@cyclonedx/cdxgen 12.3.1 → 12.3.2

package/bin/cdxgen.js

@@ -462,9 +462,8 @@ const args = _yargs
   })
   .option("tlp-classification", {
     description:
-      'Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is "CLEAR"',
+      "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with an artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.",
     choices: ["CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED"],
-    default: "CLEAR",
     hidden: true,
   })
   .option("env-audit", {

package/data/rules/ai-agent-governance.yaml

@@ -204,3 +204,46 @@
       "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
       "providerNames": $prop($, 'cdx:agent:providerNames')
     }
+
+- id: AGT-007
+  name: "AI agent or skill file is included in a build or post-build SBOM"
+  description: "Shipped AI instruction and skill files deserve explicit review because they can alter developer tooling, release-time automation, and downstream runtime behavior."
+  severity: medium
+  category: ai-agent
+  standards:
+    owasp-ai-top-10:
+      - "LLM05: Supply Chain Vulnerabilities"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Govern"
+      - "Map"
+    nist-ssdf:
+      - "Review build and release instructions before distribution"
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:agent:inventorySource') = 'agent-file'
+        or $prop($, 'cdx:agent:inventorySource') = 'community-config'
+      )
+      and (
+        $prop($, 'cdx:file:kind') = 'skill-file'
+        or $prop($, 'cdx:file:kind') = 'agent-instructions'
+        or $prop($, 'cdx:file:kind') = 'copilot-instructions'
+        or $prop($, 'cdx:file:kind') = 'copilot-setup-workflow'
+        or $prop($, 'cdx:file:kind') = 'ai-agent-file'
+      )
+      and $count($$.metadata.lifecycles[phase = 'build' or phase = 'post-build']) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "AI instruction or skill file '{{ name }}' is included in a build/post-build SBOM"
+  mitigation: "If the file must ship, keep the BOM review-friendly with '--bom-audit --bom-audit-categories ai-agent' and consider '--tlp-classification AMBER'. If you want a package-only BOM, rerun with '--exclude-type ai-skill'."
+  evidence: |
+    {
+      "inventorySource": $prop($, 'cdx:agent:inventorySource'),
+      "fileKind": $prop($, 'cdx:file:kind'),
+      "providerNames": $prop($, 'cdx:agent:providerNames')
+    }

package/data/rules/mcp-servers.yaml

@@ -191,8 +191,9 @@
     {
       "configFormat": $prop($, 'cdx:mcp:configFormat'),
       "configKey": $prop($, 'cdx:mcp:configKey'),
-      "credentialExposureFields": $prop($, 'cdx:mcp:credentialExposureFields'),
-      "credentialRiskIndicators": $prop($, 'cdx:mcp:credentialRiskIndicators')
+      "credentialExposureFieldCount": $prop($, 'cdx:mcp:credentialExposureFieldCount'),
+      "credentialIndicatorCount": $prop($, 'cdx:mcp:credentialIndicatorCount'),
+      "credentialReferenceCount": $prop($, 'cdx:mcp:credentialReferenceCount')
     }
 
 - id: MCP-006
@@ -268,3 +269,36 @@
       "trustProfile": $prop($, 'cdx:mcp:trustProfile'),
       "authPosture": $prop($, 'cdx:mcp:authPosture')
     }
+
+- id: MCP-008
+  name: "MCP configuration file is included in a build or post-build SBOM"
+  description: "Committed MCP client configuration files can carry trust, auth, and distribution sensitivity even when they are not actively used during the current scan."
+  severity: medium
+  category: mcp-server
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Govern"
+      - "Map"
+    nist-ssdf:
+      - "Review configured AI control surfaces before release"
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'mcp-config'
+      and $count($$.metadata.lifecycles[phase = 'build' or phase = 'post-build']) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "MCP config file '{{ name }}' is included in a build/post-build SBOM"
+  mitigation: "Review the config with '--bom-audit --bom-audit-categories mcp-server', consider '--tlp-classification AMBER' before sharing the BOM broadly, or rerun with '--exclude-type mcp' if config artifacts should be omitted."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configuredServiceCount": $prop($, 'cdx:mcp:configuredServiceCount'),
+      "configuredServiceNames": $prop($, 'cdx:mcp:configuredServiceNames')
+    }

package/lib/cli/index.js

@@ -18,10 +18,24 @@ import { parse } from "ssri";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
+import {
+  AI_INSTRUCTION_FILE_KINDS,
+  AI_INVENTORY_PROJECT_TYPES,
+  AI_SKILL_FILE_KIND,
+  collectAiInventory,
+  filterInventoryDependencies,
+  filterInventorySubjectsByTypes,
+  inventoryPropertyValue,
+  MCP_CONFIG_FILE_KIND,
+  optionIncludesAiInventoryProjectType,
+  summarizeAiInventory,
+} from "../helpers/aiInventory.js";
 import {
   detectMcpInventory,
+  detectPythonMcpInventory,
   findJSImportsExports,
 } from "../helpers/analyzer.js";
+import { expandBomAuditCategories } from "../helpers/auditCategories.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
@@ -197,6 +211,9 @@ import {
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
+
+export { summarizeAiInventory } from "../helpers/aiInventory.js";
+
 import {
   cleanupTempDir,
   collectInstalledExtensions,
@@ -2717,16 +2734,32 @@ export async function createJavaBom(path, options) {
  * @param {Object} options Parse options from the cli
  * @returns {Promise<Object>} Promise resolving to BOM object
  */
+function getRequestedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.projectType, type),
+  );
+}
+
+function getExcludedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.excludeType, type),
+  );
+}
+
+function getExactAiInventoryType(options) {
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  return requestedAiInventoryTypes.length === 1 &&
+    Array.isArray(options?.projectType) &&
+    options.projectType.length === 1
+    ? requestedAiInventoryTypes[0]
+    : undefined;
+}
+
 function shouldDetectMcpInventory(options, allImports = {}) {
   if (hasAnyProjectType(["mcp"], options, false)) {
     return true;
   }
-  const auditCategories = Array.isArray(options?.bomAuditCategories)
-    ? options.bomAuditCategories
-    : String(options?.bomAuditCategories || "")
-        .split(",")
-        .map((category) => category.trim())
-        .filter(Boolean);
+  const auditCategories = expandBomAuditCategories(options?.bomAuditCategories);
   if (
     auditCategories.some((category) =>
       ["mcp-server", "ai-agent"].includes(category),
@@ -2740,6 +2773,91 @@ function shouldDetectMcpInventory(options, allImports = {}) {
   });
 }
 
+function summarizeAiInventoryNames(subjects, discoveryPath, kindSet) {
+  return [
+    ...new Set(
+      (subjects || [])
+        .filter((subject) =>
+          kindSet.has(inventoryPropertyValue(subject, "cdx:file:kind")),
+        )
+        .map((subject) => inventoryPropertyValue(subject, "SrcFile"))
+        .filter(Boolean)
+        .map(
+          (filePath) => relative(discoveryPath, filePath) || basename(filePath),
+        ),
+    ),
+  ].sort();
+}
+
+function summarizeAiInventoryServiceNames(services) {
+  return [
+    ...new Set(
+      (services || []).map((service) => service?.name).filter(Boolean),
+    ),
+  ].sort();
+}
+
+function formatAiInventorySummaryLine(label, count, nameList) {
+  return `  ${label.padEnd(20)} ${count}${nameList.length ? ` (${nameList.join(", ")})` : ""}`;
+}
+
+function emitAiInventorySummary(aiInventory, discoveryPath) {
+  const summary = summarizeAiInventory(aiInventory);
+  const totalInventory =
+    summary.instructionCount +
+    summary.skillCount +
+    summary.mcpConfigCount +
+    summary.mcpServiceCount;
+  if (!totalInventory) {
+    return;
+  }
+  const instructionNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    AI_INSTRUCTION_FILE_KINDS,
+  );
+  const skillNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([AI_SKILL_FILE_KIND]),
+  );
+  const mcpConfigNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([MCP_CONFIG_FILE_KIND]),
+  );
+  const mcpServiceNames = summarizeAiInventoryServiceNames(
+    aiInventory.services,
+  );
+  console.warn(
+    [
+      "AI Inventory Summary:",
+      formatAiInventorySummaryLine(
+        "AI instruction files:",
+        summary.instructionCount,
+        instructionNames,
+      ),
+      formatAiInventorySummaryLine(
+        "Skill files:",
+        summary.skillCount,
+        skillNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP configs:",
+        summary.mcpConfigCount,
+        mcpConfigNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP services:",
+        summary.mcpServiceCount,
+        mcpServiceNames,
+      ),
+      "",
+      "Run --bom-audit --bom-audit-categories ai-inventory to audit these surfaces.",
+    ].join("\n"),
+  );
+}
+
 export async function createNodejsBom(path, options) {
   let pkgList = [];
   let manifestFiles = [];
@@ -2747,6 +2865,15 @@ export async function createNodejsBom(path, options) {
   let parentComponent = {};
   const parentSubComponents = [];
   let ppurl = "";
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const exactAiInventoryType = getExactAiInventoryType(options);
+  const includedAiInventoryTypes = exactAiInventoryType
+    ? requestedAiInventoryTypes
+    : AI_INVENTORY_PROJECT_TYPES.filter(
+        (type) => !excludedAiInventoryTypes.includes(type),
+      );
+  let aiInventory = { components: [], dependencies: [], services: [] };
   // Docker mode requires special handling
   if (hasAnyProjectType(["docker", "oci", "container", "os"], options, false)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
@@ -2758,11 +2885,27 @@ export async function createNodejsBom(path, options) {
           pkgList = pkgList.concat(dlist);
         }
       }
+      if (includedAiInventoryTypes.length) {
+        aiInventory = collectAiInventory(
+          path,
+          options,
+          includedAiInventoryTypes,
+        );
+      }
+      if (aiInventory.components?.length) {
+        pkgList = trimComponents(pkgList.concat(aiInventory.components));
+      }
       return buildBomNSData(options, pkgList, "npm", {
         allImports: {},
         src: path,
         filename: "package.json",
+        dependencies: mergeDependencies(
+          [],
+          aiInventory.dependencies,
+          parentComponent,
+        ),
         parentComponent,
+        services: aiInventory.services,
       });
     }
   }
@@ -2785,6 +2928,40 @@ export async function createNodejsBom(path, options) {
       mcpInventory = detectMcpInventory(path, options.deep);
     }
   }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+  }
+  if (excludedAiInventoryTypes.includes("mcp")) {
+    mcpInventory = { components: [], dependencies: [], services: [] };
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (!exactAiInventoryType) {
+    if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+      );
+    }
+    if (aiInventorySummary.mcpConfigCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+      );
+    }
+    emitAiInventorySummary(aiInventory, path);
+  }
+  if (exactAiInventoryType === "ai-skill") {
+    const exactComponents = trimComponents([...(aiInventory.components || [])]);
+    const exactDependencies = mergeDependencies([], aiInventory.dependencies);
+    const exactServices = mergeServices([], aiInventory.services);
+    parentComponent = createDefaultParentComponent(path, "generic", options);
+    return buildBomNSData(options, exactComponents, "generic", {
+      dependencies: exactDependencies,
+      filename: path,
+      parentComponent,
+      projectType: exactAiInventoryType,
+      services: exactServices,
+      src: path,
+    });
+  }
   let yarnLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}yarn.lock`,
@@ -3675,12 +3852,37 @@ export async function createNodejsBom(path, options) {
       parentComponent,
     );
   }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
+  if (exactAiInventoryType === "mcp") {
+    pkgList = trimComponents(filterInventorySubjectsByTypes(pkgList, ["mcp"]));
+    dependencies = filterInventoryDependencies(
+      dependencies,
+      pkgList,
+      inventoryServices,
+    );
+    if (!parentComponent || !Object.keys(parentComponent).length) {
+      parentComponent = createDefaultParentComponent(path, "generic", options);
+    }
+  }
   return buildBomNSData(options, pkgList, "npm", {
     src: path,
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
-    services: mergeServices([], mcpInventory.services || []),
+    services: inventoryServices,
   });
 }
 
@@ -3859,6 +4061,16 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const includedAiInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) =>
+      (!requestedAiInventoryTypes.length ||
+        requestedAiInventoryTypes.includes(type)) &&
+      !excludedAiInventoryTypes.includes(type),
+  );
+  let aiInventory = { components: [], dependencies: [], services: [] };
+  let mcpInventory = { components: [], dependencies: [], services: [] };
   const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   // We are checking only the root here for pipenv
@@ -4350,6 +4562,24 @@ export async function createPythonBom(path, options) {
       pkgList = pkgList.concat(dlist);
     }
   }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+    if (includedAiInventoryTypes.includes("mcp")) {
+      mcpInventory = detectPythonMcpInventory(path, options.deep);
+    }
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+    );
+  }
+  if (aiInventorySummary.mcpConfigCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+    );
+  }
+  emitAiInventorySummary(aiInventory, path);
   // Check and complete the dependency tree
   if (
     isFeatureEnabled(options, "safe-pip-install") &&
@@ -4398,6 +4628,30 @@ export async function createPythonBom(path, options) {
   if (shouldFetchLicense()) {
     pkgList = await getPyMetadata(pkgList, false);
   }
+  if (mcpInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(mcpInventory.components));
+  }
+  if (mcpInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      mcpInventory.dependencies,
+      parentComponent,
+    );
+  }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
   return buildBomNSData(options, pkgList, "pypi", {
     allImports,
     src: path,
@@ -4405,6 +4659,7 @@ export async function createPythonBom(path, options) {
     dependencies,
     parentComponent,
     formulationList,
+    services: inventoryServices,
   });
 }
 
@@ -7882,22 +8137,39 @@ export async function createMultiXBom(pathList, options) {
     if (pathList.length > 2) {
       thoughtLog(`Let's thoroughly check the path ${path}.`);
     }
-    // Node.js
-    if (hasAnyProjectType(["oci", "js"], options)) {
+    // Node.js and AI inventory
+    if (hasAnyProjectType(["oci", "js", "mcp", "ai-skill"], options)) {
+      const exactAiInventoryType = getExactAiInventoryType(options);
       if (!hasAnyProjectType(["oci"], options, false)) {
-        thoughtLog(
-          "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
-        );
+        if (exactAiInventoryType === "mcp") {
+          thoughtLog(
+            "**MCP**: Looking for MCP services, MCP configs, and related AI control-plane artifacts.",
+          );
+        } else if (exactAiInventoryType === "ai-skill") {
+          thoughtLog(
+            "**AI-SKILL**: Looking for AI instruction, skill, and agent-definition files that can influence build or release flows.",
+          );
+        } else {
+          thoughtLog(
+            "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
+          );
+        }
       }
-      setProjectTypeActivityContext("js", path);
+      setProjectTypeActivityContext(exactAiInventoryType || "js", path);
       bomData = await createNodejsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
-        thoughtLog(
-          `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
-        );
+        if (exactAiInventoryType) {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} ${exactAiInventoryType} component(s). Let's keep looking.`,
+          );
+        } else {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
+          );
+        }
         if (DEBUG_MODE) {
           console.log(
-            `Found ${bomData.bomJson.components.length} npm packages at ${path}`,
+            `Found ${bomData.bomJson.components.length} ${exactAiInventoryType || "npm"} components at ${path}`,
           );
         }
         components = components.concat(bomData.bomJson.components);
@@ -9238,6 +9510,12 @@ export async function createBom(path, options) {
   ) {
     return await createNodejsBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["mcp"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
+  if (PROJECT_TYPE_ALIASES["ai-skill"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
   if (
     PROJECT_TYPE_ALIASES["py"].includes(projectType[0]) ||
     projectType?.[0]?.startsWith("python")