@cyclonedx/cdxgen 12.1.5 → 12.2.0

package/lib/evinser/db.js

@@ -0,0 +1,137 @@
+class Model {
+  constructor(tableName) {
+    this.tableName = tableName;
+    this.store = new Map();
+  }
+
+  async init() {
+    this.store.clear();
+  }
+
+  async findByPk(purl) {
+    if (this.store.has(purl)) {
+      const record = this.store.get(purl);
+      let parsedData;
+
+      try {
+        parsedData = JSON.parse(record.dataStr);
+      } catch (_e) {
+        parsedData = record.dataStr;
+      }
+
+      return {
+        purl: record.purl,
+        data: parsedData,
+        createdAt: record.createdAt,
+        updatedAt: record.updatedAt,
+      };
+    }
+
+    return null;
+  }
+
+  async findOrCreate(options) {
+    const { where, defaults } = options;
+    const existing = await this.findByPk(where.purl);
+
+    if (existing) {
+      return [existing, false];
+    }
+
+    let dataStr;
+    if (typeof defaults.data === "string") {
+      dataStr = defaults.data;
+    } else {
+      dataStr = JSON.stringify(defaults.data);
+    }
+
+    const now = new Date().toISOString();
+    const searchStr = dataStr.toLowerCase();
+
+    const record = {
+      purl: defaults.purl,
+      dataStr: dataStr,
+      searchStr: searchStr,
+      createdAt: now,
+      updatedAt: now,
+    };
+
+    this.store.set(defaults.purl, record);
+
+    let parsedData;
+    try {
+      parsedData = JSON.parse(record.dataStr);
+    } catch (_e) {
+      parsedData = record.dataStr;
+    }
+
+    const instance = {
+      purl: record.purl,
+      data: parsedData,
+      createdAt: record.createdAt,
+      updatedAt: record.updatedAt,
+    };
+
+    return [instance, true];
+  }
+
+  async findAll(options) {
+    const results = [];
+    let searchTerm = null;
+
+    if (options?.where?.data?.like) {
+      searchTerm = options.where.data.like.replace(/%/g, "").toLowerCase();
+    }
+
+    for (const record of this.store.values()) {
+      let matches = true;
+
+      if (searchTerm) {
+        if (!record.searchStr.includes(searchTerm)) {
+          matches = false;
+        }
+      }
+
+      if (matches) {
+        let parsedData;
+        try {
+          parsedData = JSON.parse(record.dataStr);
+        } catch (_e) {
+          parsedData = record.dataStr;
+        }
+
+        results.push({
+          purl: record.purl,
+          data: parsedData,
+          createdAt: record.createdAt,
+          updatedAt: record.updatedAt,
+        });
+      }
+    }
+
+    return results;
+  }
+}
+
+export const createOrLoad = async () => {
+  const Namespaces = new Model("Namespaces");
+  const Usages = new Model("Usages");
+  const DataFlows = new Model("DataFlows");
+
+  await Namespaces.init();
+  await Usages.init();
+  await DataFlows.init();
+
+  const sequelize = {
+    close: () => {
+      return true;
+    },
+  };
+
+  return {
+    sequelize,
+    Namespaces,
+    Usages,
+    DataFlows,
+  };
+};

package/lib/{helpers → evinser}/db.poku.js

@@ -2,12 +2,8 @@ import { assert, describe, test } from "poku";
 
 import { createOrLoad } from "./db.js";
 
-describe("SQLite3 Helper Tests", async () => {
-  const { sequelize, Namespaces } = await createOrLoad(
-    "test.db",
-    ":memory:",
-    false,
-  );
+describe("In-Memory DB Helper Tests", async () => {
+  const { sequelize, Namespaces } = await createOrLoad();
 
   await test("Model Initialization", () => {
     assert.ok(sequelize, "Database instance should exist");

package/lib/evinser/evinser.js

@@ -5,7 +5,6 @@ import process from "node:process";
 import { PackageURL } from "packageurl-js";
 
 import { findCryptoAlgos } from "../helpers/cbomutils.js";
-import * as db from "../helpers/db.js";
 import {
   collectGradleDependencies,
   collectMvnDependencies,
@@ -18,13 +17,12 @@ import {
   getTmpDir,
   PROJECT_TYPE_ALIASES,
   safeExistsSync,
-  safeMkdirSync,
 } from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
+import { createOrLoad } from "./db.js";
 import { findPurlLocations } from "./scalasem.js";
 import { createSemanticsSlices } from "./swiftsem.js";
 
-const DB_NAME = "evinser.db";
 const typePurlsCache = {};
 
 /**
@@ -33,13 +31,6 @@ const typePurlsCache = {};
  * @param {Object} options Command line options
  */
 export async function prepareDB(options) {
-  if (!options.dbPath.includes("memory") && !safeExistsSync(options.dbPath)) {
-    try {
-      safeMkdirSync(options.dbPath, { recursive: true });
-    } catch (_e) {
-      // ignore
-    }
-  }
   const dirPath = options._[0] || ".";
   const bomJsonFile = options.input;
   if (!safeExistsSync(bomJsonFile)) {
@@ -61,10 +52,7 @@ export async function prepareDB(options) {
     process.exit(0);
   }
   const components = bomJson.components || [];
-  const { sequelize, Namespaces, Usages, DataFlows } = await db.createOrLoad(
-    DB_NAME,
-    options.dbPath,
-  );
+  const { sequelize, Namespaces, Usages, DataFlows } = await createOrLoad();
   let hasMavenPkgs = false;
   // We need to slice only non-maven packages
   const purlsToSlice = {};

package/lib/helpers/bomSigner.js

@@ -0,0 +1,312 @@
+import crypto from "node:crypto";
+
+/**
+ * Lightweight, deterministic JSON Canonicalizer (similar to RFC 8785).
+ * Required by JSF to ensure the signature payload remains identical across systems.
+ *
+ * @param {any} value - The JSON object/value to canonicalize
+ * @returns {string} - Canonicalized JSON string
+ */
+function canonicalize(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return `[${value.map(canonicalize).join(",")}]`;
+  }
+  const keys = Object.keys(value).sort();
+  let str = "{";
+  for (let i = 0; i < keys.length; i++) {
+    if (i > 0) str += ",";
+    str += `${JSON.stringify(keys[i])}:${canonicalize(value[keys[i]])}`;
+  }
+  str += "}";
+  return str;
+}
+
+/**
+ * Creates a JSF-compliant signature block.
+ *
+ * @param {Object} payload - The object to sign (e.g., BOM, component)
+ * @param {string|Buffer|crypto.KeyObject} privateKey - The signing key
+ * @param {string} alg - JSF algorithm identifier
+ * @param {Object} [publicKeyJwk] - Optional JWK representation of the public key
+ * @param {string} keyId - Key ID
+ *
+ * @returns {Object} - JSF signature block
+ */
+function createSignatureBlock(
+  payload,
+  privateKey,
+  alg,
+  publicKeyJwk = null,
+  keyId = null,
+) {
+  // Exclude existing signatures from the canonicalized payload as per JSF
+  const { signature, ...dataToSign } = payload;
+  const canonicalData = canonicalize(dataToSign);
+
+  let hashAlg;
+  const signOptions = { key: privateKey };
+
+  // Handle HMAC (Symmetric)
+  if (alg.startsWith("HS")) {
+    const hash = alg.replace("HS", "sha");
+    const value = crypto
+      .createHmac(hash, privateKey)
+      .update(canonicalData, "utf8")
+      .digest("base64url");
+    const block = { algorithm: alg, value };
+    if (publicKeyJwk) {
+      block.publicKey = publicKeyJwk;
+    }
+    if (keyId) {
+      block.keyId = keyId;
+    }
+    return block;
+  }
+
+  // Handle Asymmetric Algorithms
+  if (alg.startsWith("RS")) {
+    hashAlg = alg.replace("RS", "SHA");
+  } else if (alg.startsWith("PS")) {
+    hashAlg = alg.replace("PS", "SHA");
+    signOptions.padding = crypto.constants.RSA_PKCS1_PSS_PADDING;
+    signOptions.saltLength = crypto.constants.RSA_PSS_SALTLEN_AUTO;
+  } else if (alg.startsWith("ES")) {
+    hashAlg = alg.replace("ES", "SHA");
+    // Standard JWA format requires IEEE P1363 (R || S) instead of ASN.1 DER
+    signOptions.dsaEncoding = "ieee-p1363";
+  } else if (alg === "Ed25519" || alg === "Ed448") {
+    // Native EdDSA algorithms do not require a separate hash algorithm definition
+    hashAlg = null;
+  } else {
+    throw new Error(`Unsupported JSF algorithm: ${alg}`);
+  }
+  const sigBuffer = crypto.sign(
+    hashAlg,
+    Buffer.from(canonicalData, "utf8"),
+    signOptions,
+  );
+  const block = { algorithm: alg, value: sigBuffer.toString("base64url") };
+  if (publicKeyJwk) {
+    block.publicKey = publicKeyJwk;
+  }
+  if (keyId) {
+    block.keyId = keyId;
+  }
+  return block;
+}
+
+/**
+ * Appends or replaces a signature on a target object based on the configured mode.
+ */
+function addSignature(target, sigBlock, mode) {
+  if (!target.signature) {
+    target.signature = sigBlock;
+    return;
+  }
+  if (mode === "chain") {
+    if (target.signature.chain) {
+      target.signature.chain.push(sigBlock);
+    } else if (target.signature.signers) {
+      throw new Error("Cannot mix signature chains and multi-signers.");
+    } else {
+      target.signature = { chain: [target.signature, sigBlock] };
+    }
+  } else if (mode === "signers") {
+    if (target.signature.signers) {
+      target.signature.signers.push(sigBlock);
+    } else if (target.signature.chain) {
+      throw new Error("Cannot mix signature chains and multi-signers.");
+    } else {
+      target.signature = { signers: [target.signature, sigBlock] };
+    }
+  } else {
+    target.signature = sigBlock;
+  }
+}
+
+/**
+ * Recursively applies signatures to the BOM and its granular components.
+ *
+ * @param {Object} bomJson - CycloneDX BOM Object
+ * @param {Object} options - Signing options { privateKey, algorithm, mode, ... }
+ * @returns {Object} - Signed BOM Object
+ */
+export function signBom(bomJson, options = {}) {
+  const {
+    privateKey,
+    algorithm = "RS512",
+    publicKeyJwk = null,
+    keyId = null,
+    mode = "replace", // Supports: 'replace', 'chain', 'signers'
+    signComponents = true,
+    signServices = true,
+    signAnnotations = true,
+  } = options;
+
+  if (!privateKey) {
+    throw new Error("privateKey is required for signing");
+  }
+  if (signComponents && Array.isArray(bomJson.components)) {
+    for (const comp of bomJson.components) {
+      addSignature(
+        comp,
+        createSignatureBlock(comp, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  if (signServices && Array.isArray(bomJson.services)) {
+    for (const svc of bomJson.services) {
+      addSignature(
+        svc,
+        createSignatureBlock(svc, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  if (signAnnotations && Array.isArray(bomJson.annotations)) {
+    for (const ann of bomJson.annotations) {
+      addSignature(
+        ann,
+        createSignatureBlock(ann, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  addSignature(
+    bomJson,
+    createSignatureBlock(bomJson, privateKey, algorithm, publicKeyJwk, keyId),
+    mode,
+  );
+  return bomJson;
+}
+
+/**
+ * Validates a single JSF signature block against the payload.
+ *
+ * @param {Object} payload - The payload to verify
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @param {Object} sigBlock Signature
+ *
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+function verifySignatureBlock(payload, publicKey, sigBlock) {
+  const { signature, ...dataToVerify } = payload;
+  const canonicalData = canonicalize(dataToVerify);
+
+  const { algorithm: alg, value } = sigBlock;
+
+  if (alg.startsWith("HS")) {
+    const hash = alg.replace("HS", "sha");
+    const expected = crypto
+      .createHmac(hash, publicKey)
+      .update(canonicalData, "utf8")
+      .digest("base64url");
+    const isValid = expected === value;
+    return isValid ? sigBlock : false;
+  }
+
+  const verifyOptions = { key: publicKey };
+  let hashAlg;
+
+  if (alg.startsWith("RS")) {
+    hashAlg = alg.replace("RS", "SHA");
+  } else if (alg.startsWith("PS")) {
+    hashAlg = alg.replace("PS", "SHA");
+    verifyOptions.padding = crypto.constants.RSA_PKCS1_PSS_PADDING;
+    verifyOptions.saltLength = crypto.constants.RSA_PSS_SALTLEN_AUTO;
+  } else if (alg.startsWith("ES")) {
+    hashAlg = alg.replace("ES", "SHA");
+    verifyOptions.dsaEncoding = "ieee-p1363";
+  } else if (alg === "Ed25519" || alg === "Ed448") {
+    hashAlg = null;
+  } else {
+    console.warn(`${alg} is unknown.`);
+    return false;
+  }
+
+  const isValid = crypto.verify(
+    hashAlg,
+    Buffer.from(canonicalData, "utf8"),
+    verifyOptions,
+    Buffer.from(value, "base64url"),
+  );
+  return isValid ? sigBlock : false;
+}
+
+/**
+ * Verifies the integrity of a specific element node (e.g., BOM root, Component, Service, Annotation).
+ * Resolves standard JSF signatures, multisignature (signers), and chains.
+ *
+ * @param {Object} node - The BOM or granular object to verify
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+export function verifyNode(node, publicKey) {
+  if (!node?.signature) {
+    return false;
+  }
+  const sigTarget = node.signature;
+  if (sigTarget.signers) {
+    for (const sig of sigTarget.signers) {
+      const match = verifySignatureBlock(node, publicKey, sig);
+      if (match) {
+        return match;
+      }
+    }
+    return false;
+  }
+  if (sigTarget.chain) {
+    for (const sig of sigTarget.chain) {
+      const match = verifySignatureBlock(node, publicKey, sig);
+      if (match) {
+        return match;
+      }
+    }
+    return false;
+  }
+  return verifySignatureBlock(node, publicKey, sigTarget);
+}
+
+/**
+ * Verifies the integrity of a BOM's top-level signature, as well as nested components, services, and annotations.
+ * Returns true only if the root signature is valid AND all signed nested elements are valid.
+ *
+ * @param {Object} bom - CycloneDX BOM Object
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+export function verifyBom(bom, publicKey) {
+  if (!bom?.signature) {
+    return false;
+  }
+  const rootMatch = verifyNode(bom, publicKey);
+  if (!rootMatch) {
+    return false;
+  }
+  if (Array.isArray(bom.components)) {
+    for (const comp of bom.components) {
+      if (comp.signature && !verifyNode(comp, publicKey)) {
+        return false;
+      }
+    }
+  }
+  if (Array.isArray(bom.services)) {
+    for (const svc of bom.services) {
+      if (svc.signature && !verifyNode(svc, publicKey)) {
+        return false;
+      }
+    }
+  }
+  if (Array.isArray(bom.annotations)) {
+    for (const ann of bom.annotations) {
+      if (ann.signature && !verifyNode(ann, publicKey)) {
+        return false;
+      }
+    }
+  }
+  return rootMatch;
+}

package/lib/helpers/bomSigner.poku.js

@@ -0,0 +1,156 @@
+import assert from "node:assert";
+import crypto from "node:crypto";
+
+import { describe, it } from "poku";
+
+import { signBom, verifyBom, verifyNode } from "./bomSigner.js";
+
+const rsaKeys = crypto.generateKeyPairSync("rsa", {
+  modulusLength: 2048,
+  publicKeyEncoding: { type: "spki", format: "pem" },
+  privateKeyEncoding: { type: "pkcs8", format: "pem" },
+});
+
+const ecKeys = crypto.generateKeyPairSync("ec", {
+  namedCurve: "prime256v1",
+  publicKeyEncoding: { type: "spki", format: "pem" },
+  privateKeyEncoding: { type: "pkcs8", format: "pem" },
+});
+
+const generateMockBom = () => ({
+  bomFormat: "CycloneDX",
+  specVersion: "1.6",
+  components: [{ type: "library", name: "cdxgen", version: "1.0.0" }],
+  services: [{ name: "acme-service", endpoints: ["https://appthreat.com"] }],
+  annotations: [{ subject: "ref-1", annotator: { name: "System" } }],
+});
+
+describe("bomSigner Tests", async () => {
+  it("Test basic RS512 Signature & Verification", () => {
+    const bomRsa = generateMockBom();
+    const signedRsa = signBom(bomRsa, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+    });
+    assert.ok(signedRsa.signature, "Root BOM should be signed");
+    assert.strictEqual(signedRsa.signature.algorithm, "RS512");
+    assert.ok(
+      signedRsa.components[0].signature,
+      "Granular component should be signed",
+    );
+    assert.ok(
+      signedRsa.services[0].signature,
+      "Granular service should be signed",
+    );
+    assert.ok(
+      signedRsa.annotations[0].signature,
+      "Granular annotation should be signed",
+    );
+    assert.ok(verifyBom(signedRsa, rsaKeys.publicKey));
+  });
+
+  it("Test ECDSA (ES256) Signature & Verification (JWA IEEE P1363 Format Compliance)", () => {
+    const bomEc = generateMockBom();
+    const signedEc = signBom(bomEc, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+    });
+    assert.strictEqual(signedEc.signature.algorithm, "ES256");
+    assert.ok(verifyBom(signedEc, ecKeys.publicKey));
+    const signedRsa = signBom(bomEc, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+    });
+    assert.strictEqual(
+      verifyBom(signedRsa, ecKeys.publicKey),
+      false,
+      "Verification must fail with the wrong public key",
+    );
+  });
+
+  it("Test Multi-Signature Support (`signers`)", () => {
+    const bomMulti = generateMockBom();
+
+    // 1st Pass: First signer signs the whole BOM including inner elements
+    signBom(bomMulti, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+      mode: "signers",
+    });
+
+    assert.ok(
+      bomMulti.signature.algorithm,
+      "Initial signature block takes root format",
+    );
+
+    // 2nd Pass: Second signer ONLY co-signs the root BOM.
+    signBom(bomMulti, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+      mode: "signers",
+      signComponents: false,
+      signServices: false,
+      signAnnotations: false,
+    });
+
+    assert.ok(
+      Array.isArray(bomMulti.signature.signers),
+      "Signature should be converted to signers array",
+    );
+
+    assert.strictEqual(
+      bomMulti.signature.signers.length,
+      2,
+      "Should contain exactly two signers",
+    );
+
+    // RSA key signed EVERYTHING (root + components), so full deep verifyBom passes
+    assert.ok(verifyBom(bomMulti, rsaKeys.publicKey));
+
+    // EC key ONLY signed the root.
+    assert.ok(verifyNode(bomMulti, ecKeys.publicKey));
+  });
+
+  it("Test Signature Chain Support (`chain`)", () => {
+    const bomChain = generateMockBom();
+
+    signBom(bomChain, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+      mode: "chain",
+    });
+
+    signBom(bomChain, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+      mode: "chain",
+      signComponents: false,
+      signServices: false,
+      signAnnotations: false,
+    });
+
+    assert.ok(
+      Array.isArray(bomChain.signature.chain),
+      "Signature should be converted to chain array",
+    );
+
+    assert.strictEqual(bomChain.signature.chain.length, 2);
+
+    // RSA key signed everything, verifyBom works
+    assert.ok(verifyBom(bomChain, rsaKeys.publicKey));
+
+    // EC key only chained the root, verifyNode strictly checks the root
+    assert.ok(verifyNode(bomChain, ecKeys.publicKey));
+  });
+
+  it("Test HMAC Symmetric Signature (HS256)", () => {
+    const symmetricKey = crypto.randomBytes(32).toString("hex");
+    const bomHmac = generateMockBom();
+    const signedHmac = signBom(bomHmac, {
+      privateKey: symmetricKey,
+      algorithm: "HS256",
+    });
+    assert.strictEqual(signedHmac.signature.algorithm, "HS256");
+    assert.ok(verifyBom(signedHmac, symmetricKey));
+  });
+});