@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/helpers/analyzer.poku.js

@@ -0,0 +1,301 @@
+import {
+  copyFileSync,
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { assert, describe, it } from "poku";
+
+import {
+  analyzeSuspiciousJsFile,
+  detectExtensionCapabilities,
+  findJSImportsExports,
+} from "./analyzer.js";
+
+const baseTempDir = mkdtempSync(join(tmpdir(), "cdxgen-analyzer-poku-"));
+
+process.on("exit", () => {
+  rmSync(baseTempDir, { recursive: true, force: true });
+});
+
+const createProject = (subDirName, entryContent) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  writeFileSync(join(projectDir, "index.js"), entryContent, {
+    encoding: "utf-8",
+  });
+  return projectDir;
+};
+
+const createProjectFromFixture = (subDirName, fixtureFileName) => {
+  const projectDir = join(baseTempDir, subDirName);
+  mkdirSync(projectDir, { recursive: true });
+  const fixturePath = new URL(
+    `../../test/data/${fixtureFileName}`,
+    import.meta.url,
+  );
+  copyFileSync(fixturePath, join(projectDir, fixtureFileName));
+  return projectDir;
+};
+
+describe("findJSImportsExports() wasm and wasi detection", () => {
+  it("captures wasm exports from WebAssembly.instantiate() flow", async () => {
+    const projectDir = createProject(
+      "instantiate-flow",
+      `import fs from "node:fs/promises";
+const wasmBuffer = await fs.readFile("./add.wasm");
+const wasmModule = await WebAssembly.instantiate(wasmBuffer);
+const { add } = wasmModule.instance.exports;
+console.log(add(5, 6));
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["add.wasm"], "expected add.wasm to be discovered");
+    const occurrences = Array.from(allImports["add.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("add")),
+      "expected add export symbol to be tracked",
+    );
+    const addOccurrence = occurrences.find((occ) =>
+      occ.importedModules?.includes("add"),
+    );
+    assert.ok(addOccurrence, "expected add symbol occurrence to exist");
+    assert.ok(
+      addOccurrence.fileName?.includes("index.js"),
+      "expected source filename to be tracked",
+    );
+    assert.strictEqual(addOccurrence.lineNumber, 4);
+    assert.strictEqual(typeof addOccurrence.columnNumber, "number");
+    assert.ok(addOccurrence.columnNumber >= 0);
+  });
+
+  it("captures wasm exports from instantiateStreaming(fetch(new URL(...)))", async () => {
+    const projectDir = createProject(
+      "streaming-flow",
+      `const { instance } = await WebAssembly.instantiateStreaming(
+  fetch(new URL("./stream.wasm", import.meta.url)),
+);
+const { run } = instance.exports;
+console.log(run());
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      allImports["stream.wasm"],
+      "expected stream.wasm to be discovered",
+    );
+    const occurrences = Array.from(allImports["stream.wasm"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("run")),
+      "expected run export symbol to be tracked",
+    );
+  });
+
+  it("does not treat arbitrary function calls with .wasm literals as wasm imports", async () => {
+    const projectDir = createProject(
+      "non-wasm-callee",
+      `doSomething("./ignored.wasm");
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(
+      !allImports["./ignored.wasm"] && !allImports["ignored.wasm"],
+      "expected non-wasm callee usage to be ignored",
+    );
+  });
+
+  it("captures wasi constructor and lifecycle API usage", async () => {
+    const projectDir = createProject(
+      "wasi-flow",
+      `import { WASI } from "node:wasi";
+const wasi = new WASI({ version: "preview1" });
+wasi.initialize(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("initialize")),
+      "expected initialize API usage to be tracked",
+    );
+  });
+
+  it("captures wasi constructor alias invoked without new", async () => {
+    const projectDir = createProject(
+      "wasi-call-alias-flow",
+      `import { WASI as WasiCtor } from "node:wasi";
+const wasi = WasiCtor({ version: "preview1" });
+wasi.start(instance);
+`,
+    );
+
+    const { allImports } = await findJSImportsExports(projectDir, false);
+    assert.ok(allImports["node:wasi"], "expected node:wasi to be discovered");
+    const occurrences = Array.from(allImports["node:wasi"]);
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("WASI")),
+      "expected WASI constructor alias usage to be tracked",
+    );
+    assert.ok(
+      occurrences.some((occ) => occ.importedModules?.includes("start")),
+      "expected start API usage to be tracked",
+    );
+  });
+
+  it("detects wasm import/export functions from libmagic wrapper fixture", async () => {
+    const projectDir = createProjectFromFixture(
+      "libmagic-wrapper",
+      "libmagic-wrapper.js",
+    );
+
+    const { allImports, allExports } = await findJSImportsExports(
+      projectDir,
+      false,
+    );
+    assert.ok(allImports.fs, "expected fs require import to be detected");
+    assert.ok(
+      allImports.crypto,
+      "expected crypto require import to be detected",
+    );
+    assert.ok(
+      allImports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm to be detected",
+    );
+    assert.ok(
+      allExports["libmagic-wrapper.wasm"],
+      "expected libmagic-wrapper.wasm exports to be detected",
+    );
+
+    const wasmImportOccurrences = Array.from(
+      allImports["libmagic-wrapper.wasm"],
+    );
+    const wasmExportOccurrences = Array.from(
+      allExports["libmagic-wrapper.wasm"],
+    );
+
+    assert.ok(
+      wasmImportOccurrences.some(
+        (occ) =>
+          occ.fileName?.includes("libmagic-wrapper.js") &&
+          typeof occ.lineNumber === "number" &&
+          typeof occ.columnNumber === "number",
+      ),
+      "expected wasm import occurrences to include source location metadata",
+    );
+
+    const importedModules = new Set(
+      wasmImportOccurrences.flatMap((occ) => occ.importedModules || []),
+    );
+    for (const expectedImportedModule of [
+      "free",
+      "malloc",
+      "magic_wrapper_load",
+      "magic_wrapper_detect",
+      "_emscripten_stack_restore",
+      "_emscripten_stack_alloc",
+      "emscripten_stack_get_current",
+      "memory",
+      "__indirect_function_table",
+    ]) {
+      assert.ok(
+        importedModules.has(expectedImportedModule),
+        `expected imported wasm symbol ${expectedImportedModule}`,
+      );
+    }
+
+    const exportedModules = new Set(
+      wasmExportOccurrences.flatMap((occ) => occ.exportedModules || []),
+    );
+    for (const expectedExportedModule of [
+      "_free",
+      "_malloc",
+      "_magic_wrapper_load",
+      "_magic_wrapper_detect",
+    ]) {
+      assert.ok(
+        exportedModules.has(expectedExportedModule),
+        `expected exported wasm symbol ${expectedExportedModule}`,
+      );
+    }
+  });
+});
+
+describe("detectExtensionCapabilities()", () => {
+  it("should detect extension capability signals from source usage", () => {
+    const projectDir = createProject(
+      "extension-capabilities",
+      `chrome.scripting.executeScript({ target: { tabId: 1 }, files: ["inject.js"] });
+chrome.bluetooth.getDevices(() => {});
+chrome.downloads.download({ url: "https://example.invalid/a.txt" });
+const canvas = document.createElement("canvas");
+canvas.toDataURL();
+fetch("https://example.invalid/api");
+navigator.userAgentData?.getHighEntropyValues(["platformVersion"]);
+`,
+    );
+    const detected = detectExtensionCapabilities(projectDir);
+    assert.ok(detected.capabilities.includes("codeInjection"));
+    assert.ok(detected.capabilities.includes("bluetooth"));
+    assert.ok(detected.capabilities.includes("deviceAccess"));
+    assert.ok(detected.capabilities.includes("fileAccess"));
+    assert.ok(detected.capabilities.includes("network"));
+    assert.ok(detected.capabilities.includes("fingerprinting"));
+  });
+
+  it("should detect fingerprinting from canvas member-chain APIs", () => {
+    const projectDir = createProject(
+      "extension-capabilities-canvas-only",
+      `const canvas = document.createElement("canvas");
+const ctx = canvas.getContext("2d");
+ctx.getImageData(0, 0, 1, 1);
+canvas.toDataURL();
+ctx.measureText("a");
+`,
+    );
+    const detected = detectExtensionCapabilities(projectDir);
+    assert.ok(detected.capabilities.includes("fingerprinting"));
+  });
+});
+
+describe("analyzeSuspiciousJsFile()", () => {
+  it("detects encoded child-process loader patterns", () => {
+    const projectDir = createProject(
+      "suspicious-lifecycle-js",
+      [
+        "import cp from 'node:child_process';",
+        "const payload = Buffer.from('ZXZhbCgnY29uc29sZS5sb2coMSknKQ==', 'base64');",
+        "cp.execSync(payload.toString());",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeSuspiciousJsFile(join(projectDir, "index.js"));
+    assert.match(analysis.obfuscationIndicators.join(","), /buffer-base64/);
+    assert.match(analysis.executionIndicators.join(","), /child-process/);
+  });
+
+  it("detects network-capable script files referenced by lifecycle hooks", () => {
+    const projectDir = createProject(
+      "network-lifecycle-js",
+      [
+        "import https from 'node:https';",
+        "https.request('https://example.invalid/payload');",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeSuspiciousJsFile(join(projectDir, "index.js"));
+    assert.match(analysis.networkIndicators.join(","), /network-request/);
+  });
+});

package/lib/helpers/annotationFormatter.js

@@ -0,0 +1,49 @@
+function escapeMarkdownText(value) {
+  return String(value ?? "")
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/([\\`*_{}\[\]()#+!|])/g, "\\$1")
+    .replace(/\r?\n/g, "<br>")
+    .trim();
+}
+
+function escapeMarkdownCell(value) {
+  return escapeMarkdownText(value);
+}
+
+/**
+ * Format annotation properties as a markdown table for CycloneDX annotations.
+ *
+ * @param {{ name: string, value: string }[]} properties annotation properties
+ * @returns {string} markdown table text
+ */
+export function propertiesToMarkdownTable(properties) {
+  if (!properties?.length) {
+    return "";
+  }
+  const lines = ["| Property | Value |", "| --- | --- |"];
+  for (const property of properties) {
+    lines.push(
+      `| ${escapeMarkdownCell(property?.name)} | ${escapeMarkdownCell(property?.value)} |`,
+    );
+  }
+  return lines.join("\n");
+}
+
+/**
+ * Build production-ready markdown annotation text.
+ *
+ * @param {string} message leading message text
+ * @param {{ name: string, value: string }[]} properties annotation properties
+ * @param {string[]} [details] optional detail lines shown before the table
+ * @returns {string} annotation text
+ */
+export function buildAnnotationText(message, properties, details = []) {
+  const lines = [message, ...details.filter(Boolean)].map(escapeMarkdownText);
+  const markdownTable = propertiesToMarkdownTable(properties);
+  if (markdownTable) {
+    lines.push("", markdownTable);
+  }
+  return lines.join("\n");
+}

package/lib/helpers/annotationFormatter.poku.js

@@ -0,0 +1,44 @@
+import { assert, describe, it } from "poku";
+
+import {
+  buildAnnotationText,
+  propertiesToMarkdownTable,
+} from "./annotationFormatter.js";
+
+describe("annotationFormatter", () => {
+  it("escapes markdown tables for untrusted annotation properties", () => {
+    const table = propertiesToMarkdownTable([
+      {
+        name: "<script>alert(1)</script>",
+        value: "[click](javascript:alert(1))\nnext|cell & more",
+      },
+    ]);
+
+    assert.strictEqual(
+      table,
+      [
+        "| Property | Value |",
+        "| --- | --- |",
+        String.raw`| &lt;script&gt;alert\(1\)&lt;/script&gt; | \[click\]\(javascript:alert\(1\)\)<br>next\|cell &amp; more |`,
+      ].join("\n"),
+    );
+  });
+
+  it("escapes markdown and HTML-sensitive content in annotation messages", () => {
+    const htmlLikeMessage =
+      String.fromCharCode(60) +
+      "img src=x onerror=alert(1)" +
+      String.fromCharCode(62);
+    const text = buildAnnotationText(
+      htmlLikeMessage,
+      [{ name: "cdx:test", value: "safe" }],
+      ["[open](javascript:alert(1))", "line\nbreak"],
+    );
+
+    assert.ok(text.startsWith("&lt;img src=x onerror=alert\\(1\\)&gt;"));
+    assert.ok(text.includes("\\[open\\]\\(javascript:alert\\(1\\)\\)"));
+    assert.ok(text.includes("line<br>break"));
+    assert.ok(text.includes("| cdx:test | safe |"));
+    assert.ok(!text.includes(htmlLikeMessage));
+  });
+});

package/lib/helpers/bomUtils.js

@@ -0,0 +1,36 @@
+const SPDX_CONTEXT_PREFIX = "https://spdx.org/rdf/";
+const CYCLONEDX_FORMAT = "CycloneDX";
+const BOM_FORMAT_CYCLONEDX = "cyclonedx";
+const BOM_FORMAT_SPDX = "spdx";
+const BOM_FORMAT_UNKNOWN = "unknown";
+
+export const isSpdxJsonLd = (bomJson) =>
+  Boolean(
+    bomJson?.["@context"]?.startsWith(SPDX_CONTEXT_PREFIX) &&
+      Array.isArray(bomJson?.["@graph"]) &&
+      bomJson["@graph"].some((element) => element?.type === "SpdxDocument"),
+  );
+
+export const isCycloneDxBom = (bomJson) =>
+  bomJson?.bomFormat === CYCLONEDX_FORMAT && Boolean(bomJson?.specVersion);
+
+export const detectBomFormat = (bomJson) => {
+  if (isCycloneDxBom(bomJson)) {
+    return BOM_FORMAT_CYCLONEDX;
+  }
+  if (isSpdxJsonLd(bomJson)) {
+    return BOM_FORMAT_SPDX;
+  }
+  return BOM_FORMAT_UNKNOWN;
+};
+
+export const getNonCycloneDxErrorMessage = (
+  bomJson,
+  commandName = "This command",
+) => {
+  const detectedFormat = detectBomFormat(bomJson);
+  if (detectedFormat === BOM_FORMAT_SPDX) {
+    return `${commandName} expects a CycloneDX BOM. SPDX input is not supported for this command.`;
+  }
+  return `${commandName} expects a CycloneDX JSON BOM.`;
+};

package/lib/helpers/bomUtils.poku.js

@@ -0,0 +1,51 @@
+import { assert, describe, it } from "poku";
+
+import {
+  detectBomFormat,
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+  isSpdxJsonLd,
+} from "./bomUtils.js";
+
+const sampleSpdx = {
+  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
+  "@graph": [{ type: "SpdxDocument", spdxId: "urn:demo#SPDXRef-DOCUMENT" }],
+};
+
+describe("bomUtils", () => {
+  it("detects CycloneDX documents", () => {
+    assert.strictEqual(
+      isCycloneDxBom({
+        bomFormat: "CycloneDX",
+        specVersion: 1.7,
+      }),
+      true,
+    );
+    assert.strictEqual(isCycloneDxBom(sampleSpdx), false);
+  });
+
+  it("detects SPDX JSON-LD documents", () => {
+    assert.strictEqual(isSpdxJsonLd(sampleSpdx), true);
+    assert.strictEqual(isSpdxJsonLd({ bomFormat: "CycloneDX" }), false);
+  });
+
+  it("classifies BOM formats for CLI reuse", () => {
+    assert.strictEqual(detectBomFormat(sampleSpdx), "spdx");
+    assert.strictEqual(
+      detectBomFormat({ bomFormat: "CycloneDX", specVersion: "1.6" }),
+      "cyclonedx",
+    );
+    assert.strictEqual(detectBomFormat({ foo: "bar" }), "unknown");
+  });
+
+  it("generates clear CycloneDX-only command errors", () => {
+    assert.strictEqual(
+      getNonCycloneDxErrorMessage(sampleSpdx, "cdx-sign"),
+      "cdx-sign expects a CycloneDX BOM. SPDX input is not supported for this command.",
+    );
+    assert.strictEqual(
+      getNonCycloneDxErrorMessage({ foo: "bar" }, "cdx-sign"),
+      "cdx-sign expects a CycloneDX JSON BOM.",
+    );
+  });
+});

package/lib/helpers/caxa.js

@@ -1,6 +1,6 @@
 import { readFileSync } from "node:fs";
 
-import { getNpmMetadata, shouldFetchLicense } from "./utils.js";
+import { getNpmMetadata, shouldFetchPackageMetadata } from "./utils.js";
 
 export async function parseCaxaMetadata(mfile) {
   let mdata;
@@ -48,7 +48,7 @@ export async function parseCaxaMetadata(mfile) {
       },
     };
   }
-  if (shouldFetchLicense()) {
+  if (shouldFetchPackageMetadata()) {
     mdata.components = await getNpmMetadata(mdata.components);
   }
   return mdata;