@cyclonedx/cdxgen 12.1.4 → 12.2.0

package/bin/repl.js

@@ -22,8 +22,8 @@ import {
 } from "../lib/helpers/display.js";
 import { readBinary } from "../lib/helpers/protobom.js";
 import { getTmpDir } from "../lib/helpers/utils.js";
-import { validateBom } from "../lib/helpers/validator.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
+import { validateBom } from "../lib/validator/bomValidator.js";
 
 const options = {
   useColors: true,
@@ -594,7 +594,7 @@ cdxgenRepl.defineCommand("osinfocategories", {
 cdxgenRepl.defineCommand("licenses", {
   help: "visualize license distribution",
   async action() {
-    if (!sbom || !sbom.components) {
+    if (!sbom?.components) {
       console.log("⚠ No SBOM loaded.");
       this.displayPrompt();
       return;
@@ -649,7 +649,7 @@ cdxgenRepl.defineCommand("inspect", {
 cdxgenRepl.defineCommand("tagcloud", {
   help: "generate a text/tag cloud based on component descriptions and tags",
   action() {
-    if (!sbom || !sbom.components) {
+    if (!sbom?.components) {
       console.log("⚠ No SBOM loaded.");
       this.displayPrompt();
       return;

package/bin/sign.js

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import process from "node:process";
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+import { signBom } from "../lib/helpers/bomSigner.js";
+import { retrieveCdxgenVersion, safeExistsSync } from "../lib/helpers/utils.js";
+
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
+  .option("input", {
+    alias: "i",
+    default: "bom.json",
+    description: "Input SBOM json to sign.",
+  })
+  .option("output", {
+    alias: "o",
+    description: "Output signed SBOM json. Defaults to overwriting input.",
+  })
+  .option("private-key", {
+    alias: "k",
+    demandOption: true,
+    description: "Private key in PEM format.",
+  })
+  .option("algorithm", {
+    alias: "a",
+    default: "RS512",
+    description: "JSF Signature Algorithm (e.g., RS512, ES256, Ed25519).",
+  })
+  .option("mode", {
+    alias: "m",
+    default: "replace",
+    choices: ["replace", "signers", "chain"],
+    description:
+      "Signature mode. Use 'signers' for multi-signing, 'chain' for sequential chaining.",
+  })
+  .option("key-id", {
+    description:
+      "Optional identifier for the key (keyId) to embed in the signature block.",
+  })
+  .option("sign-components", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular components. Disable (--no-sign-components) when appending multi-signatures.",
+  })
+  .option("sign-services", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular services. Disable (--no-sign-services) when appending multi-signatures.",
+  })
+  .option("sign-annotations", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular annotations. Disable (--no-sign-annotations) when appending multi-signatures.",
+  })
+  .scriptName("cdx-sign")
+  .version(retrieveCdxgenVersion())
+  .help()
+  .wrap(Math.min(120, yargs().terminalWidth())).argv;
+
+if (!safeExistsSync(args.input)) {
+  console.error(`Input file '${args.input}' not found.`);
+  process.exit(1);
+}
+
+if (!safeExistsSync(args.privateKey)) {
+  console.error(`Private key file '${args.privateKey}' not found.`);
+  process.exit(1);
+}
+
+try {
+  const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
+  const privateKey = fs.readFileSync(args.privateKey, "utf8");
+
+  const signedBom = signBom(bomJson, {
+    privateKey,
+    algorithm: args.algorithm,
+    keyId: args.keyId,
+    mode: args.mode,
+    signComponents: args.signComponents,
+    signServices: args.signServices,
+    signAnnotations: args.signAnnotations,
+  });
+
+  const outputPath = args.output || args.input;
+  fs.writeFileSync(outputPath, JSON.stringify(signedBom, null, null));
+
+  console.log(`Successfully signed BOM and saved to '${outputPath}'`);
+  console.log(
+    `Mode: ${args.mode} | Algorithm: ${args.algorithm}${args.keyId ? ` | KeyId: ${args.keyId}` : ""}`,
+  );
+} catch (error) {
+  console.error("SBOM signing failed:", error.message);
+  process.exit(1);
+}

package/bin/validate.js

@@ -0,0 +1,233 @@
+#!/usr/bin/env node
+
+/**
+ * cdx-validate CLI — structural, deep, and compliance validation for
+ * CycloneDX SBOMs.
+ *
+ * Exit codes:
+ *   0 — all checks pass (or no findings >= --fail-severity).
+ *   1 — configuration error (bad input, missing file, unknown reporter).
+ *   2 — schema validation failed (in --strict mode).
+ *   3 — compliance findings at or above --fail-severity.
+ *   4 — signature verification was requested and failed.
+ */
+
+import fs from "node:fs";
+import { dirname, join } from "node:path";
+import process from "node:process";
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+import {
+  dirNameStr,
+  retrieveCdxgenVersion,
+  safeExistsSync,
+  safeMkdirSync,
+} from "../lib/helpers/utils.js";
+import { getBomWithOras } from "../lib/managers/oci.js";
+import { shouldFail, validateBomAdvanced } from "../lib/validator/index.js";
+import { render as renderReport } from "../lib/validator/reporters/index.js";
+
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
+  .option("input", {
+    alias: "i",
+    default: "bom.json",
+    description: "Input SBOM JSON file or OCI reference.",
+  })
+  .option("platform", {
+    description:
+      "Platform to use when resolving an OCI reference (passed to oras).",
+  })
+  .option("report", {
+    alias: "r",
+    default: "console",
+    choices: ["console", "json", "sarif", "annotations"],
+    description: "Output format.",
+  })
+  .option("report-file", {
+    alias: "o",
+    description:
+      "Write the report to this file. Defaults to stdout. Required for the 'annotations' reporter when you want to save the annotated BOM.",
+  })
+  .option("schema", {
+    type: "boolean",
+    default: true,
+    description:
+      "Run the CycloneDX JSON-schema validation. Pass --no-schema to skip.",
+  })
+  .option("deep", {
+    type: "boolean",
+    default: true,
+    description:
+      "Run the deep purl/ref/metadata checks from lib/helpers/bomValidator.js. Pass --no-deep to skip.",
+  })
+  .option("benchmark", {
+    alias: "b",
+    type: "string",
+    description:
+      "Comma-separated list of compliance benchmark aliases to include in the scorecards (scvs, scvs-l1, scvs-l2, scvs-l3, cra). Defaults to all.",
+  })
+  .option("categories", {
+    type: "string",
+    description:
+      "Comma-separated list of compliance rule categories to evaluate (compliance-scvs, compliance-cra). Defaults to all.",
+  })
+  .option("min-severity", {
+    type: "string",
+    default: "info",
+    choices: ["info", "low", "medium", "high", "critical"],
+    description:
+      "Drop findings below this severity from the output (benchmark scoring is unaffected).",
+  })
+  .option("fail-severity", {
+    type: "string",
+    default: "high",
+    choices: ["info", "low", "medium", "high", "critical"],
+    description:
+      "Exit with code 3 when any failing finding is at or above this severity.",
+  })
+  .option("include-manual", {
+    type: "boolean",
+    default: true,
+    description:
+      "Include non-automatable manual-review findings in the output. Pass --no-include-manual to hide them.",
+  })
+  .option("include-pass", {
+    type: "boolean",
+    default: false,
+    description:
+      "Include passing findings in the output (useful for audits). Defaults to false.",
+  })
+  .option("public-key", {
+    description:
+      "Path to a PEM public key. When set, cdx-validate also verifies the BOM signature.",
+  })
+  .option("require-signature", {
+    type: "boolean",
+    default: false,
+    description:
+      "Exit non-zero (4) when --public-key is provided but signature verification fails.",
+  })
+  .option("strict", {
+    type: "boolean",
+    default: false,
+    description:
+      "Treat a failing schema or deep validation as a non-zero exit (code 2).",
+  })
+  .completion("completion", "Generate bash/zsh completion")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
+  .scriptName("cdx-validate")
+  .version(retrieveCdxgenVersion())
+  .help()
+  .wrap(Math.min(120, yargs().terminalWidth())).argv;
+
+function loadBom(input, platform) {
+  if (safeExistsSync(input)) {
+    try {
+      return JSON.parse(fs.readFileSync(input, "utf8"));
+    } catch (err) {
+      console.error(`Failed to parse ${input}: ${err.message}`);
+      process.exit(1);
+    }
+  }
+  if (
+    input.includes(":") ||
+    input.includes("docker") ||
+    input.includes("ghcr")
+  ) {
+    const bom = getBomWithOras(input, platform);
+    if (bom) return bom;
+  }
+  console.error(`Input '${input}' is not a readable SBOM.`);
+  process.exit(1);
+  return undefined;
+}
+
+function loadPublicKey(path) {
+  if (!path) return null;
+  if (!safeExistsSync(path)) {
+    console.error(`Public key '${path}' not found.`);
+    process.exit(1);
+  }
+  return fs.readFileSync(path, "utf8");
+}
+
+function splitCsv(value) {
+  if (!value) return undefined;
+  return value
+    .split(",")
+    .map((v) => v.trim())
+    .filter(Boolean);
+}
+
+function writeOrPrint(content, outputPath) {
+  if (!outputPath) {
+    process.stdout.write(`${content}\n`);
+    return;
+  }
+  const parent = dirname(outputPath);
+  if (parent && !safeExistsSync(parent)) {
+    safeMkdirSync(parent, { recursive: true });
+  }
+  fs.writeFileSync(outputPath, content);
+}
+
+const bomJson = loadBom(args.input, args.platform);
+const publicKeyStr = loadPublicKey(args.publicKey);
+
+const report = validateBomAdvanced(bomJson, {
+  schema: args.schema,
+  deep: args.deep,
+  benchmarks: splitCsv(args.benchmark),
+  categories: splitCsv(args.categories),
+  minSeverity: args.minSeverity,
+  includeManual: args.includeManual,
+  includePass: args.includePass,
+  publicKey: publicKeyStr || undefined,
+});
+
+let output;
+try {
+  const { version: pkgVersion } = JSON.parse(
+    fs.readFileSync(join(dirNameStr, "package.json"), "utf8"),
+  );
+  output = renderReport(args.report, report, {
+    bomJson,
+    toolName: "cdx-validate",
+    toolVersion: pkgVersion,
+    pretty: true,
+  });
+} catch (err) {
+  console.error(err.message);
+  process.exit(1);
+}
+
+writeOrPrint(output, args.reportFile);
+
+const { shouldFail: fail, reason } = shouldFail(report, {
+  failSeverity: args.failSeverity,
+  strict: args.strict,
+  requireSignature: Boolean(args.requireSignature && publicKeyStr),
+});
+
+if (report.signatureVerified === false && args.requireSignature) {
+  console.error(
+    `cdx-validate: signature verification failed — ${report.signatureDetails?.error || "no matching key"}.`,
+  );
+  process.exit(4);
+}
+
+if (args.strict && report.schemaValid === false) {
+  console.error("cdx-validate: schema validation failed.");
+  process.exit(2);
+}
+
+if (fail) {
+  console.error(`cdx-validate: ${reason}`);
+  process.exit(3);
+}
+
+process.exit(0);

package/bin/verify.js

@@ -4,10 +4,10 @@ import fs from "node:fs";
 import { join } from "node:path";
 import process from "node:process";
 
-import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
+import { verifyNode } from "../lib/helpers/bomSigner.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -32,6 +32,12 @@ const args = _yargs
     default: "public.key",
     description: "Public key in PEM format. Default public.key",
   })
+  .option("deep", {
+    type: "boolean",
+    default: true,
+    description:
+      "Strictly verify all nested component, service, and annotation signatures against the provided public key. Pass --no-deep to verify only the root signature.",
+  })
   .completion("completion", "Generate bash/zsh completion")
   .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .scriptName("cdx-verify")
@@ -78,49 +84,84 @@ function getBom(args) {
   }
   return undefined;
 }
+
 const bomJson = getBom(args);
+
 if (!bomJson) {
   console.log(`${args.input} is invalid!`);
   process.exit(1);
 }
+
 if (bomJson && !safeExistsSync(args.publicKey)) {
   console.log("Public key for signature verification is missing!");
   process.exit(1);
 }
-let hasInvalidComp = false;
-// Validate any component signature
-for (const comp of bomJson.components) {
-  if (comp.signature) {
-    const compSignature = comp.signature.value;
-    const validationResult = jws.verify(
-      compSignature,
-      comp.signature.algorithm,
-      fs.readFileSync(args.publicKey, "utf8"),
-    );
-    if (!validationResult) {
-      console.log(`${comp["bom-ref"]} signature is invalid!`);
-      hasInvalidComp = true;
+
+const publicKeyStr = fs.readFileSync(args.publicKey, "utf8");
+
+let rootMatch = null;
+if (bomJson.signature) {
+  rootMatch = verifyNode(bomJson, publicKeyStr);
+}
+
+const verifyNested = args.deep || !bomJson.signature;
+let hasInvalidNested = false;
+let checkedNested = 0;
+
+if (verifyNested) {
+  for (const comp of bomJson.components || []) {
+    if (comp.signature) {
+      checkedNested++;
+      if (!verifyNode(comp, publicKeyStr)) {
+        console.log(
+          `Component '${comp["bom-ref"] || comp.name}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
+    }
+  }
+  for (const svc of bomJson.services || []) {
+    if (svc.signature) {
+      checkedNested++;
+      if (!verifyNode(svc, publicKeyStr)) {
+        console.log(
+          `Service '${svc["bom-ref"] || svc.name}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
+    }
+  }
+  for (const ann of bomJson.annotations || []) {
+    if (ann.signature) {
+      checkedNested++;
+      if (!verifyNode(ann, publicKeyStr)) {
+        console.log(
+          `Annotation '${ann["bom-ref"] || ann.subject}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
     }
   }
 }
-if (hasInvalidComp) {
+
+if (hasInvalidNested) {
+  console.log("One or more nested signatures are invalid!");
   process.exit(1);
 }
-const bomSignature = bomJson.signature?.value
-  ? bomJson.signature.value
-  : undefined;
-if (!bomSignature) {
-  console.log("No signature was found!");
-} else {
-  const validationResult = jws.verify(
-    bomSignature,
-    bomJson.signature.algorithm,
-    fs.readFileSync(args.publicKey, "utf8"),
-  );
-  if (validationResult) {
-    console.log("Signature is valid!");
+
+if (bomJson.signature) {
+  if (rootMatch) {
+    const identifier = rootMatch.keyId
+      ? `KeyId: '${rootMatch.keyId}'`
+      : `Algorithm: '${rootMatch.algorithm}'`;
+    console.log(`✓ Signature is valid! (Matched ${identifier})`);
   } else {
     console.log("BOM signature is invalid!");
     process.exit(1);
   }
+} else if (checkedNested > 0 && !hasInvalidNested) {
+  console.log(`✓ ${checkedNested} nested signature(s) are valid!`);
+} else {
+  console.log("No valid signatures found to verify!");
+  process.exit(1);
 }

package/data/queries.json

@@ -27,7 +27,7 @@
   "vscode_extensions": {
     "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
     "description": "Lists all vscode extensions.",
-    "purlType": "vsix",
+    "purlType": "vscode-extension",
     "componentType": "application"
   },
   "deb_packages": {

package/data/rules/ci-permissions.yaml

@@ -0,0 +1,186 @@
+# CI/CD Permission Security Rules
+# Category: ci-permission
+# Evaluates GitHub Actions, GitLab CI, Azure Pipelines, etc. for privilege risks
+
+- id: CI-001
+  name: "Unpinned action in write-permission workflow"
+  description: "GitHub Actions referenced by tag/branch in workflows with write permissions pose supply chain risk"
+  severity: high
+  category: ci-permission
+  condition: |
+    components[
+      $prop($, 'cdx:github:action:isShaPinned') = 'false'
+      and (
+        $prop($, 'cdx:github:workflow:hasWritePermissions') = 'true'
+        or $prop($, 'cdx:github:job:hasWritePermissions') = 'true'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Unpinned GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' in workflow with write permissions"
+  mitigation: "Pin action to full SHA: actions/setup-node@abc123def456..."
+  evidence: |
+    {
+      "pinningType": $prop($, 'cdx:github:action:versionPinningType'),
+      "workflowTriggers": $prop($, 'cdx:github:workflow:triggers'),
+      "jobName": $prop($, 'cdx:github:job:name')
+    }
+- id: CI-002
+  name: "OIDC token issuance to non-official action"
+  description: "Workflows granting id-token:write to third-party actions may enable token exfiltration"
+  severity: high
+  category: ci-permission
+  condition: |
+    components[
+      $prop($, 'cdx:github:workflow:hasIdTokenWrite') = 'true'
+      and $prop($, 'cdx:actions:isOfficial') = 'false'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Workflow grants OIDC token access to non-official action '{{ $prop($, 'cdx:github:action:uses') }}'"
+  mitigation: "Restrict id-token scope or use only verified/official actions for OIDC operations"
+  evidence: |
+    {
+      "isVerified": $prop($, 'cdx:actions:isVerified'),
+      "actionGroup": group
+    }
+- id: CI-003
+  name: "Action pinned to mutable tag"
+  description: "GitHub Actions pinned to tags (vs SHA) can change behavior unexpectedly if tag is moved"
+  severity: medium
+  category: ci-permission
+  condition: |
+    components[
+      $prop($, 'cdx:github:action:versionPinningType') = 'tag'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' pinned to mutable tag (not SHA)"
+  mitigation: "Consider pinning to full commit SHA for immutability: actions/setup-node@<full-sha>"
+  evidence: |
+    {
+      "currentVersion": version,
+      "isOfficial": $prop($, 'cdx:actions:isOfficial')
+    }
+- id: CI-004
+  name: "Workflow uses pull_request_target trigger"
+  description: "pull_request_target can execute code in the context of the base branch, risking secret exposure"
+  severity: medium
+  category: ci-permission
+  # Check workflows (not components) for this trigger pattern
+  condition: |
+    formulation.workflows[
+      $hasProp($, 'cdx:github:workflow:triggers')
+      and $nullSafeProp($, 'cdx:github:workflow:triggers') ~> $trim() ~> $contains('pull_request_target')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Workflow '{{ $prop($, 'cdx:github:workflow:name') }}' uses pull_request_target trigger"
+  mitigation: "Ensure workflow does not checkout or run code from the PR head; use pull_request with careful permissions"
+  evidence: |
+    {
+      "triggers": $prop($, 'cdx:github:workflow:triggers'),
+      "hasWritePermissions": $prop($, 'cdx:github:workflow:hasWritePermissions')
+    }
+- id: CI-005
+  name: "Checkout step persists credentials unnecessarily"
+  description: "actions/checkout with persist-credentials=true (default) exposes GITHUB_TOKEN to subsequent steps"
+  severity: medium
+  category: ci-permission
+  condition: |
+    components[
+      $contains($nullSafeProp($, 'cdx:github:action:uses'), 'actions/checkout')
+      and $propBool($, 'cdx:github:checkout:persistCredentials') != false
+      and (
+        $propBool($, 'cdx:github:workflow:hasWritePermissions') = true
+        or $propBool($, 'cdx:github:job:hasWritePermissions') = true
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Checkout step uses persist-credentials=true in privileged workflow; consider persist-credentials: false;"
+  mitigation: "Add persist-credentials: false to checkout steps that don't require git push operations"
+  evidence: |
+    {
+      "persistCredentials": $prop($, 'cdx:github:checkout:persistCredentials'),
+      "workflowPermissions": $prop($, 'cdx:github:workflow:hasWritePermissions')
+    }
+- id: CI-006
+  name: "Cache usage in untrusted trigger context"
+  description: "GitHub Actions cache can be poisoned when used in workflows triggered by untrusted input (e.g., pull_request from forks)"
+  severity: high
+  category: ci-permission
+  condition: |
+    components[
+      $nullSafeProp($, 'cdx:github:action:uses') ~> $contains('actions/cache')
+      and $nullSafeProp($, 'cdx:github:workflow:triggers') ~> $contains('pull_request')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Cache action used in pull_request-triggered workflow; cache key '{{ $prop($, 'cdx:github:cache:key') }}' may be writable by untrusted code"
+  mitigation: "Scope cache keys to PR-specific values, validate restored cache contents, or avoid caching in untrusted workflows"
+  evidence: |
+    {
+      "cacheKey": $prop($, 'cdx:github:cache:key'),
+      "cachePath": $prop($, 'cdx:github:cache:path'),
+      "triggers": $prop($, 'cdx:github:workflow:triggers')
+    }
+- id: CI-007
+  name: "Script injection via untrusted context interpolation"
+  description: "Direct interpolation of github.event.* or inputs.* into run: blocks enables command injection"
+  severity: critical
+  category: ci-permission
+  condition: |
+    formulation.components[
+      $prop($, 'cdx:github:step:hasUntrustedInterpolation') = 'true'
+      and $prop($, 'cdx:github:step:type') = 'run'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Untrusted input interpolated into shell command: variables '{{ $prop($, 'cdx:github:step:interpolatedVars') }}'"
+  mitigation: "Use intermediate environment variables: env: TITLE: ${{ github.event.pull_request.title }} then reference $TITLE in run:"
+  evidence: |
+    {
+      "interpolatedVars": $prop($, 'cdx:github:step:interpolatedVars'),
+      "stepCommand": $prop($, 'cdx:github:step:command')
+    }
+- id: CI-008
+  name: "High-risk trigger with write permissions"
+  description: "Triggers like pull_request_target, issue_comment, or workflow_run combined with write permissions enable privilege escalation"
+  severity: high
+  category: ci-permission
+  condition: |
+    formulation.workflows[
+      $prop($, 'cdx:github:workflow:hasHighRiskTrigger') = 'true'
+      and $prop($, 'cdx:github:workflow:hasWritePermissions') = 'true'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "Workflow '{{ $prop($, 'cdx:github:workflow:name') }}' uses high-risk trigger with write permissions"
+  mitigation: "Use pull_request instead of pull_request_target; require manual approval for issue_comment triggers; restrict permissions per job"
+  evidence: |
+    {
+      "triggers": $prop($, 'cdx:github:workflow:triggers'),
+      "hasWritePermissions": $prop($, 'cdx:github:workflow:hasWritePermissions')
+    }