@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/agentFormulationParser.js

@@ -7,6 +7,7 @@ import {
   providerNamesForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import { sanitizeBomUrl } from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const AGENT_FILE_PATTERNS = [
@@ -125,7 +126,7 @@ function buildInferredMcpServices(filePath, mcpUrls, authHints, providerNames) {
       "bom-ref": `urn:service:agent-mcp:${sanitizeMcpRefToken(hostname || basename(filePath))}:${index + 1}`,
       group: "mcp",
       name: hostname || `${basename(filePath)}-mcp-endpoint`,
-      endpoints: [urlValue],
+      endpoints: [sanitizeBomUrl(urlValue)],
       properties,
       version: "inferred",
     };
@@ -167,7 +168,10 @@ export const agentFormulationParser = {
         packageRefs.length > 0 ||
         /\bmcp\b/i.test(raw) ||
         /modelcontextprotocol/i.test(raw);
-      if (!hiddenUnicodeScan.hasHiddenUnicode && !hasMcpReferences) {
+      // Inventory all matched agent/instruction files, even when they do not
+      // yet contain hidden Unicode or explicit MCP references, so shipped files
+      // such as CLAUDE.md and AGENTS.md still surface in build/post-build BOMs.
+      if (!raw.trim().length) {
         continue;
       }
       const hiddenComponentKinds = [];
@@ -230,10 +234,13 @@ export const agentFormulationParser = {
         }
       }
       if (mcpUrls.length) {
+        const sanitizedMcpUrls = mcpUrls.map((urlValue) =>
+          sanitizeBomUrl(urlValue),
+        );
         properties.push(
           {
             name: "cdx:agent:hiddenMcpUrls",
-            value: mcpUrls.join(","),
+            value: sanitizedMcpUrls.join(","),
           },
           {
             name: "cdx:agent:hiddenMcpHosts",

package/lib/helpers/agentFormulationParser.poku.js

@@ -0,0 +1,42 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+describe("agentFormulationParser", () => {
+  it("sanitizes inferred MCP URLs before emitting them", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync
+      .withArgs("/repo/AGENTS.md", "utf-8")
+      .returns(
+        [
+          "Use the remote MCP endpoint at",
+          "https://user:pass@example.com/mcp?access_token=abc#frag",
+          "during release preparation.",
+        ].join(" "),
+      );
+    const { agentFormulationParser } = await esmock(
+      "./agentFormulationParser.js",
+      {
+        "node:fs": { readFileSync },
+        "./unicodeScan.js": { scanTextForHiddenUnicode },
+      },
+    );
+
+    const result = agentFormulationParser.parse(["/repo/AGENTS.md"]);
+
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:agent:hiddenMcpUrls"),
+      "https://example.com/mcp",
+    );
+    assert.deepStrictEqual(result.services[0].endpoints, [
+      "https://example.com/mcp",
+    ]);
+  });
+});

package/lib/helpers/aiInventory.js

@@ -0,0 +1,262 @@
+import { agentFormulationParser } from "./agentFormulationParser.js";
+import { communityAiConfigParser } from "./communityAiConfigParser.js";
+import { mergeServices, trimComponents } from "./depsUtils.js";
+import { classifyMcpReference } from "./mcp.js";
+import { mcpConfigParser } from "./mcpConfigParser.js";
+import { getAllFiles } from "./utils.js";
+
+export const AI_INVENTORY_PROJECT_TYPES = ["mcp", "ai-skill"];
+export const AI_INSTRUCTION_FILE_KINDS = new Set([
+  "agent-config",
+  "agent-definition",
+  "agent-instructions",
+  "ai-agent-file",
+  "copilot-instructions",
+  "copilot-setup-workflow",
+  "crew-agent",
+  "crew-task",
+  "crew-tool",
+  "custom-command",
+  "custom-tool",
+  "graph-definition",
+]);
+export const AI_SKILL_FILE_KIND = "skill-file";
+export const MCP_CONFIG_FILE_KIND = "mcp-config";
+
+const AI_INVENTORY_FILE_KINDS = new Set([
+  "agent-config",
+  "agent-definition",
+  "agent-instructions",
+  "ai-agent-file",
+  "copilot-instructions",
+  "copilot-setup-workflow",
+  "crew-agent",
+  "crew-task",
+  "crew-tool",
+  "custom-command",
+  "custom-tool",
+  "graph-definition",
+  AI_SKILL_FILE_KIND,
+]);
+
+const AI_INVENTORY_PARSERS = [
+  {
+    id: agentFormulationParser.id,
+    parser: agentFormulationParser,
+    types: ["mcp", "ai-skill"],
+  },
+  {
+    id: mcpConfigParser.id,
+    parser: mcpConfigParser,
+    types: ["mcp"],
+  },
+  {
+    id: communityAiConfigParser.id,
+    parser: communityAiConfigParser,
+    types: ["ai-skill"],
+  },
+];
+
+export function inventoryPropertyValue(subject, name) {
+  return subject?.properties?.find((property) => property.name === name)?.value;
+}
+
+function hasPropertyPrefix(subject, prefix) {
+  return (subject?.properties || []).some((property) =>
+    property?.name?.startsWith(prefix),
+  );
+}
+
+function uniqueNonEmptyTypes(types) {
+  return [...new Set((types || []).filter(Boolean))];
+}
+
+export function optionIncludesAiInventoryProjectType(optionValue, type) {
+  const values = Array.isArray(optionValue)
+    ? optionValue
+    : optionValue
+      ? [optionValue]
+      : [];
+  return values.some((value) => {
+    const normalizedValue = String(value).toLowerCase();
+    if (type === "ai-skill") {
+      return ["ai-skill", "skill", "skills"].includes(normalizedValue);
+    }
+    return normalizedValue === type;
+  });
+}
+
+export function inventoryTypesForSubject(subject) {
+  const types = new Set();
+  const fileKind = inventoryPropertyValue(subject, "cdx:file:kind");
+  if (
+    subject?.group === "mcp" ||
+    classifyMcpReference(subject).isMcp ||
+    hasPropertyPrefix(subject, "cdx:mcp:") ||
+    (subject?.tags || []).some((tag) => String(tag || "").startsWith("mcp"))
+  ) {
+    types.add("mcp");
+  }
+  if (
+    AI_INVENTORY_FILE_KINDS.has(fileKind) ||
+    hasPropertyPrefix(subject, "cdx:agent:") ||
+    hasPropertyPrefix(subject, "cdx:skill:") ||
+    hasPropertyPrefix(subject, "cdx:tool:") ||
+    hasPropertyPrefix(subject, "cdx:langgraph:") ||
+    hasPropertyPrefix(subject, "cdx:crewai:")
+  ) {
+    types.add("ai-skill");
+  }
+  if (
+    inventoryPropertyValue(subject, "cdx:mcp:inventorySource") === "agent-file"
+  ) {
+    types.add("ai-skill");
+  }
+  return Array.from(types);
+}
+
+export function matchesAiInventoryType(subject, type) {
+  return inventoryTypesForSubject(subject).includes(type);
+}
+
+export function matchesAiInventoryExcludeType(subject, type) {
+  if (type === "mcp") {
+    const fileKind = inventoryPropertyValue(subject, "cdx:file:kind");
+    return (
+      fileKind === MCP_CONFIG_FILE_KIND ||
+      subject?.group === "mcp" ||
+      inventoryPropertyValue(subject, "cdx:mcp:inventorySource") !==
+        undefined ||
+      inventoryPropertyValue(subject, "cdx:mcp:role") !== undefined
+    );
+  }
+  return matchesAiInventoryType(subject, type);
+}
+
+export function filterInventorySubjectsByTypes(subjects, types) {
+  const allowedTypes = uniqueNonEmptyTypes(types);
+  if (!allowedTypes.length) {
+    return [];
+  }
+  return (subjects || []).filter((subject) =>
+    inventoryTypesForSubject(subject).some((type) =>
+      allowedTypes.includes(type),
+    ),
+  );
+}
+
+export function filterInventoryDependencies(
+  dependencies,
+  components,
+  services,
+) {
+  const allowedRefs = new Set(
+    []
+      .concat(components || [])
+      .concat(services || [])
+      .map((subject) => subject?.["bom-ref"])
+      .filter(Boolean),
+  );
+  return (dependencies || [])
+    .filter((dependency) => allowedRefs.has(dependency.ref))
+    .map((dependency) => {
+      const filteredDependency = {
+        ref: dependency.ref,
+      };
+      if (dependency.dependsOn?.length) {
+        filteredDependency.dependsOn = dependency.dependsOn.filter((ref) =>
+          allowedRefs.has(ref),
+        );
+      }
+      if (dependency.provides?.length) {
+        filteredDependency.provides = dependency.provides.filter((ref) =>
+          allowedRefs.has(ref),
+        );
+      }
+      return filteredDependency;
+    });
+}
+
+export function collectAiInventory(discoveryPath, options, types) {
+  const requestedTypes = uniqueNonEmptyTypes(types);
+  if (!requestedTypes.length) {
+    return { components: [], dependencies: [], services: [] };
+  }
+  let components = [];
+  const dependencies = [];
+  let services = [];
+  for (const parserEntry of AI_INVENTORY_PARSERS) {
+    if (!parserEntry.types.some((type) => requestedTypes.includes(type))) {
+      continue;
+    }
+    const matchedFiles = [];
+    for (const pattern of parserEntry.parser.patterns) {
+      const found = getAllFiles(discoveryPath, pattern, options);
+      if (found?.length) {
+        matchedFiles.push(...found);
+      }
+    }
+    const uniqueMatchedFiles = [...new Set(matchedFiles)];
+    if (!uniqueMatchedFiles.length) {
+      continue;
+    }
+    let result;
+    try {
+      result = parserEntry.parser.parse(uniqueMatchedFiles, options);
+    } catch (err) {
+      console.warn(
+        `[aiInventory] Parser "${parserEntry.id}" threw an error:`,
+        err.message,
+      );
+      continue;
+    }
+    if (result?.components?.length) {
+      components = components.concat(result.components);
+    }
+    if (result?.services?.length) {
+      services = mergeServices(services, result.services);
+    }
+    if (result?.dependencies?.length) {
+      dependencies.push(...result.dependencies);
+    }
+  }
+  components = trimComponents(
+    filterInventorySubjectsByTypes(components, requestedTypes),
+  );
+  services = mergeServices(
+    [],
+    filterInventorySubjectsByTypes(services, requestedTypes),
+  );
+  return {
+    components,
+    dependencies: filterInventoryDependencies(
+      dependencies,
+      components,
+      services,
+    ),
+    services,
+  };
+}
+
+export function summarizeAiInventory(inventory) {
+  const components = inventory?.components || [];
+  const services = inventory?.services || [];
+  return {
+    instructionCount: components.filter((component) =>
+      AI_INSTRUCTION_FILE_KINDS.has(
+        inventoryPropertyValue(component, "cdx:file:kind"),
+      ),
+    ).length,
+    mcpConfigCount: components.filter(
+      (component) =>
+        inventoryPropertyValue(component, "cdx:file:kind") ===
+        MCP_CONFIG_FILE_KIND,
+    ).length,
+    mcpServiceCount: services.length,
+    skillCount: components.filter(
+      (component) =>
+        inventoryPropertyValue(component, "cdx:file:kind") ===
+        AI_SKILL_FILE_KIND,
+    ).length,
+  };
+}

package/lib/helpers/aiInventory.poku.js

@@ -0,0 +1,111 @@
+import { assert, describe, it } from "poku";
+
+import {
+  filterInventoryDependencies,
+  inventoryTypesForSubject,
+  matchesAiInventoryExcludeType,
+  matchesAiInventoryType,
+  summarizeAiInventory,
+} from "./aiInventory.js";
+
+describe("aiInventory", () => {
+  it("classifies agent-derived MCP services as both mcp and ai-skill", () => {
+    const service = {
+      "bom-ref": "urn:service:agent-mcp:demo:1",
+      group: "mcp",
+      properties: [
+        { name: "cdx:mcp:inventorySource", value: "agent-file" },
+        { name: "cdx:mcp:serviceType", value: "inferred-endpoint" },
+      ],
+    };
+    assert.deepStrictEqual(inventoryTypesForSubject(service).sort(), [
+      "ai-skill",
+      "mcp",
+    ]);
+    assert.strictEqual(matchesAiInventoryType(service, "mcp"), true);
+    assert.strictEqual(matchesAiInventoryType(service, "ai-skill"), true);
+  });
+
+  it("limits MCP exclusion matching to AI inventory services, files, and primitives", () => {
+    const mcpPackage = {
+      "bom-ref": "pkg:npm/@modelcontextprotocol/server-filesystem@1.0.0",
+      name: "@modelcontextprotocol/server-filesystem",
+      purl: "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+    };
+    const mcpPrimitive = {
+      "bom-ref": "urn:mcp:tool:docs:search",
+      properties: [{ name: "cdx:mcp:role", value: "tool" }],
+      tags: ["mcp", "mcp-tool"],
+    };
+    const mcpConfig = {
+      "bom-ref": "file:/repo/.vscode/mcp.json",
+      properties: [{ name: "cdx:file:kind", value: "mcp-config" }],
+      type: "file",
+    };
+    const mcpService = {
+      "bom-ref": "urn:service:mcp:docs:latest",
+      group: "mcp",
+      properties: [{ name: "cdx:mcp:inventorySource", value: "config-file" }],
+    };
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpPackage, "mcp"), false);
+    assert.strictEqual(
+      matchesAiInventoryExcludeType(mcpPrimitive, "mcp"),
+      true,
+    );
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpConfig, "mcp"), true);
+    assert.strictEqual(matchesAiInventoryExcludeType(mcpService, "mcp"), true);
+  });
+
+  it("filters dependencies to retained component and service refs", () => {
+    const components = [{ "bom-ref": "file:/repo/CLAUDE.md" }];
+    const services = [{ "bom-ref": "urn:service:mcp:docs:latest" }];
+    const filtered = filterInventoryDependencies(
+      [
+        {
+          ref: "urn:service:mcp:docs:latest",
+          provides: ["file:/repo/CLAUDE.md", "urn:service:mcp:other:latest"],
+        },
+        {
+          ref: "urn:service:mcp:missing:latest",
+          provides: ["file:/repo/CLAUDE.md"],
+        },
+      ],
+      components,
+      services,
+    );
+    assert.deepStrictEqual(filtered, [
+      {
+        ref: "urn:service:mcp:docs:latest",
+        provides: ["file:/repo/CLAUDE.md"],
+      },
+    ]);
+  });
+
+  it("summarizes AI inventory counts for instructions, skills, configs, and services", () => {
+    const summary = summarizeAiInventory({
+      components: [
+        {
+          properties: [{ name: "cdx:file:kind", value: "agent-instructions" }],
+        },
+        {
+          properties: [
+            { name: "cdx:file:kind", value: "copilot-instructions" },
+          ],
+        },
+        {
+          properties: [{ name: "cdx:file:kind", value: "skill-file" }],
+        },
+        {
+          properties: [{ name: "cdx:file:kind", value: "mcp-config" }],
+        },
+      ],
+      services: [{ name: "releaseDocs" }, { name: "deployBot" }],
+    });
+    assert.deepStrictEqual(summary, {
+      instructionCount: 2,
+      mcpConfigCount: 1,
+      mcpServiceCount: 2,
+      skillCount: 1,
+    });
+  });
+});