@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/helpers/analyzer.poku.js

@@ -0,0 +1,230 @@
+import {
+  copyFileSync,
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { assert, describe, it } from "poku";
+
+import { findJSImportsExports } from "./analyzer.js";
+
+const baseTempDir = mkdtempSync(join(tmpdir(), "cdxgen-analyzer-poku-"));
+
+process.on("exit", () => {
+  rmSync(baseTempDir, { recursive: true, force: true });
+});
+
+const createProject = (subDirName, entryContent) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  writeFileSync(join(projectDir, "index.js"), entryContent, {
+    encoding: "utf-8",
+  });
+  return projectDir;
+};
+
+const createProjectFromFixture = (subDirName, fixtureFileName) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  const fixturePath = new URL(
+    `../../test/data/${fixtureFileName}`,
+    import.meta.url,
+  );
+  copyFileSync(fixturePath, join(projectDir, fixtureFileName));
+  return projectDir;
+};
+
+describe("findJSImportsExports() wasm and wasi detection", () => {
+  it("captures wasm exports from WebAssembly.instantiate() flow", async () => {
+    const projectDir = createProject(
+      "instantiate-flow",
+      `import fs from "node:fs/promises";
+const wasmBuffer = await fs.readFile("./add.wasm");
+const wasmModule = await WebAssembly.instantiate(wasmBuffer);
+const { add } = wasmModule.instance.exports;
+console.log(add(5, 6));
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["add.wasm"], "expected add.wasm to be discovered");
+    const occurrences = Array.from(allImports["add.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("add")),
+      "expected add export symbol to be tracked",
+    );
+    const addOccurrence = occurrences.find((occ) =>
+      occ.importedModules?.includes("add"),
+    );
+    assert.ok(addOccurrence, "expected add symbol occurrence to exist");
+    assert.ok(
+      addOccurrence.fileName?.includes("index.js"),
+      "expected source filename to be tracked",
+    );
+    assert.strictEqual(addOccurrence.lineNumber, 4);
+    assert.strictEqual(typeof addOccurrence.columnNumber, "number");
+    assert.ok(addOccurrence.columnNumber >= 0);
+  });
+
+  it("captures wasm exports from instantiateStreaming(fetch(new URL(...)))", async () => {
+    const projectDir = createProject(
+      "streaming-flow",
+      `const { instance } = await WebAssembly.instantiateStreaming(
+  fetch(new URL("./stream.wasm", import.meta.url)),
+);
+const { run } = instance.exports;
+console.log(run());
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      allImports["stream.wasm"],
+      "expected stream.wasm to be discovered",
+    );
+    const occurrences = Array.from(allImports["stream.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("run")),
+      "expected run export symbol to be tracked",
+    );
+  });
+
+  it("does not treat arbitrary function calls with .wasm literals as wasm imports", async () => {
+    const projectDir = createProject(
+      "non-wasm-callee",
+      `doSomething("./ignored.wasm");
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      !allImports["./ignored.wasm"] && !allImports["ignored.wasm"],
+      "expected non-wasm callee usage to be ignored",
+    );
+  });
+
+  it("captures wasi constructor and lifecycle API usage", async () => {
+    const projectDir = createProject(
+      "wasi-flow",
+      `import { WASI } from "node:wasi";
+const wasi = new WASI({ version: "preview1" });
+wasi.initialize(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("initialize")),
+      "expected initialize API usage to be tracked",
+    );
+  });
+
+  it("captures wasi constructor alias invoked without new", async () => {
+    const projectDir = createProject(
+      "wasi-call-alias-flow",
+      `import { WASI as WasiCtor } from "node:wasi";
+const wasi = WasiCtor({ version: "preview1" });
+wasi.start(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI constructor alias usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("start")),
+      "expected start API usage to be tracked",
+    );
+  });
+
+  it("detects wasm import/export functions from libmagic wrapper fixture", async () => {
+    const projectDir = createProjectFromFixture(
+      "libmagic-wrapper",
+      "libmagic-wrapper.js",
+    );
+
+    const { allImports, allExports } = await findJSImportsExports(
+      projectDir,
+      false,
+    );
+    assert.ok(allImports.fs, "expected fs require import to be detected");
+    assert.ok(
+      allImports.crypto,
+      "expected crypto require import to be detected",
+    );
+    assert.ok(
+      allImports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm to be detected",
+    );
+    assert.ok(
+      allExports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm exports to be detected",
+    );
+
+    const wasmImportOccurrences = Array.from(
+      allImports["libmagic-wrapper.wasm"],
+    );
+    const wasmExportOccurrences = Array.from(
+      allExports["libmagic-wrapper.wasm"],
+    );
+
+    assert.ok(
+      wasmImportOccurrences.some(
+        (occ) =>
+          occ.fileName?.includes("libmagic-wrapper.js") &&
+          typeof occ.lineNumber === "number" &&
+          typeof occ.columnNumber === "number",
+      ),
+      "expected wasm import occurrences to include source location metadata",
+    );
+
+    const importedModules = new Set(
+      wasmImportOccurrences.flatMap((occ) => occ.importedModules || []),
+    );
+    for (const expectedImportedModule of [
+      "free",
+      "malloc",
+      "magic_wrapper_load",
+      "magic_wrapper_detect",
+      "_emscripten_stack_restore",
+      "_emscripten_stack_alloc",
+      "emscripten_stack_get_current",
+      "memory",
+      "__indirect_function_table",
+    ]) {
+      assert.ok(
+        importedModules.has(expectedImportedModule),
+        `expected imported wasm symbol ${expectedImportedModule}`,
+      );
+    }
+
+    const exportedModules = new Set(
+      wasmExportOccurrences.flatMap((occ) => occ.exportedModules || []),
+    );
+    for (const expectedExportedModule of [
+      "_free",
+      "_malloc",
+      "_magic_wrapper_load",
+      "_magic_wrapper_detect",
+    ]) {
+      assert.ok(
+        exportedModules.has(expectedExportedModule),
+        `expected exported wasm symbol ${expectedExportedModule}`,
+      );
+    }
+  });
+});

package/lib/helpers/bomSigner.js

@@ -0,0 +1,312 @@
+import crypto from "node:crypto";
+
+/**
+ * Lightweight, deterministic JSON Canonicalizer (similar to RFC 8785).
+ * Required by JSF to ensure the signature payload remains identical across systems.
+ *
+ * @param {any} value - The JSON object/value to canonicalize
+ * @returns {string} - Canonicalized JSON string
+ */
+function canonicalize(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return `[${value.map(canonicalize).join(",")}]`;
+  }
+  const keys = Object.keys(value).sort();
+  let str = "{";
+  for (let i = 0; i < keys.length; i++) {
+    if (i > 0) str += ",";
+    str += `${JSON.stringify(keys[i])}:${canonicalize(value[keys[i]])}`;
+  }
+  str += "}";
+  return str;
+}
+
+/**
+ * Creates a JSF-compliant signature block.
+ *
+ * @param {Object} payload - The object to sign (e.g., BOM, component)
+ * @param {string|Buffer|crypto.KeyObject} privateKey - The signing key
+ * @param {string} alg - JSF algorithm identifier
+ * @param {Object} [publicKeyJwk] - Optional JWK representation of the public key
+ * @param {string} keyId - Key ID
+ *
+ * @returns {Object} - JSF signature block
+ */
+function createSignatureBlock(
+  payload,
+  privateKey,
+  alg,
+  publicKeyJwk = null,
+  keyId = null,
+) {
+  // Exclude existing signatures from the canonicalized payload as per JSF
+  const { signature, ...dataToSign } = payload;
+  const canonicalData = canonicalize(dataToSign);
+
+  let hashAlg;
+  const signOptions = { key: privateKey };
+
+  // Handle HMAC (Symmetric)
+  if (alg.startsWith("HS")) {
+    const hash = alg.replace("HS", "sha");
+    const value = crypto
+      .createHmac(hash, privateKey)
+      .update(canonicalData, "utf8")
+      .digest("base64url");
+    const block = { algorithm: alg, value };
+    if (publicKeyJwk) {
+      block.publicKey = publicKeyJwk;
+    }
+    if (keyId) {
+      block.keyId = keyId;
+    }
+    return block;
+  }
+
+  // Handle Asymmetric Algorithms
+  if (alg.startsWith("RS")) {
+    hashAlg = alg.replace("RS", "SHA");
+  } else if (alg.startsWith("PS")) {
+    hashAlg = alg.replace("PS", "SHA");
+    signOptions.padding = crypto.constants.RSA_PKCS1_PSS_PADDING;
+    signOptions.saltLength = crypto.constants.RSA_PSS_SALTLEN_AUTO;
+  } else if (alg.startsWith("ES")) {
+    hashAlg = alg.replace("ES", "SHA");
+    // Standard JWA format requires IEEE P1363 (R || S) instead of ASN.1 DER
+    signOptions.dsaEncoding = "ieee-p1363";
+  } else if (alg === "Ed25519" || alg === "Ed448") {
+    // Native EdDSA algorithms do not require a separate hash algorithm definition
+    hashAlg = null;
+  } else {
+    throw new Error(`Unsupported JSF algorithm: ${alg}`);
+  }
+  const sigBuffer = crypto.sign(
+    hashAlg,
+    Buffer.from(canonicalData, "utf8"),
+    signOptions,
+  );
+  const block = { algorithm: alg, value: sigBuffer.toString("base64url") };
+  if (publicKeyJwk) {
+    block.publicKey = publicKeyJwk;
+  }
+  if (keyId) {
+    block.keyId = keyId;
+  }
+  return block;
+}
+
+/**
+ * Appends or replaces a signature on a target object based on the configured mode.
+ */
+function addSignature(target, sigBlock, mode) {
+  if (!target.signature) {
+    target.signature = sigBlock;
+    return;
+  }
+  if (mode === "chain") {
+    if (target.signature.chain) {
+      target.signature.chain.push(sigBlock);
+    } else if (target.signature.signers) {
+      throw new Error("Cannot mix signature chains and multi-signers.");
+    } else {
+      target.signature = { chain: [target.signature, sigBlock] };
+    }
+  } else if (mode === "signers") {
+    if (target.signature.signers) {
+      target.signature.signers.push(sigBlock);
+    } else if (target.signature.chain) {
+      throw new Error("Cannot mix signature chains and multi-signers.");
+    } else {
+      target.signature = { signers: [target.signature, sigBlock] };
+    }
+  } else {
+    target.signature = sigBlock;
+  }
+}
+
+/**
+ * Recursively applies signatures to the BOM and its granular components.
+ *
+ * @param {Object} bomJson - CycloneDX BOM Object
+ * @param {Object} options - Signing options { privateKey, algorithm, mode, ... }
+ * @returns {Object} - Signed BOM Object
+ */
+export function signBom(bomJson, options = {}) {
+  const {
+    privateKey,
+    algorithm = "RS512",
+    publicKeyJwk = null,
+    keyId = null,
+    mode = "replace", // Supports: 'replace', 'chain', 'signers'
+    signComponents = true,
+    signServices = true,
+    signAnnotations = true,
+  } = options;
+
+  if (!privateKey) {
+    throw new Error("privateKey is required for signing");
+  }
+  if (signComponents && Array.isArray(bomJson.components)) {
+    for (const comp of bomJson.components) {
+      addSignature(
+        comp,
+        createSignatureBlock(comp, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  if (signServices && Array.isArray(bomJson.services)) {
+    for (const svc of bomJson.services) {
+      addSignature(
+        svc,
+        createSignatureBlock(svc, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  if (signAnnotations && Array.isArray(bomJson.annotations)) {
+    for (const ann of bomJson.annotations) {
+      addSignature(
+        ann,
+        createSignatureBlock(ann, privateKey, algorithm, publicKeyJwk, keyId),
+        mode,
+      );
+    }
+  }
+  addSignature(
+    bomJson,
+    createSignatureBlock(bomJson, privateKey, algorithm, publicKeyJwk, keyId),
+    mode,
+  );
+  return bomJson;
+}
+
+/**
+ * Validates a single JSF signature block against the payload.
+ *
+ * @param {Object} payload - The payload to verify
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @param {Object} sigBlock Signature
+ *
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+function verifySignatureBlock(payload, publicKey, sigBlock) {
+  const { signature, ...dataToVerify } = payload;
+  const canonicalData = canonicalize(dataToVerify);
+
+  const { algorithm: alg, value } = sigBlock;
+
+  if (alg.startsWith("HS")) {
+    const hash = alg.replace("HS", "sha");
+    const expected = crypto
+      .createHmac(hash, publicKey)
+      .update(canonicalData, "utf8")
+      .digest("base64url");
+    const isValid = expected === value;
+    return isValid ? sigBlock : false;
+  }
+
+  const verifyOptions = { key: publicKey };
+  let hashAlg;
+
+  if (alg.startsWith("RS")) {
+    hashAlg = alg.replace("RS", "SHA");
+  } else if (alg.startsWith("PS")) {
+    hashAlg = alg.replace("PS", "SHA");
+    verifyOptions.padding = crypto.constants.RSA_PKCS1_PSS_PADDING;
+    verifyOptions.saltLength = crypto.constants.RSA_PSS_SALTLEN_AUTO;
+  } else if (alg.startsWith("ES")) {
+    hashAlg = alg.replace("ES", "SHA");
+    verifyOptions.dsaEncoding = "ieee-p1363";
+  } else if (alg === "Ed25519" || alg === "Ed448") {
+    hashAlg = null;
+  } else {
+    console.warn(`${alg} is unknown.`);
+    return false;
+  }
+
+  const isValid = crypto.verify(
+    hashAlg,
+    Buffer.from(canonicalData, "utf8"),
+    verifyOptions,
+    Buffer.from(value, "base64url"),
+  );
+  return isValid ? sigBlock : false;
+}
+
+/**
+ * Verifies the integrity of a specific element node (e.g., BOM root, Component, Service, Annotation).
+ * Resolves standard JSF signatures, multisignature (signers), and chains.
+ *
+ * @param {Object} node - The BOM or granular object to verify
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+export function verifyNode(node, publicKey) {
+  if (!node?.signature) {
+    return false;
+  }
+  const sigTarget = node.signature;
+  if (sigTarget.signers) {
+    for (const sig of sigTarget.signers) {
+      const match = verifySignatureBlock(node, publicKey, sig);
+      if (match) {
+        return match;
+      }
+    }
+    return false;
+  }
+  if (sigTarget.chain) {
+    for (const sig of sigTarget.chain) {
+      const match = verifySignatureBlock(node, publicKey, sig);
+      if (match) {
+        return match;
+      }
+    }
+    return false;
+  }
+  return verifySignatureBlock(node, publicKey, sigTarget);
+}
+
+/**
+ * Verifies the integrity of a BOM's top-level signature, as well as nested components, services, and annotations.
+ * Returns true only if the root signature is valid AND all signed nested elements are valid.
+ *
+ * @param {Object} bom - CycloneDX BOM Object
+ * @param {string|crypto.KeyObject} publicKey - The public key corresponding to the signature
+ * @returns {boolean|Object} - Signature block if signature is valid. False otherwise.
+ */
+export function verifyBom(bom, publicKey) {
+  if (!bom?.signature) {
+    return false;
+  }
+  const rootMatch = verifyNode(bom, publicKey);
+  if (!rootMatch) {
+    return false;
+  }
+  if (Array.isArray(bom.components)) {
+    for (const comp of bom.components) {
+      if (comp.signature && !verifyNode(comp, publicKey)) {
+        return false;
+      }
+    }
+  }
+  if (Array.isArray(bom.services)) {
+    for (const svc of bom.services) {
+      if (svc.signature && !verifyNode(svc, publicKey)) {
+        return false;
+      }
+    }
+  }
+  if (Array.isArray(bom.annotations)) {
+    for (const ann of bom.annotations) {
+      if (ann.signature && !verifyNode(ann, publicKey)) {
+        return false;
+      }
+    }
+  }
+  return rootMatch;
+}

package/lib/helpers/bomSigner.poku.js

@@ -0,0 +1,156 @@
+import assert from "node:assert";
+import crypto from "node:crypto";
+
+import { describe, it } from "poku";
+
+import { signBom, verifyBom, verifyNode } from "./bomSigner.js";
+
+const rsaKeys = crypto.generateKeyPairSync("rsa", {
+  modulusLength: 2048,
+  publicKeyEncoding: { type: "spki", format: "pem" },
+  privateKeyEncoding: { type: "pkcs8", format: "pem" },
+});
+
+const ecKeys = crypto.generateKeyPairSync("ec", {
+  namedCurve: "prime256v1",
+  publicKeyEncoding: { type: "spki", format: "pem" },
+  privateKeyEncoding: { type: "pkcs8", format: "pem" },
+});
+
+const generateMockBom = () => ({
+  bomFormat: "CycloneDX",
+  specVersion: "1.6",
+  components: [{ type: "library", name: "cdxgen", version: "1.0.0" }],
+  services: [{ name: "acme-service", endpoints: ["https://appthreat.com"] }],
+  annotations: [{ subject: "ref-1", annotator: { name: "System" } }],
+});
+
+describe("bomSigner Tests", async () => {
+  it("Test basic RS512 Signature & Verification", () => {
+    const bomRsa = generateMockBom();
+    const signedRsa = signBom(bomRsa, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+    });
+    assert.ok(signedRsa.signature, "Root BOM should be signed");
+    assert.strictEqual(signedRsa.signature.algorithm, "RS512");
+    assert.ok(
+      signedRsa.components[0].signature,
+      "Granular component should be signed",
+    );
+    assert.ok(
+      signedRsa.services[0].signature,
+      "Granular service should be signed",
+    );
+    assert.ok(
+      signedRsa.annotations[0].signature,
+      "Granular annotation should be signed",
+    );
+    assert.ok(verifyBom(signedRsa, rsaKeys.publicKey));
+  });
+
+  it("Test ECDSA (ES256) Signature & Verification (JWA IEEE P1363 Format Compliance)", () => {
+    const bomEc = generateMockBom();
+    const signedEc = signBom(bomEc, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+    });
+    assert.strictEqual(signedEc.signature.algorithm, "ES256");
+    assert.ok(verifyBom(signedEc, ecKeys.publicKey));
+    const signedRsa = signBom(bomEc, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+    });
+    assert.strictEqual(
+      verifyBom(signedRsa, ecKeys.publicKey),
+      false,
+      "Verification must fail with the wrong public key",
+    );
+  });
+
+  it("Test Multi-Signature Support (`signers`)", () => {
+    const bomMulti = generateMockBom();
+
+    // 1st Pass: First signer signs the whole BOM including inner elements
+    signBom(bomMulti, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+      mode: "signers",
+    });
+
+    assert.ok(
+      bomMulti.signature.algorithm,
+      "Initial signature block takes root format",
+    );
+
+    // 2nd Pass: Second signer ONLY co-signs the root BOM.
+    signBom(bomMulti, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+      mode: "signers",
+      signComponents: false,
+      signServices: false,
+      signAnnotations: false,
+    });
+
+    assert.ok(
+      Array.isArray(bomMulti.signature.signers),
+      "Signature should be converted to signers array",
+    );
+
+    assert.strictEqual(
+      bomMulti.signature.signers.length,
+      2,
+      "Should contain exactly two signers",
+    );
+
+    // RSA key signed EVERYTHING (root + components), so full deep verifyBom passes
+    assert.ok(verifyBom(bomMulti, rsaKeys.publicKey));
+
+    // EC key ONLY signed the root.
+    assert.ok(verifyNode(bomMulti, ecKeys.publicKey));
+  });
+
+  it("Test Signature Chain Support (`chain`)", () => {
+    const bomChain = generateMockBom();
+
+    signBom(bomChain, {
+      privateKey: rsaKeys.privateKey,
+      algorithm: "RS512",
+      mode: "chain",
+    });
+
+    signBom(bomChain, {
+      privateKey: ecKeys.privateKey,
+      algorithm: "ES256",
+      mode: "chain",
+      signComponents: false,
+      signServices: false,
+      signAnnotations: false,
+    });
+
+    assert.ok(
+      Array.isArray(bomChain.signature.chain),
+      "Signature should be converted to chain array",
+    );
+
+    assert.strictEqual(bomChain.signature.chain.length, 2);
+
+    // RSA key signed everything, verifyBom works
+    assert.ok(verifyBom(bomChain, rsaKeys.publicKey));
+
+    // EC key only chained the root, verifyNode strictly checks the root
+    assert.ok(verifyNode(bomChain, ecKeys.publicKey));
+  });
+
+  it("Test HMAC Symmetric Signature (HS256)", () => {
+    const symmetricKey = crypto.randomBytes(32).toString("hex");
+    const bomHmac = generateMockBom();
+    const signedHmac = signBom(bomHmac, {
+      privateKey: symmetricKey,
+      algorithm: "HS256",
+    });
+    assert.strictEqual(signedHmac.signature.algorithm, "HS256");
+    assert.ok(verifyBom(signedHmac, symmetricKey));
+  });
+});