@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/communityAiConfigParser.poku.js

@@ -0,0 +1,63 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+describe("communityAiConfigParser", () => {
+  it("normalizes Windows paths for community ecosystem discovery", async () => {
+    const readFileSync = sinon.stub();
+    readFileSync
+      .withArgs("C:\\repo\\.opencode\\agents\\review.md", "utf-8")
+      .returns(
+        [
+          "---",
+          "description: Reviews code for bugs and quality",
+          "mode: subagent",
+          "model: anthropic/claude-sonnet-4-20250514",
+          "---",
+          "Focus on code review findings.",
+        ].join("\n"),
+      );
+    readFileSync
+      .withArgs("C:\\repo\\.nanocoder\\commands\\fix.md", "utf-8")
+      .returns(
+        [
+          "---",
+          "description: Apply the standard fix workflow",
+          "category: engineering",
+          "tags: [bugfix, workflow]",
+          "---",
+          "1. Reproduce the issue",
+        ].join("\n"),
+      );
+    const { communityAiConfigParser } = await esmock(
+      "./communityAiConfigParser.js",
+      {
+        "node:fs": { readFileSync },
+      },
+    );
+
+    const result = communityAiConfigParser.parse([
+      "C:\\repo\\.opencode\\agents\\review.md",
+      "C:\\repo\\.nanocoder\\commands\\fix.md",
+    ]);
+
+    assert.ok(
+      result.components.some(
+        (component) =>
+          getProp(component, "cdx:agent:framework") === "opencode" &&
+          getProp(component, "cdx:file:kind") === "agent-definition",
+      ),
+    );
+    assert.ok(
+      result.components.some(
+        (component) =>
+          getProp(component, "cdx:agent:framework") === "nanocoder" &&
+          getProp(component, "cdx:file:kind") === "custom-command",
+      ),
+    );
+  });
+});

package/lib/helpers/depsUtils.js

@@ -82,6 +82,114 @@ export function mergeDependencies(
   return retlist;
 }
 
+function serviceIdentityKey(service) {
+  if (service?.["bom-ref"]) {
+    return service["bom-ref"].toLowerCase();
+  }
+  return `${service?.group || ""}:${service?.name || ""}:${service?.version || ""}`.toLowerCase();
+}
+
+function mergeServiceProperties(existingProps = [], newProps = []) {
+  const merged = [...existingProps];
+  for (const newProp of newProps) {
+    if (
+      !merged.find(
+        (prop) =>
+          prop?.name === newProp?.name && prop?.value === newProp?.value,
+      )
+    ) {
+      merged.push(newProp);
+    }
+  }
+  return merged;
+}
+
+function normalizeServiceEndpoints(endpoints) {
+  if (Array.isArray(endpoints)) {
+    return endpoints.filter(
+      (endpoint) => typeof endpoint === "string" && endpoint,
+    );
+  }
+  if (typeof endpoints === "string" && endpoints) {
+    return [endpoints];
+  }
+  return [];
+}
+
+/**
+ * Merge CycloneDX services using bom-ref or group/name/version identity.
+ *
+ * @param {Object[]|Object} services Existing service list
+ * @param {Object[]|Object} newServices New service list
+ * @returns {Object[]} Merged and deduplicated services
+ */
+export function mergeServices(services, newServices) {
+  const combined = []
+    .concat(services || [])
+    .concat(newServices || [])
+    .filter(Boolean);
+  const serviceMap = new Map();
+  for (const service of combined) {
+    const key = serviceIdentityKey(service);
+    if (!serviceMap.has(key)) {
+      serviceMap.set(key, {
+        ...service,
+        endpoints: Array.from(
+          new Set(normalizeServiceEndpoints(service.endpoints)),
+        ),
+        properties: mergeServiceProperties([], service.properties || []),
+        services: Array.isArray(service.services)
+          ? mergeServices([], service.services)
+          : undefined,
+      });
+      continue;
+    }
+    const existing = serviceMap.get(key);
+    existing.description = existing.description || service.description;
+    existing.group = existing.group || service.group;
+    existing.name = existing.name || service.name;
+    existing.version = existing.version || service.version;
+    existing.provider = existing.provider || service.provider;
+    existing.trustZone = existing.trustZone || service.trustZone;
+    if (service.authenticated === true) {
+      existing.authenticated = true;
+    } else if (
+      typeof existing.authenticated === "undefined" &&
+      typeof service.authenticated !== "undefined"
+    ) {
+      existing.authenticated = service.authenticated;
+    }
+    if (service["x-trust-boundary"] === true) {
+      existing["x-trust-boundary"] = true;
+    } else if (
+      typeof existing["x-trust-boundary"] === "undefined" &&
+      typeof service["x-trust-boundary"] !== "undefined"
+    ) {
+      existing["x-trust-boundary"] = service["x-trust-boundary"];
+    }
+    const incomingEndpoints = normalizeServiceEndpoints(service.endpoints);
+    if (incomingEndpoints.length) {
+      existing.endpoints = Array.from(
+        new Set([
+          ...normalizeServiceEndpoints(existing.endpoints),
+          ...incomingEndpoints,
+        ]),
+      );
+    }
+    existing.properties = mergeServiceProperties(
+      existing.properties || [],
+      service.properties || [],
+    );
+    if (Array.isArray(service.services) && service.services.length) {
+      existing.services = mergeServices(
+        existing.services || [],
+        service.services,
+      );
+    }
+  }
+  return Array.from(serviceMap.values());
+}
+
 /**
  * Trim duplicate components by retaining all the properties
  *

package/lib/helpers/depsUtils.poku.js

@@ -1,6 +1,10 @@
 import { assert, describe, it } from "poku";
 
-import { mergeDependencies, trimComponents } from "./depsUtils.js";
+import {
+  mergeDependencies,
+  mergeServices,
+  trimComponents,
+} from "./depsUtils.js";
 
 describe("mergeDependencies()", () => {
   it("merges two non-overlapping dependency arrays", () => {
@@ -205,3 +209,70 @@ describe("trimComponents()", () => {
     ]);
   });
 });
+
+describe("mergeServices()", () => {
+  it("merges matching services and deduplicates endpoints and properties", () => {
+    const result = mergeServices(
+      [
+        {
+          "bom-ref": "urn:service:mcp:demo:1.0.0",
+          name: "demo",
+          version: "1.0.0",
+          endpoints: ["/mcp"],
+          authenticated: false,
+          properties: [{ name: "cdx:mcp:transport", value: "streamable-http" }],
+        },
+      ],
+      [
+        {
+          "bom-ref": "urn:service:mcp:demo:1.0.0",
+          name: "demo",
+          version: "1.0.0",
+          endpoints: ["/mcp", "/.well-known/oauth-authorization-server"],
+          authenticated: true,
+          "x-trust-boundary": true,
+          properties: [
+            { name: "cdx:mcp:transport", value: "streamable-http" },
+            { name: "cdx:mcp:capabilities:tools", value: "true" },
+          ],
+        },
+      ],
+    );
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].endpoints, [
+      "/mcp",
+      "/.well-known/oauth-authorization-server",
+    ]);
+    assert.strictEqual(result[0].authenticated, true);
+    assert.strictEqual(result[0]["x-trust-boundary"], true);
+    assert.strictEqual(result[0].properties.length, 2);
+  });
+
+  it("retains distinct services", () => {
+    const result = mergeServices(
+      [{ "bom-ref": "urn:service:mcp:stdio:1.0.0", name: "stdio" }],
+      [{ "bom-ref": "urn:service:mcp:http:1.0.0", name: "http" }],
+    );
+    assert.strictEqual(result.length, 2);
+  });
+
+  it("normalizes string endpoints when merging matching services", () => {
+    const result = mergeServices(
+      [
+        {
+          "bom-ref": "urn:service:mcp:demo:1.0.0",
+          endpoints: "/mcp",
+          name: "demo",
+        },
+      ],
+      [
+        {
+          "bom-ref": "urn:service:mcp:demo:1.0.0",
+          endpoints: ["/mcp", "/health"],
+          name: "demo",
+        },
+      ],
+    );
+    assert.deepStrictEqual(result[0].endpoints, ["/mcp", "/health"]);
+  });
+});

package/lib/helpers/display.js

@@ -7,7 +7,13 @@ import {
   REGISTRY_PROVENANCE_ICON,
 } from "./provenanceUtils.js";
 import { createStream, table } from "./table.js";
-import { isSecureMode, safeExistsSync, toCamel } from "./utils.js";
+import {
+  getRecordedActivities,
+  isDryRun,
+  isSecureMode,
+  safeExistsSync,
+  toCamel,
+} from "./utils.js";
 
 // https://github.com/yangshun/tree-node-cli/blob/master/src/index.js
 const SYMBOLS_ANSI = {
@@ -21,6 +27,29 @@ const SYMBOLS_ANSI = {
 const MAX_TREE_DEPTH = 6;
 const CYCLE_NODE_ICON = "↺";
 const REPEATED_NODE_ICON = "⤴";
+const MULTIVALUE_ACTIVITY_TARGET_KEYS = new Set([
+  "LockFiles",
+  "ManifestFiles",
+  "PkgFiles",
+  "SrcFiles",
+]);
+const PATH_SEPARATOR_REGEX = /[\\/]+/;
+const ENV_AUDIT_SEVERITY_RANK = {
+  low: 1,
+  medium: 2,
+  high: 3,
+  critical: 4,
+};
+const ENV_AUDIT_TYPE_LABELS = {
+  "code-execution": "Code Execution",
+  "credential-exposure": "Credential Exposure",
+  "debug-exposure": "Debug Exposure",
+  "environment-variable": "Environment Variable",
+  "network-interception": "Network Interception",
+  "permission-misuse": "Permission Misuse",
+  privilege: "Privilege",
+};
+
 const highlightStr = (s, highlight) => {
   if (highlight && s?.includes(highlight)) {
     s = s.replaceAll(highlight, `\x1b[1;33m${highlight}\x1b[0m`);
@@ -61,6 +90,86 @@ export const buildDependencyTreeLegendLines = (treeGraphics) => {
   }
   return [`Legend: ${legendLines.join("; ")}`];
 };
+
+export function buildActivitySummaryPayload(activities, dryRunMode = isDryRun) {
+  const completedCount = activities.filter(
+    ({ status }) => status === "completed",
+  ).length;
+  const blockedCount = activities.filter(
+    ({ status }) => status === "blocked",
+  ).length;
+  const failedCount = activities.filter(
+    ({ status }) => status === "failed",
+  ).length;
+  return {
+    activities,
+    mode: dryRunMode ? "dry-run" : "debug",
+    summary: {
+      blocked: blockedCount,
+      completed: completedCount,
+      failed: failedCount,
+      total: activities.length,
+    },
+  };
+}
+
+export function serializeActivitySummary(
+  activities,
+  reportType = "json",
+  dryRunMode = isDryRun,
+) {
+  const activitySummaryPayload = buildActivitySummaryPayload(
+    activities,
+    dryRunMode,
+  );
+  if (reportType === "json") {
+    return [JSON.stringify(activitySummaryPayload, null, 2)];
+  }
+  if (reportType === "jsonl") {
+    return [
+      JSON.stringify({
+        mode: activitySummaryPayload.mode,
+        recordType: "summary",
+        ...activitySummaryPayload.summary,
+      }),
+      ...activities.map((activity) =>
+        JSON.stringify({
+          recordType: "activity",
+          ...activity,
+        }),
+      ),
+    ];
+  }
+  return [];
+}
+
+const splitCommaSeparatedActivityEntries = (value) =>
+  value
+    .split(",")
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+
+const activityPathDepth = (entry) =>
+  entry.split(PATH_SEPARATOR_REGEX).filter(Boolean).length;
+
+const sortActivityTargetEntries = (entries) =>
+  [...entries].sort((left, right) => {
+    const depthDiff = activityPathDepth(left) - activityPathDepth(right);
+    if (depthDiff !== 0) {
+      return depthDiff;
+    }
+    const lengthDiff = left.length - right.length;
+    if (lengthDiff !== 0) {
+      return lengthDiff;
+    }
+    return left.localeCompare(right);
+  });
+
+const isLikelyActivityPathList = (entries) =>
+  entries.length > 1 &&
+  entries.every(
+    (entry) => PATH_SEPARATOR_REGEX.test(entry) && !entry.includes("://"),
+  );
 /**
  * Prints the BOM components as a streaming table to the console.
  * Delegates to {@link printOSTable} automatically when the BOM metadata indicates
@@ -765,10 +874,220 @@ export function printSummary(bomJson) {
   console.log(table(data, config));
 }
 
+export function printActivitySummary(reportType = undefined) {
+  const activities = getRecordedActivities();
+  if (!activities.length) {
+    return;
+  }
+  const activitySummaryPayload = buildActivitySummaryPayload(activities);
+  const completedCount = activitySummaryPayload.summary.completed;
+  const blockedCount = activitySummaryPayload.summary.blocked;
+  const failedCount = activitySummaryPayload.summary.failed;
+  const formatStatus = (status) => {
+    if (status === "completed") {
+      return "completed";
+    }
+    if (status === "blocked") {
+      return "blocked";
+    }
+    if (status === "failed") {
+      return "failed";
+    }
+    return status || "";
+  };
+  if (reportType === "json") {
+    for (const line of serializeActivitySummary(activities, reportType)) {
+      console.log(line);
+    }
+    return;
+  }
+  if (reportType === "jsonl") {
+    for (const line of serializeActivitySummary(activities, reportType)) {
+      console.log(line);
+    }
+    return;
+  }
+  const formatActivityTarget = (target) => {
+    if (typeof target !== "string" || !target.includes(",")) {
+      return target || "";
+    }
+    const targetEntries = splitCommaSeparatedActivityEntries(target);
+    if (isLikelyActivityPathList(targetEntries)) {
+      return sortActivityTargetEntries(targetEntries).join("\n");
+    }
+    if (!(target.includes(":") || target.includes("="))) {
+      return target || "";
+    }
+    const targetSegments = target.split(/,\s*(?=[A-Za-z][\w-]*\s*[:=])/);
+    let didFormat = false;
+    const renderedSegments = targetSegments.map((segment) => {
+      const segmentMatch = segment.match(/^([A-Za-z][\w-]*)\s*([:=])\s*(.*)$/);
+      if (!segmentMatch) {
+        return segment;
+      }
+      const [, key, separator, value] = segmentMatch;
+      if (!MULTIVALUE_ACTIVITY_TARGET_KEYS.has(key) || !value.includes(",")) {
+        return segment;
+      }
+      didFormat = true;
+      return `${key}${separator}\n${sortActivityTargetEntries(
+        splitCommaSeparatedActivityEntries(value),
+      )
+        .map((entry) => `- ${entry}`)
+        .join("\n")}`;
+    });
+    return didFormat ? renderedSegments.join("\n") : target;
+  };
+  const formatActivityType = (type) => {
+    if (typeof type !== "string" || !type.includes(",")) {
+      return type || "";
+    }
+    return splitCommaSeparatedActivityEntries(type)
+      .sort((left, right) => left.localeCompare(right))
+      .join("\n");
+  };
+  const data = [
+    [
+      "Identifier",
+      "Type",
+      "Package Type",
+      "Activity",
+      "Target",
+      "Outcome / Why",
+    ],
+  ];
+  for (const activity of activities) {
+    data.push([
+      activity.identifier,
+      formatActivityType(activity.projectType),
+      activity.packageType || "",
+      activity.kind || "",
+      formatActivityTarget(activity.target),
+      activity.reason
+        ? `${formatStatus(activity.status)}\n${activity.reason}`.trim()
+        : formatStatus(activity.status),
+    ]);
+  }
+  const config = {
+    header: {
+      alignment: "center",
+      content: `${
+        isDryRun
+          ? "cdxgen dry-run activity summary"
+          : "cdxgen debug activity summary"
+      }\n${completedCount} completed   ${blockedCount} blocked   ${failedCount} failed`,
+    },
+    columns: [
+      { width: 14 },
+      { width: 14 },
+      { width: 14 },
+      { width: 12 },
+      { width: 48, wrapWord: true },
+      { width: 28, wrapWord: true },
+    ],
+  };
+  console.log(table(data, config));
+}
+
 /**
  * @typedef {{type: string, variable: string, severity: string, message: string, mitigation: string}} EnvAuditFinding
  */
 
+const summarizeEnvAuditSeverities = (envAuditFindings) => {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const finding of envAuditFindings) {
+    if (counts[finding.severity] !== undefined) {
+      counts[finding.severity] += 1;
+    }
+  }
+  return ["critical", "high", "medium", "low"]
+    .filter((severity) => counts[severity] > 0)
+    .map((severity) => `${counts[severity]} ${severity}`)
+    .join("   ");
+};
+
+const buildEnvironmentAuditGroups = (envAuditFindings) => {
+  const groups = new Map();
+  for (const finding of envAuditFindings) {
+    const isCredentialExposure = finding.type === "credential-exposure";
+    const groupKey = isCredentialExposure
+      ? "credential-exposure"
+      : JSON.stringify([
+          finding.type,
+          finding.severity,
+          finding.message,
+          finding.mitigation,
+        ]);
+    if (!groups.has(groupKey)) {
+      groups.set(groupKey, {
+        details: isCredentialExposure
+          ? "Credential-like environment variables are set. Build tools or install scripts invoked during SBOM generation may read inherited environment variables."
+          : finding.message,
+        mitigation: isCredentialExposure
+          ? "Unset unneeded secrets when scanning untrusted repositories. Prefer ephemeral, scoped CI credentials injected only for the step that needs them."
+          : finding.mitigation,
+        severity: finding.severity,
+        title:
+          ENV_AUDIT_TYPE_LABELS[finding.type] ||
+          toCamel(finding.type || "Finding"),
+        variables: new Set(),
+      });
+    }
+    groups.get(groupKey).variables.add(finding.variable);
+  }
+  return [...groups.values()]
+    .map((group) => ({
+      ...group,
+      variables: [...group.variables].filter(Boolean).sort(),
+    }))
+    .sort((left, right) => {
+      const severityDiff =
+        (ENV_AUDIT_SEVERITY_RANK[right.severity] || 0) -
+        (ENV_AUDIT_SEVERITY_RANK[left.severity] || 0);
+      if (severityDiff !== 0) {
+        return severityDiff;
+      }
+      return left.title.localeCompare(right.title);
+    });
+};
+
+/**
+ * Prints a grouped secure-mode environment audit call-out panel.
+ *
+ * @param {EnvAuditFinding[]} envAuditFindings Audit findings to display
+ * @returns {void}
+ */
+export function printEnvironmentAuditFindings(envAuditFindings = []) {
+  if (!envAuditFindings.length) {
+    return;
+  }
+  const groupedFindings = buildEnvironmentAuditGroups(envAuditFindings);
+  const severitySummary = summarizeEnvAuditSeverities(envAuditFindings);
+  const data = [["Category", "Severity", "Variable(s)", "Details"]];
+  for (const finding of groupedFindings) {
+    data.push([
+      finding.title,
+      finding.severity.toUpperCase(),
+      finding.variables.join("\n"),
+      `${finding.details}\nMitigation: ${finding.mitigation}`,
+    ]);
+  }
+  const config = {
+    header: {
+      alignment: "center",
+      content: `SECURE MODE: Environment audit\n${severitySummary || `${envAuditFindings.length} finding(s)`}`,
+    },
+    columns: [
+      { width: 22 },
+      { width: 10 },
+      { width: 24, wrapWord: true },
+      { width: 50, wrapWord: true },
+    ],
+    columnDefault: { wrapWord: true },
+  };
+  console.log(table(data, config));
+}
+
 /**
  * Runs the pre-generation environment audit and renders the results as formatted
  * tables to the console. Called when the --env-audit CLI flag is set.
@@ -784,7 +1103,7 @@ export function displaySelfThreatModel(
   options,
   envAuditFindings,
 ) {
-  const TLP = options.tlpClassification || "CLEAR";
+  const TLP = options.tlpClassification;
   const risks = [];
   let riskScore = 0;
 
@@ -923,8 +1242,11 @@ export function displaySelfThreatModel(
     AMBER_AND_STRICT: "Organisation only. No external sharing.",
     RED: "Named recipients only. Do not forward or store beyond session.",
   };
+  const tlpValue = TLP
+    ? `${TLP} — ${tlpGuidance[TLP]}`
+    : "Not set — no distribution constraints recorded.";
   const headerData = [
-    ["TLP Classification", `${TLP} — ${tlpGuidance[TLP]}`],
+    ["TLP Classification", tlpValue],
     ["Risk Score", `${riskScore}/10`],
     ["Risk Level", `${riskColor[riskLevel]}${riskLevel}${reset}`],
   ];