@cyclonedx/cdxgen 12.3.1 → 12.3.2

package/lib/cli/index.poku.js

@@ -16,7 +16,12 @@ import sinon from "sinon";
 
 import { auditBom } from "../stages/postgen/auditBom.js";
 import { postProcess } from "../stages/postgen/postgen.js";
-import { createBom, createChromeExtensionBom, createRustBom } from "./index.js";
+import {
+  createBom,
+  createChromeExtensionBom,
+  createNodejsBom,
+  createRustBom,
+} from "./index.js";
 
 const fixtureDir = join(
   dirname(fileURLToPath(import.meta.url)),
@@ -54,6 +59,10 @@ const mcpFixtureDir = join(
   "mcp-repotest",
 );
 
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
 describe("CLI tests", () => {
   describe("submitBom()", () => {
     it("should report blocked Dependency-Track submission during dry-run", async () => {
@@ -902,6 +911,32 @@ checksum = "${"a".repeat(64)}"
       assert.ok(findings.some((finding) => finding.ruleId === "MCP-003"));
     });
 
+    it("supports the ai-inventory audit category alias for MCP discovery", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        installDeps: false,
+        multiProject: false,
+        projectType: ["js"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(mcpFixtureDir, options);
+      const processedBomNSData = postProcess(bomNSData, options, mcpFixtureDir);
+      const bomJson = processedBomNSData?.bomJson || {};
+      assert.ok(
+        (bomJson.services || []).some(
+          (service) => service.name === "unsafe-http-server",
+        ),
+      );
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-001"));
+    });
+
     it("supports the dedicated mcp project type alias", async () => {
       const options = {
         bomAudit: false,
@@ -927,5 +962,265 @@ checksum = "${"a".repeat(64)}"
         ),
       );
     });
+
+    it("supports exact AI skill scans and js exclude-type filtering for AI inventory", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-ai-inventory-"));
+      mkdirSync(join(tmpDir, ".claude", "skills", "release"), {
+        recursive: true,
+      });
+      mkdirSync(join(tmpDir, ".vscode"), { recursive: true });
+      writeFileSync(
+        join(tmpDir, "package.json"),
+        JSON.stringify(
+          {
+            dependencies: {
+              "left-pad": "1.3.0",
+            },
+            name: "ai-inventory-demo",
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "package-lock.json"),
+        JSON.stringify(
+          {
+            lockfileVersion: 3,
+            name: "ai-inventory-demo",
+            packages: {
+              "": {
+                dependencies: {
+                  "left-pad": "1.3.0",
+                },
+                name: "ai-inventory-demo",
+                version: "1.0.0",
+              },
+              "node_modules/left-pad": {
+                resolved:
+                  "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+                version: "1.3.0",
+              },
+            },
+            requires: true,
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "CLAUDE.md"),
+        "Use the release skill before publishing artifacts.",
+      );
+      writeFileSync(
+        join(tmpDir, ".claude", "skills", "release", "SKILL.md"),
+        [
+          "---",
+          "name: release",
+          "description: Prepare release artifacts",
+          "---",
+          "Use this skill before shipping.",
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, ".vscode", "mcp.json"),
+        JSON.stringify(
+          {
+            mcpServers: {
+              releaseDocs: {
+                endpoint: "https://example.com/mcp",
+                transport: "http",
+              },
+            },
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "pyproject.toml"),
+        [
+          "[project]",
+          'name = "demo-python-app"',
+          'version = "0.1.0"',
+          'requires-python = ">=3.10"',
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, "server.py"),
+        [
+          "import mcp.server.stdio",
+          "import mcp.types as mtypes",
+          "from mcp.server import Server",
+          "",
+          'server = Server("python-release-docs", version="0.2.0")',
+          "",
+          "@server.list_tools()",
+          "async def handle_list_tools():",
+          '    return [mtypes.Tool(name="summarize_vulns", description="Summarize vulns", inputSchema={"type": "object"})]',
+          "",
+          "async with mcp.server.stdio.stdio_server() as (read_stream, write_stream):",
+          "    await server.run(read_stream, write_stream, None)",
+        ].join("\n"),
+      );
+      try {
+        const baseOptions = {
+          installDeps: false,
+          multiProject: false,
+          specVersion: 1.7,
+        };
+        const jsOptions = {
+          ...baseOptions,
+          projectType: ["js"],
+        };
+        const jsBomJson = postProcess(
+          await createBom(tmpDir, jsOptions),
+          jsOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in js scan",
+        );
+        assert.ok(
+          (jsBomJson.services || []).some(
+            (service) =>
+              service.name === "releaseDocs" &&
+              getProp(service, "cdx:mcp:inventorySource") === "config-file",
+          ),
+          "expected MCP config service in js scan",
+        );
+
+        const dockerOptions = {
+          ...baseOptions,
+          projectType: ["js", "docker"],
+        };
+        const dockerBomJson = postProcess(
+          await createNodejsBom(tmpDir, dockerOptions),
+          dockerOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in docker js scan",
+        );
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in docker js scan",
+        );
+
+        const exactAiSkillOptions = {
+          ...baseOptions,
+          projectType: ["ai-skill"],
+        };
+        const aiSkillBomJson = postProcess(
+          await createBom(tmpDir, exactAiSkillOptions),
+          exactAiSkillOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (aiSkillBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in exact ai-skill scan",
+        );
+        assert.ok(
+          !(aiSkillBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "did not expect MCP configs in exact ai-skill scan",
+        );
+
+        const filteredOptions = {
+          ...baseOptions,
+          excludeType: ["ai-skill", "mcp"],
+          projectType: ["js"],
+        };
+        const filteredBomJson = postProcess(
+          await createBom(tmpDir, filteredOptions),
+          filteredOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          !(filteredBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components after exclude-type filtering",
+        );
+        assert.ok(
+          !(filteredBomJson.services || []).some((service) =>
+            service.properties?.some((property) =>
+              property.name.startsWith("cdx:mcp:"),
+            ),
+          ),
+          "did not expect MCP services after exclude-type filtering",
+        );
+
+        const pyOptions = {
+          ...baseOptions,
+          projectType: ["py"],
+        };
+        const pyBomJson = postProcess(
+          await createBom(tmpDir, pyOptions),
+          pyOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in python scan",
+        );
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in python scan",
+        );
+        assert.ok(
+          (pyBomJson.services || []).some(
+            (service) =>
+              service.name === "python-release-docs" &&
+              getProp(service, "cdx:mcp:inventorySource") ===
+                "source-code-analysis",
+          ),
+          "expected Python MCP service in python scan",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
   });
 });

package/lib/helpers/agentFormulationParser.js

@@ -167,7 +167,10 @@ export const agentFormulationParser = {
         packageRefs.length > 0 ||
         /\bmcp\b/i.test(raw) ||
         /modelcontextprotocol/i.test(raw);
-      if (!hiddenUnicodeScan.hasHiddenUnicode && !hasMcpReferences) {
+      // Inventory all matched agent/instruction files, even when they do not
+      // yet contain hidden Unicode or explicit MCP references, so shipped files
+      // such as CLAUDE.md and AGENTS.md still surface in build/post-build BOMs.
+      if (!raw.trim().length) {
         continue;
       }
       const hiddenComponentKinds = [];

package/lib/helpers/aiInventory.js

@@ -0,0 +1,262 @@
+import { agentFormulationParser } from "./agentFormulationParser.js";
+import { communityAiConfigParser } from "./communityAiConfigParser.js";
+import { mergeServices, trimComponents } from "./depsUtils.js";
+import { classifyMcpReference } from "./mcp.js";
+import { mcpConfigParser } from "./mcpConfigParser.js";
+import { getAllFiles } from "./utils.js";
+
+export const AI_INVENTORY_PROJECT_TYPES = ["mcp", "ai-skill"];
+export const AI_INSTRUCTION_FILE_KINDS = new Set([
+  "agent-config",
+  "agent-definition",
+  "agent-instructions",
+  "ai-agent-file",
+  "copilot-instructions",
+  "copilot-setup-workflow",
+  "crew-agent",
+  "crew-task",
+  "crew-tool",
+  "custom-command",
+  "custom-tool",
+  "graph-definition",
+]);
+export const AI_SKILL_FILE_KIND = "skill-file";
+export const MCP_CONFIG_FILE_KIND = "mcp-config";
+
+const AI_INVENTORY_FILE_KINDS = new Set([
+  "agent-config",
+  "agent-definition",
+  "agent-instructions",
+  "ai-agent-file",
+  "copilot-instructions",
+  "copilot-setup-workflow",
+  "crew-agent",
+  "crew-task",
+  "crew-tool",
+  "custom-command",
+  "custom-tool",
+  "graph-definition",
+  AI_SKILL_FILE_KIND,
+]);
+
+const AI_INVENTORY_PARSERS = [
+  {
+    id: agentFormulationParser.id,
+    parser: agentFormulationParser,
+    types: ["mcp", "ai-skill"],
+  },
+  {
+    id: mcpConfigParser.id,
+    parser: mcpConfigParser,
+    types: ["mcp"],
+  },
+  {
+    id: communityAiConfigParser.id,
+    parser: communityAiConfigParser,
+    types: ["ai-skill"],
+  },
+];
+
+export function inventoryPropertyValue(subject, name) {
+  return subject?.properties?.find((property) => property.name === name)?.value;
+}
+
+function hasPropertyPrefix(subject, prefix) {
+  return (subject?.properties || []).some((property) =>
+    property?.name?.startsWith(prefix),
+  );
+}
+
+function uniqueNonEmptyTypes(types) {
+  return [...new Set((types || []).filter(Boolean))];
+}
+
+export function optionIncludesAiInventoryProjectType(optionValue, type) {
+  const values = Array.isArray(optionValue)
+    ? optionValue
+    : optionValue
+      ? [optionValue]
+      : [];
+  return values.some((value) => {
+    const normalizedValue = String(value).toLowerCase();
+    if (type === "ai-skill") {
+      return ["ai-skill", "skill", "skills"].includes(normalizedValue);
+    }
+    return normalizedValue === type;
+  });
+}
+
+export function inventoryTypesForSubject(subject) {
+  const types = new Set();
+  const fileKind = inventoryPropertyValue(subject, "cdx:file:kind");
+  if (
+    subject?.group === "mcp" ||
+    classifyMcpReference(subject).isMcp ||
+    hasPropertyPrefix(subject, "cdx:mcp:") ||
+    (subject?.tags || []).some((tag) => String(tag || "").startsWith("mcp"))
+  ) {
+    types.add("mcp");
+  }
+  if (
+    AI_INVENTORY_FILE_KINDS.has(fileKind) ||
+    hasPropertyPrefix(subject, "cdx:agent:") ||
+    hasPropertyPrefix(subject, "cdx:skill:") ||
+    hasPropertyPrefix(subject, "cdx:tool:") ||
+    hasPropertyPrefix(subject, "cdx:langgraph:") ||
+    hasPropertyPrefix(subject, "cdx:crewai:")
+  ) {
+    types.add("ai-skill");
+  }
+  if (
+    inventoryPropertyValue(subject, "cdx:mcp:inventorySource") === "agent-file"
+  ) {
+    types.add("ai-skill");
+  }
+  return Array.from(types);
+}
+
+export function matchesAiInventoryType(subject, type) {
+  return inventoryTypesForSubject(subject).includes(type);
+}
+
+export function matchesAiInventoryExcludeType(subject, type) {
+  if (type === "mcp") {
+    const fileKind = inventoryPropertyValue(subject, "cdx:file:kind");
+    return (
+      fileKind === MCP_CONFIG_FILE_KIND ||
+      subject?.group === "mcp" ||
+      inventoryPropertyValue(subject, "cdx:mcp:inventorySource") !==
+        undefined ||
+      inventoryPropertyValue(subject, "cdx:mcp:role") !== undefined
+    );
+  }
+  return matchesAiInventoryType(subject, type);
+}
+
+export function filterInventorySubjectsByTypes(subjects, types) {
+  const allowedTypes = uniqueNonEmptyTypes(types);
+  if (!allowedTypes.length) {
+    return [];
+  }
+  return (subjects || []).filter((subject) =>
+    inventoryTypesForSubject(subject).some((type) =>
+      allowedTypes.includes(type),
+    ),
+  );
+}
+
+export function filterInventoryDependencies(
+  dependencies,
+  components,
+  services,
+) {
+  const allowedRefs = new Set(
+    []
+      .concat(components || [])
+      .concat(services || [])
+      .map((subject) => subject?.["bom-ref"])
+      .filter(Boolean),
+  );
+  return (dependencies || [])
+    .filter((dependency) => allowedRefs.has(dependency.ref))
+    .map((dependency) => {
+      const filteredDependency = {
+        ref: dependency.ref,
+      };
+      if (dependency.dependsOn?.length) {
+        filteredDependency.dependsOn = dependency.dependsOn.filter((ref) =>
+          allowedRefs.has(ref),
+        );
+      }
+      if (dependency.provides?.length) {
+        filteredDependency.provides = dependency.provides.filter((ref) =>
+          allowedRefs.has(ref),
+        );
+      }
+      return filteredDependency;
+    });
+}
+
+export function collectAiInventory(discoveryPath, options, types) {
+  const requestedTypes = uniqueNonEmptyTypes(types);
+  if (!requestedTypes.length) {
+    return { components: [], dependencies: [], services: [] };
+  }
+  let components = [];
+  const dependencies = [];
+  let services = [];
+  for (const parserEntry of AI_INVENTORY_PARSERS) {
+    if (!parserEntry.types.some((type) => requestedTypes.includes(type))) {
+      continue;
+    }
+    const matchedFiles = [];
+    for (const pattern of parserEntry.parser.patterns) {
+      const found = getAllFiles(discoveryPath, pattern, options);
+      if (found?.length) {
+        matchedFiles.push(...found);
+      }
+    }
+    const uniqueMatchedFiles = [...new Set(matchedFiles)];
+    if (!uniqueMatchedFiles.length) {
+      continue;
+    }
+    let result;
+    try {
+      result = parserEntry.parser.parse(uniqueMatchedFiles, options);
+    } catch (err) {
+      console.warn(
+        `[aiInventory] Parser "${parserEntry.id}" threw an error:`,
+        err.message,
+      );
+      continue;
+    }
+    if (result?.components?.length) {
+      components = components.concat(result.components);
+    }
+    if (result?.services?.length) {
+      services = mergeServices(services, result.services);
+    }
+    if (result?.dependencies?.length) {
+      dependencies.push(...result.dependencies);
+    }
+  }
+  components = trimComponents(
+    filterInventorySubjectsByTypes(components, requestedTypes),
+  );
+  services = mergeServices(
+    [],
+    filterInventorySubjectsByTypes(services, requestedTypes),
+  );
+  return {
+    components,
+    dependencies: filterInventoryDependencies(
+      dependencies,
+      components,
+      services,
+    ),
+    services,
+  };
+}
+
+export function summarizeAiInventory(inventory) {
+  const components = inventory?.components || [];
+  const services = inventory?.services || [];
+  return {
+    instructionCount: components.filter((component) =>
+      AI_INSTRUCTION_FILE_KINDS.has(
+        inventoryPropertyValue(component, "cdx:file:kind"),
+      ),
+    ).length,
+    mcpConfigCount: components.filter(
+      (component) =>
+        inventoryPropertyValue(component, "cdx:file:kind") ===
+        MCP_CONFIG_FILE_KIND,
+    ).length,
+    mcpServiceCount: services.length,
+    skillCount: components.filter(
+      (component) =>
+        inventoryPropertyValue(component, "cdx:file:kind") ===
+        AI_SKILL_FILE_KIND,
+    ).length,
+  };
+}

package/lib/helpers/aiInventory.poku.js

@@ -0,0 +1,111 @@
+import { assert, describe, it } from "poku";
+
+import {
+  filterInventoryDependencies,
+  inventoryTypesForSubject,
+  matchesAiInventoryExcludeType,
+  matchesAiInventoryType,
+  summarizeAiInventory,
+} from "./aiInventory.js";
+
+describe("aiInventory", () => {
+  it("classifies agent-derived MCP services as both mcp and ai-skill", () => {
+    const service = {
+      "bom-ref": "urn:service:agent-mcp:demo:1",
+      group: "mcp",
+      properties: [
+        { name: "cdx:mcp:inventorySource", value: "agent-file" },
+        { name: "cdx:mcp:serviceType", value: "inferred-endpoint" },
+      ],
+    };
+    assert.deepStrictEqual(inventoryTypesForSubject(service).sort(), [
+      "ai-skill",
+      "mcp",
+    ]);
+    assert.strictEqual(matchesAiInventoryType(service, "mcp"), true);
+    assert.strictEqual(matchesAiInventoryType(service, "ai-skill"), true);
+  });
+
+  it("limits MCP exclusion matching to AI inventory services, files, and primitives", () => {
+    const mcpPackage = {
+      "bom-ref": "pkg:npm/@modelcontextprotocol/server-filesystem@1.0.0",
+      name: "@modelcontextprotocol/server-filesystem",
+      purl: "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+    };
+    const mcpPrimitive = {
+      "bom-ref": "urn:mcp:tool:docs:search",
+      properties: [{ name: "cdx:mcp:role", value: "tool" }],
+      tags: ["mcp", "mcp-tool"],
+    };
+    const mcpConfig = {
+      "bom-ref": "file:/repo/.vscode/mcp.json",
+      properties: [{ name: "cdx:file:kind", value: "mcp-config" }],
+      type: "file",
+    };
+    const mcpService = {
+      "bom-ref": "urn:service:mcp:docs:latest",
+      group: "mcp",
+      properties: [{ name: "cdx:mcp:inventorySource", value: "config-file" }],
+    };
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpPackage, "mcp"), false);
+    assert.strictEqual(
+      matchesAiInventoryExcludeType(mcpPrimitive, "mcp"),
+      true,
+    );
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpConfig, "mcp"), true);
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpService, "mcp"), true);
+  });
+
+  it("filters dependencies to retained component and service refs", () => {
+    const components = [{ "bom-ref": "file:/repo/CLAUDE.md" }];
+    const services = [{ "bom-ref": "urn:service:mcp:docs:latest" }];
+    const filtered = filterInventoryDependencies(
+      [
+        {
+          ref: "urn:service:mcp:docs:latest",
+          provides: ["file:/repo/CLAUDE.md", "urn:service:mcp:other:latest"],
+        },
+        {
+          ref: "urn:service:mcp:missing:latest",
+          provides: ["file:/repo/CLAUDE.md"],
+        },
+      ],
+      components,
+      services,
+    );
+    assert.deepStrictEqual(filtered, [
+      {
+        ref: "urn:service:mcp:docs:latest",
+        provides: ["file:/repo/CLAUDE.md"],
+      },
+    ]);
+  });
+
+  it("summarizes AI inventory counts for instructions, skills, configs, and services", () => {
+    const summary = summarizeAiInventory({
+      components: [
+        {
+          properties: [{ name: "cdx:file:kind", value: "agent-instructions" }],
+        },
+        {
+          properties: [
+            { name: "cdx:file:kind", value: "copilot-instructions" },
+          ],
+        },
+        {
+          properties: [{ name: "cdx:file:kind", value: "skill-file" }],
+        },
+        {
+          properties: [{ name: "cdx:file:kind", value: "mcp-config" }],
+        },
+      ],
+      services: [{ name: "releaseDocs" }, { name: "deployBot" }],
+    });
+    assert.deepStrictEqual(summary, {
+      instructionCount: 2,
+      mcpConfigCount: 1,
+      mcpServiceCount: 2,
+      skillCount: 1,
+    });
+  });
+});