@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/vsixutils.js

@@ -1,4 +1,4 @@
-import { mkdtempSync, readdirSync, readFileSync, rmSync } from "node:fs";
+import { readdirSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { basename, join, resolve } from "node:path";
 import process from "node:process";
@@ -13,6 +13,9 @@ import {
   isMac,
   isWin,
   safeExistsSync,
+  safeExtractArchive,
+  safeMkdtempSync,
+  safeRmSync,
 } from "./utils.js";
 import { toVersRange } from "./versutils.js";
 
@@ -804,9 +807,14 @@ export async function extractVsixToTempDir(vsixFile) {
   let tempDir;
   let zip;
   try {
-    tempDir = mkdtempSync(join(getTmpDir(), "vsix-deps-"));
+    tempDir = safeMkdtempSync(join(getTmpDir(), "vsix-deps-"));
     zip = new StreamZip.async({ file: vsixFile });
-    await zip.extract(null, tempDir);
+    const extracted = await safeExtractArchive(vsixFile, tempDir, async () => {
+      await zip.extract(null, tempDir);
+    });
+    if (!extracted) {
+      return undefined;
+    }
     // Most vsix files have content under extension/ subdirectory
     const extensionSubDir = join(tempDir, "extension");
     if (safeExistsSync(extensionSubDir)) {
@@ -854,7 +862,7 @@ export function cleanupTempDir(tempDir) {
       dirBaseName.startsWith("vsix-deps-") &&
       resolve(dirToRemove, "..") === expectedBase
     ) {
-      rmSync(dirToRemove, { recursive: true, force: true });
+      safeRmSync(dirToRemove, { recursive: true, force: true });
     }
   } catch (_e) {
     // Best effort cleanup

package/lib/helpers/vsixutils.poku.js

@@ -9,7 +9,9 @@ import {
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 
+import esmock from "esmock";
 import { describe, it } from "poku";
+import sinon from "sinon";
 
 import {
   cleanupTempDir,
@@ -40,6 +42,38 @@ describe("VSCODE_EXTENSION_PURL_TYPE", () => {
   });
 });
 
+describe("extractVsixToTempDir()", () => {
+  it("returns undefined when dry-run blocks vsix extraction", async () => {
+    const safeExtractArchive = sinon.stub().resolves(false);
+    const zipClose = sinon.stub().resolves();
+    const { extractVsixToTempDir } = await esmock("./vsixutils.js", {
+      "node-stream-zip": {
+        default: {
+          async: sinon.stub().returns({
+            close: zipClose,
+          }),
+        },
+      },
+      "./utils.js": {
+        DEBUG_MODE: false,
+        getTmpDir: sinon.stub().returns("/tmp"),
+        isMac: false,
+        isWin: false,
+        safeExistsSync: sinon.stub().returns(false),
+        safeExtractArchive,
+        safeMkdtempSync: sinon.stub().returns("/tmp/vsix-deps-test"),
+        safeRmSync: sinon.stub(),
+      },
+    });
+
+    const extractedDir = await extractVsixToTempDir("/tmp/sample.vsix");
+
+    assert.strictEqual(extractedDir, undefined);
+    sinon.assert.calledOnce(safeExtractArchive);
+    sinon.assert.calledOnce(zipClose);
+  });
+});
+
 describe("getIdeExtensionDirs", () => {
   it("should return an array of IDE configurations", () => {
     const ides = getIdeExtensionDirs();

package/lib/managers/binary.js

@@ -1,11 +1,4 @@
-import {
-  lstatSync,
-  mkdtempSync,
-  readFileSync,
-  realpathSync,
-  rmSync,
-  statSync,
-} from "node:fs";
+import { lstatSync, readFileSync, realpathSync, statSync } from "node:fs";
 import { arch as _arch, platform as _platform, homedir } from "node:os";
 import {
   basename,
@@ -30,11 +23,15 @@ import {
   extractPathEnv,
   findLicenseId,
   getTmpDir,
+  isDryRun,
   isSpdxLicenseExpression,
   multiChecksumFile,
+  recordActivity,
   retrieveCdxgenPluginVersion,
   safeExistsSync,
   safeMkdirSync,
+  safeMkdtempSync,
+  safeRmSync,
   safeSpawnSync,
 } from "../helpers/utils.js";
 import { getDirs } from "./containerutils.js";
@@ -451,6 +448,25 @@ export function executeSourcekitten(args) {
  * @returns {Object} Metadata containing packages, dependencies, etc
  */
 export async function getOSPackages(src, imageConfig) {
+  if (isDryRun) {
+    recordActivity({
+      kind: "container",
+      reason:
+        "Dry run mode blocks Trivy-based OS package generation because it executes external tools and writes temporary output.",
+      status: "blocked",
+      target: src,
+    });
+    return {
+      allTypes: new Set(),
+      binPaths: [],
+      bundledRuntimes: new Set(),
+      bundledSdks: new Set(),
+      dependenciesList: [],
+      executables: [],
+      osPackages: [],
+      sharedLibs: [],
+    };
+  }
   const pkgList = [];
   const dependenciesList = [];
   const allTypes = new Set();
@@ -491,7 +507,7 @@ export async function getOSPackages(src, imageConfig) {
     if (safeExistsSync(src)) {
       imageType = "rootfs";
     }
-    const tempDir = mkdtempSync(join(getTmpDir(), "trivy-cdxgen-"));
+    const tempDir = safeMkdtempSync(join(getTmpDir(), "trivy-cdxgen-"));
     const bomJsonFile = join(tempDir, "trivy-bom.json");
     const args = [
       imageType,
@@ -541,9 +557,7 @@ export async function getOSPackages(src, imageConfig) {
         if (DEBUG_MODE) {
           console.log(`Cleaning up ${tempDir}`);
         }
-        if (rmSync) {
-          rmSync(tempDir, { recursive: true, force: true });
-        }
+        safeRmSync(tempDir, { recursive: true, force: true });
       }
       const osReleaseData = {};
       let osReleaseFile;
@@ -1026,6 +1040,16 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
 };
 
 export function executeOsQuery(query) {
+  if (isDryRun) {
+    recordActivity({
+      kind: "osquery",
+      reason:
+        "Dry run mode blocks osquery execution and reports the query instead.",
+      status: "blocked",
+      target: query,
+    });
+    return undefined;
+  }
   if (OSQUERY_BIN) {
     if (!query.endsWith(";")) {
       query = `${query};`;

package/lib/managers/binary.poku.js

@@ -0,0 +1,68 @@
+import esmock from "esmock";
+import { assert, it } from "poku";
+import sinon from "sinon";
+
+async function loadBinaryModule({ utilsOverrides } = {}) {
+  return esmock("./binary.js", {
+    "../helpers/utils.js": {
+      adjustLicenseInformation: sinon.stub(),
+      collectExecutables: sinon.stub().returns([]),
+      collectSharedLibs: sinon.stub().returns([]),
+      DEBUG_MODE: false,
+      dirNameStr: "/tmp",
+      extractPathEnv: sinon.stub().returns([]),
+      findLicenseId: sinon.stub(),
+      getTmpDir: sinon.stub().returns("/tmp"),
+      isDryRun: false,
+      isSpdxLicenseExpression: sinon.stub().returns(false),
+      multiChecksumFile: sinon.stub(),
+      recordActivity: sinon.stub(),
+      retrieveCdxgenPluginVersion: sinon.stub().returns("1.0.0"),
+      safeExistsSync: sinon.stub().returns(false),
+      safeMkdirSync: sinon.stub(),
+      safeMkdtempSync: sinon.stub().returns("/tmp/trivy-cdxgen-test"),
+      safeRmSync: sinon.stub(),
+      safeSpawnSync: sinon
+        .stub()
+        .returns({ status: 1, stdout: "", stderr: "" }),
+      ...utilsOverrides,
+    },
+  });
+}
+
+it("executeOsQuery() reports a blocked dry-run activity", async () => {
+  const recordActivity = sinon.stub();
+  const { executeOsQuery } = await loadBinaryModule({
+    utilsOverrides: {
+      isDryRun: true,
+      recordActivity,
+    },
+  });
+  const result = executeOsQuery("select * from processes");
+  assert.strictEqual(result, undefined);
+  sinon.assert.calledWithMatch(recordActivity, {
+    kind: "osquery",
+    status: "blocked",
+    target: "select * from processes",
+  });
+});
+
+it("getOSPackages() returns empty collections and reports a blocked dry-run activity", async () => {
+  const recordActivity = sinon.stub();
+  const { getOSPackages } = await loadBinaryModule({
+    utilsOverrides: {
+      isDryRun: true,
+      recordActivity,
+    },
+  });
+  const result = await getOSPackages("/tmp/rootfs", {});
+  assert.deepStrictEqual(result.osPackages, []);
+  assert.deepStrictEqual(result.dependenciesList, []);
+  assert.deepStrictEqual(result.binPaths, []);
+  assert.deepStrictEqual(Array.from(result.allTypes), []);
+  sinon.assert.calledWithMatch(recordActivity, {
+    kind: "container",
+    status: "blocked",
+    target: "/tmp/rootfs",
+  });
+});

package/lib/managers/docker.js

@@ -2,11 +2,8 @@ import { Buffer } from "node:buffer";
 import {
   createReadStream,
   lstatSync,
-  mkdtempSync,
   readdirSync,
   readFileSync,
-  rmSync,
-  writeFileSync,
 } from "node:fs";
 import { platform as _platform, userInfo as _userInfo, homedir } from "node:os";
 import { basename, join, resolve, win32 } from "node:path";
@@ -22,9 +19,14 @@ import {
   extractPathEnv,
   getAllFiles,
   getTmpDir,
+  isDryRun,
+  recordActivity,
   safeExistsSync,
   safeMkdirSync,
+  safeMkdtempSync,
+  safeRmSync,
   safeSpawnSync,
+  safeWriteSync,
 } from "../helpers/utils.js";
 import { getDirs, getOnlyDirs } from "./containerutils.js";
 
@@ -393,6 +395,16 @@ const getDefaultOptions = (forRegistry) => {
  *   daemon base URL, or `undefined`
  */
 export const getConnection = async (options, forRegistry) => {
+  if (isDryRun) {
+    recordActivity({
+      kind: "network",
+      reason:
+        "Dry run mode blocks container daemon and registry HTTP requests.",
+      status: "blocked",
+      target: forRegistry || "container-daemon",
+    });
+    return undefined;
+  }
   if (isContainerd || isNerdctl) {
     return undefined;
   }
@@ -507,6 +519,16 @@ export const getConnection = async (options, forRegistry) => {
  *   requests, raw Buffer for other methods, or `undefined` if no client is available
  */
 export const makeRequest = async (path, method, forRegistry) => {
+  if (isDryRun) {
+    recordActivity({
+      kind: "network",
+      reason:
+        "Dry run mode blocks container daemon and registry HTTP requests.",
+      status: "blocked",
+      target: `${method} ${forRegistry || "container-daemon"}/${path}`,
+    });
+    return undefined;
+  }
   const client = await getConnection({}, forRegistry);
   if (!client) {
     return undefined;
@@ -959,6 +981,16 @@ const EXTRACT_EXCLUDE_TYPES = new Set([
  *   empty or a non-fatal error was encountered
  */
 export const extractTar = async (fullImageName, dir, options) => {
+  if (isDryRun) {
+    recordActivity({
+      kind: "untar",
+      reason:
+        "Dry run mode blocks untar and layer extraction operations because they create files on disk.",
+      status: "blocked",
+      target: `${fullImageName} -> ${dir}`,
+    });
+    return false;
+  }
   try {
     await stream.pipeline(
       createReadStream(fullImageName),
@@ -1126,12 +1158,22 @@ const discoverManifestFromBlobs = (tempDir) => {
  * Returns the location of the layers with additional packages related metadata
  */
 export const exportArchive = async (fullImageName, options = {}) => {
+  if (isDryRun) {
+    recordActivity({
+      kind: "container",
+      reason:
+        "Dry run mode blocks container archive expansion and layer materialization.",
+      status: "blocked",
+      target: fullImageName,
+    });
+    return undefined;
+  }
   if (!safeExistsSync(fullImageName)) {
     console.log(`Unable to find container image archive ${fullImageName}`);
     return undefined;
   }
   const manifest = {};
-  const tempDir = mkdtempSync(join(getTmpDir(), "docker-images-"));
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "docker-images-"));
   const allLayersExplodedDir = join(tempDir, "all-layers");
   const blobsDir = join(tempDir, "blobs", "sha256");
   safeMkdirSync(allLayersExplodedDir);
@@ -1163,7 +1205,7 @@ export const exportArchive = async (fullImageName, options = {}) => {
     if (safeExistsSync(blobsDir)) {
       const discoveredManifest = discoverManifestFromBlobs(tempDir);
       if (discoveredManifest?.length) {
-        writeFileSync(
+        safeWriteSync(
           synthesizedManifestFile,
           JSON.stringify(discoveredManifest),
           "utf-8",
@@ -1340,6 +1382,16 @@ export const extractFromManifest = async (
  * Returns the location of the layers with additional packages related metadata
  */
 export const exportImage = async (fullImageName, options) => {
+  if (isDryRun) {
+    recordActivity({
+      kind: "container",
+      reason:
+        "Dry run mode blocks container image pull, save, and export operations.",
+      status: "blocked",
+      target: fullImageName,
+    });
+    return undefined;
+  }
   // Safely ignore local directories
   if (
     !fullImageName ||
@@ -1358,7 +1410,7 @@ export const exportImage = async (fullImageName, options) => {
   if (tag === "" && digest === "") {
     fullImageName = `${fullImageName}:latest`;
   }
-  const tempDir = mkdtempSync(join(getTmpDir(), "docker-images-"));
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "docker-images-"));
   const allLayersExplodedDir = join(tempDir, "all-layers");
   let manifestFile = join(tempDir, "manifest.json");
   // Windows containers use index.json
@@ -1386,9 +1438,7 @@ export const exportImage = async (fullImageName, options) => {
     if (DEBUG_MODE) {
       console.log(`Cleaning up ${imageTarFile}`);
     }
-    if (rmSync) {
-      rmSync(imageTarFile, { force: true });
-    }
+    safeRmSync(imageTarFile, { force: true });
   } else {
     const client = await getConnection({}, registry);
     try {

package/lib/managers/docker.poku.js

@@ -135,12 +135,18 @@ async function loadDockerModule({ clientResponse, utilsOverrides } = {}) {
   };
   const utilsStub = {
     DEBUG_MODE: false,
+    createDryRunError: sinon.stub(),
     extractPathEnv: sinon.stub().returns([]),
     getAllFiles: sinon.stub().returns([]),
     getTmpDir: sinon.stub().returns("/tmp"),
+    isDryRun: false,
+    recordActivity: sinon.stub(),
     safeExistsSync: sinon.stub().returns(false),
     safeMkdirSync: sinon.stub(),
+    safeMkdtempSync: sinon.stub().returns("/tmp/docker-images-test"),
+    safeRmSync: sinon.stub(),
     safeSpawnSync: sinon.stub().returns({ status: 1, stdout: "", stderr: "" }),
+    safeWriteSync: sinon.stub(),
     ...utilsOverrides,
   };
   const dockerModule = await esmock("./docker.js", {
@@ -257,6 +263,61 @@ await it("docker getImage uses nerdctl when DOCKER_CMD is configured", async ()
   }
 });
 
+await it("docker getConnection reports blocked network activity in dry-run mode", async () => {
+  const recordActivity = sinon.stub();
+  const { dockerModule } = await loadDockerModule({
+    utilsOverrides: {
+      isDryRun: true,
+      recordActivity,
+    },
+  });
+  const conn = await dockerModule.getConnection({}, "docker.io");
+  assert.strictEqual(conn, undefined);
+  sinon.assert.calledWithMatch(recordActivity, {
+    kind: "network",
+    status: "blocked",
+    target: "docker.io",
+  });
+});
+
+await it("docker extractTar reports a blocked untar activity in dry-run mode", async () => {
+  const recordActivity = sinon.stub();
+  const { dockerModule } = await loadDockerModule({
+    utilsOverrides: {
+      isDryRun: true,
+      recordActivity,
+    },
+  });
+  const result = await dockerModule.extractTar(
+    "/tmp/image.tar",
+    "/tmp/out",
+    {},
+  );
+  assert.strictEqual(result, false);
+  sinon.assert.calledWithMatch(recordActivity, {
+    kind: "untar",
+    status: "blocked",
+    target: "/tmp/image.tar -> /tmp/out",
+  });
+});
+
+await it("docker exportImage reports a blocked container activity in dry-run mode", async () => {
+  const recordActivity = sinon.stub();
+  const { dockerModule } = await loadDockerModule({
+    utilsOverrides: {
+      isDryRun: true,
+      recordActivity,
+    },
+  });
+  const result = await dockerModule.exportImage("alpine:3.20", {});
+  assert.strictEqual(result, undefined);
+  sinon.assert.calledWithMatch(recordActivity, {
+    kind: "container",
+    status: "blocked",
+    target: "alpine:3.20",
+  });
+});
+
 await it("docker exportImage ignores local directories", async () => {
   const imageData = await exportImage(".");
   assert.strictEqual(imageData, undefined);

package/lib/managers/piptree.js

@@ -4,10 +4,17 @@
  *
  * We use the internal pip api to construct the dependency tree for modern python + pip environments
  */
-import { mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
 import { delimiter, join } from "node:path";
 
-import { getTmpDir, safeExistsSync, safeSpawnSync } from "../helpers/utils.js";
+import {
+  getTmpDir,
+  safeExistsSync,
+  safeMkdtempSync,
+  safeRmSync,
+  safeSpawnSync,
+  safeWriteSync,
+} from "../helpers/utils.js";
 
 const PIP_TREE_PLUGIN_CONTENT = `
 import importlib.metadata as importlib_metadata
@@ -226,11 +233,11 @@ if __name__ == "__main__":
  */
 export const getTreeWithPlugin = (env, python_cmd, basePath) => {
   let tree = [];
-  const tempDir = mkdtempSync(join(getTmpDir(), "cdxgen-piptree-"));
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxgen-piptree-"));
   const pipPlugin = join(tempDir, "piptree.py");
   const pipTreeJson = join(tempDir, "piptree.json");
   const pipPluginArgs = [pipPlugin, pipTreeJson];
-  writeFileSync(pipPlugin, PIP_TREE_PLUGIN_CONTENT);
+  safeWriteSync(pipPlugin, PIP_TREE_PLUGIN_CONTENT);
   if (env.PIP_TARGET) {
     if (!env.PYTHONPATH) {
       env.PYTHONPATH = "";
@@ -255,8 +262,6 @@ export const getTreeWithPlugin = (env, python_cmd, basePath) => {
       }),
     );
   }
-  if (rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
-  }
+  safeRmSync(tempDir, { recursive: true, force: true });
   return tree;
 };

package/lib/managers/piptree.poku.js

@@ -0,0 +1,44 @@
+import path from "node:path";
+
+import esmock from "esmock";
+import { assert, it } from "poku";
+import sinon from "sinon";
+
+it("getTreeWithPlugin() reports dry-run temp-dir, write, execute, and cleanup activity", async () => {
+  const tempDir = path.join(path.sep, "tmp", "cdxgen-piptree-test");
+  const pluginFile = path.join(tempDir, "piptree.py");
+  const outputFile = path.join(tempDir, "piptree.json");
+  const safeMkdtempSync = sinon.stub().returns(tempDir);
+  const safeWriteSync = sinon.stub();
+  const safeSpawnSync = sinon.stub().returns({
+    error: new Error("dry run"),
+    status: 1,
+    stderr: "",
+    stdout: "",
+  });
+  const safeRmSync = sinon.stub();
+  const { getTreeWithPlugin } = await esmock("./piptree.js", {
+    "../helpers/utils.js": {
+      getTmpDir: sinon.stub().returns("/tmp"),
+      safeExistsSync: sinon.stub().returns(false),
+      safeMkdtempSync,
+      safeRmSync,
+      safeSpawnSync,
+      safeWriteSync,
+    },
+  });
+
+  const result = getTreeWithPlugin({}, "python3", "/repo");
+
+  assert.deepStrictEqual(result, []);
+  sinon.assert.calledOnce(safeMkdtempSync);
+  sinon.assert.calledWithMatch(safeWriteSync, pluginFile, sinon.match.string);
+  sinon.assert.calledWith(safeSpawnSync, "python3", [pluginFile, outputFile], {
+    cwd: "/repo",
+    env: {},
+  });
+  sinon.assert.calledWith(safeRmSync, tempDir, {
+    force: true,
+    recursive: true,
+  });
+});

package/lib/stages/postgen/annotator.js

@@ -285,7 +285,8 @@ export function textualMetadata(bomJson) {
   const { bomType, bomTypeDescription } = findBomType(bomJson);
   const metadata = bomJson.metadata;
   const lifecycles = metadata?.lifecycles || [];
-  const tlpClassification = metadata.distribution;
+  const tlpClassification =
+    metadata.distributionConstraints?.tlp || metadata.distribution;
   const cryptoAssetsCount = bomJson?.components?.filter(
     (c) => c.type === "cryptographic-asset",
   ).length;

package/lib/stages/postgen/annotator.poku.js

@@ -311,3 +311,18 @@ it("extractTags tests", () => {
     "security",
   ]);
 });
+
+it("textualMetadata includes the CycloneDX 1.7 TLP classification from distributionConstraints", () => {
+  assert.match(
+    textualMetadata({
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        distributionConstraints: {
+          tlp: "AMBER_AND_STRICT",
+        },
+      },
+    }),
+    /TLP\) classification for this document is 'AMBER_AND_STRICT'/,
+  );
+});

package/lib/stages/postgen/auditBom.js

@@ -6,6 +6,10 @@ import { join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import { buildAnnotationText } from "../../helpers/annotationFormatter.js";
+import {
+  expandBomAuditCategories,
+  validateBomAuditCategories,
+} from "../../helpers/auditCategories.js";
 import { table } from "../../helpers/table.js";
 import {
   DEBUG_MODE,
@@ -45,15 +49,17 @@ export async function auditBom(bomJson, options) {
   }
   let activeRules = rules;
   if (options.bomAuditCategories) {
-    const categories = options.bomAuditCategories
-      .split(",")
-      .map((c) => c.trim())
-      .filter(Boolean);
+    const { categories, expandedCategories } = validateBomAuditCategories(
+      options.bomAuditCategories,
+      rules,
+    );
     if (categories.length > 0) {
-      activeRules = rules.filter((r) => categories.includes(r.category));
+      activeRules = rules.filter((r) =>
+        expandedCategories.includes(r.category),
+      );
       if (DEBUG_MODE) {
         console.log(
-          `Filtering rules by categories: ${categories.join(", ")} (${activeRules.length} active)`,
+          `Filtering rules by categories: ${categories.join(", ")} -> ${expandBomAuditCategories(categories).join(", ")} (${activeRules.length} active)`,
         );
       }
     }
@@ -159,6 +165,14 @@ export function formatAnnotations(findings, bomJson) {
         value: f.attackTechniques.join(","),
       });
     }
+    if (f.standards && typeof f.standards === "object") {
+      for (const [standardName, entries] of Object.entries(f.standards)) {
+        properties.push({
+          name: `cdx:audit:standards:${standardName}`,
+          value: Array.isArray(entries) ? entries.join(",") : String(entries),
+        });
+      }
+    }
     if (f?.location?.purl) {
       properties.push({
         name: "cdx:audit:location:purl",