@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/server/server.poku.js

@@ -5,16 +5,14 @@ import esmock from "esmock";
 import { afterEach, assert, beforeEach, describe, it } from "poku";
 import sinon from "sinon";
 
-import { isWin } from "../helpers/utils.js";
 import {
-  getQueryParams,
   isAllowedHost,
   isAllowedPath,
   isAllowedWinPath,
-  parseQueryString,
-  parseValue,
   validateAndRejectGitSource,
-} from "./server.js";
+} from "../helpers/source.js";
+import { isWin } from "../helpers/utils.js";
+import { getQueryParams, parseQueryString, parseValue } from "./server.js";
 
 function nullProtoObj(obj) {
   if (obj === null || typeof obj !== "object") {
@@ -130,6 +128,14 @@ describe("parseQueryString tests", () => {
     checkEqual(result.autoCreate, false);
     checkEqual(result.isLatest, true);
   });
+
+  it("parses format for SPDX export requests", () => {
+    const q = {
+      format: "spdx",
+    };
+    const result = parseQueryString(q, {}, {});
+    checkEqual(result.format, "spdx");
+  });
 });
 
 describe("isAllowedHost()", () => {
@@ -619,7 +625,7 @@ describe("gitClone() hardening tests", () => {
       .stub()
       .returns(path.join(os.tmpdir(), "fake-repo"));
 
-    const { gitClone } = await esmock("./server.js", {
+    const { gitClone } = await esmock("../helpers/source.js", {
       "../helpers/utils.js": {
         safeSpawnSync: spawnStub,
         isSecureMode: false,
@@ -663,7 +669,7 @@ describe("gitClone() hardening tests", () => {
       .stub()
       .returns(path.join(os.tmpdir(), "fake-repo"));
 
-    const { gitClone } = await esmock("./server.js", {
+    const { gitClone } = await esmock("../helpers/source.js", {
       "../helpers/utils.js": {
         safeSpawnSync: spawnStub,
         isSecureMode: true,
@@ -707,7 +713,7 @@ describe("gitClone() hardening tests", () => {
         .stub()
         .returns(path.join(os.tmpdir(), "fake-repo"));
 
-      const { gitClone } = await esmock("./server.js", {
+      const { gitClone } = await esmock("../helpers/source.js", {
         "../helpers/utils.js": {
           safeSpawnSync: spawnStub,
           isSecureMode: secureMode,
@@ -740,7 +746,7 @@ describe("gitClone() hardening tests", () => {
       .stub()
       .returns(path.join(os.tmpdir(), "fake-repo"));
 
-    const { gitClone } = await esmock("./server.js", {
+    const { gitClone } = await esmock("../helpers/source.js", {
       "../helpers/utils.js": {
         safeSpawnSync: spawnStub,
         isSecureMode: false,
@@ -770,7 +776,7 @@ describe("gitClone() hardening tests", () => {
       .stub()
       .returns(path.join(os.tmpdir(), "fake-repo"));
 
-    const { gitClone } = await esmock("./server.js", {
+    const { gitClone } = await esmock("../helpers/source.js", {
       "../helpers/utils.js": {
         safeSpawnSync: spawnStub,
         isSecureMode: false,

package/lib/stages/postgen/annotator.js

@@ -2,6 +2,7 @@ import { readFileSync } from "node:fs";
 import { join } from "node:path";
 
 import { thoughtLog } from "../../helpers/logger.js";
+import { getTrustedPublishingComponentCounts } from "../../helpers/provenanceUtils.js";
 import { dirNameStr } from "../../helpers/utils.js";
 
 // Tags per BOM type.
@@ -295,6 +296,9 @@ export function textualMetadata(bomJson) {
     c?.purl?.startsWith("pkg:swid"),
   ).length;
   const githubStats = getGitHubWorkflowStats(bomJson?.components);
+  const trustedPublishingCounts = getTrustedPublishingComponentCounts(
+    bomJson?.components,
+  );
   const isGitHubBom = bomType === "SBOM";
   if (metadata?.timestamp) {
     text = `This ${bomTypeDescription} document was created on ${humanifyTimestamp(metadata.timestamp)}`;
@@ -469,6 +473,9 @@ export function textualMetadata(bomJson) {
     if (!isGitHubBom) {
       text = `${text} There are ${bomJson.components.length} components.`;
     }
+    if (trustedPublishingCounts.total > 0) {
+      text = `${text} Trusted publishing metadata is present for ${trustedPublishingCounts.npm} npm component(s) and ${trustedPublishingCounts.pypi} PyPI component(s).`;
+    }
   } else {
     text = `${text} BOM file is empty without components.`;
     thoughtLog(

package/lib/stages/postgen/annotator.poku.js

@@ -263,6 +263,46 @@ it("textualMetadata tests", () => {
     }),
     "This Operations Bill-of-Materials (OBOM) document was created on Monday, November 11, 2024 with cdxgen. The lifecycles phases represented are: pre-build and operations. The document describes an operating system named 'Microsoft Windows 11 Pro' with version '22H2'. BOM file is empty without components. The OS uses the x64 architecture and has the build version '10.0.22621'.",
   );
+
+  assert.ok(
+    textualMetadata({
+      metadata: {
+        component: {
+          name: "trusted-demo",
+          type: "application",
+          version: "1.0.0",
+        },
+        timestamp: "2026-01-01T00:00:00Z",
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+      components: [
+        {
+          name: "left-pad",
+          properties: [
+            {
+              name: "cdx:npm:trustedPublishing",
+              value: "true",
+            },
+          ],
+          type: "library",
+        },
+        {
+          name: "requests",
+          properties: [
+            {
+              name: "cdx:pypi:trustedPublishing",
+              value: "true",
+            },
+          ],
+          type: "library",
+        },
+      ],
+    }).includes(
+      "Trusted publishing metadata is present for 1 npm component(s) and 1 PyPI component(s).",
+    ),
+  );
 });
 
 it("extractTags tests", () => {

package/lib/stages/postgen/auditBom.js

@@ -5,6 +5,7 @@
 import { join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
+import { buildAnnotationText } from "../../helpers/annotationFormatter.js";
 import { table } from "../../helpers/table.js";
 import {
   DEBUG_MODE,
@@ -15,7 +16,6 @@ import { evaluateRules, loadRules } from "./ruleEngine.js";
 
 const __dirname = fileURLToPath(new URL(".", import.meta.url));
 const BUILTIN_RULES_DIR = join(__dirname, "..", "..", "..", "data", "rules");
-const CODE_BLOCK = "```";
 
 /**
  * Audit BOM formulation section using JSONata-powered rule engine
@@ -89,6 +89,7 @@ export function formatConsoleOutput(findings) {
     columnDefault: { wrapWord: true, width: 100 },
     columns: [
       { width: 10 },
+      { width: 26 },
       { width: 35 },
       { width: 50 },
       { width: 50 },
@@ -99,10 +100,13 @@ export function formatConsoleOutput(findings) {
       content: "BOM Audit Findings\nGenerated with \u2665  by cdxgen",
     },
   };
-  const data = [["Rule", "Message", "Description", "Ref", "File"]];
+  const data = [["Rule", "ATT&CK", "Message", "Description", "Ref", "File"]];
   for (const f of findings) {
     const line = [];
     line.push(f.ruleId);
+    line.push(
+      [...(f.attackTactics || []), ...(f.attackTechniques || [])].join(", "),
+    );
     line.push(f.message);
     line.push(f.description || "");
     line.push(f.location?.purl || f.location?.bomRef || "");
@@ -143,6 +147,18 @@ export function formatAnnotations(findings, bomJson) {
     if (f.mitigation) {
       properties.push({ name: "cdx:audit:mitigation", value: f.mitigation });
     }
+    if (f.attackTactics?.length) {
+      properties.push({
+        name: "cdx:audit:attack:tactics",
+        value: f.attackTactics.join(","),
+      });
+    }
+    if (f.attackTechniques?.length) {
+      properties.push({
+        name: "cdx:audit:attack:techniques",
+        value: f.attackTechniques.join(","),
+      });
+    }
     if (f?.location?.purl) {
       properties.push({
         name: "cdx:audit:location:purl",
@@ -177,7 +193,7 @@ export function formatAnnotations(findings, bomJson) {
         component: cdxgenAnnotator[0],
       },
       timestamp: getTimestamp(),
-      text: `${f.message}\n${CODE_BLOCK}\n${JSON.stringify(properties)}\n${CODE_BLOCK}`,
+      text: buildAnnotationText(f.message, properties),
     };
   });
 }