@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/stages/postgen/auditBom.poku.js

@@ -190,7 +190,7 @@ describe("evaluateRule", () => {
     );
   });
 
-  it("should detect npm install script from non-registry source (PKG-001)", async () => {
+  it("should detect npm install script from direct manifest source (PKG-001)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "PKG-001");
     assert.ok(rule, "PKG-001 rule should exist");
@@ -198,7 +198,11 @@ describe("evaluateRule", () => {
     const bom = makeBom([
       makeComponent("sketchy-pkg", "1.0.0", [
         ["cdx:npm:hasInstallScript", "true"],
-        ["cdx:npm:isRegistryDependency", "false"],
+        ["cdx:npm:manifestSourceType", "git"],
+        [
+          "cdx:npm:manifestSource",
+          "git+https://github.com/acme/sketchy-pkg.git",
+        ],
       ]),
     ]);
 
@@ -207,6 +211,122 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "high");
   });
 
+  it("should detect npm install scripts from url and path manifest sources for PKG-001", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-001");
+    assert.ok(rule, "PKG-001 rule should exist");
+
+    for (const manifestSourceType of ["url", "path"]) {
+      const bom = makeBom([
+        makeComponent(`sketchy-${manifestSourceType}`, "1.0.0", [
+          ["cdx:npm:hasInstallScript", "true"],
+          ["cdx:npm:manifestSourceType", manifestSourceType],
+          ["cdx:npm:manifestSource", `${manifestSourceType}:example`],
+        ]),
+      ]);
+
+      const findings = await evaluateRule(rule, bom);
+      assert.ok(findings.length > 0);
+    }
+  });
+
+  it("should not detect npm install script without manifest source evidence for PKG-001", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-001");
+    assert.ok(rule, "PKG-001 rule should exist");
+
+    const bom = makeBom([
+      makeComponent("registry-pkg", "1.0.0", [
+        ["cdx:npm:hasInstallScript", "true"],
+        ["cdx:npm:isRegistryDependency", "false"],
+      ]),
+    ]);
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
+  it("should detect Collider packages from insecure HTTP origins (PKG-009)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-009");
+    assert.ok(rule, "PKG-009 rule should exist");
+
+    const bom = makeBom([
+      makeComponent("fmt", "11.0.2", [
+        ["cdx:collider:dependencyKind", "direct"],
+        ["cdx:collider:origin", "http://mirror.example.com/collider/v2/"],
+        ["cdx:collider:originScheme", "http"],
+        ["cdx:collider:originHost", "mirror.example.com"],
+      ]),
+    ]);
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect insecure Collider origin");
+    assert.strictEqual(findings[0].ruleId, "PKG-009");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
+  it("should detect Collider origins that required sanitization (PKG-010)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-010");
+    assert.ok(rule, "PKG-010 rule should exist");
+
+    const bom = makeBom([
+      makeComponent("spdlog", "1.15.0", [
+        ["cdx:collider:dependencyKind", "direct"],
+        ["cdx:collider:origin", "https://example.com/collider/v2/"],
+        ["cdx:collider:originScheme", "https"],
+        ["cdx:collider:originSanitized", "true"],
+      ]),
+    ]);
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect sanitized Collider origin");
+    assert.strictEqual(findings[0].ruleId, "PKG-010");
+    assert.strictEqual(findings[0].severity, "low");
+  });
+
+  it("should detect python dependency from direct manifest source (PKG-011)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-011");
+    assert.ok(rule, "PKG-011 rule should exist");
+
+    const bom = makeBom([
+      makeComponent("suspicious-python-pkg", "1.0.0", [
+        ["cdx:pypi:manifestSourceType", "url"],
+        [
+          "cdx:pypi:manifestSource",
+          "https://example.com/suspicious-python-pkg.whl",
+        ],
+      ]),
+    ]);
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect python direct source risk");
+    assert.strictEqual(findings[0].ruleId, "PKG-011");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+
+  it("should detect Collider packages missing valid wrap hashes (INT-014)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "INT-014");
+    assert.ok(rule, "INT-014 rule should exist");
+
+    const bom = makeBom([
+      makeComponent("fast_float", "8.0.2", [
+        ["cdx:collider:dependencyKind", "transitive"],
+        ["cdx:collider:hasWrapHash", "false"],
+        ["cdx:collider:wrapHash", "not-a-sha256"],
+        ["cdx:collider:wrapHashInvalid", "true"],
+      ]),
+    ]);
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect missing Collider wrap hash");
+    assert.strictEqual(findings[0].ruleId, "INT-014");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+
   it("should detect OIDC token issuance to a non-official action (CI-002)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "CI-002");
@@ -524,13 +644,14 @@ describe("evaluateRule", () => {
             { name: "cdx:mcp:inventorySource", value: "config-file" },
             { name: "cdx:mcp:credentialExposure", value: "true" },
             {
-              name: "cdx:mcp:credentialExposureFields",
-              value: "header:Authorization,env:OPENAI_API_KEY",
+              name: "cdx:mcp:credentialExposureFieldCount",
+              value: "2",
             },
             {
-              name: "cdx:mcp:credentialRiskIndicators",
-              value: "bearer-token,generic-secret",
+              name: "cdx:mcp:credentialIndicatorCount",
+              value: "2",
             },
+            { name: "cdx:mcp:credentialReferenceCount", value: "1" },
           ],
         },
       ],
@@ -602,6 +723,56 @@ describe("evaluateRule", () => {
     assert.ok(findings.length > 0, "Should detect token passthrough risk");
   });
 
+  it("should flag shipped AI instruction files in build/post-build BOMs (AGT-007)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "AGT-007");
+    assert.ok(rule, "AGT-007 rule should exist");
+
+    const bom = makeBom([
+      {
+        "bom-ref": "file:/repo/CLAUDE.md",
+        name: "CLAUDE.md",
+        type: "file",
+        properties: [
+          { name: "SrcFile", value: "/repo/CLAUDE.md" },
+          { name: "cdx:file:kind", value: "agent-instructions" },
+          { name: "cdx:agent:inventorySource", value: "agent-file" },
+        ],
+      },
+    ]);
+    bom.metadata.lifecycles = [{ phase: "build" }, { phase: "post-build" }];
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect shipped AI instructions");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
+  it("should flag shipped MCP config files in build/post-build BOMs (MCP-008)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "MCP-008");
+    assert.ok(rule, "MCP-008 rule should exist");
+
+    const bom = makeBom([
+      {
+        "bom-ref": "file:/repo/.vscode/mcp.json",
+        name: "mcp.json",
+        type: "file",
+        properties: [
+          { name: "SrcFile", value: "/repo/.vscode/mcp.json" },
+          { name: "cdx:file:kind", value: "mcp-config" },
+          { name: "cdx:mcp:configFormat", value: "vscode" },
+          { name: "cdx:mcp:configuredServiceCount", value: "1" },
+          { name: "cdx:mcp:configuredServiceNames", value: "releaseDocs" },
+        ],
+      },
+    ]);
+    bom.metadata.lifecycles = [{ phase: "build" }];
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect shipped MCP config");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
   it("should detect npm name mismatch (INT-002)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "INT-002");
@@ -1383,6 +1554,528 @@ describe("evaluateRule", () => {
     assert.match(findings[0].message, /Heuristic review/);
   });
 
+  it("should detect disabled npm cache when npm distributions are resolved remotely (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "left-pad",
+          version: "1.3.0",
+          purl: "pkg:npm/left-pad@1.3.0",
+          "bom-ref": "pkg:npm/left-pad@1.3.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "url",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+            {
+              name: "cdx:github:action:buildCacheDisableInput",
+              value: "package-manager-cache",
+            },
+            {
+              name: "cdx:github:action:buildCacheDisableValue",
+              value: "false",
+            },
+            {
+              name: "cdx:github:workflow:file",
+              value: ".github/workflows/ci.yml",
+            },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled npm cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
+  it("should detect disabled npm cache for git manifest sources (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "git-dep",
+          version: "2.0.0",
+          purl: "pkg:npm/git-dep@2.0.0",
+          "bom-ref": "pkg:npm/git-dep@2.0.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "git+https://github.com/acme/git-dep.git",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "git",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "git+https://github.com/acme/git-dep.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled npm cache");
+  });
+
+  it("should not detect disabled npm cache for registry-only npm dependencies (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "left-pad",
+          version: "1.3.0",
+          purl: "pkg:npm/left-pad@1.3.0",
+          "bom-ref": "pkg:npm/left-pad@1.3.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
+  it("should not detect disabled npm cache for local path manifest sources (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "local-dep",
+          version: "1.0.0",
+          purl: "pkg:npm/local-dep@1.0.0",
+          "bom-ref": "pkg:npm/local-dep@1.0.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "file:../libs/local-dep",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "path",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "file:../libs/local-dep",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
+  it("should detect disabled Python cache when pylock sources use remote artifacts (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "requests",
+          version: "2.32.0",
+          purl: "pkg:pypi/requests@2.32.0",
+          "bom-ref": "pkg:pypi/requests@2.32.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "url",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value:
+                "https://files.pythonhosted.org/packages/requests-2.32.0.tar.gz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+            {
+              name: "cdx:github:action:buildCacheDisableInput",
+              value: "cache",
+            },
+            {
+              name: "cdx:github:action:buildCacheDisableValue",
+              value: "false",
+            },
+            {
+              name: "cdx:github:workflow:file",
+              value: ".github/workflows/ci.yml",
+            },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Python cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
+  it("should detect disabled Python cache for git manifest sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "private-lib",
+          version: "1.0.0",
+          purl: "pkg:pypi/private-lib@1.0.0",
+          "bom-ref": "pkg:pypi/private-lib@1.0.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "git",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value: "git+https://github.com/acme/private-lib.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Python cache");
+  });
+
+  it("should not detect disabled Python cache for registry-only lockfile sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "requests",
+          version: "2.32.0",
+          purl: "pkg:pypi/requests@2.32.0",
+          "bom-ref": "pkg:pypi/requests@2.32.0",
+          properties: [
+            {
+              name: "cdx:pylock:archive",
+              value:
+                '{"url":"https://files.pythonhosted.org/packages/requests-2.32.0.tar.gz"}',
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
+  it("should not detect disabled Python cache for local path manifest sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "local-lib",
+          version: "1.0.0",
+          purl: "pkg:pypi/local-lib@1.0.0",
+          "bom-ref": "pkg:pypi/local-lib@1.0.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "path",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value: "../libs/local-lib",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
+  it("should detect disabled Cargo cache for git manifest sources (CI-024)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-024");
+    assert.ok(rule, "CI-024 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "git-crate",
+          version: "git+https://github.com/acme/git-crate.git",
+          purl: "pkg:cargo/git-crate@git+https://github.com/acme/git-crate.git",
+          "bom-ref":
+            "pkg:cargo/git-crate@git+https://github.com/acme/git-crate.git",
+          properties: [
+            {
+              name: "cdx:cargo:git",
+              value: "https://github.com/acme/git-crate.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-rust",
+          version: "v1",
+          purl: "pkg:github/moonrepo/setup-rust@v1",
+          "bom-ref": "pkg:github/moonrepo/setup-rust@v1",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "moonrepo/setup-rust@v1",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "cargo" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Cargo cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+
+  it("should not detect disabled Cargo cache for local path manifest sources (CI-024)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-024");
+    assert.ok(rule, "CI-024 rule should exist");
+
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "path-crate",
+          version: "path+../path-crate",
+          purl: "pkg:cargo/path-crate@path+../path-crate",
+          "bom-ref": "pkg:cargo/path-crate@path+../path-crate",
+          properties: [
+            {
+              name: "cdx:cargo:path",
+              value: "../path-crate",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-rust",
+          version: "v1",
+          purl: "pkg:github/moonrepo/setup-rust@v1",
+          "bom-ref": "pkg:github/moonrepo/setup-rust@v1",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "moonrepo/setup-rust@v1",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "cargo" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+
   it("should detect root authorized_keys without restrictions (OBOM-LNX-003)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "OBOM-LNX-003");
@@ -2301,6 +2994,62 @@ describe("auditBom", () => {
     }
   });
 
+  it("expands the ai-inventory category alias", async () => {
+    const bom = makeBom(
+      [],
+      [],
+      [
+        {
+          type: "application",
+          name: "agent-guide",
+          version: "latest",
+          "bom-ref": "file:/repo/AGENTS.md",
+          properties: [
+            { name: "SrcFile", value: "/repo/AGENTS.md" },
+            { name: "cdx:agent:inventorySource", value: "agent-file" },
+            { name: "cdx:file:kind", value: "agent-instructions" },
+            {
+              name: "cdx:agent:hasNonOfficialMcpReference",
+              value: "true",
+            },
+            { name: "cdx:agent:mcpPackageRefs", value: "@acme/mcp-server" },
+          ],
+        },
+      ],
+      [
+        {
+          "bom-ref": "urn:service:mcp:demo:1",
+          group: "mcp",
+          name: "demo-server",
+          authenticated: false,
+          endpoints: ["https://mcp.example.com/mcp"],
+          properties: [
+            { name: "cdx:mcp:transport", value: "streamable-http" },
+            { name: "cdx:mcp:serviceType", value: "inferred-endpoint" },
+            { name: "cdx:mcp:inventorySource", value: "agent-file" },
+            { name: "cdx:mcp:toolCount", value: "1" },
+            { name: "cdx:mcp:officialSdk", value: "false" },
+          ],
+        },
+      ],
+    );
+
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "ai-inventory",
+    });
+    assert.ok(findings.some((finding) => finding.category === "ai-agent"));
+    assert.ok(findings.some((finding) => finding.category === "mcp-server"));
+  });
+
+  it("rejects unknown audit categories with valid choices", async () => {
+    await assert.rejects(
+      auditBom(makeBom([]), {
+        bomAuditCategories: "unknown-category",
+      }),
+      /Unknown BOM audit category: unknown-category\. Valid categories: .*ai-inventory \(alias for ai-agent,mcp-server\).*ci-permission.*mcp-server/,
+    );
+  });
+
   it("should filter by minimum severity", async () => {
     const bom = makeBom([
       makeComponent("actions/setup-node", "v3", [