@cyclonedx/cdxgen 12.1.5 → 12.2.0

package/lib/helpers/utils.poku.js

@@ -7,6 +7,7 @@ import { assert, describe, it, test } from "poku";
 import { parse } from "ssri";
 import { parse as loadYaml } from "yaml";
 
+import { validateRefs } from "../validator/bomValidator.js";
 import {
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
@@ -113,7 +114,6 @@ import {
   toGemModuleNames,
   yarnLockToIdentMap,
 } from "./utils.js";
-import { validateRefs } from "./validator.js";
 
 it("SSRI test", () => {
   // gopkg.lock hash
@@ -2596,12 +2596,15 @@ it("parse mix lock data", () => {
 it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
-  assert.deepStrictEqual(dep_list.length, 8);
+  assert.deepStrictEqual(dep_list.length, 13);
   assert.deepStrictEqual(dep_list[0], {
+    "bom-ref":
+      "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    type: "application",
     group: "actions",
     name: "checkout",
-    version: "6.0.2",
-    purl: "pkg:github/actions/checkout@6.0.2?commit=de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    version: "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    purl: "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
     properties: [
       {
         name: "SrcFile",
@@ -2611,6 +2614,10 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:workflow:name",
         value: "Node CI",
       },
+      {
+        name: "cdx:github:workflow:file",
+        value: "./.github/workflows/nodejs.yml",
+      },
       {
         name: "cdx:github:job:name",
         value: "read-node-versions",
@@ -2631,277 +2638,40 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:action:isShaPinned",
         value: "true",
       },
-      {
-        name: "cdx:github:workflow:concurrencyGroup",
-        value:
-          "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}",
-      },
       {
         name: "cdx:actions:isOfficial",
         value: "true",
       },
+      {
+        name: "cdx:github:checkout:persistCredentials",
+        value: "false",
+      },
       {
         name: "cdx:github:workflow:triggers",
         value: "pull_request,push,workflow_dispatch",
       },
     ],
+    scope: "required",
     evidence: {
-      identity: {
-        field: "purl",
-        confidence: 0.7,
-        methods: [
-          {
-            technique: "source-code-analysis",
-            confidence: 0.7,
-            value: "./.github/workflows/nodejs.yml",
-          },
-        ],
-      },
-    },
-  });
-  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
-  assert.deepStrictEqual(dep_list.length, 4);
-  assert.deepStrictEqual(dep_list, [
-    {
-      group: "pixel",
-      name: "steamcmd",
-      version: "1.2.7",
-      purl: "pkg:github/pixel/steamcmd@1.2.7?commit=foo",
-      properties: [
+      identity: [
         {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "pixel/steamcmd@foo",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 1",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch",
-      version: "8.2.0",
-      purl: "pkg:github/tj/branch@8.2.0?commit=47dd",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "tj/branch@47dd",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 2",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
           field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch2",
-      version: "08",
-      purl: "pkg:github/tj/branch2@08?tag=v0.0.18",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "tj/branch2@v0.0.18",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 3",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
+          confidence: 0.5,
           methods: [
             {
               technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
+              confidence: 0.5,
+              value: "./.github/workflows/nodejs.yml",
             },
           ],
         },
-      },
-    },
-    {
-      group: "github/codeql-action",
-      name: "upload-sarif",
-      version: "3.30.3",
-      purl: "pkg:github/github/codeql-action/upload-sarif@3.30.3?commit=192325c86100d080feab897ff886c34abd4c83a3",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value:
-            "github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "sha",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "true",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Upload to code-scanning",
-        },
-        {
-          name: "cdx:actions:isOfficial",
-          value: "true",
-        },
-        {
-          name: "cdx:actions:isVerified",
-          value: "true",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
       ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
     },
-  ]);
+  });
+  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
+  assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 17);
+  assert.deepStrictEqual(dep_list.length, 90);
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
@@ -4472,7 +4242,10 @@ it("pnpmMetadata with scoped packages", async () => {
 it("pnpmMetadata integration with parsePnpmLock", async () => {
   // Test that the integration works by parsing a real pnpm lock file
   const parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-
+  const externalRefDistPackages = parsedList.pkgList.filter((pkg) =>
+    pkg.externalReferences?.some((p) => p.type === "distribution"),
+  );
+  assert.ok(externalRefDistPackages.length > 0);
   // Check that some packages have been enhanced with LocalNodeModulesPath
   const enhancedPackages = parsedList.pkgList.filter((pkg) =>
     pkg.properties?.some((p) => p.name === "LocalNodeModulesPath"),
@@ -5694,6 +5467,33 @@ it("parseComposerLock", () => {
     ref: "pkg:composer/doctrine/annotations@v1.2.1",
     dependsOn: ["pkg:composer/doctrine/lexer@v1.0"],
   });
+
+  // Platform requirements (php, ext-*) must not appear in rootList
+  const platformRootRequires = {
+    php: "^7.1.3|^8",
+    "ext-SimpleXML": "*",
+    "ext-dom": "*",
+    "amphp/amp": "^2.1",
+    "amphp/byte-stream": "^1.5",
+  };
+  retMap = parseComposerLock(
+    "./test/data/composer-2.lock",
+    platformRootRequires,
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name === "php"),
+    "php must not be in rootList",
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name?.startsWith("ext-")),
+    "ext-* must not be in rootList",
+  );
+  // Regular packages that are in rootRequires should still be in rootList
+  // Note: apkg.name is basename(pkg.name), so "amphp/amp" → name "amp"
+  assert.ok(
+    retMap.rootList.some((p) => p.name === "amp"),
+    "amphp/amp should be in rootList",
+  );
 });
 
 it("parseComposerJson", () => {

package/lib/helpers/versutils.js

@@ -0,0 +1,202 @@
+function parseVersion(v) {
+  const m = v.match(/^([><=^~]+)?(.*)$/);
+  const ver = m ? m[2] : v;
+  if (ver === "*")
+    return { major: 0, minor: 0, patch: 0, pre: "", op: "", isStar: true };
+  const parts = ver.split("-");
+  const main = parts[0].split(".");
+  return {
+    op: m ? m[1] || "" : "",
+    major: Number.parseInt(main[0] || "0", 10),
+    minor: Number.parseInt(main[1] || "0", 10),
+    patch: Number.parseInt(main[2] || "0", 10),
+    pre: parts.slice(1).join("-"),
+  };
+}
+
+/**
+ * Converts a package.json npm version specifier to a VERS format range.
+ *
+ * @param {string} versionString - The native npm semver string.
+ * @returns {string} The formatted vers:npm range string.
+ */
+export function toVersRange(versionString) {
+  if (!versionString || typeof versionString !== "string") {
+    return "";
+  }
+  let str = versionString.trim();
+  if (!str) {
+    return "";
+  }
+  if (str === "latest" || str.startsWith("workspace:")) {
+    return "";
+  }
+  if (str === "*") {
+    return "vers:npm/*";
+  }
+  // Replace hyphen ranges: A - B -> >=A <=B
+  str = str.replace(/([\w.-]+)\s+-\s+([\w.-]+)/g, ">= $1 <= $2");
+
+  // Split logical ORs
+  const ors = str.split("||").map((s) => s.trim());
+  const allBounds = [];
+
+  for (let part of ors) {
+    // Normalize spaces after operators to attach them to the version
+    part = part.replace(/([><=^~]+)\s+/g, "$1");
+    part = part.replace(/\s+/g, " ");
+
+    const tokens = part.split(" ").filter(Boolean);
+
+    for (let token of tokens) {
+      // Strip the 'v' prefix if present (e.g. >=v1.2.3 -> >=1.2.3)
+      token = token.replace(/^([><=^~]+)?v/i, (_match, op) => op || "");
+
+      if (token === "*") {
+        allBounds.push("*");
+        continue;
+      }
+
+      const match = token.match(/^([><=^~]+)?(.*)$/);
+      const op = match[1] || "";
+      let ver = match[2];
+
+      if (ver === "*") {
+        allBounds.push("*");
+        continue;
+      }
+
+      // Pad versions (e.g., '1' -> '1.0.0', '1.1' -> '1.1.0')
+      if (/^\d+$/.test(ver)) {
+        ver += ".0.0";
+      } else if (/^\d+\.\d+$/.test(ver)) {
+        ver += ".0";
+      }
+
+      // Handle .x or .* ranges
+      if (ver.endsWith(".x") || ver.endsWith(".*")) {
+        const parts = ver.split(".");
+        if (parts[1] === "x" || parts[1] === "*") {
+          const M = Number.parseInt(parts[0], 10);
+          allBounds.push(`>=${M}.0.0`, `<${M + 1}.0.0`);
+        } else if (parts[2] === "x" || parts[2] === "*") {
+          const M = parts[0];
+          const m_minor = Number.parseInt(parts[1], 10);
+          allBounds.push(`>=${M}.${m_minor}.0`, `<${M}.${m_minor + 1}.0`);
+        }
+        continue;
+      }
+
+      // Caret (^) expansion
+      if (op === "^") {
+        const m = ver.match(/^(\d+)\.(\d+)\.(\d+)(.*)$/);
+        if (!m) {
+          allBounds.push(`${op}${ver}`);
+          continue;
+        }
+        const M = Number.parseInt(m[1], 10);
+        const m_minor = Number.parseInt(m[2], 10);
+        const p = Number.parseInt(m[3], 10);
+        let upper;
+        if (M > 0) {
+          upper = `${M + 1}.0.0`;
+        } else if (m_minor > 0) {
+          upper = `0.${m_minor + 1}.0`;
+        } else {
+          upper = `0.0.${p + 1}`;
+        }
+        allBounds.push(`>=${ver}`, `<${upper}`);
+        continue;
+      }
+
+      // Tilde (~) expansion
+      if (op === "~") {
+        const m = ver.match(/^(\d+)\.(\d+)\.(\d+)(.*)$/);
+        if (!m) {
+          allBounds.push(`${op}${ver}`);
+          continue;
+        }
+        if (ver.includes("-pre")) {
+          const sv = parseVersion(ver);
+          const upper = `${sv.major}.${sv.minor}.0`;
+          const upper_1 = `${sv.major}.${sv.minor}.1`;
+          allBounds.push(`>=${ver}`, `<${upper}`, `>=${upper}`, `<${upper_1}`);
+          continue;
+        }
+        const M = Number.parseInt(m[1], 10);
+        const m_minor = Number.parseInt(m[2], 10);
+        const upper = `${M}.${m_minor + 1}.0`;
+        allBounds.push(`>=${ver}`, `<${upper}`);
+        continue;
+      }
+
+      if (op === "=") {
+        allBounds.push(ver);
+        continue;
+      }
+
+      // Exact fallback matches
+      if (op === "") {
+        allBounds.push(ver);
+        continue;
+      }
+
+      allBounds.push(op + ver);
+    }
+  }
+
+  // Sort all bounded intervals linearly mapped by semver precedence
+  allBounds.sort((aStr, bStr) => {
+    if (aStr === "*" && bStr === "*") return 0;
+    if (aStr === "*") return -1;
+    if (bStr === "*") return 1;
+
+    const a = parseVersion(aStr);
+    const b = parseVersion(bStr);
+
+    if (a.major !== b.major) return a.major - b.major;
+    if (a.minor !== b.minor) return a.minor - b.minor;
+    if (a.patch !== b.patch) return a.patch - b.patch;
+
+    if (a.pre && !b.pre) return -1;
+    if (!a.pre && b.pre) return 1;
+
+    if (a.pre && b.pre) {
+      if (a.pre !== b.pre) {
+        const aPre = a.pre.split(".");
+        const bPre = b.pre.split(".");
+        for (let i = 0; i < Math.max(aPre.length, bPre.length); i++) {
+          const ap = aPre[i];
+          const bp = bPre[i];
+
+          if (ap === undefined) return -1;
+          if (bp === undefined) return 1;
+
+          const apNum = /^\d+$/.test(ap);
+          const bpNum = /^\d+$/.test(bp);
+
+          if (apNum && bpNum) {
+            const diff = Number.parseInt(ap, 10) - Number.parseInt(bp, 10);
+            if (diff !== 0) return diff;
+          } else if (apNum && !bpNum) {
+            return -1;
+          } else if (!apNum && bpNum) {
+            return 1;
+          } else {
+            if (ap < bp) return -1;
+            if (ap > bp) return 1;
+          }
+        }
+      }
+    }
+
+    const opOrder = { "<": 1, "<=": 2, "": 3, ">=": 4, ">": 5 };
+    const aOp = opOrder[a.op] || 3;
+    const bOp = opOrder[b.op] || 3;
+    if (aOp !== bOp) return aOp - bOp;
+
+    return 0;
+  });
+
+  return `vers:npm/${allBounds.join("|")}`;
+}