@cyclonedx/cdxgen 12.1.5 → 12.2.0

package/lib/helpers/display.js

@@ -1,8 +1,11 @@
-import { existsSync, readFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
+import path from "node:path";
 import process from "node:process";
 
 import { createStream, table } from "table";
 
+import { isSecureMode, safeExistsSync, toCamel } from "./utils.js";
+
 // https://github.com/yangshun/tree-node-cli/blob/master/src/index.js
 const SYMBOLS_ANSI = {
   BRANCH: "├── ",
@@ -19,6 +22,16 @@ const highlightStr = (s, highlight) => {
   }
   return s;
 };
+/**
+ * Prints the BOM components as a streaming table to the console.
+ * Delegates to {@link printOSTable} automatically when the BOM metadata indicates
+ * an operating-system or platform component type.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @param {string[]} [filterTypes] Optional list of component types to include; all types shown when omitted
+ * @param {string} [highlight] Optional string to highlight in the output
+ * @returns {void}
+ */
 export function printTable(
   bomJson,
   filterTypes = undefined,
@@ -98,6 +111,12 @@ const formatProps = (props) => {
   }
   return retList.join("\n");
 };
+/**
+ * Prints OS package components from the BOM as a formatted streaming table.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printOSTable(bomJson) {
   const config = {
     columnDefault: {
@@ -118,6 +137,13 @@ export function printOSTable(bomJson) {
   }
   console.log();
 }
+/**
+ * Prints the services listed in the BOM as a formatted table.
+ * Includes endpoint URLs, authentication flag, and cross-trust-boundary flag.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printServices(bomJson) {
   const data = [["Name", "Endpoints", "Authenticated", "X Trust Boundary"]];
   if (!bomJson?.services) {
@@ -142,8 +168,14 @@ export function printServices(bomJson) {
   }
 }
 
+/**
+ * Prints the formulation components from the BOM as a formatted table.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printFormulation(bomJson) {
-  const data = [["Tyoe", "Name", "Version"]];
+  const data = [["Type", "Name", "Version"]];
   if (!bomJson?.formulation) {
     return;
   }
@@ -178,6 +210,13 @@ const locationComparator = (a, b) => {
   return a.localeCompare(b);
 };
 
+/**
+ * Prints component evidence occurrences (file locations) as a streaming table.
+ * Only components that have `evidence.occurrences` are included.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printOccurrences(bomJson) {
   if (!bomJson?.components) {
     return;
@@ -217,6 +256,13 @@ export function printOccurrences(bomJson) {
   console.log();
 }
 
+/**
+ * Prints the call stack evidence for each component in the BOM as a formatted table.
+ * Only components that have `evidence.callstack.frames` are included.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printCallStack(bomJson) {
   const data = [["Group", "Name", "Version", "Call Stack"]];
   if (!bomJson?.components) {
@@ -260,6 +306,15 @@ export function printCallStack(bomJson) {
     console.log(table(data, config));
   }
 }
+/**
+ * Prints the dependency tree from the BOM as an ASCII tree diagram.
+ * Uses the `table` library for small trees and plain console output for larger ones.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object containing a `dependencies` array
+ * @param {string} [mode="dependsOn"] Dependency relation to traverse (`"dependsOn"` or `"provides"`)
+ * @param {string} [highlight] Optional string to highlight in the tree output
+ * @returns {void}
+ */
 export function printDependencyTree(
   bomJson,
   mode = "dependsOn",
@@ -362,9 +417,16 @@ const recursePrint = (depMap, subtree, level, shownList, treeGraphics) => {
   }
 };
 
+/**
+ * Prints a table of reachable components derived from a reachability slices file.
+ * Aggregates per-purl reachable-flow counts and sorts them descending.
+ *
+ * @param {Object} sliceArtefacts Slice artefact paths, must include `reachablesSlicesFile`
+ * @returns {void}
+ */
 export function printReachables(sliceArtefacts) {
   const reachablesSlicesFile = sliceArtefacts.reachablesSlicesFile;
-  if (!existsSync(reachablesSlicesFile)) {
+  if (!safeExistsSync(reachablesSlicesFile)) {
     return;
   }
   const purlCounts = {};
@@ -398,6 +460,12 @@ export function printReachables(sliceArtefacts) {
   }
 }
 
+/**
+ * Prints a formatted table of CycloneDX vulnerability objects.
+ *
+ * @param {Object[]} vulnerabilities Array of CycloneDX vulnerability objects
+ * @returns {void}
+ */
 export function printVulnerabilities(vulnerabilities) {
   if (!vulnerabilities) {
     return;
@@ -426,6 +494,14 @@ export function printVulnerabilities(vulnerabilities) {
   console.log(`${vulnerabilities.length} vulnerabilities found.`);
 }
 
+/**
+ * Prints an OWASP donation banner when running in a CI environment.
+ * The banner is suppressed when `options.noBanner` is set or the repository
+ * belongs to the cdxgen project itself.
+ *
+ * @param {Object} options CLI options
+ * @returns {void}
+ */
 export function printSponsorBanner(options) {
   if (
     process?.env?.CI &&
@@ -439,7 +515,7 @@ export function printSponsorBanner(options) {
       },
     };
     let message =
-      "OWASP foundation relies on donations to fund our projects.\nDonation link: https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX";
+      "OWASP foundation relies on donations to fund our projects.\nDonation link: https://owasp.org/donate/?reponame=www-project-cdxgen&title=OWASP+cdxgen";
     if (options.serverUrl && options.apiKey) {
       message = `${message}\nDependency Track: https://owasp.org/donate/?reponame=www-project-dependency-track&title=OWASP+Dependency-Track`;
     }
@@ -448,6 +524,13 @@ export function printSponsorBanner(options) {
   }
 }
 
+/**
+ * Prints a BOM summary table including generator tool names, component package types,
+ * and component namespaces extracted from BOM metadata properties.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @returns {void}
+ */
 export function printSummary(bomJson) {
   const config = {
     header: {
@@ -497,3 +580,339 @@ export function printSummary(bomJson) {
   const data = [[message]];
   console.log(table(data, config));
 }
+
+/**
+ * @typedef {{type: string, variable: string, severity: string, message: string, mitigation: string}} EnvAuditFinding
+ */
+
+/**
+ * Runs the pre-generation environment audit and renders the results as formatted
+ * tables to the console. Called when the --env-audit CLI flag is set.
+ *
+ * @param {string} filePath Project path being scanned
+ * @param {Object} config Loaded .cdxgenrc / config-file values
+ * @param {Object} options Effective CLI options
+ * @param {EnvAuditFinding[]} envAuditFindings Audit findings to display
+ */
+export function displaySelfThreatModel(
+  filePath,
+  config,
+  options,
+  envAuditFindings,
+) {
+  const TLP = options.tlpClassification || "CLEAR";
+  const risks = [];
+  let riskScore = 0;
+
+  const addRisk = (level, reason, category = "configuration") => {
+    const scores = { low: 1, medium: 3, high: 5, critical: 8 };
+    riskScore = Math.min(10, riskScore + scores[level]);
+    risks.push({ level, reason, category });
+  };
+
+  // Config file risks
+  if (Object.keys(config).length > 0) {
+    addRisk(
+      "medium",
+      "A .cdxgenrc config file was loaded from the working directory. It may override security-relevant settings without being visible on the command line.",
+      "configuration",
+    );
+    const sensitive = ["server-url", "api-key", "include-formulation"];
+    for (const key of sensitive) {
+      if (config[key] || config[toCamel(key)]) {
+        addRisk(
+          key === "api-key" ? "high" : "medium",
+          `Config file sets '${key}', which affects SBOM content or remote submission behavior.`,
+          "configuration",
+        );
+      }
+    }
+  }
+
+  // Remote submission risks
+  if (options.serverUrl) {
+    const isHttps = options.serverUrl.startsWith("https://");
+    addRisk(
+      isHttps ? "medium" : "critical",
+      `SBOM will be submitted to ${options.serverUrl}${!isHttps ? " over plain HTTP — contents may be intercepted or tampered in transit." : "."}`,
+      "network",
+    );
+    if (options.skipDtTlsCheck) {
+      addRisk(
+        "high",
+        "TLS certificate validation is disabled for Dependency-Track uploads. SBOM contents may be intercepted or tampered in transit.",
+        "network",
+      );
+    }
+  }
+
+  // Data exposure risks
+  if (options.includeFormulation) {
+    addRisk(
+      "medium",
+      "Formulation mode is active. The SBOM will include build metadata such as git history, committer identities, and CI environment variables.",
+      "data-exposure",
+    );
+  }
+  if (options.evidence || options.deep) {
+    addRisk(
+      "medium",
+      "Evidence / deep mode will invoke build tools and parse source files to collect call graph and reachability evidence. Malicious build scripts may execute.",
+      "data-exposure",
+    );
+  }
+  if (options.installDeps) {
+    addRisk(
+      "high",
+      "Dependency auto-install is enabled. Lifecycle hooks (install scripts) from third-party packages will execute in the current environment.",
+      "data-exposure",
+    );
+  }
+
+  // Output path outside the project directory
+  if (options.output) {
+    const resolvedOutput = path.resolve(options.output);
+    const resolvedProject = path.resolve(filePath);
+    if (
+      !resolvedOutput.startsWith(resolvedProject + path.sep) &&
+      resolvedOutput !== resolvedProject
+    ) {
+      addRisk(
+        "medium",
+        `Output path '${options.output}' resolves to '${resolvedOutput}', which is outside the project directory '${resolvedProject}'. Ensure this is intentional.`,
+        "configuration",
+      );
+    }
+  }
+
+  // Environment variable risks (config-layer only; env-audit covers the rest)
+  if (process.env.CDXGEN_SERVER_URL) {
+    addRisk(
+      "low",
+      "CDXGEN_SERVER_URL is set in the environment and will override any --server-url value.",
+      "environment",
+    );
+  }
+
+  // Integrate environment audit findings
+  if (envAuditFindings?.length) {
+    for (const f of envAuditFindings) {
+      const categoryMap = {
+        "code-execution": "runtime",
+        "debug-exposure": "runtime",
+        "environment-variable": "environment",
+        "network-interception": "network",
+        "credential-exposure": "environment",
+        "permission-misuse": "runtime",
+        privilege: "runtime",
+      };
+      addRisk(
+        f.severity,
+        `${f.variable}: ${f.message}`,
+        categoryMap[f.type] || "configuration",
+      );
+    }
+  }
+
+  const nodeOptions = process.env.NODE_OPTIONS || "";
+  const riskLevel =
+    riskScore >= 8
+      ? "CRITICAL"
+      : riskScore >= 5
+        ? "HIGH"
+        : riskScore >= 3
+          ? "MEDIUM"
+          : "LOW";
+
+  const riskColor = {
+    CRITICAL: "\x1b[1;31m",
+    HIGH: "\x1b[1;33m",
+    MEDIUM: "\x1b[1;36m",
+    LOW: "\x1b[1;32m",
+  };
+  const reset = "\x1b[0m";
+  const tlpGuidance = {
+    CLEAR: "May be shared publicly. No restrictions.",
+    GREEN: "Limited to community/peers. Not for public posting.",
+    AMBER:
+      "Limited to organisation and trusted partners. Handle-in-confidence.",
+    AMBER_AND_STRICT: "Organisation only. No external sharing.",
+    RED: "Named recipients only. Do not forward or store beyond session.",
+  };
+  const headerData = [
+    ["TLP Classification", `${TLP} — ${tlpGuidance[TLP]}`],
+    ["Risk Score", `${riskScore}/10`],
+    ["Risk Level", `${riskColor[riskLevel]}${riskLevel}${reset}`],
+  ];
+  const headerConfig = {
+    header: {
+      alignment: "center",
+      content:
+        "SBOM Generation Environment Assessment\nPre-generation security audit by cdxgen",
+    },
+    columns: [{ width: 30, alignment: "right" }, { width: 70 }],
+    columnDefault: { wrapWord: true },
+  };
+
+  console.log(table(headerData, headerConfig));
+  if (risks.length > 0) {
+    const findingsData = [["#", "Severity", "Category", "Finding"]];
+    risks.forEach(({ level, reason, category }, i) => {
+      const severityColor =
+        level === "critical"
+          ? "\x1b[1;31m"
+          : level === "high"
+            ? "\x1b[1;33m"
+            : level === "medium"
+              ? "\x1b[1;36m"
+              : "\x1b[1;32m";
+      findingsData.push([
+        `${i + 1}`,
+        `${severityColor}${level.toUpperCase()}${reset}`,
+        category,
+        reason,
+      ]);
+    });
+    const findingsConfig = {
+      header: {
+        alignment: "center",
+        content: `Findings (${risks.length})`,
+      },
+      columns: [
+        { width: 5, alignment: "right" },
+        { width: 12 },
+        { width: 17 },
+        { width: 66 },
+      ],
+      columnDefault: { wrapWord: true },
+    };
+    console.log(table(findingsData, findingsConfig));
+  } else {
+    const noFindingsData = [
+      [
+        `${riskColor[riskLevel]}✅ No risks detected in the current configuration.${reset}`,
+      ],
+    ];
+    const noFindingsConfig = {
+      header: { alignment: "center", content: "📋 Findings" },
+      columns: [{ width: 100, alignment: "center" }],
+    };
+    console.log(table(noFindingsData, noFindingsConfig));
+  }
+
+  const configData = [
+    ["Setting", "Value"],
+    ["Project", options.projectName || filePath],
+    ["Type(s)", options.projectType?.join(", ") || "auto-detect"],
+    ["Profile", options.profile || "generic"],
+    ["Path", filePath],
+    ["Output", options.output || "(stdout)"],
+    ["Recursive", options.recursive ? "yes" : "no"],
+    ["Remote Submission", options.serverUrl || "none"],
+    ["Formulation", options.includeFormulation ? "yes" : "no"],
+    ["Evidence / Deep Mode", options.evidence || options.deep ? "yes" : "no"],
+    ["Auto-install Dependencies", options.installDeps ? "yes" : "no"],
+    ["NODE_OPTIONS", nodeOptions || "(not set)"],
+  ];
+  const effConfigTableConfig = {
+    header: { alignment: "center", content: "Effective Configuration" },
+    columns: [{ width: 28 }, { width: 72 }],
+    columnDefault: { wrapWord: true },
+  };
+  console.log(table(configData, effConfigTableConfig));
+
+  const recommendations = [];
+  if (["AMBER", "AMBER_AND_STRICT", "RED"].includes(TLP)) {
+    recommendations.push([
+      "High",
+      "Omit --include-formulation to avoid embedding committer identities and CI secrets in the SBOM.",
+    ]);
+    if (TLP === "RED") {
+      recommendations.push([
+        "Critical",
+        "Run cdxgen inside an isolated container or VM with no access to production credentials.",
+      ]);
+      recommendations.push([
+        "Critical",
+        "Do not set --server-url; review and handle the output SBOM manually before sharing.",
+      ]);
+    }
+  }
+  if (riskScore >= 5) {
+    recommendations.push([
+      "High",
+      "Address the findings above before scanning untrusted repositories.",
+    ]);
+    recommendations.push([
+      "Medium",
+      "Pass --no-install-deps to prevent package manager hooks from executing.",
+    ]);
+  }
+  if (envAuditFindings.some((f) => f.type === "code-execution")) {
+    recommendations.push([
+      "High",
+      "Remove code-execution flags (--require, --eval, --loader, --import) from NODE_OPTIONS and JAVA_TOOL_OPTIONS.",
+    ]);
+  }
+  if (envAuditFindings.some((f) => f.variable === "NODE_PATH")) {
+    recommendations.push([
+      "High",
+      "Unset NODE_PATH to prevent module-resolution poisoning by malicious packages.",
+    ]);
+  }
+  if (envAuditFindings.some((f) => f.type === "privilege")) {
+    recommendations.push([
+      "High",
+      "Do not run cdxgen as root. Create a dedicated low-privilege user or use a rootless container.",
+    ]);
+  }
+  if (/--permission\b/i.test(nodeOptions)) {
+    recommendations.push([
+      "Medium",
+      "Audit every --allow-* scope; use absolute paths rather than wildcards to minimise the permission surface.",
+    ]);
+  }
+  recommendations.push([
+    "Info",
+    "Minimal safe invocation: cdxgen --no-install-deps --output ./sbom.cdx.json <path>",
+  ]);
+  const recommendationsData = [["Priority", "Action"]];
+  recommendations.forEach(([priority, action]) => {
+    const priorityColor =
+      priority === "Critical"
+        ? "\x1b[1;31m"
+        : priority === "High"
+          ? "\x1b[1;33m"
+          : priority === "Medium"
+            ? "\x1b[1;36m"
+            : "\x1b[1;32m";
+    recommendationsData.push([`${priorityColor}${priority}${reset}`, action]);
+  });
+  const recommendationsConfig = {
+    header: {
+      alignment: "center",
+      content: `Recommendations for TLP:${TLP}`,
+    },
+    columns: [{ width: 12 }, { width: 88 }],
+    columnDefault: { wrapWord: true },
+  };
+
+  console.log(table(recommendationsData, recommendationsConfig));
+  // Only abort in secure mode when at least one finding is high or critical severity.
+  // Accumulated low/medium findings may push riskScore above 5 but should not abort.
+  if (
+    isSecureMode &&
+    envAuditFindings?.some((f) => ["high", "critical"].includes(f.severity))
+  ) {
+    const abortData = [
+      [
+        `${riskColor[riskLevel]}🚫 SECURE MODE: High-risk configuration detected. Aborting SBOM generation.${reset}`,
+      ],
+    ];
+    const abortConfig = {
+      columns: [{ width: 100, alignment: "center" }],
+    };
+    console.log(table(abortData, abortConfig));
+    process.exit(1);
+  }
+}

package/lib/helpers/envcontext.js

@@ -37,6 +37,7 @@ export const SDKMAN_JAVA_TOOL_ALIASES = {
   java23: process.env.JAVA23_TOOL || "23.0.2-tem",
   java24: process.env.JAVA24_TOOL || "24.0.2-tem",
   java25: process.env.JAVA25_TOOL || "25.0.2-tem",
+  java26: process.env.JAVA26_TOOL || "26-tem",
 };
 
 /**
@@ -257,7 +258,7 @@ export function collectGccInfo(dir) {
       type: "platform",
       name: "gcc",
       version: versionDesc.split("\n")[0],
-      description: moduleDesc.replaceAll("\n", "\\n"),
+      description: (moduleDesc || "").replaceAll("\n", "\\n"),
     };
   }
   return undefined;
@@ -277,7 +278,7 @@ export function collectRustInfo(dir) {
       type: "platform",
       name: "rustc",
       version: versionDesc.trim(),
-      description: moduleDesc.trim(),
+      description: (moduleDesc || "").trim(),
     };
   }
   return undefined;
@@ -405,6 +406,12 @@ const getCommandOutput = (cmd, dir, args) => {
   }
   if (DEBUG_MODE) {
     if (dir) {
+      if (safeExistsSync(join(dir, commandToUse))) {
+        console.warn(
+          `SECURE MODE: Found ${commandToUse} inside ${dir}. This command will not be executed.`,
+        );
+        return undefined;
+      }
       console.log(`Executing ${commandToUse} in ${dir}`);
     } else {
       console.log(`Executing ${commandToUse}`);
@@ -417,7 +424,7 @@ const getCommandOutput = (cmd, dir, args) => {
   });
   const stdout = result.stdout ? result.stdout.toString() : "";
   const stderr = result.stderr ? result.stderr.toString() : "";
-  return `${stdout} + "\n" + ${stderr}`;
+  return `${stdout}\n${stderr}`.trim() || undefined;
 };
 
 /**
@@ -690,6 +697,14 @@ export function isRbenvAvailable() {
   }
 }
 
+/**
+ * Returns the rbenv binary directory for the given Ruby version.
+ * Respects the `RBENV_ROOT` environment variable when set; otherwise falls back
+ * to `~/.rbenv/versions/<rubyVersion>/bin`.
+ *
+ * @param {string} rubyVersion Ruby version string (e.g. `"3.2.2"`)
+ * @returns {string} Absolute path to the rbenv bin directory for that version
+ */
 export function rubyVersionDir(rubyVersion) {
   return process.env.RBENV_ROOT
     ? join(process.env.RBENV_ROOT, "versions", rubyVersion, "bin")