npm - @cyclonedx/cdxgen - Versions diffs - 12.2.0 → 12.3.0 - Mend

@cyclonedx/cdxgen 12.2.0 → 12.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/README.md +242 -90
package/bin/audit.js +191 -0
package/bin/cdxgen.js +532 -168
package/bin/convert.js +99 -0
package/bin/evinse.js +23 -0
package/bin/repl.js +339 -8
package/bin/sign.js +8 -0
package/bin/validate.js +8 -0
package/bin/verify.js +8 -0
package/data/container-knowledge-index.json +125 -0
package/data/gtfobins-index.json +6296 -0
package/data/lolbas-index.json +150 -0
package/data/queries-darwin.json +63 -3
package/data/queries-win.json +45 -3
package/data/queries.json +74 -2
package/data/rules/chrome-extensions.yaml +240 -0
package/data/rules/ci-permissions.yaml +478 -18
package/data/rules/container-risk.yaml +270 -0
package/data/rules/obom-runtime.yaml +891 -0
package/data/rules/package-integrity.yaml +49 -0
package/data/spdx-export.schema.json +6794 -0
package/data/spdx-model-v3.0.1.jsonld +15999 -0
package/lib/audit/index.js +1924 -0
package/lib/audit/index.poku.js +1488 -0
package/lib/audit/progress.js +137 -0
package/lib/audit/progress.poku.js +188 -0
package/lib/audit/reporters.js +618 -0
package/lib/audit/scoring.js +310 -0
package/lib/audit/scoring.poku.js +341 -0
package/lib/audit/targets.js +260 -0
package/lib/audit/targets.poku.js +331 -0
package/lib/cli/index.js +276 -68
package/lib/cli/index.poku.js +368 -0
package/lib/helpers/analyzer.js +1052 -5
package/lib/helpers/analyzer.poku.js +301 -0
package/lib/helpers/annotationFormatter.js +49 -0
package/lib/helpers/annotationFormatter.poku.js +44 -0
package/lib/helpers/bomUtils.js +36 -0
package/lib/helpers/bomUtils.poku.js +51 -0
package/lib/helpers/caxa.js +2 -2
package/lib/helpers/chromextutils.js +1153 -0
package/lib/helpers/chromextutils.poku.js +493 -0
package/lib/helpers/ciParsers/githubActions.js +1632 -45
package/lib/helpers/ciParsers/githubActions.poku.js +853 -1
package/lib/helpers/containerRisk.js +186 -0
package/lib/helpers/containerRisk.poku.js +52 -0
package/lib/helpers/depsUtils.js +16 -0
package/lib/helpers/depsUtils.poku.js +58 -1
package/lib/helpers/display.js +245 -61
package/lib/helpers/display.poku.js +162 -2
package/lib/helpers/exportUtils.js +123 -0
package/lib/helpers/exportUtils.poku.js +60 -0
package/lib/helpers/formulationParsers.js +69 -0
package/lib/helpers/formulationParsers.poku.js +44 -0
package/lib/helpers/gtfobins.js +189 -0
package/lib/helpers/gtfobins.poku.js +49 -0
package/lib/helpers/lolbas.js +267 -0
package/lib/helpers/lolbas.poku.js +39 -0
package/lib/helpers/osqueryTransform.js +84 -0
package/lib/helpers/osqueryTransform.poku.js +49 -0
package/lib/helpers/provenanceUtils.js +193 -0
package/lib/helpers/provenanceUtils.poku.js +145 -0
package/lib/helpers/pylockutils.js +281 -0
package/lib/helpers/pylockutils.poku.js +48 -0
package/lib/helpers/registryProvenance.js +793 -0
package/lib/helpers/registryProvenance.poku.js +452 -0
package/lib/helpers/remote/dependency-track.js +84 -0
package/lib/helpers/remote/dependency-track.poku.js +119 -0
package/lib/helpers/source.js +1267 -0
package/lib/helpers/source.poku.js +771 -0
package/lib/helpers/spdxUtils.js +97 -0
package/lib/helpers/spdxUtils.poku.js +70 -0
package/lib/helpers/table.js +384 -0
package/lib/helpers/table.poku.js +186 -0
package/lib/helpers/unicodeScan.js +147 -0
package/lib/helpers/unicodeScan.poku.js +45 -0
package/lib/helpers/utils.js +882 -136
package/lib/helpers/utils.poku.js +995 -91
package/lib/managers/binary.js +29 -5
package/lib/managers/docker.js +179 -52
package/lib/managers/docker.poku.js +327 -28
package/lib/managers/oci.js +107 -23
package/lib/managers/oci.poku.js +132 -0
package/lib/server/openapi.yaml +50 -0
package/lib/server/server.js +228 -331
package/lib/server/server.poku.js +220 -5
package/lib/stages/postgen/annotator.js +7 -0
package/lib/stages/postgen/annotator.poku.js +40 -0
package/lib/stages/postgen/auditBom.js +20 -5
package/lib/stages/postgen/auditBom.poku.js +1729 -67
package/lib/stages/postgen/postgen.js +40 -0
package/lib/stages/postgen/postgen.poku.js +47 -0
package/lib/stages/postgen/ruleEngine.js +80 -2
package/lib/stages/postgen/spdxConverter.js +796 -0
package/lib/stages/postgen/spdxConverter.poku.js +341 -0
package/lib/validator/bomValidator.js +232 -0
package/lib/validator/bomValidator.poku.js +70 -0
package/lib/validator/complianceRules.js +70 -7
package/lib/validator/complianceRules.poku.js +30 -0
package/lib/validator/reporters/annotations.js +2 -2
package/lib/validator/reporters/console.js +13 -2
package/lib/validator/reporters.poku.js +13 -0
package/package.json +10 -8
package/types/bin/audit.d.ts +3 -0
package/types/bin/audit.d.ts.map +1 -0
package/types/bin/convert.d.ts +3 -0
package/types/bin/convert.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +115 -0
package/types/lib/audit/index.d.ts.map +1 -0
package/types/lib/audit/progress.d.ts +27 -0
package/types/lib/audit/progress.d.ts.map +1 -0
package/types/lib/audit/reporters.d.ts +35 -0
package/types/lib/audit/reporters.d.ts.map +1 -0
package/types/lib/audit/scoring.d.ts +35 -0
package/types/lib/audit/scoring.d.ts.map +1 -0
package/types/lib/audit/targets.d.ts +63 -0
package/types/lib/audit/targets.d.ts.map +1 -0
package/types/lib/cli/index.d.ts +8 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +13 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/annotationFormatter.d.ts +23 -0
package/types/lib/helpers/annotationFormatter.d.ts.map +1 -0
package/types/lib/helpers/bomUtils.d.ts +5 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -0
package/types/lib/helpers/chromextutils.d.ts +97 -0
package/types/lib/helpers/chromextutils.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +3 -8
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/containerRisk.d.ts +17 -0
package/types/lib/helpers/containerRisk.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +4 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/exportUtils.d.ts +40 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +17 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts +16 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -0
package/types/lib/helpers/osqueryTransform.d.ts +7 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +90 -0
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -0
package/types/lib/helpers/pylockutils.d.ts +51 -0
package/types/lib/helpers/pylockutils.d.ts.map +1 -0
package/types/lib/helpers/registryProvenance.d.ts +17 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +16 -0
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts +141 -0
package/types/lib/helpers/source.d.ts.map +1 -0
package/types/lib/helpers/spdxUtils.d.ts +2 -0
package/types/lib/helpers/spdxUtils.d.ts.map +1 -0
package/types/lib/helpers/table.d.ts +6 -0
package/types/lib/helpers/table.d.ts.map +1 -0
package/types/lib/helpers/unicodeScan.d.ts +46 -0
package/types/lib/helpers/unicodeScan.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +30 -11
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/server/server.d.ts +0 -35
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/postgen/spdxConverter.d.ts +11 -0
package/types/lib/stages/postgen/spdxConverter.d.ts.map +1 -0
package/types/lib/validator/bomValidator.d.ts +1 -0
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/types/lib/validator/reporters/console.d.ts.map +1 -1
package/types/bin/dependencies.d.ts +0 -3
package/types/bin/dependencies.d.ts.map +0 -1
package/types/bin/licenses.d.ts +0 -3
package/types/bin/licenses.d.ts.map +0 -1

package/lib/helpers/registryProvenance.js ADDED Viewed

@@ -0,0 +1,793 @@
+function appendProperty(properties, name, value) {
+  if (!name || value === undefined || value === null || value === "") {
+    return;
+  }
+  properties.push({
+    name,
+    value: typeof value === "string" ? value : String(value),
+  });
+}
+function uniqueStrings(values) {
+  return [
+    ...new Set(values.filter(Boolean).map((value) => String(value).trim())),
+  ];
+}
+function parseTimestamp(value) {
+  if (!value || typeof value !== "string") {
+    return undefined;
+  }
+  const timestamp = Date.parse(value);
+  return Number.isNaN(timestamp) ? undefined : timestamp;
+}
+function sortReleaseEntries(entries) {
+  return entries.sort((left, right) => left.timestamp - right.timestamp);
+}
+function median(numbers) {
+  if (!numbers.length) {
+    return undefined;
+  }
+  const sorted = [...numbers].sort((left, right) => left - right);
+  const midpoint = Math.floor(sorted.length / 2);
+  if (sorted.length % 2 === 0) {
+    return (sorted[midpoint - 1] + sorted[midpoint]) / 2;
+  }
+  return sorted[midpoint];
+}
+function normalizeIdentity(value) {
+  if (!value) {
+    return undefined;
+  }
+  return String(value).trim().toLowerCase();
+}
+function uniqueIdentities(values) {
+  return [
+    ...new Set(values.map((value) => normalizeIdentity(value)).filter(Boolean)),
+  ];
+}
+function isDisjointIdentitySet(leftSet, rightSet) {
+  if (!leftSet.length || !rightSet.length) {
+    return false;
+  }
+  return leftSet.every(
+    (leftValue) => !rightSet.some((rightValue) => rightValue === leftValue),
+  );
+}
+function identityOverlapMetrics(leftSet, rightSet) {
+  if (!leftSet.length || !rightSet.length) {
+    return {};
+  }
+  const rightValues = new Set(rightSet);
+  const overlapCount = leftSet.filter((leftValue) =>
+    rightValues.has(leftValue),
+  ).length;
+  const unionCount = new Set([...leftSet, ...rightSet]).size;
+  return {
+    overlapCount,
+    overlapRatio: unionCount > 0 ? overlapCount / unionCount : undefined,
+    partialDrift:
+      overlapCount > 0 &&
+      overlapCount < unionCount &&
+      (overlapCount < leftSet.length || overlapCount < rightSet.length),
+  };
+}
+function extractMaintainerIdentities(maintainers) {
+  if (!Array.isArray(maintainers)) {
+    return [];
+  }
+  const identities = [];
+  for (const maintainer of maintainers) {
+    if (typeof maintainer === "string") {
+      identities.push(maintainer);
+      continue;
+    }
+    identities.push(maintainer?.name, maintainer?.email);
+  }
+  return uniqueIdentities(identities);
+}
+function releaseGapMetrics(releaseEntries, currentVersion) {
+  const sortedEntries = sortReleaseEntries([...releaseEntries]);
+  const currentIndex = sortedEntries.findIndex(
+    (entry) => entry.version === currentVersion,
+  );
+  if (currentIndex < 1) {
+    return {};
+  }
+  const currentGapDays =
+    (sortedEntries[currentIndex].timestamp -
+      sortedEntries[currentIndex - 1].timestamp) /
+    (1000 * 60 * 60 * 24);
+  const priorGapDays = [];
+  for (let index = 1; index < currentIndex; index += 1) {
+    priorGapDays.push(
+      (sortedEntries[index].timestamp - sortedEntries[index - 1].timestamp) /
+        (1000 * 60 * 60 * 24),
+    );
+  }
+  return {
+    baselineDays: median(priorGapDays),
+    currentGapDays,
+    sampleSize: priorGapDays.length,
+  };
+}
+function compressedCadenceMetrics(gapMetrics) {
+  const baselineDays = gapMetrics?.baselineDays;
+  const currentGapDays = gapMetrics?.currentGapDays;
+  const sampleSize = gapMetrics?.sampleSize;
+  if (
+    baselineDays === undefined ||
+    currentGapDays === undefined ||
+    sampleSize === undefined ||
+    sampleSize < 3 ||
+    baselineDays <= 0 ||
+    currentGapDays <= 0
+  ) {
+    return {};
+  }
+  const compressionRatio = currentGapDays / baselineDays;
+  return {
+    compressedCadence:
+      baselineDays >= 21 && currentGapDays <= 14 && compressionRatio <= 0.33,
+    compressionRatio,
+  };
+}
+function extractNestedValue(obj, paths) {
+  for (const path of paths) {
+    let current = obj;
+    for (const segment of path) {
+      current = current?.[segment];
+      if (current === undefined || current === null) {
+        break;
+      }
+    }
+    if (current !== undefined && current !== null && current !== "") {
+      return current;
+    }
+  }
+  return undefined;
+}
+function normalizeProvenanceUrl(value) {
+  if (!value) {
+    return undefined;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  return extractNestedValue(value, [
+    ["url"],
+    ["provenanceUrl"],
+    ["attestationUrl"],
+    ["bundle", "url"],
+    ["provenance", "url"],
+    ["attestations", "url"],
+  ]);
+}
+function collectPathValues(value, pathSegments) {
+  if (value === undefined || value === null) {
+    return [];
+  }
+  if (!pathSegments.length) {
+    if (Array.isArray(value)) {
+      return value.flatMap((entry) => collectPathValues(entry, []));
+    }
+    return [value];
+  }
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => collectPathValues(entry, pathSegments));
+  }
+  const [currentSegment, ...remainingSegments] = pathSegments;
+  return collectPathValues(value?.[currentSegment], remainingSegments);
+}
+function normalizeCollectedValues(values) {
+  const normalizedValues = [];
+  for (const value of values) {
+    if (value === undefined || value === null || value === "") {
+      continue;
+    }
+    if (typeof value === "string") {
+      normalizedValues.push(value);
+      continue;
+    }
+    if (typeof value === "number" || typeof value === "boolean") {
+      normalizedValues.push(String(value));
+    }
+  }
+  return uniqueStrings(normalizedValues);
+}
+function collectNestedValues(value, paths) {
+  const collectedValues = [];
+  for (const path of paths) {
+    collectedValues.push(...collectPathValues(value, path));
+  }
+  return normalizeCollectedValues(collectedValues);
+}
+function appendJoinedProperty(properties, name, values) {
+  appendProperty(properties, name, uniqueStrings(values).join(", "));
+}
+function collectProvenanceDigests(value) {
+  return collectNestedValues(value, [
+    ["digest"],
+    ["hash"],
+    ["sha256"],
+    ["sha512"],
+    ["integrity"],
+    ["hashes", "sha256"],
+    ["hashes", "sha512"],
+    ["subject", "digest", "sha256"],
+    ["subject", "digest", "sha512"],
+    ["statement", "subject", "digest", "sha256"],
+    ["statement", "subject", "digest", "sha512"],
+    ["bundle", "subject", "digest", "sha256"],
+    ["bundle", "subject", "digest", "sha512"],
+  ]);
+}
+function collectProvenanceKeyIds(value) {
+  return collectNestedValues(value, [
+    ["keyid"],
+    ["keyId"],
+    ["publicKeyId"],
+    ["verificationKeyId"],
+    ["signingKeyId"],
+    ["signatures", "keyid"],
+    ["signatures", "keyId"],
+    ["verificationMaterial", "publicKey", "keyid"],
+    ["verificationMaterial", "publicKey", "keyId"],
+    ["verificationMaterial", "certificate", "keyid"],
+    ["verificationMaterial", "certificate", "keyId"],
+  ]);
+}
+function collectProvenanceSignatures(value) {
+  return collectNestedValues(value, [
+    ["signature"],
+    ["sig"],
+    ["signatures", "sig"],
+    ["signatures", "signature"],
+  ]);
+}
+function collectProvenancePredicateTypes(value) {
+  return collectNestedValues(value, [
+    ["predicateType"],
+    ["predicate_type"],
+    ["statement", "predicateType"],
+    ["bundle", "predicateType"],
+  ]);
+}
+function hasTrustedPublishingEvidence(value) {
+  if (!value) {
+    return false;
+  }
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "string") {
+    return /(trusted|oidc|attestation|provenance)/i.test(value);
+  }
+  if (Array.isArray(value)) {
+    return value.some((entry) => hasTrustedPublishingEvidence(entry));
+  }
+  return Boolean(
+    normalizeProvenanceUrl(value) ||
+      extractNestedValue(value, [
+        ["trustedPublishing"],
+        ["trusted_publishing"],
+        ["isTrustedPublishing"],
+        ["verifiedPublisher"],
+        ["oidc"],
+        ["predicateType"],
+      ]),
+  );
+}
+/**
+ * Extract advanced npm provenance and publishing properties from registry metadata.
+ *
+ * @param {object} packument npm packument body
+ * @param {string | undefined} version package version
+ * @returns {object[]} custom properties
+ */
+export function collectNpmRegistryProvenanceProperties(packument, version) {
+  const properties = [];
+  const versionBody = version ? packument?.versions?.[version] : undefined;
+  const publishTime = version ? packument?.time?.[version] : undefined;
+  const versionPublishTimes = Object.entries(packument?.time || {})
+    .filter(
+      ([entryName, entryValue]) =>
+        !["created", "modified"].includes(entryName) &&
+        typeof entryValue === "string" &&
+        parseTimestamp(entryValue) !== undefined,
+    )
+    .map(([entryName, entryValue]) => ({
+      timestamp: parseTimestamp(entryValue),
+      version: entryName,
+    }));
+  const currentPublishTimestamp = parseTimestamp(publishTime);
+  const priorReleaseEntry = sortReleaseEntries(
+    versionPublishTimes.filter(
+      (entry) =>
+        entry.version !== version &&
+        currentPublishTimestamp !== undefined &&
+        entry.timestamp < currentPublishTimestamp,
+    ),
+  ).pop();
+  const priorVersionBody = priorReleaseEntry
+    ? packument?.versions?.[priorReleaseEntry.version]
+    : undefined;
+  const currentMaintainerSet = uniqueIdentities([
+    ...extractMaintainerIdentities(versionBody?.maintainers),
+    versionBody?._npmUser?.name,
+    versionBody?._npmUser?.email,
+    versionBody?.publisher?.name,
+    versionBody?.publisher?.email,
+  ]);
+  const priorMaintainerSet = uniqueIdentities([
+    ...extractMaintainerIdentities(priorVersionBody?.maintainers),
+    priorVersionBody?._npmUser?.name,
+    priorVersionBody?._npmUser?.email,
+    priorVersionBody?.publisher?.name,
+    priorVersionBody?.publisher?.email,
+  ]);
+  const maintainerSetDrift = isDisjointIdentitySet(
+    currentMaintainerSet,
+    priorMaintainerSet,
+  );
+  const gapMetrics = releaseGapMetrics(versionPublishTimes, version);
+  const overlapMetrics = identityOverlapMetrics(
+    currentMaintainerSet,
+    priorMaintainerSet,
+  );
+  const cadenceMetrics = compressedCadenceMetrics(gapMetrics);
+  const publisherName =
+    versionBody?._npmUser?.name ||
+    versionBody?.publisher?.name ||
+    packument?.maintainers?.[0]?.name;
+  const publisherEmail =
+    versionBody?._npmUser?.email ||
+    versionBody?.publisher?.email ||
+    packument?.maintainers?.[0]?.email;
+  const provenanceCandidate =
+    versionBody?.dist?.provenance ||
+    versionBody?.provenance ||
+    versionBody?.dist?.attestations ||
+    versionBody?.attestations;
+  const provenanceUrl = normalizeProvenanceUrl(provenanceCandidate);
+  const provenanceDigests = collectProvenanceDigests(provenanceCandidate);
+  const provenanceKeyIds = collectProvenanceKeyIds(provenanceCandidate);
+  const provenanceSignatures = collectProvenanceSignatures(provenanceCandidate);
+  const provenancePredicateTypes =
+    collectProvenancePredicateTypes(provenanceCandidate);
+  const priorPublisherName =
+    priorVersionBody?._npmUser?.name || priorVersionBody?.publisher?.name;
+  const publisherDrift =
+    publisherName &&
+    priorPublisherName &&
+    publisherName.trim().toLowerCase() !==
+      priorPublisherName.trim().toLowerCase();
+  appendProperty(
+    properties,
+    "cdx:npm:packageCreatedTime",
+    packument?.time?.created,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:lastModifiedTime",
+    packument?.time?.modified,
+  );
+  appendProperty(properties, "cdx:npm:publishTime", publishTime);
+  appendProperty(properties, "cdx:npm:publisher", publisherName);
+  appendProperty(properties, "cdx:npm:publisherEmail", publisherEmail);
+  appendProperty(
+    properties,
+    "cdx:npm:maintainerSet",
+    currentMaintainerSet.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:priorMaintainerSet",
+    priorMaintainerSet.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:maintainerSetCount",
+    currentMaintainerSet.length,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:priorMaintainerSetCount",
+    priorMaintainerSet.length,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:maintainerOverlapCount",
+    overlapMetrics.overlapCount,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:maintainerOverlapRatio",
+    overlapMetrics.overlapRatio?.toFixed(2),
+  );
+  if (maintainerSetDrift) {
+    appendProperty(properties, "cdx:npm:maintainerSetDrift", "true");
+  }
+  if (overlapMetrics.partialDrift) {
+    appendProperty(properties, "cdx:npm:maintainerSetPartialDrift", "true");
+  }
+  appendProperty(
+    properties,
+    "cdx:npm:versionCount",
+    versionPublishTimes.length,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:releaseGapDays",
+    gapMetrics.currentGapDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:releaseGapBaselineDays",
+    gapMetrics.baselineDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:releaseGapSampleSize",
+    gapMetrics.sampleSize,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:releaseCadenceCompressionRatio",
+    cadenceMetrics.compressionRatio?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:priorVersion",
+    priorReleaseEntry?.version,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:priorPublishTime",
+    priorReleaseEntry
+      ? packument?.time?.[priorReleaseEntry.version]
+      : undefined,
+  );
+  appendProperty(properties, "cdx:npm:priorPublisher", priorPublisherName);
+  if (publisherDrift) {
+    appendProperty(properties, "cdx:npm:publisherDrift", "true");
+  }
+  if (cadenceMetrics.compressedCadence) {
+    appendProperty(properties, "cdx:npm:compressedCadence", "true");
+  }
+  if (hasTrustedPublishingEvidence(provenanceCandidate)) {
+    appendProperty(properties, "cdx:npm:trustedPublishing", "true");
+  }
+  appendProperty(
+    properties,
+    "cdx:npm:artifactIntegrity",
+    versionBody?.dist?.integrity,
+  );
+  appendProperty(
+    properties,
+    "cdx:npm:artifactShasum",
+    versionBody?.dist?.shasum,
+  );
+  appendProperty(properties, "cdx:npm:provenanceUrl", provenanceUrl);
+  appendJoinedProperty(
+    properties,
+    "cdx:npm:provenanceDigest",
+    provenanceDigests,
+  );
+  appendJoinedProperty(properties, "cdx:npm:provenanceKeyId", provenanceKeyIds);
+  appendJoinedProperty(
+    properties,
+    "cdx:npm:provenanceSignature",
+    provenanceSignatures,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:npm:provenancePredicateType",
+    provenancePredicateTypes,
+  );
+  return properties;
+}
+/**
+ * Extract advanced PyPI provenance and publishing properties from registry metadata.
+ *
+ * @param {object} projectBody PyPI JSON body
+ * @param {string | undefined} version package version
+ * @returns {object[]} custom properties
+ */
+export function collectPypiRegistryProvenanceProperties(projectBody, version) {
+  const properties = [];
+  const releaseEntries = [];
+  for (const [releaseVersion, releaseFilesForVersion] of Object.entries(
+    projectBody?.releases || {},
+  )) {
+    if (
+      !Array.isArray(releaseFilesForVersion) ||
+      !releaseFilesForVersion.length
+    ) {
+      continue;
+    }
+    const releaseUploadTimes = uniqueStrings(
+      releaseFilesForVersion.map(
+        (file) =>
+          file?.upload_time_iso_8601 || file?.upload_time || file?.uploadTime,
+      ),
+    );
+    const earliestUploadTime = releaseUploadTimes
+      .map((uploadTime) => ({
+        raw: uploadTime,
+        timestamp: parseTimestamp(uploadTime),
+      }))
+      .filter((entry) => entry.timestamp !== undefined)
+      .sort((left, right) => left.timestamp - right.timestamp)[0];
+    if (!earliestUploadTime) {
+      continue;
+    }
+    releaseEntries.push({
+      publishers: uniqueStrings(
+        releaseFilesForVersion.map(
+          (file) => file?.uploader || file?.uploaded_by,
+        ),
+      ),
+      timestamp: earliestUploadTime.timestamp,
+      uploadTime: earliestUploadTime.raw,
+      version: releaseVersion,
+    });
+  }
+  const releaseFiles = Array.isArray(projectBody?.releases?.[version])
+    ? projectBody.releases[version]
+    : Array.isArray(projectBody?.urls)
+      ? projectBody.urls
+      : [];
+  const uploadTimes = uniqueStrings(
+    releaseFiles.map(
+      (file) =>
+        file?.upload_time_iso_8601 || file?.upload_time || file?.uploadTime,
+    ),
+  );
+  const uploaders = uniqueStrings(
+    releaseFiles.map((file) => file?.uploader || file?.uploaded_by),
+  );
+  const provenanceUrls = uniqueStrings(
+    releaseFiles.map(
+      (file) =>
+        normalizeProvenanceUrl(file?.provenance) ||
+        normalizeProvenanceUrl(file?.attestations) ||
+        normalizeProvenanceUrl(file?.provenance_url) ||
+        normalizeProvenanceUrl(file?.attestation_url),
+    ),
+  );
+  const artifactDigestSha256 = uniqueStrings(
+    releaseFiles.map((file) => file?.digests?.sha256 || file?.sha256_digest),
+  );
+  const artifactDigestBlake2b256 = uniqueStrings(
+    releaseFiles.map((file) => file?.digests?.blake2b_256 || file?.blake2b_256),
+  );
+  const artifactDigestMd5 = uniqueStrings(
+    releaseFiles.map((file) => file?.digests?.md5 || file?.md5_digest),
+  );
+  const provenanceDigests = uniqueStrings(
+    releaseFiles.flatMap((file) =>
+      collectProvenanceDigests(
+        file?.provenance ||
+          file?.attestations ||
+          file?.provenance_url ||
+          file?.attestation_url,
+      ),
+    ),
+  );
+  const provenanceKeyIds = uniqueStrings(
+    releaseFiles.flatMap((file) =>
+      collectProvenanceKeyIds(file?.provenance || file?.attestations),
+    ),
+  );
+  const provenanceSignatures = uniqueStrings(
+    releaseFiles.flatMap((file) =>
+      collectProvenanceSignatures(file?.provenance || file?.attestations),
+    ),
+  );
+  const provenancePredicateTypes = uniqueStrings(
+    releaseFiles.flatMap((file) =>
+      collectProvenancePredicateTypes(file?.provenance || file?.attestations),
+    ),
+  );
+  const trustedPublishing = releaseFiles.some((file) =>
+    hasTrustedPublishingEvidence(
+      file?.provenance ||
+        file?.attestations ||
+        file?.trusted_publishing ||
+        file?.uploaded_via ||
+        file?.uploaded_using ||
+        file?.provenance_url,
+    ),
+  );
+  const uploaderVerified = releaseFiles.some(
+    (file) =>
+      file?.uploader_verified === true || file?.uploaderVerified === true,
+  );
+  const currentPublishTimestamp = parseTimestamp(uploadTimes[0]);
+  const priorReleaseEntry = sortReleaseEntries(
+    releaseEntries.filter(
+      (entry) =>
+        entry.version !== version &&
+        currentPublishTimestamp !== undefined &&
+        entry.timestamp < currentPublishTimestamp,
+    ),
+  ).pop();
+  const currentUploaders = uniqueStrings(uploaders);
+  const currentUploaderSet = uniqueIdentities(currentUploaders);
+  const priorUploaderSet = uniqueIdentities(
+    priorReleaseEntry?.publishers || [],
+  );
+  const uploaderSetDrift = isDisjointIdentitySet(
+    currentUploaderSet,
+    priorUploaderSet,
+  );
+  const gapMetrics = releaseGapMetrics(releaseEntries, version);
+  const overlapMetrics = identityOverlapMetrics(
+    currentUploaderSet,
+    priorUploaderSet,
+  );
+  const cadenceMetrics = compressedCadenceMetrics(gapMetrics);
+  const publisherDrift =
+    currentUploaders.length > 0 &&
+    priorReleaseEntry?.publishers?.length > 0 &&
+    currentUploaders.every(
+      (currentUploader) =>
+        !priorReleaseEntry.publishers.some(
+          (previousUploader) =>
+            previousUploader.toLowerCase() === currentUploader.toLowerCase(),
+        ),
+    );
+  appendProperty(
+    properties,
+    "cdx:pypi:packageCreatedTime",
+    sortReleaseEntries([...releaseEntries])[0]?.uploadTime,
+  );
+  appendProperty(properties, "cdx:pypi:publishTime", uploadTimes[0]);
+  appendProperty(properties, "cdx:pypi:versionCount", releaseEntries.length);
+  appendProperty(properties, "cdx:pypi:publisher", uploaders.join(", "));
+  appendProperty(
+    properties,
+    "cdx:pypi:uploaderSet",
+    currentUploaderSet.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:priorUploaderSet",
+    priorUploaderSet.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:uploaderSetCount",
+    currentUploaderSet.length,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:priorUploaderSetCount",
+    priorUploaderSet.length,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:uploaderOverlapCount",
+    overlapMetrics.overlapCount,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:uploaderOverlapRatio",
+    overlapMetrics.overlapRatio?.toFixed(2),
+  );
+  if (uploaderSetDrift) {
+    appendProperty(properties, "cdx:pypi:uploaderSetDrift", "true");
+  }
+  if (overlapMetrics.partialDrift) {
+    appendProperty(properties, "cdx:pypi:uploaderSetPartialDrift", "true");
+  }
+  appendProperty(
+    properties,
+    "cdx:pypi:releaseGapDays",
+    gapMetrics.currentGapDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:releaseGapBaselineDays",
+    gapMetrics.baselineDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:releaseGapSampleSize",
+    gapMetrics.sampleSize,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:releaseCadenceCompressionRatio",
+    cadenceMetrics.compressionRatio?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:priorVersion",
+    priorReleaseEntry?.version,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:priorPublishTime",
+    priorReleaseEntry?.uploadTime,
+  );
+  appendProperty(
+    properties,
+    "cdx:pypi:priorPublisher",
+    priorReleaseEntry?.publishers?.join(", "),
+  );
+  if (publisherDrift) {
+    appendProperty(properties, "cdx:pypi:publisherDrift", "true");
+  }
+  if (cadenceMetrics.compressedCadence) {
+    appendProperty(properties, "cdx:pypi:compressedCadence", "true");
+  }
+  if (uploaderVerified) {
+    appendProperty(properties, "cdx:pypi:uploaderVerified", "true");
+  }
+  if (trustedPublishing) {
+    appendProperty(properties, "cdx:pypi:trustedPublishing", "true");
+  }
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:artifactDigestSha256",
+    artifactDigestSha256,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:artifactDigestBlake2b256",
+    artifactDigestBlake2b256,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:artifactDigestMd5",
+    artifactDigestMd5,
+  );
+  appendProperty(properties, "cdx:pypi:provenanceUrl", provenanceUrls[0]);
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:provenanceDigest",
+    provenanceDigests,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:provenanceKeyId",
+    provenanceKeyIds,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:provenanceSignature",
+    provenanceSignatures,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:pypi:provenancePredicateType",
+    provenancePredicateTypes,
+  );
+  return properties;
+}