@cyclonedx/cdxgen 12.3.0 → 12.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (121)
  1. package/README.md +15 -5
  2. package/bin/audit.js +7 -0
  3. package/bin/cdxgen.js +241 -81
  4. package/bin/repl.js +138 -0
  5. package/data/rules/ai-agent-governance.yaml +249 -0
  6. package/data/rules/dependency-sources.yaml +41 -0
  7. package/data/rules/mcp-servers.yaml +304 -0
  8. package/data/rules/package-integrity.yaml +123 -0
  9. package/lib/audit/index.js +353 -29
  10. package/lib/audit/index.poku.js +247 -7
  11. package/lib/audit/reporters.js +26 -0
  12. package/lib/audit/scoring.js +262 -13
  13. package/lib/audit/scoring.poku.js +179 -0
  14. package/lib/audit/targets.js +391 -2
  15. package/lib/audit/targets.poku.js +416 -3
  16. package/lib/cli/index.js +588 -45
  17. package/lib/cli/index.poku.js +735 -1
  18. package/lib/evinser/evinser.js +8 -5
  19. package/lib/helpers/agentFormulationParser.js +318 -0
  20. package/lib/helpers/aiInventory.js +262 -0
  21. package/lib/helpers/aiInventory.poku.js +111 -0
  22. package/lib/helpers/analyzer.js +1769 -0
  23. package/lib/helpers/analyzer.poku.js +284 -3
  24. package/lib/helpers/auditCategories.js +76 -0
  25. package/lib/helpers/ciParsers/githubActions.js +140 -16
  26. package/lib/helpers/ciParsers/githubActions.poku.js +110 -0
  27. package/lib/helpers/communityAiConfigParser.js +672 -0
  28. package/lib/helpers/communityAiConfigParser.poku.js +63 -0
  29. package/lib/helpers/depsUtils.js +108 -0
  30. package/lib/helpers/depsUtils.poku.js +72 -1
  31. package/lib/helpers/display.js +325 -3
  32. package/lib/helpers/display.poku.js +301 -0
  33. package/lib/helpers/formulationParsers.js +28 -0
  34. package/lib/helpers/formulationParsers.poku.js +504 -1
  35. package/lib/helpers/jsonLike.js +102 -0
  36. package/lib/helpers/jsonLike.poku.js +34 -0
  37. package/lib/helpers/mcp.js +248 -0
  38. package/lib/helpers/mcp.poku.js +101 -0
  39. package/lib/helpers/mcpConfigParser.js +656 -0
  40. package/lib/helpers/mcpConfigParser.poku.js +126 -0
  41. package/lib/helpers/mcpDiscovery.js +84 -0
  42. package/lib/helpers/mcpDiscovery.poku.js +21 -0
  43. package/lib/helpers/protobom.js +3 -3
  44. package/lib/helpers/provenanceUtils.js +29 -4
  45. package/lib/helpers/provenanceUtils.poku.js +29 -3
  46. package/lib/helpers/registryProvenance.js +210 -0
  47. package/lib/helpers/registryProvenance.poku.js +144 -0
  48. package/lib/helpers/rustFormulationParser.js +330 -0
  49. package/lib/helpers/source.js +21 -2
  50. package/lib/helpers/source.poku.js +38 -0
  51. package/lib/helpers/utils.js +1331 -83
  52. package/lib/helpers/utils.poku.js +599 -188
  53. package/lib/helpers/vsixutils.js +12 -4
  54. package/lib/helpers/vsixutils.poku.js +34 -0
  55. package/lib/managers/binary.js +36 -12
  56. package/lib/managers/binary.poku.js +68 -0
  57. package/lib/managers/docker.js +59 -9
  58. package/lib/managers/docker.poku.js +61 -0
  59. package/lib/managers/piptree.js +12 -7
  60. package/lib/managers/piptree.poku.js +44 -0
  61. package/lib/stages/postgen/annotator.js +2 -1
  62. package/lib/stages/postgen/annotator.poku.js +15 -0
  63. package/lib/stages/postgen/auditBom.js +20 -6
  64. package/lib/stages/postgen/auditBom.poku.js +694 -1
  65. package/lib/stages/postgen/postgen.js +262 -11
  66. package/lib/stages/postgen/postgen.poku.js +306 -2
  67. package/lib/stages/postgen/ruleEngine.js +49 -1
  68. package/lib/stages/postgen/spdxConverter.poku.js +70 -0
  69. package/lib/stages/pregen/pregen.js +6 -4
  70. package/package.json +1 -1
  71. package/types/bin/repl.d.ts.map +1 -1
  72. package/types/lib/audit/index.d.ts.map +1 -1
  73. package/types/lib/audit/reporters.d.ts.map +1 -1
  74. package/types/lib/audit/scoring.d.ts.map +1 -1
  75. package/types/lib/audit/targets.d.ts +12 -0
  76. package/types/lib/audit/targets.d.ts.map +1 -1
  77. package/types/lib/cli/index.d.ts +2 -8
  78. package/types/lib/cli/index.d.ts.map +1 -1
  79. package/types/lib/evinser/evinser.d.ts.map +1 -1
  80. package/types/lib/helpers/agentFormulationParser.d.ts +19 -0
  81. package/types/lib/helpers/agentFormulationParser.d.ts.map +1 -0
  82. package/types/lib/helpers/aiInventory.d.ts +23 -0
  83. package/types/lib/helpers/aiInventory.d.ts.map +1 -0
  84. package/types/lib/helpers/analyzer.d.ts +10 -0
  85. package/types/lib/helpers/analyzer.d.ts.map +1 -1
  86. package/types/lib/helpers/auditCategories.d.ts +12 -0
  87. package/types/lib/helpers/auditCategories.d.ts.map +1 -0
  88. package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
  89. package/types/lib/helpers/communityAiConfigParser.d.ts +29 -0
  90. package/types/lib/helpers/communityAiConfigParser.d.ts.map +1 -0
  91. package/types/lib/helpers/depsUtils.d.ts +8 -0
  92. package/types/lib/helpers/depsUtils.d.ts.map +1 -1
  93. package/types/lib/helpers/display.d.ts +17 -1
  94. package/types/lib/helpers/display.d.ts.map +1 -1
  95. package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
  96. package/types/lib/helpers/jsonLike.d.ts +4 -0
  97. package/types/lib/helpers/jsonLike.d.ts.map +1 -0
  98. package/types/lib/helpers/mcp.d.ts +29 -0
  99. package/types/lib/helpers/mcp.d.ts.map +1 -0
  100. package/types/lib/helpers/mcpConfigParser.d.ts +30 -0
  101. package/types/lib/helpers/mcpConfigParser.d.ts.map +1 -0
  102. package/types/lib/helpers/mcpDiscovery.d.ts +5 -0
  103. package/types/lib/helpers/mcpDiscovery.d.ts.map +1 -0
  104. package/types/lib/helpers/provenanceUtils.d.ts +5 -3
  105. package/types/lib/helpers/provenanceUtils.d.ts.map +1 -1
  106. package/types/lib/helpers/registryProvenance.d.ts +9 -0
  107. package/types/lib/helpers/registryProvenance.d.ts.map +1 -1
  108. package/types/lib/helpers/rustFormulationParser.d.ts +17 -0
  109. package/types/lib/helpers/rustFormulationParser.d.ts.map +1 -0
  110. package/types/lib/helpers/source.d.ts.map +1 -1
  111. package/types/lib/helpers/utils.d.ts +31 -1
  112. package/types/lib/helpers/utils.d.ts.map +1 -1
  113. package/types/lib/helpers/vsixutils.d.ts.map +1 -1
  114. package/types/lib/managers/binary.d.ts.map +1 -1
  115. package/types/lib/managers/docker.d.ts.map +1 -1
  116. package/types/lib/managers/piptree.d.ts.map +1 -1
  117. package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
  118. package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
  119. package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
  120. package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
  121. package/types/lib/stages/pregen/pregen.d.ts.map +1 -1
@@ -145,6 +145,41 @@ describe("githubActionsParser", () => {
145
145
  assert.deepStrictEqual(result.workflows, []);
146
146
  });
147
147
 
148
+ it("gracefully handles non-string run fields", () => {
149
+ const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-"));
150
+ const workflowFile = path.join(tmpDir, "non-string-run.yml");
151
+ writeFileSync(
152
+ workflowFile,
153
+ [
154
+ "name: Non-string run",
155
+ "on: push",
156
+ "jobs:",
157
+ " build:",
158
+ " runs-on: ubuntu-latest",
159
+ " steps:",
160
+ " - name: Numeric run",
161
+ " run: 42",
162
+ " - name: Object run",
163
+ " run:",
164
+ " nested: true",
165
+ ].join("\n"),
166
+ );
167
+
168
+ try {
169
+ const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
170
+ assert.strictEqual(result.workflows.length, 1);
171
+ assert.ok(result.workflows[0].tasks?.length > 0);
172
+ const runStepComp = result.components.find(
173
+ (component) =>
174
+ getProp(component, "cdx:github:step:type") === "run" &&
175
+ getProp(component, "cdx:github:step:command") === "42",
176
+ );
177
+ assert.ok(runStepComp, "expected numeric run step to be normalized");
178
+ } finally {
179
+ rmSync(tmpDir, { force: true, recursive: true });
180
+ }
181
+ });
182
+
148
183
  it("derives unnamed workflow names from the file stem without leaking Windows-style path segments", () => {
149
184
  const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-"));
150
185
  const workflowFile = path.join(tmpDir, "nested\\workflow-file.yml");
@@ -220,6 +255,81 @@ describe("githubActionsParser", () => {
220
255
  );
221
256
  });
222
257
 
258
+ it("annotates Cargo setup, cache, and cargo run steps", () => {
259
+ const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-cargo-"));
260
+ const workflowFile = path.join(tmpDir, "cargo.yml");
261
+ writeFileSync(
262
+ workflowFile,
263
+ [
264
+ "name: Cargo CI",
265
+ "on: push",
266
+ "jobs:",
267
+ " rust:",
268
+ " runs-on: ubuntu-latest",
269
+ " steps:",
270
+ " - uses: dtolnay/rust-toolchain@stable",
271
+ " - uses: actions/cache@v4",
272
+ " with:",
273
+ " path: |",
274
+ " ~/.cargo/registry",
275
+ " ~/.cargo/git",
276
+ " key: cargo-$" +
277
+ "{{ runner.os }}-$" +
278
+ "{{ hashFiles('**/Cargo.lock') }}",
279
+ " - run: cargo build --workspace && cargo test --workspace",
280
+ ].join("\n"),
281
+ );
282
+
283
+ try {
284
+ const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
285
+ const cargoToolchainComp = result.components.find(
286
+ (component) =>
287
+ getProp(component, "cdx:github:action:uses") ===
288
+ "dtolnay/rust-toolchain@stable",
289
+ );
290
+ const cargoCacheComp = result.components.find(
291
+ (component) =>
292
+ getProp(component, "cdx:github:action:uses") === "actions/cache@v4",
293
+ );
294
+ const cargoRunComp = result.components.find(
295
+ (component) =>
296
+ getProp(component, "cdx:github:step:usesCargo") === "true",
297
+ );
298
+ assert.ok(
299
+ cargoToolchainComp,
300
+ "expected Cargo toolchain action component",
301
+ );
302
+ assert.strictEqual(
303
+ getProp(cargoToolchainComp, "cdx:github:action:ecosystem"),
304
+ "cargo",
305
+ );
306
+ assert.strictEqual(
307
+ getProp(cargoToolchainComp, "cdx:github:action:role"),
308
+ "toolchain",
309
+ );
310
+ assert.ok(cargoCacheComp, "expected Cargo cache action component");
311
+ assert.strictEqual(
312
+ getProp(cargoCacheComp, "cdx:github:action:ecosystem"),
313
+ "cargo",
314
+ );
315
+ assert.strictEqual(
316
+ getProp(cargoCacheComp, "cdx:github:action:role"),
317
+ "cache",
318
+ );
319
+ assert.ok(cargoRunComp, "expected Cargo run step component");
320
+ assert.strictEqual(
321
+ getProp(cargoRunComp, "cdx:github:step:cargoSubcommands"),
322
+ "build,test",
323
+ );
324
+ assert.strictEqual(
325
+ getProp(cargoRunComp, "cdx:github:step:cargoWorkspaceScope"),
326
+ "true",
327
+ );
328
+ } finally {
329
+ rmSync(tmpDir, { force: true, recursive: true });
330
+ }
331
+ });
332
+
223
333
  describe("checkout persist-credentials property emission", () => {
224
334
  it("emits persistCredentials=true when not specified (default)", () => {
225
335
  const result = parseWorkflow("checkout-default.yml");
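Review bot: The "gracefully handles non-string run fields" test in the first hunk (new lines 148–182) writes two malformed steps but asserts only the numeric one, so the outcome of the object-valued `run:` step (`nested: true`) is never pinned and a regression that stringified it to `[object Object]` would still pass. A negative check next to the existing `assert.ok(runStepComp, ...)`, e.g. `assert.ok(!result.components.some((c) => getProp(c, "cdx:github:step:command") === "[object Object]"), "object run step must not be stringified");`, would cover the second case the test name promises. In the Cargo test (second hunk), the `" key: cargo-$" + "{{ runner.os }}-$" + ...` concatenation is presumably a workaround for a lint rule that flags `${` inside plain strings; a comment such as `// "$" and "{{" are kept in separate literals so the string is not mistaken for a template placeholder` would stop the next reader from merging it back. Both tests sit inside the `describe("githubActionsParser", ...)` block, whose start and end lie outside these hunks.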