npm - @cyclonedx/cdxgen - Versions diffs - 12.1.5 → 12.2.0 - Mend

@cyclonedx/cdxgen 12.1.5 → 12.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/README.md +47 -39
package/bin/cdxgen.js +175 -96
package/bin/evinse.js +4 -4
package/bin/repl.js +1 -1
package/bin/sign.js +102 -0
package/bin/validate.js +233 -0
package/bin/verify.js +69 -28
package/data/queries.json +1 -1
package/data/rules/ci-permissions.yaml +186 -0
package/data/rules/dependency-sources.yaml +123 -0
package/data/rules/package-integrity.yaml +135 -0
package/data/rules/vscode-extensions.yaml +228 -0
package/lib/cli/index.js +327 -372
package/lib/evinser/db.js +137 -0
package/lib/{helpers → evinser}/db.poku.js +2 -6
package/lib/evinser/evinser.js +2 -14
package/lib/helpers/bomSigner.js +312 -0
package/lib/helpers/bomSigner.poku.js +156 -0
package/lib/helpers/ciParsers/azurePipelines.js +295 -0
package/lib/helpers/ciParsers/azurePipelines.poku.js +253 -0
package/lib/helpers/ciParsers/circleCi.js +286 -0
package/lib/helpers/ciParsers/circleCi.poku.js +230 -0
package/lib/helpers/ciParsers/common.js +24 -0
package/lib/helpers/ciParsers/githubActions.js +636 -0
package/lib/helpers/ciParsers/githubActions.poku.js +802 -0
package/lib/helpers/ciParsers/gitlabCi.js +213 -0
package/lib/helpers/ciParsers/gitlabCi.poku.js +247 -0
package/lib/helpers/ciParsers/jenkins.js +181 -0
package/lib/helpers/ciParsers/jenkins.poku.js +197 -0
package/lib/helpers/depsUtils.js +203 -0
package/lib/helpers/depsUtils.poku.js +150 -0
package/lib/helpers/display.js +423 -4
package/lib/helpers/envcontext.js +18 -3
package/lib/helpers/formulationParsers.js +351 -0
package/lib/helpers/logger.js +14 -0
package/lib/helpers/protobom.js +9 -9
package/lib/helpers/pythonutils.js +9 -0
package/lib/helpers/utils.js +681 -406
package/lib/helpers/utils.poku.js +55 -255
package/lib/helpers/versutils.js +202 -0
package/lib/helpers/versutils.poku.js +315 -0
package/lib/helpers/vsixutils.js +1061 -0
package/lib/helpers/vsixutils.poku.js +2247 -0
package/lib/managers/binary.js +19 -19
package/lib/managers/docker.js +108 -1
package/lib/managers/oci.js +10 -0
package/lib/managers/piptree.js +3 -9
package/lib/parsers/npmrc.js +17 -13
package/lib/parsers/npmrc.poku.js +41 -5
package/lib/server/openapi.yaml +1 -1
package/lib/server/server.js +40 -11
package/lib/server/server.poku.js +123 -144
package/lib/stages/postgen/annotator.js +1 -1
package/lib/stages/postgen/auditBom.js +197 -0
package/lib/stages/postgen/auditBom.poku.js +378 -0
package/lib/stages/postgen/postgen.js +54 -1
package/lib/stages/postgen/postgen.poku.js +90 -1
package/lib/stages/postgen/ruleEngine.js +369 -0
package/lib/stages/pregen/envAudit.js +299 -0
package/lib/stages/pregen/envAudit.poku.js +572 -0
package/lib/stages/pregen/pregen.js +12 -8
package/lib/{helpers/validator.js → validator/bomValidator.js} +107 -47
package/lib/validator/complianceEngine.js +241 -0
package/lib/validator/complianceEngine.poku.js +168 -0
package/lib/validator/complianceRules.js +1610 -0
package/lib/validator/complianceRules.poku.js +328 -0
package/lib/validator/index.js +222 -0
package/lib/validator/index.poku.js +144 -0
package/lib/validator/reporters/annotations.js +121 -0
package/lib/validator/reporters/console.js +149 -0
package/lib/validator/reporters/index.js +41 -0
package/lib/validator/reporters/json.js +37 -0
package/lib/validator/reporters/sarif.js +184 -0
package/lib/validator/reporters.poku.js +150 -0
package/package.json +8 -8
package/types/bin/sign.d.ts +3 -0
package/types/bin/sign.d.ts.map +1 -0
package/types/bin/validate.d.ts +3 -0
package/types/bin/validate.d.ts.map +1 -0
package/types/helpers/utils.d.ts +0 -1
package/types/lib/cli/index.d.ts +49 -52
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/db.d.ts +34 -0
package/types/lib/evinser/db.d.ts.map +1 -0
package/types/lib/evinser/evinser.d.ts +63 -16
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/bomSigner.d.ts +27 -0
package/types/lib/helpers/bomSigner.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts +17 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/common.d.ts +11 -0
package/types/lib/helpers/ciParsers/common.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +34 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts +17 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts +21 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -0
package/types/lib/helpers/display.d.ts +111 -11
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/envcontext.d.ts +19 -7
package/types/lib/helpers/envcontext.d.ts.map +1 -1
package/types/lib/helpers/formulationParsers.d.ts +50 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -0
package/types/lib/helpers/logger.d.ts +15 -1
package/types/lib/helpers/logger.d.ts.map +1 -1
package/types/lib/helpers/protobom.d.ts +2 -2
package/types/lib/helpers/pythonutils.d.ts +10 -1
package/types/lib/helpers/pythonutils.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +532 -128
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/helpers/versutils.d.ts +8 -0
package/types/lib/helpers/versutils.d.ts.map +1 -0
package/types/lib/helpers/vsixutils.d.ts +130 -0
package/types/lib/helpers/vsixutils.d.ts.map +1 -0
package/types/lib/managers/docker.d.ts +12 -31
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts +11 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/parsers/npmrc.d.ts +4 -1
package/types/lib/parsers/npmrc.d.ts.map +1 -1
package/types/lib/server/server.d.ts +21 -2
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +20 -0
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -0
package/types/lib/stages/postgen/postgen.d.ts +8 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts +18 -0
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -0
package/types/lib/stages/pregen/envAudit.d.ts +8 -0
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -0
package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
package/types/lib/{helpers/validator.d.ts → validator/bomValidator.d.ts} +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -0
package/types/lib/validator/complianceEngine.d.ts +66 -0
package/types/lib/validator/complianceEngine.d.ts.map +1 -0
package/types/lib/validator/complianceRules.d.ts +70 -0
package/types/lib/validator/complianceRules.d.ts.map +1 -0
package/types/lib/validator/index.d.ts +70 -0
package/types/lib/validator/index.d.ts.map +1 -0
package/types/lib/validator/reporters/annotations.d.ts +31 -0
package/types/lib/validator/reporters/annotations.d.ts.map +1 -0
package/types/lib/validator/reporters/console.d.ts +30 -0
package/types/lib/validator/reporters/console.d.ts.map +1 -0
package/types/lib/validator/reporters/index.d.ts +21 -0
package/types/lib/validator/reporters/index.d.ts.map +1 -0
package/types/lib/validator/reporters/json.d.ts +11 -0
package/types/lib/validator/reporters/json.d.ts.map +1 -0
package/types/lib/validator/reporters/sarif.d.ts +16 -0
package/types/lib/validator/reporters/sarif.d.ts.map +1 -0
package/lib/helpers/db.js +0 -162
package/lib/stages/pregen/env-audit.js +0 -34
package/lib/stages/pregen/env-audit.poku.js +0 -290
package/types/helpers/db.d.ts +0 -35
package/types/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/db.d.ts +0 -35
package/types/lib/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/validator.d.ts.map +0 -1
package/types/lib/stages/pregen/env-audit.d.ts +0 -2
package/types/lib/stages/pregen/env-audit.d.ts.map +0 -1
package/types/managers/binary.d.ts +0 -37
package/types/managers/binary.d.ts.map +0 -1
package/types/managers/docker.d.ts +0 -56
package/types/managers/docker.d.ts.map +0 -1
package/types/managers/oci.d.ts +0 -2
package/types/managers/oci.d.ts.map +0 -1
package/types/managers/piptree.d.ts +0 -2
package/types/managers/piptree.d.ts.map +0 -1
package/types/server/server.d.ts +0 -34
package/types/server/server.d.ts.map +0 -1
package/types/stages/postgen/annotator.d.ts +0 -27
package/types/stages/postgen/annotator.d.ts.map +0 -1
package/types/stages/postgen/postgen.d.ts +0 -51
package/types/stages/postgen/postgen.d.ts.map +0 -1
package/types/stages/pregen/pregen.d.ts +0 -59
package/types/stages/pregen/pregen.d.ts.map +0 -1

package/lib/helpers/versutils.poku.js ADDED Viewed

@@ -0,0 +1,315 @@
+import { strict as assert } from "node:assert";
+import { describe, it } from "poku";
+import { toVersRange } from "./versutils.js";
+describe("toVersRange", () => {
+  // === Basic Validation ===
+  describe("input validation", () => {
+    it("should return empty for null/undefined/empty", () => {
+      assert.strictEqual(toVersRange(null), "");
+      assert.strictEqual(toVersRange(undefined), "");
+      assert.strictEqual(toVersRange(""), "");
+      assert.strictEqual(toVersRange("   "), "");
+    });
+    it("should return empty for non-string input", () => {
+      assert.strictEqual(toVersRange(123), "");
+      assert.strictEqual(toVersRange({}), "");
+      assert.strictEqual(toVersRange([]), "");
+    });
+  });
+  // === Special Markers ===
+  describe("special markers", () => {
+    it("should handle wildcard '*'", () => {
+      assert.strictEqual(toVersRange("*"), "vers:npm/*");
+    });
+    it("should return empty for 'latest'", () => {
+      assert.strictEqual(toVersRange("latest"), "");
+    });
+    it("should return empty for workspace:* references", () => {
+      assert.strictEqual(toVersRange("workspace:*"), "");
+      assert.strictEqual(toVersRange("workspace:^1.0.0"), "");
+      assert.strictEqual(toVersRange("workspace:~"), "");
+    });
+  });
+  // === Simple Operators ===
+  describe("simple comparison operators", () => {
+    it("should handle >= operator", () => {
+      assert.strictEqual(toVersRange(">=4.1.0"), "vers:npm/>=4.1.0");
+      assert.strictEqual(toVersRange(">= 1.6.9"), "vers:npm/>=1.6.9");
+      assert.strictEqual(
+        toVersRange(">=v2.0.0-alpha8"),
+        "vers:npm/>=2.0.0-alpha8",
+      );
+    });
+    it("should handle <= operator", () => {
+      assert.strictEqual(toVersRange("<=4.0.4"), "vers:npm/<=4.0.4");
+      assert.strictEqual(toVersRange("<= 1.6.8"), "vers:npm/<=1.6.8");
+      assert.strictEqual(
+        toVersRange("<=v2.0.0-alpha7"),
+        "vers:npm/<=2.0.0-alpha7",
+      );
+    });
+    it("should handle < operator", () => {
+      assert.strictEqual(toVersRange("<0.0.0"), "vers:npm/<0.0.0");
+      assert.strictEqual(toVersRange("<2.11.2"), "vers:npm/<2.11.2");
+      assert.strictEqual(toVersRange("< 6.1.0"), "vers:npm/<6.1.0");
+    });
+    it("should handle > operator", () => {
+      assert.strictEqual(toVersRange(">0.12.7"), "vers:npm/>0.12.7");
+      assert.strictEqual(toVersRange("> 0.9.6"), "vers:npm/>0.9.6");
+      assert.strictEqual(toVersRange(">3.0.0"), "vers:npm/>3.0.0");
+    });
+    it("should handle = operator (exact version)", () => {
+      assert.strictEqual(toVersRange("=3.0.0-rc.1"), "vers:npm/3.0.0-rc.1");
+    });
+  });
+  // === Exact Versions ===
+  describe("exact versions", () => {
+    it("should convert plain version strings", () => {
+      assert.strictEqual(toVersRange("2.1.4"), "vers:npm/2.1.4");
+      assert.strictEqual(toVersRange("7.0.0"), "vers:npm/7.0.0");
+      assert.strictEqual(toVersRange("2.3.21"), "vers:npm/2.3.21");
+    });
+    it("should handle prerelease exact versions", () => {
+      assert.strictEqual(toVersRange("2.1.0-M1"), "vers:npm/2.1.0-M1");
+      assert.strictEqual(toVersRange("3.0.0-rc.1"), "vers:npm/3.0.0-rc.1");
+    });
+    it("should strip 'v' prefix from versions", () => {
+      assert.strictEqual(toVersRange("v2.0.0"), "vers:npm/2.0.0");
+      assert.strictEqual(
+        toVersRange(">=v2.0.0-alpha8"),
+        "vers:npm/>=2.0.0-alpha8",
+      );
+    });
+  });
+  // === AND Conditions (space-separated) ===
+  describe("AND conditions (space-separated)", () => {
+    it("should convert space-separated ranges to pipe-separated", () => {
+      assert.strictEqual(
+        toVersRange(">=2.0.0 <=4.0.4"),
+        "vers:npm/>=2.0.0|<=4.0.4",
+      );
+      assert.strictEqual(
+        toVersRange(">= 2.0.1 <3.0.2"),
+        "vers:npm/>=2.0.1|<3.0.2",
+      );
+      assert.strictEqual(
+        toVersRange(">= 15.0.0 <= 16.1.0"),
+        "vers:npm/>=15.0.0|<=16.1.0",
+      );
+      assert.strictEqual(
+        toVersRange(">=5.0.3 >=4.2.1"),
+        "vers:npm/>=4.2.1|>=5.0.3",
+      );
+    });
+    it("should handle two-part version padding in AND ranges", () => {
+      assert.strictEqual(
+        toVersRange("<=2.1 >=1.1"),
+        "vers:npm/>=1.1.0|<=2.1.0",
+      );
+    });
+  });
+  // === OR Conditions (||) ===
+  describe("OR conditions (||)", () => {
+    it("should convert || to single |", () => {
+      assert.strictEqual(
+        toVersRange(">=1.5.2 || >=1.4.11 <1.5.0 || >=1.3.2 <1.4.0"),
+        "vers:npm/>=1.3.2|<1.4.0|>=1.4.11|<1.5.0|>=1.5.2",
+      );
+      assert.strictEqual(
+        toVersRange(">=1.3.0 <1.3.2 || >=1.4.0 <1.4.11 || >=1.5.0 <1.5.2"),
+        "vers:npm/>=1.3.0|<1.3.2|>=1.4.0|<1.4.11|>=1.5.0|<1.5.2",
+      );
+    });
+    it("should handle complex OR ranges", () => {
+      assert.strictEqual(
+        toVersRange(
+          ">=3.5.1 <4.0.0 || >=4.1.3 <5.0.0 || >=5.6.1 <6.0.0 || >=6.1.2",
+        ),
+        "vers:npm/>=3.5.1|<4.0.0|>=4.1.3|<5.0.0|>=5.6.1|<6.0.0|>=6.1.2",
+      );
+      assert.strictEqual(
+        toVersRange(">=2.5.0 <= 3.0.0 || >=3.1.0"),
+        "vers:npm/>=2.5.0|<=3.0.0|>=3.1.0",
+      );
+    });
+    it("should handle exact versions in OR ranges", () => {
+      assert.strictEqual(
+        toVersRange("2.1.0-M1 || 2.1.0-M2"),
+        "vers:npm/2.1.0-M1|2.1.0-M2",
+      );
+      assert.strictEqual(
+        toVersRange("=3.10.1 || >=3.10.3"),
+        "vers:npm/3.10.1|>=3.10.3",
+      );
+      assert.strictEqual(toVersRange("2.1 || 2.6"), "vers:npm/2.1.0|2.6.0");
+    });
+  });
+  // === Caret Ranges (^) ===
+  describe("caret ranges (^)", () => {
+    it("should expand caret for major >= 1", () => {
+      assert.strictEqual(toVersRange("^1.2.9"), "vers:npm/>=1.2.9|<2.0.0");
+      assert.strictEqual(toVersRange("^2.0.18"), "vers:npm/>=2.0.18|<3.0.0");
+      assert.strictEqual(toVersRange("^4.0.8"), "vers:npm/>=4.0.8|<5.0.0");
+    });
+    it("should expand caret for major = 0, minor > 0", () => {
+      assert.strictEqual(
+        toVersRange("^0.2.1-beta"),
+        "vers:npm/>=0.2.1-beta|<0.3.0",
+      );
+      assert.strictEqual(toVersRange("^0.2.3"), "vers:npm/>=0.2.3|<0.3.0");
+    });
+    it("should expand caret for major = 0, minor = 0", () => {
+      assert.strictEqual(
+        toVersRange("^0.0.2-beta"),
+        "vers:npm/>=0.0.2-beta|<0.0.3",
+      );
+      assert.strictEqual(toVersRange("^0.0.3"), "vers:npm/>=0.0.3|<0.0.4");
+    });
+    it("should handle caret with prerelease", () => {
+      assert.strictEqual(
+        toVersRange("^1.2.3-beta.1"),
+        "vers:npm/>=1.2.3-beta.1|<2.0.0",
+      );
+      assert.strictEqual(
+        toVersRange("^5.0.0-beta.5"),
+        "vers:npm/>=5.0.0-beta.5|<6.0.0",
+      );
+    });
+    it("should handle multiple caret ranges with OR", () => {
+      assert.strictEqual(
+        toVersRange("^2.0.18 || ^3.0.16 || ^3.1.6 || ^4.0.8 || ^5.0.0-beta.5"),
+        "vers:npm/>=2.0.18|<3.0.0|>=3.0.16|>=3.1.6|<4.0.0|<4.0.0|>=4.0.8|>=5.0.0-beta.5|<5.0.0|<6.0.0",
+      );
+    });
+  });
+  // === Tilde Ranges (~) ===
+  describe("tilde ranges (~)", () => {
+    it("should expand tilde ranges", () => {
+      assert.strictEqual(toVersRange("~3.8.2"), "vers:npm/>=3.8.2|<3.9.0");
+      assert.strictEqual(toVersRange("~1.6.5"), "vers:npm/>=1.6.5|<1.7.0");
+    });
+    it("should handle tilde with prerelease", () => {
+      assert.strictEqual(
+        toVersRange("~0.8.0-pre"),
+        "vers:npm/>=0.8.0-pre|<0.8.0|>=0.8.0|<0.8.1",
+      );
+    });
+    it("should handle tilde in OR ranges", () => {
+      assert.strictEqual(
+        toVersRange("~1.6.5 || >=1.7.2"),
+        "vers:npm/>=1.6.5|<1.7.0|>=1.7.2",
+      );
+      assert.strictEqual(
+        toVersRange("~0.2.2 || >=0.3.2"),
+        "vers:npm/>=0.2.2|<0.3.0|>=0.3.2",
+      );
+    });
+  });
+  // === X-Wildcard Ranges ===
+  describe("x-wildcard ranges", () => {
+    it("should expand major.x patterns", () => {
+      assert.strictEqual(toVersRange(">= 1.x"), "vers:npm/>=1.0.0|<2.0.0");
+      assert.strictEqual(toVersRange(">= 2.2.x"), "vers:npm/>=2.2.0|<2.3.0");
+    });
+    it("should expand minor.x patterns", () => {
+      assert.strictEqual(toVersRange("1.2.x"), "vers:npm/>=1.2.0|<1.3.0");
+      assert.strictEqual(
+        toVersRange("2.0.x || 2.1.x"),
+        "vers:npm/>=2.0.0|<2.1.0|>=2.1.0|<2.2.0",
+      );
+    });
+  });
+  // === Hyphen Ranges ===
+  describe("hyphen ranges", () => {
+    it("should convert hyphen ranges to >= and <=", () => {
+      assert.strictEqual(
+        toVersRange("5.0.0 - 7.2.3"),
+        "vers:npm/>=5.0.0|<=7.2.3",
+      );
+    });
+  });
+  // === Version Padding ===
+  describe("version padding", () => {
+    it("should pad two-part versions to three parts", () => {
+      assert.strictEqual(toVersRange(">= 1.1"), "vers:npm/>=1.1.0");
+      assert.strictEqual(toVersRange("<= 1.0"), "vers:npm/<=1.0.0");
+      assert.strictEqual(toVersRange(">= 3.11"), "vers:npm/>=3.11.0");
+      assert.strictEqual(toVersRange("<3.11"), "vers:npm/<3.11.0");
+      assert.strictEqual(toVersRange(">=4.5"), "vers:npm/>=4.5.0");
+    });
+    it("should handle padded versions in ranges", () => {
+      assert.strictEqual(
+        toVersRange(">=3.11 <4 || >=4.5"),
+        "vers:npm/>=3.11.0|<4.0.0|>=4.5.0",
+      );
+    });
+  });
+  // === Edge Cases ===
+  describe("edge cases", () => {
+    it("should handle large version numbers", () => {
+      assert.strictEqual(
+        toVersRange("<=99.999.99999"),
+        "vers:npm/<=99.999.99999",
+      );
+      assert.strictEqual(toVersRange("<99.999.9999"), "vers:npm/<99.999.9999");
+    });
+    it("should handle spacing variations", () => {
+      assert.strictEqual(toVersRange(">= 1.6.9"), "vers:npm/>=1.6.9");
+      assert.strictEqual(toVersRange("<  2.0.5"), "vers:npm/<2.0.5");
+      assert.strictEqual(
+        toVersRange(">=3.4.6 < 4.0.0|| >=4.0.5"),
+        "vers:npm/>=3.4.6|<4.0.0|>=4.0.5",
+      );
+    });
+    it("should handle mixed operators in compound ranges", () => {
+      assert.strictEqual(
+        toVersRange("<5.0.3 >=5.0.0 || < 4.2.1"),
+        "vers:npm/<4.2.1|>=5.0.0|<5.0.3",
+      );
+      assert.strictEqual(
+        toVersRange("<1.6.5 || < 2.1.7 > 2.0.0"),
+        "vers:npm/<1.6.5|>2.0.0|<2.1.7",
+      );
+    });
+    it("should handle multiple exact versions", () => {
+      assert.strictEqual(toVersRange("1.1.2 1.2.2"), "vers:npm/1.1.2|1.2.2");
+    });
+  });
+});