@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/helpers/analyzer.js

@@ -889,13 +889,340 @@ const getAllSrcJSAndTSFiles = (src, deep) =>
     getAllFiles(deep, src, ".svelte"),
   ]);
 
+export const CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES = [
+  "fileAccess",
+  "deviceAccess",
+  "network",
+  "bluetooth",
+  "accessibility",
+  "codeInjection",
+  "fingerprinting",
+];
+
+const EXTENSION_CAPABILITY_CHAIN_PATTERNS = {
+  fileAccess: [
+    /^(chrome|browser)\.(downloads|fileSystem|fileBrowserHandler|fileManagerPrivate)\b/i,
+    /^(window\.)?show(Open|Save|Directory)FilePicker$/i,
+  ],
+  deviceAccess: [
+    /^(chrome|browser)\.(usb|hid|serial|nfc|mediaGalleries|gcdPrivate|bluetooth|bluetoothPrivate)\b/i,
+  ],
+  network: [
+    /^(chrome|browser)\.(webRequest|declarativeNetRequest|proxy|webNavigation|socket)\b/i,
+    /^(window\.)?(fetch|WebSocket|EventSource)$/i,
+    /^(XMLHttpRequest)\b/i,
+    /^navigator\.sendBeacon$/i,
+  ],
+  bluetooth: [/^(chrome|browser)\.(bluetooth|bluetoothPrivate)\b/i],
+  accessibility: [
+    /^(chrome|browser)\.(accessibilityFeatures|accessibilityPrivate|automation)\b/i,
+  ],
+  codeInjection: [
+    /^(chrome|browser)\.(scripting\.executeScript|tabs\.executeScript|userScripts|debugger)\b/i,
+    /^(window\.)?(eval|Function)$/i,
+    /^document\.write$/i,
+  ],
+  fingerprinting: [
+    /^navigator\.(userAgent|platform|languages|language|hardwareConcurrency|deviceMemory|plugins|userAgentData)\b/i,
+    /^(screen\.)?(width|height|availWidth|availHeight|colorDepth|pixelDepth)$/i,
+    /^(window\.)?(AudioContext|OfflineAudioContext|RTCPeerConnection)$/i,
+    /^(canvas|[a-zA-Z_$][a-zA-Z0-9_$]*\.(getImageData|toDataURL|measureText))$/i,
+  ],
+};
+
+const EXTENSION_CAPABILITY_IDENTIFIER_PATTERNS = {
+  network: /^(fetch|WebSocket|EventSource|XMLHttpRequest)$/i,
+  codeInjection: /^(eval|Function)$/i,
+  fingerprinting: /^(AudioContext|OfflineAudioContext|RTCPeerConnection)$/i,
+};
+
+const SUSPICIOUS_JS_PROCESS_MODULES = new Set([
+  "child_process",
+  "node:child_process",
+]);
+
+const SUSPICIOUS_JS_NETWORK_MODULES = new Set([
+  "axios",
+  "got",
+  "http",
+  "https",
+  "net",
+  "node-fetch",
+  "node:http",
+  "node:https",
+  "node:net",
+  "node:tls",
+  "tls",
+  "undici",
+]);
+
+const SUSPICIOUS_JS_EXECUTION_MEMBERS = new Set([
+  "exec",
+  "execFile",
+  "execFileSync",
+  "execSync",
+  "fork",
+  "spawn",
+  "spawnSync",
+]);
+
+const SUSPICIOUS_JS_NETWORK_MEMBERS = new Set([
+  "fetch",
+  "get",
+  "post",
+  "put",
+  "patch",
+  "request",
+]);
+
+const SUSPICIOUS_JS_LONG_BASE64_PATTERN = /\b[A-Za-z0-9+/]{80,}={0,2}\b/;
+
+const getLiteralStringValue = (node) => {
+  if (!node) {
+    return undefined;
+  }
+  if (node.type === "StringLiteral") {
+    return node.value;
+  }
+  if (node.type === "TemplateLiteral" && node.expressions?.length === 0) {
+    return node.quasis.map((quasi) => quasi.value.cooked || "").join("");
+  }
+  return undefined;
+};
+
+const addSuspiciousLiteralIndicators = (obfuscationIndicators, rawValue) => {
+  if (!rawValue || typeof rawValue !== "string") {
+    return;
+  }
+  if (SUSPICIOUS_JS_LONG_BASE64_PATTERN.test(rawValue)) {
+    obfuscationIndicators.add("long-base64-literal");
+  }
+};
+
+const trackSuspiciousModuleReference = (
+  moduleName,
+  localName,
+  executionIndicators,
+  networkIndicators,
+  processAliases,
+  networkAliases,
+) => {
+  if (!moduleName || typeof moduleName !== "string") {
+    return;
+  }
+  if (SUSPICIOUS_JS_PROCESS_MODULES.has(moduleName)) {
+    executionIndicators.add("child-process-import");
+    if (localName) {
+      processAliases.add(localName);
+    }
+  }
+  if (SUSPICIOUS_JS_NETWORK_MODULES.has(moduleName)) {
+    networkIndicators.add("network-module-import");
+    if (localName) {
+      networkAliases.add(localName);
+    }
+  }
+};
+
+const getMemberChainString = (node) => {
+  if (!node) {
+    return "";
+  }
+  if (node.type === "Identifier") {
+    return node.name;
+  }
+  if (node.type === "ThisExpression") {
+    return "this";
+  }
+  if (node.type === "StringLiteral") {
+    return node.value;
+  }
+  if (node.type === "MetaProperty") {
+    const metaName = node.meta?.name || "";
+    const propertyName = node.property?.name || "";
+    return [metaName, propertyName].filter(Boolean).join(".");
+  }
+  if (node.type === "CallExpression") {
+    return getMemberChainString(node.callee);
+  }
+  if (node.type === "OptionalCallExpression") {
+    return getMemberChainString(node.callee);
+  }
+  if (
+    node.type !== "MemberExpression" &&
+    node.type !== "OptionalMemberExpression"
+  ) {
+    return "";
+  }
+  const objectChain = getMemberChainString(node.object);
+  const propertyChain = getMemberChainString(node.property);
+  if (objectChain && propertyChain) {
+    return `${objectChain}.${propertyChain}`;
+  }
+  return objectChain || propertyChain || "";
+};
+
+function analyzeSuspiciousJsSource(source) {
+  const executionIndicators = new Set();
+  const networkIndicators = new Set();
+  const obfuscationIndicators = new Set();
+  const processAliases = new Set();
+  const networkAliases = new Set();
+  let ast;
+  try {
+    ast = parse(source, babelParserOptions);
+  } catch {
+    return {
+      executionIndicators: [],
+      indicators: [],
+      networkIndicators: [],
+      obfuscationIndicators: [],
+    };
+  }
+  traverse.default(ast, {
+    ImportDeclaration: (path) => {
+      const moduleName = getLiteralStringValue(path?.node?.source);
+      path.node.specifiers.forEach((specifier) => {
+        trackSuspiciousModuleReference(
+          moduleName,
+          specifier?.local?.name,
+          executionIndicators,
+          networkIndicators,
+          processAliases,
+          networkAliases,
+        );
+      });
+      if (!path.node.specifiers?.length) {
+        trackSuspiciousModuleReference(
+          moduleName,
+          undefined,
+          executionIndicators,
+          networkIndicators,
+          processAliases,
+          networkAliases,
+        );
+      }
+    },
+    VariableDeclarator: (path) => {
+      const init = path?.node?.init;
+      if (
+        init?.type === "CallExpression" &&
+        init.callee?.type === "Identifier" &&
+        init.callee.name === "require"
+      ) {
+        const moduleName = getLiteralStringValue(init.arguments?.[0]);
+        const localName =
+          path?.node?.id?.type === "Identifier" ? path.node.id.name : undefined;
+        trackSuspiciousModuleReference(
+          moduleName,
+          localName,
+          executionIndicators,
+          networkIndicators,
+          processAliases,
+          networkAliases,
+        );
+      }
+    },
+    CallExpression: (path) => {
+      const callee = path?.node?.callee;
+      const calleeChain = getMemberChainString(callee);
+      if (callee?.type === "Identifier") {
+        if (callee.name === "eval") {
+          executionIndicators.add("eval");
+        }
+        if (callee.name === "atob") {
+          obfuscationIndicators.add("atob");
+        }
+        if (["fetch", "axios", "got"].includes(callee.name)) {
+          networkIndicators.add("network-request");
+        }
+      }
+      if (calleeChain === "Buffer.from") {
+        const encodingValue = getLiteralStringValue(path.node.arguments?.[1]);
+        if (encodingValue?.toLowerCase() === "base64") {
+          obfuscationIndicators.add("buffer-base64");
+        }
+      }
+      if (calleeChain === "String.fromCharCode") {
+        obfuscationIndicators.add("string-from-char-code");
+      }
+      if (calleeChain === "vm.runInNewContext") {
+        executionIndicators.add("vm-run-context");
+        obfuscationIndicators.add("vm-run-context");
+      }
+      if (calleeChain === "vm.runInThisContext") {
+        executionIndicators.add("vm-run-context");
+        obfuscationIndicators.add("vm-run-context");
+      }
+      if (callee?.type === "MemberExpression") {
+        const objectName = getMemberChainString(callee.object);
+        const propertyName = getMemberChainString(callee.property);
+        if (
+          objectName &&
+          processAliases.has(objectName) &&
+          SUSPICIOUS_JS_EXECUTION_MEMBERS.has(propertyName)
+        ) {
+          executionIndicators.add("child-process");
+        }
+        if (
+          objectName &&
+          networkAliases.has(objectName) &&
+          SUSPICIOUS_JS_NETWORK_MEMBERS.has(propertyName)
+        ) {
+          networkIndicators.add("network-request");
+        }
+      }
+      if (
+        callee?.type === "Identifier" &&
+        callee.name === "require" &&
+        path.node.arguments?.length
+      ) {
+        const moduleName = getLiteralStringValue(path.node.arguments[0]);
+        trackSuspiciousModuleReference(
+          moduleName,
+          undefined,
+          executionIndicators,
+          networkIndicators,
+          processAliases,
+          networkAliases,
+        );
+      }
+    },
+    NewExpression: (path) => {
+      const calleeChain = getMemberChainString(path?.node?.callee);
+      if (calleeChain === "Function") {
+        executionIndicators.add("function-constructor");
+      }
+    },
+    StringLiteral: (path) => {
+      addSuspiciousLiteralIndicators(obfuscationIndicators, path?.node?.value);
+    },
+    TemplateElement: (path) => {
+      addSuspiciousLiteralIndicators(
+        obfuscationIndicators,
+        path?.node?.value?.raw,
+      );
+    },
+  });
+  const indicators = [
+    ...obfuscationIndicators,
+    ...executionIndicators,
+    ...networkIndicators,
+  ].sort();
+  return {
+    executionIndicators: Array.from(executionIndicators).sort(),
+    indicators,
+    networkIndicators: Array.from(networkIndicators).sort(),
+    obfuscationIndicators: Array.from(obfuscationIndicators).sort(),
+  };
+}
+
 /**
  * Find all imports and exports
  */
 export const findJSImportsExports = async (src, deep) => {
   const allImports = {};
   const allExports = {};
-  const errFiles = [];
   try {
     const promiseMap = await getAllSrcJSAndTSFiles(src, deep);
     const srcFiles = promiseMap.flat();
@@ -903,7 +1230,7 @@ export const findJSImportsExports = async (src, deep) => {
       try {
         parseFileASTTree(src, file, allImports, allExports);
       } catch (_err) {
-        errFiles.push(file);
+        // ignore parse failures
       }
     }
     return { allImports, allExports };
@@ -911,3 +1238,120 @@ export const findJSImportsExports = async (src, deep) => {
     return { allImports, allExports };
   }
 };
+
+/**
+ * Detect suspicious obfuscation, execution, and network indicators in a single
+ * JavaScript/TypeScript source file using Babel AST analysis.
+ *
+ * @param {string} filePath Source file path
+ * @returns {{executionIndicators: string[], indicators: string[], networkIndicators: string[], obfuscationIndicators: string[]}}
+ */
+export const analyzeSuspiciousJsFile = (filePath) => {
+  let source;
+  try {
+    source = fileToParseableCode(filePath);
+  } catch {
+    return {
+      executionIndicators: [],
+      indicators: [],
+      networkIndicators: [],
+      obfuscationIndicators: [],
+    };
+  }
+  return analyzeSuspiciousJsSource(source);
+};
+
+/**
+ * Detect browser-extension capability signals from source code using Babel AST analysis.
+ *
+ * @param {string} src Path to the extension source directory
+ * @param {boolean} deep When true, includes node_modules and nested directories
+ * @returns {{capabilities: string[], indicators: Object<string, string[]>}}
+ * `indicators` is keyed by capability category name and contains arrays of
+ * detected signal strings (for example property chains and call names).
+ */
+export const detectExtensionCapabilities = (src, deep = false) => {
+  const indicators = {};
+  for (const category of CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES) {
+    indicators[category] = new Set();
+  }
+  let srcFiles = [];
+  try {
+    srcFiles = [
+      ...getAllFiles(deep, src, ".js"),
+      ...getAllFiles(deep, src, ".jsx"),
+      ...getAllFiles(deep, src, ".cjs"),
+      ...getAllFiles(deep, src, ".mjs"),
+      ...getAllFiles(deep, src, ".ts"),
+      ...getAllFiles(deep, src, ".tsx"),
+      ...getAllFiles(deep, src, ".vue"),
+      ...getAllFiles(deep, src, ".svelte"),
+    ];
+  } catch (_err) {
+    return { capabilities: [], indicators: {} };
+  }
+  const addSignalByPatterns = (rawSignal, patternMap) => {
+    const signal = String(rawSignal || "").trim();
+    if (!signal) {
+      return;
+    }
+    for (const category of Object.keys(patternMap)) {
+      const categoryPatterns = patternMap[category];
+      const safePatterns = Array.isArray(categoryPatterns)
+        ? categoryPatterns
+        : [categoryPatterns];
+      if (safePatterns.some((pattern) => pattern?.test(signal))) {
+        indicators[category].add(signal);
+      }
+    }
+  };
+  const addSignal = (rawSignal) => {
+    addSignalByPatterns(rawSignal, EXTENSION_CAPABILITY_CHAIN_PATTERNS);
+  };
+  const addIdentifierSignal = (rawSignal) => {
+    addSignalByPatterns(rawSignal, EXTENSION_CAPABILITY_IDENTIFIER_PATTERNS);
+  };
+  for (const file of srcFiles) {
+    try {
+      const ast = parse(fileToParseableCode(file), babelParserOptions);
+      traverse.default(ast, {
+        MemberExpression: (path) => {
+          addSignal(getMemberChainString(path?.node));
+        },
+        OptionalMemberExpression: (path) => {
+          addSignal(getMemberChainString(path?.node));
+        },
+        CallExpression: (path) => {
+          addSignal(getMemberChainString(path?.node?.callee));
+          if (path?.node?.callee?.type === "Identifier") {
+            addIdentifierSignal(path.node.callee.name);
+          }
+        },
+        OptionalCallExpression: (path) => {
+          addSignal(getMemberChainString(path?.node?.callee));
+          if (path?.node?.callee?.type === "Identifier") {
+            addIdentifierSignal(path.node.callee.name);
+          }
+        },
+        NewExpression: (path) => {
+          addSignal(getMemberChainString(path?.node?.callee));
+          if (path?.node?.callee?.type === "Identifier") {
+            addIdentifierSignal(path.node.callee.name);
+          }
+        },
+      });
+    } catch (_err) {
+      // Skip parse failures and continue scanning
+    }
+  }
+  const capabilityList = [];
+  const indicatorMap = {};
+  for (const category of CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES) {
+    const sortedSignals = Array.from(indicators[category]).sort();
+    if (sortedSignals.length) {
+      capabilityList.push(category);
+      indicatorMap[category] = sortedSignals;
+    }
+  }
+  return { capabilities: capabilityList, indicators: indicatorMap };
+};

package/lib/helpers/analyzer.poku.js

@@ -10,7 +10,11 @@ import { join } from "node:path";
 
 import { assert, describe, it } from "poku";
 
-import { findJSImportsExports } from "./analyzer.js";
+import {
+  analyzeSuspiciousJsFile,
+  detectExtensionCapabilities,
+  findJSImportsExports,
+} from "./analyzer.js";
 
 const baseTempDir = mkdtempSync(join(tmpdir(), "cdxgen-analyzer-poku-"));
 
@@ -228,3 +232,70 @@ wasi.start(instance);
     }
   });
 });
+
+describe("detectExtensionCapabilities()", () => {
+  it("should detect extension capability signals from source usage", () => {
+    const projectDir = createProject(
+      "extension-capabilities",
+      `chrome.scripting.executeScript({ target: { tabId: 1 }, files: ["inject.js"] });
+chrome.bluetooth.getDevices(() => {});
+chrome.downloads.download({ url: "https://example.invalid/a.txt" });
+const canvas = document.createElement("canvas");
+canvas.toDataURL();
+fetch("https://example.invalid/api");
+navigator.userAgentData?.getHighEntropyValues(["platformVersion"]);
+`,
+    );
+    const detected = detectExtensionCapabilities(projectDir);
+    assert.ok(detected.capabilities.includes("codeInjection"));
+    assert.ok(detected.capabilities.includes("bluetooth"));
+    assert.ok(detected.capabilities.includes("deviceAccess"));
+    assert.ok(detected.capabilities.includes("fileAccess"));
+    assert.ok(detected.capabilities.includes("network"));
+    assert.ok(detected.capabilities.includes("fingerprinting"));
+  });
+
+  it("should detect fingerprinting from canvas member-chain APIs", () => {
+    const projectDir = createProject(
+      "extension-capabilities-canvas-only",
+      `const canvas = document.createElement("canvas");
+const ctx = canvas.getContext("2d");
+ctx.getImageData(0, 0, 1, 1);
+canvas.toDataURL();
+ctx.measureText("a");
+`,
+    );
+    const detected = detectExtensionCapabilities(projectDir);
+    assert.ok(detected.capabilities.includes("fingerprinting"));
+  });
+});
+
+describe("analyzeSuspiciousJsFile()", () => {
+  it("detects encoded child-process loader patterns", () => {
+    const projectDir = createProject(
+      "suspicious-lifecycle-js",
+      [
+        "import cp from 'node:child_process';",
+        "const payload = Buffer.from('ZXZhbCgnY29uc29sZS5sb2coMSknKQ==', 'base64');",
+        "cp.execSync(payload.toString());",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeSuspiciousJsFile(join(projectDir, "index.js"));
+    assert.match(analysis.obfuscationIndicators.join(","), /buffer-base64/);
+    assert.match(analysis.executionIndicators.join(","), /child-process/);
+  });
+
+  it("detects network-capable script files referenced by lifecycle hooks", () => {
+    const projectDir = createProject(
+      "network-lifecycle-js",
+      [
+        "import https from 'node:https';",
+        "https.request('https://example.invalid/payload');",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeSuspiciousJsFile(join(projectDir, "index.js"));
+    assert.match(analysis.networkIndicators.join(","), /network-request/);
+  });
+});

package/lib/helpers/annotationFormatter.js

@@ -0,0 +1,49 @@
+function escapeMarkdownText(value) {
+  return String(value ?? "")
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/([\\`*_{}\[\]()#+!|])/g, "\\$1")
+    .replace(/\r?\n/g, "<br>")
+    .trim();
+}
+
+function escapeMarkdownCell(value) {
+  return escapeMarkdownText(value);
+}
+
+/**
+ * Format annotation properties as a markdown table for CycloneDX annotations.
+ *
+ * @param {{ name: string, value: string }[]} properties annotation properties
+ * @returns {string} markdown table text
+ */
+export function propertiesToMarkdownTable(properties) {
+  if (!properties?.length) {
+    return "";
+  }
+  const lines = ["| Property | Value |", "| --- | --- |"];
+  for (const property of properties) {
+    lines.push(
+      `| ${escapeMarkdownCell(property?.name)} | ${escapeMarkdownCell(property?.value)} |`,
+    );
+  }
+  return lines.join("\n");
+}
+
+/**
+ * Build production-ready markdown annotation text.
+ *
+ * @param {string} message leading message text
+ * @param {{ name: string, value: string }[]} properties annotation properties
+ * @param {string[]} [details] optional detail lines shown before the table
+ * @returns {string} annotation text
+ */
+export function buildAnnotationText(message, properties, details = []) {
+  const lines = [message, ...details.filter(Boolean)].map(escapeMarkdownText);
+  const markdownTable = propertiesToMarkdownTable(properties);
+  if (markdownTable) {
+    lines.push("", markdownTable);
+  }
+  return lines.join("\n");
+}

package/lib/helpers/annotationFormatter.poku.js

@@ -0,0 +1,44 @@
+import { assert, describe, it } from "poku";
+
+import {
+  buildAnnotationText,
+  propertiesToMarkdownTable,
+} from "./annotationFormatter.js";
+
+describe("annotationFormatter", () => {
+  it("escapes markdown tables for untrusted annotation properties", () => {
+    const table = propertiesToMarkdownTable([
+      {
+        name: "<script>alert(1)</script>",
+        value: "[click](javascript:alert(1))\nnext|cell & more",
+      },
+    ]);
+
+    assert.strictEqual(
+      table,
+      [
+        "| Property | Value |",
+        "| --- | --- |",
+        String.raw`| &lt;script&gt;alert\(1\)&lt;/script&gt; | \[click\]\(javascript:alert\(1\)\)<br>next\|cell &amp; more |`,
+      ].join("\n"),
+    );
+  });
+
+  it("escapes markdown and HTML-sensitive content in annotation messages", () => {
+    const htmlLikeMessage =
+      String.fromCharCode(60) +
+      "img src=x onerror=alert(1)" +
+      String.fromCharCode(62);
+    const text = buildAnnotationText(
+      htmlLikeMessage,
+      [{ name: "cdx:test", value: "safe" }],
+      ["[open](javascript:alert(1))", "line\nbreak"],
+    );
+
+    assert.ok(text.startsWith("&lt;img src=x onerror=alert\\(1\\)&gt;"));
+    assert.ok(text.includes("\\[open\\]\\(javascript:alert\\(1\\)\\)"));
+    assert.ok(text.includes("line<br>break"));
+    assert.ok(text.includes("| cdx:test | safe |"));
+    assert.ok(!text.includes(htmlLikeMessage));
+  });
+});

package/lib/helpers/bomUtils.js

@@ -0,0 +1,36 @@
+const SPDX_CONTEXT_PREFIX = "https://spdx.org/rdf/";
+const CYCLONEDX_FORMAT = "CycloneDX";
+const BOM_FORMAT_CYCLONEDX = "cyclonedx";
+const BOM_FORMAT_SPDX = "spdx";
+const BOM_FORMAT_UNKNOWN = "unknown";
+
+export const isSpdxJsonLd = (bomJson) =>
+  Boolean(
+    bomJson?.["@context"]?.startsWith(SPDX_CONTEXT_PREFIX) &&
+      Array.isArray(bomJson?.["@graph"]) &&
+      bomJson["@graph"].some((element) => element?.type === "SpdxDocument"),
+  );
+
+export const isCycloneDxBom = (bomJson) =>
+  bomJson?.bomFormat === CYCLONEDX_FORMAT && Boolean(bomJson?.specVersion);
+
+export const detectBomFormat = (bomJson) => {
+  if (isCycloneDxBom(bomJson)) {
+    return BOM_FORMAT_CYCLONEDX;
+  }
+  if (isSpdxJsonLd(bomJson)) {
+    return BOM_FORMAT_SPDX;
+  }
+  return BOM_FORMAT_UNKNOWN;
+};
+
+export const getNonCycloneDxErrorMessage = (
+  bomJson,
+  commandName = "This command",
+) => {
+  const detectedFormat = detectBomFormat(bomJson);
+  if (detectedFormat === BOM_FORMAT_SPDX) {
+    return `${commandName} expects a CycloneDX BOM. SPDX input is not supported for this command.`;
+  }
+  return `${commandName} expects a CycloneDX JSON BOM.`;
+};