npm - @cyclonedx/cdxgen - Versions diffs - 12.1.5 → 12.2.1 - Mend

@cyclonedx/cdxgen 12.1.5 → 12.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/README.md +51 -40
package/bin/cdxgen.js +194 -97
package/bin/evinse.js +4 -4
package/bin/repl.js +1 -1
package/bin/sign.js +102 -0
package/bin/validate.js +233 -0
package/bin/verify.js +69 -28
package/data/queries.json +1 -1
package/data/rules/ci-permissions.yaml +186 -0
package/data/rules/dependency-sources.yaml +123 -0
package/data/rules/package-integrity.yaml +135 -0
package/data/rules/vscode-extensions.yaml +228 -0
package/lib/cli/index.js +449 -429
package/lib/cli/index.poku.js +117 -0
package/lib/evinser/db.js +137 -0
package/lib/{helpers → evinser}/db.poku.js +2 -6
package/lib/evinser/evinser.js +2 -14
package/lib/helpers/analyzer.js +606 -3
package/lib/helpers/analyzer.poku.js +230 -0
package/lib/helpers/bomSigner.js +312 -0
package/lib/helpers/bomSigner.poku.js +156 -0
package/lib/helpers/ciParsers/azurePipelines.js +295 -0
package/lib/helpers/ciParsers/azurePipelines.poku.js +253 -0
package/lib/helpers/ciParsers/circleCi.js +286 -0
package/lib/helpers/ciParsers/circleCi.poku.js +230 -0
package/lib/helpers/ciParsers/common.js +24 -0
package/lib/helpers/ciParsers/githubActions.js +636 -0
package/lib/helpers/ciParsers/githubActions.poku.js +802 -0
package/lib/helpers/ciParsers/gitlabCi.js +213 -0
package/lib/helpers/ciParsers/gitlabCi.poku.js +247 -0
package/lib/helpers/ciParsers/jenkins.js +181 -0
package/lib/helpers/ciParsers/jenkins.poku.js +197 -0
package/lib/helpers/depsUtils.js +219 -0
package/lib/helpers/depsUtils.poku.js +207 -0
package/lib/helpers/display.js +426 -5
package/lib/helpers/envcontext.js +18 -3
package/lib/helpers/formulationParsers.js +351 -0
package/lib/helpers/logger.js +14 -0
package/lib/helpers/protobom.js +9 -9
package/lib/helpers/pythonutils.js +9 -0
package/lib/helpers/remote/dependency-track.js +84 -0
package/lib/helpers/remote/dependency-track.poku.js +119 -0
package/lib/helpers/table.js +384 -0
package/lib/helpers/table.poku.js +186 -0
package/lib/helpers/utils.js +865 -416
package/lib/helpers/utils.poku.js +172 -265
package/lib/helpers/versutils.js +202 -0
package/lib/helpers/versutils.poku.js +315 -0
package/lib/helpers/vsixutils.js +1061 -0
package/lib/helpers/vsixutils.poku.js +2247 -0
package/lib/managers/binary.js +19 -19
package/lib/managers/docker.js +108 -1
package/lib/managers/oci.js +10 -0
package/lib/managers/piptree.js +3 -9
package/lib/parsers/npmrc.js +17 -13
package/lib/parsers/npmrc.poku.js +41 -5
package/lib/server/openapi.yaml +34 -1
package/lib/server/server.js +50 -13
package/lib/server/server.poku.js +332 -144
package/lib/stages/postgen/annotator.js +1 -1
package/lib/stages/postgen/auditBom.js +196 -0
package/lib/stages/postgen/auditBom.poku.js +378 -0
package/lib/stages/postgen/postgen.js +54 -1
package/lib/stages/postgen/postgen.poku.js +90 -1
package/lib/stages/postgen/ruleEngine.js +369 -0
package/lib/stages/pregen/envAudit.js +299 -0
package/lib/stages/pregen/envAudit.poku.js +572 -0
package/lib/stages/pregen/pregen.js +12 -8
package/lib/{helpers/validator.js → validator/bomValidator.js} +107 -47
package/lib/validator/complianceEngine.js +241 -0
package/lib/validator/complianceEngine.poku.js +168 -0
package/lib/validator/complianceRules.js +1610 -0
package/lib/validator/complianceRules.poku.js +328 -0
package/lib/validator/index.js +222 -0
package/lib/validator/index.poku.js +144 -0
package/lib/validator/reporters/annotations.js +121 -0
package/lib/validator/reporters/console.js +149 -0
package/lib/validator/reporters/index.js +41 -0
package/lib/validator/reporters/json.js +37 -0
package/lib/validator/reporters/sarif.js +184 -0
package/lib/validator/reporters.poku.js +150 -0
package/package.json +8 -9
package/types/bin/sign.d.ts +3 -0
package/types/bin/sign.d.ts.map +1 -0
package/types/bin/validate.d.ts +3 -0
package/types/bin/validate.d.ts.map +1 -0
package/types/helpers/utils.d.ts +0 -1
package/types/lib/cli/index.d.ts +49 -52
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/db.d.ts +34 -0
package/types/lib/evinser/db.d.ts.map +1 -0
package/types/lib/evinser/evinser.d.ts +63 -16
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/bomSigner.d.ts +27 -0
package/types/lib/helpers/bomSigner.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts +17 -0
package/types/lib/helpers/ciParsers/azurePipelines.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/circleCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/common.d.ts +11 -0
package/types/lib/helpers/ciParsers/common.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +34 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts +17 -0
package/types/lib/helpers/ciParsers/gitlabCi.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts +17 -0
package/types/lib/helpers/ciParsers/jenkins.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts +21 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -0
package/types/lib/helpers/display.d.ts +111 -11
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/envcontext.d.ts +19 -7
package/types/lib/helpers/envcontext.d.ts.map +1 -1
package/types/lib/helpers/formulationParsers.d.ts +50 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -0
package/types/lib/helpers/logger.d.ts +15 -1
package/types/lib/helpers/logger.d.ts.map +1 -1
package/types/lib/helpers/protobom.d.ts +2 -2
package/types/lib/helpers/pythonutils.d.ts +10 -1
package/types/lib/helpers/pythonutils.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +16 -0
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -0
package/types/lib/helpers/table.d.ts +6 -0
package/types/lib/helpers/table.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +533 -128
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/helpers/versutils.d.ts +8 -0
package/types/lib/helpers/versutils.d.ts.map +1 -0
package/types/lib/helpers/vsixutils.d.ts +130 -0
package/types/lib/helpers/vsixutils.d.ts.map +1 -0
package/types/lib/managers/docker.d.ts +12 -31
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts +11 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/parsers/npmrc.d.ts +4 -1
package/types/lib/parsers/npmrc.d.ts.map +1 -1
package/types/lib/server/server.d.ts +22 -2
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +20 -0
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -0
package/types/lib/stages/postgen/postgen.d.ts +8 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts +18 -0
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -0
package/types/lib/stages/pregen/envAudit.d.ts +8 -0
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -0
package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
package/types/lib/{helpers/validator.d.ts → validator/bomValidator.d.ts} +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -0
package/types/lib/validator/complianceEngine.d.ts +66 -0
package/types/lib/validator/complianceEngine.d.ts.map +1 -0
package/types/lib/validator/complianceRules.d.ts +70 -0
package/types/lib/validator/complianceRules.d.ts.map +1 -0
package/types/lib/validator/index.d.ts +70 -0
package/types/lib/validator/index.d.ts.map +1 -0
package/types/lib/validator/reporters/annotations.d.ts +31 -0
package/types/lib/validator/reporters/annotations.d.ts.map +1 -0
package/types/lib/validator/reporters/console.d.ts +30 -0
package/types/lib/validator/reporters/console.d.ts.map +1 -0
package/types/lib/validator/reporters/index.d.ts +21 -0
package/types/lib/validator/reporters/index.d.ts.map +1 -0
package/types/lib/validator/reporters/json.d.ts +11 -0
package/types/lib/validator/reporters/json.d.ts.map +1 -0
package/types/lib/validator/reporters/sarif.d.ts +16 -0
package/types/lib/validator/reporters/sarif.d.ts.map +1 -0
package/lib/helpers/db.js +0 -162
package/lib/stages/pregen/env-audit.js +0 -34
package/lib/stages/pregen/env-audit.poku.js +0 -290
package/types/helpers/db.d.ts +0 -35
package/types/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/db.d.ts +0 -35
package/types/lib/helpers/db.d.ts.map +0 -1
package/types/lib/helpers/validator.d.ts.map +0 -1
package/types/lib/stages/pregen/env-audit.d.ts +0 -2
package/types/lib/stages/pregen/env-audit.d.ts.map +0 -1
package/types/managers/binary.d.ts +0 -37
package/types/managers/binary.d.ts.map +0 -1
package/types/managers/docker.d.ts +0 -56
package/types/managers/docker.d.ts.map +0 -1
package/types/managers/oci.d.ts +0 -2
package/types/managers/oci.d.ts.map +0 -1
package/types/managers/piptree.d.ts +0 -2
package/types/managers/piptree.d.ts.map +0 -1
package/types/server/server.d.ts +0 -34
package/types/server/server.d.ts.map +0 -1
package/types/stages/postgen/annotator.d.ts +0 -27
package/types/stages/postgen/annotator.d.ts.map +0 -1
package/types/stages/postgen/postgen.d.ts +0 -51
package/types/stages/postgen/postgen.d.ts.map +0 -1
package/types/stages/pregen/pregen.d.ts +0 -59
package/types/stages/pregen/pregen.d.ts.map +0 -1

package/lib/cli/index.poku.js CHANGED Viewed

@@ -120,5 +120,122 @@ describe("CLI tests", () => {
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
       assert.deepEqual(options.json, expectedRequestPayload);
     });
+    it("should include parentName and parentVersion when parent project name and version are passed", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+      const serverUrl = "https://dtrack.example.com";
+      const projectName = "cdxgen-test-project";
+      const projectVersion = "2.0.0";
+      const parentProjectName = "parent-project";
+      const parentProjectVersion = "1.0.0";
+      const bomContent = {
+        bom: "test3",
+      };
+      const apiKey = "TEST_API_KEY";
+      const skipDtTlsCheck = false;
+      const expectedRequestPayload = {
+        autoCreate: "true",
+        bom: "eyJib20iOiJ0ZXN0MyJ9", // stringified and base64 encoded bomContent
+        parentName: parentProjectName,
+        parentVersion: parentProjectVersion,
+        projectName,
+        projectVersion,
+      };
+      await submitBom(
+        {
+          serverUrl,
+          projectName,
+          projectVersion,
+          parentProjectName,
+          parentProjectVersion,
+          apiKey,
+          skipDtTlsCheck,
+        },
+        bomContent,
+      );
+      sinon.assert.calledOnce(gotStub);
+      const [calledUrl, options] = gotStub.firstCall.args;
+      assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
+      assert.equal(options.method, "PUT");
+      assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
+      assert.equal(options.headers["X-Api-Key"], apiKey);
+      assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
+      assert.deepEqual(options.json, expectedRequestPayload);
+    });
+    it("should include configurable autoCreate and isLatest values in payload", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+      const serverUrl = "https://dtrack.example.com";
+      const projectName = "cdxgen-test-project";
+      const apiKey = "TEST_API_KEY";
+      await submitBom(
+        {
+          serverUrl,
+          projectName,
+          apiKey,
+          autoCreate: false,
+          isLatest: true,
+        },
+        { bom: "test4" },
+      );
+      sinon.assert.calledOnce(gotStub);
+      const [_calledUrl, options] = gotStub.firstCall.args;
+      assert.equal(options.json.autoCreate, "false");
+      assert.equal(options.json.isLatest, true);
+      assert.equal(options.json.projectVersion, "main");
+    });
+    it("should reject invalid mixed parent modes before making network request", async () => {
+      const fakeGotResponse = {
+        json: sinon.stub().resolves({ success: true }),
+      };
+      const gotStub = sinon.stub().returns(fakeGotResponse);
+      gotStub.extend = sinon.stub().returns(gotStub);
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+      const response = await submitBom(
+        {
+          serverUrl: "https://dtrack.example.com",
+          projectName: "cdxgen-test-project",
+          parentProjectId: "5103b8b4-4ca3-46ea-8051-036a3b2ab17e",
+          parentProjectName: "parent",
+          parentProjectVersion: "1.0.0",
+        },
+        { bom: "test5" },
+      );
+      assert.equal(response, undefined);
+      sinon.assert.notCalled(gotStub);
+    });
   });
 });

package/lib/evinser/db.js ADDED Viewed

@@ -0,0 +1,137 @@
+class Model {
+  constructor(tableName) {
+    this.tableName = tableName;
+    this.store = new Map();
+  }
+  async init() {
+    this.store.clear();
+  }
+  async findByPk(purl) {
+    if (this.store.has(purl)) {
+      const record = this.store.get(purl);
+      let parsedData;
+      try {
+        parsedData = JSON.parse(record.dataStr);
+      } catch (_e) {
+        parsedData = record.dataStr;
+      }
+      return {
+        purl: record.purl,
+        data: parsedData,
+        createdAt: record.createdAt,
+        updatedAt: record.updatedAt,
+      };
+    }
+    return null;
+  }
+  async findOrCreate(options) {
+    const { where, defaults } = options;
+    const existing = await this.findByPk(where.purl);
+    if (existing) {
+      return [existing, false];
+    }
+    let dataStr;
+    if (typeof defaults.data === "string") {
+      dataStr = defaults.data;
+    } else {
+      dataStr = JSON.stringify(defaults.data);
+    }
+    const now = new Date().toISOString();
+    const searchStr = dataStr.toLowerCase();
+    const record = {
+      purl: defaults.purl,
+      dataStr: dataStr,
+      searchStr: searchStr,
+      createdAt: now,
+      updatedAt: now,
+    };
+    this.store.set(defaults.purl, record);
+    let parsedData;
+    try {
+      parsedData = JSON.parse(record.dataStr);
+    } catch (_e) {
+      parsedData = record.dataStr;
+    }
+    const instance = {
+      purl: record.purl,
+      data: parsedData,
+      createdAt: record.createdAt,
+      updatedAt: record.updatedAt,
+    };
+    return [instance, true];
+  }
+  async findAll(options) {
+    const results = [];
+    let searchTerm = null;
+    if (options?.where?.data?.like) {
+      searchTerm = options.where.data.like.replace(/%/g, "").toLowerCase();
+    }
+    for (const record of this.store.values()) {
+      let matches = true;
+      if (searchTerm) {
+        if (!record.searchStr.includes(searchTerm)) {
+          matches = false;
+        }
+      }
+      if (matches) {
+        let parsedData;
+        try {
+          parsedData = JSON.parse(record.dataStr);
+        } catch (_e) {
+          parsedData = record.dataStr;
+        }
+        results.push({
+          purl: record.purl,
+          data: parsedData,
+          createdAt: record.createdAt,
+          updatedAt: record.updatedAt,
+        });
+      }
+    }
+    return results;
+  }
+}
+export const createOrLoad = async () => {
+  const Namespaces = new Model("Namespaces");
+  const Usages = new Model("Usages");
+  const DataFlows = new Model("DataFlows");
+  await Namespaces.init();
+  await Usages.init();
+  await DataFlows.init();
+  const sequelize = {
+    close: () => {
+      return true;
+    },
+  };
+  return {
+    sequelize,
+    Namespaces,
+    Usages,
+    DataFlows,
+  };
+};

package/lib/{helpers → evinser}/db.poku.js RENAMED Viewed

@@ -2,12 +2,8 @@ import { assert, describe, test } from "poku";
 import { createOrLoad } from "./db.js";
-describe("SQLite3 Helper Tests", async () => {
-  const { sequelize, Namespaces } = await createOrLoad(
-    "test.db",
-    ":memory:",
-    false,
-  );
+describe("In-Memory DB Helper Tests", async () => {
+  const { sequelize, Namespaces } = await createOrLoad();
   await test("Model Initialization", () => {
     assert.ok(sequelize, "Database instance should exist");

package/lib/evinser/evinser.js CHANGED Viewed

@@ -5,7 +5,6 @@ import process from "node:process";
 import { PackageURL } from "packageurl-js";
 import { findCryptoAlgos } from "../helpers/cbomutils.js";
-import * as db from "../helpers/db.js";
 import {
   collectGradleDependencies,
   collectMvnDependencies,
@@ -18,13 +17,12 @@ import {
   getTmpDir,
   PROJECT_TYPE_ALIASES,
   safeExistsSync,
-  safeMkdirSync,
 } from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
+import { createOrLoad } from "./db.js";
 import { findPurlLocations } from "./scalasem.js";
 import { createSemanticsSlices } from "./swiftsem.js";
-const DB_NAME = "evinser.db";
 const typePurlsCache = {};
 /**
@@ -33,13 +31,6 @@ const typePurlsCache = {};
  * @param {Object} options Command line options
  */
 export async function prepareDB(options) {
-  if (!options.dbPath.includes("memory") && !safeExistsSync(options.dbPath)) {
-    try {
-      safeMkdirSync(options.dbPath, { recursive: true });
-    } catch (_e) {
-      // ignore
-    }
-  }
   const dirPath = options._[0] || ".";
   const bomJsonFile = options.input;
   if (!safeExistsSync(bomJsonFile)) {
@@ -61,10 +52,7 @@ export async function prepareDB(options) {
     process.exit(0);
   }
   const components = bomJson.components || [];
-  const { sequelize, Namespaces, Usages, DataFlows } = await db.createOrLoad(
-    DB_NAME,
-    options.dbPath,
-  );
+  const { sequelize, Namespaces, Usages, DataFlows } = await createOrLoad();
   let hasMavenPkgs = false;
   // We need to slice only non-maven packages
   const purlsToSlice = {};