@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/stages/postgen/postgen.js

@@ -7,6 +7,7 @@ import { PackageURL } from "packageurl-js";
 import { mergeDependencies } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
 import { thoughtLog } from "../../helpers/logger.js";
+import { buildReleaseNotesFromGit } from "../../helpers/source.js";
 import {
   DEBUG_MODE,
   dirNameStr,
@@ -107,6 +108,7 @@ export function postProcess(bomNSData, options, filePath) {
     filePath,
     bomNSData.formulationList,
   );
+  bomNSData.bomJson = applyReleaseNotes(bomNSData.bomJson, options, filePath);
   // Support for automatic annotations
   if (options.specVersion >= 1.6) {
     bomNSData.bomJson = annotate(bomNSData.bomJson, options);
@@ -116,6 +118,44 @@ export function postProcess(bomNSData, options, filePath) {
   return bomNSData;
 }
 
+function applyReleaseNotes(bomJson, options, filePath) {
+  if (!options?.includeReleaseNotes) {
+    return bomJson;
+  }
+  const specVersion = Number(options.specVersion || 1.7);
+  if (specVersion < 1.6) {
+    const errorMessage =
+      "releaseNotes in metadata.tools.components requires CycloneDX spec version 1.6 or above.";
+    if (options.failOnError) {
+      throw new Error(errorMessage);
+    }
+    console.warn(errorMessage);
+    return bomJson;
+  }
+  const toolComponents = bomJson?.metadata?.tools?.components;
+  if (!Array.isArray(toolComponents) || !toolComponents.length) {
+    return bomJson;
+  }
+  const cdxgenToolComponent = toolComponents.find(
+    (comp) => comp?.group === "@cyclonedx" && comp?.name === "cdxgen",
+  );
+  if (!cdxgenToolComponent) {
+    return bomJson;
+  }
+  const releaseNotes = buildReleaseNotesFromGit(filePath, options);
+  if (!releaseNotes) {
+    const errorMessage =
+      "Unable to compute release notes. Provide --release-notes-current-tag and optionally --release-notes-previous-tag.";
+    if (options.failOnError) {
+      throw new Error(errorMessage);
+    }
+    console.warn(errorMessage);
+    return bomJson;
+  }
+  cdxgenToolComponent.releaseNotes = releaseNotes;
+  return bomJson;
+}
+
 /**
  * Apply additional metadata based on components
  *

package/lib/stages/postgen/postgen.poku.js

@@ -158,3 +158,50 @@ it("postProcess passes formulationList from bomNSData into the formulation secti
     "pixi-pkg from formulationList should appear in formulation components",
   );
 });
+
+it("postProcess attaches releaseNotes to cdxgen metadata tool component", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [],
+      dependencies: [],
+      metadata: {
+        tools: {
+          components: [
+            {
+              group: "@cyclonedx",
+              name: "cdxgen",
+              version: "12.3.0",
+              type: "application",
+            },
+          ],
+        },
+        properties: [],
+      },
+    },
+  };
+  const options = {
+    includeReleaseNotes: true,
+    releaseNotesCurrentTag: "v1.0.0",
+    releaseNotesPreviousTag: "v0.9.0",
+    specVersion: 1.7,
+    failOnError: true,
+  };
+  const result = postProcess(bomNSData, options);
+  const cdxTool = result.bomJson.metadata.tools.components[0];
+  assert.strictEqual(cdxTool.releaseNotes.title, "Release notes for v1.0.0");
+  assert.strictEqual(
+    cdxTool.releaseNotes.description,
+    "Changes between v0.9.0 and v1.0.0.",
+  );
+  assert.ok(cdxTool.releaseNotes.timestamp);
+  assert.deepStrictEqual(cdxTool.releaseNotes.tags, ["v1.0.0", "v0.9.0"]);
+  assert.ok(Array.isArray(cdxTool.releaseNotes.resolves));
+  for (const aresolve of cdxTool.releaseNotes.resolves) {
+    assert.ok(aresolve.type);
+    assert.ok(aresolve.id);
+    assert.ok(aresolve.name);
+    assert.ok(aresolve.description);
+  }
+});

package/lib/stages/postgen/ruleEngine.js

@@ -34,6 +34,66 @@ function extractProperty(obj, propName) {
   return prop?.value ?? null;
 }
 
+function dedupeObjectsByIdentity(items) {
+  const seen = new Set();
+  const deduped = [];
+  (items || []).forEach((item) => {
+    if (!item) {
+      return;
+    }
+    const key =
+      item["bom-ref"] ||
+      item.purl ||
+      `${item.type || "unknown"}:${item.name || "unnamed"}:${item.version || ""}`;
+    if (seen.has(key)) {
+      return;
+    }
+    seen.add(key);
+    deduped.push(item);
+  });
+  return deduped;
+}
+
+function getFormulationEntries(bomJson) {
+  return Array.isArray(bomJson?.formulation) ? bomJson.formulation : [];
+}
+
+function getFormulationComponents(bomJson) {
+  return getFormulationEntries(bomJson).flatMap(
+    (entry) => entry?.components || [],
+  );
+}
+
+function getAuditComponents(bomJson) {
+  return dedupeObjectsByIdentity([
+    ...(Array.isArray(bomJson?.components) ? bomJson.components : []),
+    ...getFormulationComponents(bomJson),
+  ]);
+}
+
+function getAuditWorkflows(bomJson) {
+  return dedupeObjectsByIdentity(
+    getFormulationEntries(bomJson).flatMap((entry) => entry?.workflows || []),
+  );
+}
+
+function normalizeAttackMetadata(rule) {
+  const tactics = Array.isArray(rule?.attack?.tactics)
+    ? rule.attack.tactics
+    : [];
+  const techniques = Array.isArray(rule?.attack?.techniques)
+    ? rule.attack.techniques
+    : [];
+  return {
+    tactics: tactics
+      .filter((value) => typeof value === "string" && value.trim().length > 0)
+      .map((value) => value.trim()),
+    techniques: techniques
+      .filter((value) => typeof value === "string" && value.trim().length > 0)
+      .map((value) => value.trim()),
+  };
+}
+
 /**
  * Helper: Check if property exists and equals expected value
  * Usage: $hasProp(component, 'cdx:foo', 'bar')
@@ -145,6 +205,15 @@ function registerCdxHelpers(expression) {
   expression.registerFunction("safeStr", (val) => {
     return val === null || val === undefined ? "" : String(val).trim();
   });
+  expression.registerFunction("auditComponents", (bomJson) =>
+    getAuditComponents(bomJson),
+  );
+  expression.registerFunction("auditWorkflows", (bomJson) =>
+    getAuditWorkflows(bomJson),
+  );
+  expression.registerFunction("formulationComponents", (bomJson) =>
+    getFormulationComponents(bomJson),
+  );
   return expression;
 }
 
@@ -217,6 +286,10 @@ export async function loadRules(rulesDir) {
         }
         rule.severity = rule.severity || "medium";
         rule.category = rule.category || "unknown";
+        const attack = normalizeAttackMetadata(rule);
+        if (attack.tactics.length || attack.techniques.length) {
+          rule.attack = attack;
+        }
         if (!["critical", "high", "medium", "low"].includes(rule.severity)) {
           console.warn(
             `Rule ${rule.id} has invalid severity '${rule.severity}'; defaulting to 'medium'`,
@@ -287,11 +360,13 @@ export async function evaluateRule(rule, bomJson) {
       return findings;
     }
     for (const item of matches) {
+      const attack = normalizeAttackMetadata(rule);
       const context = {
         ...item,
         bom: bomJson,
-        components: bomJson.components || [],
-        workflows: bomJson.formulation?.[0]?.workflows || [],
+        components: getAuditComponents(bomJson),
+        workflows: getAuditWorkflows(bomJson),
+        formulationComponents: getFormulationComponents(bomJson),
         services: bomJson.services || [],
         metadata: bomJson.metadata || {},
       };
@@ -327,6 +402,9 @@ export async function evaluateRule(rule, bomJson) {
         }
       }
       findings.push({
+        attack,
+        attackTactics: attack.tactics,
+        attackTechniques: attack.techniques,
         ruleId: rule.id,
         name: rule.name || rule.id,
         description: rule.description,