@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/audit/targets.poku.js

@@ -1,3 +1,4 @@
+import esmock from "esmock";
 import { assert, describe, it } from "poku";
 
 import {
@@ -7,11 +8,12 @@ import {
   normalizePackageName,
 } from "./targets.js";
 
-function makeBom(components) {
+function makeBom(components, extra = {}) {
   return {
     bomFormat: "CycloneDX",
     components,
     specVersion: "1.6",
+    ...extra,
   };
 }
 
@@ -25,7 +27,7 @@ describe("normalizePackageName()", () => {
 });
 
 describe("extractPurlTargetsFromBom()", () => {
-  it("extracts only npm and pypi purls", () => {
+  it("extracts supported npm, pypi, and cargo purls", () => {
     const bom = makeBom([
       {
         "bom-ref": "pkg:npm/left-pad@1.3.0",
@@ -41,6 +43,12 @@ describe("extractPurlTargetsFromBom()", () => {
         name: "requests",
         purl: "pkg:pypi/requests@2.32.3",
       },
+      {
+        "bom-ref": "pkg:cargo/serde@1.0.217",
+        name: "serde",
+        properties: [{ name: "cdx:cargo:dependencyKind", value: "dev" }],
+        purl: "pkg:cargo/serde@1.0.217",
+      },
       {
         "bom-ref": "pkg:gem/rails@8.0.0",
         name: "rails",
@@ -50,7 +58,7 @@ describe("extractPurlTargetsFromBom()", () => {
 
     const extracted = extractPurlTargetsFromBom(bom, "bom.json");
 
-    assert.strictEqual(extracted.targets.length, 2);
+    assert.strictEqual(extracted.targets.length, 3);
     assert.strictEqual(extracted.skipped.length, 1);
     assert.strictEqual(extracted.targets[0].type, "npm");
     assert.strictEqual(
@@ -62,6 +70,8 @@ describe("extractPurlTargetsFromBom()", () => {
       "cdx:npm:provenanceKeyId",
     );
     assert.strictEqual(extracted.targets[1].type, "pypi");
+    assert.strictEqual(extracted.targets[2].type, "cargo");
+    assert.strictEqual(extracted.targets[2].developmentOnly, true);
     assert.strictEqual(extracted.skipped[0].reason, "unsupported-ecosystem");
   });
 
@@ -132,6 +142,110 @@ describe("collectAuditTargets()", () => {
     assert.strictEqual(npmTarget.properties.length, 2);
   });
 
+  it("recognizes Cargo trusted-publishing and target-specific metadata", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:cargo/ring@0.17.8",
+            name: "ring",
+            properties: [
+              { name: "cdx:cargo:target", value: 'cfg(target_os = "linux")' },
+              { name: "cdx:cargo:trustedPublishing", value: "true" },
+            ],
+            purl: "pkg:cargo/ring@0.17.8",
+          },
+          {
+            "bom-ref": "pkg:cargo/serde@1.0.217",
+            name: "serde",
+            purl: "pkg:cargo/serde@1.0.217",
+          },
+        ]),
+        source: "cargo-trusted.json",
+      },
+    ];
+
+    const collected = collectAuditTargets(inputBoms, { trusted: "include" });
+
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:cargo/serde@1.0.217", "pkg:cargo/ring@0.17.8"],
+    );
+    assert.strictEqual(collected.stats.trustedTargets, 1);
+    assert.strictEqual(collected.stats.platformSpecificTargets, 1);
+  });
+
+  it("prioritizes runtime-facing Cargo crates ahead of build-only workspace crates", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom(
+          [
+            {
+              "bom-ref": "pkg:cargo/root@1.0.0",
+              name: "root",
+              purl: "pkg:cargo/root@1.0.0",
+            },
+            {
+              "bom-ref": "pkg:cargo/runtime-helper@1.0.0",
+              name: "runtime-helper",
+              properties: [
+                { name: "cdx:cargo:dependencyKind", value: "runtime" },
+                {
+                  name: "cdx:cargo:workspaceDependencyResolved",
+                  value: "true",
+                },
+              ],
+              purl: "pkg:cargo/runtime-helper@1.0.0",
+            },
+            {
+              "bom-ref": "pkg:cargo/build-helper@1.0.0",
+              name: "build-helper",
+              properties: [
+                { name: "cdx:cargo:dependencyKind", value: "build" },
+                {
+                  name: "cdx:cargo:workspaceDependencyResolved",
+                  value: "true",
+                },
+              ],
+              purl: "pkg:cargo/build-helper@1.0.0",
+            },
+          ],
+          {
+            dependencies: [
+              {
+                ref: "pkg:cargo/root@1.0.0",
+                dependsOn: [
+                  "pkg:cargo/runtime-helper@1.0.0",
+                  "pkg:cargo/build-helper@1.0.0",
+                ],
+              },
+            ],
+            metadata: {
+              component: {
+                "bom-ref": "pkg:cargo/root@1.0.0",
+              },
+            },
+          },
+        ),
+        source: "cargo-priority.json",
+      },
+    ];
+
+    const collected = collectAuditTargets(inputBoms, {
+      maxTargets: 2,
+      trusted: "include",
+    });
+
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:cargo/runtime-helper@1.0.0", "pkg:cargo/build-helper@1.0.0"],
+    );
+    assert.strictEqual(collected.targets[0].runtimeFacingCargo, true);
+    assert.strictEqual(collected.targets[1].buildOnlyWorkspace, true);
+    assert.strictEqual(collected.stats.buildOnlyWorkspaceTargets, 1);
+    assert.strictEqual(collected.stats.cargoRuntimeFacingTargets, 1);
+  });
+
   it("respects maxTargets when supplied", () => {
     const inputBoms = [
       {
@@ -226,6 +340,162 @@ describe("collectAuditTargets()", () => {
     assert.strictEqual(collected.stats.truncatedTargets, 1);
   });
 
+  it("can prioritize direct runtime dependencies ahead of transitive platform-specific packages", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom(
+          [
+            {
+              "bom-ref": "pkg:npm/direct-runtime@1.0.0",
+              name: "direct-runtime",
+              purl: "pkg:npm/direct-runtime@1.0.0",
+              scope: "required",
+            },
+            {
+              "bom-ref": "pkg:npm/transitive-platform@1.0.0",
+              name: "transitive-platform",
+              properties: [{ name: "cdx:npm:os", value: "darwin" }],
+              purl: "pkg:npm/transitive-platform@1.0.0",
+            },
+          ],
+          {
+            dependencies: [
+              {
+                dependsOn: ["pkg:npm/direct-runtime@1.0.0"],
+                ref: "pkg:application/root-app@1.0.0",
+              },
+            ],
+            metadata: {
+              component: {
+                "bom-ref": "pkg:application/root-app@1.0.0",
+                name: "root-app",
+                type: "application",
+              },
+            },
+          },
+        ),
+        source: "priority-runtime.json",
+      },
+    ];
+
+    const collected = collectAuditTargets(inputBoms, {
+      maxTargets: 1,
+      prioritizeDirectRuntime: true,
+      trusted: "include",
+    });
+
+    assert.strictEqual(collected.targets.length, 1);
+    assert.strictEqual(
+      collected.targets[0].purl,
+      "pkg:npm/direct-runtime@1.0.0",
+    );
+    assert.strictEqual(collected.targets[0].directDependency, true);
+    assert.strictEqual(collected.stats.directRuntimeTargets, 1);
+    assert.strictEqual(collected.stats.platformSpecificTargets, 1);
+  });
+
+  it("prioritizes direct runtime dependencies by default", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom(
+          [
+            {
+              "bom-ref": "pkg:npm/direct-runtime@1.0.0",
+              name: "direct-runtime",
+              purl: "pkg:npm/direct-runtime@1.0.0",
+              scope: "required",
+            },
+            {
+              "bom-ref": "pkg:npm/transitive-platform@1.0.0",
+              name: "transitive-platform",
+              properties: [{ name: "cdx:npm:os", value: "darwin" }],
+              purl: "pkg:npm/transitive-platform@1.0.0",
+            },
+          ],
+          {
+            dependencies: [
+              {
+                dependsOn: ["pkg:npm/direct-runtime@1.0.0"],
+                ref: "pkg:application/root-app@1.0.0",
+              },
+            ],
+            metadata: {
+              component: {
+                "bom-ref": "pkg:application/root-app@1.0.0",
+                name: "root-app",
+                type: "application",
+              },
+            },
+          },
+        ),
+        source: "priority-runtime-default.json",
+      },
+    ];
+
+    const collected = collectAuditTargets(inputBoms, {
+      maxTargets: 1,
+      trusted: "include",
+    });
+
+    assert.strictEqual(collected.targets.length, 1);
+    assert.strictEqual(
+      collected.targets[0].purl,
+      "pkg:npm/direct-runtime@1.0.0",
+    );
+  });
+
+  it("uses explicit required scope and evidence occurrences to improve prioritization", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/implicit-required@1.0.0",
+            name: "implicit-required",
+            purl: "pkg:npm/implicit-required@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/evidence-backed@1.0.0",
+            evidence: {
+              occurrences: [
+                { location: "src/a.js#1" },
+                { location: "src/b.js#1" },
+                { location: "src/c.js#1" },
+              ],
+            },
+            name: "evidence-backed",
+            purl: "pkg:npm/evidence-backed@1.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/explicit-required@1.0.0",
+            evidence: {
+              occurrences: [{ location: "src/main.js#1" }],
+            },
+            name: "explicit-required",
+            purl: "pkg:npm/explicit-required@1.0.0",
+            scope: "required",
+          },
+        ]),
+        source: "priority-evidence.json",
+      },
+    ];
+
+    const collected = collectAuditTargets(inputBoms, {
+      maxTargets: 3,
+      trusted: "include",
+    });
+
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      [
+        "pkg:npm/explicit-required@1.0.0",
+        "pkg:npm/evidence-backed@1.0.0",
+        "pkg:npm/implicit-required@1.0.0",
+      ],
+    );
+    assert.strictEqual(collected.targets[0].explicitRequiredScope, true);
+    assert.strictEqual(collected.targets[1].occurrenceCount, 3);
+  });
+
   it("excludes trusted-publishing-backed targets by default", () => {
     const inputBoms = [
       {
@@ -329,3 +599,146 @@ describe("collectAuditTargets()", () => {
     assert.strictEqual(collected.stats.trustedTargets, 1);
   });
 });
+
+describe("enrichInputBomsWithRegistryMetadata()", () => {
+  it("adds registry trusted-publishing properties for npm targets so default selection can exclude them", async () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/@sec-ant/readable-stream@0.4.1",
+            name: "readable-stream",
+            purl: "pkg:npm/%40sec-ant/readable-stream@0.4.1",
+          },
+          {
+            "bom-ref": "pkg:npm/plain@1.0.0",
+            name: "plain",
+            purl: "pkg:npm/plain@1.0.0",
+          },
+        ]),
+        source: "registry-enrichment.json",
+      },
+    ];
+    const { enrichInputBomsWithRegistryMetadata: enrichWithMock } =
+      await esmock("./targets.js", {
+        "../helpers/utils.js": {
+          getCratesMetadata: async (pkgList) => pkgList,
+          getNpmMetadata: async (pkgList) =>
+            pkgList.map((pkg) =>
+              pkg.name === "readable-stream"
+                ? {
+                    ...pkg,
+                    properties: [
+                      ...(pkg.properties || []),
+                      { name: "cdx:npm:trustedPublishing", value: "true" },
+                      {
+                        name: "cdx:npm:provenanceUrl",
+                        value:
+                          "https://registry.npmjs.org/-/npm/v1/attestations/readable-stream",
+                      },
+                    ],
+                  }
+                : pkg,
+            ),
+          getPyMetadata: async (pkgList) => pkgList,
+        },
+      });
+
+    await enrichWithMock(inputBoms);
+
+    const enrichedProperties = inputBoms[0].bomJson.components[0].properties;
+    assert.ok(
+      enrichedProperties.some(
+        (property) => property.name === "cdx:npm:trustedPublishing",
+      ),
+    );
+    const collected = collectAuditTargets(inputBoms);
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/plain@1.0.0"],
+    );
+  });
+
+  it("adds registry trusted-publishing properties for pypi targets", async () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:pypi/example@1.0.0",
+            name: "example",
+            purl: "pkg:pypi/example@1.0.0",
+          },
+        ]),
+        source: "pypi-enrichment.json",
+      },
+    ];
+    const { enrichInputBomsWithRegistryMetadata: enrichWithMock } =
+      await esmock("./targets.js", {
+        "../helpers/utils.js": {
+          getCratesMetadata: async (pkgList) => pkgList,
+          getNpmMetadata: async (pkgList) => pkgList,
+          getPyMetadata: async (pkgList) =>
+            pkgList.map((pkg) => ({
+              ...pkg,
+              properties: [
+                ...(pkg.properties || []),
+                { name: "cdx:pypi:trustedPublishing", value: "true" },
+                { name: "cdx:pypi:uploaderVerified", value: "true" },
+              ],
+            })),
+        },
+      });
+
+    await enrichWithMock(inputBoms);
+
+    assert.ok(
+      inputBoms[0].bomJson.components[0].properties.some(
+        (property) => property.name === "cdx:pypi:trustedPublishing",
+      ),
+    );
+  });
+
+  it("adds registry metadata for cargo targets", async () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:cargo/serde@1.0.217",
+            name: "serde",
+            purl: "pkg:cargo/serde@1.0.217",
+          },
+        ]),
+        source: "cargo-enrichment.json",
+      },
+    ];
+    const { enrichInputBomsWithRegistryMetadata: enrichWithMock } =
+      await esmock("./targets.js", {
+        "../helpers/utils.js": {
+          getCratesMetadata: async (pkgList) =>
+            pkgList.map((pkg) => ({
+              ...pkg,
+              properties: [
+                ...(pkg.properties || []),
+                { name: "cdx:cargo:trustedPublishing", value: "true" },
+                { name: "cdx:cargo:yanked", value: "true" },
+              ],
+            })),
+          getNpmMetadata: async (pkgList) => pkgList,
+          getPyMetadata: async (pkgList) => pkgList,
+        },
+      });
+
+    await enrichWithMock(inputBoms);
+
+    assert.ok(
+      inputBoms[0].bomJson.components[0].properties.some(
+        (property) => property.name === "cdx:cargo:trustedPublishing",
+      ),
+    );
+    assert.ok(
+      inputBoms[0].bomJson.components[0].properties.some(
+        (property) => property.name === "cdx:cargo:yanked",
+      ),
+    );
+  });
+});