@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/audit/index.js

@@ -1,13 +1,5 @@
 import { createHash } from "node:crypto";
-import {
-  mkdtempSync,
-  readdirSync,
-  readFileSync,
-  realpathSync,
-  rmSync,
-  statSync,
-  writeFileSync,
-} from "node:fs";
+import { readdirSync, readFileSync, realpathSync, statSync } from "node:fs";
 import { dirname, join, relative, resolve } from "node:path";
 import process from "node:process";
 
@@ -34,6 +26,9 @@ import {
   getTmpDir,
   safeExistsSync,
   safeMkdirSync,
+  safeMkdtempSync,
+  safeRmSync,
+  safeWriteSync,
 } from "../helpers/utils.js";
 import { auditBom } from "../stages/postgen/auditBom.js";
 import { postProcess } from "../stages/postgen/postgen.js";
@@ -44,9 +39,14 @@ import {
   scoreTargetRisk,
   severityMeetsThreshold,
 } from "./scoring.js";
-import { collectAuditTargets, normalizePackageName } from "./targets.js";
+import {
+  collectAuditTargets,
+  enrichInputBomsWithRegistryMetadata,
+  normalizePackageName,
+} from "./targets.js";
 
 export const DEFAULT_AUDIT_CATEGORIES = [
+  "ai-agent",
   "ci-permission",
   "dependency-source",
   "package-integrity",
@@ -211,7 +211,7 @@ function writeTextFile(filePath, content) {
   if (!safeExistsSync(parentDir)) {
     safeMkdirSync(parentDir, { recursive: true });
   }
-  writeFileSync(filePath, content);
+  safeWriteSync(filePath, content);
 }
 
 /**
@@ -979,6 +979,99 @@ export function buildTargetContextFindings(target) {
       });
     }
   }
+  if (target.type === "cargo") {
+    const yanked = getTargetProperty(target, "cdx:cargo:yanked") === "true";
+    const establishedPackage = isEstablishedPackage(target, "cdx:cargo");
+    const recentRelease = isRecentRelease(target, "cdx:cargo");
+    const publisherDrift = hasPublisherDrift(target, "cdx:cargo");
+    const dormantReleaseGapAnomaly = hasDormantReleaseGapAnomaly(
+      target,
+      "cdx:cargo",
+    );
+    const compressedCadence = hasCompressedCadence(target, "cdx:cargo");
+    if (target.version && yanked) {
+      findings.push({
+        category: "package-integrity",
+        description:
+          "Yanked crates are removed from normal Cargo resolution and usually indicate a correctness, security, or publisher-action issue that deserves review before further adoption.",
+        location: {
+          bomRef: target.bomRefs?.[0],
+          purl: target.purl,
+        },
+        message: `Cargo crate '${target.name}@${target.version}' has been yanked from crates.io.`,
+        mitigation:
+          "Prefer a non-yanked release and review the crate's publisher history and changelog before upgrading.",
+        ruleId: "PROV-015",
+        severity: "high",
+      });
+    }
+    if (
+      target.version &&
+      establishedPackage &&
+      recentRelease &&
+      !hasTrustedPublishing &&
+      !hasProvenanceEvidence
+    ) {
+      findings.push({
+        category: "package-integrity",
+        description:
+          "Very recent releases on established crates benefit from a short review window when trusted publishing and provenance remain weak.",
+        location: {
+          bomRef: target.bomRefs?.[0],
+          purl: target.purl,
+        },
+        message: `Cargo crate '${target.name}@${target.version}' is a very recent release on an established package without registry-visible provenance signals.`,
+        mitigation:
+          "Delay adoption briefly, compare the release to the prior version, and prefer trusted-publishing-backed releases for sensitive crates.",
+        ruleId: "PROV-016",
+        severity: "low",
+      });
+    }
+    if (
+      target.version &&
+      establishedPackage &&
+      publisherDrift &&
+      !hasTrustedPublishing &&
+      !hasProvenanceEvidence
+    ) {
+      findings.push({
+        category: "package-integrity",
+        description:
+          "Publisher drift on established crates is often benign, but becomes more meaningful when provenance and trusted publishing are absent.",
+        location: {
+          bomRef: target.bomRefs?.[0],
+          purl: target.purl,
+        },
+        message: `Cargo crate '${target.name}@${target.version}' was published by a different identity than the prior release and lacks registry-visible provenance signals.`,
+        mitigation:
+          "Review the publisher transition, compare the prior release metadata, and validate ownership before upgrading sensitive crates.",
+        ruleId: "PROV-017",
+        severity: "medium",
+      });
+    }
+    if (
+      target.version &&
+      establishedPackage &&
+      (dormantReleaseGapAnomaly || compressedCadence) &&
+      !hasTrustedPublishing &&
+      !hasProvenanceEvidence
+    ) {
+      findings.push({
+        category: "package-integrity",
+        description:
+          "Release timing anomalies on established crates are low-noise triage signals when provenance remains weak.",
+        location: {
+          bomRef: target.bomRefs?.[0],
+          purl: target.purl,
+        },
+        message: `Cargo crate '${target.name}@${target.version}' shows unusual release timing and lacks registry-visible provenance signals.`,
+        mitigation:
+          "Review the release diff and timing versus prior versions before rapidly adopting the new crate release.",
+        ruleId: "PROV-018",
+        severity: "low",
+      });
+    }
+  }
   return findings;
 }
 
@@ -1034,7 +1127,7 @@ async function cloneRepositoryToDirWithRetry(repoUrl, cloneDir, gitRef) {
       return;
     } catch (error) {
       lastError = error;
-      rmSync(cloneDir, { force: true, recursive: true });
+      safeRmSync(cloneDir, { force: true, recursive: true });
       if (!error?.retryable || attempt >= CLONE_RETRY_DELAYS_MS.length) {
         break;
       }
@@ -1062,7 +1155,9 @@ async function cloneRepositoryToDirWithRetry(repoUrl, cloneDir, gitRef) {
  */
 async function ensureCheckout(target, resolution, workspaceDir, gitRef) {
   if (!workspaceDir) {
-    const cloneDir = mkdtempSync(join(getTmpDir(), `${targetSlug(target)}-`));
+    const cloneDir = safeMkdtempSync(
+      join(getTmpDir(), `${targetSlug(target)}-`),
+    );
     await cloneRepositoryToDirWithRetry(resolution.repoUrl, cloneDir, gitRef);
     return {
       cleanup: true,
@@ -1083,7 +1178,7 @@ async function ensureCheckout(target, resolution, workspaceDir, gitRef) {
     };
   }
   if (safeExistsSync(cloneDir)) {
-    rmSync(cloneDir, { force: true, recursive: true });
+    safeRmSync(cloneDir, { force: true, recursive: true });
   }
   await cloneRepositoryToDirWithRetry(resolution.repoUrl, cloneDir, gitRef);
   return {
@@ -1354,6 +1449,14 @@ export function buildPythonSourceHeuristicFindings(scanDir, target) {
  * @returns {object} createBom options
  */
 function buildChildOptions(options, target) {
+  const projectType =
+    target.type === "npm"
+      ? ["js"]
+      : target.type === "pypi"
+        ? ["py"]
+        : target.type === "cargo"
+          ? ["cargo", "github"]
+          : [target.type];
   return {
     deep: true,
     failOnError: false,
@@ -1362,7 +1465,7 @@ function buildChildOptions(options, target) {
     installDeps: false,
     multiProject: true,
     profile: "threat-modeling",
-    projectType: [target.type === "npm" ? "js" : "py"],
+    projectType,
     specVersion: 1.7,
   };
 }
@@ -1591,6 +1694,7 @@ export async function auditTarget(target, options) {
  * @returns {object} summary object
  */
 function summarizeAudit(inputBoms, results, skipped) {
+  const analysisErrorCounts = {};
   const severityCounts = {
     critical: 0,
     high: 0,
@@ -1608,9 +1712,13 @@ function summarizeAudit(inputBoms, results, skipped) {
     }
     if (result.status === "error") {
       erroredTargets += 1;
+      const errorType = result?.errorType || "runtime";
+      analysisErrorCounts[errorType] =
+        (analysisErrorCounts[errorType] || 0) + 1;
     }
   }
   return {
+    analysisErrorCounts,
     erroredTargets,
     inputBomCount: inputBoms.length,
     scannedTargets,
@@ -1622,6 +1730,16 @@ function summarizeAudit(inputBoms, results, skipped) {
   };
 }
 
+function normalizeRepoGroupingValue(repoUrl) {
+  if (!repoUrl || typeof repoUrl !== "string") {
+    return undefined;
+  }
+  return repoUrl
+    .trim()
+    .replace(/\.git$/i, "")
+    .toLowerCase();
+}
+
 function preferredResult(left, right) {
   const leftSeverity = SEVERITY_ORDER[left?.assessment?.severity] ?? -1;
   const rightSeverity = SEVERITY_ORDER[right?.assessment?.severity] ?? -1;
@@ -1674,6 +1792,187 @@ function getNamespaceGroupingKey(result) {
   return `${result.target.namespace}|${categories.join(",")}|${ruleIds.join(",")}`;
 }
 
+function getCargoRepositoryGroupingKey(result) {
+  const normalizedRepoUrl = normalizeRepoGroupingValue(result?.repoUrl);
+  if (
+    result?.status !== "audited" ||
+    result?.target?.type !== "cargo" ||
+    !normalizedRepoUrl ||
+    (result?.assessment?.severity || "none") === "none" ||
+    !Array.isArray(result?.findings) ||
+    !result.findings.length
+  ) {
+    return undefined;
+  }
+  const categories = new Set();
+  const ruleIds = new Set();
+  for (const finding of result.findings) {
+    if (!finding?.category || !finding?.ruleId) {
+      return undefined;
+    }
+    if (finding.category === "ci-permission") {
+      return undefined;
+    }
+    categories.add(finding.category);
+    ruleIds.add(finding.ruleId);
+  }
+  if (!categories.size || !ruleIds.size) {
+    return undefined;
+  }
+  return `${normalizedRepoUrl}|cargo|${[...categories].sort().join(",")}|${[...ruleIds].sort().join(",")}`;
+}
+
+function getSharedRepoCiGroupingKey(result) {
+  const normalizedRepoUrl = normalizeRepoGroupingValue(result?.repoUrl);
+  if (
+    result?.status !== "audited" ||
+    !normalizedRepoUrl ||
+    !Array.isArray(result?.findings) ||
+    !result.findings.length
+  ) {
+    return undefined;
+  }
+  const categories = new Set();
+  const ruleIds = new Set();
+  for (const finding of result.findings) {
+    const category = finding?.category;
+    const ruleId = finding?.ruleId;
+    const findingFile = finding?.location?.file || "";
+    if (
+      category !== "ci-permission" ||
+      !ruleId?.startsWith("CI-") ||
+      (findingFile && !findingFile.includes(".github/workflows"))
+    ) {
+      return undefined;
+    }
+    categories.add(category);
+    ruleIds.add(ruleId);
+  }
+  return `${normalizedRepoUrl}|${[...categories].sort().join(",")}|${[...ruleIds].sort().join(",")}`;
+}
+
+function getGroupingDescriptor(result, sharedRepoCiGroupCounts) {
+  const sharedRepoCiKey = getSharedRepoCiGroupingKey(result);
+  if (sharedRepoCiKey) {
+    const groupSize = sharedRepoCiGroupCounts?.get(sharedRepoCiKey) || 0;
+    if (groupSize > 1) {
+      return {
+        key: sharedRepoCiKey,
+        kind: "shared-repo-ci",
+      };
+    }
+  }
+  const cargoRepositoryKey = getCargoRepositoryGroupingKey(result);
+  if (cargoRepositoryKey) {
+    return {
+      key: cargoRepositoryKey,
+      kind: "cargo-repository",
+    };
+  }
+  const namespaceKey = getNamespaceGroupingKey(result);
+  if (!namespaceKey) {
+    return undefined;
+  }
+  return {
+    key: namespaceKey,
+    kind: "npm-namespace",
+  };
+}
+
+function consolidateCargoRepositoryResult(group) {
+  const representative = group.reduce((best, result) =>
+    preferredResult(best, result),
+  );
+  const allBomRefs = [
+    ...new Set(group.flatMap((result) => result.target?.bomRefs || [])),
+  ];
+  const groupedPurls = [
+    ...new Set(group.map((result) => result.target?.purl).filter(Boolean)),
+  ];
+  const mergedFindings = dedupeFindings(
+    group.flatMap((result) => result.findings || []),
+  );
+  const categoryCounts = {};
+  for (const result of group) {
+    for (const [category, count] of Object.entries(
+      result.assessment?.categoryCounts || {},
+    )) {
+      categoryCounts[category] = (categoryCounts[category] || 0) + count;
+    }
+  }
+  const reasons = [
+    `${group.length} Cargo packages resolved to the same repository and shared the same predictive pattern, so cdx-audit consolidated them into one alert.`,
+    ...(representative.assessment?.reasons || []),
+  ];
+  return {
+    ...representative,
+    assessment: {
+      ...representative.assessment,
+      categoryCounts,
+      findingsCount: mergedFindings.length,
+      reasons: [...new Set(reasons)],
+    },
+    findings: mergedFindings,
+    grouping: {
+      kind: "cargo-repository",
+      label: `cargo:${representative.repoUrl}`,
+      memberCount: group.length,
+      repoUrl: representative.repoUrl,
+      groupedPurls,
+    },
+    target: {
+      ...representative.target,
+      bomRefs: allBomRefs,
+      name: "*",
+      version: undefined,
+    },
+  };
+}
+
+function consolidateSharedRepoCiResult(group) {
+  const representative = group.reduce((best, result) =>
+    preferredResult(best, result),
+  );
+  const allBomRefs = [
+    ...new Set(group.flatMap((result) => result.target?.bomRefs || [])),
+  ];
+  const groupedPurls = [
+    ...new Set(group.map((result) => result.target?.purl).filter(Boolean)),
+  ];
+  const mergedFindings = dedupeFindings(
+    group.flatMap((result) => result.findings || []),
+  );
+  const reasons = [
+    `${group.length} packages resolved to the same repository and shared the same CI findings, so cdx-audit consolidated them into one alert.`,
+    ...(representative.assessment?.reasons || []),
+  ];
+  return {
+    ...representative,
+    assessment: {
+      ...representative.assessment,
+      categoryCounts: {
+        "ci-permission": mergedFindings.length,
+      },
+      findingsCount: mergedFindings.length,
+      reasons: [...new Set(reasons)],
+    },
+    findings: mergedFindings,
+    grouping: {
+      kind: "shared-repo-ci",
+      label: representative.repoUrl,
+      memberCount: group.length,
+      repoUrl: representative.repoUrl,
+      groupedPurls,
+    },
+    target: {
+      ...representative.target,
+      bomRefs: allBomRefs,
+      name: "*",
+      version: undefined,
+    },
+  };
+}
+
 function consolidateNamespaceResult(group) {
   const representative = group.reduce((best, result) =>
     preferredResult(best, result),
@@ -1727,27 +2026,46 @@ function consolidateNamespaceResult(group) {
 export function groupAuditResults(results) {
   const groupedResults = [];
   const orderedEntries = [];
-  const namespaceGroups = new Map();
+  const resultGroups = new Map();
+  const sharedRepoCiGroupCounts = new Map();
+  for (const result of results) {
+    const sharedRepoCiKey = getSharedRepoCiGroupingKey(result);
+    if (!sharedRepoCiKey) {
+      continue;
+    }
+    sharedRepoCiGroupCounts.set(
+      sharedRepoCiKey,
+      (sharedRepoCiGroupCounts.get(sharedRepoCiKey) || 0) + 1,
+    );
+  }
   for (const result of results) {
-    const groupKey = getNamespaceGroupingKey(result);
-    if (!groupKey) {
+    const descriptor = getGroupingDescriptor(result, sharedRepoCiGroupCounts);
+    if (!descriptor) {
       orderedEntries.push({ result, type: "single" });
       continue;
     }
-    if (!namespaceGroups.has(groupKey)) {
-      namespaceGroups.set(groupKey, []);
-      orderedEntries.push({ groupKey, type: "group" });
+    if (!resultGroups.has(descriptor.key)) {
+      resultGroups.set(descriptor.key, []);
+      orderedEntries.push({ descriptor, type: "group" });
     }
-    namespaceGroups.get(groupKey).push(result);
+    resultGroups.get(descriptor.key).push(result);
   }
   for (const entry of orderedEntries) {
     if (entry.type === "single") {
       groupedResults.push(entry.result);
       continue;
     }
-    const group = namespaceGroups.get(entry.groupKey) || [];
+    const group = resultGroups.get(entry.descriptor.key) || [];
+    if (group.length <= 1) {
+      groupedResults.push(group[0]);
+      continue;
+    }
     groupedResults.push(
-      group.length > 1 ? consolidateNamespaceResult(group) : group[0],
+      entry.descriptor.kind === "shared-repo-ci"
+        ? consolidateSharedRepoCiResult(group)
+        : entry.descriptor.kind === "cargo-repository"
+          ? consolidateCargoRepositoryResult(group)
+          : consolidateNamespaceResult(group),
     );
   }
   return groupedResults;
@@ -1782,8 +2100,12 @@ export async function runAuditFromBoms(inputBoms, options) {
   if (!inputBoms.length) {
     throw new Error("No CycloneDX BOM inputs were found.");
   }
+  if (options.trusted !== "include") {
+    await enrichInputBomsWithRegistryMetadata(inputBoms);
+  }
   const extractedTargets = collectAuditTargets(inputBoms, {
     maxTargets: options.maxTargets,
+    prioritizeDirectRuntime: options.prioritizeDirectRuntime,
     scope: options.scope,
     trusted: options.trusted,
   });
@@ -1895,11 +2217,13 @@ export function finalizeAuditReport(report, options) {
   const effectiveResults = report.groupedResults?.length
     ? report.groupedResults
     : report.results;
-  const shouldFail = effectiveResults.some((result) =>
-    severityMeetsThreshold(
-      result?.assessment?.severity || "none",
-      options.failSeverity || "high",
-    ),
+  const shouldFail = effectiveResults.some(
+    (result) =>
+      !result?.error &&
+      severityMeetsThreshold(
+        result?.assessment?.severity || "none",
+        options.failSeverity || "high",
+      ),
   );
   return {
     exitCode: shouldFail ? 3 : 0,