@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/mcpConfigParser.poku.js

@@ -0,0 +1,126 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+describe("mcpConfigParser", () => {
+  it("normalizes Windows paths for config format detection and treats jsonc as json", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("C:\\repo\\.vscode\\mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          localDocs: {
+            transport: "streamable-http",
+            url: "https://docs.example.com/mcp",
+          },
+        },
+      }),
+    );
+    readFileSync.withArgs("C:\\repo\\opencode.jsonc", "utf-8").returns(`{
+        // JSONC config
+        "mcp": {
+          "remoteDocs": {
+            "type": "remote",
+            "url": "https://example.com/mcp"
+          }
+        }
+      }`);
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse([
+      "C:\\repo\\.vscode\\mcp.json",
+      "C:\\repo\\opencode.jsonc",
+    ]);
+
+    assert.ok(
+      result.components.some(
+        (component) => getProp(component, "cdx:mcp:configFormat") === "vscode",
+      ),
+    );
+    assert.ok(
+      result.components.some(
+        (component) =>
+          getProp(component, "cdx:mcp:configFormat") === "opencode",
+      ),
+    );
+    sinon.assert.calledWithMatch(scanTextForHiddenUnicode, sinon.match.string, {
+      syntax: "json",
+    });
+  });
+
+  it("records credential exposure without embedding raw secret metadata", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("/repo/.vscode/mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          releaseDocs: {
+            args: [
+              "--token",
+              "sk_test_super_secret_value",
+              "https://docs.example.com/mcp",
+            ],
+            command: "npx",
+            env: {
+              API_KEY: "$" + "{API_KEY}",
+            },
+            headers: {
+              Authorization: "Bearer sk_test_another_secret_value",
+            },
+            transport: "http",
+          },
+        },
+      }),
+    );
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse(["/repo/.vscode/mcp.json"]);
+    const service = result.services[0];
+    const component = result.components[0];
+
+    assert.strictEqual(getProp(service, "cdx:mcp:credentialExposure"), "true");
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialIndicatorCount"),
+      "3",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialExposureFieldCount"),
+      "3",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialReferenceCount"),
+      "1",
+    );
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:credentialExposedServiceCount"),
+      "1",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialRiskIndicators"),
+      undefined,
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialExposureFields"),
+      undefined,
+    );
+    assert.strictEqual(getProp(service, "cdx:mcp:credentialRefs"), undefined);
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:credentialExposedServices"),
+      undefined,
+    );
+  });
+});

package/lib/helpers/mcpDiscovery.js

@@ -0,0 +1,84 @@
+const PROVIDER_TEXT_PATTERNS = [
+  ["anthropic", /\banthropic\b|claude/i],
+  ["openai", /\bopenai\b|\bgpt-[a-z0-9-]+\b|\bo[13]\b/i],
+  ["google", /\bgemini\b|google(?:\s+ai)?/i],
+  ["mistral", /\bmistral\b/i],
+  ["deepseek", /\bdeepseek\b/i],
+  ["ollama", /\bollama\b/i],
+  ["groq", /\bgroq\b/i],
+];
+
+const INLINE_CREDENTIAL_PATTERNS = [
+  ["aws-access-key", /\bAKIA[0-9A-Z]{16}\b/u],
+  ["bearer-token", /\bbearer\s+[a-z0-9._-]{16,}\b/iu],
+  ["generic-secret", /\b(?:sk|rk|pk)_[a-z0-9_-]{8,}\b/iu],
+  ["github-token", /\bgh[pousr]_[a-z0-9]{20,}\b/iu],
+  ["google-api-key", /\bAIza[0-9A-Za-z_-]{20,}\b/u],
+];
+
+export function sanitizeMcpRefToken(value) {
+  const input = String(value || "")
+    .normalize("NFKC")
+    .trim()
+    .toLowerCase();
+  const normalized = input
+    .replaceAll(/[/\\:]/gu, "-")
+    .replaceAll(/[^a-z0-9._-]+/gu, "-")
+    .replaceAll(/[._-]{2,}/gu, "-")
+    .replaceAll(/^\.+|\.+$/gu, "")
+    .replaceAll(/^[._-]+|[._-]+$/gu, "");
+  if (!normalized || normalized === "." || normalized === "..") {
+    return "unknown";
+  }
+  return normalized.slice(0, 128);
+}
+
+export function isLocalHost(hostname) {
+  const normalized = String(hostname || "").toLowerCase();
+  if (
+    !normalized ||
+    normalized === "localhost" ||
+    normalized === "127.0.0.1" ||
+    normalized === "::1"
+  ) {
+    return true;
+  }
+  if (
+    normalized.startsWith("10.") ||
+    normalized.startsWith("127.") ||
+    normalized.startsWith("169.254.") ||
+    normalized.startsWith("192.168.")
+  ) {
+    return true;
+  }
+  const octets = normalized.split(".");
+  if (
+    octets.length === 4 &&
+    octets[0] === "172" &&
+    Number(octets[1]) >= 16 &&
+    Number(octets[1]) <= 31
+  ) {
+    return true;
+  }
+  return false;
+}
+
+export function providerNamesForText(text) {
+  return [
+    ...new Set(
+      PROVIDER_TEXT_PATTERNS.flatMap(([name, pattern]) =>
+        pattern.test(text) ? [name] : [],
+      ),
+    ),
+  ];
+}
+
+export function credentialIndicatorsForText(text) {
+  return [
+    ...new Set(
+      INLINE_CREDENTIAL_PATTERNS.flatMap(([name, pattern]) =>
+        pattern.test(text) ? [name] : [],
+      ),
+    ),
+  ];
+}

package/lib/helpers/mcpDiscovery.poku.js

@@ -0,0 +1,21 @@
+import { assert, describe, it } from "poku";
+
+import { sanitizeMcpRefToken } from "./mcpDiscovery.js";
+
+describe("sanitizeMcpRefToken()", () => {
+  it("normalizes path traversal and punctuation-heavy input into safe tokens", () => {
+    assert.strictEqual(
+      sanitizeMcpRefToken("../Secrets/Prod Token"),
+      "secrets-prod-token",
+    );
+    assert.strictEqual(
+      sanitizeMcpRefToken("..\\..\\etc\\passwd"),
+      "etc-passwd",
+    );
+  });
+
+  it("returns unknown for empty or separator-only input", () => {
+    assert.strictEqual(sanitizeMcpRefToken("..."), "unknown");
+    assert.strictEqual(sanitizeMcpRefToken("///"), "unknown");
+  });
+});

package/lib/helpers/protobom.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
 
 import { cdx_16, cdx_17 } from "@appthreat/cdx-proto";
 import {
@@ -8,7 +8,7 @@ import {
   toJson,
 } from "@bufbuild/protobuf";
 
-import { safeExistsSync } from "./utils.js";
+import { safeExistsSync, safeWriteSync } from "./utils.js";
 
 /**
  * Stringify the given bom json based on the type.
@@ -37,7 +37,7 @@ export const writeBinary = (bomJson, binFile) => {
     } else {
       bomSchema = cdx_16.BomSchema;
     }
-    writeFileSync(
+    safeWriteSync(
       binFile,
       toBinary(
         bomSchema,

package/lib/helpers/provenanceUtils.js

@@ -2,6 +2,8 @@ const NPM_PROVENANCE_URL_PROPERTY = "cdx:npm:provenanceUrl";
 const NPM_TRUSTED_PUBLISHING_PROPERTY = "cdx:npm:trustedPublishing";
 const PYPI_PROVENANCE_URL_PROPERTY = "cdx:pypi:provenanceUrl";
 const PYPI_TRUSTED_PUBLISHING_PROPERTY = "cdx:pypi:trustedPublishing";
+const CARGO_PROVENANCE_URL_PROPERTY = "cdx:cargo:provenanceUrl";
+const CARGO_TRUSTED_PUBLISHING_PROPERTY = "cdx:cargo:trustedPublishing";
 
 export const NPM_PROVENANCE_EVIDENCE_PROPERTIES = [
   NPM_PROVENANCE_URL_PROPERTY,
@@ -22,13 +24,23 @@ export const PYPI_PROVENANCE_EVIDENCE_PROPERTIES = [
   "cdx:pypi:artifactDigestBlake2b256",
   "cdx:pypi:artifactDigestMd5",
 ];
+export const CARGO_PROVENANCE_EVIDENCE_PROPERTIES = [
+  CARGO_PROVENANCE_URL_PROPERTY,
+  "cdx:cargo:provenanceDigest",
+  "cdx:cargo:provenanceKeyId",
+  "cdx:cargo:provenancePredicateType",
+  "cdx:cargo:provenanceSignature",
+  "cdx:cargo:artifactDigestSha256",
+];
 export const REGISTRY_PROVENANCE_EVIDENCE_PROPERTIES = [
   ...NPM_PROVENANCE_EVIDENCE_PROPERTIES,
   ...PYPI_PROVENANCE_EVIDENCE_PROPERTIES,
+  ...CARGO_PROVENANCE_EVIDENCE_PROPERTIES,
 ];
 export const TRUSTED_PUBLISHING_PROPERTIES = [
   NPM_TRUSTED_PUBLISHING_PROPERTY,
   PYPI_TRUSTED_PUBLISHING_PROPERTY,
+  CARGO_TRUSTED_PUBLISHING_PROPERTY,
 ];
 
 export const REGISTRY_PROVENANCE_ICON = "🛡";
@@ -73,7 +85,7 @@ export function hasAnyPropertyValue(properties, propertyNames) {
  * Determine whether a raw properties array includes trusted publishing metadata.
  *
  * @param {object[]} properties CycloneDX properties array
- * @returns {boolean} True when trusted publishing is recorded for npm or PyPI
+ * @returns {boolean} True when trusted publishing is recorded for npm, PyPI, or Cargo
  */
 export function hasTrustedPublishingProperties(properties) {
   return TRUSTED_PUBLISHING_PROPERTIES.some(
@@ -98,7 +110,7 @@ export function hasRegistryProvenanceEvidenceProperties(properties) {
  * Determine whether a component includes trusted publishing metadata.
  *
  * @param {object} component CycloneDX component
- * @returns {boolean} True when trusted publishing is recorded for npm or PyPI
+ * @returns {boolean} True when trusted publishing is recorded for npm, PyPI, or Cargo
  */
 export function hasComponentTrustedPublishing(component) {
   return hasTrustedPublishingProperties(component?.properties);
@@ -161,10 +173,11 @@ export function getProvenanceComponents(components) {
  * Count components with trusted publishing metadata by registry ecosystem.
  *
  * @param {object[]} components BOM components
- * @returns {{npm: number, pypi: number, total: number}} Trusted publishing counts
+ * @returns {{cargo: number, npm: number, pypi: number, total: number}} Trusted publishing counts
  */
 export function getTrustedPublishingComponentCounts(components) {
   const counts = {
+    cargo: 0,
     npm: 0,
     pypi: 0,
     total: 0,
@@ -179,13 +192,25 @@ export function getTrustedPublishingComponentCounts(components) {
     const pypiTrustedPublishing =
       getComponentPropertyValue(component, PYPI_TRUSTED_PUBLISHING_PROPERTY) ===
       "true";
+    const cargoTrustedPublishing =
+      getComponentPropertyValue(
+        component,
+        CARGO_TRUSTED_PUBLISHING_PROPERTY,
+      ) === "true";
     if (npmTrustedPublishing) {
       counts.npm += 1;
     }
     if (pypiTrustedPublishing) {
       counts.pypi += 1;
     }
-    if (npmTrustedPublishing || pypiTrustedPublishing) {
+    if (cargoTrustedPublishing) {
+      counts.cargo += 1;
+    }
+    if (
+      npmTrustedPublishing ||
+      pypiTrustedPublishing ||
+      cargoTrustedPublishing
+    ) {
       counts.total += 1;
     }
   }

package/lib/helpers/provenanceUtils.poku.js

@@ -32,6 +32,19 @@ describe("provenanceUtils", () => {
       },
     ],
   };
+  const cargoTrustedComponent = {
+    name: "serde",
+    properties: [
+      {
+        name: "cdx:cargo:trustedPublishing",
+        value: "true",
+      },
+      {
+        name: "cdx:cargo:provenanceUrl",
+        value: "https://crates.io/provenance/serde/1.0.0",
+      },
+    ],
+  };
   const plainComponent = {
     name: "lodash",
     properties: [],
@@ -58,17 +71,19 @@ describe("provenanceUtils", () => {
       getTrustedComponents([
         plainComponent,
         npmTrustedComponent,
+        cargoTrustedComponent,
         pypiProvenanceComponent,
       ]).map((component) => component.name),
-      ["left-pad"],
+      ["left-pad", "serde"],
     );
     assert.deepStrictEqual(
       getProvenanceComponents([
         plainComponent,
         npmTrustedComponent,
+        cargoTrustedComponent,
         pypiProvenanceComponent,
       ]).map((component) => component.name),
-      ["requests"],
+      ["serde", "requests"],
     );
     assert.deepStrictEqual(
       getTrustedPublishingComponentCounts([
@@ -82,12 +97,14 @@ describe("provenanceUtils", () => {
             },
           ],
         },
+        cargoTrustedComponent,
         plainComponent,
       ]),
       {
+        cargo: 1,
         npm: 1,
         pypi: 1,
-        total: 2,
+        total: 3,
       },
     );
   });
@@ -102,6 +119,10 @@ describe("provenanceUtils", () => {
         name: "cdx:npm:trustedPublishing",
         value: "true",
       },
+      {
+        name: "cdx:cargo:artifactDigestSha256",
+        value: "deadbeef",
+      },
     ];
     assert.strictEqual(
       getPropertyValue(properties, "cdx:npm:provenanceKeyId"),
@@ -132,10 +153,15 @@ describe("provenanceUtils", () => {
               name: "cdx:pypi:trustedPublishing",
               value: "true",
             },
+            {
+              name: "cdx:cargo:trustedPublishing",
+              value: "true",
+            },
           ],
         },
       ]),
       {
+        cargo: 1,
         npm: 1,
         pypi: 1,
         total: 1,

package/lib/helpers/registryProvenance.js

@@ -791,3 +791,213 @@ export function collectPypiRegistryProvenanceProperties(projectBody, version) {
   );
   return properties;
 }
+
+/**
+ * Extract Cargo/crates.io release, publisher, and provenance-adjacent properties.
+ *
+ * @param {object} crateBody crates.io `/api/v1/crates/{name}` response body
+ * @param {string | undefined} version crate version
+ * @param {object} [ownersBody] crates.io `/api/v1/crates/{name}/owners` response body
+ * @returns {object[]} custom properties
+ */
+export function collectCargoRegistryProvenanceProperties(
+  crateBody,
+  version,
+  ownersBody,
+) {
+  const properties = [];
+  const versions = Array.isArray(crateBody?.versions) ? crateBody.versions : [];
+  const currentVersionBody =
+    versions.find((entry) => entry?.num === version) || versions[0];
+  if (!currentVersionBody) {
+    return properties;
+  }
+  const releaseEntries = versions
+    .map((entry) => ({
+      publishers: uniqueStrings([
+        entry?.published_by?.login,
+        entry?.published_by?.name,
+      ]),
+      timestamp: parseTimestamp(entry?.created_at || entry?.updated_at),
+      version: entry?.num,
+      rawTime: entry?.created_at || entry?.updated_at,
+    }))
+    .filter((entry) => entry.version && entry.timestamp !== undefined);
+  const currentPublishTimestamp = parseTimestamp(
+    currentVersionBody?.created_at || currentVersionBody?.updated_at,
+  );
+  const priorReleaseEntry = sortReleaseEntries(
+    releaseEntries.filter(
+      (entry) =>
+        entry.version !== currentVersionBody?.num &&
+        currentPublishTimestamp !== undefined &&
+        entry.timestamp < currentPublishTimestamp,
+    ),
+  ).pop();
+  const gapMetrics = releaseGapMetrics(releaseEntries, currentVersionBody?.num);
+  const cadenceMetrics = compressedCadenceMetrics(gapMetrics);
+  const currentPublisherSet = uniqueIdentities([
+    currentVersionBody?.published_by?.login,
+    currentVersionBody?.published_by?.name,
+  ]);
+  const priorPublisherSet = uniqueIdentities(
+    priorReleaseEntry?.publishers || [],
+  );
+  const overlapMetrics = identityOverlapMetrics(
+    currentPublisherSet,
+    priorPublisherSet,
+  );
+  const publisherDrift = isDisjointIdentitySet(
+    currentPublisherSet,
+    priorPublisherSet,
+  );
+  const ownerSet = uniqueIdentities(
+    (ownersBody?.users || []).flatMap((owner) => [owner?.login, owner?.name]),
+  );
+  const trustpubCandidate =
+    currentVersionBody?.trustpub_data ||
+    currentVersionBody?.trustpubData ||
+    crateBody?.crate?.trustpub_data ||
+    crateBody?.crate?.trustpubData ||
+    crateBody?.versions?.find((entry) => entry?.trustpub_data)?.trustpub_data;
+  const provenanceUrl = normalizeProvenanceUrl(trustpubCandidate);
+  const provenanceDigests = collectProvenanceDigests(trustpubCandidate);
+  const provenanceKeyIds = collectProvenanceKeyIds(trustpubCandidate);
+  const provenanceSignatures = collectProvenanceSignatures(trustpubCandidate);
+  const provenancePredicateTypes =
+    collectProvenancePredicateTypes(trustpubCandidate);
+
+  appendProperty(
+    properties,
+    "cdx:cargo:packageCreatedTime",
+    sortReleaseEntries([...releaseEntries])[0]?.rawTime,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:publishTime",
+    currentVersionBody?.created_at || currentVersionBody?.updated_at,
+  );
+  appendProperty(properties, "cdx:cargo:versionCount", releaseEntries.length);
+  appendProperty(
+    properties,
+    "cdx:cargo:publisher",
+    currentVersionBody?.published_by?.login ||
+      currentVersionBody?.published_by?.name,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:priorPublisher",
+    priorReleaseEntry?.publishers?.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:publisherSet",
+    currentPublisherSet.join(", "),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:publisherSetCount",
+    currentPublisherSet.length,
+  );
+  appendProperty(properties, "cdx:cargo:ownerSet", ownerSet.join(", "));
+  appendProperty(properties, "cdx:cargo:ownerSetCount", ownerSet.length);
+  appendProperty(
+    properties,
+    "cdx:cargo:publisherOverlapCount",
+    overlapMetrics.overlapCount,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:publisherOverlapRatio",
+    overlapMetrics.overlapRatio?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:priorVersion",
+    priorReleaseEntry?.version,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:priorPublishTime",
+    priorReleaseEntry?.rawTime,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:releaseGapDays",
+    gapMetrics.currentGapDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:releaseGapBaselineDays",
+    gapMetrics.baselineDays?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:releaseGapSampleSize",
+    gapMetrics.sampleSize,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:releaseCadenceCompressionRatio",
+    cadenceMetrics.compressionRatio?.toFixed(2),
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:artifactDigestSha256",
+    currentVersionBody?.checksum,
+  );
+  appendProperty(properties, "cdx:cargo:edition", currentVersionBody?.edition);
+  appendProperty(properties, "cdx:cargo:hasLib", currentVersionBody?.has_lib);
+  appendJoinedProperty(
+    properties,
+    "cdx:cargo:binNames",
+    Array.isArray(currentVersionBody?.bin_names)
+      ? currentVersionBody.bin_names
+      : [],
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:crateSize",
+    currentVersionBody?.crate_size,
+  );
+  if (currentVersionBody?.yanked === true) {
+    appendProperty(properties, "cdx:cargo:yanked", "true");
+  }
+  if (publisherDrift) {
+    appendProperty(properties, "cdx:cargo:publisherDrift", "true");
+  }
+  if (overlapMetrics.partialDrift) {
+    appendProperty(properties, "cdx:cargo:publisherSetPartialDrift", "true");
+  }
+  if (cadenceMetrics.compressedCadence) {
+    appendProperty(properties, "cdx:cargo:compressedCadence", "true");
+  }
+  if (
+    crateBody?.crate?.trustpub_only === true ||
+    hasTrustedPublishingEvidence(trustpubCandidate)
+  ) {
+    appendProperty(properties, "cdx:cargo:trustedPublishing", "true");
+  }
+  appendProperty(properties, "cdx:cargo:provenanceUrl", provenanceUrl);
+  appendJoinedProperty(
+    properties,
+    "cdx:cargo:provenanceDigest",
+    provenanceDigests,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:cargo:provenanceKeyId",
+    provenanceKeyIds,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:cargo:provenanceSignature",
+    provenanceSignatures,
+  );
+  appendJoinedProperty(
+    properties,
+    "cdx:cargo:provenancePredicateType",
+    provenancePredicateTypes,
+  );
+  return properties;
+}