@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/audit/scoring.js

@@ -1,3 +1,4 @@
+import { thoughtLog } from "../helpers/logger.js";
 import {
   hasRegistryProvenanceEvidenceProperties,
   hasTrustedPublishingProperties,
@@ -18,9 +19,13 @@ const BASE_FINDING_WEIGHT = {
   critical: 30,
 };
 
+// Predictive scoring weighs dependency-source findings more heavily than generic
+// CI hygiene because source mutability/local-path/git-origin issues tend to map
+// more directly to reviewable upstream compromise exposure for package targets.
 const CATEGORY_WEIGHT = {
-  "ci-permission": 12,
-  "dependency-source": 8,
+  "ai-agent": 6,
+  "ci-permission": 4,
+  "dependency-source": 10,
   "package-integrity": 6,
 };
 
@@ -30,6 +35,56 @@ const RULE_SPECIFIC_WEIGHT = {
 };
 
 const PRIORITY_CORROBORATION_RULES = new Set(["CI-019", "INT-009"]);
+// Require multiple compromise-oriented signals before escalating to critical so
+// a single strong heuristic or one noisy category cannot dominate the final
+// predictive severity on its own.
+const MIN_COMPROMISE_SIGNALS_FOR_CRITICAL = 2;
+const MIN_COMPROMISE_SIGNALS_FOR_HIGH = 1;
+const CI_HYGIENE_RULES = new Set([
+  "CI-001",
+  "CI-002",
+  "CI-003",
+  "CI-005",
+  "CI-014",
+]);
+const PACKAGE_HYGIENE_RULES = new Set(["INT-001"]);
+const SIGNAL_BUCKET_WEIGHT = {
+  "ci-compromise": 12,
+  "ci-hygiene": 2,
+  "dependency-compromise": 10,
+  "package-hygiene": 3,
+  "package-compromise": 12,
+  other: 4,
+};
+
+/**
+ * Emit a short thought-log explanation for the final package risk decision.
+ *
+ * @param {object} target audit target descriptor
+ * @param {object} assessment final predictive risk assessment
+ * @returns {void}
+ */
+function logRiskAssessmentDecision(target, assessment) {
+  const reasonPreview = Array.isArray(assessment?.reasons)
+    ? assessment.reasons.slice(0, 2)
+    : [];
+  const indicators = {
+    confidence: assessment?.confidence,
+    confidenceLabel: assessment?.confidenceLabel,
+    distinctCategories: assessment?.distinctCategoryCount,
+    findings: assessment?.findingsCount,
+    purl: target?.purl,
+    reasons: reasonPreview,
+    score: assessment?.score,
+    severity: assessment?.severity,
+    strongSignals: assessment?.strongSignalCount,
+  };
+  if (["medium", "high", "critical"].includes(assessment?.severity)) {
+    thoughtLog("Predictive audit considered the package risky.", indicators);
+    return;
+  }
+  thoughtLog("Predictive audit kept the package at low risk.", indicators);
+}
 
 /**
  * Clamp a number into a fixed range.
@@ -55,6 +110,74 @@ function getTargetProperty(target, propertyName) {
     ?.value;
 }
 
+function getTargetListProperty(target, propertyName) {
+  const propertyValue = getTargetProperty(target, propertyName);
+  if (!propertyValue || typeof propertyValue !== "string") {
+    return [];
+  }
+  return propertyValue
+    .split(",")
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+}
+
+function getCargoPredictiveSignals(target) {
+  const buildScriptCapabilities = getTargetListProperty(
+    target,
+    "cdx:cargo:buildScriptCapabilities",
+  );
+  const nativeBuildIndicators = getTargetListProperty(
+    target,
+    "cdx:cargo:nativeBuildIndicators",
+  );
+  return {
+    buildDependency:
+      getTargetProperty(target, "cdx:cargo:dependencyKind") === "build",
+    buildScript:
+      getTargetProperty(target, "cdx:cargo:hasBuildScript") === "true",
+    nativeBuild:
+      getTargetProperty(target, "cdx:cargo:hasNativeBuild") === "true",
+    networkCapableBuildScript:
+      buildScriptCapabilities.includes("network-access"),
+    processCapableBuildScript:
+      buildScriptCapabilities.includes("process-execution"),
+    runtimeFacing: Boolean(target?.runtimeFacingCargo),
+    workspaceDependency:
+      getTargetProperty(target, "cdx:cargo:workspaceDependencyResolved") ===
+      "true",
+    buildOnlyWorkspace: Boolean(target?.buildOnlyWorkspace),
+    yanked: getTargetProperty(target, "cdx:cargo:yanked") === "true",
+    buildScriptCapabilities,
+    nativeBuildIndicators,
+  };
+}
+
+/**
+ * Classify a finding into a coarse signal bucket for conservative scoring.
+ *
+ * @param {object} finding predictive audit finding
+ * @returns {"ci-hygiene" | "ci-compromise" | "dependency-compromise" | "package-hygiene" | "package-compromise" | "other"} signal bucket
+ */
+function classifyFindingSignalBucket(finding) {
+  if (finding?.category === "ai-agent") {
+    return "package-compromise";
+  }
+  if (finding?.category === "ci-permission") {
+    return CI_HYGIENE_RULES.has(finding?.ruleId)
+      ? "ci-hygiene"
+      : "ci-compromise";
+  }
+  if (finding?.category === "package-integrity") {
+    return PACKAGE_HYGIENE_RULES.has(finding?.ruleId)
+      ? "package-hygiene"
+      : "package-compromise";
+  }
+  if (finding?.category === "dependency-source") {
+    return "dependency-compromise";
+  }
+  return "other";
+}
+
 /**
  * Convert a numeric confidence score into a human readable label.
  *
@@ -104,7 +227,7 @@ export function scoreTargetRisk(findings, target, context = {}) {
       (context?.scanError
         ? `Predictive audit for '${target.purl}' could not complete successfully.`
         : `${target.type} package '${target.purl}' did not trigger any predictive audit rules.`);
-    return {
+    const assessment = {
       categoryCounts: {},
       confidence: 0.35,
       confidenceLabel: "low",
@@ -116,6 +239,8 @@ export function scoreTargetRisk(findings, target, context = {}) {
       severity: "none",
       strongSignalCount: 0,
     };
+    logRiskAssessmentDecision(target, assessment);
+    return assessment;
   }
   const categoryCounts = {};
   const attackTactics = new Set();
@@ -124,28 +249,93 @@ export function scoreTargetRisk(findings, target, context = {}) {
   const matchedPriorityRules = new Set();
   let score = 0;
   let strongSignalCount = 0;
-  let ciSignalCount = 0;
+  let ciCompromiseSignalCount = 0;
+  let ciHygieneSignalCount = 0;
   let formulationSignalCount = 0;
+  let compromiseSignalCount = 0;
+  let packageIntegrityCompromiseSignalCount = 0;
+  let packageIntegrityHygieneSignalCount = 0;
   let priorityCorroborationCount = 0;
+  let cargoBuildSignalCount = 0;
   for (const finding of findings) {
     const findingSeverity = finding?.severity || "low";
     const findingCategory = finding?.category || "unknown";
+    const signalBucket = classifyFindingSignalBucket(finding);
     let findingScore = BASE_FINDING_WEIGHT[findingSeverity] ?? 4;
     findingScore += CATEGORY_WEIGHT[findingCategory] ?? 4;
+    findingScore +=
+      SIGNAL_BUCKET_WEIGHT[signalBucket] ?? SIGNAL_BUCKET_WEIGHT.other;
     findingScore += RULE_SPECIFIC_WEIGHT[finding?.ruleId] ?? 0;
-    if (findingCategory === "ci-permission") {
-      ciSignalCount += 1;
-      findingScore += 8;
+    if (target?.type === "cargo") {
+      const cargoSignals = getCargoPredictiveSignals(target);
+      if (
+        ["dependency-compromise", "package-compromise"].includes(
+          signalBucket,
+        ) &&
+        cargoSignals.nativeBuild
+      ) {
+        findingScore += 6;
+        cargoBuildSignalCount += 1;
+      }
+      if (
+        signalBucket === "package-compromise" &&
+        (cargoSignals.processCapableBuildScript ||
+          cargoSignals.networkCapableBuildScript)
+      ) {
+        findingScore += 4;
+        cargoBuildSignalCount += 1;
+      }
+      if (
+        signalBucket === "dependency-compromise" &&
+        (cargoSignals.buildDependency || cargoSignals.workspaceDependency)
+      ) {
+        findingScore += 3;
+        cargoBuildSignalCount += 1;
+      }
+      if (
+        ["dependency-compromise", "package-compromise"].includes(
+          signalBucket,
+        ) &&
+        cargoSignals.runtimeFacing
+      ) {
+        findingScore += 2;
+      }
+      if (
+        cargoSignals.buildOnlyWorkspace &&
+        !cargoSignals.runtimeFacing &&
+        signalBucket !== "ci-compromise"
+      ) {
+        findingScore -= 2;
+      }
+      if (finding?.ruleId === "PROV-015" && cargoSignals.yanked) {
+        findingScore += cargoSignals.nativeBuild ? 8 : 4;
+      }
+    }
+    if (signalBucket === "ci-hygiene") {
+      ciHygieneSignalCount += 1;
+    } else if (signalBucket === "ci-compromise") {
+      ciCompromiseSignalCount += 1;
+    } else if (signalBucket === "package-compromise") {
+      packageIntegrityCompromiseSignalCount += 1;
+    } else if (signalBucket === "package-hygiene") {
+      packageIntegrityHygieneSignalCount += 1;
     }
     if (
       finding?.ruleId?.startsWith("CI-") ||
       finding?.location?.file?.includes(".github/workflows")
     ) {
       formulationSignalCount += 1;
-      findingScore += 8;
+      findingScore += signalBucket === "ci-hygiene" ? 1 : 4;
     }
     if (["high", "critical"].includes(findingSeverity)) {
       strongSignalCount += 1;
+      if (
+        signalBucket === "ci-compromise" ||
+        signalBucket === "dependency-compromise" ||
+        signalBucket === "package-compromise"
+      ) {
+        compromiseSignalCount += 1;
+      }
     }
     if (PRIORITY_CORROBORATION_RULES.has(finding?.ruleId)) {
       priorityCorroborationCount += 1;
@@ -170,7 +360,17 @@ export function scoreTargetRisk(findings, target, context = {}) {
   }
   score += Math.max(0, distinctCategories.size - 1) * 8;
   score += Math.max(0, strongSignalCount - 1) * 10;
-  score += Math.max(0, formulationSignalCount - 1) * 6;
+  score += Math.max(0, formulationSignalCount - 1) * 2;
+  if (target?.type === "cargo" && cargoBuildSignalCount > 0) {
+    score += Math.min(cargoBuildSignalCount, 3) * 3;
+  }
+  if (
+    target?.type === "cargo" &&
+    target?.buildOnlyWorkspace &&
+    !target?.runtimeFacingCargo
+  ) {
+    score = Math.max(0, score - 3);
+  }
 
   const hasTrustedPublishing = hasTrustedPublishingProperties(
     target?.properties,
@@ -237,8 +437,8 @@ export function scoreTargetRisk(findings, target, context = {}) {
   if (
     severity === "critical" &&
     (effectiveStrongSignalCount < 3 ||
+      compromiseSignalCount < MIN_COMPROMISE_SIGNALS_FOR_CRITICAL ||
       distinctCategories.size < 2 ||
-      ciSignalCount < 1 ||
       confidence < 0.85)
   ) {
     severity = "high";
@@ -246,6 +446,7 @@ export function scoreTargetRisk(findings, target, context = {}) {
   if (
     severity === "high" &&
     (effectiveStrongSignalCount < 2 ||
+      compromiseSignalCount < MIN_COMPROMISE_SIGNALS_FOR_HIGH ||
       distinctCategories.size < 2 ||
       confidence < 0.65)
   ) {
@@ -256,9 +457,51 @@ export function scoreTargetRisk(findings, target, context = {}) {
   }
 
   const reasons = [];
-  if (ciSignalCount > 0) {
+  if (ciHygieneSignalCount > 0) {
+    reasons.push(
+      `${ciHygieneSignalCount} CI hygiene signal(s) were observed in GitHub Actions or privileged workflow configuration.`,
+    );
+  }
+  if (ciCompromiseSignalCount > 0) {
+    reasons.push(
+      `${ciCompromiseSignalCount} compromise-oriented CI signal(s) increased the predictive risk score.`,
+    );
+  }
+  if (target?.type === "cargo" && cargoBuildSignalCount > 0) {
+    const cargoSignals = getCargoPredictiveSignals(target);
+    const cargoReasonParts = [];
+    if (cargoSignals.nativeBuild) {
+      cargoReasonParts.push("native build tooling");
+    }
+    if (cargoSignals.processCapableBuildScript) {
+      cargoReasonParts.push("process-capable build scripts");
+    }
+    if (cargoSignals.networkCapableBuildScript) {
+      cargoReasonParts.push("network-capable build scripts");
+    }
+    if (cargoSignals.workspaceDependency) {
+      cargoReasonParts.push("workspace-resolved member dependencies");
+    }
+    if (cargoSignals.runtimeFacing) {
+      cargoReasonParts.push("runtime-facing crate exposure");
+    }
+    if (cargoSignals.buildOnlyWorkspace && !cargoSignals.runtimeFacing) {
+      cargoReasonParts.push("build-only workspace helper role");
+    }
+    if (cargoReasonParts.length) {
+      reasons.push(
+        `Cargo build-surface signals (${cargoReasonParts.join(", ")}) increased the predictive review priority.`,
+      );
+    }
+  }
+  if (packageIntegrityCompromiseSignalCount > 0) {
     reasons.push(
-      `${ciSignalCount} GitHub Actions or privileged workflow signal(s) increased the predictive risk score.`,
+      `${packageIntegrityCompromiseSignalCount} package-integrity compromise signal(s) corroborated the package risk posture.`,
+    );
+  }
+  if (packageIntegrityHygieneSignalCount > 0) {
+    reasons.push(
+      `${packageIntegrityHygieneSignalCount} package-integrity hygiene signal(s) were recorded for review.`,
     );
   }
   if (distinctCategories.size > 1) {
@@ -292,19 +535,25 @@ export function scoreTargetRisk(findings, target, context = {}) {
     );
   }
 
-  return {
+  const assessment = {
     categoryCounts,
     attackTacticCount: attackTactics.size,
     attackTechniqueCount: attackTechniques.size,
     confidence,
     confidenceLabel: confidenceLabel(confidence),
+    ciCompromiseSignalCount,
+    ciHygieneSignalCount,
     distinctCategoryCount: distinctCategories.size,
     findingsCount: findings.length,
     formulationSignalCount,
+    packageIntegrityCompromiseSignalCount,
+    packageIntegrityHygieneSignalCount,
     priorityCorroborationCount,
     reasons,
     score,
     severity,
     strongSignalCount,
   };
+  logRiskAssessmentDecision(target, assessment);
+  return assessment;
 }

package/lib/audit/scoring.poku.js

@@ -1,4 +1,6 @@
+import esmock from "esmock";
 import { assert, describe, it } from "poku";
+import sinon from "sinon";
 
 import {
   confidenceLabel,
@@ -270,6 +272,120 @@ describe("scoreTargetRisk()", () => {
     assert.ok(withEvidence.score < withoutEvidence.score);
   });
 
+  it("boosts predictive scoring for Cargo targets with risky build-surface signals", () => {
+    const findings = [
+      {
+        category: "dependency-source",
+        location: {
+          purl: "pkg:cargo/ring@0.17.8",
+        },
+        message: "Build dependency resolved from a mutable source",
+        ruleId: "PKG-001",
+        severity: "high",
+      },
+      {
+        category: "package-integrity",
+        location: {
+          purl: "pkg:cargo/ring@0.17.8",
+        },
+        message: "Crate was yanked from the registry",
+        ruleId: "PROV-015",
+        severity: "high",
+      },
+    ];
+    const cargoTarget = {
+      name: "ring",
+      purl: "pkg:cargo/ring@0.17.8",
+      properties: [
+        { name: "cdx:cargo:dependencyKind", value: "build" },
+        { name: "cdx:cargo:hasNativeBuild", value: "true" },
+        {
+          name: "cdx:cargo:buildScriptCapabilities",
+          value: "process-execution, network-access",
+        },
+        { name: "cdx:cargo:workspaceDependencyResolved", value: "true" },
+        { name: "cdx:cargo:yanked", value: "true" },
+      ],
+      type: "cargo",
+      version: "0.17.8",
+    };
+
+    const plainAssessment = scoreTargetRisk(findings, baseTarget, {
+      bomJson: {
+        formulation: [{}],
+      },
+      resolution: {
+        repoUrl: "https://github.com/example/repo",
+      },
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+    const cargoAssessment = scoreTargetRisk(findings, cargoTarget, {
+      bomJson: {
+        formulation: [{}],
+      },
+      resolution: {
+        repoUrl: "https://github.com/example/ring",
+      },
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    assert.ok(cargoAssessment.score > plainAssessment.score);
+    assert.match(
+      cargoAssessment.reasons.join(" "),
+      /Cargo build-surface signals/i,
+    );
+  });
+
+  it("keeps stacked CI hygiene findings below critical without compromise corroboration", () => {
+    const findings = [
+      {
+        category: "ci-permission",
+        location: {
+          file: ".github/workflows/release.yml",
+        },
+        message: "Unpinned privileged action",
+        ruleId: "CI-001",
+        severity: "high",
+      },
+      {
+        category: "ci-permission",
+        location: {
+          file: ".github/workflows/release.yml",
+        },
+        message: "Mutable action tag",
+        ruleId: "CI-003",
+        severity: "medium",
+      },
+      {
+        category: "package-integrity",
+        location: {
+          purl: baseTarget.purl,
+        },
+        message: "Install hook present",
+        ruleId: "INT-001",
+        severity: "medium",
+      },
+    ];
+
+    const assessment = scoreTargetRisk(findings, baseTarget, {
+      bomJson: {
+        formulation: [{ workflows: [] }],
+      },
+      resolution: {
+        repoUrl: "https://github.com/example/repo",
+      },
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    assert.strictEqual(assessment.severity, "medium");
+    assert.strictEqual(assessment.ciHygieneSignalCount, 2);
+    assert.strictEqual(assessment.packageIntegrityHygieneSignalCount, 1);
+    assert.strictEqual(assessment.packageIntegrityCompromiseSignalCount, 0);
+  });
+
   it("keeps isolated CI-019 findings conservative despite the rule-specific bonus", () => {
     const findings = [
       {
@@ -338,4 +454,67 @@ describe("scoreTargetRisk()", () => {
       /high-confidence compound rule/i,
     );
   });
+
+  it("emits a low-risk thought log when no findings are present", async () => {
+    const thoughtLog = sinon.spy();
+    const { scoreTargetRisk: scoreTargetRiskWithMock } = await esmock(
+      "./scoring.js",
+      {
+        "../helpers/logger.js": { thoughtLog },
+      },
+    );
+
+    const assessment = scoreTargetRiskWithMock([], baseTarget);
+
+    assert.strictEqual(assessment.severity, "none");
+    assert.strictEqual(thoughtLog.calledOnce, true);
+    assert.match(thoughtLog.firstCall.args[0], /low risk/i);
+    assert.strictEqual(thoughtLog.firstCall.args[1].purl, baseTarget.purl);
+  });
+
+  it("emits a risky thought log when corroborated findings raise the package severity", async () => {
+    const thoughtLog = sinon.spy();
+    const { scoreTargetRisk: scoreTargetRiskWithMock } = await esmock(
+      "./scoring.js",
+      {
+        "../helpers/logger.js": { thoughtLog },
+      },
+    );
+    const findings = [
+      {
+        category: "ci-permission",
+        location: {
+          file: ".github/workflows/release.yml",
+        },
+        message: "Unpinned privileged action",
+        ruleId: "CI-001",
+        severity: "high",
+      },
+      {
+        category: "dependency-source",
+        location: {
+          purl: baseTarget.purl,
+        },
+        message: "Install script from non-registry source",
+        ruleId: "PKG-001",
+        severity: "high",
+      },
+    ];
+
+    const assessment = scoreTargetRiskWithMock(findings, baseTarget, {
+      bomJson: {
+        formulation: [{}],
+      },
+      resolution: {
+        repoUrl: "https://github.com/example/repo",
+      },
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    assert.strictEqual(assessment.severity, "high");
+    assert.strictEqual(thoughtLog.calledOnce, true);
+    assert.match(thoughtLog.firstCall.args[0], /considered the package risky/i);
+    assert.strictEqual(thoughtLog.firstCall.args[1].severity, "high");
+  });
 });