./.github/workflows/nodejs.yml",
+      },
       {
         name: "cdx:github:job:name",
         value: "read-node-versions",
@@ -2631,277 +2638,40 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:action:isShaPinned",
         value: "true",
       },
-      {
-        name: "cdx:github:workflow:concurrencyGroup",
-        value:
-          "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}",
-      },
       {
         name: "cdx:actions:isOfficial",
         value: "true",
       },
+      {
+        name: "cdx:github:checkout:persistCredentials",
+        value: "false",
+      },
       {
         name: "cdx:github:workflow:triggers",
         value: "pull_request,push,workflow_dispatch",
       },
     ],
+    scope: "required",
     evidence: {
-      identity: {
-        field: "purl",
-        confidence: 0.7,
-        methods: [
-          {
-            technique: "source-code-analysis",
-            confidence: 0.7,
-            value: "./.github/workflows/nodejs.yml",
-          },
-        ],
-      },
-    },
-  });
-  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
-  assert.deepStrictEqual(dep_list.length, 4);
-  assert.deepStrictEqual(dep_list, [
-    {
-      group: "pixel",
-      name: "steamcmd",
-      version: "1.2.7",
-      purl: "pkg:github/pixel/steamcmd@1.2.7?commit=foo",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "pixel/steamcmd@foo",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 1",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch",
-      version: "8.2.0",
-      purl: "pkg:github/tj/branch@8.2.0?commit=47dd",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "tj/branch@47dd",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 2",
-        },
+      identity: [
         {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
           field: "purl",
-          confidence: 0.7,
+          confidence: 0.5,
           methods: [
             {
               technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
+              confidence: 0.5,
+              value: "./.github/workflows/nodejs.yml",
             },
           ],
         },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch2",
-      version: "08",
-      purl: "pkg:github/tj/branch2@08?tag=v0.0.18",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "tj/branch2@v0.0.18",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 3",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
       ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
     },
-    {
-      group: "github/codeql-action",
-      name: "upload-sarif",
-      version: "3.30.3",
-      purl: "pkg:github/github/codeql-action/upload-sarif@3.30.3?commit=192325c86100d080feab897ff886c34abd4c83a3",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value:
-            "github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "sha",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "true",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Upload to code-scanning",
-        },
-        {
-          name: "cdx:actions:isOfficial",
-          value: "true",
-        },
-        {
-          name: "cdx:actions:isVerified",
-          value: "true",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-  ]);
+  });
+  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
+  assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 17);
+  assert.deepStrictEqual(dep_list.length, 90);
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
@@ -4472,7 +4242,10 @@ it("pnpmMetadata with scoped packages", async () => {
 it("pnpmMetadata integration with parsePnpmLock", async () => {
   // Test that the integration works by parsing a real pnpm lock file
   const parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-
+  const externalRefDistPackages = parsedList.pkgList.filter((pkg) =>
+    pkg.externalReferences?.some((p) => p.type === "distribution"),
+  );
+  assert.ok(externalRefDistPackages.length > 0);
   // Check that some packages have been enhanced with LocalNodeModulesPath
   const enhancedPackages = parsedList.pkgList.filter((pkg) =>
     pkg.properties?.some((p) => p.name === "LocalNodeModulesPath"),
@@ -5694,6 +5467,33 @@ it("parseComposerLock", () => {
     ref: "pkg:composer/doctrine/annotations@v1.2.1",
     dependsOn: ["pkg:composer/doctrine/lexer@v1.0"],
   });
+
+  // Platform requirements (php, ext-*) must not appear in rootList
+  const platformRootRequires = {
+    php: "^7.1.3|^8",
+    "ext-SimpleXML": "*",
+    "ext-dom": "*",
+    "amphp/amp": "^2.1",
+    "amphp/byte-stream": "^1.5",
+  };
+  retMap = parseComposerLock(
+    "./test/data/composer-2.lock",
+    platformRootRequires,
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name === "php"),
+    "php must not be in rootList",
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name?.startsWith("ext-")),
+    "ext-* must not be in rootList",
+  );
+  // Regular packages that are in rootRequires should still be in rootList
+  // Note: apkg.name is basename(pkg.name), so "amphp/amp" → name "amp"
+  assert.ok(
+    retMap.rootList.some((p) => p.name === "amp"),
+    "amphp/amp should be in rootList",
+  );
 });
 
 it("parseComposerJson", () => {
@@ -6367,6 +6167,18 @@ it("parse requirements.txt", async () => {
         ],
       },
     },
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "19297512c647d4b27a2cf7c34caa7e405c0d60b5560618a29a9fe027b18b0107",
+      },
+      {
+        alg: "SHA-256",
+        content:
+          "84ec2218d8419404abcb9f0c02df3f34c6e0a68ed41072acfb1cef5cbc29051a",
+      },
+    ],
     properties: [
       {
         name: "SrcFile",
@@ -6398,6 +6210,13 @@ it("parse requirements.txt", async () => {
         value: "./test/data/requirements-lock.linux_py3.txt",
       },
     ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "fd17e5661f60634ddf96a569b95d34ccb8a98de60593d729c28bdcfe360eaad1",
+      },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -6412,6 +6231,42 @@ it("parse requirements.txt", async () => {
       },
     },
   });
+  assert.deepStrictEqual(deps[1], {
+    name: "aenum",
+    version: "3.1.0",
+    scope: undefined,
+    evidence: {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: "./test/data/requirements-lock.linux_py3.txt",
+          },
+        ],
+      },
+    },
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "1f92fb906e3d745064e85f9a1937006ee341e00a35ecd8b7f899041b8e1d67d7",
+      },
+      {
+        alg: "SHA-256",
+        content:
+          "f8401f1a258436719ed013444ab37ff22a72517e0e3097058dd1511cf284447c",
+      },
+    ],
+    properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/requirements-lock.linux_py3.txt",
+      },
+    ],
+  });
   assert.deepStrictEqual(deps[deps.length - 1], {
     name: "zipp",
     scope: undefined,
@@ -6422,6 +6277,13 @@ it("parse requirements.txt", async () => {
         value: "./test/data/requirements-lock.linux_py3.txt",
       },
     ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335",
+      },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -6742,6 +6604,10 @@ it("parse wheel metadata", () => {
       },
     ],
     properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/METADATA",
+      },
       {
         name: "cdx:python:requires_python",
         value: ">=3.5.*",
@@ -6817,6 +6683,10 @@ it("parse wheel metadata", () => {
       },
     ],
     properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/dist-info/METADATA1",
+      },
       {
         name: "cdx:python:requires_python",
         value: ">=3.10",
@@ -6875,6 +6745,10 @@ it("parse wheel metadata", () => {
       },
     ],
     properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/dist-info/METADATA2",
+      },
       {
         name: "cdx:python:requires_python",
         value: ">=3.10",
@@ -6936,6 +6810,10 @@ it("parse wheel metadata", () => {
       },
     ],
     properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/dist-info/METADATA3",
+      },
       {
         name: "cdx:python:requires_python",
         value: ">=3.10",
@@ -6981,7 +6859,12 @@ it("parse wheel metadata", () => {
         url: "https://mercurial-scm.org/",
       },
     ],
-    properties: [],
+    properties: [
+      {
+        name: "SrcFile",
+        value: "./test/data/mercurial-5.5.2-py3.8.egg-info",
+      },
+    ],
     homepage: {
       url: "https://mercurial-scm.org/",
     },