@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/analyzer.js

@@ -8,6 +8,10 @@ import traverse from "@babel/traverse";
 
 import { classifyMcpReference } from "./mcp.js";
 import { isLocalHost, sanitizeMcpRefToken } from "./mcpDiscovery.js";
+import {
+  sanitizeBomPropertyValue,
+  sanitizeBomUrl,
+} from "./propertySanitizer.js";
 
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")
@@ -1509,13 +1513,26 @@ const providerFamilyFromModelName = (modelName) => {
 };
 
 const addUniqueProperty = (properties, name, value) => {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  const normalizedValue =
+    typeof sanitizedValue === "string"
+      ? sanitizedValue
+      : String(sanitizedValue);
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === normalizedValue,
+    )
+  ) {
     return;
   }
-  properties.push({ name, value });
+  properties.push({ name, value: normalizedValue });
 };
 
 const rootMemberName = (value) => String(value || "").split(".")[0];
@@ -1823,14 +1840,18 @@ const primitiveComponentForMcp = (serviceInfo, primitive) => {
     addUniqueProperty(
       properties,
       "cdx:mcp:toolAnnotations",
-      JSON.stringify(primitive.annotations),
+      primitive.annotations,
     );
   }
   return {
     "bom-ref": primitiveRef,
-    description:
-      primitive.description ||
-      `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        primitive.description ||
+          `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+      ) || "",
+    ),
     name: primitiveName,
     properties,
     scope: "required",
@@ -2056,8 +2077,16 @@ const serviceObjectForMcp = (serviceInfo) => {
   return {
     "bom-ref": serviceRef,
     authenticated: serviceInfo.authenticated,
-    description: serviceInfo.description,
-    endpoints: Array.from(serviceInfo.endpoints).sort(),
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        serviceInfo.description || "",
+      ) || "",
+    ),
+    endpoints: Array.from(serviceInfo.endpoints)
+      .map((endpoint) => sanitizeBomUrl(endpoint))
+      .filter(Boolean)
+      .sort(),
     group: "mcp",
     name: serviceName,
     properties,
@@ -2066,6 +2095,380 @@ const serviceObjectForMcp = (serviceInfo) => {
   };
 };
 
+const buildMcpInventoryFromServices = (servicesByKey) => {
+  const services = [];
+  const components = [];
+  const dependencies = [];
+  for (const serviceInfo of servicesByKey.values()) {
+    if (
+      !serviceInfo.primitives.length &&
+      !serviceInfo.transports.size &&
+      !serviceInfo.endpoints.size &&
+      !serviceInfo.capabilities.size &&
+      !serviceInfo.sourceLine &&
+      !serviceInfo.outboundHosts.size &&
+      !serviceInfo.usageSignals.size
+    ) {
+      continue;
+    }
+    if (
+      serviceInfo.endpoints.size &&
+      !serviceInfo.transports.has("stdio") &&
+      !serviceInfo.transports.size
+    ) {
+      serviceInfo.transports.add("streamable-http");
+    }
+    if (
+      serviceInfo.transports.has("streamable-http") &&
+      typeof serviceInfo.authenticated === "undefined"
+    ) {
+      serviceInfo.authenticated = false;
+    }
+    const service = serviceObjectForMcp(serviceInfo);
+    services.push(service);
+    const providedRefs = [];
+    for (const primitive of serviceInfo.primitives) {
+      const component = primitiveComponentForMcp(serviceInfo, primitive);
+      components.push(component);
+      providedRefs.push(component["bom-ref"]);
+    }
+    if (providedRefs.length) {
+      dependencies.push({
+        ref: service["bom-ref"],
+        dependsOn: [],
+        provides: providedRefs.sort(),
+      });
+    }
+  }
+  return { components, dependencies, services };
+};
+
+// Capture groups:
+// 1 = module path in `from x import y`
+// 2 = imported symbols in `from x import y`
+// 3 = imported modules in `import x, y`
+const PYTHON_IMPORT_PATTERN =
+  /^\s*(?:from\s+([a-zA-Z0-9_.]+)\s+import\s+([^\n#]+)|import\s+([^\n#]+))/gmu;
+const PYTHON_DECORATOR_PATTERN = /@([a-zA-Z_][a-zA-Z0-9_]*)\.(\w+)\s*\(/gmu;
+const PYTHON_STDIO_PATTERN = /\bstdio_server\s*\(/u;
+const PYTHON_HTTP_TRANSPORT_PATTERN = /\b(streamable|sse|http)\b/iu;
+
+const PYTHON_DECORATOR_ROLE_MAP = new Map([
+  ["call_tool", "tool"],
+  ["get_prompt", "prompt"],
+  ["list_prompts", "prompt"],
+  ["list_resources", "resource"],
+  ["list_tools", "tool"],
+  ["prompt", "prompt"],
+  ["read_resource", "resource"],
+  ["resource", "resource"],
+  ["resource_template", "resource-template"],
+  ["tool", "tool"],
+]);
+
+const lineNumberForIndex = (text, index) =>
+  text.slice(0, index).split("\n").length || 1;
+
+const extractPythonNamedString = (argumentText, key) => {
+  const directPattern = new RegExp(`${key}\\s*=\\s*["']([^"'\\n]+)["']`, "u");
+  const directMatch = argumentText.match(directPattern);
+  if (directMatch?.[1]) {
+    return directMatch[1];
+  }
+  const wrappedPattern = new RegExp(
+    `${key}\\s*=\\s*[a-zA-Z_][a-zA-Z0-9_.]*\\(\\s*["']([^"'\\n]+)["']`,
+    "u",
+  );
+  return argumentText.match(wrappedPattern)?.[1];
+};
+
+const extractFirstPythonString = (argumentText) =>
+  argumentText.match(/^\s*["']([^"'\n]+)["']/u)?.[1];
+
+const extractPythonCallArguments = (raw, alias) => {
+  const aliasPattern = new RegExp(
+    `(\\w+)\\s*=\\s*${alias.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(aliasPattern)) {
+    let callStart = -1;
+    for (let index = match.index; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        callStart = index;
+        break;
+      }
+    }
+    if (callStart === -1) {
+      continue;
+    }
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+      serviceVarName: match[1],
+    });
+  }
+  return calls;
+};
+
+const extractPythonFunctionCalls = (raw, callName) => {
+  const callPattern = new RegExp(
+    `${callName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(callPattern)) {
+    const callStart = match.index + match[0].lastIndexOf("(");
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+    });
+  }
+  return calls;
+};
+
+const parsePythonImports = (raw) => {
+  const imports = [];
+  for (const match of raw.matchAll(PYTHON_IMPORT_PATTERN)) {
+    const fromSource = match[1];
+    const fromImports = match[2];
+    const directImports = match[3];
+    if (fromSource && fromImports) {
+      for (const importEntry of fromImports.split(",")) {
+        const [importedName, localName] = importEntry
+          .trim()
+          .split(/\s+as\s+/u)
+          .map((value) => value?.trim());
+        if (importedName) {
+          imports.push({
+            importedName,
+            localName: localName || importedName,
+            sourceValue: fromSource,
+          });
+        }
+      }
+      continue;
+    }
+    for (const importEntry of (directImports || "").split(",")) {
+      const [sourceValue, localName] = importEntry
+        .trim()
+        .split(/\s+as\s+/u)
+        .map((value) => value?.trim());
+      if (sourceValue) {
+        imports.push({
+          importedName: sourceValue.split(".").pop(),
+          localName: localName || sourceValue.split(".").pop(),
+          sourceValue,
+        });
+      }
+    }
+  }
+  return imports;
+};
+
+const registerPythonPrimitive = (
+  serviceInfo,
+  role,
+  name,
+  description,
+  uri,
+  sourceLine,
+) => {
+  if (!role) {
+    return;
+  }
+  const primitiveName =
+    name ||
+    uri ||
+    `${role}-${serviceInfo.primitives.filter((item) => item.role === role).length + 1}`;
+  serviceInfo.primitives.push({
+    description,
+    name: primitiveName,
+    role,
+    sourceLine,
+    uri,
+  });
+  if (role === "tool") {
+    serviceInfo.usageSignals.add("registered-tool");
+  }
+  if (["resource", "resource-template"].includes(role)) {
+    serviceInfo.usageSignals.add("registered-resource");
+  }
+};
+
+/**
+ * Detect MCP server inventory from Python source using import and decorator heuristics.
+ *
+ * @param {string} src Absolute or relative path to the project source directory
+ * @param {boolean} deep When true, also scans nested paths more aggressively
+ * @returns {{components: Object[], dependencies: Object[], services: Object[]}}
+ */
+export const detectPythonMcpInventory = (src, deep = false) => {
+  const servicesByKey = new Map();
+  let srcFiles = [];
+  try {
+    srcFiles = getAllFiles(deep, src, ".py");
+  } catch {
+    return { components: [], dependencies: [], services: [] };
+  }
+  for (const file of srcFiles) {
+    let raw;
+    try {
+      raw = readFileSync(file, "utf-8");
+    } catch {
+      continue;
+    }
+    const fileRelativeLoc = relative(src, file);
+    const serverConstructorAliases = new Set(["Server", "FastMCP"]);
+    const importEntries = parsePythonImports(raw);
+    let fileHasMcpImports = false;
+    for (const importEntry of importEntries) {
+      const sourceValue = importEntry.sourceValue;
+      const classification = classifyMcpReference(sourceValue);
+      if (!classification.isMcp && !sourceValue.startsWith("mcp")) {
+        continue;
+      }
+      fileHasMcpImports = true;
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      if (sourceValue.startsWith("mcp")) {
+        serviceInfo.sdkImports.add(sourceValue);
+        serviceInfo.usageSignals.add("mcp-sdk-import");
+        serviceInfo.officialSdk = true;
+      } else {
+        recordMcpSdkImport(serviceInfo, sourceValue);
+      }
+      if (
+        sourceValue.startsWith("mcp.server") ||
+        sourceValue === "fastmcp" ||
+        /server/i.test(importEntry.importedName || "") ||
+        /server/i.test(importEntry.localName || "")
+      ) {
+        serverConstructorAliases.add(importEntry.localName);
+      }
+    }
+    for (const alias of serverConstructorAliases) {
+      for (const match of extractPythonCallArguments(raw, alias)) {
+        const serviceVarName = match.serviceVarName;
+        const argumentText = match.argumentText || "";
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        serviceInfo.name =
+          extractPythonNamedString(argumentText, "name") ||
+          extractFirstPythonString(argumentText) ||
+          serviceInfo.name;
+        serviceInfo.version =
+          extractPythonNamedString(argumentText, "version") ||
+          serviceInfo.version;
+        serviceInfo.description =
+          extractPythonNamedString(argumentText, "instructions") ||
+          extractPythonNamedString(argumentText, "description") ||
+          serviceInfo.description;
+        serviceInfo.serviceKinds.add("server");
+        serviceInfo.usageSignals.add("server-constructor");
+        serviceInfo.sourceLine = lineNumberForIndex(raw, match.index);
+        for (const decoratorMatch of raw.matchAll(PYTHON_DECORATOR_PATTERN)) {
+          if (decoratorMatch[1] !== serviceVarName) {
+            continue;
+          }
+          const primitiveRole = PYTHON_DECORATOR_ROLE_MAP.get(
+            decoratorMatch[2],
+          );
+          if (!primitiveRole) {
+            continue;
+          }
+          if (primitiveRole === "tool") {
+            serviceInfo.capabilities.add("tools");
+          } else if (primitiveRole === "prompt") {
+            serviceInfo.capabilities.add("prompts");
+          } else {
+            serviceInfo.capabilities.add("resources");
+          }
+        }
+      }
+    }
+    if (PYTHON_STDIO_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("stdio");
+    } else if (fileHasMcpImports && PYTHON_HTTP_TRANSPORT_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("streamable-http");
+    }
+    const primitivePatterns = [
+      ["mtypes.Tool", "tool"],
+      ["mtypes.Prompt", "prompt"],
+      ["mtypes.Resource", "resource"],
+    ];
+    for (const [callName, role] of primitivePatterns) {
+      for (const match of extractPythonFunctionCalls(raw, callName)) {
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        registerPythonPrimitive(
+          serviceInfo,
+          role,
+          extractPythonNamedString(match.argumentText || "", "name"),
+          extractPythonNamedString(match.argumentText || "", "description"),
+          extractPythonNamedString(match.argumentText || "", "uri"),
+          lineNumberForIndex(raw, match.index),
+        );
+      }
+    }
+    if (fileHasMcpImports) {
+      ensureMcpService(servicesByKey, file, fileRelativeLoc);
+    }
+  }
+  return buildMcpInventoryFromServices(servicesByKey);
+};
+
 /**
  * Detect MCP server inventory from JavaScript/TypeScript source using AST analysis.
  *
@@ -2748,49 +3151,5 @@ export const detectMcpInventory = (src, deep = false) => {
       ensureMcpService(servicesByKey, file, fileRelativeLoc);
     }
   }
-  const services = [];
-  const components = [];
-  const dependencies = [];
-  for (const serviceInfo of servicesByKey.values()) {
-    if (
-      !serviceInfo.primitives.length &&
-      !serviceInfo.transports.size &&
-      !serviceInfo.endpoints.size &&
-      !serviceInfo.capabilities.size &&
-      !serviceInfo.sourceLine &&
-      !serviceInfo.outboundHosts.size &&
-      !serviceInfo.usageSignals.size
-    ) {
-      continue;
-    }
-    if (
-      serviceInfo.endpoints.size &&
-      !serviceInfo.transports.has("stdio") &&
-      !serviceInfo.transports.size
-    ) {
-      serviceInfo.transports.add("streamable-http");
-    }
-    if (
-      serviceInfo.transports.has("streamable-http") &&
-      typeof serviceInfo.authenticated === "undefined"
-    ) {
-      serviceInfo.authenticated = false;
-    }
-    const service = serviceObjectForMcp(serviceInfo);
-    services.push(service);
-    const providedRefs = [];
-    for (const primitive of serviceInfo.primitives) {
-      const component = primitiveComponentForMcp(serviceInfo, primitive);
-      components.push(component);
-      providedRefs.push(component["bom-ref"]);
-    }
-    if (providedRefs.length) {
-      dependencies.push({
-        ref: service["bom-ref"],
-        dependsOn: [],
-        provides: providedRefs.sort(),
-      });
-    }
-  }
-  return { components, dependencies, services };
+  return buildMcpInventoryFromServices(servicesByKey);
 };

package/lib/helpers/analyzer.poku.js

@@ -7,6 +7,7 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
+import { URL } from "node:url";
 
 import { assert, describe, it } from "poku";
 
@@ -14,6 +15,7 @@ import {
   analyzeSuspiciousJsFile,
   detectExtensionCapabilities,
   detectMcpInventory,
+  detectPythonMcpInventory,
   findJSImportsExports,
 } from "./analyzer.js";
 
@@ -529,4 +531,119 @@ describe("detectMcpInventory()", () => {
       ),
     );
   });
+
+  it("sanitizes source-code-analysis MCP metadata before emission", () => {
+    const projectDir = createProjectFiles("mcp-sanitized-source-analysis", {
+      "src/server.ts": [
+        "import { McpServer } from '@modelcontextprotocol/server';",
+        "import { StreamableHTTPClientTransport } from '@modelcontextprotocol/client';",
+        "const server = new McpServer({",
+        "  name: 'sanitized-server',",
+        "  version: '0.3.0',",
+        "  description: 'Use https://user:pass@example.com/mcp?token=abc#frag and Bearer sk_test_super_secret_value',",
+        "});",
+        "server.registerTool(",
+        "  'download',",
+        "  {",
+        "    description: 'Download from https://user:pass@example.com/tool?token=abc#frag',",
+        "    annotations: {",
+        "      Authorization: 'Bearer sk_test_super_secret_value',",
+        "      nested: { __proto__: 'polluted', endpoint: 'https://user:pass@example.com/tool?token=abc#frag' },",
+        "    },",
+        "  },",
+        "  async () => ({ content: [] }),",
+        ");",
+        "server.registerResource(",
+        "  'private-docs',",
+        "  'https://user:pass@example.com/docs?token=abc#frag',",
+        "  { description: 'Private docs' },",
+        "  async () => ({ contents: [] }),",
+        ");",
+        "const transport = new StreamableHTTPClientTransport(new URL('https://user:pass@example.com/mcp?access_token=secret#frag'));",
+        "void transport;",
+      ].join("\n"),
+    });
+
+    const inventory = detectMcpInventory(projectDir);
+    const service = inventory.services[0];
+    const toolComponent = inventory.components.find(
+      (component) => component.name === "download",
+    );
+    const resourceComponent = inventory.components.find(
+      (component) => component.name === "private-docs",
+    );
+
+    assert.strictEqual(
+      service.description,
+      "Use https://example.com/mcp and [redacted]",
+    );
+    const serviceEndpoint = new URL(service.endpoints[0]);
+    assert.strictEqual(serviceEndpoint.hostname, "example.com");
+    assert.strictEqual(serviceEndpoint.pathname, "/mcp");
+    assert.strictEqual(
+      getProp(resourceComponent, "cdx:mcp:resourceUri"),
+      "https://example.com/docs",
+    );
+    assert.strictEqual(
+      toolComponent.description,
+      "Download from https://example.com/tool",
+    );
+    const toolAnnotations = JSON.parse(
+      getProp(toolComponent, "cdx:mcp:toolAnnotations"),
+    );
+    assert.strictEqual(toolAnnotations.Authorization, "[redacted]");
+    assert.ok(
+      !JSON.stringify(toolAnnotations).includes("sk_test_super_secret_value"),
+    );
+    assert.ok(!JSON.stringify(toolAnnotations).includes("__proto__"));
+  });
+});
+
+describe("detectPythonMcpInventory()", () => {
+  it("detects a Python stdio MCP server and exported primitives", () => {
+    const projectDir = createProjectFiles("mcp-python-server", {
+      "src/server.py": [
+        "import mcp.server.stdio",
+        "import mcp.types as mtypes",
+        "from mcp.server import NotificationOptions, Server",
+        "",
+        'server = Server("appthreat-vulnerability-db", version="1.0.1")',
+        "",
+        "@server.list_resources()",
+        "async def handle_list_resources():",
+        '    return [mtypes.Resource(uri=mtypes.AnyUrl("cve://"), name="CVE Information", description="Get detailed information about a CVE")]',
+        "",
+        "@server.list_tools()",
+        "async def handle_list_tools():",
+        '    return [mtypes.Tool(name="search_by_purl_like", description="Search by purl", inputSchema={"type": "object"})]',
+        "",
+        "async with mcp.server.stdio.stdio_server() as (read_stream, write_stream):",
+        "    await server.run(",
+        "        read_stream,",
+        "        write_stream,",
+        '        InitializationOptions(server_name="appthreat-vulnerability-db", server_version="1.0.1", capabilities=server.get_capabilities(notification_options=NotificationOptions(), experimental_capabilities={}))',
+        "    )",
+      ].join("\n"),
+    });
+    const inventory = detectPythonMcpInventory(projectDir);
+    assert.strictEqual(inventory.services.length, 1);
+    assert.strictEqual(inventory.components.length, 2);
+    const service = inventory.services[0];
+    assert.strictEqual(service.name, "appthreat-vulnerability-db");
+    assert.strictEqual(service.version, "1.0.1");
+    assert.strictEqual(getProp(service, "cdx:mcp:transport"), "stdio");
+    assert.strictEqual(getProp(service, "cdx:mcp:officialSdk"), "true");
+    assert.strictEqual(getProp(service, "cdx:mcp:toolCount"), "1");
+    assert.strictEqual(getProp(service, "cdx:mcp:resourceCount"), "1");
+    assert.ok(
+      inventory.components.some(
+        (component) => component.name === "search_by_purl_like",
+      ),
+    );
+    assert.ok(
+      inventory.components.some(
+        (component) => component.name === "CVE Information",
+      ),
+    );
+  });
 });