@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/audit/index.poku.js

@@ -170,6 +170,7 @@ describe("runAuditFromBoms()", () => {
       {
         maxTargets: 50,
         onProgress: (event) => progressEvents.push(event),
+        prioritizeDirectRuntime: true,
         scope: "required",
         trustedSelectionHelp:
           "Use --include-trusted to include them or --only-trusted to audit just those packages.",
@@ -179,6 +180,7 @@ describe("runAuditFromBoms()", () => {
     assert.strictEqual(report.summary.totalTargets, 1);
     assert.deepStrictEqual(collectAuditTargetsStub.firstCall.args[1], {
       maxTargets: 50,
+      prioritizeDirectRuntime: true,
       scope: "required",
       trusted: undefined,
     });
@@ -318,6 +320,43 @@ describe("finalizeAuditReport()", () => {
     assert.match(finalized.output, /@npmcli/);
   });
 
+  it("does not treat target analysis errors as fail-threshold hits on their own", () => {
+    const finalized = finalizeAuditReport(
+      {
+        results: [
+          {
+            assessment: {
+              severity: "critical",
+            },
+            error: "Unable to clone repository.",
+            findings: [],
+            status: "error",
+            target: {
+              name: "left-pad",
+              type: "npm",
+            },
+          },
+        ],
+        summary: {
+          analysisErrorCounts: { clone: 1 },
+          erroredTargets: 1,
+          inputBomCount: 1,
+          scannedTargets: 0,
+          skippedTargets: 0,
+          totalTargets: 1,
+        },
+      },
+      {
+        failSeverity: "high",
+        minSeverity: "low",
+        report: "console",
+      },
+    );
+
+    assert.strictEqual(finalized.exitCode, 0);
+    assert.match(finalized.output, /analysis error types: clone: 1/i);
+  });
+
   it("renders grouped predictive findings as SARIF 2.1.0 output", () => {
     const finalized = finalizeAuditReport(
       {
@@ -363,7 +402,7 @@ describe("finalizeAuditReport()", () => {
         },
         tool: {
           name: "cdx-audit",
-          version: "12.3.0",
+          version: "12.3.1",
         },
       },
       {
@@ -377,7 +416,7 @@ describe("finalizeAuditReport()", () => {
     assert.strictEqual(finalized.exitCode, 0);
     assert.strictEqual(parsed.version, "2.1.0");
     assert.strictEqual(parsed.runs[0].tool.driver.name, "cdx-audit");
-    assert.strictEqual(parsed.runs[0].tool.driver.version, "12.3.0");
+    assert.strictEqual(parsed.runs[0].tool.driver.version, "12.3.1");
     assert.strictEqual(parsed.runs[0].results.length, 1);
     assert.strictEqual(parsed.runs[0].results[0].ruleId, "PROV-001");
     assert.strictEqual(
@@ -421,7 +460,7 @@ describe("finalizeAuditReport()", () => {
         },
         tool: {
           name: "cdx-audit",
-          version: "12.3.0",
+          version: "12.3.1",
         },
       },
       {
@@ -483,7 +522,7 @@ describe("finalizeAuditReport()", () => {
         },
         tool: {
           name: "cdx-audit",
-          version: "12.3.0",
+          version: "12.3.1",
         },
       },
       {
@@ -750,6 +789,165 @@ describe("groupAuditResults()", () => {
     assert.strictEqual(groupedResults[0].grouping?.memberCount, 2);
     assert.strictEqual(groupedResults[1].target.name, "string-locale-compare");
   });
+
+  it("consolidates shared-repository CI findings across multiple packages", () => {
+    const groupedResults = groupAuditResults([
+      {
+        assessment: {
+          categoryCounts: {
+            "ci-permission": 2,
+          },
+          confidenceLabel: "high",
+          reasons: ["CI hygiene signals were observed."],
+          score: 42,
+          severity: "medium",
+        },
+        findings: [
+          {
+            category: "ci-permission",
+            location: {
+              file: ".github/workflows/release.yml",
+            },
+            message: "Unpinned privileged action",
+            ruleId: "CI-001",
+          },
+        ],
+        repoUrl: "https://github.com/example/mono.git",
+        status: "audited",
+        target: {
+          bomRefs: ["pkg:npm/pkg-a@1.0.0"],
+          name: "pkg-a",
+          namespace: "@acme",
+          purl: "pkg:npm/%40acme/pkg-a@1.0.0",
+          type: "npm",
+          version: "1.0.0",
+        },
+      },
+      {
+        assessment: {
+          categoryCounts: {
+            "ci-permission": 2,
+          },
+          confidenceLabel: "high",
+          reasons: ["CI hygiene signals were observed."],
+          score: 42,
+          severity: "medium",
+        },
+        findings: [
+          {
+            category: "ci-permission",
+            location: {
+              file: ".github/workflows/release.yml",
+            },
+            message: "Unpinned privileged action",
+            ruleId: "CI-001",
+          },
+        ],
+        repoUrl: "https://github.com/example/mono",
+        status: "audited",
+        target: {
+          bomRefs: ["pkg:npm/pkg-b@1.0.0"],
+          name: "pkg-b",
+          namespace: "@acme",
+          purl: "pkg:npm/%40acme/pkg-b@1.0.0",
+          type: "npm",
+          version: "1.0.0",
+        },
+      },
+    ]);
+
+    assert.strictEqual(groupedResults.length, 1);
+    assert.strictEqual(groupedResults[0].grouping?.kind, "shared-repo-ci");
+    assert.strictEqual(groupedResults[0].grouping?.memberCount, 2);
+    assert.strictEqual(groupedResults[0].findings.length, 1);
+    assert.match(
+      groupedResults[0].assessment.reasons.join(" "),
+      /same repository/i,
+    );
+  });
+
+  it("consolidates Cargo repository findings with the same predictive pattern", () => {
+    const groupedResults = groupAuditResults([
+      {
+        assessment: {
+          categoryCounts: {
+            "dependency-source": 1,
+            "package-integrity": 1,
+          },
+          confidenceLabel: "high",
+          reasons: ["Cargo build-surface signals increased review priority."],
+          score: 61,
+          severity: "high",
+        },
+        findings: [
+          {
+            category: "dependency-source",
+            message: "Mutable source for workspace build dependency",
+            ruleId: "PKG-001",
+          },
+          {
+            category: "package-integrity",
+            message: "Crate was yanked from the registry",
+            ruleId: "PROV-015",
+          },
+        ],
+        repoUrl: "https://github.com/example/rust-mono.git",
+        status: "audited",
+        target: {
+          bomRefs: ["pkg:cargo/core-crate@1.2.3"],
+          name: "core-crate",
+          purl: "pkg:cargo/core-crate@1.2.3",
+          type: "cargo",
+          version: "1.2.3",
+        },
+      },
+      {
+        assessment: {
+          categoryCounts: {
+            "dependency-source": 1,
+            "package-integrity": 1,
+          },
+          confidenceLabel: "high",
+          reasons: ["Cargo build-surface signals increased review priority."],
+          score: 59,
+          severity: "high",
+        },
+        findings: [
+          {
+            category: "dependency-source",
+            message: "Mutable source for workspace build dependency",
+            ruleId: "PKG-001",
+          },
+          {
+            category: "package-integrity",
+            message: "Crate was yanked from the registry",
+            ruleId: "PROV-015",
+          },
+        ],
+        repoUrl: "https://github.com/example/rust-mono",
+        status: "audited",
+        target: {
+          bomRefs: ["pkg:cargo/cli-crate@1.2.3"],
+          name: "cli-crate",
+          purl: "pkg:cargo/cli-crate@1.2.3",
+          type: "cargo",
+          version: "1.2.3",
+        },
+      },
+    ]);
+
+    assert.strictEqual(groupedResults.length, 1);
+    assert.strictEqual(groupedResults[0].grouping?.kind, "cargo-repository");
+    assert.strictEqual(groupedResults[0].grouping?.memberCount, 2);
+    assert.match(
+      groupedResults[0].grouping?.label,
+      /^cargo:https:\/\/github.com/,
+    );
+    assert.match(
+      groupedResults[0].assessment.reasons.join(" "),
+      /Cargo packages resolved to the same repository/i,
+    );
+  });
 });
 
 describe("buildTargetContextFindings()", () => {
@@ -1083,6 +1281,48 @@ describe("buildTargetContextFindings()", () => {
     assert.ok(findings.some((finding) => finding.ruleId === "PROV-014"));
     assert.ok(!findings.some((finding) => finding.ruleId === "PROV-009"));
   });
+
+  it("creates yanked and provenance-aware drift detectors for Cargo packages", () => {
+    const recentTimestamp = new Date(
+      Date.now() - 1000 * 60 * 60 * 12,
+    ).toISOString();
+    const oldTimestamp = new Date(
+      Date.now() - 1000 * 60 * 60 * 24 * 120,
+    ).toISOString();
+    const findings = buildTargetContextFindings({
+      bomRefs: ["pkg:cargo/serde@1.0.217"],
+      name: "serde",
+      purl: "pkg:cargo/serde@1.0.217",
+      properties: [
+        {
+          name: "cdx:cargo:yanked",
+          value: "true",
+        },
+        {
+          name: "cdx:cargo:publishTime",
+          value: recentTimestamp,
+        },
+        {
+          name: "cdx:cargo:packageCreatedTime",
+          value: oldTimestamp,
+        },
+        {
+          name: "cdx:cargo:versionCount",
+          value: "10",
+        },
+        {
+          name: "cdx:cargo:publisherDrift",
+          value: "true",
+        },
+      ],
+      type: "cargo",
+      version: "1.0.217",
+    });
+
+    assert.ok(findings.some((finding) => finding.ruleId === "PROV-015"));
+    assert.ok(findings.some((finding) => finding.ruleId === "PROV-016"));
+    assert.ok(findings.some((finding) => finding.ruleId === "PROV-017"));
+  });
 });
 
 describe("buildPythonSourceHeuristicFindings()", () => {
@@ -1242,7 +1482,7 @@ describe("formatPredictiveAnnotations()", () => {
               {
                 name: "cdxgen",
                 type: "application",
-                version: "12.3.0",
+                version: "12.3.1",
               },
             ],
           },
@@ -1306,7 +1546,7 @@ describe("formatPredictiveAnnotations()", () => {
               {
                 name: "cdxgen",
                 type: "application",
-                version: "12.3.0",
+                version: "12.3.1",
               },
             ],
           },
@@ -1380,7 +1620,7 @@ describe("audit reporters", () => {
       },
       tool: {
         name: "cdx-audit",
-        version: "12.3.0",
+        version: "12.3.1",
       },
     };
 

package/lib/audit/reporters.js

@@ -27,6 +27,17 @@ function effectiveResults(report) {
     : report.results || [];
 }
 
+function formatAnalysisErrorCounts(summary) {
+  const entries = Object.entries(summary?.analysisErrorCounts || {});
+  if (!entries.length) {
+    return undefined;
+  }
+  return entries
+    .sort(([left], [right]) => left.localeCompare(right))
+    .map(([errorType, count]) => `${errorType}: ${count}`)
+    .join(", ");
+}
+
 function severityToSarifLevel(severity) {
   switch (severity) {
     case "critical":
@@ -488,6 +499,10 @@ export function renderConsoleReport(report, options = {}) {
   lines.push(`Scanned targets: ${report.summary.scannedTargets}`);
   lines.push(`Errored targets: ${report.summary.erroredTargets}`);
   lines.push(`Skipped targets: ${report.summary.skippedTargets}`);
+  const analysisErrorSummary = formatAnalysisErrorCounts(report.summary);
+  if (analysisErrorSummary) {
+    lines.push(`Analysis error types: ${analysisErrorSummary}`);
+  }
   if (report.summary.groupedResultCount) {
     lines.push(
       `Consolidated alert groups: ${report.summary.groupedResultCount}`,
@@ -499,12 +514,23 @@ export function renderConsoleReport(report, options = {}) {
     lines.push(
       `No predictive findings met or exceeded the configured severity threshold ('${minSeverity}').`,
     );
+    if (report.summary.erroredTargets > 0) {
+      lines.push(
+        "Some targets could not be fully analyzed, so review the recorded analysis errors before treating this rollup as complete.",
+      );
+    }
     return `${lines.join("\n")}\n`;
   }
   lines.push("Dependencies requiring your attention:");
   lines.push("");
   lines.push(renderActionTable(visibleResults));
   lines.push("");
+  if (report.summary.erroredTargets > 0) {
+    lines.push(
+      "Note: one or more targets could not be fully analyzed, so the final rollup may be incomplete until those analysis errors are resolved.",
+    );
+    lines.push("");
+  }
   lines.push(
     "Next step: review the file, repository, or package listed in 'What to do next'. If you maintain it, make the remediation directly; otherwise, open an upstream issue or discussion with the relevant maintainers, then re-run cdx-audit or cdxgen --bom-audit.",
   );