@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/registryProvenance.poku.js

@@ -1,6 +1,7 @@
 import { assert, describe, it } from "poku";
 
 import {
+  collectCargoRegistryProvenanceProperties,
   collectNpmRegistryProvenanceProperties,
   collectPypiRegistryProvenanceProperties,
 } from "./registryProvenance.js";
@@ -450,3 +451,146 @@ describe("collectPypiRegistryProvenanceProperties()", () => {
     );
   });
 });
+
+describe("collectCargoRegistryProvenanceProperties()", () => {
+  it("extracts Cargo publisher, release cadence, artifact, and trusted-publishing details", () => {
+    const properties = collectCargoRegistryProvenanceProperties(
+      {
+        crate: {
+          trustpub_only: true,
+        },
+        versions: [
+          {
+            num: "0.9.0",
+            created_at: "2025-01-01T10:00:00.000Z",
+            published_by: { login: "previous-publisher" },
+          },
+          {
+            num: "1.0.0",
+            created_at: "2025-03-01T10:00:00.000Z",
+            published_by: { login: "previous-publisher" },
+          },
+          {
+            num: "1.1.0",
+            created_at: "2025-05-15T10:00:00.000Z",
+            published_by: { login: "previous-publisher" },
+          },
+          {
+            num: "1.2.0",
+            created_at: "2025-06-05T10:00:00.000Z",
+            checksum: "cargo-sha256",
+            crate_size: 4242,
+            edition: "2021",
+            has_lib: true,
+            bin_names: ["cargo-demo"],
+            yanked: true,
+            published_by: {
+              login: "publisher",
+              name: "Publisher Name",
+            },
+            trustpub_data: {
+              predicateType: "https://slsa.dev/provenance/v1",
+              signatures: [
+                { keyid: "sigstore-cargo-key", sig: "cargo-signature" },
+              ],
+              subject: {
+                digest: {
+                  sha256: "cargo-subject-digest",
+                },
+              },
+              url: "https://crates.io/provenance/cargo-demo/1.2.0",
+            },
+          },
+        ],
+      },
+      "1.2.0",
+      {
+        users: [
+          { login: "publisher", name: "Publisher Name" },
+          { login: "owner-two", name: "Owner Two" },
+        ],
+      },
+    );
+
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:trustedPublishing"),
+      "true",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:publishTime"),
+      "2025-06-05T10:00:00.000Z",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:publisher"),
+      "publisher",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:priorPublisher"),
+      "previous-publisher",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:publisherDrift"),
+      "true",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:publisherSet"),
+      "publisher, publisher name",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:ownerSet"),
+      "publisher, publisher name, owner-two, owner two",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:artifactDigestSha256"),
+      "cargo-sha256",
+    );
+    assert.strictEqual(getProperty(properties, "cdx:cargo:yanked"), "true");
+    assert.strictEqual(getProperty(properties, "cdx:cargo:edition"), "2021");
+    assert.strictEqual(getProperty(properties, "cdx:cargo:hasLib"), "true");
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:binNames"),
+      "cargo-demo",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:provenanceUrl"),
+      "https://crates.io/provenance/cargo-demo/1.2.0",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:provenanceDigest"),
+      "cargo-subject-digest",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:provenanceKeyId"),
+      "sigstore-cargo-key",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:provenanceSignature"),
+      "cargo-signature",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:provenancePredicateType"),
+      "https://slsa.dev/provenance/v1",
+    );
+    assert.strictEqual(getProperty(properties, "cdx:cargo:versionCount"), "4");
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:priorVersion"),
+      "1.1.0",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:releaseGapDays"),
+      "21.00",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:releaseGapBaselineDays"),
+      "67.00",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:releaseGapSampleSize"),
+      "2",
+    );
+    assert.strictEqual(
+      getProperty(properties, "cdx:cargo:compressedCadence"),
+      undefined,
+    );
+  });
+});

package/lib/helpers/rustFormulationParser.js

@@ -0,0 +1,330 @@
+import { readFileSync } from "node:fs";
+import { basename, dirname, join } from "node:path";
+
+import toml from "@iarna/toml";
+
+import { safeExistsSync } from "./utils.js";
+
+// Keep this list conservative and high-signal: it is meant to surface common
+// Rust native build helpers for audit triage, not to exhaustively model every
+// crate that may participate in a native build pipeline.
+const NATIVE_BUILD_DEPENDENCIES = [
+  "autocfg",
+  "bindgen",
+  "cc",
+  "cbindgen",
+  "cmake",
+  "cxx-build",
+  "grpcio-compiler",
+  "nasm-rs",
+  "openssl-sys",
+  "pkg-config",
+  "prost-build",
+  "protobuf-src",
+  "pyo3-build-config",
+  "ring",
+  "tauri-build",
+  "tonic-build",
+];
+
+const BUILD_SCRIPT_CAPABILITY_PATTERNS = [
+  ["process-execution", /\b(?:std::process::Command|Command::new|duct::cmd)\b/],
+  [
+    "native-tooling",
+    /\b(?:cc::Build|bindgen::Builder|cmake::Config|pkg_config::Config|autocfg::)/,
+  ],
+  [
+    "linker-directives",
+    /cargo:rustc-link-(?:lib|search|arg|arg-bins|arg-bin|arg-tests|arg-examples)/,
+  ],
+  [
+    "file-generation",
+    /\b(?:std::fs::(?:write|copy|create_dir_all)|include_bytes!|include_str!)\b/,
+  ],
+  ["network-access", /\b(?:reqwest|ureq|curl|git2)\b/],
+];
+
+function appendProperty(properties, name, value) {
+  if (!name || value === undefined || value === null || value === "") {
+    return;
+  }
+  properties.push({
+    name,
+    value: typeof value === "string" ? value : String(value),
+  });
+}
+
+function createFormulationComponent(name, filePath, toolName) {
+  return {
+    type: "application",
+    name,
+    version: "config",
+    "bom-ref": `urn:cdxgen:formulation:${toolName}:${filePath}`,
+    properties: [{ name: "SrcFile", value: filePath }],
+  };
+}
+
+function parseCargoManifest(filePath) {
+  let cargoData;
+  try {
+    cargoData = toml.parse(readFileSync(filePath, { encoding: "utf-8" }));
+  } catch {
+    return undefined;
+  }
+  if (!cargoData || typeof cargoData !== "object") {
+    return undefined;
+  }
+  const packageName =
+    cargoData?.package?.name || basename(dirname(filePath)) || "cargo-project";
+  const component = createFormulationComponent(packageName, filePath, "cargo");
+  const properties = component.properties;
+  const buildDependencies = cargoData?.["build-dependencies"];
+  const devDependencies = cargoData?.["dev-dependencies"];
+  const targetBlocks =
+    cargoData?.target && typeof cargoData.target === "object"
+      ? Object.values(cargoData.target)
+      : [];
+  const targetDependencyBlocks = targetBlocks.filter(
+    (block) => block && typeof block === "object",
+  );
+  const packageNode = cargoData?.package || {};
+  const buildScriptPath =
+    typeof packageNode.build === "string"
+      ? join(dirname(filePath), packageNode.build)
+      : join(dirname(filePath), "build.rs");
+  const hasBuildScript =
+    typeof packageNode.build === "string" || safeExistsSync(buildScriptPath);
+  const buildDependencyNames = Object.keys(buildDependencies || {});
+  const targetBuildDependencyNames = targetDependencyBlocks.flatMap((block) =>
+    Object.keys(block?.["build-dependencies"] || {}),
+  );
+  const allBuildDependencyNames = [
+    ...new Set([...buildDependencyNames, ...targetBuildDependencyNames]),
+  ];
+  const nativeBuildIndicators = buildDependencyNames.filter((dependencyName) =>
+    NATIVE_BUILD_DEPENDENCIES.includes(dependencyName),
+  );
+  const targetNativeBuildIndicators = targetBuildDependencyNames.filter(
+    (dependencyName) =>
+      NATIVE_BUILD_DEPENDENCIES.includes(dependencyName) ||
+      dependencyName.endsWith("-sys"),
+  );
+  const expandedNativeBuildIndicators = [
+    ...new Set([
+      ...nativeBuildIndicators,
+      ...targetNativeBuildIndicators,
+      ...allBuildDependencyNames.filter((dependencyName) =>
+        dependencyName.endsWith("-sys"),
+      ),
+    ]),
+  ];
+  const releaseProfiles = Object.keys(cargoData?.profile || {});
+  let buildScriptCapabilities = [];
+  let buildScriptIndicators = [];
+  if (hasBuildScript) {
+    try {
+      const buildScriptContent = readFileSync(buildScriptPath, {
+        encoding: "utf-8",
+      });
+      buildScriptCapabilities = BUILD_SCRIPT_CAPABILITY_PATTERNS.filter(
+        ([, pattern]) => pattern.test(buildScriptContent),
+      ).map(([capability]) => capability);
+      if (/println!\s*\(\s*"cargo:/.test(buildScriptContent)) {
+        buildScriptIndicators.push("cargo-directives");
+      }
+      if (/include_bytes!|include_str!/.test(buildScriptContent)) {
+        buildScriptIndicators.push("embedded-assets");
+      }
+    } catch {
+      buildScriptCapabilities = [];
+      buildScriptIndicators = [];
+    }
+  }
+
+  appendProperty(properties, "cdx:rust:buildTool", "cargo");
+  appendProperty(
+    properties,
+    "cdx:cargo:manifestMode",
+    cargoData?.workspace ? "workspace" : "package",
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasWorkspaceMembers",
+    Array.isArray(cargoData?.workspace?.members) ? "true" : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:workspaceMembers",
+    Array.isArray(cargoData?.workspace?.members)
+      ? cargoData.workspace.members.join(", ")
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasBuildDependencies",
+    allBuildDependencyNames.length ? "true" : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasDevDependencies",
+    Object.keys(devDependencies || {}).length ? "true" : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasTargetDependencies",
+    targetDependencyBlocks.some(
+      (block) =>
+        Object.keys(block?.dependencies || {}).length ||
+        Object.keys(block?.["build-dependencies"] || {}).length ||
+        Object.keys(block?.["dev-dependencies"] || {}).length,
+    )
+      ? "true"
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasBuildScript",
+    hasBuildScript ? "true" : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:buildScript",
+    hasBuildScript ? buildScriptPath : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:publish",
+    packageNode.publish === false ? "false" : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:rustVersion",
+    packageNode["rust-version"],
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:releaseProfiles",
+    releaseProfiles.length ? releaseProfiles.join(", ") : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:nativeBuildIndicators",
+    expandedNativeBuildIndicators.length
+      ? expandedNativeBuildIndicators.join(", ")
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:buildDependencyNames",
+    allBuildDependencyNames.length
+      ? allBuildDependencyNames.join(", ")
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:buildScriptCapabilities",
+    buildScriptCapabilities.length
+      ? buildScriptCapabilities.join(", ")
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:buildScriptIndicators",
+    buildScriptIndicators.length ? buildScriptIndicators.join(", ") : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:hasNativeBuild",
+    hasBuildScript ||
+      expandedNativeBuildIndicators.length ||
+      buildScriptCapabilities.length
+      ? "true"
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:cargo:usesMaturin",
+    cargoData?.package?.metadata?.maturin ? "true" : undefined,
+  );
+  return component;
+}
+
+function parsePyProject(filePath) {
+  let pyprojectData;
+  try {
+    pyprojectData = toml.parse(readFileSync(filePath, { encoding: "utf-8" }));
+  } catch {
+    return undefined;
+  }
+  const buildBackend = pyprojectData?.["build-system"]?.["build-backend"];
+  const toolMaturin = pyprojectData?.tool?.maturin;
+  if (
+    !toolMaturin &&
+    (typeof buildBackend !== "string" || !buildBackend.includes("maturin"))
+  ) {
+    return undefined;
+  }
+  const component = createFormulationComponent(
+    pyprojectData?.project?.name ||
+      basename(dirname(filePath)) ||
+      "maturin-project",
+    filePath,
+    "maturin",
+  );
+  const properties = component.properties;
+  appendProperty(properties, "cdx:rust:buildTool", "maturin");
+  appendProperty(properties, "cdx:maturin:buildBackend", buildBackend);
+  appendProperty(
+    properties,
+    "cdx:maturin:moduleName",
+    toolMaturin?.["module-name"] || toolMaturin?.module_name,
+  );
+  appendProperty(properties, "cdx:maturin:bindings", toolMaturin?.bindings);
+  appendProperty(
+    properties,
+    "cdx:maturin:compatibility",
+    toolMaturin?.compatibility,
+  );
+  appendProperty(
+    properties,
+    "cdx:maturin:features",
+    Array.isArray(toolMaturin?.features)
+      ? toolMaturin.features.join(", ")
+      : undefined,
+  );
+  appendProperty(
+    properties,
+    "cdx:maturin:manifestPath",
+    toolMaturin?.manifest_path || toolMaturin?.["manifest-path"],
+  );
+  appendProperty(
+    properties,
+    "cdx:maturin:strip",
+    toolMaturin?.strip === true ? "true" : undefined,
+  );
+  return component;
+}
+
+export const rustFormulationParser = {
+  id: "rust-build",
+  patterns: ["**/Cargo.toml", "**/pyproject.toml"],
+  parse(files) {
+    const components = [];
+    for (const filePath of files || []) {
+      if (filePath.endsWith("Cargo.toml")) {
+        const cargoComponent = parseCargoManifest(filePath);
+        if (cargoComponent) {
+          components.push(cargoComponent);
+        }
+        continue;
+      }
+      if (filePath.endsWith("pyproject.toml")) {
+        const pyprojectComponent = parsePyProject(filePath);
+        if (pyprojectComponent) {
+          components.push(pyprojectComponent);
+        }
+      }
+    }
+    return { components };
+  },
+};

package/lib/helpers/source.js

@@ -9,13 +9,18 @@ import { coerce, diff, prerelease } from "semver";
 import { thoughtLog } from "./logger.js";
 import {
   cdxgenAgent,
+  createDryRunError,
   DEBUG_MODE,
   fetchPomXmlAsJson,
   getTmpDir,
   hasDangerousUnicode,
+  isDryRun,
   isSecureMode,
   isValidDriveRoot,
   isWin,
+  recordActivity,
+  safeMkdtempSync,
+  safeRmSync,
   safeSpawnSync,
 } from "./utils.js";
 
@@ -568,7 +573,21 @@ export function gitClone(repoUrl, branch = null) {
   if (!/^[a-zA-Z0-9_-]+$/.test(baseDirName)) {
     baseDirName = "repo-";
   }
-  const tempDir = fs.mkdtempSync(path.join(getTmpDir(), baseDirName));
+  if (isDryRun) {
+    const error = createDryRunError(
+      "clone",
+      repoUrl,
+      "Dry run mode blocks repository cloning.",
+    );
+    recordActivity({
+      kind: "clone",
+      reason: error.message,
+      status: "blocked",
+      target: repoUrl,
+    });
+    return path.join(getTmpDir(), `${baseDirName}${path.sep}dry-run-clone`);
+  }
+  const tempDir = safeMkdtempSync(path.join(getTmpDir(), baseDirName));
 
   const gitArgs = [
     "-c",
@@ -1262,6 +1281,6 @@ export function cleanupSourceDir(srcDir) {
     fs.rmSync
   ) {
     thoughtLog(`Cleaning up ${srcDir}`);
-    fs.rmSync(srcDir, { recursive: true, force: true });
+    safeRmSync(srcDir, { recursive: true, force: true });
   }
 }

package/lib/helpers/source.poku.js

@@ -7,6 +7,44 @@ import { assert, describe, it } from "poku";
 import sinon from "sinon";
 
 describe("source helper purl resolution", () => {
+  it("gitClone() records a blocked clone in dry-run mode", async () => {
+    const recordActivity = sinon.stub();
+    const safeSpawnSync = sinon.stub();
+    const { gitClone } = await esmock("./source.js", {
+      "./utils.js": {
+        cdxgenAgent: { get: sinon.stub() },
+        createDryRunError: (action, target, reason) => {
+          const error = new Error(reason);
+          error.action = action;
+          error.code = "CDXGEN_DRY_RUN";
+          error.target = target;
+          error.dryRun = true;
+          return error;
+        },
+        DEBUG_MODE: false,
+        fetchPomXmlAsJson: sinon.stub(),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+        hasDangerousUnicode: sinon.stub().returns(false),
+        isDryRun: true,
+        isSecureMode: false,
+        isValidDriveRoot: sinon.stub().returns(true),
+        isWin: false,
+        recordActivity,
+        safeMkdtempSync: sinon.stub(),
+        safeRmSync: sinon.stub(),
+        safeSpawnSync,
+      },
+    });
+
+    const clonedPath = gitClone("https://github.com/cdxgen/cdxgen.git", "main");
+
+    assert.ok(clonedPath.includes("dry-run-clone"));
+    sinon.assert.notCalled(safeSpawnSync);
+    sinon.assert.calledOnce(recordActivity);
+    assert.strictEqual(recordActivity.firstCall.args[0].kind, "clone");
+    assert.strictEqual(recordActivity.firstCall.args[0].status, "blocked");
+  });
+
   it("resolves npm purl to repository URL", async () => {
     const getStub = sinon.stub().resolves({
       body: {