npm - @cyclonedx/cdxgen - Versions diffs - 12.1.5 → 12.2.1 - Mend

@cyclonedx/cdxgen 12.1.5 → 12.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/README.md +51 -40
package/bin/cdxgen.js +194 -97
package/bin/evinse.js +4 -4
package/bin/repl.js +1 -1
package/bin/sign.js +102 -0
package/bin/validate.js +233 -0
package/bin/verify.js +69 -28
package/data/queries.json +1 -1
package/data/rules/ci-permissions.yaml +186 -0
package/data/rules/dependency-sources.yaml +123 -0
package/data/rules/package-integrity.yaml +135 -0
package/data/rules/vscode-extensions.yaml +228 -0
package/lib/cli/index.js +449 -429
package/lib/cli/index.poku.js +117 -0
package/lib/evinser/db.js +137 -0
package/lib/{helpers → evinser}/db.poku.js +2 -6
package/lib/evinser/evinser.js +2 -14
package/lib/helpers/analyzer.js +606 -3
package/lib/helpers/analyzer.poku.js +230 -0
package/lib/helpers/bomSigner.js +312 -0
package/lib/helpers/bomSigner.poku.js +156 -0
package/lib/helpers/ciParsers/azurePipelines.js +295 -0
package/lib/helpers/ciParsers/azurePipelines.poku.js +253 -0
package/lib/helpers/ciParsers/circleCi.js +286 -0
package/lib/helpers/ciParsers/circleCi.poku.js +230 -0
package/lib/helpers/ciParsers/common.js +24 -0
package/lib/helpers/ciParsers/githubActions.js +636 -0
package/lib/helpers/ciParsers/githubActions.poku.js +802 -0
package/lib/helpers/ciParsers/gitlabCi.js +213 -0
package/lib/helpers/ciParsers/gitlabCi.poku.js +247 -0
package/lib/helpers/ciParsers/jenkins.js +181 -0
package/lib/helpers/ciParsers/jenkins.poku.js +197 -0
package/lib/helpers/depsUtils.js +219 -0
package/lib/helpers/depsUtils.poku.js +207 -0
package/lib/helpers/display.js +426 -5
package/lib/helpers/envcontext.js +18 -3
package/lib/helpers/formulationParsers.js +351 -0
package/lib/helpers/logger.js +14 -0
package/lib/helpers/protobom.js +9 -9
package/lib/helpers/pythonutils.js +9 -0
package/lib/helpers/remote/dependency-track.js +84 -0
package/lib/helpers/remote/dependency-track.poku.js +119 -0
package/lib/helpers/table.js +384 -0
package/lib/helpers/table.poku.js +186 -0
package/lib/helpers/utils.js +865 -416
package/lib/helpers/utils.poku.js +172 -265
package/lib/helpers/versutils.js +202 -0
package/lib/helpers/versutils.poku.js +315 -0
package/lib/helpers/vsixutils.js +1061 -0
package/lib/helpers/vsixutils.poku.js +2247 -0
package/lib/managers/binary.js +19 -19
package/lib/managers/docker.js +108 -1
package/lib/managers/oci.js +10 -0
package/lib/managers/piptree.js +3 -9
package/lib/parsers/npmrc.js +17 -13
package/lib/parsers/npmrc.poku.js +41 -5
package/lib/server/openapi.yaml +34 -1
package/lib/server/server.js +50 -13
package/lib/server/server.poku.js +332 -144
package/lib/stages/postgen/annotator.js +1 -1
package/lib/stages/postgen/auditBom.js +196 -0
package/lib/stages/postgen/auditBom.poku.js +378 -0
package/lib/stages/postgen/postgen.js +54 -1
package/lib/stages/postgen/postgen.poku.js +90 -1
package/lib/stages/postgen/ruleEngine.js +369 -0
package/lib/stages/pregen/envAudit.js +299 -0
package/lib/stages/pregen/envAudit.poku.js +572 -0
package/lib/stages/pregen/pregen.js +12 -8
package/lib/{helpers/validator.js → validator/bomValidator.js} +107 -47
package/lib/validator/complianceEngine.js +241 -0
package/lib/validator/complianceEngine.poku.js +168 -0
package/lib/validator/complianceRules.js +1610 -0
package/lib/validator/complianceRules.poku.js +328 -0
package/lib/validator/index.js +222 -0
package/lib/validator/index.poku.js +144 -0
package/lib/validator/reporters/annotations.js +121 -0
package/lib/validator/reporters/console.js +149 -0
package/lib/validator/reporters/index.js +41 -0
package/lib/validator/reporters/json.js +37 -0
package/lib/validator/reporters/sarif.js +184 -0
package/lib/validator/reporters.poku.js +150 -0
package/package.json +8 -9
package/types/bin/sign.d.ts +3 -0
package/types/bin/sign.d.ts.map +1 -0
package/types/bin/validate.d.ts +3 -0
package/types/bin/validate.d.ts.map +1 -0
package/types/helpers/utils.d.ts +0 -1
package/types/lib/cli/index.d.ts +49 -52
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/db.d.ts +34 -0
package/types/lib/evinser/db.d.ts.map +1 -0
package/types/lib/evinser/evinser.d.ts +63 -16
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/bomSigner.d.ts +27 -0
package/types/lib/helpers/bomSigner.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts +17 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/common.d.ts +11 -0
package/types/lib/helpers/ciParsers/common.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +34 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts +17 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts +21 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -0
package/types/lib/helpers/display.d.ts +111 -11
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/envcontext.d.ts +19 -7
package/types/lib/helpers/envcontext.d.ts.map +1 -1
package/types/lib/helpers/formulationParsers.d.ts +50 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -0
package/types/lib/helpers/logger.d.ts +15 -1
package/types/lib/helpers/logger.d.ts.map +1 -1
package/types/lib/helpers/protobom.d.ts +2 -2
package/types/lib/helpers/pythonutils.d.ts +10 -1
package/types/lib/helpers/pythonutils.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +16 -0
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -0
package/types/lib/helpers/table.d.ts +6 -0
package/types/lib/helpers/table.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +533 -128
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/helpers/versutils.d.ts +8 -0
package/types/lib/helpers/versutils.d.ts.map +1 -0
package/types/lib/helpers/vsixutils.d.ts +130 -0
package/types/lib/helpers/vsixutils.d.ts.map +1 -0
package/types/lib/managers/docker.d.ts +12 -31
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts +11 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/parsers/npmrc.d.ts +4 -1
package/types/lib/parsers/npmrc.d.ts.map +1 -1
package/types/lib/server/server.d.ts +22 -2
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +20 -0
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -0
package/types/lib/stages/postgen/postgen.d.ts +8 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts +18 -0
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -0
package/types/lib/stages/pregen/envAudit.d.ts +8 -0
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -0
package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
package/types/lib/{helpers/validator.d.ts → validator/bomValidator.d.ts} +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -0
package/types/lib/validator/complianceEngine.d.ts +66 -0
package/types/lib/validator/complianceEngine.d.ts.map +1 -0
package/types/lib/validator/complianceRules.d.ts +70 -0
package/types/lib/validator/complianceRules.d.ts.map +1 -0
package/types/lib/validator/index.d.ts +70 -0
package/types/lib/validator/index.d.ts.map +1 -0
package/types/lib/validator/reporters/annotations.d.ts +31 -0
package/types/lib/validator/reporters/annotations.d.ts.map +1 -0
package/types/lib/validator/reporters/console.d.ts +30 -0
package/types/lib/validator/reporters/console.d.ts.map +1 -0
package/types/lib/validator/reporters/index.d.ts +21 -0
package/types/lib/validator/reporters/index.d.ts.map +1 -0
package/types/lib/validator/reporters/json.d.ts +11 -0
package/types/lib/validator/reporters/json.d.ts.map +1 -0
package/types/lib/validator/reporters/sarif.d.ts +16 -0
package/types/lib/validator/reporters/sarif.d.ts.map +1 -0
package/lib/helpers/db.js +0 -162
package/lib/stages/pregen/env-audit.js +0 -34
package/lib/stages/pregen/env-audit.poku.js +0 -290
package/types/helpers/db.d.ts +0 -35
package/types/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/db.d.ts +0 -35
package/types/lib/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/validator.d.ts.map +0 -1
package/types/lib/stages/pregen/env-audit.d.ts +0 -2
package/types/lib/stages/pregen/env-audit.d.ts.map +0 -1
package/types/managers/binary.d.ts +0 -37
package/types/managers/binary.d.ts.map +0 -1
package/types/managers/docker.d.ts +0 -56
package/types/managers/docker.d.ts.map +0 -1
package/types/managers/oci.d.ts +0 -2
package/types/managers/oci.d.ts.map +0 -1
package/types/managers/piptree.d.ts +0 -2
package/types/managers/piptree.d.ts.map +0 -1
package/types/server/server.d.ts +0 -34
package/types/server/server.d.ts.map +0 -1
package/types/stages/postgen/annotator.d.ts +0 -27
package/types/stages/postgen/annotator.d.ts.map +0 -1
package/types/stages/postgen/postgen.d.ts +0 -51
package/types/stages/postgen/postgen.d.ts.map +0 -1
package/types/stages/pregen/pregen.d.ts +0 -59
package/types/stages/pregen/pregen.d.ts.map +0 -1

package/lib/server/server.js CHANGED Viewed

@@ -36,7 +36,11 @@ const ALLOWED_PARAMS = [
   "projectGroup",
   "projectTag",
   "projectVersion",
+  "autoCreate",
+  "isLatest",
   "parentUUID",
+  "parentProjectName",
+  "parentProjectVersion",
   "serverUrl",
   "apiKey",
   "specVersion",
@@ -270,7 +274,10 @@ function gitClone(repoUrl, branch = null) {
     "core.fsmonitor=false",
     "-c",
     "safe.bareRepository=explicit",
+    "-c",
+    "core.hooksPath=/dev/null",
     "clone",
+    "--template=",
     repoUrl,
     "--depth",
     "1",
@@ -297,13 +304,14 @@ function gitClone(repoUrl, branch = null) {
     GIT_CONFIG_VALUE_0: "false",
     GIT_CONFIG_KEY_1: "safe.bareRepository",
     GIT_CONFIG_VALUE_1: "explicit",
+    GIT_TERMINAL_PROMPT: "0",
   };
   const env = isSecureMode
     ? {
         ...process.env,
         ...envConfigs,
         GIT_CONFIG_NOSYSTEM: "1",
-        GIT_CONFIG_NOGLOBAL: "1",
+        GIT_CONFIG_GLOBAL: "/dev/null",
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       }
     : {
@@ -372,6 +380,17 @@ export function parseValue(raw) {
   throw new TypeError(`Invalid value type: ${t}.`);
 }
+/**
+ * Parses allowed query/body parameters into a typed options object.
+ * Query parameters take priority over body parameters. Handles the
+ * `type` → `projectType` rename, lifecycle-based `installDeps` defaulting,
+ * and profile option expansion.
+ *
+ * @param {Object} q Parsed query string key/value map
+ * @param {Object} [body={}] Parsed request body key/value map
+ * @param {Object} [options={}] Seed options object to merge results into
+ * @returns {Object} Populated options object
+ */
 export function parseQueryString(q, body = {}, options = {}) {
   // Priority is query params followed by body
   for (const param of ALLOWED_PARAMS) {
@@ -391,6 +410,14 @@ export function parseQueryString(q, body = {}, options = {}) {
   return options;
 }
+/**
+ * Extracts query parameters from an incoming HTTP request object.
+ * Handles repeated keys by collecting their values into an array.
+ * Returns an empty object if the URL cannot be parsed.
+ *
+ * @param {Object} req Node.js/connect HTTP request object
+ * @returns {Object} Key/value map of query parameters from the request URL
+ */
 export function getQueryParams(req) {
   try {
     if (!req?.url) {
@@ -402,7 +429,7 @@ export function getQueryParams(req) {
     const baseUrl = `${protocol}://${host}`;
     const fullUrl = new URL(req.url, baseUrl);
-    const params = {};
+    const params = Object.create(null);
     // Convert multiple values to an array
     for (const [key, value] of fullUrl.searchParams) {
@@ -449,21 +476,25 @@ const configureServer = (cdxgenServer) => {
 const ALL_INTERFACES = new Set(["0.0.0.0", "::", "::/128", "::/0"]);
 const start = (options) => {
+  if (isSecureMode && !process.permission) {
+    console.error(
+      "SECURE MODE: Node.js permission model not enabled. Use --permission flag.",
+    );
+    process.exit(1);
+  }
   console.log(`cdxgen server version ${CDXGEN_VERSION}`);
-  console.log(
-    "Listening on",
-    options.serverHost,
-    options.serverPort,
-    "without authentication!",
-  );
   if (ALL_INTERFACES.has(options.serverHost)) {
     console.log("Exposing cdxgen server on all IP address is a security risk!");
     if (isSecureMode) {
       process.exit(1);
     }
   }
-  if (+options.serverPort < 1024) {
+  const serverPort = Number(options.serverPort);
+  if (!Number.isInteger(serverPort) || serverPort <= 0 || serverPort > 65535) {
+    console.log("Invalid server port specified.");
+    process.exit(1);
+  }
+  if (serverPort < 1024) {
     console.log(
       "Running cdxgen server with a privileged port is a security risk!",
     );
@@ -503,9 +534,15 @@ const start = (options) => {
       process.exit(1);
     }
   }
+  console.log(
+    "Listening on",
+    options.serverHost,
+    serverPort,
+    "without authentication!",
+  );
   const cdxgenServer = http
     .createServer(app)
-    .listen(options.serverPort, options.serverHost);
+    .listen(serverPort, options.serverHost);
   configureServer(cdxgenServer);
   app.use("/health", (_req, res) => {
@@ -525,7 +562,7 @@ const start = (options) => {
     }
     const q = getQueryParams(req);
     let cleanup = false;
-    let reqOptions = {};
+    let reqOptions = Object.create(null);
     try {
       reqOptions = parseQueryString(
         q,
@@ -647,4 +684,4 @@ const start = (options) => {
   });
 };
-export { configureServer, start };
+export { configureServer, gitClone, start };