@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/stages/postgen/postgen.js

@@ -1,10 +1,15 @@
-import { readFileSync, rmSync } from "node:fs";
+import { readFileSync } from "node:fs";
 import { basename, join, relative, sep } from "node:path";
 import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
-import { mergeDependencies } from "../../helpers/depsUtils.js";
+import {
+  AI_INVENTORY_PROJECT_TYPES,
+  matchesAiInventoryExcludeType,
+  optionIncludesAiInventoryProjectType,
+} from "../../helpers/aiInventory.js";
+import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
 import { thoughtLog } from "../../helpers/logger.js";
 import { buildReleaseNotesFromGit } from "../../helpers/source.js";
@@ -14,7 +19,11 @@ import {
   getTimestamp,
   getTmpDir,
   hasAnyProjectType,
+  isDryRun,
+  resetActivityContext,
   safeExistsSync,
+  safeRmSync,
+  setActivityContext,
 } from "../../helpers/utils.js";
 import { extractTags, findBomType, textualMetadata } from "./annotator.js";
 
@@ -68,11 +77,29 @@ function applyFormulation(bomJson, options, filePath, formulationList) {
     return bomJson;
   }
   const context = formulationList?.length ? { formulationList } : {};
-  const formulationData = addFormulationSection(filePath, options, context);
+  setActivityContext({
+    projectType: "Formulation",
+    sourcePath: filePath || options.filePath || process.cwd(),
+  });
+  let formulationData;
+  try {
+    formulationData = addFormulationSection(filePath, options, context);
+  } finally {
+    resetActivityContext();
+  }
   if (!formulationData) {
     return bomJson;
   }
   bomJson.formulation = formulationData.formulation;
+  const formulationServices = formulationData.formulation.flatMap(
+    (entry) => entry?.services || [],
+  );
+  if (formulationServices.length) {
+    bomJson.services = mergeServices(
+      bomJson.services || [],
+      formulationServices,
+    );
+  }
   if (formulationData.dependencies?.length) {
     bomJson.dependencies = mergeDependencies(
       bomJson.dependencies || [],
@@ -82,6 +109,189 @@ function applyFormulation(bomJson, options, filePath, formulationList) {
   return bomJson;
 }
 
+const WEAK_TLP_CLASSIFICATIONS = new Set(["CLEAR", "GREEN", "AMBER"]);
+const SENSITIVE_PROPERTY_NAMES = new Set([
+  "cdx:agent:description",
+  "cdx:agent:hiddenMcpUrls",
+  "cdx:agent:permission",
+  "cdx:mcp:command",
+  "cdx:mcp:configuredEndpoints",
+  "cdx:mcp:description",
+  "cdx:mcp:resourceUri",
+  "cdx:skill:metadata",
+]);
+const SENSITIVE_PROPERTY_PREFIXES = ["cdx:crewai:", "cdx:mcp:auth:"];
+const SECRET_ASSIGNMENT_PATTERN =
+  /(?:^|[\s,{\[])(?:authorization|password|passwd|pwd|token|access[_-]?token|id[_-]?token|refresh[_-]?token|api[_-]?key|client[_-]?secret|secret|session(?:id)?|cookie)\s*(?:[:=]|=>)\s*["'`]?[^"'`\s,}\]]{4,}/iu;
+const ENV_SECRET_PATTERN =
+  /\b[A-Z0-9_]*(?:TOKEN|PASSWORD|SECRET|API_KEY|CLIENT_SECRET|SESSION|COOKIE)[A-Z0-9_]*=\S+/u;
+const AUTH_HEADER_PATTERN =
+  /\bAuthorization\s*:\s*(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/iu;
+const BEARER_TOKEN_PATTERN = /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{12,}/u;
+const PRIVATE_KEY_PATTERN =
+  /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/u;
+const SIGNED_URL_PARAM_NAMES = new Set([
+  "access_token",
+  "api_key",
+  "client_secret",
+  "id_token",
+  "signature",
+  "sig",
+  "token",
+  "x-amz-signature",
+  "x-goog-signature",
+]);
+
+function normalizeSpecVersion(specVersion) {
+  return Number.parseFloat(String(specVersion || 0));
+}
+
+function normalizeTlpClassification(tlpClassification) {
+  return String(tlpClassification || "")
+    .trim()
+    .toUpperCase();
+}
+
+function hasSensitivePropertyName(propertyName) {
+  if (SENSITIVE_PROPERTY_NAMES.has(propertyName)) {
+    return true;
+  }
+  return SENSITIVE_PROPERTY_PREFIXES.some((prefix) =>
+    propertyName.startsWith(prefix),
+  );
+}
+
+function extractUrlCandidates(value) {
+  return Array.from(value.matchAll(/https?:\/\/[^\s]+/gu), (match) =>
+    match[0].replace(/[),.;]+$/u, ""),
+  );
+}
+
+function hasSensitiveUrlValue(value) {
+  for (const candidate of extractUrlCandidates(value)) {
+    if (!URL.canParse(candidate)) {
+      continue;
+    }
+    const parsedUrl = new URL(candidate);
+    if (parsedUrl.username || parsedUrl.password || parsedUrl.hash) {
+      return true;
+    }
+    for (const [paramName] of parsedUrl.searchParams) {
+      if (SIGNED_URL_PARAM_NAMES.has(paramName.toLowerCase())) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+function hasKnownSensitiveText(value) {
+  return (
+    SECRET_ASSIGNMENT_PATTERN.test(value) ||
+    ENV_SECRET_PATTERN.test(value) ||
+    AUTH_HEADER_PATTERN.test(value) ||
+    BEARER_TOKEN_PATTERN.test(value) ||
+    PRIVATE_KEY_PATTERN.test(value)
+  );
+}
+
+function propertyContainsSensitiveValue(propertyName, propertyValue) {
+  if (!hasSensitivePropertyName(propertyName) || !propertyValue?.trim()) {
+    return false;
+  }
+  return (
+    hasSensitiveUrlValue(propertyValue) || hasKnownSensitiveText(propertyValue)
+  );
+}
+
+function collectSensitivePropertyViolations(
+  subject,
+  violations = [],
+  location = "bom",
+  seen = new Set(),
+) {
+  if (!subject || typeof subject !== "object" || seen.has(subject)) {
+    return violations;
+  }
+  seen.add(subject);
+  if (Array.isArray(subject.properties)) {
+    const subjectLabel = subject["bom-ref"] || subject.name || location;
+    for (const property of subject.properties) {
+      if (
+        typeof property?.name === "string" &&
+        typeof property?.value === "string" &&
+        propertyContainsSensitiveValue(property.name, property.value)
+      ) {
+        violations.push({
+          propertyName: property.name,
+          subjectLabel,
+        });
+      }
+    }
+  }
+  if (Array.isArray(subject)) {
+    subject.forEach((entry, index) => {
+      collectSensitivePropertyViolations(
+        entry,
+        violations,
+        `${location}[${index}]`,
+        seen,
+      );
+    });
+    return violations;
+  }
+  for (const [key, value] of Object.entries(subject)) {
+    if (key === "properties") {
+      continue;
+    }
+    collectSensitivePropertyViolations(
+      value,
+      violations,
+      `${location}.${key}`,
+      seen,
+    );
+  }
+  return violations;
+}
+
+function validateTlpClassification(bomJson, options) {
+  const specVersion = normalizeSpecVersion(
+    bomJson?.specVersion || options?.specVersion,
+  );
+  if (specVersion < 1.7) {
+    return bomJson;
+  }
+  const tlpClassification = normalizeTlpClassification(
+    bomJson?.metadata?.distributionConstraints?.tlp ||
+      bomJson?.metadata?.distribution ||
+      options?.tlpClassification,
+  );
+  if (!WEAK_TLP_CLASSIFICATIONS.has(tlpClassification)) {
+    return bomJson;
+  }
+  const violations = collectSensitivePropertyViolations(bomJson);
+  if (!violations.length) {
+    return bomJson;
+  }
+  const uniqueViolations = [
+    ...new Set(
+      violations.map(
+        ({ propertyName, subjectLabel }) =>
+          `${propertyName} on ${subjectLabel}`,
+      ),
+    ),
+  ];
+  const errorMessage =
+    `CycloneDX 1.7+ BOMs with TLP classification '${tlpClassification}' must not include known sensitive property values. ` +
+    "Redact the values or raise the TLP classification to AMBER_AND_STRICT or RED. " +
+    `Found: ${uniqueViolations.slice(0, 5).join("; ")}${uniqueViolations.length > 5 ? `; and ${uniqueViolations.length - 5} more` : ""}`;
+  if (options?.failOnError) {
+    throw new Error(errorMessage);
+  }
+  console.warn(errorMessage);
+  return bomJson;
+}
+
 /**
  * Filter and enhance BOM post generation.
  *
@@ -109,6 +319,7 @@ export function postProcess(bomNSData, options, filePath) {
     bomNSData.formulationList,
   );
   bomNSData.bomJson = applyReleaseNotes(bomNSData.bomJson, options, filePath);
+  bomNSData.bomJson = validateTlpClassification(bomNSData.bomJson, options);
   // Support for automatic annotations
   if (options.specVersion >= 1.6) {
     bomNSData.bomJson = annotate(bomNSData.bomJson, options);
@@ -409,12 +620,17 @@ function getIdentityTechniques(comp) {
  */
 export function filterBom(bomJson, options) {
   const newPkgMap = {};
+  const newServices = [];
   let filtered = false;
   let anyFiltered = false;
   if (!bomJson?.components) {
     return bomJson;
   }
   for (const comp of bomJson.components) {
+    if (shouldExcludeInventoryType(comp, options)) {
+      filtered = true;
+      continue;
+    }
     // minimum confidence filter
     if (options?.minConfidence > 0) {
       const confidence = Math.min(options.minConfidence, 1);
@@ -448,6 +664,7 @@ export function filterBom(bomJson, options) {
     ) {
       filtered = true;
     } else if (options.only?.length) {
+      const componentPurl = comp.purl?.toLowerCase?.() || "";
       if (!Array.isArray(options.only)) {
         options.only = [options.only];
       }
@@ -456,7 +673,7 @@ export function filterBom(bomJson, options) {
       for (const filterstr of options.only) {
         if (
           filterstr.length &&
-          comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+          componentPurl.includes(filterstr.toLowerCase())
         ) {
           filtered = true;
           purlfiltered = false;
@@ -471,11 +688,12 @@ export function filterBom(bomJson, options) {
         options.filter = [options.filter];
       }
       let purlfiltered = false;
+      const componentPurl = comp.purl?.toLowerCase?.() || "";
       for (const filterstr of options.filter) {
         // Check the purl
         if (
           filterstr.length &&
-          comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+          componentPurl.includes(filterstr.toLowerCase())
         ) {
           filtered = true;
           purlfiltered = true;
@@ -500,40 +718,59 @@ export function filterBom(bomJson, options) {
       newPkgMap[comp["bom-ref"]] = comp;
     }
   }
+  for (const service of bomJson.services || []) {
+    if (shouldExcludeInventoryType(service, options)) {
+      filtered = true;
+      continue;
+    }
+    newServices.push(service);
+  }
   if (filtered) {
     if (!anyFiltered) {
       anyFiltered = true;
     }
     const newcomponents = [];
     const newdependencies = [];
+    const retainedRefs = new Set();
     for (const aref of Object.keys(newPkgMap).sort()) {
       newcomponents.push(newPkgMap[aref]);
+      retainedRefs.add(aref);
+    }
+    for (const service of newServices) {
+      if (service?.["bom-ref"]) {
+        retainedRefs.add(service["bom-ref"]);
+      }
     }
     if (bomJson.metadata?.component?.["bom-ref"]) {
       newPkgMap[bomJson.metadata.component["bom-ref"]] =
         bomJson.metadata.component;
+      retainedRefs.add(bomJson.metadata.component["bom-ref"]);
     }
     if (bomJson.metadata?.component?.components) {
       for (const comp of bomJson.metadata.component.components) {
         newPkgMap[comp["bom-ref"]] = comp;
+        retainedRefs.add(comp["bom-ref"]);
       }
     }
-    for (const adep of bomJson.dependencies) {
-      if (newPkgMap[adep.ref]) {
-        const newdepson = (adep.dependsOn || []).filter((d) => newPkgMap[d]);
+    for (const adep of bomJson.dependencies || []) {
+      if (retainedRefs.has(adep.ref)) {
+        const newdepson = (adep.dependsOn || []).filter((d) =>
+          retainedRefs.has(d),
+        );
         const obj = {
           ref: adep.ref,
           dependsOn: newdepson,
         };
         // Filter provides array if needed
         if (adep.provides?.length) {
-          obj.provides = adep.provides.filter((d) => newPkgMap[d]);
+          obj.provides = adep.provides.filter((d) => retainedRefs.has(d));
         }
         newdependencies.push(obj);
       }
     }
     bomJson.components = newcomponents;
     bomJson.dependencies = newdependencies;
+    bomJson.services = newServices;
     // We set the compositions.aggregate to incomplete by default
     if (
       options.specVersion >= 1.5 &&
@@ -571,12 +808,23 @@ export function filterBom(bomJson, options) {
   return bomJson;
 }
 
+function shouldExcludeInventoryType(subject, options) {
+  return AI_INVENTORY_PROJECT_TYPES.some(
+    (type) =>
+      optionIncludesAiInventoryProjectType(options?.excludeType, type) &&
+      matchesAiInventoryExcludeType(subject, type),
+  );
+}
+
 /**
  * Clean up
  */
 export function cleanupEnv(_options) {
+  if (isDryRun) {
+    return;
+  }
   if (process.env?.PIP_TARGET?.startsWith(getTmpDir())) {
-    rmSync(process.env.PIP_TARGET, { recursive: true, force: true });
+    safeRmSync(process.env.PIP_TARGET, { recursive: true, force: true });
   }
 }
 
@@ -588,8 +836,11 @@ export function cleanupEnv(_options) {
  * @returns {void}
  */
 export function cleanupTmpDir() {
+  if (isDryRun) {
+    return;
+  }
   if (process.env?.CDXGEN_TMP_DIR?.startsWith(getTmpDir())) {
-    rmSync(process.env.CDXGEN_TMP_DIR, { recursive: true, force: true });
+    safeRmSync(process.env.CDXGEN_TMP_DIR, { recursive: true, force: true });
   }
 }