@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/helpers/ciParsers/jenkins.poku.js

@@ -0,0 +1,197 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { assert, describe, it } from "poku";
+
+import { jenkinsParser } from "./jenkins.js";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(__dirname, "../../..");
+
+describe("jenkinsParser", () => {
+  it("has correct metadata", () => {
+    assert.strictEqual(jenkinsParser.id, "jenkins");
+    assert.ok(Array.isArray(jenkinsParser.patterns));
+    assert.ok(jenkinsParser.patterns.length > 0);
+    assert.strictEqual(typeof jenkinsParser.parse, "function");
+  });
+
+  it("returns empty arrays for no files", () => {
+    const result = jenkinsParser.parse([], {});
+    assert.deepStrictEqual(result.workflows, []);
+    assert.deepStrictEqual(result.components, []);
+    assert.deepStrictEqual(result.services, []);
+    assert.deepStrictEqual(result.properties, []);
+    assert.deepStrictEqual(result.dependencies, []);
+  });
+
+  it("parses the Jenkinsfile fixture", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile");
+    const result = jenkinsParser.parse([f], {});
+
+    assert.ok(Array.isArray(result.workflows));
+    assert.strictEqual(result.workflows.length, 1, "expected one workflow");
+
+    const wf = result.workflows[0];
+    assert.ok(wf["bom-ref"]);
+    assert.strictEqual(wf.name, "Jenkinsfile Pipeline");
+    assert.ok(Array.isArray(wf.tasks));
+    assert.ok(wf.tasks.length > 0, "expected at least one task (stage)");
+
+    const stageNames = wf.tasks.map((t) => t.name);
+    assert.ok(stageNames.includes("Install"), "expected Install stage");
+    assert.ok(stageNames.includes("Build"), "expected Build stage");
+    assert.ok(stageNames.includes("Test"), "expected Test stage");
+  });
+
+  it("captures docker agent image as a component", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile");
+    const result = jenkinsParser.parse([f], {});
+    const compNames = result.components.map((c) => c.name);
+    assert.ok(
+      compNames.some((n) => n.includes("node")),
+      "expected node docker image component",
+    );
+  });
+
+  it("produces workflow dependency links", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile");
+    const result = jenkinsParser.parse([f], {});
+
+    assert.ok(result.dependencies.length > 0);
+    const wfDep = result.dependencies.find(
+      (d) => d.ref === result.workflows[0]["bom-ref"],
+    );
+    assert.ok(wfDep);
+    assert.ok(wfDep.dependsOn.length > 0);
+  });
+
+  it("gracefully handles non-declarative content", () => {
+    const f = path.join(repoRoot, "test", "data", "gitlab-ci.yml");
+    const result = jenkinsParser.parse([f], {});
+    // .gitlab-ci.yml is not a Jenkinsfile → empty result
+    assert.deepStrictEqual(result.workflows, []);
+  });
+
+  it("gracefully handles missing file", () => {
+    const result = jenkinsParser.parse(["/no/such/Jenkinsfile"], {});
+    assert.deepStrictEqual(result.workflows, []);
+  });
+
+  it("parses Jenkinsfile.agentany: agent any with no Docker image", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.agentany");
+    const result = jenkinsParser.parse([f], {});
+
+    assert.strictEqual(result.workflows.length, 1);
+    // agent any → no container component
+    assert.strictEqual(
+      result.components.length,
+      0,
+      "no Docker component expected for agent any",
+    );
+
+    // agent property should record 'any'
+    const agentProp = result.workflows[0].properties.find(
+      (p) => p.name === "cdx:jenkins:agent",
+    );
+    assert.ok(agentProp, "expected cdx:jenkins:agent property");
+    assert.strictEqual(agentProp.value, "any", "agent value should be 'any'");
+  });
+
+  it("parses Jenkinsfile.agentany: all expected stages present", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.agentany");
+    const result = jenkinsParser.parse([f], {});
+
+    const stageNames = result.workflows[0].tasks.map((t) => t.name);
+    assert.ok(stageNames.includes("Checkout"), "expected Checkout stage");
+    assert.ok(stageNames.includes("Compile"), "expected Compile stage");
+    assert.ok(stageNames.includes("Unit Tests"), "expected Unit Tests stage");
+    assert.ok(
+      stageNames.includes("Integration Tests"),
+      "expected Integration Tests stage",
+    );
+    assert.ok(stageNames.includes("Package"), "expected Package stage");
+    assert.ok(stageNames.includes("Deploy"), "expected Deploy stage");
+  });
+
+  it("parses Jenkinsfile.agentany: `when` condition captured", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.agentany");
+    const result = jenkinsParser.parse([f], {});
+
+    const integTask = result.workflows[0].tasks.find(
+      (t) => t.name === "Integration Tests",
+    );
+    assert.ok(integTask, "Integration Tests task must exist");
+    const whenProp = integTask.properties.find(
+      (p) => p.name === "cdx:jenkins:stage:when",
+    );
+    assert.ok(whenProp, "expected cdx:jenkins:stage:when property");
+    assert.ok(
+      whenProp.value.includes("RUN_INTEGRATION_TESTS"),
+      "when must include param check",
+    );
+  });
+
+  it("parses Jenkinsfile.agentany: parallel stage detected", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.agentany");
+    const result = jenkinsParser.parse([f], {});
+
+    const parallelTask = result.workflows[0].tasks.find(
+      (t) => t.name === "Code Analysis",
+    );
+    assert.ok(parallelTask, "Code Analysis task must exist");
+    const parallelProp = parallelTask.properties.find(
+      (p) => p.name === "cdx:jenkins:stage:parallel",
+    );
+    assert.ok(parallelProp, "expected cdx:jenkins:stage:parallel property");
+    assert.strictEqual(parallelProp.value, "true");
+  });
+
+  it("parses Jenkinsfile.multiplatform: per-stage Docker agents extracted", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.multiplatform");
+    const result = jenkinsParser.parse([f], {});
+
+    assert.strictEqual(result.workflows.length, 1);
+    const stageNames = result.workflows[0].tasks.map((t) => t.name);
+    assert.ok(stageNames.includes("Build Linux"), "expected Build Linux stage");
+    assert.ok(
+      stageNames.includes("Build Windows"),
+      "expected Build Windows stage",
+    );
+    assert.ok(stageNames.includes("Build macOS"), "expected Build macOS stage");
+    assert.ok(stageNames.includes("Package"), "expected Package stage");
+    assert.ok(stageNames.includes("Release"), "expected Release stage");
+
+    // Build Linux uses golang:1.22-bookworm docker image
+    const compNames = result.components.map((c) => c.name);
+    assert.ok(
+      compNames.some((n) => n.includes("golang")),
+      "expected golang Docker image component from Build Linux stage",
+    );
+  });
+
+  it("parses Jenkinsfile.multiplatform: bat step in Windows stage captured", () => {
+    const f = path.join(repoRoot, "test", "data", "Jenkinsfile.multiplatform");
+    const result = jenkinsParser.parse([f], {});
+
+    const winTask = result.workflows[0].tasks.find(
+      (t) => t.name === "Build Windows",
+    );
+    assert.ok(winTask, "Build Windows task must exist");
+
+    // bat steps should be captured as steps
+    if (winTask.steps && winTask.steps.length > 0) {
+      const batStep = winTask.steps.find((s) =>
+        s.commands?.[0]?.executed?.includes("go"),
+      );
+      assert.ok(batStep, "expected a step with go command from bat");
+    }
+  });
+
+  it("parses multiple Jenkinsfiles: two files produce two workflows", () => {
+    const f1 = path.join(repoRoot, "test", "data", "Jenkinsfile");
+    const f2 = path.join(repoRoot, "test", "data", "Jenkinsfile.agentany");
+    const result = jenkinsParser.parse([f1, f2], {});
+    assert.strictEqual(result.workflows.length, 2, "expected two workflows");
+  });
+});

package/lib/helpers/depsUtils.js

@@ -0,0 +1,219 @@
+import { DEBUG_MODE } from "./utils.js";
+
+/**
+ * Merges two CycloneDX dependency arrays into a single deduplicated list.
+ * For each unique ref, the dependsOn and provides sets from both arrays are
+ * combined. Self-referential entries pointing to the parent component are
+ * removed from all dependsOn and provides lists.
+ *
+ * @param {Object[]} dependencies First array of dependency objects
+ * @param {Object[]} newDependencies Second array of dependency objects to merge
+ * @param {Object} parentComponent Parent component whose bom-ref is used to filter self-references
+ * @returns {Object[]} Merged and deduplicated array of dependency objects
+ */
+export function mergeDependencies(
+  dependencies,
+  newDependencies,
+  parentComponent = {},
+) {
+  if (!parentComponent && DEBUG_MODE) {
+    console.log(
+      "Unable to determine parent component. Dependencies will be flattened.",
+    );
+  }
+  let providesFound = false;
+  const deps_map = {};
+  const provides_map = {};
+  const parentRef = parentComponent?.["bom-ref"]
+    ? parentComponent["bom-ref"]
+    : undefined;
+  const combinedDeps = dependencies.concat(newDependencies || []);
+  for (const adep of combinedDeps) {
+    if (!deps_map[adep.ref]) {
+      deps_map[adep.ref] = new Set();
+    }
+    if (!provides_map[adep.ref]) {
+      provides_map[adep.ref] = new Set();
+    }
+    if (adep["dependsOn"]) {
+      for (const eachDepends of adep["dependsOn"]) {
+        if (!eachDepends) {
+          continue;
+        }
+        if (parentRef) {
+          if (eachDepends.toLowerCase() !== parentRef.toLowerCase()) {
+            deps_map[adep.ref].add(eachDepends);
+          }
+        } else {
+          deps_map[adep.ref].add(eachDepends);
+        }
+      }
+    }
+    if (adep["provides"]) {
+      providesFound = true;
+      for (const eachProvides of adep["provides"]) {
+        // Add the entry unless it is the parent itself:
+        // when there is no parentRef every entry is kept (!parentRef is true),
+        // when parentRef exists only entries that differ from it are kept.
+        if (
+          !parentRef ||
+          eachProvides?.toLowerCase() !== parentRef?.toLowerCase()
+        ) {
+          provides_map[adep.ref].add(eachProvides);
+        }
+      }
+    }
+  }
+  const retlist = [];
+  for (const akey of Object.keys(deps_map)) {
+    if (providesFound) {
+      retlist.push({
+        ref: akey,
+        dependsOn: Array.from(deps_map[akey]).sort(),
+        provides: Array.from(provides_map[akey]).sort(),
+      });
+    } else {
+      retlist.push({
+        ref: akey,
+        dependsOn: Array.from(deps_map[akey]).sort(),
+      });
+    }
+  }
+  return retlist;
+}
+
+/**
+ * Trim duplicate components by retaining all the properties
+ *
+ * @param {Array} components Components
+ *
+ * @returns {Array} Filtered components
+ */
+export function trimComponents(components) {
+  const keyCache = {};
+  const filteredComponents = [];
+  for (const comp of components) {
+    const key = (
+      comp.purl ||
+      comp["bom-ref"] ||
+      comp.name + comp.version
+    ).toLowerCase();
+    if (!keyCache[key]) {
+      keyCache[key] = comp;
+    } else {
+      const existingComponent = keyCache[key];
+      // We need to retain any properties that differ
+      if (comp.properties) {
+        if (existingComponent.properties) {
+          for (const newprop of comp.properties) {
+            if (
+              !existingComponent.properties.find(
+                (prop) =>
+                  prop.name === newprop.name && prop.value === newprop.value,
+              )
+            ) {
+              existingComponent.properties.push(newprop);
+            }
+          }
+        } else {
+          existingComponent.properties = comp.properties;
+        }
+      }
+      if (comp.hashes) {
+        if (existingComponent.hashes) {
+          for (const newhash of comp.hashes) {
+            if (
+              !existingComponent.hashes.find(
+                (hash) =>
+                  hash.alg === newhash.alg && hash.content === newhash.content,
+              )
+            ) {
+              existingComponent.hashes.push(newhash);
+            }
+          }
+        } else {
+          existingComponent.hashes = comp.hashes;
+        }
+      }
+      // Retain all component.evidence.identity
+      if (comp?.evidence?.identity) {
+        if (!existingComponent.evidence) {
+          existingComponent.evidence = { identity: [] };
+        } else if (!existingComponent?.evidence?.identity) {
+          existingComponent.evidence.identity = [];
+        } else if (
+          existingComponent?.evidence?.identity &&
+          !Array.isArray(existingComponent.evidence.identity)
+        ) {
+          existingComponent.evidence.identity = [
+            existingComponent.evidence.identity,
+          ];
+        }
+        // comp.evidence.identity can be an array or object
+        // Merge the evidence.identity based on methods or objects
+        const isIdentityArray = Array.isArray(comp.evidence.identity);
+        const identities = isIdentityArray
+          ? comp.evidence.identity
+          : [comp.evidence.identity];
+        for (const aident of identities) {
+          let methodBasedMerge = false;
+          if (aident?.methods?.length) {
+            for (const amethod of aident.methods) {
+              for (const existIdent of existingComponent.evidence.identity) {
+                if (existIdent.field === aident.field) {
+                  if (!existIdent.methods) {
+                    existIdent.methods = [];
+                  }
+                  let isDup = false;
+                  for (const emethod of existIdent.methods) {
+                    if (emethod?.value === amethod?.value) {
+                      isDup = true;
+                      break;
+                    }
+                  }
+                  if (!isDup) {
+                    existIdent.methods.push(amethod);
+                  }
+                  methodBasedMerge = true;
+                }
+              }
+            }
+          }
+          if (!methodBasedMerge && aident.field && aident.confidence) {
+            existingComponent.evidence.identity.push(aident);
+          }
+        }
+        if (!isIdentityArray) {
+          const firstIdentity = existingComponent.evidence.identity[0];
+          let identConfidence = firstIdentity?.confidence;
+          // We need to set the confidence to the max of all confidences
+          if (firstIdentity?.methods?.length > 1) {
+            for (const aidentMethod of firstIdentity.methods) {
+              if (
+                aidentMethod?.confidence &&
+                aidentMethod.confidence > identConfidence
+              ) {
+                identConfidence = aidentMethod.confidence;
+              }
+            }
+          }
+          firstIdentity.confidence = identConfidence;
+          existingComponent.evidence = {
+            identity: firstIdentity,
+          };
+        }
+      }
+      // If the component is required in any of the child projects, then make it required
+      if (
+        existingComponent?.scope !== "required" &&
+        comp?.scope === "required"
+      ) {
+        existingComponent.scope = "required";
+      }
+    }
+  }
+  for (const akey of Object.keys(keyCache)) {
+    filteredComponents.push(keyCache[akey]);
+  }
+  return filteredComponents;
+}

package/lib/helpers/depsUtils.poku.js

@@ -0,0 +1,207 @@
+import { assert, describe, it } from "poku";
+
+import { mergeDependencies, trimComponents } from "./depsUtils.js";
+
+describe("mergeDependencies()", () => {
+  it("merges two non-overlapping dependency arrays", () => {
+    const a = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1"] }];
+    const b = [{ ref: "pkg:npm/c@1", dependsOn: ["pkg:npm/d@1"] }];
+    const result = mergeDependencies(a, b);
+    assert.strictEqual(result.length, 2);
+    const aEntry = result.find((d) => d.ref === "pkg:npm/a@1");
+    assert.ok(aEntry);
+    assert.deepStrictEqual(aEntry.dependsOn, ["pkg:npm/b@1"]);
+  });
+
+  it("merges dependsOn sets for the same ref", () => {
+    const a = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1"] }];
+    const b = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/c@1"] }];
+    const result = mergeDependencies(a, b);
+    assert.strictEqual(result.length, 1);
+    const entry = result[0];
+    assert.ok(entry.dependsOn.includes("pkg:npm/b@1"));
+    assert.ok(entry.dependsOn.includes("pkg:npm/c@1"));
+  });
+
+  it("deduplicates identical dependsOn entries", () => {
+    const a = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1"] }];
+    const b = [
+      { ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1", "pkg:npm/c@1"] },
+    ];
+    const result = mergeDependencies(a, b);
+    assert.strictEqual(result.length, 1);
+    assert.strictEqual(
+      result[0].dependsOn.filter((x) => x === "pkg:npm/b@1").length,
+      1,
+    );
+  });
+
+  it("handles undefined newDependencies gracefully", () => {
+    const a = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1"] }];
+    const result = mergeDependencies(a, undefined);
+    assert.strictEqual(result.length, 1);
+    assert.strictEqual(result[0].ref, "pkg:npm/a@1");
+  });
+
+  it("handles empty arrays", () => {
+    assert.deepStrictEqual(mergeDependencies([], []), []);
+    assert.deepStrictEqual(mergeDependencies([], undefined), []);
+  });
+
+  it("merges a single dependency object (non-array)", () => {
+    const a = [{ ref: "pkg:npm/a@1", dependsOn: ["pkg:npm/b@1"] }];
+    const single = { ref: "pkg:npm/c@1", dependsOn: ["pkg:npm/d@1"] };
+    const result = mergeDependencies(a, single);
+    assert.strictEqual(result.length, 2);
+  });
+
+  it("handles the provides field for OmniBOR / ADG links", () => {
+    const a = [
+      {
+        ref: "gitoid:commit:sha1:abc",
+        dependsOn: [],
+        provides: ["gitoid:commit:sha1:def"],
+      },
+    ];
+    const b = [
+      {
+        ref: "gitoid:commit:sha1:def",
+        provides: ["gitoid:blob:sha1:001", "gitoid:blob:sha1:002"],
+      },
+    ];
+    const result = mergeDependencies(a, b);
+    assert.ok(
+      result.every((d) => Array.isArray(d.provides)),
+      "all entries should have provides",
+    );
+    const defEntry = result.find((d) => d.ref === "gitoid:commit:sha1:def");
+    assert.ok(defEntry);
+    assert.ok(defEntry.provides.includes("gitoid:blob:sha1:001"));
+    assert.ok(defEntry.provides.includes("gitoid:blob:sha1:002"));
+  });
+
+  it("excludes parent component from dependsOn", () => {
+    const parentComponent = { "bom-ref": "pkg:npm/myapp@1.0.0" };
+    const a = [
+      {
+        ref: "pkg:npm/a@1",
+        dependsOn: ["pkg:npm/myapp@1.0.0", "pkg:npm/b@1"],
+      },
+    ];
+    const result = mergeDependencies(a, [], parentComponent);
+    const entry = result.find((d) => d.ref === "pkg:npm/a@1");
+    assert.ok(
+      !entry.dependsOn.includes("pkg:npm/myapp@1.0.0"),
+      "parent should be excluded",
+    );
+    assert.ok(entry.dependsOn.includes("pkg:npm/b@1"));
+  });
+
+  it("merges parser-returned dependencies into BOM dependencies", () => {
+    const bomDeps = [{ ref: "pkg:npm/app@1", dependsOn: ["pkg:npm/lib@2"] }];
+    const parserDeps = [
+      {
+        ref: "workflow-bom-ref-1",
+        dependsOn: ["task-bom-ref-1", "task-bom-ref-2"],
+      },
+      { ref: "task-bom-ref-1", dependsOn: ["pkg:github/actions/checkout@v4"] },
+    ];
+    const result = mergeDependencies(bomDeps, parserDeps);
+    assert.strictEqual(result.length, 3);
+    const wfEntry = result.find((d) => d.ref === "workflow-bom-ref-1");
+    assert.ok(wfEntry);
+    assert.ok(wfEntry.dependsOn.includes("task-bom-ref-1"));
+    assert.ok(wfEntry.dependsOn.includes("task-bom-ref-2"));
+  });
+
+  it("filters out null and undefined entries from dependsOn", () => {
+    const deps = [
+      {
+        ref: "pkg:composer/foo/bar",
+        dependsOn: [null, undefined, "pkg:composer/vendor/lib@1.0"],
+      },
+    ];
+    const result = mergeDependencies(deps, []);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].dependsOn, [
+      "pkg:composer/vendor/lib@1.0",
+    ]);
+    assert.ok(!result[0].dependsOn.includes(null), "null must be filtered");
+    assert.ok(
+      !result[0].dependsOn.includes(undefined),
+      "undefined must be filtered",
+    );
+  });
+
+  it("filters out null and undefined from dependsOn even with a parentComponent", () => {
+    const parent = { "bom-ref": "pkg:composer/foo/bar" };
+    const deps = [
+      {
+        ref: "pkg:composer/foo/bar",
+        dependsOn: [null, "pkg:composer/vendor/lib@1.0"],
+      },
+    ];
+    const result = mergeDependencies(deps, [], parent);
+    const entry = result.find((d) => d.ref === "pkg:composer/foo/bar");
+    assert.ok(entry);
+    assert.deepStrictEqual(entry.dependsOn, ["pkg:composer/vendor/lib@1.0"]);
+    assert.ok(!entry.dependsOn.includes(null), "null must be filtered");
+  });
+});
+
+describe("trimComponents()", () => {
+  it("retains hashes from duplicate components", () => {
+    const components = [
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "library",
+        properties: [{ name: "SrcFile", value: "Scripts/jquery.min.js" }],
+      },
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "framework",
+        hashes: [{ alg: "SHA-512", content: "abc123" }],
+        properties: [{ name: "SrcFile", value: "package-lock.json" }],
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].hashes, [
+      { alg: "SHA-512", content: "abc123" },
+    ]);
+  });
+
+  it("merges and deduplicates hashes from duplicate components", () => {
+    const components = [
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "library",
+        hashes: [{ alg: "SHA-512", content: "abc123" }],
+        properties: [{ name: "SrcFile", value: "Scripts/jquery.min.js" }],
+      },
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "framework",
+        hashes: [
+          { alg: "SHA-512", content: "abc123" },
+          { alg: "SHA-256", content: "def456" },
+        ],
+        properties: [{ name: "SrcFile", value: "package-lock.json" }],
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].hashes, [
+      { alg: "SHA-512", content: "abc123" },
+      { alg: "SHA-256", content: "def456" },
+    ]);
+  });
+});