@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/bin/convert.js

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import { dirname } from "node:path";
+import process from "node:process";
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+import {
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+} from "../lib/helpers/bomUtils.js";
+import { deriveSpdxOutputPath } from "../lib/helpers/exportUtils.js";
+import {
+  retrieveCdxgenVersion,
+  safeExistsSync,
+  safeMkdirSync,
+} from "../lib/helpers/utils.js";
+import { convertCycloneDxToSpdx } from "../lib/stages/postgen/spdxConverter.js";
+import { validateSpdx } from "../lib/validator/bomValidator.js";
+
+const _yargs = yargs(hideBin(process.argv));
+
+const args = _yargs
+  .option("input", {
+    alias: "i",
+    default: "bom.json",
+    description: "Input CycloneDX BOM JSON file.",
+  })
+  .option("output", {
+    alias: "o",
+    description: "Output SPDX JSON file. Defaults to <input>.spdx.json.",
+  })
+  .option("validate", {
+    type: "boolean",
+    default: true,
+    description:
+      "Validate the generated SPDX export. Pass --no-validate to skip.",
+  })
+  .option("json-pretty", {
+    type: "boolean",
+    default: false,
+    description: "Pretty-print generated JSON output.",
+  })
+  .completion("completion", "Generate bash/zsh completion")
+  .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
+  .scriptName("cdx-convert")
+  .version(retrieveCdxgenVersion())
+  .help()
+  .wrap(Math.min(120, yargs().terminalWidth())).argv;
+
+if (!safeExistsSync(args.input)) {
+  console.error(`Input file '${args.input}' not found.`);
+  process.exit(1);
+}
+
+let bomJson;
+try {
+  bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
+} catch (error) {
+  console.error(`Failed to parse '${args.input}' as JSON: ${error.message}`);
+  process.exit(1);
+}
+
+if (!isCycloneDxBom(bomJson)) {
+  console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-convert"));
+  process.exit(1);
+}
+const cdxSpecVersion = Number.parseFloat(`${bomJson?.specVersion || ""}`);
+if (![1.6, 1.7].includes(cdxSpecVersion)) {
+  console.error(
+    `Unsupported CycloneDX specVersion '${bomJson?.specVersion}'. cdx-convert currently supports CycloneDX 1.6 or 1.7 input and exports SPDX 3.0.1.`,
+  );
+  process.exit(1);
+}
+
+const spdxJson = convertCycloneDxToSpdx(bomJson, args);
+if (!spdxJson) {
+  console.error("Conversion failed: unable to generate SPDX output.");
+  process.exit(1);
+}
+
+if (args.validate && !validateSpdx(spdxJson)) {
+  console.error("SPDX validation failed for the converted output.");
+  process.exit(1);
+}
+
+const outputPath = args.output || deriveSpdxOutputPath(args.input);
+const outputParent = dirname(outputPath);
+if (outputParent && outputParent !== "." && !safeExistsSync(outputParent)) {
+  safeMkdirSync(outputParent, { recursive: true });
+}
+
+fs.writeFileSync(
+  outputPath,
+  JSON.stringify(spdxJson, null, args.jsonPretty ? 2 : null),
+);
+console.log(`Successfully converted '${args.input}' to '${outputPath}'.`);

package/bin/evinse.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 // Evinse (Evinse Verification Is Nearly SBOM Evidence)
 
+import fs from "node:fs";
 import process from "node:process";
 
 import yargs from "yargs";
@@ -11,12 +12,17 @@ import {
   createEvinseFile,
   prepareDB,
 } from "../lib/evinser/evinser.js";
+import {
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+} from "../lib/helpers/bomUtils.js";
 import {
   printCallStack,
   printOccurrences,
   printReachables,
   printServices,
 } from "../lib/helpers/display.js";
+import { safeExistsSync } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/validator/bomValidator.js";
 
 const args = yargs(hideBin(process.argv))
@@ -149,6 +155,23 @@ if (process.env?.CDXGEN_NODE_OPTIONS) {
 }
 
 console.log(evinseArt);
+function ensureCycloneDxInput(inputFile) {
+  if (!safeExistsSync(inputFile)) {
+    return;
+  }
+  let bomJson;
+  try {
+    bomJson = JSON.parse(fs.readFileSync(inputFile, "utf8"));
+  } catch (error) {
+    console.error(`Unable to parse '${inputFile}' as JSON: ${error.message}`);
+    process.exit(1);
+  }
+  if (!isCycloneDxBom(bomJson)) {
+    console.error(getNonCycloneDxErrorMessage(bomJson, "evinse"));
+    process.exit(1);
+  }
+}
+ensureCycloneDxInput(args.input);
 (async () => {
   // First, prepare the database by cataloging jars and other libraries
   const dbObjMap = await prepareDB(args);

package/bin/repl.js

@@ -9,6 +9,7 @@ import repl from "node:repl";
 import jsonata from "jsonata";
 
 import { createBom } from "../lib/cli/index.js";
+import { isSpdxJsonLd } from "../lib/helpers/bomUtils.js";
 import {
   printCallStack,
   printDependencyTree,
@@ -21,6 +22,12 @@ import {
   printVulnerabilities,
 } from "../lib/helpers/display.js";
 import { readBinary } from "../lib/helpers/protobom.js";
+import {
+  getProvenanceComponents,
+  getTrustedComponents,
+} from "../lib/helpers/provenanceUtils.js";
+import { toCycloneDxLikeBom } from "../lib/helpers/spdxUtils.js";
+import { table } from "../lib/helpers/table.js";
 import { getTmpDir } from "../lib/helpers/utils.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
 import { validateBom } from "../lib/validator/bomValidator.js";
@@ -54,6 +61,95 @@ if (process.env?.CDXGEN_NODE_OPTIONS) {
 
 // The current sbom is stored here
 let sbom;
+const getInteractiveBom = () => toCycloneDxLikeBom(sbom);
+
+function unescapeAnnotationText(value) {
+  return String(value || "")
+    .replace(/<br>/g, "\n")
+    .replace(/&lt;/g, "<")
+    .replace(/&gt;/g, ">")
+    .replace(/&amp;/g, "&")
+    .replace(/\\([\\`*_{}\[\]()#+!|])/g, "$1")
+    .trim();
+}
+
+function parseAnnotationProperties(text) {
+  const properties = {};
+  const lines = String(text || "").split(/\r?\n/);
+  let foundHeader = false;
+  for (const line of lines) {
+    if (!line.startsWith("|")) {
+      continue;
+    }
+    const cells = line
+      .split("|")
+      .slice(1, -1)
+      .map((cell) => cell.trim());
+    if (cells.length < 2) {
+      continue;
+    }
+    if (cells[0] === "Property" && cells[1] === "Value") {
+      foundHeader = true;
+      continue;
+    }
+    if (
+      foundHeader &&
+      /^-+$/.test(cells[0].replace(/\s/g, "")) &&
+      /^-+$/.test(cells[1].replace(/\s/g, ""))
+    ) {
+      continue;
+    }
+    if (!foundHeader) {
+      continue;
+    }
+    properties[unescapeAnnotationText(cells[0])] = unescapeAnnotationText(
+      cells[1],
+    );
+  }
+  return properties;
+}
+
+function getAuditAnnotations() {
+  return (sbom?.annotations || [])
+    .map((annotation) => {
+      const properties = parseAnnotationProperties(annotation?.text);
+      return {
+        firstLine: unescapeAnnotationText(
+          String(annotation?.text || "").split(/\r?\n/, 1)[0],
+        ),
+        properties,
+        raw: annotation,
+      };
+    })
+    .filter(
+      (annotation) =>
+        Object.keys(annotation.properties).some((key) =>
+          key.startsWith("cdx:audit:"),
+        ) || annotation.firstLine.includes("cdx:audit:"),
+    );
+}
+
+function printAuditTable(title, rows) {
+  if (rows.length <= 1) {
+    return;
+  }
+  console.log(
+    table(rows, {
+      header: {
+        alignment: "center",
+        content: title,
+      },
+    }),
+  );
+}
+
+function isLikelyObom(bom) {
+  return Boolean(
+    bom?.components?.some((comp) =>
+      comp?.properties?.some((prop) => prop?.name === "cdx:osquery:category"),
+    ),
+  );
+}
 
 let historyFile;
 const historyConfigDir = join(homedir(), ".config", ".cdxgen");
@@ -73,11 +169,24 @@ export const importSbom = (sbomOrPath) => {
     try {
       sbom = JSON.parse(fs.readFileSync(sbomOrPath, "utf-8"));
       let bomType = "SBOM";
+      if (isSpdxJsonLd(sbom)) {
+        bomType = "SPDX";
+      }
       if (sbom?.vulnerabilities && Array.isArray(sbom.vulnerabilities)) {
         bomType = "VDR";
       }
       console.log(`✅ ${bomType} imported successfully from ${sbomOrPath}`);
       printSummary(sbom);
+      if (isLikelyObom(sbom)) {
+        console.log(
+          "💭 OBOM detected. Try .osinfocategories, .obomtips, .processes, or .services_snapshot",
+        );
+      }
+      if (getAuditAnnotations().length) {
+        console.log(
+          "💭 Audit annotations detected. Try .auditfindings, .auditactions, or .dispatchedges.",
+        );
+      }
     } catch (e) {
       console.log(`⚠ Unable to import the BOM from ${sbomOrPath} due to ${e}`);
     }
@@ -111,12 +220,24 @@ export const importSbom = (sbomOrPath) => {
 if (process.argv.length > 2) {
   importSbom(process.argv[process.argv.length - 1]);
   console.log("💭 Type .print to view the BOM as a table");
+  console.log("💭 Type .trusted to list components with trusted publishing.");
+  console.log(
+    "💭 Type .provenance to list components with registry provenance evidence.",
+  );
+  if (getAuditAnnotations().length) {
+    console.log(
+      "💭 Type .auditfindings to review cdx-audit and bom-audit annotations.",
+    );
+  }
 } else if (fs.existsSync("bom.json")) {
   // If the current directory has a bom.json load it
   importSbom("bom.json");
 } else {
   console.log("💭 Use .create <path> to create an SBOM for the given path.");
   console.log("💭 Use .import <json> to import an existing BOM.");
+  console.log(
+    "💭 For OBOM investigations, try .obomtips after importing an OBOM.",
+  );
   console.log("💭 Type .exit or press ctrl+d to close.");
 }
 
@@ -148,6 +269,17 @@ cdxgenRepl.defineCommand("create", {
       sbom = bomNSData.bomJson;
       console.log("✅ BOM imported successfully.");
       console.log("💭 Type .print to view the BOM as a table");
+      console.log(
+        "💭 Type .trusted to list components with trusted publishing.",
+      );
+      console.log(
+        "💭 Type .provenance to list components with registry provenance evidence.",
+      );
+      if (getAuditAnnotations().length) {
+        console.log(
+          "💭 Type .auditfindings to review cdx-audit and bom-audit annotations.",
+        );
+      }
     } else {
       console.log("BOM was not generated successfully");
     }
@@ -207,9 +339,12 @@ cdxgenRepl.defineCommand("search", {
             fixedSearchStr = `components[group ~> /${fixedSearchStr}/i or name ~> /${fixedSearchStr}/i or description ~> /${fixedSearchStr}/i or publisher ~> /${fixedSearchStr}/i or purl ~> /${fixedSearchStr}/i or tags ~> /${fixedSearchStr}/i]`;
           }
           const expression = jsonata(fixedSearchStr);
-          let components = await expression.evaluate(sbom);
+          const bomForSearch = searchStr.includes("~>")
+            ? sbom
+            : getInteractiveBom();
+          let components = await expression.evaluate(bomForSearch);
           const dexpression = jsonata(dependenciesSearchStr);
-          let dependencies = await dexpression.evaluate(sbom);
+          let dependencies = await dexpression.evaluate(bomForSearch);
           if (components && !Array.isArray(components)) {
             components = [components];
           }
@@ -303,8 +438,63 @@ cdxgenRepl.defineCommand("query", {
 cdxgenRepl.defineCommand("print", {
   help: "print the current bom as a table",
   action() {
-    if (sbom) {
-      printTable(sbom);
+    const interactiveBom = getInteractiveBom();
+    if (interactiveBom) {
+      printTable(interactiveBom);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("trusted", {
+  help: "print components with trusted publishing",
+  action() {
+    const interactiveBom = getInteractiveBom();
+    if (interactiveBom?.components) {
+      const trustedComponents = getTrustedComponents(interactiveBom.components);
+      if (!trustedComponents.length) {
+        console.log(
+          "No trusted-publishing components found. Look for components enriched with cdx:npm:trustedPublishing or cdx:pypi:trustedPublishing.",
+        );
+      } else {
+        printTable(
+          { components: trustedComponents, dependencies: [] },
+          undefined,
+          undefined,
+          `Found ${trustedComponents.length} trusted component(s) backed by trusted publishing metadata.`,
+        );
+      }
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("provenance", {
+  help: "print components with direct registry provenance evidence",
+  action() {
+    const interactiveBom = getInteractiveBom();
+    if (interactiveBom?.components) {
+      const provenanceComponents = getProvenanceComponents(
+        interactiveBom.components,
+      );
+      if (!provenanceComponents.length) {
+        console.log(
+          "No provenance-backed components found. Look for registry URLs, digests, signatures, or key IDs captured as component properties.",
+        );
+      } else {
+        printTable(
+          { components: provenanceComponents, dependencies: [] },
+          undefined,
+          undefined,
+          `Found ${provenanceComponents.length} component(s) with direct registry provenance evidence.`,
+        );
+      }
     } else {
       console.log(
         "⚠ No BOM is loaded. Use .import command to import an existing BOM",
@@ -342,8 +532,9 @@ cdxgenRepl.defineCommand("frameworks", {
 cdxgenRepl.defineCommand("tree", {
   help: "display the dependency tree",
   action() {
-    if (sbom) {
-      printDependencyTree(sbom);
+    const interactiveBom = getInteractiveBom();
+    if (interactiveBom) {
+      printDependencyTree(interactiveBom);
     } else {
       console.log(
         "⚠ No BOM is loaded. Use .import command to import an existing BOM",
@@ -355,8 +546,9 @@ cdxgenRepl.defineCommand("tree", {
 cdxgenRepl.defineCommand("provides", {
   help: "display the provides tree",
   action() {
-    if (sbom) {
-      printDependencyTree(sbom, "provides");
+    const interactiveBom = getInteractiveBom();
+    if (interactiveBom) {
+      printDependencyTree(interactiveBom, "provides");
     } else {
       console.log(
         "⚠ No BOM is loaded. Use .import command to import an existing BOM",
@@ -566,6 +758,113 @@ cdxgenRepl.defineCommand("formulation", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("auditfindings", {
+  help: "summarize cdx-audit and bom-audit annotations from the loaded BOM",
+  action() {
+    if (!sbom) {
+      console.log("⚠ No BOM is loaded. Use .import command to import an SBOM");
+      this.displayPrompt();
+      return;
+    }
+    const auditAnnotations = getAuditAnnotations();
+    if (!auditAnnotations.length) {
+      console.log(
+        "No audit annotations found. Generate an SBOM with --bom-audit or import a BOM enriched by cdx-audit.",
+      );
+      this.displayPrompt();
+      return;
+    }
+    const rows = [
+      ["Engine", "Severity", "Rule", "Target / Edge", "Next action"],
+    ];
+    auditAnnotations.forEach((annotation) => {
+      const props = annotation.properties;
+      rows.push([
+        props["cdx:audit:engine"] || "bom-audit",
+        props["cdx:audit:severity"] || "unknown",
+        props["cdx:audit:topFinding:ruleId"] ||
+          props["cdx:audit:ruleId"] ||
+          "-",
+        props["cdx:audit:dispatch:edge"] ||
+          props["cdx:audit:target:purl"] ||
+          props["cdx:audit:location:file"] ||
+          annotation.firstLine,
+        props["cdx:audit:nextAction"] ||
+          props["cdx:audit:upstreamGuidance"] ||
+          props["cdx:audit:mitigation"] ||
+          "-",
+      ]);
+    });
+    printAuditTable("Audit findings", rows);
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("auditactions", {
+  help: "list next actions from predictive audit annotations",
+  action() {
+    if (!sbom) {
+      console.log("⚠ No BOM is loaded. Use .import command to import an SBOM");
+      this.displayPrompt();
+      return;
+    }
+    const auditAnnotations = getAuditAnnotations().filter(
+      (annotation) => annotation.properties["cdx:audit:nextAction"],
+    );
+    if (!auditAnnotations.length) {
+      console.log(
+        "No predictive next actions found. Import a BOM annotated by cdx-audit to review remediation guidance.",
+      );
+      this.displayPrompt();
+      return;
+    }
+    const rows = [["Severity", "Target", "Next action", "Upstream guidance"]];
+    auditAnnotations.forEach((annotation) => {
+      const props = annotation.properties;
+      rows.push([
+        props["cdx:audit:severity"] || "unknown",
+        props["cdx:audit:dispatch:edge"] ||
+          props["cdx:audit:target:purl"] ||
+          annotation.firstLine,
+        props["cdx:audit:nextAction"] || "-",
+        props["cdx:audit:upstreamGuidance"] || "-",
+      ]);
+    });
+    printAuditTable("Predictive audit actions", rows);
+    this.displayPrompt();
+  },
+});
+cdxgenRepl.defineCommand("dispatchedges", {
+  help: "show local sender to receiver workflow edges captured by predictive audit",
+  action() {
+    if (!sbom) {
+      console.log("⚠ No BOM is loaded. Use .import command to import an SBOM");
+      this.displayPrompt();
+      return;
+    }
+    const auditAnnotations = getAuditAnnotations().filter(
+      (annotation) => annotation.properties["cdx:audit:dispatch:edge"],
+    );
+    if (!auditAnnotations.length) {
+      console.log(
+        "No local dispatch edges found. Import a BOM annotated by cdx-audit with correlated workflow dispatch findings.",
+      );
+      this.displayPrompt();
+      return;
+    }
+    const rows = [["Severity", "Rule", "Sender -> Receiver", "Receiver files"]];
+    auditAnnotations.forEach((annotation) => {
+      const props = annotation.properties;
+      rows.push([
+        props["cdx:audit:severity"] || "unknown",
+        props["cdx:audit:topFinding:ruleId"] || "-",
+        props["cdx:audit:dispatch:edge"] || annotation.firstLine,
+        props["cdx:audit:dispatch:receiverFiles"] || "-",
+      ]);
+    });
+    printAuditTable("Predictive workflow dispatch edges", rows);
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("osinfocategories", {
   help: "view the category names for the OS info from the obom",
   async action() {
@@ -591,6 +890,27 @@ cdxgenRepl.defineCommand("osinfocategories", {
     this.displayPrompt();
   },
 });
+// OBOM-specific analyst helper tips for SOC/IR and compliance workflows.
+cdxgenRepl.defineCommand("obomtips", {
+  help: "show analyst tips and useful commands for OBOM investigations",
+  action() {
+    console.log("OBOM analyst quick guide:");
+    console.log("1. .osinfocategories");
+    console.log(
+      "2. Run an OS-query category command from .help (examples below)",
+    );
+    console.log("   .processes");
+    console.log("   .services_snapshot");
+    console.log("   .scheduled_tasks");
+    console.log("   .startup_items");
+    console.log("3. .inspect <name>");
+    console.log("4. .services / .print / .summary for quick pivots");
+    console.log(
+      "Tip: Generate with --bom-audit --bom-audit-categories obom-runtime for prioritized findings.",
+    );
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("licenses", {
   help: "visualize license distribution",
   async action() {
@@ -631,6 +951,13 @@ cdxgenRepl.defineCommand("licenses", {
 cdxgenRepl.defineCommand("inspect", {
   help: "view full JSON details of a component: .inspect <name_search_string>",
   async action(nameStr) {
+    if (!nameStr) {
+      console.log(
+        "⚠ Specify a component name or purl fragment. Eg: .inspect lodash",
+      );
+      this.displayPrompt();
+      return;
+    }
     if (sbom?.components) {
       const found = sbom.components.find(
         (c) =>
@@ -792,6 +1119,7 @@ cdxgenRepl.defineCommand("tagcloud", {
   "kernel_integrity",
   "kernel_modules",
   "ld_preload",
+  "elevated_processes",
   "listening_ports",
   "os_version",
   "pipes",
@@ -799,11 +1127,14 @@ cdxgenRepl.defineCommand("tagcloud", {
   "portage_packages",
   "process_events",
   "processes",
+  "privilege_transitions",
+  "privileged_listening_ports",
   "python_packages",
   "rpm_packages",
   "scheduled_tasks",
   "services_snapshot",
   "startup_items",
+  "sudo_executions",
   "system_info_snapshot",
   "windows_drivers",
   "windows_patches",

package/bin/sign.js

@@ -7,6 +7,10 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
 import { signBom } from "../lib/helpers/bomSigner.js";
+import {
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+} from "../lib/helpers/bomUtils.js";
 import { retrieveCdxgenVersion, safeExistsSync } from "../lib/helpers/utils.js";
 
 const _yargs = yargs(hideBin(process.argv));
@@ -78,6 +82,10 @@ if (!safeExistsSync(args.privateKey)) {
 try {
   const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
   const privateKey = fs.readFileSync(args.privateKey, "utf8");
+  if (!isCycloneDxBom(bomJson)) {
+    console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-sign"));
+    process.exit(1);
+  }
 
   const signedBom = signBom(bomJson, {
     privateKey,

package/bin/validate.js

@@ -19,6 +19,10 @@ import process from "node:process";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
+import {
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+} from "../lib/helpers/bomUtils.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -177,6 +181,10 @@ function writeOrPrint(content, outputPath) {
 
 const bomJson = loadBom(args.input, args.platform);
 const publicKeyStr = loadPublicKey(args.publicKey);
+if (!isCycloneDxBom(bomJson)) {
+  console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-validate"));
+  process.exit(1);
+}
 
 const report = validateBomAdvanced(bomJson, {
   schema: args.schema,

package/bin/verify.js

@@ -8,6 +8,10 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
 import { verifyNode } from "../lib/helpers/bomSigner.js";
+import {
+  getNonCycloneDxErrorMessage,
+  isCycloneDxBom,
+} from "../lib/helpers/bomUtils.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -91,6 +95,10 @@ if (!bomJson) {
   console.log(`${args.input} is invalid!`);
   process.exit(1);
 }
+if (!isCycloneDxBom(bomJson)) {
+  console.log(getNonCycloneDxErrorMessage(bomJson, "cdx-verify"));
+  process.exit(1);
+}
 
 if (bomJson && !safeExistsSync(args.publicKey)) {
   console.log("Public key for signature verification is missing!");