@cyclonedx/cdxgen 12.2.0 → 12.2.1

package/lib/helpers/analyzer.poku.js

@@ -0,0 +1,230 @@
+import {
+  copyFileSync,
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { assert, describe, it } from "poku";
+
+import { findJSImportsExports } from "./analyzer.js";
+
+const baseTempDir = mkdtempSync(join(tmpdir(), "cdxgen-analyzer-poku-"));
+
+process.on("exit", () => {
+  rmSync(baseTempDir, { recursive: true, force: true });
+});
+
+const createProject = (subDirName, entryContent) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  writeFileSync(join(projectDir, "index.js"), entryContent, {
+    encoding: "utf-8",
+  });
+  return projectDir;
+};
+
+const createProjectFromFixture = (subDirName, fixtureFileName) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  const fixturePath = new URL(
+    `../../test/data/${fixtureFileName}`,
+    import.meta.url,
+  );
+  copyFileSync(fixturePath, join(projectDir, fixtureFileName));
+  return projectDir;
+};
+
+describe("findJSImportsExports() wasm and wasi detection", () => {
+  it("captures wasm exports from WebAssembly.instantiate() flow", async () => {
+    const projectDir = createProject(
+      "instantiate-flow",
+      `import fs from "node:fs/promises";
+const wasmBuffer = await fs.readFile("./add.wasm");
+const wasmModule = await WebAssembly.instantiate(wasmBuffer);
+const { add } = wasmModule.instance.exports;
+console.log(add(5, 6));
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["add.wasm"], "expected add.wasm to be discovered");
+    const occurrences = Array.from(allImports["add.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("add")),
+      "expected add export symbol to be tracked",
+    );
+    const addOccurrence = occurrences.find((occ) =>
+      occ.importedModules?.includes("add"),
+    );
+    assert.ok(addOccurrence, "expected add symbol occurrence to exist");
+    assert.ok(
+      addOccurrence.fileName?.includes("index.js"),
+      "expected source filename to be tracked",
+    );
+    assert.strictEqual(addOccurrence.lineNumber, 4);
+    assert.strictEqual(typeof addOccurrence.columnNumber, "number");
+    assert.ok(addOccurrence.columnNumber >= 0);
+  });
+
+  it("captures wasm exports from instantiateStreaming(fetch(new URL(...)))", async () => {
+    const projectDir = createProject(
+      "streaming-flow",
+      `const { instance } = await WebAssembly.instantiateStreaming(
+  fetch(new URL("./stream.wasm", import.meta.url)),
+);
+const { run } = instance.exports;
+console.log(run());
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      allImports["stream.wasm"],
+      "expected stream.wasm to be discovered",
+    );
+    const occurrences = Array.from(allImports["stream.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("run")),
+      "expected run export symbol to be tracked",
+    );
+  });
+
+  it("does not treat arbitrary function calls with .wasm literals as wasm imports", async () => {
+    const projectDir = createProject(
+      "non-wasm-callee",
+      `doSomething("./ignored.wasm");
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      !allImports["./ignored.wasm"] && !allImports["ignored.wasm"],
+      "expected non-wasm callee usage to be ignored",
+    );
+  });
+
+  it("captures wasi constructor and lifecycle API usage", async () => {
+    const projectDir = createProject(
+      "wasi-flow",
+      `import { WASI } from "node:wasi";
+const wasi = new WASI({ version: "preview1" });
+wasi.initialize(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("initialize")),
+      "expected initialize API usage to be tracked",
+    );
+  });
+
+  it("captures wasi constructor alias invoked without new", async () => {
+    const projectDir = createProject(
+      "wasi-call-alias-flow",
+      `import { WASI as WasiCtor } from "node:wasi";
+const wasi = WasiCtor({ version: "preview1" });
+wasi.start(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI constructor alias usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("start")),
+      "expected start API usage to be tracked",
+    );
+  });
+
+  it("detects wasm import/export functions from libmagic wrapper fixture", async () => {
+    const projectDir = createProjectFromFixture(
+      "libmagic-wrapper",
+      "libmagic-wrapper.js",
+    );
+
+    const { allImports, allExports } = await findJSImportsExports(
+      projectDir,
+      false,
+    );
+    assert.ok(allImports.fs, "expected fs require import to be detected");
+    assert.ok(
+      allImports.crypto,
+      "expected crypto require import to be detected",
+    );
+    assert.ok(
+      allImports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm to be detected",
+    );
+    assert.ok(
+      allExports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm exports to be detected",
+    );
+
+    const wasmImportOccurrences = Array.from(
+      allImports["libmagic-wrapper.wasm"],
+    );
+    const wasmExportOccurrences = Array.from(
+      allExports["libmagic-wrapper.wasm"],
+    );
+
+    assert.ok(
+      wasmImportOccurrences.some(
+        (occ) =>
+          occ.fileName?.includes("libmagic-wrapper.js") &&
+          typeof occ.lineNumber === "number" &&
+          typeof occ.columnNumber === "number",
+      ),
+      "expected wasm import occurrences to include source location metadata",
+    );
+
+    const importedModules = new Set(
+      wasmImportOccurrences.flatMap((occ) => occ.importedModules || []),
+    );
+    for (const expectedImportedModule of [
+      "free",
+      "malloc",
+      "magic_wrapper_load",
+      "magic_wrapper_detect",
+      "_emscripten_stack_restore",
+      "_emscripten_stack_alloc",
+      "emscripten_stack_get_current",
+      "memory",
+      "__indirect_function_table",
+    ]) {
+      assert.ok(
+        importedModules.has(expectedImportedModule),
+        `expected imported wasm symbol ${expectedImportedModule}`,
+      );
+    }
+
+    const exportedModules = new Set(
+      wasmExportOccurrences.flatMap((occ) => occ.exportedModules || []),
+    );
+    for (const expectedExportedModule of [
+      "_free",
+      "_malloc",
+      "_magic_wrapper_load",
+      "_magic_wrapper_detect",
+    ]) {
+      assert.ok(
+        exportedModules.has(expectedExportedModule),
+        `expected exported wasm symbol ${expectedExportedModule}`,
+      );
+    }
+  });
+});

package/lib/helpers/depsUtils.js

@@ -119,6 +119,22 @@ export function trimComponents(components) {
           existingComponent.properties = comp.properties;
         }
       }
+      if (comp.hashes) {
+        if (existingComponent.hashes) {
+          for (const newhash of comp.hashes) {
+            if (
+              !existingComponent.hashes.find(
+                (hash) =>
+                  hash.alg === newhash.alg && hash.content === newhash.content,
+              )
+            ) {
+              existingComponent.hashes.push(newhash);
+            }
+          }
+        } else {
+          existingComponent.hashes = comp.hashes;
+        }
+      }
       // Retain all component.evidence.identity
       if (comp?.evidence?.identity) {
         if (!existingComponent.evidence) {

package/lib/helpers/depsUtils.poku.js

@@ -1,6 +1,6 @@
 import { assert, describe, it } from "poku";
 
-import { mergeDependencies } from "./depsUtils.js";
+import { mergeDependencies, trimComponents } from "./depsUtils.js";
 
 describe("mergeDependencies()", () => {
   it("merges two non-overlapping dependency arrays", () => {
@@ -148,3 +148,60 @@ describe("mergeDependencies()", () => {
     assert.ok(!entry.dependsOn.includes(null), "null must be filtered");
   });
 });
+
+describe("trimComponents()", () => {
+  it("retains hashes from duplicate components", () => {
+    const components = [
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "library",
+        properties: [{ name: "SrcFile", value: "Scripts/jquery.min.js" }],
+      },
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "framework",
+        hashes: [{ alg: "SHA-512", content: "abc123" }],
+        properties: [{ name: "SrcFile", value: "package-lock.json" }],
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].hashes, [
+      { alg: "SHA-512", content: "abc123" },
+    ]);
+  });
+
+  it("merges and deduplicates hashes from duplicate components", () => {
+    const components = [
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "library",
+        hashes: [{ alg: "SHA-512", content: "abc123" }],
+        properties: [{ name: "SrcFile", value: "Scripts/jquery.min.js" }],
+      },
+      {
+        name: "jquery",
+        version: "3.5.1",
+        purl: "pkg:npm/jquery@3.5.1",
+        type: "framework",
+        hashes: [
+          { alg: "SHA-512", content: "abc123" },
+          { alg: "SHA-256", content: "def456" },
+        ],
+        properties: [{ name: "SrcFile", value: "package-lock.json" }],
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].hashes, [
+      { alg: "SHA-512", content: "abc123" },
+      { alg: "SHA-256", content: "def456" },
+    ]);
+  });
+});

package/lib/helpers/display.js

@@ -2,8 +2,7 @@ import { readFileSync } from "node:fs";
 import path from "node:path";
 import process from "node:process";
 
-import { createStream, table } from "table";
-
+import { createStream, table } from "./table.js";
 import { isSecureMode, safeExistsSync, toCamel } from "./utils.js";
 
 // https://github.com/yangshun/tree-node-cli/blob/master/src/index.js
@@ -91,6 +90,7 @@ export function printTable(
       ]);
     }
   }
+  stream.end();
   console.log();
   if (!filterTypes) {
     console.log(
@@ -135,6 +135,7 @@ export function printOSTable(bomJson) {
       (comp.tags || []).join(", "),
     ]);
   }
+  stream.end();
   console.log();
 }
 /**
@@ -253,6 +254,7 @@ export function printOccurrences(bomJson) {
       stream.write(row);
     }
   }
+  stream.end();
   console.log();
 }
 

package/lib/helpers/remote/dependency-track.js

@@ -0,0 +1,84 @@
+import { Buffer } from "node:buffer";
+
+/**
+ * Returns the Dependency-Track BOM API URL.
+ *
+ * @param {string} serverUrl Dependency-Track server URL
+ * @returns {string} API URL to submit BOM payload
+ */
+export function getDependencyTrackBomUrl(serverUrl) {
+  return `${serverUrl.replace(/\/$/, "")}/api/v1/bom`;
+}
+
+/**
+ * Build the payload for Dependency-Track BOM submission.
+ *
+ * @param {Object} args CLI/server arguments
+ * @param {Object} bomContents BOM Json
+ * @returns {Object | undefined} payload object if project coordinates are valid
+ */
+export function buildDependencyTrackBomPayload(args, bomContents) {
+  let encodedBomContents = Buffer.from(JSON.stringify(bomContents)).toString(
+    "base64",
+  );
+  if (encodedBomContents.startsWith("77u/")) {
+    encodedBomContents = encodedBomContents.substring(4);
+  }
+  const autoCreate =
+    typeof args.autoCreate === "boolean"
+      ? args.autoCreate
+      : args.autoCreate !== "false";
+  const bomPayload = {
+    autoCreate: String(autoCreate),
+    bom: encodedBomContents,
+  };
+  if (
+    typeof args.projectId !== "undefined" ||
+    typeof args.projectName !== "undefined"
+  ) {
+    if (typeof args.projectId !== "undefined") {
+      bomPayload.project = args.projectId;
+    }
+    if (typeof args.projectName !== "undefined") {
+      bomPayload.projectName = args.projectName;
+    }
+    // Dependency-Track submissions use "main" as fallback when no version is provided.
+    bomPayload.projectVersion = args.projectVersion || "main";
+  } else {
+    return undefined;
+  }
+  const parentProjectId = args.parentProjectId || args.parentUUID;
+  const hasParentUuidMode = typeof parentProjectId !== "undefined";
+  const hasParentName = typeof args.parentProjectName !== "undefined";
+  const hasParentVersion = typeof args.parentProjectVersion !== "undefined";
+  const hasParentCoordsMode = hasParentName || hasParentVersion;
+  if (hasParentUuidMode && hasParentCoordsMode) {
+    return undefined;
+  }
+  if (!hasParentUuidMode && hasParentName !== hasParentVersion) {
+    return undefined;
+  }
+  if (hasParentUuidMode) {
+    bomPayload.parentUUID = parentProjectId;
+  }
+  if (hasParentName && hasParentVersion) {
+    bomPayload.parentName = args.parentProjectName;
+    bomPayload.parentVersion = args.parentProjectVersion;
+  }
+  if (
+    typeof args.isLatest === "boolean" ||
+    args.isLatest === "true" ||
+    args.isLatest === "false"
+  ) {
+    bomPayload.isLatest =
+      typeof args.isLatest === "boolean"
+        ? args.isLatest
+        : args.isLatest === "true";
+  }
+  if (typeof args.projectTag !== "undefined") {
+    bomPayload.projectTags = (
+      Array.isArray(args.projectTag) ? args.projectTag : [args.projectTag]
+    ).map((tag) => ({ name: tag }));
+  }
+  return bomPayload;
+}

package/lib/helpers/remote/dependency-track.poku.js

@@ -0,0 +1,119 @@
+import { assert, describe, it } from "poku";
+
+import {
+  buildDependencyTrackBomPayload,
+  getDependencyTrackBomUrl,
+} from "./dependency-track.js";
+
+describe("Dependency-Track helper tests", () => {
+  it("returns submission URL without trailing slash duplication", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl("https://dtrack.example.com/"),
+      "https://dtrack.example.com/api/v1/bom",
+    );
+    assert.strictEqual(
+      getDependencyTrackBomUrl("https://dtrack.example.com"),
+      "https://dtrack.example.com/api/v1/bom",
+    );
+  });
+
+  it("builds payload with parentUUID and tags", () => {
+    const payload = buildDependencyTrackBomPayload(
+      {
+        projectName: "child",
+        projectVersion: "1.0.0",
+        parentProjectId: "d9628844-5f04-4ca7-88a2-64eb6bc64db0",
+        projectTag: ["tag1", "tag2"],
+      },
+      { bom: "test" },
+    );
+    assert.deepStrictEqual(payload, {
+      autoCreate: "true",
+      bom: "eyJib20iOiJ0ZXN0In0=",
+      parentUUID: "d9628844-5f04-4ca7-88a2-64eb6bc64db0",
+      projectName: "child",
+      projectTags: [{ name: "tag1" }, { name: "tag2" }],
+      projectVersion: "1.0.0",
+    });
+  });
+
+  it("builds payload with parentName and parentVersion", () => {
+    const payload = buildDependencyTrackBomPayload(
+      {
+        projectName: "child",
+        projectVersion: "1.0.0",
+        parentProjectName: "parent",
+        parentProjectVersion: "2.0.0",
+      },
+      { bom: "test2" },
+    );
+    assert.deepStrictEqual(payload, {
+      autoCreate: "true",
+      bom: "eyJib20iOiJ0ZXN0MiJ9",
+      parentName: "parent",
+      parentVersion: "2.0.0",
+      projectName: "child",
+      projectVersion: "1.0.0",
+    });
+  });
+
+  it("returns undefined when project identity is missing", () => {
+    const payload = buildDependencyTrackBomPayload({}, { bom: "test3" });
+    assert.strictEqual(payload, undefined);
+  });
+
+  it("supports configurable autoCreate and isLatest", () => {
+    const payload = buildDependencyTrackBomPayload(
+      {
+        autoCreate: false,
+        isLatest: true,
+        projectName: "child",
+      },
+      { bom: "test4" },
+    );
+    assert.deepStrictEqual(payload, {
+      autoCreate: "false",
+      bom: "eyJib20iOiJ0ZXN0NCJ9",
+      isLatest: true,
+      projectName: "child",
+      projectVersion: "main",
+    });
+  });
+
+  it("defaults projectVersion to main when only projectName is provided", () => {
+    const payload = buildDependencyTrackBomPayload(
+      { projectName: "child" },
+      { bom: "test5" },
+    );
+    assert.deepStrictEqual(payload, {
+      autoCreate: "true",
+      bom: "eyJib20iOiJ0ZXN0NSJ9",
+      projectName: "child",
+      projectVersion: "main",
+    });
+  });
+
+  it("returns undefined when parent UUID and parent name/version are both provided", () => {
+    const payload = buildDependencyTrackBomPayload(
+      {
+        parentProjectId: "d9628844-5f04-4ca7-88a2-64eb6bc64db0",
+        parentProjectName: "parent",
+        parentProjectVersion: "1.0.0",
+        projectName: "child",
+      },
+      { bom: "test6" },
+    );
+    assert.strictEqual(payload, undefined);
+  });
+
+  it("returns undefined when parent name/version mode is incomplete", () => {
+    const payload = buildDependencyTrackBomPayload(
+      {
+        parentProjectName: "parent",
+        projectName: "child",
+      },
+      { bom: "test7" },
+    );
+    assert.strictEqual(payload, undefined);
+  });
+});