@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/display.poku.js

@@ -5,9 +5,11 @@ import { assert, it } from "poku";
 import sinon from "sinon";
 
 import {
+  buildActivitySummaryPayload,
   buildDependencyTreeLegendLines,
   buildDependencyTreeLines,
   printDependencyTree,
+  serializeActivitySummary,
 } from "./display.js";
 import { REGISTRY_PROVENANCE_ICON } from "./provenanceUtils.js";
 
@@ -91,6 +93,31 @@ it("prints a provenance icon for registry-backed components", async () => {
   }
 });
 
+it("displaySelfThreatModel does not assume a default TLP classification", async () => {
+  const tableStub = sinon.stub().returns("table-output");
+  try {
+    const { displaySelfThreatModel } = await esmock("./display.js", {
+      "./table.js": {
+        createStream: sinon.stub(),
+        table: tableStub,
+      },
+      "./utils.js": {
+        isSecureMode: false,
+        safeExistsSync: sinon.stub(),
+        toCamel: sinon.stub().callsFake((value) => value),
+      },
+    });
+    displaySelfThreatModel("/workspace/project", {}, {}, []);
+    const [headerData] = tableStub.firstCall.args;
+    assert.deepStrictEqual(headerData[0], [
+      "TLP Classification",
+      "Not set — no distribution constraints recorded.",
+    ]);
+  } finally {
+    sinon.restore();
+  }
+});
+
 it("renders shared dependencies once while including dangling trees", () => {
   const treeLines = buildDependencyTreeLines([
     {
@@ -170,3 +197,277 @@ it("returns no legend lines when the dependency tree has no markers", () => {
     [],
   );
 });
+
+it("prints an informative activity summary table", async () => {
+  const tableStub = sinon.stub().returns("activity-table");
+  try {
+    const { printActivitySummary: printActivitySummaryMocked } = await esmock(
+      "./display.js",
+      {
+        "./table.js": {
+          createStream: sinon.stub(),
+          table: tableStub,
+        },
+        "./utils.js": {
+          getRecordedActivities: sinon.stub().returns([
+            {
+              identifier: "ACT-0001",
+              projectType: "ruby,js,python",
+              packageType: "npm",
+              kind: "execute",
+              reason: "Dry run mode blocks child process execution.",
+              status: "blocked",
+              target: "npm install",
+            },
+            {
+              identifier: "ACT-0002",
+              projectType: "python",
+              packageType: "pypi",
+              kind: "read",
+              status: "completed",
+              target: "/workspace/requirements.txt",
+            },
+          ]),
+          isDryRun: true,
+          isSecureMode: false,
+          safeExistsSync: sinon.stub(),
+          toCamel: sinon.stub(),
+        },
+      },
+    );
+    printActivitySummaryMocked();
+    sinon.assert.calledOnce(tableStub);
+    const [data, config] = tableStub.firstCall.args;
+    assert.strictEqual(
+      config.header.content,
+      "cdxgen dry-run activity summary\n1 completed   1 blocked   0 failed",
+    );
+    assert.deepStrictEqual(data[0], [
+      "Identifier",
+      "Type",
+      "Package Type",
+      "Activity",
+      "Target",
+      "Outcome / Why",
+    ]);
+    assert.strictEqual(data[1][0], "ACT-0001");
+    assert.strictEqual(data[1][1], "js\npython\nruby");
+    assert.strictEqual(data[1][2], "npm");
+    assert.strictEqual(data[1][3], "execute");
+    assert.strictEqual(
+      data[1][5],
+      "blocked\nDry run mode blocks child process execution.",
+    );
+  } finally {
+    sinon.restore();
+  }
+});
+
+it("renders known comma-separated activity target properties across lines", async () => {
+  const tableStub = sinon.stub().returns("activity-table");
+  try {
+    const { printActivitySummary: printActivitySummaryMocked } = await esmock(
+      "./display.js",
+      {
+        "./table.js": {
+          createStream: sinon.stub(),
+          table: tableStub,
+        },
+        "./utils.js": {
+          getRecordedActivities: sinon.stub().returns([
+            {
+              identifier: "ACT-0001",
+              projectType: "oci",
+              packageType: "container",
+              kind: "read",
+              reason: "Collected image metadata.",
+              status: "completed",
+              target:
+                "Image=ghcr.io/cdxgen/cdxgen, SrcFiles=pnpm-lock.yaml,Dockerfile,package.json",
+            },
+          ]),
+          isDryRun: true,
+          isSecureMode: false,
+          safeExistsSync: sinon.stub(),
+          toCamel: sinon.stub(),
+        },
+      },
+    );
+    printActivitySummaryMocked();
+    const [data] = tableStub.firstCall.args;
+    assert.strictEqual(
+      data[1][4],
+      "Image=ghcr.io/cdxgen/cdxgen\nSrcFiles=\n- Dockerfile\n- package.json\n- pnpm-lock.yaml",
+    );
+  } finally {
+    sinon.restore();
+  }
+});
+
+it("renders plain comma-separated activity paths one per line sorted by depth", async () => {
+  const tableStub = sinon.stub().returns("activity-table");
+  try {
+    const { printActivitySummary: printActivitySummaryMocked } = await esmock(
+      "./display.js",
+      {
+        "./table.js": {
+          createStream: sinon.stub(),
+          table: tableStub,
+        },
+        "./utils.js": {
+          getRecordedActivities: sinon.stub().returns([
+            {
+              identifier: "ACT-0004",
+              projectType: "github",
+              packageType: "github",
+              kind: "read",
+              reason: "Collected github component metadata.",
+              status: "completed",
+              target:
+                "/workspace/.github/workflows/deeper/build.yml, /workspace/.github/workflows/test.yml, /workspace/.github/workflows/deeper/nightly/scan.yml",
+            },
+          ]),
+          isDryRun: true,
+          isSecureMode: false,
+          safeExistsSync: sinon.stub(),
+          toCamel: sinon.stub(),
+        },
+      },
+    );
+    printActivitySummaryMocked();
+    const [data] = tableStub.firstCall.args;
+    assert.strictEqual(
+      data[1][4],
+      "/workspace/.github/workflows/test.yml\n/workspace/.github/workflows/deeper/build.yml\n/workspace/.github/workflows/deeper/nightly/scan.yml",
+    );
+  } finally {
+    sinon.restore();
+  }
+});
+
+it("prints grouped environment audit findings in a secure-mode panel", async () => {
+  const tableStub = sinon.stub().returns("env-audit-table");
+  try {
+    const {
+      printEnvironmentAuditFindings: printEnvironmentAuditFindingsMocked,
+    } = await esmock("./display.js", {
+      "./table.js": {
+        createStream: sinon.stub(),
+        table: tableStub,
+      },
+      "./utils.js": {
+        getRecordedActivities: sinon.stub(),
+        isDryRun: true,
+        isSecureMode: false,
+        safeExistsSync: sinon.stub(),
+        toCamel: sinon.stub().callsFake((value) => value),
+      },
+    });
+    printEnvironmentAuditFindingsMocked([
+      {
+        type: "credential-exposure",
+        variable: "HF_TOKEN",
+        severity: "low",
+        message:
+          "HF_TOKEN matches a credential naming pattern and is set in the environment. Build tools or install scripts invoked during SBOM generation may read environment variables.",
+        mitigation: "Unset HF_TOKEN.",
+      },
+      {
+        type: "environment-variable",
+        variable: "NODE_PATH",
+        severity: "high",
+        message:
+          "NODE_PATH is set and may cause unexpected modules to be loaded, enabling module-resolution poisoning.",
+        mitigation: "Unset NODE_PATH before processing untrusted repositories.",
+      },
+      {
+        type: "credential-exposure",
+        variable: "GITHUB_TOKEN",
+        severity: "low",
+        message:
+          "GITHUB_TOKEN matches a credential naming pattern and is set in the environment. Build tools or install scripts invoked during SBOM generation may read environment variables.",
+        mitigation: "Unset GITHUB_TOKEN.",
+      },
+    ]);
+    sinon.assert.calledOnce(tableStub);
+    const [data, config] = tableStub.firstCall.args;
+    assert.strictEqual(
+      config.header.content,
+      "SECURE MODE: Environment audit\n1 high   2 low",
+    );
+    assert.deepStrictEqual(data[1], [
+      "Environment Variable",
+      "HIGH",
+      "NODE_PATH",
+      "NODE_PATH is set and may cause unexpected modules to be loaded, enabling module-resolution poisoning.\nMitigation: Unset NODE_PATH before processing untrusted repositories.",
+    ]);
+    assert.deepStrictEqual(data[2], [
+      "Credential Exposure",
+      "LOW",
+      "GITHUB_TOKEN\nHF_TOKEN",
+      "Credential-like environment variables are set. Build tools or install scripts invoked during SBOM generation may read inherited environment variables.\nMitigation: Unset unneeded secrets when scanning untrusted repositories. Prefer ephemeral, scoped CI credentials injected only for the step that needs them.",
+    ]);
+  } finally {
+    sinon.restore();
+  }
+});
+
+it("prints the activity summary as JSON", async () => {
+  const lines = serializeActivitySummary(
+    [
+      {
+        identifier: "ACT-0001",
+        projectType: "js",
+        packageType: "npm",
+        kind: "execute",
+        status: "blocked",
+        target: "npm install",
+      },
+    ],
+    "json",
+    true,
+  );
+  assert.strictEqual(lines.length, 1);
+  const payload = JSON.parse(lines[0]);
+  assert.strictEqual(payload.mode, "dry-run");
+  assert.strictEqual(payload.summary.total, 1);
+  assert.strictEqual(payload.activities[0].identifier, "ACT-0001");
+});
+
+it("prints the activity summary as JSON Lines", async () => {
+  const lines = serializeActivitySummary(
+    [
+      {
+        identifier: "ACT-0001",
+        projectType: "js",
+        packageType: "npm",
+        kind: "execute",
+        status: "blocked",
+        target: "npm install",
+      },
+    ],
+    "jsonl",
+    true,
+  );
+  assert.strictEqual(lines.length, 2);
+  const summary = JSON.parse(lines[0]);
+  const activity = JSON.parse(lines[1]);
+  assert.strictEqual(summary.recordType, "summary");
+  assert.strictEqual(summary.total, 1);
+  assert.strictEqual(activity.recordType, "activity");
+  assert.strictEqual(activity.identifier, "ACT-0001");
+});
+
+it("builds summary counts for serialized activity reports", () => {
+  const payload = buildActivitySummaryPayload(
+    [{ status: "blocked" }, { status: "completed" }, { status: "failed" }],
+    true,
+  );
+  assert.deepStrictEqual(payload.summary, {
+    blocked: 1,
+    completed: 1,
+    failed: 1,
+    total: 3,
+  });
+  assert.strictEqual(payload.mode, "dry-run");
+});

package/lib/helpers/formulationParsers.js

@@ -4,6 +4,11 @@ import process from "node:process";
 
 import { v4 as uuidv4 } from "uuid";
 
+import {
+  AI_INVENTORY_PROJECT_TYPES,
+  collectAiInventory,
+  optionIncludesAiInventoryProjectType,
+} from "./aiInventory.js";
 import { collectOSCryptoLibs } from "./cbomutils.js";
 import { azurePipelinesParser } from "./ciParsers/azurePipelines.js";
 import { circleCiParser } from "./ciParsers/circleCi.js";
@@ -18,6 +23,7 @@ import {
   gitTreeHashes,
   listFiles,
 } from "./envcontext.js";
+import { rustFormulationParser } from "./rustFormulationParser.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 import { getAllFiles } from "./utils.js";
 
@@ -95,6 +101,7 @@ function buildReadmeSecurityComponents(discoveryPath, options) {
  * ```
  */
 const _parsers = [
+  rustFormulationParser,
   githubActionsParser,
   gitlabCiParser,
   jenkinsParser,
@@ -304,6 +311,12 @@ export function addFormulationSection(filePath, options, context = {}) {
   const ciProperties = [];
 
   const discoveryPath = projectPath || ".";
+  const excludedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter((type) => {
+    return optionIncludesAiInventoryProjectType(options?.excludeType, type);
+  });
+  const includedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) => !excludedInventoryTypes.includes(type),
+  );
 
   for (const parser of _parsers) {
     const matchedFiles = [];
@@ -347,6 +360,21 @@ export function addFormulationSection(filePath, options, context = {}) {
     }
   }
 
+  const aiInventory = collectAiInventory(
+    discoveryPath,
+    options,
+    includedInventoryTypes,
+  );
+  if (aiInventory.components.length) {
+    ciComponents.push(...aiInventory.components);
+  }
+  if (aiInventory.services.length) {
+    ciServices.push(...aiInventory.services);
+  }
+  if (aiInventory.dependencies.length) {
+    dependencies.push(...aiInventory.dependencies);
+  }
+
   // Merge CI components into the formulation component list
   if (ciComponents.length) {
     components = components.concat(ciComponents);