npm - @cyclonedx/cdxgen - Versions diffs - 12.2.1 → 12.3.0 - Mend

@cyclonedx/cdxgen 12.2.1 → 12.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/README.md +239 -90
package/bin/audit.js +191 -0
package/bin/cdxgen.js +513 -167
package/bin/convert.js +99 -0
package/bin/evinse.js +23 -0
package/bin/repl.js +339 -8
package/bin/sign.js +8 -0
package/bin/validate.js +8 -0
package/bin/verify.js +8 -0
package/data/container-knowledge-index.json +125 -0
package/data/gtfobins-index.json +6296 -0
package/data/lolbas-index.json +150 -0
package/data/queries-darwin.json +63 -3
package/data/queries-win.json +45 -3
package/data/queries.json +74 -2
package/data/rules/chrome-extensions.yaml +240 -0
package/data/rules/ci-permissions.yaml +478 -18
package/data/rules/container-risk.yaml +270 -0
package/data/rules/obom-runtime.yaml +891 -0
package/data/rules/package-integrity.yaml +49 -0
package/data/spdx-export.schema.json +6794 -0
package/data/spdx-model-v3.0.1.jsonld +15999 -0
package/lib/audit/index.js +1924 -0
package/lib/audit/index.poku.js +1488 -0
package/lib/audit/progress.js +137 -0
package/lib/audit/progress.poku.js +188 -0
package/lib/audit/reporters.js +618 -0
package/lib/audit/scoring.js +310 -0
package/lib/audit/scoring.poku.js +341 -0
package/lib/audit/targets.js +260 -0
package/lib/audit/targets.poku.js +331 -0
package/lib/cli/index.js +154 -11
package/lib/cli/index.poku.js +251 -0
package/lib/helpers/analyzer.js +446 -2
package/lib/helpers/analyzer.poku.js +72 -1
package/lib/helpers/annotationFormatter.js +49 -0
package/lib/helpers/annotationFormatter.poku.js +44 -0
package/lib/helpers/bomUtils.js +36 -0
package/lib/helpers/bomUtils.poku.js +51 -0
package/lib/helpers/caxa.js +2 -2
package/lib/helpers/chromextutils.js +1153 -0
package/lib/helpers/chromextutils.poku.js +493 -0
package/lib/helpers/ciParsers/githubActions.js +1632 -45
package/lib/helpers/ciParsers/githubActions.poku.js +853 -1
package/lib/helpers/containerRisk.js +186 -0
package/lib/helpers/containerRisk.poku.js +52 -0
package/lib/helpers/display.js +241 -59
package/lib/helpers/display.poku.js +162 -2
package/lib/helpers/exportUtils.js +123 -0
package/lib/helpers/exportUtils.poku.js +60 -0
package/lib/helpers/formulationParsers.js +69 -0
package/lib/helpers/formulationParsers.poku.js +44 -0
package/lib/helpers/gtfobins.js +189 -0
package/lib/helpers/gtfobins.poku.js +49 -0
package/lib/helpers/lolbas.js +267 -0
package/lib/helpers/lolbas.poku.js +39 -0
package/lib/helpers/osqueryTransform.js +84 -0
package/lib/helpers/osqueryTransform.poku.js +49 -0
package/lib/helpers/provenanceUtils.js +193 -0
package/lib/helpers/provenanceUtils.poku.js +145 -0
package/lib/helpers/pylockutils.js +281 -0
package/lib/helpers/pylockutils.poku.js +48 -0
package/lib/helpers/registryProvenance.js +793 -0
package/lib/helpers/registryProvenance.poku.js +452 -0
package/lib/helpers/source.js +1267 -0
package/lib/helpers/source.poku.js +771 -0
package/lib/helpers/spdxUtils.js +97 -0
package/lib/helpers/spdxUtils.poku.js +70 -0
package/lib/helpers/unicodeScan.js +147 -0
package/lib/helpers/unicodeScan.poku.js +45 -0
package/lib/helpers/utils.js +700 -128
package/lib/helpers/utils.poku.js +877 -80
package/lib/managers/binary.js +29 -5
package/lib/managers/docker.js +179 -52
package/lib/managers/docker.poku.js +327 -28
package/lib/managers/oci.js +107 -23
package/lib/managers/oci.poku.js +132 -0
package/lib/server/openapi.yaml +17 -0
package/lib/server/server.js +225 -336
package/lib/server/server.poku.js +16 -10
package/lib/stages/postgen/annotator.js +7 -0
package/lib/stages/postgen/annotator.poku.js +40 -0
package/lib/stages/postgen/auditBom.js +19 -3
package/lib/stages/postgen/auditBom.poku.js +1729 -67
package/lib/stages/postgen/postgen.js +40 -0
package/lib/stages/postgen/postgen.poku.js +47 -0
package/lib/stages/postgen/ruleEngine.js +80 -2
package/lib/stages/postgen/spdxConverter.js +796 -0
package/lib/stages/postgen/spdxConverter.poku.js +341 -0
package/lib/validator/bomValidator.js +232 -0
package/lib/validator/bomValidator.poku.js +70 -0
package/lib/validator/complianceRules.js +70 -7
package/lib/validator/complianceRules.poku.js +30 -0
package/lib/validator/reporters/annotations.js +2 -2
package/lib/validator/reporters/console.js +11 -0
package/lib/validator/reporters.poku.js +13 -0
package/package.json +10 -7
package/types/bin/audit.d.ts +3 -0
package/types/bin/audit.d.ts.map +1 -0
package/types/bin/convert.d.ts +3 -0
package/types/bin/convert.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +115 -0
package/types/lib/audit/index.d.ts.map +1 -0
package/types/lib/audit/progress.d.ts +27 -0
package/types/lib/audit/progress.d.ts.map +1 -0
package/types/lib/audit/reporters.d.ts +35 -0
package/types/lib/audit/reporters.d.ts.map +1 -0
package/types/lib/audit/scoring.d.ts +35 -0
package/types/lib/audit/scoring.d.ts.map +1 -0
package/types/lib/audit/targets.d.ts +63 -0
package/types/lib/audit/targets.d.ts.map +1 -0
package/types/lib/cli/index.d.ts +8 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +13 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/annotationFormatter.d.ts +23 -0
package/types/lib/helpers/annotationFormatter.d.ts.map +1 -0
package/types/lib/helpers/bomUtils.d.ts +5 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -0
package/types/lib/helpers/chromextutils.d.ts +97 -0
package/types/lib/helpers/chromextutils.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +3 -8
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/containerRisk.d.ts +17 -0
package/types/lib/helpers/containerRisk.d.ts.map +1 -0
package/types/lib/helpers/display.d.ts +4 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/exportUtils.d.ts +40 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +17 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts +16 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -0
package/types/lib/helpers/osqueryTransform.d.ts +7 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +90 -0
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -0
package/types/lib/helpers/pylockutils.d.ts +51 -0
package/types/lib/helpers/pylockutils.d.ts.map +1 -0
package/types/lib/helpers/registryProvenance.d.ts +17 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts +141 -0
package/types/lib/helpers/source.d.ts.map +1 -0
package/types/lib/helpers/spdxUtils.d.ts +2 -0
package/types/lib/helpers/spdxUtils.d.ts.map +1 -0
package/types/lib/helpers/unicodeScan.d.ts +46 -0
package/types/lib/helpers/unicodeScan.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +29 -11
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/server/server.d.ts +0 -36
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/postgen/spdxConverter.d.ts +11 -0
package/types/lib/stages/postgen/spdxConverter.d.ts.map +1 -0
package/types/lib/validator/bomValidator.d.ts +1 -0
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/types/lib/validator/reporters/console.d.ts.map +1 -1
package/types/bin/dependencies.d.ts +0 -3
package/types/bin/dependencies.d.ts.map +0 -1
package/types/bin/licenses.d.ts +0 -3
package/types/bin/licenses.d.ts.map +0 -1

package/lib/audit/targets.js ADDED Viewed

@@ -0,0 +1,260 @@
+import { PackageURL } from "packageurl-js";
+import { hasTrustedPublishingProperties } from "../helpers/provenanceUtils.js";
+const SUPPORTED_PURL_TYPES = new Set(["npm", "pypi"]);
+const NON_REQUIRED_SCOPES = new Set(["excluded", "optional"]);
+/**
+ * Normalize predictive audit target selection options.
+ *
+ * @param {number | object | undefined} options selector options or legacy maxTargets value
+ * @returns {{
+ *   maxTargets: number | undefined,
+ *   scope: string | undefined,
+ *   trusted: "exclude" | "include" | "only",
+ * }} normalized options
+ */
+function normalizeTargetSelectionOptions(options) {
+  if (typeof options === "number") {
+    return {
+      maxTargets: options,
+      scope: undefined,
+      trusted: "exclude",
+    };
+  }
+  return {
+    maxTargets: options?.maxTargets,
+    scope: options?.scope === "required" ? "required" : undefined,
+    trusted:
+      options?.trusted === "only"
+        ? "only"
+        : options?.trusted === "include"
+          ? "include"
+          : "exclude",
+  };
+}
+/**
+ * Determine whether a CycloneDX component scope should be treated as required.
+ *
+ * Missing scope is treated as required to match the main BOM filtering flow.
+ *
+ * @param {string | undefined} scope component scope
+ * @returns {boolean} true when the component is required for predictive audit selection
+ */
+export function isRequiredComponentScope(scope) {
+  if (!scope || typeof scope !== "string") {
+    return true;
+  }
+  return !NON_REQUIRED_SCOPES.has(scope.toLowerCase());
+}
+function normalizeComponentScope(scope) {
+  if (!scope || typeof scope !== "string") {
+    return undefined;
+  }
+  return scope.toLowerCase();
+}
+function mergeTargetScope(existingTarget, nextTarget) {
+  const mergedRequired = Boolean(
+    existingTarget.required || nextTarget.required,
+  );
+  const existingScope = normalizeComponentScope(existingTarget.scope);
+  const nextScope = normalizeComponentScope(nextTarget.scope);
+  if (mergedRequired) {
+    return existingScope === "required" || nextScope === "required"
+      ? "required"
+      : existingScope || nextScope;
+  }
+  return existingScope === "optional" || nextScope === "optional"
+    ? "optional"
+    : existingScope || nextScope;
+}
+/**
+ * Normalize package names for safe matching and grouping.
+ *
+ * @param {string | undefined} packageName package name
+ * @returns {string} normalized package name
+ */
+export function normalizePackageName(packageName) {
+  if (!packageName || typeof packageName !== "string") {
+    return "";
+  }
+  return packageName.toLowerCase().replace(/[-_.]+/g, "-");
+}
+/**
+ * Extract npm and PyPI package-url targets from a CycloneDX BOM.
+ *
+ * @param {object} bomJson CycloneDX BOM
+ * @param {string} sourceName source BOM path or label
+ * @param {number | object | undefined} [options] selector options
+ * @returns {{ targets: object[], skipped: object[] }} extracted targets and skipped components
+ */
+export function extractPurlTargetsFromBom(bomJson, sourceName, options) {
+  const selectorOptions = normalizeTargetSelectionOptions(options);
+  const targets = [];
+  const skipped = [];
+  const components = Array.isArray(bomJson?.components)
+    ? bomJson.components
+    : [];
+  for (const component of components) {
+    const componentScope = normalizeComponentScope(component?.scope);
+    if (
+      selectorOptions.scope === "required" &&
+      !isRequiredComponentScope(componentScope)
+    ) {
+      continue;
+    }
+    const componentPurl = component?.purl;
+    if (!componentPurl) {
+      continue;
+    }
+    let purlObj;
+    try {
+      purlObj = PackageURL.fromString(componentPurl);
+    } catch {
+      skipped.push({
+        reason: "invalid-purl",
+        source: sourceName,
+        purl: componentPurl,
+        bomRef: component?.["bom-ref"],
+        name: component?.name,
+      });
+      continue;
+    }
+    if (!SUPPORTED_PURL_TYPES.has(purlObj.type)) {
+      skipped.push({
+        reason: "unsupported-ecosystem",
+        source: sourceName,
+        purl: componentPurl,
+        bomRef: component?.["bom-ref"],
+        name: component?.name,
+        type: purlObj.type,
+      });
+      continue;
+    }
+    targets.push({
+      bomRef: component?.["bom-ref"],
+      name: purlObj.name,
+      namespace: purlObj.namespace,
+      purl: componentPurl,
+      properties: Array.isArray(component?.properties)
+        ? component.properties.map((property) => ({ ...property }))
+        : [],
+      qualifiers: purlObj.qualifiers,
+      required: isRequiredComponentScope(componentScope),
+      scope: componentScope,
+      source: sourceName,
+      trustedPublishing: hasTrustedPublishingProperties(component?.properties),
+      type: purlObj.type,
+      version: purlObj.version,
+    });
+  }
+  return { skipped, targets };
+}
+/**
+ * Merge targets across many BOMs by purl.
+ *
+ * @param {{ source: string, bomJson: object }[]} inputBoms input BOMs
+ * @param {number | object | undefined} [options] selector options or a legacy maxTargets value
+ * @returns {{
+ *   skipped: object[],
+ *   stats: {
+ *     availableTargets: number,
+ *     nonRequiredTargets: number,
+ *     requiredTargets: number,
+ *     trustedTargets: number,
+ *     trustedTargetsExcluded: number,
+ *     truncatedTargets: number,
+ *   },
+ *   targets: object[],
+ * }} merged targets and skipped components
+ */
+export function collectAuditTargets(inputBoms, options) {
+  const selectorOptions = normalizeTargetSelectionOptions(options);
+  const skipped = [];
+  const targetMap = new Map();
+  for (const inputBom of inputBoms) {
+    const extracted = extractPurlTargetsFromBom(
+      inputBom.bomJson,
+      inputBom.source,
+      selectorOptions,
+    );
+    skipped.push(...extracted.skipped);
+    for (const target of extracted.targets) {
+      const existing = targetMap.get(target.purl);
+      if (existing) {
+        existing.required = Boolean(existing.required || target.required);
+        existing.scope = mergeTargetScope(existing, target);
+        existing.trustedPublishing = Boolean(
+          existing.trustedPublishing || target.trustedPublishing,
+        );
+        existing.sources.add(target.source);
+        if (target.bomRef) {
+          existing.bomRefs.add(target.bomRef);
+        }
+        for (const property of target.properties || []) {
+          const alreadyPresent = existing.properties.some(
+            (existingProperty) =>
+              existingProperty.name === property.name &&
+              existingProperty.value === property.value,
+          );
+          if (!alreadyPresent) {
+            existing.properties.push(property);
+          }
+        }
+        continue;
+      }
+      targetMap.set(target.purl, {
+        ...target,
+        bomRefs: new Set(target.bomRef ? [target.bomRef] : []),
+        sources: new Set([target.source]),
+      });
+    }
+  }
+  let targets = [...targetMap.values()].map((target) => ({
+    ...target,
+    bomRefs: [...target.bomRefs].sort(),
+    normalizedName: normalizePackageName(target.name),
+    sources: [...target.sources].sort(),
+  }));
+  targets.sort((left, right) => left.purl.localeCompare(right.purl));
+  const trustedTargets = targets.filter((target) => target.trustedPublishing);
+  if (selectorOptions.trusted === "only") {
+    targets = trustedTargets;
+  } else if (selectorOptions.trusted === "exclude") {
+    targets = targets.filter((target) => !target.trustedPublishing);
+  }
+  const requiredTargets = targets.filter((target) => target.required);
+  const nonRequiredTargets = targets.filter((target) => !target.required);
+  const availableTargets = targets.length;
+  if (
+    typeof selectorOptions.maxTargets === "number" &&
+    selectorOptions.maxTargets > 0
+  ) {
+    targets = [...requiredTargets, ...nonRequiredTargets].slice(
+      0,
+      selectorOptions.maxTargets,
+    );
+  }
+  return {
+    skipped,
+    stats: {
+      availableTargets,
+      nonRequiredTargets: nonRequiredTargets.length,
+      requiredTargets: requiredTargets.length,
+      trustedTargets: trustedTargets.length,
+      trustedTargetsExcluded:
+        selectorOptions.trusted === "exclude" ? trustedTargets.length : 0,
+      truncatedTargets: Math.max(0, availableTargets - targets.length),
+    },
+    targets,
+  };
+}
+export { SUPPORTED_PURL_TYPES };

package/lib/audit/targets.poku.js ADDED Viewed

@@ -0,0 +1,331 @@
+import { assert, describe, it } from "poku";
+import {
+  collectAuditTargets,
+  extractPurlTargetsFromBom,
+  isRequiredComponentScope,
+  normalizePackageName,
+} from "./targets.js";
+function makeBom(components) {
+  return {
+    bomFormat: "CycloneDX",
+    components,
+    specVersion: "1.6",
+  };
+}
+describe("normalizePackageName()", () => {
+  it("normalizes Python-style package separators", () => {
+    assert.strictEqual(
+      normalizePackageName("My_Package.Name"),
+      "my-package-name",
+    );
+  });
+});
+describe("extractPurlTargetsFromBom()", () => {
+  it("extracts only npm and pypi purls", () => {
+    const bom = makeBom([
+      {
+        "bom-ref": "pkg:npm/left-pad@1.3.0",
+        name: "left-pad",
+        properties: [
+          { name: "cdx:npm:trustedPublishing", value: "true" },
+          { name: "cdx:npm:provenanceKeyId", value: "sigstore-key" },
+        ],
+        purl: "pkg:npm/left-pad@1.3.0",
+      },
+      {
+        "bom-ref": "pkg:pypi/requests@2.32.3",
+        name: "requests",
+        purl: "pkg:pypi/requests@2.32.3",
+      },
+      {
+        "bom-ref": "pkg:gem/rails@8.0.0",
+        name: "rails",
+        purl: "pkg:gem/rails@8.0.0",
+      },
+    ]);
+    const extracted = extractPurlTargetsFromBom(bom, "bom.json");
+    assert.strictEqual(extracted.targets.length, 2);
+    assert.strictEqual(extracted.skipped.length, 1);
+    assert.strictEqual(extracted.targets[0].type, "npm");
+    assert.strictEqual(
+      extracted.targets[0].properties[0].name,
+      "cdx:npm:trustedPublishing",
+    );
+    assert.strictEqual(
+      extracted.targets[0].properties[1].name,
+      "cdx:npm:provenanceKeyId",
+    );
+    assert.strictEqual(extracted.targets[1].type, "pypi");
+    assert.strictEqual(extracted.skipped[0].reason, "unsupported-ecosystem");
+  });
+  it("records invalid purls as skipped entries", () => {
+    const bom = makeBom([
+      {
+        "bom-ref": "bad-ref",
+        name: "broken",
+        purl: "not-a-purl",
+      },
+    ]);
+    const extracted = extractPurlTargetsFromBom(bom, "broken.json");
+    assert.strictEqual(extracted.targets.length, 0);
+    assert.strictEqual(extracted.skipped.length, 1);
+    assert.strictEqual(extracted.skipped[0].reason, "invalid-purl");
+  });
+});
+describe("isRequiredComponentScope()", () => {
+  it("treats missing scope as required and excludes optional/excluded scopes", () => {
+    assert.strictEqual(isRequiredComponentScope(undefined), true);
+    assert.strictEqual(isRequiredComponentScope("required"), true);
+    assert.strictEqual(isRequiredComponentScope("optional"), false);
+    assert.strictEqual(isRequiredComponentScope("excluded"), false);
+  });
+});
+describe("collectAuditTargets()", () => {
+  it("deduplicates targets across multiple BOMs while preserving sources", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/left-pad@1.3.0",
+            name: "left-pad",
+            properties: [{ name: "cdx:npm:trustedPublishing", value: "true" }],
+            purl: "pkg:npm/left-pad@1.3.0",
+          },
+        ]),
+        source: "one.json",
+      },
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/left-pad@1.3.0",
+            name: "left-pad",
+            properties: [{ name: "cdx:npm:publisher", value: "octo" }],
+            purl: "pkg:npm/left-pad@1.3.0",
+          },
+          {
+            "bom-ref": "pkg:pypi/requests@2.32.3",
+            name: "requests",
+            purl: "pkg:pypi/requests@2.32.3",
+          },
+        ]),
+        source: "two.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { trusted: "include" });
+    assert.strictEqual(collected.targets.length, 2);
+    const npmTarget = collected.targets.find((target) => target.type === "npm");
+    assert.deepStrictEqual(npmTarget.sources, ["one.json", "two.json"]);
+    assert.strictEqual(npmTarget.bomRefs.length, 1);
+    assert.strictEqual(npmTarget.properties.length, 2);
+  });
+  it("respects maxTargets when supplied", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/a@1.0.0",
+            name: "a",
+            purl: "pkg:npm/a@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/b@1.0.0",
+            name: "b",
+            purl: "pkg:npm/b@1.0.0",
+          },
+        ]),
+        source: "limit.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, 1);
+    assert.strictEqual(collected.targets.length, 1);
+  });
+  it("filters predictive audit targets to required scope when requested", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/core@1.0.0",
+            name: "core",
+            purl: "pkg:npm/core@1.0.0",
+            scope: "required",
+          },
+          {
+            "bom-ref": "pkg:npm/transitive@1.0.0",
+            name: "transitive",
+            purl: "pkg:npm/transitive@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/optional-addon@1.0.0",
+            name: "optional-addon",
+            purl: "pkg:npm/optional-addon@1.0.0",
+            scope: "optional",
+          },
+          {
+            "bom-ref": "pkg:pypi/unused@1.0.0",
+            name: "unused",
+            purl: "pkg:pypi/unused@1.0.0",
+            scope: "excluded",
+          },
+        ]),
+        source: "required.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { scope: "required" });
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/core@1.0.0", "pkg:npm/transitive@1.0.0"],
+    );
+    assert.strictEqual(collected.stats.requiredTargets, 2);
+    assert.strictEqual(collected.stats.nonRequiredTargets, 0);
+  });
+  it("prioritizes required targets before optional ones when maxTargets is set", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/a-optional@1.0.0",
+            name: "a-optional",
+            purl: "pkg:npm/a-optional@1.0.0",
+            scope: "optional",
+          },
+          {
+            "bom-ref": "pkg:npm/z-required@1.0.0",
+            name: "z-required",
+            purl: "pkg:npm/z-required@1.0.0",
+            scope: "required",
+          },
+        ]),
+        source: "priority.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { maxTargets: 1 });
+    assert.strictEqual(collected.targets.length, 1);
+    assert.strictEqual(collected.targets[0].purl, "pkg:npm/z-required@1.0.0");
+    assert.strictEqual(collected.stats.truncatedTargets, 1);
+  });
+  it("excludes trusted-publishing-backed targets by default", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/trusted@1.0.0",
+            name: "trusted",
+            properties: [
+              {
+                name: "cdx:npm:trustedPublishing",
+                value: "true",
+              },
+            ],
+            purl: "pkg:npm/trusted@1.0.0",
+            scope: "required",
+          },
+          {
+            "bom-ref": "pkg:npm/plain@1.0.0",
+            name: "plain",
+            purl: "pkg:npm/plain@1.0.0",
+            scope: "required",
+          },
+        ]),
+        source: "trusted.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms);
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/plain@1.0.0"],
+    );
+    assert.strictEqual(collected.stats.trustedTargets, 1);
+    assert.strictEqual(collected.stats.trustedTargetsExcluded, 1);
+  });
+  it("includes trusted-publishing-backed targets when explicitly requested", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/trusted@1.0.0",
+            name: "trusted",
+            properties: [
+              {
+                name: "cdx:npm:trustedPublishing",
+                value: "true",
+              },
+            ],
+            purl: "pkg:npm/trusted@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:pypi/plain@1.0.0",
+            name: "plain",
+            purl: "pkg:pypi/plain@1.0.0",
+          },
+        ]),
+        source: "include-trusted.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { trusted: "include" });
+    assert.strictEqual(collected.targets.length, 2);
+    assert.strictEqual(collected.stats.trustedTargetsExcluded, 0);
+  });
+  it("can restrict predictive audit targets to only trusted-publishing-backed packages", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/trusted@1.0.0",
+            name: "trusted",
+            properties: [
+              {
+                name: "cdx:npm:trustedPublishing",
+                value: "true",
+              },
+            ],
+            purl: "pkg:npm/trusted@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/plain@1.0.0",
+            name: "plain",
+            purl: "pkg:npm/plain@1.0.0",
+          },
+        ]),
+        source: "only-trusted.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { trusted: "only" });
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/trusted@1.0.0"],
+    );
+    assert.strictEqual(collected.stats.availableTargets, 1);
+    assert.strictEqual(collected.stats.trustedTargets, 1);
+  });
+});