@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/helpers/utils.poku.js

@@ -7,6 +7,7 @@ import { assert, describe, it, test } from "poku";
 import { parse } from "ssri";
 import { parse as loadYaml } from "yaml";
 
+import { validateRefs } from "../validator/bomValidator.js";
 import {
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
@@ -113,7 +114,6 @@ import {
   toGemModuleNames,
   yarnLockToIdentMap,
 } from "./utils.js";
-import { validateRefs } from "./validator.js";
 
 it("SSRI test", () => {
   // gopkg.lock hash
@@ -2596,12 +2596,15 @@ it("parse mix lock data", () => {
 it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
-  assert.deepStrictEqual(dep_list.length, 8);
+  assert.deepStrictEqual(dep_list.length, 13);
   assert.deepStrictEqual(dep_list[0], {
+    "bom-ref":
+      "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    type: "application",
     group: "actions",
     name: "checkout",
-    version: "6.0.2",
-    purl: "pkg:github/actions/checkout@6.0.2?commit=de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    version: "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+    purl: "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
     properties: [
       {
         name: "SrcFile",
@@ -2611,6 +2614,10 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:workflow:name",
         value: "Node CI",
       },
+      {
+        name: "cdx:github:workflow:file",
+        value: "./.github/workflows/nodejs.yml",
+      },
       {
         name: "cdx:github:job:name",
         value: "read-node-versions",
@@ -2631,277 +2638,40 @@ it("parse github actions workflow data", () => {
         name: "cdx:github:action:isShaPinned",
         value: "true",
       },
-      {
-        name: "cdx:github:workflow:concurrencyGroup",
-        value:
-          "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}",
-      },
       {
         name: "cdx:actions:isOfficial",
         value: "true",
       },
+      {
+        name: "cdx:github:checkout:persistCredentials",
+        value: "false",
+      },
       {
         name: "cdx:github:workflow:triggers",
         value: "pull_request,push,workflow_dispatch",
       },
     ],
+    scope: "required",
     evidence: {
-      identity: {
-        field: "purl",
-        confidence: 0.7,
-        methods: [
-          {
-            technique: "source-code-analysis",
-            confidence: 0.7,
-            value: "./.github/workflows/nodejs.yml",
-          },
-        ],
-      },
-    },
-  });
-  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
-  assert.deepStrictEqual(dep_list.length, 4);
-  assert.deepStrictEqual(dep_list, [
-    {
-      group: "pixel",
-      name: "steamcmd",
-      version: "1.2.7",
-      purl: "pkg:github/pixel/steamcmd@1.2.7?commit=foo",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "pixel/steamcmd@foo",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 1",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch",
-      version: "8.2.0",
-      purl: "pkg:github/tj/branch@8.2.0?commit=47dd",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value: "tj/branch@47dd",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 2",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
-    },
-    {
-      group: "tj",
-      name: "branch2",
-      version: "08",
-      purl: "pkg:github/tj/branch2@08?tag=v0.0.18",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
+      identity: [
         {
-          name: "cdx:github:action:uses",
-          value: "tj/branch2@v0.0.18",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "tag",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "false",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Test action 3",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
-      ],
-      evidence: {
-        identity: {
           field: "purl",
-          confidence: 0.7,
+          confidence: 0.5,
           methods: [
             {
               technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
+              confidence: 0.5,
+              value: "./.github/workflows/nodejs.yml",
             },
           ],
         },
-      },
-    },
-    {
-      group: "github/codeql-action",
-      name: "upload-sarif",
-      version: "3.30.3",
-      purl: "pkg:github/github/codeql-action/upload-sarif@3.30.3?commit=192325c86100d080feab897ff886c34abd4c83a3",
-      properties: [
-        {
-          name: "SrcFile",
-          value: "./test/data/github-actions-tj.yaml",
-        },
-        {
-          name: "cdx:github:workflow:name",
-          value: "Testing",
-        },
-        {
-          name: "cdx:github:job:name",
-          value: "vulnerable-actions",
-        },
-        {
-          name: "cdx:github:job:runner",
-          value: "ubuntu-latest",
-        },
-        {
-          name: "cdx:github:action:uses",
-          value:
-            "github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3",
-        },
-        {
-          name: "cdx:github:action:versionPinningType",
-          value: "sha",
-        },
-        {
-          name: "cdx:github:action:isShaPinned",
-          value: "true",
-        },
-        {
-          name: "cdx:github:step:name",
-          value: "Upload to code-scanning",
-        },
-        {
-          name: "cdx:actions:isOfficial",
-          value: "true",
-        },
-        {
-          name: "cdx:actions:isVerified",
-          value: "true",
-        },
-        {
-          name: "cdx:github:workflow:triggers",
-          value: "push,pull_request_target",
-        },
       ],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.7,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.7,
-              value: "./test/data/github-actions-tj.yaml",
-            },
-          ],
-        },
-      },
     },
-  ]);
+  });
+  dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
+  assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 17);
+  assert.deepStrictEqual(dep_list.length, 91);
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
@@ -3805,6 +3575,23 @@ it("get licenses", () => {
     },
   ]);
 
+  licenses = getLicenses({
+    license: [
+      {
+        type: "MIT",
+        url: "https://github.com/harvesthq/chosen/blob/master/LICENSE.md",
+      },
+    ],
+  });
+  assert.deepStrictEqual(licenses, [
+    {
+      license: {
+        id: "MIT",
+        url: "https://github.com/harvesthq/chosen/blob/master/LICENSE.md",
+      },
+    },
+  ]);
+
   licenses = getLicenses({
     license: "GPL-2.0+",
   });
@@ -3907,6 +3694,30 @@ it("parsePkgLock v2", async () => {
       ],
     },
   });
+  const devOnlyPkg = deps.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@types/shelljs@0.8.11",
+  );
+  assert.ok(devOnlyPkg);
+  assert.deepStrictEqual(devOnlyPkg.scope, "optional");
+  assert.ok(
+    devOnlyPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
+  const devOptionalPkg = deps.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@esbuild/android-arm@0.15.12",
+  );
+  assert.ok(devOptionalPkg);
+  assert.deepStrictEqual(devOptionalPkg.scope, "optional");
+  assert.ok(
+    devOptionalPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
   assert.deepStrictEqual(parsedList.dependenciesList.length, 134);
 });
 
@@ -4095,10 +3906,8 @@ it("parsePnpmLock", async () => {
     type: "library",
     version: "7.16.7",
     properties: [
-      {
-        name: "SrcFile",
-        value: "./test/data/pnpm-lock.yaml",
-      },
+      { name: "SrcFile", value: "./test/data/pnpm-lock.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
     ],
     evidence: {
       identity: {
@@ -4200,7 +4009,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -4225,7 +4037,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-cwiTb08Xuv5fqF4AovYacTFNxk62th7LKJ6BL9IGUpTJrWoU7/7WdQGTP2SjKf1dUNBGzDd28p/Yfs/GI6JrLw==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -4253,7 +4068,10 @@ it("parsePnpmLock", async () => {
     type: "library",
     _integrity:
       "sha512-TDCmlK5eOvH+eH7cdAFlNXeVJqWIQ7gW9tY1GJIpUtFb6CmjVyq2VM3u71bOyR8CRihcCgMUYoDNyLXao3+70Q==",
-    properties: [{ name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" }],
+    properties: [
+      { name: "SrcFile", value: "./test/data/pnpm-lock6a.yaml" },
+      { name: "cdx:npm:package:development", value: "true" },
+    ],
     evidence: {
       identity: {
         field: "purl",
@@ -4268,6 +4086,18 @@ it("parsePnpmLock", async () => {
       },
     },
   });
+  const pnpmDevOptionalPkg = parsedList.pkgList.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/@cyclonedx/cdxgen-plugins-bin@1.0.5",
+  );
+  assert.ok(pnpmDevOptionalPkg);
+  assert.deepStrictEqual(pnpmDevOptionalPkg.scope, "optional");
+  assert.ok(
+    pnpmDevOptionalPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
   // Test case to see if parsePnpmLock is finding all root deps
   const dummpyParent = {
     name: "rush",
@@ -4309,7 +4139,15 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 1007);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 1006);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     0,
   );
   parsedList = await parsePnpmLock("./test/data/pnpm-lock9b.yaml", {
@@ -4319,7 +4157,15 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 1366);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 1353);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     12,
   );
   parsedList = await parsePnpmLock("./test/data/pnpm-lock9c.yaml", {
@@ -4329,9 +4175,40 @@ it("parsePnpmLock", async () => {
   assert.deepStrictEqual(parsedList.pkgList.length, 461);
   assert.deepStrictEqual(parsedList.dependenciesList.length, 462);
   assert.deepStrictEqual(
-    parsedList.pkgList.filter((pkg) => !pkg.scope).length,
+    parsedList.pkgList.filter(
+      (pkg) =>
+        !pkg.scope &&
+        !pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
     3,
   );
+  parsedList = await parsePnpmLock(
+    "./test/data/pnpm-lock-dev-propagation.yaml",
+  );
+  assert.deepStrictEqual(parsedList.pkgList.length, 4);
+  assert.deepStrictEqual(parsedList.dependenciesList.length, 4);
+  assert.deepStrictEqual(
+    parsedList.pkgList.filter(
+      (pkg) =>
+        pkg.scope === "optional" &&
+        pkg.properties?.some(
+          (property) =>
+            property.name === "cdx:npm:package:development" &&
+            property.value === "true",
+        ),
+    ).length,
+    4,
+  );
+  assert.ok(
+    parsedList.pkgList.find((pkg) => pkg["bom-ref"] === "pkg:npm/gamma@1.0.0"),
+  );
+  assert.ok(
+    parsedList.pkgList.find((pkg) => pkg["bom-ref"] === "pkg:npm/delta@1.0.0"),
+  );
   parsedList = await parsePnpmLock(
     "./test/data/pnpm_locks/bytemd-pnpm-lock.yaml",
   );
@@ -4472,7 +4349,10 @@ it("pnpmMetadata with scoped packages", async () => {
 it("pnpmMetadata integration with parsePnpmLock", async () => {
   // Test that the integration works by parsing a real pnpm lock file
   const parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-
+  const externalRefDistPackages = parsedList.pkgList.filter((pkg) =>
+    pkg.externalReferences?.some((p) => p.type === "distribution"),
+  );
+  assert.ok(externalRefDistPackages.length > 0);
   // Check that some packages have been enhanced with LocalNodeModulesPath
   const enhancedPackages = parsedList.pkgList.filter((pkg) =>
     pkg.properties?.some((p) => p.name === "LocalNodeModulesPath"),
@@ -5694,6 +5574,33 @@ it("parseComposerLock", () => {
     ref: "pkg:composer/doctrine/annotations@v1.2.1",
     dependsOn: ["pkg:composer/doctrine/lexer@v1.0"],
   });
+
+  // Platform requirements (php, ext-*) must not appear in rootList
+  const platformRootRequires = {
+    php: "^7.1.3|^8",
+    "ext-SimpleXML": "*",
+    "ext-dom": "*",
+    "amphp/amp": "^2.1",
+    "amphp/byte-stream": "^1.5",
+  };
+  retMap = parseComposerLock(
+    "./test/data/composer-2.lock",
+    platformRootRequires,
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name === "php"),
+    "php must not be in rootList",
+  );
+  assert.ok(
+    !retMap.rootList.some((p) => p.name?.startsWith("ext-")),
+    "ext-* must not be in rootList",
+  );
+  // Regular packages that are in rootRequires should still be in rootList
+  // Note: apkg.name is basename(pkg.name), so "amphp/amp" → name "amp"
+  assert.ok(
+    retMap.rootList.some((p) => p.name === "amp"),
+    "amphp/amp should be in rootList",
+  );
 });
 
 it("parseComposerJson", () => {