@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/bin/evinse.js

@@ -17,8 +17,7 @@ import {
   printReachables,
   printServices,
 } from "../lib/helpers/display.js";
-import { ATOM_DB } from "../lib/helpers/utils.js";
-import { validateBom } from "../lib/helpers/validator.js";
+import { validateBom } from "../lib/validator/bomValidator.js";
 
 const args = yargs(hideBin(process.argv))
   .env("EVINSE")
@@ -56,8 +55,9 @@ const args = yargs(hideBin(process.argv))
     ],
   })
   .option("db-path", {
-    description: `Atom slices DB path. Default ${ATOM_DB}`,
-    default: process.env.ATOM_DB || ATOM_DB,
+    description: "Atom slices DB path. Unused",
+    default: undefined,
+    hidden: true,
   })
   .option("force", {
     description: "Force creation of the database",

package/bin/repl.js

@@ -22,8 +22,8 @@ import {
 } from "../lib/helpers/display.js";
 import { readBinary } from "../lib/helpers/protobom.js";
 import { getTmpDir } from "../lib/helpers/utils.js";
-import { validateBom } from "../lib/helpers/validator.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
+import { validateBom } from "../lib/validator/bomValidator.js";
 
 const options = {
   useColors: true,

package/bin/sign.js

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import process from "node:process";
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+import { signBom } from "../lib/helpers/bomSigner.js";
+import { retrieveCdxgenVersion, safeExistsSync } from "../lib/helpers/utils.js";
+
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
+  .option("input", {
+    alias: "i",
+    default: "bom.json",
+    description: "Input SBOM json to sign.",
+  })
+  .option("output", {
+    alias: "o",
+    description: "Output signed SBOM json. Defaults to overwriting input.",
+  })
+  .option("private-key", {
+    alias: "k",
+    demandOption: true,
+    description: "Private key in PEM format.",
+  })
+  .option("algorithm", {
+    alias: "a",
+    default: "RS512",
+    description: "JSF Signature Algorithm (e.g., RS512, ES256, Ed25519).",
+  })
+  .option("mode", {
+    alias: "m",
+    default: "replace",
+    choices: ["replace", "signers", "chain"],
+    description:
+      "Signature mode. Use 'signers' for multi-signing, 'chain' for sequential chaining.",
+  })
+  .option("key-id", {
+    description:
+      "Optional identifier for the key (keyId) to embed in the signature block.",
+  })
+  .option("sign-components", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular components. Disable (--no-sign-components) when appending multi-signatures.",
+  })
+  .option("sign-services", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular services. Disable (--no-sign-services) when appending multi-signatures.",
+  })
+  .option("sign-annotations", {
+    type: "boolean",
+    default: true,
+    description:
+      "Sign granular annotations. Disable (--no-sign-annotations) when appending multi-signatures.",
+  })
+  .scriptName("cdx-sign")
+  .version(retrieveCdxgenVersion())
+  .help()
+  .wrap(Math.min(120, yargs().terminalWidth())).argv;
+
+if (!safeExistsSync(args.input)) {
+  console.error(`Input file '${args.input}' not found.`);
+  process.exit(1);
+}
+
+if (!safeExistsSync(args.privateKey)) {
+  console.error(`Private key file '${args.privateKey}' not found.`);
+  process.exit(1);
+}
+
+try {
+  const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
+  const privateKey = fs.readFileSync(args.privateKey, "utf8");
+
+  const signedBom = signBom(bomJson, {
+    privateKey,
+    algorithm: args.algorithm,
+    keyId: args.keyId,
+    mode: args.mode,
+    signComponents: args.signComponents,
+    signServices: args.signServices,
+    signAnnotations: args.signAnnotations,
+  });
+
+  const outputPath = args.output || args.input;
+  fs.writeFileSync(outputPath, JSON.stringify(signedBom, null, null));
+
+  console.log(`Successfully signed BOM and saved to '${outputPath}'`);
+  console.log(
+    `Mode: ${args.mode} | Algorithm: ${args.algorithm}${args.keyId ? ` | KeyId: ${args.keyId}` : ""}`,
+  );
+} catch (error) {
+  console.error("SBOM signing failed:", error.message);
+  process.exit(1);
+}

package/bin/validate.js

@@ -0,0 +1,233 @@
+#!/usr/bin/env node
+
+/**
+ * cdx-validate CLI — structural, deep, and compliance validation for
+ * CycloneDX SBOMs.
+ *
+ * Exit codes:
+ *   0 — all checks pass (or no findings >= --fail-severity).
+ *   1 — configuration error (bad input, missing file, unknown reporter).
+ *   2 — schema validation failed (in --strict mode).
+ *   3 — compliance findings at or above --fail-severity.
+ *   4 — signature verification was requested and failed.
+ */
+
+import fs from "node:fs";
+import { dirname, join } from "node:path";
+import process from "node:process";
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+import {
+  dirNameStr,
+  retrieveCdxgenVersion,
+  safeExistsSync,
+  safeMkdirSync,
+} from "../lib/helpers/utils.js";
+import { getBomWithOras } from "../lib/managers/oci.js";
+import { shouldFail, validateBomAdvanced } from "../lib/validator/index.js";
+import { render as renderReport } from "../lib/validator/reporters/index.js";
+
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
+  .option("input", {
+    alias: "i",
+    default: "bom.json",
+    description: "Input SBOM JSON file or OCI reference.",
+  })
+  .option("platform", {
+    description:
+      "Platform to use when resolving an OCI reference (passed to oras).",
+  })
+  .option("report", {
+    alias: "r",
+    default: "console",
+    choices: ["console", "json", "sarif", "annotations"],
+    description: "Output format.",
+  })
+  .option("report-file", {
+    alias: "o",
+    description:
+      "Write the report to this file. Defaults to stdout. Required for the 'annotations' reporter when you want to save the annotated BOM.",
+  })
+  .option("schema", {
+    type: "boolean",
+    default: true,
+    description:
+      "Run the CycloneDX JSON-schema validation. Pass --no-schema to skip.",
+  })
+  .option("deep", {
+    type: "boolean",
+    default: true,
+    description:
+      "Run the deep purl/ref/metadata checks from lib/helpers/bomValidator.js. Pass --no-deep to skip.",
+  })
+  .option("benchmark", {
+    alias: "b",
+    type: "string",
+    description:
+      "Comma-separated list of compliance benchmark aliases to include in the scorecards (scvs, scvs-l1, scvs-l2, scvs-l3, cra). Defaults to all.",
+  })
+  .option("categories", {
+    type: "string",
+    description:
+      "Comma-separated list of compliance rule categories to evaluate (compliance-scvs, compliance-cra). Defaults to all.",
+  })
+  .option("min-severity", {
+    type: "string",
+    default: "info",
+    choices: ["info", "low", "medium", "high", "critical"],
+    description:
+      "Drop findings below this severity from the output (benchmark scoring is unaffected).",
+  })
+  .option("fail-severity", {
+    type: "string",
+    default: "high",
+    choices: ["info", "low", "medium", "high", "critical"],
+    description:
+      "Exit with code 3 when any failing finding is at or above this severity.",
+  })
+  .option("include-manual", {
+    type: "boolean",
+    default: true,
+    description:
+      "Include non-automatable manual-review findings in the output. Pass --no-include-manual to hide them.",
+  })
+  .option("include-pass", {
+    type: "boolean",
+    default: false,
+    description:
+      "Include passing findings in the output (useful for audits). Defaults to false.",
+  })
+  .option("public-key", {
+    description:
+      "Path to a PEM public key. When set, cdx-validate also verifies the BOM signature.",
+  })
+  .option("require-signature", {
+    type: "boolean",
+    default: false,
+    description:
+      "Exit non-zero (4) when --public-key is provided but signature verification fails.",
+  })
+  .option("strict", {
+    type: "boolean",
+    default: false,
+    description:
+      "Treat a failing schema or deep validation as a non-zero exit (code 2).",
+  })
+  .completion("completion", "Generate bash/zsh completion")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
+  .scriptName("cdx-validate")
+  .version(retrieveCdxgenVersion())
+  .help()
+  .wrap(Math.min(120, yargs().terminalWidth())).argv;
+
+function loadBom(input, platform) {
+  if (safeExistsSync(input)) {
+    try {
+      return JSON.parse(fs.readFileSync(input, "utf8"));
+    } catch (err) {
+      console.error(`Failed to parse ${input}: ${err.message}`);
+      process.exit(1);
+    }
+  }
+  if (
+    input.includes(":") ||
+    input.includes("docker") ||
+    input.includes("ghcr")
+  ) {
+    const bom = getBomWithOras(input, platform);
+    if (bom) return bom;
+  }
+  console.error(`Input '${input}' is not a readable SBOM.`);
+  process.exit(1);
+  return undefined;
+}
+
+function loadPublicKey(path) {
+  if (!path) return null;
+  if (!safeExistsSync(path)) {
+    console.error(`Public key '${path}' not found.`);
+    process.exit(1);
+  }
+  return fs.readFileSync(path, "utf8");
+}
+
+function splitCsv(value) {
+  if (!value) return undefined;
+  return value
+    .split(",")
+    .map((v) => v.trim())
+    .filter(Boolean);
+}
+
+function writeOrPrint(content, outputPath) {
+  if (!outputPath) {
+    process.stdout.write(`${content}\n`);
+    return;
+  }
+  const parent = dirname(outputPath);
+  if (parent && !safeExistsSync(parent)) {
+    safeMkdirSync(parent, { recursive: true });
+  }
+  fs.writeFileSync(outputPath, content);
+}
+
+const bomJson = loadBom(args.input, args.platform);
+const publicKeyStr = loadPublicKey(args.publicKey);
+
+const report = validateBomAdvanced(bomJson, {
+  schema: args.schema,
+  deep: args.deep,
+  benchmarks: splitCsv(args.benchmark),
+  categories: splitCsv(args.categories),
+  minSeverity: args.minSeverity,
+  includeManual: args.includeManual,
+  includePass: args.includePass,
+  publicKey: publicKeyStr || undefined,
+});
+
+let output;
+try {
+  const { version: pkgVersion } = JSON.parse(
+    fs.readFileSync(join(dirNameStr, "package.json"), "utf8"),
+  );
+  output = renderReport(args.report, report, {
+    bomJson,
+    toolName: "cdx-validate",
+    toolVersion: pkgVersion,
+    pretty: true,
+  });
+} catch (err) {
+  console.error(err.message);
+  process.exit(1);
+}
+
+writeOrPrint(output, args.reportFile);
+
+const { shouldFail: fail, reason } = shouldFail(report, {
+  failSeverity: args.failSeverity,
+  strict: args.strict,
+  requireSignature: Boolean(args.requireSignature && publicKeyStr),
+});
+
+if (report.signatureVerified === false && args.requireSignature) {
+  console.error(
+    `cdx-validate: signature verification failed — ${report.signatureDetails?.error || "no matching key"}.`,
+  );
+  process.exit(4);
+}
+
+if (args.strict && report.schemaValid === false) {
+  console.error("cdx-validate: schema validation failed.");
+  process.exit(2);
+}
+
+if (fail) {
+  console.error(`cdx-validate: ${reason}`);
+  process.exit(3);
+}
+
+process.exit(0);

package/bin/verify.js

@@ -4,10 +4,10 @@ import fs from "node:fs";
 import { join } from "node:path";
 import process from "node:process";
 
-import jws from "jws";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
+import { verifyNode } from "../lib/helpers/bomSigner.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -32,6 +32,12 @@ const args = _yargs
     default: "public.key",
     description: "Public key in PEM format. Default public.key",
   })
+  .option("deep", {
+    type: "boolean",
+    default: true,
+    description:
+      "Strictly verify all nested component, service, and annotation signatures against the provided public key. Pass --no-deep to verify only the root signature.",
+  })
   .completion("completion", "Generate bash/zsh completion")
   .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .scriptName("cdx-verify")
@@ -78,49 +84,84 @@ function getBom(args) {
   }
   return undefined;
 }
+
 const bomJson = getBom(args);
+
 if (!bomJson) {
   console.log(`${args.input} is invalid!`);
   process.exit(1);
 }
+
 if (bomJson && !safeExistsSync(args.publicKey)) {
   console.log("Public key for signature verification is missing!");
   process.exit(1);
 }
-let hasInvalidComp = false;
-// Validate any component signature
-for (const comp of bomJson.components) {
-  if (comp.signature) {
-    const compSignature = comp.signature.value;
-    const validationResult = jws.verify(
-      compSignature,
-      comp.signature.algorithm,
-      fs.readFileSync(args.publicKey, "utf8"),
-    );
-    if (!validationResult) {
-      console.log(`${comp["bom-ref"]} signature is invalid!`);
-      hasInvalidComp = true;
+
+const publicKeyStr = fs.readFileSync(args.publicKey, "utf8");
+
+let rootMatch = null;
+if (bomJson.signature) {
+  rootMatch = verifyNode(bomJson, publicKeyStr);
+}
+
+const verifyNested = args.deep || !bomJson.signature;
+let hasInvalidNested = false;
+let checkedNested = 0;
+
+if (verifyNested) {
+  for (const comp of bomJson.components || []) {
+    if (comp.signature) {
+      checkedNested++;
+      if (!verifyNode(comp, publicKeyStr)) {
+        console.log(
+          `Component '${comp["bom-ref"] || comp.name}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
+    }
+  }
+  for (const svc of bomJson.services || []) {
+    if (svc.signature) {
+      checkedNested++;
+      if (!verifyNode(svc, publicKeyStr)) {
+        console.log(
+          `Service '${svc["bom-ref"] || svc.name}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
+    }
+  }
+  for (const ann of bomJson.annotations || []) {
+    if (ann.signature) {
+      checkedNested++;
+      if (!verifyNode(ann, publicKeyStr)) {
+        console.log(
+          `Annotation '${ann["bom-ref"] || ann.subject}' signature is invalid!`,
+        );
+        hasInvalidNested = true;
+      }
     }
   }
 }
-if (hasInvalidComp) {
+
+if (hasInvalidNested) {
+  console.log("One or more nested signatures are invalid!");
   process.exit(1);
 }
-const bomSignature = bomJson.signature?.value
-  ? bomJson.signature.value
-  : undefined;
-if (!bomSignature) {
-  console.log("No signature was found!");
-} else {
-  const validationResult = jws.verify(
-    bomSignature,
-    bomJson.signature.algorithm,
-    fs.readFileSync(args.publicKey, "utf8"),
-  );
-  if (validationResult) {
-    console.log("Signature is valid!");
+
+if (bomJson.signature) {
+  if (rootMatch) {
+    const identifier = rootMatch.keyId
+      ? `KeyId: '${rootMatch.keyId}'`
+      : `Algorithm: '${rootMatch.algorithm}'`;
+    console.log(`✓ Signature is valid! (Matched ${identifier})`);
   } else {
     console.log("BOM signature is invalid!");
     process.exit(1);
   }
+} else if (checkedNested > 0 && !hasInvalidNested) {
+  console.log(`✓ ${checkedNested} nested signature(s) are valid!`);
+} else {
+  console.log("No valid signatures found to verify!");
+  process.exit(1);
 }

package/data/queries.json

@@ -27,7 +27,7 @@
   "vscode_extensions": {
     "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
     "description": "Lists all vscode extensions.",
-    "purlType": "vsix",
+    "purlType": "vscode-extension",
     "componentType": "application"
   },
   "deb_packages": {