@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/helpers/ciParsers/gitlabCi.js

@@ -0,0 +1,213 @@
+import { readFileSync } from "node:fs";
+
+import { v4 as uuidv4 } from "uuid";
+import { parse as _load } from "yaml";
+
+import { disambiguateSteps } from "./common.js";
+
+/**
+ * Parse a single .gitlab-ci.yml file and return formulation-shaped data.
+ *
+ * @param {string} f Absolute path to the YAML file
+ * @param {Object} _options CLI options
+ * @returns {{ workflows: Object[], components: Object[], services: Object[], properties: Object[], dependencies: Object[] }}
+ */
+function parseGitlabCiFile(f, _options) {
+  const workflows = [];
+  const components = [];
+  const services = [];
+  const dependencies = [];
+
+  let raw;
+  try {
+    raw = readFileSync(f, { encoding: "utf-8" });
+  } catch (_e) {
+    return { workflows, components, services, properties: [], dependencies };
+  }
+
+  let yamlObj;
+  try {
+    yamlObj = _load(raw);
+  } catch (_e) {
+    return { workflows, components, services, properties: [], dependencies };
+  }
+
+  if (!yamlObj || typeof yamlObj !== "object") {
+    return { workflows, components, services, properties: [], dependencies };
+  }
+
+  // Top-level reserved keys that are not job names
+  const RESERVED_KEYS = new Set([
+    "image",
+    "services",
+    "stages",
+    "types",
+    "before_script",
+    "after_script",
+    "variables",
+    "cache",
+    "include",
+    "workflow",
+    "default",
+    "pages",
+    ".pre",
+    ".post",
+  ]);
+
+  const globalImage = yamlObj.image?.name || yamlObj.image || "";
+  const stages = Array.isArray(yamlObj.stages) ? yamlObj.stages : [];
+
+  // Collect global services as CycloneDX service objects
+  const globalServices = Array.isArray(yamlObj.services)
+    ? yamlObj.services
+    : [];
+  for (const svc of globalServices) {
+    const svcName = typeof svc === "string" ? svc : svc?.name || "";
+    if (svcName) {
+      services.push({ name: svcName });
+    }
+  }
+
+  const tasks = [];
+  const workflowRef = uuidv4();
+  const workflowDependsOn = [];
+
+  for (const key of Object.keys(yamlObj)) {
+    if (RESERVED_KEYS.has(key) || key.startsWith(".")) {
+      continue;
+    }
+    const job = yamlObj[key];
+    if (!job || typeof job !== "object" || Array.isArray(job)) {
+      continue;
+    }
+
+    const jobRef = uuidv4();
+    const steps = [];
+    const jobProperties = [{ name: "cdx:gitlab:job:name", value: key }];
+
+    const jobStage = job.stage || "test";
+    jobProperties.push({ name: "cdx:gitlab:job:stage", value: jobStage });
+
+    const jobImage = job.image?.name || job.image || globalImage;
+    if (jobImage) {
+      jobProperties.push({ name: "cdx:gitlab:job:image", value: jobImage });
+      components.push({ type: "container", name: jobImage });
+    }
+
+    const jobEnv = job.environment?.name || job.environment || "";
+    if (jobEnv) {
+      jobProperties.push({ name: "cdx:gitlab:job:environment", value: jobEnv });
+    }
+
+    // Collect job-level services
+    const jobServices = Array.isArray(job.services) ? job.services : [];
+    for (const svc of jobServices) {
+      const svcName = typeof svc === "string" ? svc : svc?.name || "";
+      if (svcName) {
+        services.push({ name: svcName });
+      }
+    }
+    if (jobServices.length) {
+      jobProperties.push({
+        name: "cdx:gitlab:job:services",
+        value: jobServices
+          .map((s) => (typeof s === "string" ? s : s?.name || ""))
+          .join(","),
+      });
+    }
+
+    const jobNeeds = Array.isArray(job.needs) ? job.needs : [];
+    if (jobNeeds.length) {
+      const jobNeedNames = jobNeeds
+        .map((need) => (typeof need === "string" ? need : need?.job || ""))
+        .filter(Boolean);
+      if (jobNeedNames.length) {
+        jobProperties.push({
+          name: "cdx:gitlab:job:needs",
+          value: jobNeedNames.join(","),
+        });
+      }
+    }
+
+    // before_script
+    for (const cmd of Array.isArray(job.before_script)
+      ? job.before_script
+      : []) {
+      steps.push({ name: "before_script", commands: [{ executed: cmd }] });
+    }
+    // script (main)
+    for (const cmd of Array.isArray(job.script) ? job.script : []) {
+      steps.push({ name: "script", commands: [{ executed: cmd }] });
+    }
+    // after_script
+    for (const cmd of Array.isArray(job.after_script) ? job.after_script : []) {
+      steps.push({ name: "after_script", commands: [{ executed: cmd }] });
+    }
+
+    tasks.push({
+      "bom-ref": jobRef,
+      uid: jobRef,
+      name: key,
+      taskTypes: ["build"],
+      steps: disambiguateSteps(steps),
+      properties: jobProperties,
+    });
+    workflowDependsOn.push(jobRef);
+  }
+
+  const stagesProperty = stages.length
+    ? [{ name: "cdx:gitlab:stages", value: stages.join(",") }]
+    : [];
+
+  const workflow = {
+    "bom-ref": workflowRef,
+    uid: workflowRef,
+    name: "GitLab CI Pipeline",
+    taskTypes: ["build"],
+    tasks: tasks.length ? tasks : undefined,
+    properties: [{ name: "cdx:gitlab:config", value: f }, ...stagesProperty],
+  };
+
+  workflows.push(workflow);
+  if (workflowDependsOn.length) {
+    dependencies.push({ ref: workflowRef, dependsOn: workflowDependsOn });
+  }
+
+  return { workflows, components, services, properties: [], dependencies };
+}
+
+/**
+ * GitLab CI formulation parser.
+ *
+ * Matches `.gitlab-ci.yml` files and converts them into CycloneDX formulation
+ * workflow objects. Each GitLab job becomes a task; script lines become steps.
+ *
+ * Parser contract: `parse(files, options)` returns
+ * `{ workflows, components, services, properties, dependencies }`.
+ */
+export const gitlabCiParser = {
+  id: "gitlab-ci",
+  patterns: ["**/.gitlab-ci.yml", ".gitlab-ci.yml"],
+
+  /**
+   * @param {string[]} files Matched CI config file paths
+   * @param {Object} options CLI options
+   * @returns {{ workflows: Object[], components: Object[], services: Object[], properties: Object[], dependencies: Object[] }}
+   */
+  parse(files, options) {
+    const workflows = [];
+    const components = [];
+    const services = [];
+    const dependencies = [];
+
+    for (const f of files) {
+      const result = parseGitlabCiFile(f, options);
+      workflows.push(...result.workflows);
+      components.push(...result.components);
+      services.push(...result.services);
+      dependencies.push(...result.dependencies);
+    }
+
+    return { workflows, components, services, properties: [], dependencies };
+  },
+};

package/lib/helpers/ciParsers/gitlabCi.poku.js

@@ -0,0 +1,247 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { assert, describe, it } from "poku";
+
+import { gitlabCiParser } from "./gitlabCi.js";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(__dirname, "../../..");
+
+describe("gitlabCiParser", () => {
+  it("has correct metadata", () => {
+    assert.strictEqual(gitlabCiParser.id, "gitlab-ci");
+    assert.ok(Array.isArray(gitlabCiParser.patterns));
+    assert.ok(gitlabCiParser.patterns.length > 0);
+    assert.strictEqual(typeof gitlabCiParser.parse, "function");
+  });
+
+  it("returns empty arrays for no files", () => {
+    const result = gitlabCiParser.parse([], {});
+    assert.deepStrictEqual(result.workflows, []);
+    assert.deepStrictEqual(result.components, []);
+    assert.deepStrictEqual(result.services, []);
+    assert.deepStrictEqual(result.properties, []);
+    assert.deepStrictEqual(result.dependencies, []);
+  });
+
+  it("parses the GitLab CI fixture", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    assert.ok(Array.isArray(result.workflows));
+    assert.strictEqual(result.workflows.length, 1, "expected one workflow");
+
+    const wf = result.workflows[0];
+    assert.ok(wf["bom-ref"]);
+    assert.strictEqual(wf.name, "GitLab CI Pipeline");
+    assert.ok(Array.isArray(wf.tasks));
+    assert.ok(wf.tasks.length > 0, "expected at least one task (job)");
+
+    const jobNames = wf.tasks.map((t) => t.name);
+    assert.ok(jobNames.includes("build"), "expected build job");
+    assert.ok(jobNames.includes("test"), "expected test job");
+
+    // image used in jobs captured as components
+    assert.ok(Array.isArray(result.components));
+    const compNames = result.components.map((c) => c.name);
+    assert.ok(
+      compNames.includes("node:20"),
+      "expected node:20 container component",
+    );
+  });
+
+  it("extracts services from jobs", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const result = gitlabCiParser.parse([f], {});
+    // The test job has services: [postgres:14, redis:7]
+    assert.ok(Array.isArray(result.services));
+    assert.ok(
+      result.services.length > 0,
+      "expected at least one service from jobs",
+    );
+    const svcNames = result.services.map((s) => s.name);
+    assert.ok(
+      svcNames.some((n) => n.includes("postgres")),
+      "expected postgres service",
+    );
+    assert.ok(
+      svcNames.some((n) => n.includes("redis")),
+      "expected redis service",
+    );
+  });
+
+  it("produces workflow dependency links", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    assert.ok(result.dependencies.length > 0);
+    const wfDep = result.dependencies.find(
+      (d) => d.ref === result.workflows[0]["bom-ref"],
+    );
+    assert.ok(wfDep);
+    assert.ok(wfDep.dependsOn.length > 0);
+  });
+
+  it("gracefully handles missing file", () => {
+    const result = gitlabCiParser.parse(["/no/such/file/.gitlab-ci.yml"], {});
+    assert.deepStrictEqual(result.workflows, []);
+    assert.deepStrictEqual(result.components, []);
+  });
+
+  it("skips anchor/reserved keys", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const result = gitlabCiParser.parse([f], {});
+    const taskNames = result.workflows[0].tasks.map((t) => t.name);
+    // Should not include 'image', 'stages', 'variables', 'cache', 'services'
+    assert.ok(!taskNames.includes("image"));
+    assert.ok(!taskNames.includes("stages"));
+    assert.ok(!taskNames.includes("variables"));
+    assert.ok(!taskNames.includes("cache"));
+  });
+
+  it("parses gitlab-ci-rules.yml: all jobs extracted (rules-based pipeline)", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-rules.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    assert.strictEqual(result.workflows.length, 1);
+    const taskNames = result.workflows[0].tasks.map((t) => t.name);
+
+    // Core jobs must be present
+    assert.ok(taskNames.includes("flake8"), "expected flake8 job");
+    assert.ok(taskNames.includes("mypy"), "expected mypy job");
+    assert.ok(taskNames.includes("build:wheel"), "expected build:wheel job");
+    assert.ok(taskNames.includes("build:docker"), "expected build:docker job");
+    assert.ok(taskNames.includes("test:unit"), "expected test:unit job");
+    assert.ok(
+      taskNames.includes("test:integration"),
+      "expected test:integration job",
+    );
+    assert.ok(taskNames.includes("test:matrix"), "expected test:matrix job");
+    assert.ok(
+      taskNames.includes("deploy:staging"),
+      "expected deploy:staging job",
+    );
+    assert.ok(
+      taskNames.includes("deploy:production"),
+      "expected deploy:production job",
+    );
+
+    // Hidden jobs (starts with '.') must NOT appear
+    assert.ok(
+      !taskNames.some((n) => n.startsWith(".")),
+      "hidden jobs must not appear",
+    );
+  });
+
+  it("parses gitlab-ci-rules.yml: job-level image object extracted", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-rules.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    // build:docker uses `image: { name: gcr.io/kaniko-project/executor:debug, entrypoint: [""] }`
+    const compNames = result.components.map((c) => c.name);
+    assert.ok(
+      compNames.some((n) => n.includes("kaniko")),
+      "expected kaniko image as component from image object syntax",
+    );
+  });
+
+  it("parses gitlab-ci-rules.yml: services with alias captured", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-rules.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    const svcNames = result.services.map((s) => s.name);
+    assert.ok(
+      svcNames.some((n) => n.includes("postgres")),
+      "expected postgres:15-alpine service",
+    );
+    assert.ok(
+      svcNames.some((n) => n.includes("redis")),
+      "expected redis:7-alpine service",
+    );
+
+    // test:integration job should record services in its properties
+    const task = result.workflows[0].tasks.find(
+      (t) => t.name === "test:integration",
+    );
+    assert.ok(task, "test:integration task must exist");
+    const svcProp = task.properties.find(
+      (p) => p.name === "cdx:gitlab:job:services",
+    );
+    assert.ok(svcProp, "expected cdx:gitlab:job:services property");
+    assert.ok(
+      svcProp.value.includes("postgres"),
+      "services property must include postgres",
+    );
+  });
+
+  it("parses gitlab-ci-rules.yml: DAG needs recorded in job properties", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-rules.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    // test:unit needs build:wheel
+    const unitTask = result.workflows[0].tasks.find(
+      (t) => t.name === "test:unit",
+    );
+    assert.ok(unitTask, "test:unit task must exist");
+    const needsProp = unitTask.properties.find(
+      (p) => p.name === "cdx:gitlab:job:needs",
+    );
+    assert.ok(needsProp, "expected cdx:gitlab:job:needs property on test:unit");
+    assert.ok(
+      needsProp.value.includes("build:wheel"),
+      "needs must reference build:wheel",
+    );
+  });
+
+  it("parses gitlab-ci-rules.yml: stages property recorded on workflow", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-rules.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    const stagesProp = result.workflows[0].properties.find(
+      (p) => p.name === "cdx:gitlab:stages",
+    );
+    assert.ok(stagesProp, "expected cdx:gitlab:stages property");
+    assert.ok(stagesProp.value.includes("lint"), "stages must include lint");
+    assert.ok(
+      stagesProp.value.includes("deploy"),
+      "stages must include deploy",
+    );
+  });
+
+  it("parses gitlab-ci-minimal.yml: minimal config — no stages, single job, no image", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci-minimal.yml");
+    const result = gitlabCiParser.parse([f], {});
+
+    assert.strictEqual(result.workflows.length, 1, "expected one workflow");
+    const taskNames = result.workflows[0].tasks.map((t) => t.name);
+    assert.ok(
+      taskNames.includes("build_and_test"),
+      "expected build_and_test job",
+    );
+
+    // No global image → no container components
+    assert.strictEqual(
+      result.components.filter((c) => c.type === "container").length,
+      0,
+      "no container components expected for minimal config",
+    );
+
+    // No stages property (stages array is empty)
+    const stagesProp = result.workflows[0].properties.find(
+      (p) => p.name === "cdx:gitlab:stages",
+    );
+    assert.ok(!stagesProp, "no stages property expected for minimal config");
+  });
+
+  it("parses multiple files: two separate .gitlab-ci.yml configs produce two workflows", () => {
+    const f1 = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const f2 = path.join(repoRoot, "test", "data", "gitlab-ci-minimal.yml");
+    const result = gitlabCiParser.parse([f1, f2], {});
+    assert.strictEqual(
+      result.workflows.length,
+      2,
+      "expected two workflows for two files",
+    );
+  });
+});

package/lib/helpers/ciParsers/jenkins.js

@@ -0,0 +1,181 @@
+import { readFileSync } from "node:fs";
+
+import { v4 as uuidv4 } from "uuid";
+
+import { disambiguateSteps } from "./common.js";
+
+/**
+ * Very lightweight declarative Jenkinsfile parser using regex heuristics.
+ *
+ * Only parses the declarative pipeline syntax (`pipeline { ... }`).
+ * Full Groovy/scripted pipelines are not supported.
+ *
+ * @param {string} f Path to Jenkinsfile
+ * @param {Object} _options CLI options
+ * @returns {{ workflows: Object[], components: Object[], services: Object[], properties: Object[], dependencies: Object[] }}
+ */
+function parseJenkinsfile(f, _options) {
+  const workflows = [];
+  const components = [];
+  const dependencies = [];
+
+  let raw;
+  try {
+    raw = readFileSync(f, { encoding: "utf-8" });
+  } catch (_e) {
+    return {
+      workflows,
+      components,
+      services: [],
+      properties: [],
+      dependencies,
+    };
+  }
+
+  // Quick check: must look like a declarative pipeline
+  if (!raw.includes("pipeline") || !raw.includes("stages")) {
+    return {
+      workflows,
+      components,
+      services: [],
+      properties: [],
+      dependencies,
+    };
+  }
+
+  const workflowRef = uuidv4();
+  const tasks = [];
+  const workflowDependsOn = [];
+  const workflowProperties = [{ name: "cdx:jenkins:file", value: f }];
+
+  // Extract agent info
+  const agentMatch = raw.match(
+    /agent\s*\{[^}]*docker\s*\{[^}]*image\s+['"]([^'"]+)['"]/s,
+  );
+  if (agentMatch) {
+    const agentImage = agentMatch[1];
+    components.push({ type: "container", name: agentImage });
+    workflowProperties.push({
+      name: "cdx:jenkins:agent:image",
+      value: agentImage,
+    });
+  } else {
+    const simpleAgentMatch = raw.match(/agent\s+['"]?(\w+)['"]?/);
+    if (simpleAgentMatch) {
+      workflowProperties.push({
+        name: "cdx:jenkins:agent",
+        value: simpleAgentMatch[1],
+      });
+    }
+  }
+
+  // Extract stage blocks using a regex heuristic.
+  // NOTE: This only works reliably for declarative pipelines with simple,
+  // non-deeply-nested stage blocks. Scripted pipelines or stages with heavily
+  // nested closures may produce incomplete or incorrect results.
+  const stagePattern =
+    /stage\s*\(\s*['"]([^'"]+)['"]\s*\)\s*\{([\s\S]*?)(?=stage\s*\(|post\s*\{|$)/g;
+  let stageMatch;
+  while ((stageMatch = stagePattern.exec(raw)) !== null) {
+    const stageName = stageMatch[1];
+    const stageBody = stageMatch[2];
+    const taskRef = uuidv4();
+    const steps = [];
+    const taskProperties = [
+      { name: "cdx:jenkins:stage:name", value: stageName },
+    ];
+
+    // Detect parallel stages
+    if (stageBody.includes("parallel")) {
+      taskProperties.push({
+        name: "cdx:jenkins:stage:parallel",
+        value: "true",
+      });
+    }
+
+    // Detect when conditions
+    const whenMatch = stageBody.match(/when\s*\{([^}]+)\}/);
+    if (whenMatch) {
+      taskProperties.push({
+        name: "cdx:jenkins:stage:when",
+        value: whenMatch[1].trim(),
+      });
+    }
+
+    // Extract sh/echo/script steps
+    const shPattern = /(?:sh|bat|powershell)\s+['"]([^'"]+)['"]/g;
+    let shMatch;
+    while ((shMatch = shPattern.exec(stageBody)) !== null) {
+      steps.push({
+        name: `sh: ${shMatch[1].substring(0, 60)}`,
+        commands: [{ executed: shMatch[1] }],
+      });
+    }
+
+    tasks.push({
+      "bom-ref": taskRef,
+      uid: taskRef,
+      name: stageName,
+      taskTypes: ["build"],
+      steps: disambiguateSteps(steps),
+      properties: taskProperties,
+    });
+    workflowDependsOn.push(taskRef);
+  }
+
+  const workflow = {
+    "bom-ref": workflowRef,
+    uid: workflowRef,
+    name: "Jenkinsfile Pipeline",
+    taskTypes: ["build"],
+    tasks: tasks.length ? tasks : undefined,
+    properties: workflowProperties,
+  };
+
+  workflows.push(workflow);
+  if (workflowDependsOn.length) {
+    dependencies.push({ ref: workflowRef, dependsOn: workflowDependsOn });
+  }
+
+  return { workflows, components, services: [], properties: [], dependencies };
+}
+
+/**
+ * Jenkins formulation parser.
+ *
+ * Matches `Jenkinsfile` and `Jenkinsfile.*` at any directory depth and converts
+ * declarative pipeline syntax into CycloneDX formulation workflow objects.
+ *
+ * Parser contract: `parse(files, options)` returns
+ * `{ workflows, components, services, properties, dependencies }`.
+ */
+export const jenkinsParser = {
+  id: "jenkins",
+  patterns: ["**/Jenkinsfile", "**/Jenkinsfile.*"],
+
+  /**
+   * @param {string[]} files Matched Jenkinsfile paths
+   * @param {Object} options CLI options
+   * @returns {{ workflows: Object[], components: Object[], services: Object[], properties: Object[], dependencies: Object[] }}
+   */
+  parse(files, options) {
+    const workflows = [];
+    const components = [];
+    const dependencies = [];
+
+    for (const f of files) {
+      const result = parseJenkinsfile(f, options);
+      workflows.push(...result.workflows);
+      components.push(...result.components);
+      dependencies.push(...result.dependencies);
+    }
+
+    return {
+      workflows,
+      components,
+      services: [],
+      properties: [],
+      dependencies,
+    };
+  },
+};