@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/validator/complianceRules.js

@@ -211,6 +211,20 @@ function manual(message, extras = {}) {
   return { status: "manual", message, ...extras };
 }
 
+const CDX_AUDIT_MANUAL_COMMAND = "cdx-audit --bom bom.json --scope required";
+
+function buildCdxAuditAssistMitigation(reviewFocus) {
+  return `${reviewFocus} To support manual verification, run \`${CDX_AUDIT_MANUAL_COMMAND}\` against the same SBOM and review the resulting repository, workflow, provenance, and publishing findings.`;
+}
+
+function buildCdxAuditAssistEvidence(controlId) {
+  return {
+    reviewMode: "manual-with-cdx-audit",
+    standardRef: `SCVS-${controlId}`,
+    suggestedCommand: CDX_AUDIT_MANUAL_COMMAND,
+  };
+}
+
 /**
  * Factory for SCVS manual-review rules. These are emitted so that benchmark
  * reports can accurately reflect per-level coverage even when the rule cannot
@@ -220,9 +234,10 @@ function manual(message, extras = {}) {
  * @param {string} name
  * @param {string} description
  * @param {{ l1: boolean, l2: boolean, l3: boolean }} levels
+ * @param {{ mitigation?: string, evidence?: object }} [options]
  * @returns {object}
  */
-function scvsManual(id, name, description, levels) {
+function scvsManual(id, name, description, levels, options = {}) {
   const required = [];
   if (levels.l1) required.push("L1");
   if (levels.l2) required.push("L2");
@@ -241,7 +256,8 @@ function scvsManual(id, name, description, levels) {
       manual(
         `${name} is not automatable from the BOM and requires manual review.`,
         {
-          mitigation: description,
+          evidence: options.evidence,
+          mitigation: options.mitigation || description,
         },
       ),
   };
@@ -546,11 +562,22 @@ const SCVS_RULES = [
       return pass(`metadata.timestamp present (${ts}).`);
     },
   },
-  scvsManual("2.8", "SBOM is analyzed for risk", "SBOM is analyzed for risk.", {
-    l1: true,
-    l2: true,
-    l3: true,
-  }),
+  scvsManual(
+    "2.8",
+    "SBOM is analyzed for risk",
+    "SBOM is analyzed for risk.",
+    {
+      l1: true,
+      l2: true,
+      l3: true,
+    },
+    {
+      evidence: buildCdxAuditAssistEvidence("2.8"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Use predictive audit evidence to show how the SBOM is being reviewed for workflow, provenance, and publishing risk.",
+      ),
+    },
+  ),
   {
     id: "SCVS-2.9",
     name: "Complete and accurate inventory",
@@ -838,6 +865,12 @@ const SCVS_RULES = [
     "Application uses CI build pipeline",
     "Application uses a continuous integration build pipeline.",
     { l1: true, l2: true, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("3.3"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review the resolved repository workflows to confirm a CI build pipeline is present and corresponds to the released package.",
+      ),
+    },
   ),
   scvsManual(
     "3.4",
@@ -856,6 +889,12 @@ const SCVS_RULES = [
     "No arbitrary code execution",
     "Application build pipeline prohibits the execution of arbitrary code outside of the context of a jobs build script.",
     { l1: false, l2: true, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("3.6"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review workflow and publishing findings for risky scripts, hidden Unicode, and legacy token-based release steps that may indicate unsafe build execution paths.",
+      ),
+    },
   ),
   scvsManual(
     "3.7",
@@ -1063,12 +1102,24 @@ const SCVS_RULES = [
     "Version-to-source correlation",
     "Package repository provides a verifiable way of correlating component versions to specific source codes in version control.",
     { l1: false, l2: true, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("4.10"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review the resolved repository URL, version mapping, and source correlation details for the component version under review.",
+      ),
+    },
   ),
   scvsManual(
     "4.11",
     "Package repository auditability",
     "Package repository provides auditability when components are updated.",
     { l1: true, l2: true, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("4.11"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review provenance, publisher drift, publish timing, and trusted-publishing signals to assess whether package updates are auditable.",
+      ),
+    },
   ),
   scvsManual(
     "4.12",
@@ -1235,12 +1286,24 @@ const SCVS_RULES = [
     "Point of origin verifiable",
     "Point of origin is verifiable for source code and binary components.",
     { l1: false, l2: true, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("6.1"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review the resolved repository and registry provenance signals to confirm the package point of origin is verifiable.",
+      ),
+    },
   ),
   scvsManual(
     "6.2",
     "Chain of custody auditable",
     "Chain of custody if auditable for source code and binary components.",
     { l1: false, l2: false, l3: true },
+    {
+      evidence: buildCdxAuditAssistEvidence("6.2"),
+      mitigation: buildCdxAuditAssistMitigation(
+        "Review provenance, publisher identity changes, trusted-publishing status, and source-repository correlation to assess auditable chain-of-custody evidence.",
+      ),
+    },
   ),
   {
     id: "SCVS-6.3",

package/lib/validator/complianceRules.poku.js

@@ -282,6 +282,36 @@ describe("SCVS automatable rules on a clean BOM", () => {
   });
 });
 
+describe("SCVS manual controls with predictive audit assistance", () => {
+  it("includes cdx-audit guidance for mapped manual-review controls", () => {
+    const mappedRuleIds = [
+      "SCVS-2.8",
+      "SCVS-3.3",
+      "SCVS-3.6",
+      "SCVS-4.10",
+      "SCVS-4.11",
+      "SCVS-6.1",
+      "SCVS-6.2",
+    ];
+
+    mappedRuleIds.forEach((ruleId) => {
+      const rule = getScvsRules().find((entry) => entry.id === ruleId);
+      assert.ok(rule, `missing rule ${ruleId}`);
+      const result = rule.evaluate(baseBom());
+      assert.strictEqual(result.status, "manual");
+      assert.match(
+        result.mitigation,
+        /cdx-audit --bom bom\.json --scope required/,
+      );
+      assert.strictEqual(
+        result.evidence?.suggestedCommand,
+        "cdx-audit --bom bom.json --scope required",
+      );
+      assert.strictEqual(result.evidence?.reviewMode, "manual-with-cdx-audit");
+    });
+  });
+});
+
 describe("CRA rules", () => {
   const rules = getCraRules();
 

package/lib/validator/reporters/annotations.js

@@ -5,10 +5,10 @@
  * CycloneDX supports the annotation schema from spec version 1.5 onward.
  */
 
+import { buildAnnotationText } from "../../helpers/annotationFormatter.js";
 import { DEBUG_MODE, getTimestamp } from "../../helpers/utils.js";
 
 const SUPPORTED_FROM = 1.5;
-const CODE_BLOCK = "```";
 
 /**
  * Render a set of findings into CycloneDX annotations.
@@ -81,7 +81,7 @@ export function buildAnnotations(findings, bomJson) {
         component: cdxgenAnnotator[0],
       },
       timestamp,
-      text: `${f.message}\n${CODE_BLOCK}\n${JSON.stringify(properties)}\n${CODE_BLOCK}`,
+      text: buildAnnotationText(f.message, properties),
     };
   });
 }

package/lib/validator/reporters/console.js

@@ -144,6 +144,17 @@ export function render(report) {
         title: `Manual review required (${manual.length})`,
       }),
     );
+    if (
+      manual.some((finding) =>
+        finding?.mitigation?.includes(
+          "cdx-audit --bom bom.json --scope required",
+        ),
+      )
+    ) {
+      pieces.push(
+        "Tip: some manual SCVS controls can be supported with predictive audit evidence. Run `cdx-audit --bom bom.json --scope required` against the same SBOM and review the flagged repositories, workflows, provenance, and publishing signals.",
+      );
+    }
   }
   return pieces.filter(Boolean).join("\n");
 }

package/lib/validator/reporters.poku.js

@@ -82,6 +82,18 @@ describe("reporter dispatcher", () => {
     assert.match(out, /SCVS-2\.4/);
   });
 
+  it("console reporter suggests cdx-audit when manual controls include predictive-audit guidance", () => {
+    const report = sampleReport();
+    report.findings[1].mitigation =
+      "To support manual verification, run `cdx-audit --bom bom.json --scope required` against the same SBOM.";
+    const out = render("console", report);
+    assert.match(
+      out,
+      /Tip: some manual SCVS controls can be supported with predictive audit evidence/,
+    );
+    assert.match(out, /cdx-audit --bom bom\.json --scope required/);
+  });
+
   it("json reporter emits stable schema", () => {
     const out = render("json", sampleReport());
     const parsed = JSON.parse(out);
@@ -136,6 +148,7 @@ describe("reporter dispatcher", () => {
     const first = parsed.annotations[0];
     assert.ok(first.subjects[0].includes(bomJson.serialNumber));
     assert.ok(first.annotator);
+    assert.match(first.text, /\| Property \| Value \|/);
   });
 
   it("annotations reporter skips when spec version is below 1.5", () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "12.2.1",
+  "version": "12.3.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -82,6 +82,8 @@
   "types": "./types/lib/cli/index.d.ts",
   "bin": {
     "cbom": "bin/cdxgen.js",
+    "cdx-audit": "bin/audit.js",
+    "cdx-convert": "bin/convert.js",
     "cdx-validate": "bin/validate.js",
     "cdx-verify": "bin/verify.js",
     "cdx-sign": "bin/sign.js",
@@ -90,7 +92,8 @@
     "cdxi": "bin/repl.js",
     "evinse": "bin/evinse.js",
     "obom": "bin/cdxgen.js",
-    "saasbom": "bin/cdxgen.js"
+    "saasbom": "bin/cdxgen.js",
+    "spdxgen": "bin/cdxgen.js"
   },
   "files": [
     "*.js",
@@ -109,7 +112,7 @@
     "@npmcli/map-workspaces": "5.0.3",
     "@npmcli/name-from-folder": "4.0.0",
     "@npmcli/package-json": "7.0.5",
-    "ajv": "8.18.0",
+    "ajv": "8.20.0",
     "ajv-formats": "3.0.1",
     "bin-links": "6.0.0",
     "cheerio": "1.2.0",
@@ -131,7 +134,7 @@
     "ssri": "13.0.1",
     "tar": "7.5.13",
     "treeverse": "3.0.0",
-    "uuid": "13.0.0",
+    "uuid": "14.0.0",
     "walk-up-path": "4.0.0",
     "xml-js": "1.6.11",
     "yaml": "2.8.3",
@@ -139,11 +142,11 @@
     "yoctocolors": "2.1.2"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.4.12",
+    "@biomejs/biome": "2.4.13",
     "esmock": "2.7.3",
-    "poku": "4.2.1",
+    "poku": "4.3.0",
     "sinon": "21.1.2",
-    "typescript": "6.0.2"
+    "typescript": "6.0.3"
   },
   "optionalDependencies": {
     "@appthreat/atom": "2.5.2",

package/types/bin/audit.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=audit.d.ts.map

package/types/bin/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../bin/audit.js"],"names":[],"mappings":""}

package/types/bin/convert.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=convert.d.ts.map

package/types/bin/convert.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"convert.d.ts","sourceRoot":"","sources":["../../bin/convert.js"],"names":[],"mappings":""}

package/types/bin/repl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../bin/repl.js"],"names":[],"mappings":";AAsEO,kDAsCN"}
+{"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../bin/repl.js"],"names":[],"mappings":";AAsKO,kDAmDN"}

package/types/lib/audit/index.d.ts

@@ -0,0 +1,115 @@
+/**
+ * Read and validate a CycloneDX BOM file.
+ *
+ * @param {string} bomPath BOM file path
+ * @returns {object} parsed CycloneDX BOM
+ */
+export function loadBomFile(bomPath: string): object;
+/**
+ * Recursively list JSON files under a BOM directory.
+ *
+ * @param {string} bomDir directory path
+ * @returns {string[]} discovered file paths
+ */
+export function listBomFiles(bomDir: string): string[];
+/**
+ * Load input BOM files from either a single file or a directory.
+ *
+ * @param {object} options CLI options
+ * @returns {{ source: string, bomJson: object }[]} loaded input BOMs
+ */
+export function loadInputBoms(options: object): {
+    source: string;
+    bomJson: object;
+}[];
+/**
+ * Build low-noise provenance-aware contextual findings from the root BOM target.
+ *
+ * These are intentionally conservative and only fire when there is explicit risk
+ * posture already present in the target metadata.
+ *
+ * @param {object} target audit target
+ * @returns {object[]} contextual findings
+ */
+export function buildTargetContextFindings(target: object): object[];
+/**
+ * Resolve the most specific Python package directory inside a cloned repo.
+ *
+ * @param {string} cloneDir cloned repository root
+ * @param {object} target audit target
+ * @returns {{ confidence: string, scanDir: string }} selected directory and confidence
+ */
+export function resolvePythonSourceDirectory(cloneDir: string, target: object): {
+    confidence: string;
+    scanDir: string;
+};
+/**
+ * Resolve the most appropriate scan directory for a cloned target repository.
+ *
+ * @param {string} cloneDir cloned repository root
+ * @param {object} target audit target
+ * @param {object} resolution repository resolution metadata
+ * @returns {{ confidence: string, scanDir: string }} selected directory and confidence
+ */
+export function resolveTargetSourceDirectory(cloneDir: string, target: object, resolution: object): {
+    confidence: string;
+    scanDir: string;
+};
+/**
+ * Build shallow predictive findings for suspicious Python packaging files.
+ *
+ * Phase 1 intentionally focuses on high-signal packaging surfaces (`setup.py`
+ * and package `__init__.py`) until deeper Python static analysis is added.
+ *
+ * @param {string} scanDir cloned repository scan directory
+ * @param {object} target audit target
+ * @returns {object[]} predictive findings
+ */
+export function buildPythonSourceHeuristicFindings(scanDir: string, target: object): object[];
+/**
+ * Analyze a single purl target by generating a child SBOM and auditing it.
+ *
+ * @param {object} target audit target
+ * @param {object} options CLI options
+ * @returns {Promise<object>} analyzed target result
+ */
+export function auditTarget(target: object, options: object): Promise<object>;
+export function groupAuditResults(results: any): any[];
+/**
+ * Run the predictive audit flow from one or more already-loaded CycloneDX BOM inputs.
+ *
+ * @param {{ source: string, bomJson: object }[]} inputBoms loaded CycloneDX BOM objects
+ * @param {object} options CLI options
+ * @returns {Promise<object>} aggregate audit report
+ */
+export function runAuditFromBoms(inputBoms: {
+    source: string;
+    bomJson: object;
+}[], options: object): Promise<object>;
+/**
+ * Run the predictive audit flow from one or more CycloneDX BOM inputs.
+ *
+ * @param {object} options CLI options
+ * @returns {Promise<object>} aggregate audit report
+ */
+export function runAudit(options: object): Promise<object>;
+/**
+ * Render a report and compute the proper process exit code.
+ *
+ * @param {object} report aggregate report
+ * @param {object} options CLI options
+ * @returns {{ exitCode: number, output: string }} rendered output and exit code
+ */
+export function finalizeAuditReport(report: object, options: object): {
+    exitCode: number;
+    output: string;
+};
+/**
+ * Build a result file name for user-provided report output paths.
+ *
+ * @param {object} options CLI options
+ * @returns {string | undefined} output file path
+ */
+export function defaultOutputFile(options: object): string | undefined;
+export const DEFAULT_AUDIT_CATEGORIES: string[];
+//# sourceMappingURL=index.d.ts.map

package/types/lib/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/audit/index.js"],"names":[],"mappings":"AAyFA;;;;;GAKG;AACH,qCAHW,MAAM,GACJ,MAAM,CAclB;AAED;;;;;GAKG;AACH,qCAHW,MAAM,GACJ,MAAM,EAAE,CAoBpB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,GACJ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAAE,CA0BjD;AAkbD;;;;;;;;GAQG;AACH,mDAHW,MAAM,GACJ,MAAM,EAAE,CAwXpB;AAgJD;;;;;;GAMG;AACH,uDAJW,MAAM,UACN,MAAM,GACJ;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CA0CnD;AAED;;;;;;;GAOG;AACH,uDALW,MAAM,UACN,MAAM,cACN,MAAM,GACJ;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAuBnD;AAoED;;;;;;;;;GASG;AACH,4DAJW,MAAM,UACN,MAAM,GACJ,MAAM,EAAE,CAkEpB;AAuBD;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAgN3B;AAgJD,uDA2BC;AAoBD;;;;;;GAMG;AACH,4CAJW;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAAE,WACrC,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAkF3B;AAED;;;;;GAKG;AACH,kCAHW,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAe3B;AAED;;;;;;GAMG;AACH,4CAJW,MAAM,WACN,MAAM,GACJ;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAmBhD;AAED;;;;;GAKG;AACH,2CAHW,MAAM,GACJ,MAAM,GAAG,SAAS,CAU9B;AAn1DD,gDAIE"}

package/types/lib/audit/progress.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Build a human-readable label for an audit target.
+ *
+ * @param {object} target audit target
+ * @returns {string} formatted target label
+ */
+export function formatTargetLabel(target: object): string;
+/**
+ * Decide if interactive progress should be shown.
+ *
+ * @param {object} [options] progress options
+ * @returns {boolean} true when spinner-style progress is appropriate
+ */
+export function shouldRenderProgress(options?: object): boolean;
+/**
+ * Create a dependency-free progress renderer for cdx-audit.
+ *
+ * Progress is always written to stderr so JSON/stdout reports remain clean.
+ *
+ * @param {object} [options] progress options
+ * @returns {{ onProgress: Function, stop: Function }} progress controller
+ */
+export function createProgressTracker(options?: object): {
+    onProgress: Function;
+    stop: Function;
+};
+//# sourceMappingURL=progress.d.ts.map

package/types/lib/audit/progress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"progress.d.ts","sourceRoot":"","sources":["../../../lib/audit/progress.js"],"names":[],"mappings":"AAKA;;;;;GAKG;AACH,0CAHW,MAAM,GACJ,MAAM,CAMlB;AAED;;;;;GAKG;AACH,+CAHW,MAAM,GACJ,OAAO,CAWnB;AAED;;;;;;;GAOG;AACH,gDAHW,MAAM,GACJ;IAAE,UAAU,WAAW;IAAC,IAAI,WAAU;CAAE,CAgGpD"}

package/types/lib/audit/reporters.d.ts

@@ -0,0 +1,35 @@
+export function renderSarifReport(report: any, options?: {}): string;
+/**
+ * Render an audit report as pretty JSON.
+ *
+ * @param {object} report aggregate report
+ * @returns {string} JSON output
+ */
+export function renderJsonReport(report: object): string;
+/**
+ * Render an audit report for terminal output.
+ *
+ * @param {object} report aggregate report
+ * @param {object} options render options
+ * @returns {string} console report text
+ */
+export function renderConsoleReport(report: object, options?: object): string;
+/**
+ * Render the requested report format.
+ *
+ * @param {string} reportType format name
+ * @param {object} report aggregate report
+ * @param {object} options render options
+ * @returns {string} rendered report
+ */
+export function renderAuditReport(reportType: string, report: object, options?: object): string;
+/**
+ * Convert predictive audit results into CycloneDX annotations.
+ *
+ * @param {object} report aggregate audit report
+ * @param {object} bomJson root CycloneDX BOM
+ * @param {object} [options] annotation options
+ * @returns {object[]} annotations
+ */
+export function formatPredictiveAnnotations(report: object, bomJson: object, options?: object): object[];
+//# sourceMappingURL=reporters.d.ts.map

package/types/lib/audit/reporters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporters.d.ts","sourceRoot":"","sources":["../../../lib/audit/reporters.js"],"names":[],"mappings":"AA0ZA,qEAkDC;AAED;;;;;GAKG;AACH,yCAHW,MAAM,GACJ,MAAM,CAIlB;AAED;;;;;;GAMG;AACH,4CAJW,MAAM,YACN,MAAM,GACJ,MAAM,CAkClB;AAED;;;;;;;GAOG;AACH,8CALW,MAAM,UACN,MAAM,YACN,MAAM,GACJ,MAAM,CAUlB;AAED;;;;;;;GAOG;AACH,oDALW,MAAM,WACN,MAAM,YACN,MAAM,GACJ,MAAM,EAAE,CAgFpB"}

package/types/lib/audit/scoring.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Convert a numeric confidence score into a human readable label.
+ *
+ * @param {number} confidence confidence score
+ * @returns {string} confidence label
+ */
+export function confidenceLabel(confidence: number): string;
+/**
+ * Check if a severity meets the given threshold.
+ *
+ * @param {string} severity severity to compare
+ * @param {string} threshold threshold severity
+ * @returns {boolean} true if severity is at or above threshold
+ */
+export function severityMeetsThreshold(severity: string, threshold: string): boolean;
+/**
+ * Conservatively score predictive supply-chain risk for a single target.
+ *
+ * High and critical require corroboration across categories and strong findings,
+ * which keeps false positives low.
+ *
+ * @param {object[]} findings post-generation audit findings
+ * @param {object} target target metadata
+ * @param {object} context additional scan context
+ * @returns {object} conservative risk assessment
+ */
+export function scoreTargetRisk(findings: object[], target: object, context?: object): object;
+export namespace SEVERITY_ORDER {
+    let none: number;
+    let low: number;
+    let medium: number;
+    let high: number;
+    let critical: number;
+}
+//# sourceMappingURL=scoring.d.ts.map

package/types/lib/audit/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../../../lib/audit/scoring.js"],"names":[],"mappings":"AAyDA;;;;;GAKG;AACH,4CAHW,MAAM,GACJ,MAAM,CAUlB;AAED;;;;;;GAMG;AACH,iDAJW,MAAM,aACN,MAAM,GACJ,OAAO,CAMnB;AAED;;;;;;;;;;GAUG;AACH,0CALW,MAAM,EAAE,UACR,MAAM,YACN,MAAM,GACJ,MAAM,CAsNlB"}

package/types/lib/audit/targets.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Determine whether a CycloneDX component scope should be treated as required.
+ *
+ * Missing scope is treated as required to match the main BOM filtering flow.
+ *
+ * @param {string | undefined} scope component scope
+ * @returns {boolean} true when the component is required for predictive audit selection
+ */
+export function isRequiredComponentScope(scope: string | undefined): boolean;
+/**
+ * Normalize package names for safe matching and grouping.
+ *
+ * @param {string | undefined} packageName package name
+ * @returns {string} normalized package name
+ */
+export function normalizePackageName(packageName: string | undefined): string;
+/**
+ * Extract npm and PyPI package-url targets from a CycloneDX BOM.
+ *
+ * @param {object} bomJson CycloneDX BOM
+ * @param {string} sourceName source BOM path or label
+ * @param {number | object | undefined} [options] selector options
+ * @returns {{ targets: object[], skipped: object[] }} extracted targets and skipped components
+ */
+export function extractPurlTargetsFromBom(bomJson: object, sourceName: string, options?: number | object | undefined): {
+    targets: object[];
+    skipped: object[];
+};
+/**
+ * Merge targets across many BOMs by purl.
+ *
+ * @param {{ source: string, bomJson: object }[]} inputBoms input BOMs
+ * @param {number | object | undefined} [options] selector options or a legacy maxTargets value
+ * @returns {{
+ *   skipped: object[],
+ *   stats: {
+ *     availableTargets: number,
+ *     nonRequiredTargets: number,
+ *     requiredTargets: number,
+ *     trustedTargets: number,
+ *     trustedTargetsExcluded: number,
+ *     truncatedTargets: number,
+ *   },
+ *   targets: object[],
+ * }} merged targets and skipped components
+ */
+export function collectAuditTargets(inputBoms: {
+    source: string;
+    bomJson: object;
+}[], options?: number | object | undefined): {
+    skipped: object[];
+    stats: {
+        availableTargets: number;
+        nonRequiredTargets: number;
+        requiredTargets: number;
+        trustedTargets: number;
+        trustedTargetsExcluded: number;
+        truncatedTargets: number;
+    };
+    targets: object[];
+};
+export const SUPPORTED_PURL_TYPES: Set<string>;
+//# sourceMappingURL=targets.d.ts.map

package/types/lib/audit/targets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"targets.d.ts","sourceRoot":"","sources":["../../../lib/audit/targets.js"],"names":[],"mappings":"AAqCA;;;;;;;GAOG;AACH,gDAHW,MAAM,GAAG,SAAS,GAChB,OAAO,CAOnB;AAyBD;;;;;GAKG;AACH,kDAHW,MAAM,GAAG,SAAS,GAChB,MAAM,CAOlB;AAED;;;;;;;GAOG;AACH,mDALW,MAAM,cACN,MAAM,YACN,MAAM,GAAG,MAAM,GAAG,SAAS,GACzB;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CA+DpD;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,+CAfW;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAAE,YACrC,MAAM,GAAG,MAAM,GAAG,SAAS,GACzB;IACR,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE;QACL,gBAAgB,EAAE,MAAM,CAAC;QACzB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,eAAe,EAAE,MAAM,CAAC;QACxB,cAAc,EAAE,MAAM,CAAC;QACvB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,gBAAgB,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAkFH;AA7PD,+CAAsD"}

package/types/lib/cli/index.d.ts

@@ -242,6 +242,14 @@ export function createCsharpBom(path: string, options: Object): Promise<Object |
  * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export function createVscodeExtensionBom(path: string, options: Object): Promise<Object>;
+/**
+ * Function to create BOM for installed Chrome and Chromium-based browser extensions.
+ *
+ * @param {string} path to the project path or a directly provided extension path
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export function createChromeExtensionBom(path: string, options: Object): Promise<Object>;
 /**
  * Function to create bom object for cryptographic certificate files
  *

package/types/lib/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AA60BA;;;;;;;;;GASG;AACH,wCANW,MAAM,cACN,MAAM,OACN,MAAM,UACN,MAAM,GACJ,MAAM,EAAE,CAcpB;AA2ZD;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM,GAEJ,MAAM,CA0ElB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAI5B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAiB5B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA+tC3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAi6B3B;AAgFD;;;;;;;;;;;GAWG;AACH,qDAHW,MAAM,GACJ,MAAM,GAAG,IAAI,CAwEzB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAuhB3B;AAED;;;;;;GAMG;AACH,kCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoavC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAqIrC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAiE3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA6MlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA+GlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAyBlB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAsBlB;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoD3B;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2C3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0I3B;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoJvC;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoH3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA6C3B;AAED;;;;;;GAMG;AACH,iDAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAkU3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA4JlB;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAuP3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAkbrC;AAED;;;;;;;;;GASG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2F3B;AA2FD;;;;;;GAMG;AACH,2CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAmC3B;AAED;;;;;;;;;GASG;AACH,mCAPW,MAAM,sCAEN,MAAM,wBAGJ,MAAM,CAyClB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,EAAE,WACR,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAy0B3B;AAED;;;;;;GAMG;AACH,iCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CA6VrC;AAED;;;;;;GAMG;AACH,gCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAmR3B;AAED;;;;;;;GAOG;AACH,gCALW,MAAM,eACN,MAAM,GACL,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CA8FjD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AAo1BA;;;;;;;;;GASG;AACH,wCANW,MAAM,cACN,MAAM,OACN,MAAM,UACN,MAAM,GACJ,MAAM,EAAE,CAcpB;AA2ZD;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM,GAEJ,MAAM,CA0ElB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAI5B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAiB5B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA+tC3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAi6B3B;AAgFD;;;;;;;;;;;GAWG;AACH,qDAHW,MAAM,GACJ,MAAM,GAAG,IAAI,CAwEzB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2iB3B;AAED;;;;;;GAMG;AACH,kCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoavC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAqIrC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAiE3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA6MlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA+GlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAyBlB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAsBlB;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoD3B;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2C3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0I3B;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgKvC;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoH3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA6C3B;AAED;;;;;;GAMG;AACH,iDAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAkU3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA4JlB;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAuP3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAkbrC;AAED;;;;;;;;;GASG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2F3B;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAgD3B;AA2FD;;;;;;GAMG;AACH,2CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAmC3B;AAED;;;;;;;;;GASG;AACH,mCAPW,MAAM,sCAEN,MAAM,wBAGJ,MAAM,CAyClB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,EAAE,WACR,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAi3B3B;AAED;;;;;;GAMG;AACH,iCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAmWrC;AAED;;;;;;GAMG;AACH,gCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAsR3B;AAED;;;;;;;GAOG;AACH,gCALW,MAAM,eACN,MAAM,GACL,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CA8FjD"}