@cyclonedx/cdxgen 12.3.1 → 12.3.2

package/lib/helpers/analyzer.js

@@ -2066,6 +2066,380 @@ const serviceObjectForMcp = (serviceInfo) => {
   };
 };
 
+const buildMcpInventoryFromServices = (servicesByKey) => {
+  const services = [];
+  const components = [];
+  const dependencies = [];
+  for (const serviceInfo of servicesByKey.values()) {
+    if (
+      !serviceInfo.primitives.length &&
+      !serviceInfo.transports.size &&
+      !serviceInfo.endpoints.size &&
+      !serviceInfo.capabilities.size &&
+      !serviceInfo.sourceLine &&
+      !serviceInfo.outboundHosts.size &&
+      !serviceInfo.usageSignals.size
+    ) {
+      continue;
+    }
+    if (
+      serviceInfo.endpoints.size &&
+      !serviceInfo.transports.has("stdio") &&
+      !serviceInfo.transports.size
+    ) {
+      serviceInfo.transports.add("streamable-http");
+    }
+    if (
+      serviceInfo.transports.has("streamable-http") &&
+      typeof serviceInfo.authenticated === "undefined"
+    ) {
+      serviceInfo.authenticated = false;
+    }
+    const service = serviceObjectForMcp(serviceInfo);
+    services.push(service);
+    const providedRefs = [];
+    for (const primitive of serviceInfo.primitives) {
+      const component = primitiveComponentForMcp(serviceInfo, primitive);
+      components.push(component);
+      providedRefs.push(component["bom-ref"]);
+    }
+    if (providedRefs.length) {
+      dependencies.push({
+        ref: service["bom-ref"],
+        dependsOn: [],
+        provides: providedRefs.sort(),
+      });
+    }
+  }
+  return { components, dependencies, services };
+};
+
+// Capture groups:
+// 1 = module path in `from x import y`
+// 2 = imported symbols in `from x import y`
+// 3 = imported modules in `import x, y`
+const PYTHON_IMPORT_PATTERN =
+  /^\s*(?:from\s+([a-zA-Z0-9_.]+)\s+import\s+([^\n#]+)|import\s+([^\n#]+))/gmu;
+const PYTHON_DECORATOR_PATTERN = /@([a-zA-Z_][a-zA-Z0-9_]*)\.(\w+)\s*\(/gmu;
+const PYTHON_STDIO_PATTERN = /\bstdio_server\s*\(/u;
+const PYTHON_HTTP_TRANSPORT_PATTERN = /\b(streamable|sse|http)\b/iu;
+
+const PYTHON_DECORATOR_ROLE_MAP = new Map([
+  ["call_tool", "tool"],
+  ["get_prompt", "prompt"],
+  ["list_prompts", "prompt"],
+  ["list_resources", "resource"],
+  ["list_tools", "tool"],
+  ["prompt", "prompt"],
+  ["read_resource", "resource"],
+  ["resource", "resource"],
+  ["resource_template", "resource-template"],
+  ["tool", "tool"],
+]);
+
+const lineNumberForIndex = (text, index) =>
+  text.slice(0, index).split("\n").length || 1;
+
+const extractPythonNamedString = (argumentText, key) => {
+  const directPattern = new RegExp(`${key}\\s*=\\s*["']([^"'\\n]+)["']`, "u");
+  const directMatch = argumentText.match(directPattern);
+  if (directMatch?.[1]) {
+    return directMatch[1];
+  }
+  const wrappedPattern = new RegExp(
+    `${key}\\s*=\\s*[a-zA-Z_][a-zA-Z0-9_.]*\\(\\s*["']([^"'\\n]+)["']`,
+    "u",
+  );
+  return argumentText.match(wrappedPattern)?.[1];
+};
+
+const extractFirstPythonString = (argumentText) =>
+  argumentText.match(/^\s*["']([^"'\n]+)["']/u)?.[1];
+
+const extractPythonCallArguments = (raw, alias) => {
+  const aliasPattern = new RegExp(
+    `(\\w+)\\s*=\\s*${alias.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(aliasPattern)) {
+    let callStart = -1;
+    for (let index = match.index; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        callStart = index;
+        break;
+      }
+    }
+    if (callStart === -1) {
+      continue;
+    }
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+      serviceVarName: match[1],
+    });
+  }
+  return calls;
+};
+
+const extractPythonFunctionCalls = (raw, callName) => {
+  const callPattern = new RegExp(
+    `${callName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(callPattern)) {
+    const callStart = match.index + match[0].lastIndexOf("(");
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+    });
+  }
+  return calls;
+};
+
+const parsePythonImports = (raw) => {
+  const imports = [];
+  for (const match of raw.matchAll(PYTHON_IMPORT_PATTERN)) {
+    const fromSource = match[1];
+    const fromImports = match[2];
+    const directImports = match[3];
+    if (fromSource && fromImports) {
+      for (const importEntry of fromImports.split(",")) {
+        const [importedName, localName] = importEntry
+          .trim()
+          .split(/\s+as\s+/u)
+          .map((value) => value?.trim());
+        if (importedName) {
+          imports.push({
+            importedName,
+            localName: localName || importedName,
+            sourceValue: fromSource,
+          });
+        }
+      }
+      continue;
+    }
+    for (const importEntry of (directImports || "").split(",")) {
+      const [sourceValue, localName] = importEntry
+        .trim()
+        .split(/\s+as\s+/u)
+        .map((value) => value?.trim());
+      if (sourceValue) {
+        imports.push({
+          importedName: sourceValue.split(".").pop(),
+          localName: localName || sourceValue.split(".").pop(),
+          sourceValue,
+        });
+      }
+    }
+  }
+  return imports;
+};
+
+const registerPythonPrimitive = (
+  serviceInfo,
+  role,
+  name,
+  description,
+  uri,
+  sourceLine,
+) => {
+  if (!role) {
+    return;
+  }
+  const primitiveName =
+    name ||
+    uri ||
+    `${role}-${serviceInfo.primitives.filter((item) => item.role === role).length + 1}`;
+  serviceInfo.primitives.push({
+    description,
+    name: primitiveName,
+    role,
+    sourceLine,
+    uri,
+  });
+  if (role === "tool") {
+    serviceInfo.usageSignals.add("registered-tool");
+  }
+  if (["resource", "resource-template"].includes(role)) {
+    serviceInfo.usageSignals.add("registered-resource");
+  }
+};
+
+/**
+ * Detect MCP server inventory from Python source using import and decorator heuristics.
+ *
+ * @param {string} src Absolute or relative path to the project source directory
+ * @param {boolean} deep When true, also scans nested paths more aggressively
+ * @returns {{components: Object[], dependencies: Object[], services: Object[]}}
+ */
+export const detectPythonMcpInventory = (src, deep = false) => {
+  const servicesByKey = new Map();
+  let srcFiles = [];
+  try {
+    srcFiles = getAllFiles(deep, src, ".py");
+  } catch {
+    return { components: [], dependencies: [], services: [] };
+  }
+  for (const file of srcFiles) {
+    let raw;
+    try {
+      raw = readFileSync(file, "utf-8");
+    } catch {
+      continue;
+    }
+    const fileRelativeLoc = relative(src, file);
+    const serverConstructorAliases = new Set(["Server", "FastMCP"]);
+    const importEntries = parsePythonImports(raw);
+    let fileHasMcpImports = false;
+    for (const importEntry of importEntries) {
+      const sourceValue = importEntry.sourceValue;
+      const classification = classifyMcpReference(sourceValue);
+      if (!classification.isMcp && !sourceValue.startsWith("mcp")) {
+        continue;
+      }
+      fileHasMcpImports = true;
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      if (sourceValue.startsWith("mcp")) {
+        serviceInfo.sdkImports.add(sourceValue);
+        serviceInfo.usageSignals.add("mcp-sdk-import");
+        serviceInfo.officialSdk = true;
+      } else {
+        recordMcpSdkImport(serviceInfo, sourceValue);
+      }
+      if (
+        sourceValue.startsWith("mcp.server") ||
+        sourceValue === "fastmcp" ||
+        /server/i.test(importEntry.importedName || "") ||
+        /server/i.test(importEntry.localName || "")
+      ) {
+        serverConstructorAliases.add(importEntry.localName);
+      }
+    }
+    for (const alias of serverConstructorAliases) {
+      for (const match of extractPythonCallArguments(raw, alias)) {
+        const serviceVarName = match.serviceVarName;
+        const argumentText = match.argumentText || "";
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        serviceInfo.name =
+          extractPythonNamedString(argumentText, "name") ||
+          extractFirstPythonString(argumentText) ||
+          serviceInfo.name;
+        serviceInfo.version =
+          extractPythonNamedString(argumentText, "version") ||
+          serviceInfo.version;
+        serviceInfo.description =
+          extractPythonNamedString(argumentText, "instructions") ||
+          extractPythonNamedString(argumentText, "description") ||
+          serviceInfo.description;
+        serviceInfo.serviceKinds.add("server");
+        serviceInfo.usageSignals.add("server-constructor");
+        serviceInfo.sourceLine = lineNumberForIndex(raw, match.index);
+        for (const decoratorMatch of raw.matchAll(PYTHON_DECORATOR_PATTERN)) {
+          if (decoratorMatch[1] !== serviceVarName) {
+            continue;
+          }
+          const primitiveRole = PYTHON_DECORATOR_ROLE_MAP.get(
+            decoratorMatch[2],
+          );
+          if (!primitiveRole) {
+            continue;
+          }
+          if (primitiveRole === "tool") {
+            serviceInfo.capabilities.add("tools");
+          } else if (primitiveRole === "prompt") {
+            serviceInfo.capabilities.add("prompts");
+          } else {
+            serviceInfo.capabilities.add("resources");
+          }
+        }
+      }
+    }
+    if (PYTHON_STDIO_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("stdio");
+    } else if (fileHasMcpImports && PYTHON_HTTP_TRANSPORT_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("streamable-http");
+    }
+    const primitivePatterns = [
+      ["mtypes.Tool", "tool"],
+      ["mtypes.Prompt", "prompt"],
+      ["mtypes.Resource", "resource"],
+    ];
+    for (const [callName, role] of primitivePatterns) {
+      for (const match of extractPythonFunctionCalls(raw, callName)) {
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        registerPythonPrimitive(
+          serviceInfo,
+          role,
+          extractPythonNamedString(match.argumentText || "", "name"),
+          extractPythonNamedString(match.argumentText || "", "description"),
+          extractPythonNamedString(match.argumentText || "", "uri"),
+          lineNumberForIndex(raw, match.index),
+        );
+      }
+    }
+    if (fileHasMcpImports) {
+      ensureMcpService(servicesByKey, file, fileRelativeLoc);
+    }
+  }
+  return buildMcpInventoryFromServices(servicesByKey);
+};
+
 /**
  * Detect MCP server inventory from JavaScript/TypeScript source using AST analysis.
  *
@@ -2748,49 +3122,5 @@ export const detectMcpInventory = (src, deep = false) => {
       ensureMcpService(servicesByKey, file, fileRelativeLoc);
     }
   }
-  const services = [];
-  const components = [];
-  const dependencies = [];
-  for (const serviceInfo of servicesByKey.values()) {
-    if (
-      !serviceInfo.primitives.length &&
-      !serviceInfo.transports.size &&
-      !serviceInfo.endpoints.size &&
-      !serviceInfo.capabilities.size &&
-      !serviceInfo.sourceLine &&
-      !serviceInfo.outboundHosts.size &&
-      !serviceInfo.usageSignals.size
-    ) {
-      continue;
-    }
-    if (
-      serviceInfo.endpoints.size &&
-      !serviceInfo.transports.has("stdio") &&
-      !serviceInfo.transports.size
-    ) {
-      serviceInfo.transports.add("streamable-http");
-    }
-    if (
-      serviceInfo.transports.has("streamable-http") &&
-      typeof serviceInfo.authenticated === "undefined"
-    ) {
-      serviceInfo.authenticated = false;
-    }
-    const service = serviceObjectForMcp(serviceInfo);
-    services.push(service);
-    const providedRefs = [];
-    for (const primitive of serviceInfo.primitives) {
-      const component = primitiveComponentForMcp(serviceInfo, primitive);
-      components.push(component);
-      providedRefs.push(component["bom-ref"]);
-    }
-    if (providedRefs.length) {
-      dependencies.push({
-        ref: service["bom-ref"],
-        dependsOn: [],
-        provides: providedRefs.sort(),
-      });
-    }
-  }
-  return { components, dependencies, services };
+  return buildMcpInventoryFromServices(servicesByKey);
 };

package/lib/helpers/analyzer.poku.js

@@ -14,6 +14,7 @@ import {
   analyzeSuspiciousJsFile,
   detectExtensionCapabilities,
   detectMcpInventory,
+  detectPythonMcpInventory,
   findJSImportsExports,
 } from "./analyzer.js";
 
@@ -530,3 +531,52 @@ describe("detectMcpInventory()", () => {
     );
   });
 });
+
+describe("detectPythonMcpInventory()", () => {
+  it("detects a Python stdio MCP server and exported primitives", () => {
+    const projectDir = createProjectFiles("mcp-python-server", {
+      "src/server.py": [
+        "import mcp.server.stdio",
+        "import mcp.types as mtypes",
+        "from mcp.server import NotificationOptions, Server",
+        "",
+        'server = Server("appthreat-vulnerability-db", version="1.0.1")',
+        "",
+        "@server.list_resources()",
+        "async def handle_list_resources():",
+        '    return [mtypes.Resource(uri=mtypes.AnyUrl("cve://"), name="CVE Information", description="Get detailed information about a CVE")]',
+        "",
+        "@server.list_tools()",
+        "async def handle_list_tools():",
+        '    return [mtypes.Tool(name="search_by_purl_like", description="Search by purl", inputSchema={"type": "object"})]',
+        "",
+        "async with mcp.server.stdio.stdio_server() as (read_stream, write_stream):",
+        "    await server.run(",
+        "        read_stream,",
+        "        write_stream,",
+        '        InitializationOptions(server_name="appthreat-vulnerability-db", server_version="1.0.1", capabilities=server.get_capabilities(notification_options=NotificationOptions(), experimental_capabilities={}))',
+        "    )",
+      ].join("\n"),
+    });
+    const inventory = detectPythonMcpInventory(projectDir);
+    assert.strictEqual(inventory.services.length, 1);
+    assert.strictEqual(inventory.components.length, 2);
+    const service = inventory.services[0];
+    assert.strictEqual(service.name, "appthreat-vulnerability-db");
+    assert.strictEqual(service.version, "1.0.1");
+    assert.strictEqual(getProp(service, "cdx:mcp:transport"), "stdio");
+    assert.strictEqual(getProp(service, "cdx:mcp:officialSdk"), "true");
+    assert.strictEqual(getProp(service, "cdx:mcp:toolCount"), "1");
+    assert.strictEqual(getProp(service, "cdx:mcp:resourceCount"), "1");
+    assert.ok(
+      inventory.components.some(
+        (component) => component.name === "search_by_purl_like",
+      ),
+    );
+    assert.ok(
+      inventory.components.some(
+        (component) => component.name === "CVE Information",
+      ),
+    );
+  });
+});

package/lib/helpers/auditCategories.js

@@ -0,0 +1,76 @@
+export const BOM_AUDIT_CATEGORY_ALIASES = Object.freeze({
+  "ai-inventory": ["ai-agent", "mcp-server"],
+});
+
+function uniqueNonEmptyCategories(categories) {
+  return [...new Set((categories || []).filter(Boolean))];
+}
+
+export function normalizeBomAuditCategories(categories) {
+  if (Array.isArray(categories)) {
+    return uniqueNonEmptyCategories(
+      categories.map((category) => String(category).trim()).filter(Boolean),
+    );
+  }
+  if (typeof categories !== "string") {
+    return [];
+  }
+  return uniqueNonEmptyCategories(
+    categories
+      .split(",")
+      .map((category) => category.trim())
+      .filter(Boolean),
+  );
+}
+
+export function expandBomAuditCategories(categories) {
+  const normalizedCategories = normalizeBomAuditCategories(categories);
+  const expandedCategories = [];
+  for (const category of normalizedCategories) {
+    if (BOM_AUDIT_CATEGORY_ALIASES[category]?.length) {
+      expandedCategories.push(...BOM_AUDIT_CATEGORY_ALIASES[category]);
+      continue;
+    }
+    expandedCategories.push(category);
+  }
+  return uniqueNonEmptyCategories(expandedCategories);
+}
+
+export function availableBomAuditCategories(rules) {
+  return uniqueNonEmptyCategories(
+    (rules || []).map((rule) => rule?.category).filter(Boolean),
+  ).sort();
+}
+
+function formatBomAuditCategoryOption(category) {
+  const aliasedCategories = BOM_AUDIT_CATEGORY_ALIASES[category];
+  if (!aliasedCategories?.length) {
+    return category;
+  }
+  return `${category} (alias for ${aliasedCategories.join(",")})`;
+}
+
+export function validateBomAuditCategories(categories, rules) {
+  const normalizedCategories = normalizeBomAuditCategories(categories);
+  const validCategories = availableBomAuditCategories(rules);
+  const allowedCategories = new Set([
+    ...validCategories,
+    ...Object.keys(BOM_AUDIT_CATEGORY_ALIASES),
+  ]);
+  const invalidCategories = normalizedCategories.filter(
+    (category) => !allowedCategories.has(category),
+  );
+  if (invalidCategories.length) {
+    const validCategoryOptions = [...allowedCategories]
+      .sort()
+      .map((category) => formatBomAuditCategoryOption(category));
+    throw new Error(
+      `Unknown BOM audit categor${invalidCategories.length === 1 ? "y" : "ies"}: ${invalidCategories.join(", ")}. Valid categories: ${validCategoryOptions.join(", ")}.`,
+    );
+  }
+  return {
+    categories: normalizedCategories,
+    expandedCategories: expandBomAuditCategories(normalizedCategories),
+    validCategories,
+  };
+}

package/lib/helpers/display.js

@@ -1103,7 +1103,7 @@ export function displaySelfThreatModel(
   options,
   envAuditFindings,
 ) {
-  const TLP = options.tlpClassification || "CLEAR";
+  const TLP = options.tlpClassification;
   const risks = [];
   let riskScore = 0;
 
@@ -1242,8 +1242,11 @@ export function displaySelfThreatModel(
     AMBER_AND_STRICT: "Organisation only. No external sharing.",
     RED: "Named recipients only. Do not forward or store beyond session.",
   };
+  const tlpValue = TLP
+    ? `${TLP} — ${tlpGuidance[TLP]}`
+    : "Not set — no distribution constraints recorded.";
   const headerData = [
-    ["TLP Classification", `${TLP} — ${tlpGuidance[TLP]}`],
+    ["TLP Classification", tlpValue],
     ["Risk Score", `${riskScore}/10`],
     ["Risk Level", `${riskColor[riskLevel]}${riskLevel}${reset}`],
   ];

package/lib/helpers/display.poku.js

@@ -93,6 +93,31 @@ it("prints a provenance icon for registry-backed components", async () => {
   }
 });
 
+it("displaySelfThreatModel does not assume a default TLP classification", async () => {
+  const tableStub = sinon.stub().returns("table-output");
+  try {
+    const { displaySelfThreatModel } = await esmock("./display.js", {
+      "./table.js": {
+        createStream: sinon.stub(),
+        table: tableStub,
+      },
+      "./utils.js": {
+        isSecureMode: false,
+        safeExistsSync: sinon.stub(),
+        toCamel: sinon.stub().callsFake((value) => value),
+      },
+    });
+    displaySelfThreatModel("/workspace/project", {}, {}, []);
+    const [headerData] = tableStub.firstCall.args;
+    assert.deepStrictEqual(headerData[0], [
+      "TLP Classification",
+      "Not set — no distribution constraints recorded.",
+    ]);
+  } finally {
+    sinon.restore();
+  }
+});
+
 it("renders shared dependencies once while including dangling trees", () => {
   const treeLines = buildDependencyTreeLines([
     {

package/lib/helpers/formulationParsers.js

@@ -4,14 +4,17 @@ import process from "node:process";
 
 import { v4 as uuidv4 } from "uuid";
 
-import { agentFormulationParser } from "./agentFormulationParser.js";
+import {
+  AI_INVENTORY_PROJECT_TYPES,
+  collectAiInventory,
+  optionIncludesAiInventoryProjectType,
+} from "./aiInventory.js";
 import { collectOSCryptoLibs } from "./cbomutils.js";
 import { azurePipelinesParser } from "./ciParsers/azurePipelines.js";
 import { circleCiParser } from "./ciParsers/circleCi.js";
 import { githubActionsParser } from "./ciParsers/githubActions.js";
 import { gitlabCiParser } from "./ciParsers/gitlabCi.js";
 import { jenkinsParser } from "./ciParsers/jenkins.js";
-import { communityAiConfigParser } from "./communityAiConfigParser.js";
 import { trimComponents } from "./depsUtils.js";
 import {
   collectEnvInfo,
@@ -20,7 +23,6 @@ import {
   gitTreeHashes,
   listFiles,
 } from "./envcontext.js";
-import { mcpConfigParser } from "./mcpConfigParser.js";
 import { rustFormulationParser } from "./rustFormulationParser.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 import { getAllFiles } from "./utils.js";
@@ -100,9 +102,6 @@ function buildReadmeSecurityComponents(discoveryPath, options) {
  */
 const _parsers = [
   rustFormulationParser,
-  agentFormulationParser,
-  mcpConfigParser,
-  communityAiConfigParser,
   githubActionsParser,
   gitlabCiParser,
   jenkinsParser,
@@ -312,6 +311,12 @@ export function addFormulationSection(filePath, options, context = {}) {
   const ciProperties = [];
 
   const discoveryPath = projectPath || ".";
+  const excludedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter((type) => {
+    return optionIncludesAiInventoryProjectType(options?.excludeType, type);
+  });
+  const includedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) => !excludedInventoryTypes.includes(type),
+  );
 
   for (const parser of _parsers) {
     const matchedFiles = [];
@@ -355,6 +360,21 @@ export function addFormulationSection(filePath, options, context = {}) {
     }
   }
 
+  const aiInventory = collectAiInventory(
+    discoveryPath,
+    options,
+    includedInventoryTypes,
+  );
+  if (aiInventory.components.length) {
+    ciComponents.push(...aiInventory.components);
+  }
+  if (aiInventory.services.length) {
+    ciServices.push(...aiInventory.services);
+  }
+  if (aiInventory.dependencies.length) {
+    dependencies.push(...aiInventory.dependencies);
+  }
+
   // Merge CI components into the formulation component list
   if (ciComponents.length) {
     components = components.concat(ciComponents);