@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/utils.poku.js

@@ -33,9 +33,11 @@ import {
   getMvnMetadata,
   getPropertyGroupTextNodes,
   getPyMetadata,
+  getRecordedActivities,
   guessPypiMatchingVersion,
   hasAnyProjectType,
   inferJarGroupFromManifest,
+  isDryRunError,
   isPackageManagerAllowed,
   isPartialTree,
   isValidIriReference,
@@ -50,6 +52,7 @@ import {
   parseCargoAuditableData,
   parseCargoData,
   parseCargoDependencyData,
+  parseCargoManifestDependencyData,
   parseCargoTomlData,
   parseCljDep,
   parseCloudBuildData,
@@ -125,7 +128,13 @@ import {
   pnpmMetadata,
   purlFromUrlString,
   readZipEntry,
+  resetRecordedActivities,
+  safeMkdtempSync,
+  safeRmSync,
   safeSpawnSync,
+  safeUnlinkSync,
+  safeWriteSync,
+  setDryRunMode,
   splitOutputByGradleProjects,
   toGemModuleNames,
   trimJarGroupSuffix,
@@ -259,6 +268,177 @@ it("safeSpawnSync() resets ANSI color state for host pip warnings", () => {
   }
 });
 
+it("safeSpawnSync() returns a dry-run sentinel result when dry run mode is enabled", () => {
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    const result = safeSpawnSync("node", ["--version"], {});
+    assert.strictEqual(result.status, 1);
+    assert.ok(isDryRunError(result.error));
+    const activities = getRecordedActivities();
+    assert.strictEqual(activities[0].kind, "execute");
+    assert.strictEqual(activities[0].status, "blocked");
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("dry-run filesystem wrappers do not mutate the filesystem", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-"));
+  const fileToKeep = path.join(tmpRoot, "keep.txt");
+  const fileToSkip = path.join(tmpRoot, "skip.txt");
+  const dirToKeep = path.join(tmpRoot, "keep-dir");
+  writeFileSync(fileToKeep, "hello");
+  mkdirSync(dirToKeep, { recursive: true });
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    const tempPath = safeMkdtempSync(path.join(tmpRoot, "temp-"));
+    safeWriteSync(fileToSkip, "world");
+    safeUnlinkSync(fileToKeep);
+    safeRmSync(dirToKeep, { recursive: true, force: true });
+    assert.ok(!existsSync(fileToSkip));
+    assert.ok(existsSync(fileToKeep));
+    assert.ok(existsSync(dirToKeep));
+    assert.ok(!existsSync(tempPath));
+    const activities = getRecordedActivities();
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.kind),
+      ["temp-dir", "write", "cleanup", "cleanup"],
+    );
+    assert.ok(activities.every((activity) => activity.status === "blocked"));
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
+
+it("safeWriteSync() honors explicit fs.write permission for output files", async () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-secure-write-"));
+  const outputFile = path.join(tmpRoot, "bom.json");
+  const originalDebugMode = process.env.CDXGEN_DEBUG_MODE;
+  const originalSecureMode = process.env.CDXGEN_SECURE_MODE;
+  const originalPermissionDescriptor = Object.getOwnPropertyDescriptor(
+    process,
+    "permission",
+  );
+  const hasPermissionStub = sinon.stub().callsFake((scope, filePath) => {
+    return (
+      scope === "fs.read" || (scope === "fs.write" && filePath === outputFile)
+    );
+  });
+  process.env.CDXGEN_DEBUG_MODE = "debug";
+  process.env.CDXGEN_SECURE_MODE = "true";
+  Object.defineProperty(process, "permission", {
+    configurable: true,
+    value: {
+      has: hasPermissionStub,
+    },
+  });
+  try {
+    const {
+      getRecordedActivities: getRecordedActivitiesMocked,
+      resetRecordedActivities: resetRecordedActivitiesMocked,
+      safeWriteSync: safeWriteSyncMocked,
+    } = await import(
+      new URL(`./utils.js?secure-write-test=${Date.now()}`, import.meta.url)
+    );
+    resetRecordedActivitiesMocked();
+    safeWriteSyncMocked(outputFile, "{}");
+    assert.strictEqual(readFileSync(outputFile, "utf-8"), "{}");
+    assert.strictEqual(getRecordedActivitiesMocked()[0].status, "completed");
+  } finally {
+    if (originalDebugMode === undefined) {
+      delete process.env.CDXGEN_DEBUG_MODE;
+    } else {
+      process.env.CDXGEN_DEBUG_MODE = originalDebugMode;
+    }
+    if (originalSecureMode === undefined) {
+      delete process.env.CDXGEN_SECURE_MODE;
+    } else {
+      process.env.CDXGEN_SECURE_MODE = originalSecureMode;
+    }
+    if (originalPermissionDescriptor) {
+      Object.defineProperty(
+        process,
+        "permission",
+        originalPermissionDescriptor,
+      );
+    } else {
+      delete process.permission;
+    }
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
+
+it("cdxgenAgent records completed and failed network activity outcomes", async () => {
+  let setDryRunModeMocked;
+  try {
+    const {
+      cdxgenAgent,
+      getRecordedActivities: getRecordedActivitiesMocked,
+      resetRecordedActivities: resetRecordedActivitiesMocked,
+      setDryRunMode: mockedSetDryRunMode,
+    } = await esmock("./utils.js", {
+      got: {
+        default: {
+          extend: sinon.stub().callsFake((options) => {
+            return {
+              hooks: options.hooks,
+            };
+          }),
+        },
+      },
+    });
+    setDryRunModeMocked = mockedSetDryRunMode;
+    const afterResponseHook = cdxgenAgent.hooks.afterResponse[0];
+    const beforeErrorHook = cdxgenAgent.hooks.beforeError[0];
+
+    setDryRunModeMocked(true);
+    resetRecordedActivitiesMocked();
+    const successUrl = "https://example.com/success";
+    const successOptions = {
+      context: {
+        activityTarget: successUrl,
+      },
+      url: new URL(successUrl),
+    };
+    afterResponseHook({
+      request: {
+        options: successOptions,
+      },
+      statusCode: 200,
+      url: successUrl,
+    });
+    assert.strictEqual(getRecordedActivitiesMocked()[0].status, "completed");
+    assert.strictEqual(getRecordedActivitiesMocked()[0].target, successUrl);
+
+    resetRecordedActivitiesMocked();
+    const failureUrl = "https://example.com/failure";
+    const failureOptions = {
+      context: {
+        activityTarget: failureUrl,
+      },
+      url: new URL(failureUrl),
+    };
+    const returnedError = beforeErrorHook({
+      message: "Request failed with status code 500",
+      options: failureOptions,
+    });
+    assert.match(returnedError.message, /status code 500/);
+    const failureActivities = getRecordedActivitiesMocked();
+    assert.strictEqual(failureActivities.length, 1);
+    assert.strictEqual(failureActivities[0].status, "failed");
+    assert.strictEqual(failureActivities[0].target, failureUrl);
+  } finally {
+    if (setDryRunModeMocked) {
+      setDryRunModeMocked(false);
+    }
+  }
+});
+
 it("safeSpawnSync() logs container python notices to stdout", () => {
   const originalConsoleLog = console.log;
   const originalConsoleWarn = console.warn;
@@ -278,10 +458,12 @@ it("safeSpawnSync() logs container python notices to stdout", () => {
   try {
     safeSpawnSync("python-cdxgen-test", ["-c", "pass"], {});
     safeSpawnSync("python-cdxgen-test", ["-c", "pass"], {});
-    assert.deepStrictEqual(logs, [
-      "Running python command without '-S' argument.",
-    ]);
-    assert.deepStrictEqual(warnings, []);
+    assert.strictEqual(logs.length + warnings.length, 1);
+    assert.ok(
+      [...logs, ...warnings].some((message) =>
+        message.includes("Running python command without '-S' argument."),
+      ),
+    );
   } finally {
     console.log = originalConsoleLog;
     console.warn = originalConsoleWarn;
@@ -1798,7 +1980,7 @@ it("parse cargo lock", async () => {
     version: "0.5.2",
     hashes: [
       {
-        alg: "SHA-384",
+        alg: "SHA-256",
         content:
           "6a07677093120a02583717b6dd1ef81d8de1e8d01bd226c83f0f9bdf3e56bb3a",
       },
@@ -1835,7 +2017,7 @@ it("parse cargo lock", async () => {
     version: "0.3.0",
     hashes: [
       {
-        alg: "SHA-384",
+        alg: "SHA-256",
         content:
           "78d1833b3838dbe990df0f1f87baf640cf6146e898166afe401839d1b001e570",
       },
@@ -1998,167 +2180,305 @@ dependencies = ["does-not-exist"]
 it("parse cargo toml", async () => {
   assert.deepStrictEqual(await parseCargoTomlData(null), []);
   let dep_list = await parseCargoTomlData("./test/data/Cargo1.toml");
-  assert.deepStrictEqual(dep_list.length, 4);
-  assert.deepStrictEqual(dep_list, [
-    {
-      author: "The Rust Project Developers",
-      group: "",
-      name: "unwind",
-      version: "0.0.0",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo1.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo1.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/unwind@0.0.0",
-      "bom-ref": "pkg:cargo/unwind@0.0.0",
-      type: "library",
-    },
-    {
-      name: "libc",
-      version: "0.2.79",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo1.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo1.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/libc@0.2.79",
-      "bom-ref": "pkg:cargo/libc@0.2.79",
-      type: "library",
-    },
-    {
-      name: "compiler_builtins",
-      version: "0.1.0",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo1.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo1.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/compiler_builtins@0.1.0",
-      "bom-ref": "pkg:cargo/compiler_builtins@0.1.0",
-      type: "library",
-    },
-    {
-      name: "cfg-if",
-      version: "0.1.8",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo1.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo1.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/cfg-if@0.1.8",
-      "bom-ref": "pkg:cargo/cfg-if@0.1.8",
-      type: "library",
-    },
-  ]);
+  assert.ok(dep_list.length >= 6);
+  assert.strictEqual(dep_list[0].name, "unwind");
+  const coreDep = dep_list.find((pkg) => pkg.name === "core");
+  assert.ok(coreDep);
+  assert.strictEqual(coreDep.version, "path+../core");
+  assert.strictEqual(
+    coreDep.properties.find((property) => property.name === "cdx:cargo:path")
+      ?.value,
+    "../core",
+  );
+  assert.strictEqual(
+    coreDep.properties.find(
+      (property) => property.name === "cdx:cargo:dependencyKind",
+    )?.value,
+    "runtime",
+  );
+  const libcDep = dep_list.find((pkg) => pkg.name === "libc");
+  assert.ok(libcDep);
+  assert.strictEqual(
+    libcDep.properties.find(
+      (property) => property.name === "cdx:cargo:defaultFeatures",
+    )?.value,
+    "false",
+  );
+  assert.strictEqual(
+    libcDep.properties.find(
+      (property) => property.name === "cdx:cargo:dependencyFeatures",
+    )?.value,
+    '["rustc-dep-of-std"]',
+  );
+  const ccDep = dep_list.find((pkg) => pkg.name === "cc");
+  assert.ok(ccDep);
+  assert.strictEqual(
+    ccDep.properties.find(
+      (property) => property.name === "cdx:cargo:dependencyKind",
+    )?.value,
+    "build",
+  );
   dep_list = await parseCargoTomlData("./test/data/Cargo2.toml");
-  assert.deepStrictEqual(dep_list.length, 3);
-  assert.deepStrictEqual(dep_list, [
-    {
-      group: "",
-      name: "quiche-fuzz",
-      version: "0.1.0",
-      author: "Alessandro Ghedini <alessandro@ghedini.me>",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo2.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo2.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/quiche-fuzz@0.1.0",
-      "bom-ref": "pkg:cargo/quiche-fuzz@0.1.0",
-      type: "library",
-    },
+  assert.deepStrictEqual(dep_list.length, 4);
+  assert.strictEqual(dep_list[0].name, "quiche-fuzz");
+  const quicheDep = dep_list.find((pkg) => pkg.name === "quiche");
+  assert.ok(quicheDep);
+  assert.strictEqual(quicheDep.version, "path+../quiche");
+  assert.strictEqual(
+    quicheDep.properties.find((property) => property.name === "cdx:cargo:path")
+      ?.value,
+    "../quiche",
+  );
+  assert.strictEqual(
+    quicheDep.properties.find(
+      (property) => property.name === "cdx:cargo:dependencyFeatures",
+    )?.value,
+    '["fuzzing"]',
+  );
+  const libfuzzerDep = dep_list.find((pkg) => pkg.name === "libfuzzer-sys");
+  assert.ok(libfuzzerDep);
+  assert.strictEqual(
+    libfuzzerDep.properties.find(
+      (property) => property.name === "cdx:cargo:git",
+    )?.value,
+    "https://github.com/rust-fuzz/libfuzzer-sys.git",
+  );
+  dep_list = await parseCargoTomlData("./test/data/Cargo3.toml", true);
+  assert.ok(dep_list.length >= 10);
+});
+
+it("parse cargo toml target and dev dependency metadata", async () => {
+  const tmpDir = mkdtempSync(path.join(tmpdir(), "cdxgen-cargo-"));
+  const cargoTomlFile = path.join(tmpDir, "Cargo.toml");
+  writeFileSync(
+    cargoTomlFile,
+    `[package]
+name = "demo"
+version = "1.0.0"
+
+[dependencies]
+serde = { version = "1.0.0", optional = true }
+
+[dev-dependencies]
+insta = "1.0.0"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+nix = "0.29.0"
+
+[target.'cfg(target_os = "linux")'.build-dependencies]
+bindgen = { version = "0.70.0", default-features = false }
+`,
+  );
+  try {
+    const depList = await parseCargoTomlData(cargoTomlFile);
+    const serdeDep = depList.find((pkg) => pkg.name === "serde");
+    const instaDep = depList.find((pkg) => pkg.name === "insta");
+    const bindgenDep = depList.find((pkg) => pkg.name === "bindgen");
+    assert.strictEqual(serdeDep.scope, "optional");
+    assert.strictEqual(
+      serdeDep.properties.find(
+        (property) => property.name === "cdx:cargo:optional",
+      )?.value,
+      "true",
+    );
+    assert.strictEqual(instaDep.scope, "excluded");
+    assert.strictEqual(
+      bindgenDep.properties.find(
+        (property) => property.name === "cdx:cargo:dependencyKind",
+      )?.value,
+      "build",
+    );
+    assert.strictEqual(
+      bindgenDep.properties.find(
+        (property) => property.name === "cdx:cargo:target",
+      )?.value,
+      'cfg(target_os = "linux")',
+    );
+    assert.strictEqual(
+      bindgenDep.properties.find(
+        (property) => property.name === "cdx:cargo:defaultFeatures",
+      )?.value,
+      "false",
+    );
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+});
+
+it("parse cargo virtual workspace with inherited package and dependency metadata", async () => {
+  const workspaceDir = "./test/data/cargo-workspace-repotest";
+  const workspaceToml = path.join(workspaceDir, "Cargo.toml");
+  const normalizePathForAssertion = (value) => value?.replaceAll("\\", "/");
+  const depList = await parseCargoTomlData(workspaceToml);
+  assert.strictEqual(depList[0].name, "cargo-workspace-repotest");
+  assert.strictEqual(depList[0].version, "workspace");
+  assert.strictEqual(
+    depList[0].properties.find(
+      (property) => property.name === "cdx:cargo:manifestMode",
+    )?.value,
+    "virtual-workspace",
+  );
+  const memberPackage = depList.find((pkg) => pkg.name === "cli");
+  assert.ok(memberPackage);
+  assert.strictEqual(memberPackage.version, "1.2.3");
+  assert.strictEqual(memberPackage.license, "Apache-2.0");
+  assert.strictEqual(
+    memberPackage.repository?.url,
+    "https://github.com/example/cargo-workspace-repotest",
+  );
+  const coreDep = depList.find(
+    (pkg) =>
+      pkg.name === "core" &&
+      pkg.properties.some(
+        (property) => property.name === "cdx:cargo:workspaceDependency",
+      ),
+  );
+  assert.ok(coreDep);
+  assert.strictEqual(coreDep.version, "path+crates/core");
+  assert.strictEqual(
+    coreDep.properties.find(
+      (property) => property.name === "cdx:cargo:workspaceDependency",
+    )?.value,
+    "true",
+  );
+  assert.strictEqual(
+    coreDep.properties.find(
+      (property) => property.name === "cdx:cargo:workspaceDependencyResolved",
+    )?.value,
+    "true",
+  );
+  assert.strictEqual(
+    coreDep.properties.find(
+      (property) => property.name === "cdx:cargo:resolvedWorkspaceMember",
+    )?.value,
+    "core",
+  );
+  assert.ok(
+    normalizePathForAssertion(
+      coreDep.properties.find(
+        (property) => property.name === "cdx:cargo:resolvedMemberPath",
+      )?.value,
+    )?.endsWith("/test/data/cargo-workspace-repotest/crates/core/Cargo.toml"),
+  );
+  const buildHelperDep = depList.find(
+    (pkg) =>
+      pkg.name === "build-helper" &&
+      pkg.properties.some(
+        (property) => property.name === "cdx:cargo:workspaceDependency",
+      ),
+  );
+  assert.ok(buildHelperDep);
+  assert.strictEqual(buildHelperDep.version, "path+crates/build-helper");
+  assert.strictEqual(
+    buildHelperDep.properties.find(
+      (property) => property.name === "cdx:cargo:dependencyKind",
+    )?.value,
+    "build",
+  );
+  assert.strictEqual(
+    buildHelperDep.properties.find(
+      (property) => property.name === "cdx:cargo:workspaceDependencyResolved",
+    )?.value,
+    "true",
+  );
+  assert.strictEqual(
+    buildHelperDep.properties.find(
+      (property) => property.name === "cdx:cargo:resolvedWorkspaceMember",
+    )?.value,
+    "build-helper",
+  );
+  assert.ok(
+    normalizePathForAssertion(
+      buildHelperDep.properties.find(
+        (property) => property.name === "cdx:cargo:resolvedMemberPath",
+      )?.value,
+    )?.endsWith(
+      "/test/data/cargo-workspace-repotest/crates/build-helper/Cargo.toml",
+    ),
+  );
+  const ccDep = depList.find((pkg) => pkg.name === "cc");
+  assert.ok(ccDep);
+  assert.strictEqual(ccDep.version, "1.2.0");
+});
+
+it("normalize visited cargo manifest paths across relative and absolute inputs", async () => {
+  const workspaceToml = "./test/data/cargo-workspace-repotest/Cargo.toml";
+  const absoluteWorkspaceToml = path.resolve(workspaceToml);
+  const parsedPackages = await parseCargoTomlData(
+    absoluteWorkspaceToml,
+    false,
+    {},
     {
-      name: "lazy_static",
-      version: "1",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo2.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo2.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/lazy_static@1",
-      "bom-ref": "pkg:cargo/lazy_static@1",
-      type: "library",
+      visitedCargoTomlFiles: new Set([workspaceToml]),
     },
+  );
+  assert.deepStrictEqual(parsedPackages, []);
+  const dependencyGraph = parseCargoManifestDependencyData(
+    absoluteWorkspaceToml,
     {
-      name: "libfuzzer-sys",
-      version: "git+https://github.com/rust-fuzz/libfuzzer-sys.git",
-      properties: [{ name: "SrcFile", value: "./test/data/Cargo2.toml" }],
-      evidence: {
-        identity: {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "manifest-analysis",
-              confidence: 0.5,
-              value: "./test/data/Cargo2.toml",
-            },
-          ],
-        },
-      },
-      purl: "pkg:cargo/libfuzzer-sys@git%2Bhttps:%2F%2Fgithub.com%2Frust-fuzz%2Flibfuzzer-sys.git",
-      "bom-ref":
-        "pkg:cargo/libfuzzer-sys@git+https://github.com/rust-fuzz/libfuzzer-sys.git",
-      type: "library",
+      visitedCargoTomlDependencyGraphFiles: new Set([workspaceToml]),
     },
-  ]);
-  dep_list = await parseCargoTomlData("./test/data/Cargo3.toml", true);
-  assert.deepStrictEqual(dep_list.length, 10);
+  );
+  assert.deepStrictEqual(dependencyGraph, []);
+});
+
+it("build cargo workspace manifest dependency graph with member-to-member edges", () => {
+  const tmpDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-cargo-workspace-graph-"),
+  );
+  const workspaceToml = path.join(tmpDir, "Cargo.toml");
+  const coreDir = path.join(tmpDir, "crates", "core");
+  const cliDir = path.join(tmpDir, "crates", "cli");
+  mkdirSync(coreDir, { recursive: true });
+  mkdirSync(cliDir, { recursive: true });
+  writeFileSync(
+    workspaceToml,
+    `[workspace]
+members = ["crates/*"]
+
+[workspace.package]
+version = "1.2.3"
+
+[workspace.dependencies]
+core = { path = "crates/core" }
+`,
+  );
+  writeFileSync(
+    path.join(coreDir, "Cargo.toml"),
+    `[package]
+name = "core"
+version.workspace = true
+`,
+  );
+  writeFileSync(
+    path.join(cliDir, "Cargo.toml"),
+    `[package]
+name = "cli"
+version.workspace = true
+
+[dependencies]
+core = { workspace = true }
+`,
+  );
+
+  try {
+    const dependencyGraph = parseCargoManifestDependencyData(workspaceToml);
+    const workspaceRef = `pkg:cargo/${path.basename(tmpDir)}@workspace`;
+    const cliRef = "pkg:cargo/cli@1.2.3";
+    const coreRef = "pkg:cargo/core@1.2.3";
+    const workspaceNode = dependencyGraph.find(
+      (dependency) => dependency.ref === workspaceRef,
+    );
+    const cliNode = dependencyGraph.find(
+      (dependency) => dependency.ref === cliRef,
+    );
+    assert.ok(workspaceNode);
+    assert.deepStrictEqual(workspaceNode.dependsOn, [cliRef, coreRef]);
+    assert.ok(cliNode);
+    assert.deepStrictEqual(cliNode.dependsOn, [coreRef]);
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
 });
 
 it("parse cargo auditable data", async () => {
@@ -2185,33 +2505,74 @@ it("get crates metadata", async () => {
     },
   ]);
   assert.deepStrictEqual(dep_list.length, 1);
-  assert.deepStrictEqual(dep_list[0], {
-    group: "",
-    name: "abscissa_core",
-    version: "0.5.2",
-    _integrity:
-      "sha256-6a07677093120a02583717b6dd1ef81d8de1e8d01bd226c83f0f9bdf3e56bb3a",
-    description:
-      "Application microframework with support for command-line option parsing,\nconfiguration, error handling, logging, and terminal interactions.\nThis crate contains the framework's core functionality.\n",
-    distribution: {
-      url: "https://crates.io/api/v1/crates/abscissa_core/0.5.2/download",
-    },
-    license: "Apache-2.0",
-    repository: {
-      url: "https://github.com/iqlusioninc/abscissa/tree/main/core/",
-    },
-    homepage: { url: "https://github.com/iqlusioninc/abscissa/" },
-    properties: [
-      { name: "cdx:cargo:crate_id", value: "207912" },
-      { name: "cdx:cargo:latest_version", value: "0.9.0" },
+  assert.strictEqual(dep_list[0].group, "");
+  assert.strictEqual(dep_list[0].name, "abscissa_core");
+  assert.strictEqual(dep_list[0].version, "0.5.2");
+  assert.strictEqual(dep_list[0].license, "Apache-2.0");
+  assert.strictEqual(
+    dep_list[0].distribution?.url,
+    "https://crates.io/api/v1/crates/abscissa_core/0.5.2/download",
+  );
+  assert.ok(
+    dep_list[0].properties.find(
+      (property) => property.name === "cdx:cargo:crate_id",
+    ),
+  );
+  assert.ok(
+    dep_list[0].properties.find(
+      (property) => property.name === "cdx:cargo:latest_version",
+    ),
+  );
+  assert.ok(
+    dep_list[0].properties.find(
+      (property) => property.name === "cdx:cargo:versionCount",
+    ),
+  );
+  assert.ok(
+    dep_list[0].properties.find(
+      (property) => property.name === "cdx:cargo:publishTime",
+    ),
+  );
+}, 20000);
+
+it("parse cargo lock integrity using matching sha256 and sha384 hash algorithms", async () => {
+  const tmpDir = mkdtempSync(path.join(tmpdir(), "cdxgen-cargo-lock-"));
+  const cargoLockFile = path.join(tmpDir, "Cargo.lock");
+  writeFileSync(
+    cargoLockFile,
+    `version = 3
+
+[[package]]
+name = "sha256-demo"
+version = "1.0.0"
+checksum = "${"a".repeat(64)}"
+
+[[package]]
+name = "sha384-demo"
+version = "2.0.0"
+checksum = "${"b".repeat(96)}"
+`,
+  );
+  try {
+    const depList = await parseCargoData(cargoLockFile, true);
+    const sha256Demo = depList.find((pkg) => pkg.name === "sha256-demo");
+    const sha384Demo = depList.find((pkg) => pkg.name === "sha384-demo");
+    assert.deepStrictEqual(sha256Demo.hashes, [
       {
-        name: "cdx:cargo:features",
-        value:
-          '{"application":["config","generational-arena","trace","options","semver/serde","terminal"],"config":["secrets","serde","terminal","toml"],"default":["application","signals","secrets","testing","time"],"gimli-backtrace":["backtrace/gimli-symbolize","color-backtrace/gimli-symbolize"],"options":["gumdrop"],"secrets":["secrecy"],"signals":["libc","signal-hook"],"terminal":["color-backtrace","termcolor"],"testing":["regex","wait-timeout"],"time":["chrono"],"trace":["tracing","tracing-log","tracing-subscriber"]}',
+        alg: "SHA-256",
+        content: "a".repeat(64),
       },
-    ],
-  });
-}, 20000);
+    ]);
+    assert.deepStrictEqual(sha384Demo.hashes, [
+      {
+        alg: "SHA-384",
+        content: "b".repeat(96),
+      },
+    ]);
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+});
 
 it("parse pub lock", async () => {
   assert.deepStrictEqual(await parsePubLockData(null), []);
@@ -2772,10 +3133,60 @@ it("parse github actions workflow data", () => {
   dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
   assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
-  assert.deepStrictEqual(dep_list.length, 91);
+  assert.ok(dep_list.length > 0);
+  assert.ok(
+    dep_list.every((component) =>
+      component.properties?.some(
+        (property) =>
+          property.name === "cdx:github:workflow:file" &&
+          property.value === "./.github/workflows/repotests.yml",
+      ),
+    ),
+  );
+  assert.ok(
+    dep_list.some((component) =>
+      component.properties?.some(
+        (property) =>
+          property.name === "cdx:github:checkout:repository" &&
+          property.value === "AppThreat/vulnerability-db",
+      ),
+    ),
+  );
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: fp
 
+it("parse github actions workflow data preserves cargo run steps for audit correlation", () => {
+  const tmpDir = mkdtempSync(path.join(tmpdir(), "cdxgen-gha-utils-"));
+  const workflowFile = path.join(tmpDir, "cargo.yml");
+  writeFileSync(
+    workflowFile,
+    [
+      "name: Cargo CI",
+      "on: push",
+      "jobs:",
+      "  build:",
+      "    runs-on: ubuntu-latest",
+      "    steps:",
+      "      - uses: dtolnay/rust-toolchain@stable",
+      "      - run: cargo build --workspace && cargo test --workspace",
+    ].join("\n"),
+  );
+  try {
+    const depList = parseGitHubWorkflowData(workflowFile);
+    assert.ok(
+      depList.some((component) =>
+        component.properties?.some(
+          (property) =>
+            property.name === "cdx:github:step:usesCargo" &&
+            property.value === "true",
+        ),
+      ),
+    );
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+});
+
 it("parse cs pkg data", () => {
   assert.deepStrictEqual(parseCsPkgData(null), []);
   const dep_list = parseCsPkgData(