@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/server/server.poku.js

@@ -1,15 +1,18 @@
+import os from "node:os";
+import path from "node:path";
+
+import esmock from "esmock";
 import { afterEach, assert, beforeEach, describe, it } from "poku";
+import sinon from "sinon";
 
-import { isWin } from "../helpers/utils.js";
 import {
-  getQueryParams,
   isAllowedHost,
   isAllowedPath,
   isAllowedWinPath,
-  parseQueryString,
-  parseValue,
   validateAndRejectGitSource,
-} from "./server.js";
+} from "../helpers/source.js";
+import { isWin } from "../helpers/utils.js";
+import { getQueryParams, parseQueryString, parseValue } from "./server.js";
 
 function nullProtoObj(obj) {
   if (obj === null || typeof obj !== "object") {
@@ -105,6 +108,34 @@ describe("parseQueryString tests", () => {
     const result = parseQueryString({}, {}, options);
     checkEqual(result.installDeps, false);
   });
+
+  it("parses parentProjectName and parentProjectVersion", () => {
+    const q = {
+      parentProjectName: "parent-app",
+      parentProjectVersion: "1.2.3",
+    };
+    const result = parseQueryString(q, {}, {});
+    checkEqual(result.parentProjectName, "parent-app");
+    checkEqual(result.parentProjectVersion, "1.2.3");
+  });
+
+  it("parses autoCreate and isLatest boolean options", () => {
+    const q = {
+      autoCreate: "false",
+      isLatest: "true",
+    };
+    const result = parseQueryString(q, {}, {});
+    checkEqual(result.autoCreate, false);
+    checkEqual(result.isLatest, true);
+  });
+
+  it("parses format for SPDX export requests", () => {
+    const q = {
+      format: "spdx",
+    };
+    const result = parseQueryString(q, {}, {});
+    checkEqual(result.format, "spdx");
+  });
 });
 
 describe("isAllowedHost()", () => {
@@ -586,3 +617,187 @@ it("should correctly normalize and validate various git@ (SCP-like) formats", ()
   checkEqual(deniedRes.error, "Host Not Allowed");
   delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
 });
+
+describe("gitClone() hardening tests", () => {
+  it("passes core.hooksPath=/dev/null and --template= flags to git", async () => {
+    const spawnStub = sinon.stub().returns({ status: 0, stderr: "" });
+    const mkdtempStub = sinon
+      .stub()
+      .returns(path.join(os.tmpdir(), "fake-repo"));
+
+    const { gitClone } = await esmock("../helpers/source.js", {
+      "../helpers/utils.js": {
+        safeSpawnSync: spawnStub,
+        isSecureMode: false,
+        hasDangerousUnicode: sinon.stub().returns(false),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+      },
+      "node:fs": {
+        mkdtempSync: mkdtempStub,
+        existsSync: sinon.stub().returns(false),
+        readdirSync: sinon.stub().returns([]),
+        statSync: sinon.stub().returns({ isDirectory: () => true }),
+        readFileSync: sinon.stub().returns(""),
+      },
+    });
+
+    gitClone("https://example.com/repo.git");
+
+    sinon.assert.calledOnce(spawnStub);
+    const [cmd, args] = spawnStub.firstCall.args;
+    assert.strictEqual(cmd, "git");
+
+    // core.hooksPath=/dev/null must be present as a -c flag
+    const hooksPathIdx = args.indexOf("core.hooksPath=/dev/null");
+    assert.ok(
+      hooksPathIdx > 0 && args[hooksPathIdx - 1] === "-c",
+      "expected -c core.hooksPath=/dev/null in git args",
+    );
+
+    // --template= must appear after "clone"
+    const cloneIdx = args.indexOf("clone");
+    assert.ok(cloneIdx >= 0, "expected 'clone' subcommand in git args");
+    assert.ok(
+      args.slice(cloneIdx).includes("--template="),
+      "expected --template= after clone in git args",
+    );
+  });
+
+  it("uses GIT_CONFIG_GLOBAL=/dev/null instead of invalid GIT_CONFIG_NOGLOBAL in secure mode", async () => {
+    const spawnStub = sinon.stub().returns({ status: 0, stderr: "" });
+    const mkdtempStub = sinon
+      .stub()
+      .returns(path.join(os.tmpdir(), "fake-repo"));
+
+    const { gitClone } = await esmock("../helpers/source.js", {
+      "../helpers/utils.js": {
+        safeSpawnSync: spawnStub,
+        isSecureMode: true,
+        hasDangerousUnicode: sinon.stub().returns(false),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+      },
+      "node:fs": {
+        mkdtempSync: mkdtempStub,
+        existsSync: sinon.stub().returns(false),
+        readdirSync: sinon.stub().returns([]),
+        statSync: sinon.stub().returns({ isDirectory: () => true }),
+        readFileSync: sinon.stub().returns(""),
+      },
+    });
+
+    gitClone("https://example.com/repo.git");
+
+    sinon.assert.calledOnce(spawnStub);
+    const opts = spawnStub.firstCall.args[2];
+    assert.ok(opts.env, "expected env to be set");
+    assert.ok(
+      !("GIT_CONFIG_NOGLOBAL" in opts.env),
+      "GIT_CONFIG_NOGLOBAL must not be set (it is not a valid Git env var)",
+    );
+    assert.strictEqual(
+      opts.env.GIT_CONFIG_GLOBAL,
+      "/dev/null",
+      "GIT_CONFIG_GLOBAL must be /dev/null in secure mode",
+    );
+    assert.strictEqual(
+      opts.env.GIT_CONFIG_NOSYSTEM,
+      "1",
+      "GIT_CONFIG_NOSYSTEM must be '1' in secure mode",
+    );
+  });
+
+  it("sets GIT_TERMINAL_PROMPT=0 in both secure and non-secure mode", async () => {
+    for (const secureMode of [false, true]) {
+      const spawnStub = sinon.stub().returns({ status: 0, stderr: "" });
+      const mkdtempStub = sinon
+        .stub()
+        .returns(path.join(os.tmpdir(), "fake-repo"));
+
+      const { gitClone } = await esmock("../helpers/source.js", {
+        "../helpers/utils.js": {
+          safeSpawnSync: spawnStub,
+          isSecureMode: secureMode,
+          hasDangerousUnicode: sinon.stub().returns(false),
+          getTmpDir: sinon.stub().returns(os.tmpdir()),
+        },
+        "node:fs": {
+          mkdtempSync: mkdtempStub,
+          existsSync: sinon.stub().returns(false),
+          readdirSync: sinon.stub().returns([]),
+          statSync: sinon.stub().returns({ isDirectory: () => true }),
+          readFileSync: sinon.stub().returns(""),
+        },
+      });
+
+      gitClone("https://example.com/repo.git");
+
+      const opts = spawnStub.firstCall.args[2];
+      assert.strictEqual(
+        opts.env.GIT_TERMINAL_PROMPT,
+        "0",
+        `GIT_TERMINAL_PROMPT must be '0' when isSecureMode=${secureMode}`,
+      );
+    }
+  });
+
+  it("inserts --branch before repoUrl when a valid branch is specified", async () => {
+    const spawnStub = sinon.stub().returns({ status: 0, stderr: "" });
+    const mkdtempStub = sinon
+      .stub()
+      .returns(path.join(os.tmpdir(), "fake-repo"));
+
+    const { gitClone } = await esmock("../helpers/source.js", {
+      "../helpers/utils.js": {
+        safeSpawnSync: spawnStub,
+        isSecureMode: false,
+        hasDangerousUnicode: sinon.stub().returns(false),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+      },
+      "node:fs": {
+        mkdtempSync: mkdtempStub,
+        existsSync: sinon.stub().returns(false),
+        readdirSync: sinon.stub().returns([]),
+        statSync: sinon.stub().returns({ isDirectory: () => true }),
+        readFileSync: sinon.stub().returns(""),
+      },
+    });
+
+    gitClone("https://example.com/repo.git", "main");
+
+    const [, args] = spawnStub.firstCall.args;
+    const branchIdx = args.indexOf("--branch");
+    assert.ok(branchIdx >= 0, "expected --branch in git args");
+    assert.strictEqual(args[branchIdx + 1], "main");
+  });
+
+  it("skips --branch when the branch name starts with a dash", async () => {
+    const spawnStub = sinon.stub().returns({ status: 0, stderr: "" });
+    const mkdtempStub = sinon
+      .stub()
+      .returns(path.join(os.tmpdir(), "fake-repo"));
+
+    const { gitClone } = await esmock("../helpers/source.js", {
+      "../helpers/utils.js": {
+        safeSpawnSync: spawnStub,
+        isSecureMode: false,
+        hasDangerousUnicode: sinon.stub().returns(false),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+      },
+      "node:fs": {
+        mkdtempSync: mkdtempStub,
+        existsSync: sinon.stub().returns(false),
+        readdirSync: sinon.stub().returns([]),
+        statSync: sinon.stub().returns({ isDirectory: () => true }),
+        readFileSync: sinon.stub().returns(""),
+      },
+    });
+
+    gitClone("https://example.com/repo.git", "--malicious");
+
+    const [, args] = spawnStub.firstCall.args;
+    assert.ok(
+      !args.includes("--branch"),
+      "must not include --branch for dash-prefixed branch names",
+    );
+  });
+});

package/lib/stages/postgen/annotator.js

@@ -2,6 +2,7 @@ import { readFileSync } from "node:fs";
 import { join } from "node:path";
 
 import { thoughtLog } from "../../helpers/logger.js";
+import { getTrustedPublishingComponentCounts } from "../../helpers/provenanceUtils.js";
 import { dirNameStr } from "../../helpers/utils.js";
 
 // Tags per BOM type.
@@ -295,6 +296,9 @@ export function textualMetadata(bomJson) {
     c?.purl?.startsWith("pkg:swid"),
   ).length;
   const githubStats = getGitHubWorkflowStats(bomJson?.components);
+  const trustedPublishingCounts = getTrustedPublishingComponentCounts(
+    bomJson?.components,
+  );
   const isGitHubBom = bomType === "SBOM";
   if (metadata?.timestamp) {
     text = `This ${bomTypeDescription} document was created on ${humanifyTimestamp(metadata.timestamp)}`;
@@ -469,6 +473,9 @@ export function textualMetadata(bomJson) {
     if (!isGitHubBom) {
       text = `${text} There are ${bomJson.components.length} components.`;
     }
+    if (trustedPublishingCounts.total > 0) {
+      text = `${text} Trusted publishing metadata is present for ${trustedPublishingCounts.npm} npm component(s) and ${trustedPublishingCounts.pypi} PyPI component(s).`;
+    }
   } else {
     text = `${text} BOM file is empty without components.`;
     thoughtLog(

package/lib/stages/postgen/annotator.poku.js

@@ -263,6 +263,46 @@ it("textualMetadata tests", () => {
     }),
     "This Operations Bill-of-Materials (OBOM) document was created on Monday, November 11, 2024 with cdxgen. The lifecycles phases represented are: pre-build and operations. The document describes an operating system named 'Microsoft Windows 11 Pro' with version '22H2'. BOM file is empty without components. The OS uses the x64 architecture and has the build version '10.0.22621'.",
   );
+
+  assert.ok(
+    textualMetadata({
+      metadata: {
+        component: {
+          name: "trusted-demo",
+          type: "application",
+          version: "1.0.0",
+        },
+        timestamp: "2026-01-01T00:00:00Z",
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+      components: [
+        {
+          name: "left-pad",
+          properties: [
+            {
+              name: "cdx:npm:trustedPublishing",
+              value: "true",
+            },
+          ],
+          type: "library",
+        },
+        {
+          name: "requests",
+          properties: [
+            {
+              name: "cdx:pypi:trustedPublishing",
+              value: "true",
+            },
+          ],
+          type: "library",
+        },
+      ],
+    }).includes(
+      "Trusted publishing metadata is present for 1 npm component(s) and 1 PyPI component(s).",
+    ),
+  );
 });
 
 it("extractTags tests", () => {

package/lib/stages/postgen/auditBom.js

@@ -5,8 +5,8 @@
 import { join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
-import { table } from "table";
-
+import { buildAnnotationText } from "../../helpers/annotationFormatter.js";
+import { table } from "../../helpers/table.js";
 import {
   DEBUG_MODE,
   getTimestamp,
@@ -16,7 +16,6 @@ import { evaluateRules, loadRules } from "./ruleEngine.js";
 
 const __dirname = fileURLToPath(new URL(".", import.meta.url));
 const BUILTIN_RULES_DIR = join(__dirname, "..", "..", "..", "data", "rules");
-const CODE_BLOCK = "```";
 
 /**
  * Audit BOM formulation section using JSONata-powered rule engine
@@ -90,6 +89,7 @@ export function formatConsoleOutput(findings) {
     columnDefault: { wrapWord: true, width: 100 },
     columns: [
       { width: 10 },
+      { width: 26 },
       { width: 35 },
       { width: 50 },
       { width: 50 },
@@ -100,10 +100,13 @@ export function formatConsoleOutput(findings) {
       content: "BOM Audit Findings\nGenerated with \u2665  by cdxgen",
     },
   };
-  const data = [["Rule", "Message", "Description", "Ref", "File"]];
+  const data = [["Rule", "ATT&CK", "Message", "Description", "Ref", "File"]];
   for (const f of findings) {
     const line = [];
     line.push(f.ruleId);
+    line.push(
+      [...(f.attackTactics || []), ...(f.attackTechniques || [])].join(", "),
+    );
     line.push(f.message);
     line.push(f.description || "");
     line.push(f.location?.purl || f.location?.bomRef || "");
@@ -144,6 +147,18 @@ export function formatAnnotations(findings, bomJson) {
     if (f.mitigation) {
       properties.push({ name: "cdx:audit:mitigation", value: f.mitigation });
     }
+    if (f.attackTactics?.length) {
+      properties.push({
+        name: "cdx:audit:attack:tactics",
+        value: f.attackTactics.join(","),
+      });
+    }
+    if (f.attackTechniques?.length) {
+      properties.push({
+        name: "cdx:audit:attack:techniques",
+        value: f.attackTechniques.join(","),
+      });
+    }
     if (f?.location?.purl) {
       properties.push({
         name: "cdx:audit:location:purl",
@@ -178,7 +193,7 @@ export function formatAnnotations(findings, bomJson) {
         component: cdxgenAnnotator[0],
       },
       timestamp: getTimestamp(),
-      text: `${f.message}\n${CODE_BLOCK}\n${JSON.stringify(properties)}\n${CODE_BLOCK}`,
+      text: buildAnnotationText(f.message, properties),
     };
   });
 }