@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/auditCategories.js

@@ -0,0 +1,76 @@
+export const BOM_AUDIT_CATEGORY_ALIASES = Object.freeze({
+  "ai-inventory": ["ai-agent", "mcp-server"],
+});
+
+function uniqueNonEmptyCategories(categories) {
+  return [...new Set((categories || []).filter(Boolean))];
+}
+
+export function normalizeBomAuditCategories(categories) {
+  if (Array.isArray(categories)) {
+    return uniqueNonEmptyCategories(
+      categories.map((category) => String(category).trim()).filter(Boolean),
+    );
+  }
+  if (typeof categories !== "string") {
+    return [];
+  }
+  return uniqueNonEmptyCategories(
+    categories
+      .split(",")
+      .map((category) => category.trim())
+      .filter(Boolean),
+  );
+}
+
+export function expandBomAuditCategories(categories) {
+  const normalizedCategories = normalizeBomAuditCategories(categories);
+  const expandedCategories = [];
+  for (const category of normalizedCategories) {
+    if (BOM_AUDIT_CATEGORY_ALIASES[category]?.length) {
+      expandedCategories.push(...BOM_AUDIT_CATEGORY_ALIASES[category]);
+      continue;
+    }
+    expandedCategories.push(category);
+  }
+  return uniqueNonEmptyCategories(expandedCategories);
+}
+
+export function availableBomAuditCategories(rules) {
+  return uniqueNonEmptyCategories(
+    (rules || []).map((rule) => rule?.category).filter(Boolean),
+  ).sort();
+}
+
+function formatBomAuditCategoryOption(category) {
+  const aliasedCategories = BOM_AUDIT_CATEGORY_ALIASES[category];
+  if (!aliasedCategories?.length) {
+    return category;
+  }
+  return `${category} (alias for ${aliasedCategories.join(",")})`;
+}
+
+export function validateBomAuditCategories(categories, rules) {
+  const normalizedCategories = normalizeBomAuditCategories(categories);
+  const validCategories = availableBomAuditCategories(rules);
+  const allowedCategories = new Set([
+    ...validCategories,
+    ...Object.keys(BOM_AUDIT_CATEGORY_ALIASES),
+  ]);
+  const invalidCategories = normalizedCategories.filter(
+    (category) => !allowedCategories.has(category),
+  );
+  if (invalidCategories.length) {
+    const validCategoryOptions = [...allowedCategories]
+      .sort()
+      .map((category) => formatBomAuditCategoryOption(category));
+    throw new Error(
+      `Unknown BOM audit categor${invalidCategories.length === 1 ? "y" : "ies"}: ${invalidCategories.join(", ")}. Valid categories: ${validCategoryOptions.join(", ")}.`,
+    );
+  }
+  return {
+    categories: normalizedCategories,
+    expandedCategories: expandBomAuditCategories(normalizedCategories),
+    validCategories,
+  };
+}

package/lib/helpers/chromextutils.js

@@ -9,6 +9,7 @@ import {
   CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES,
   detectExtensionCapabilities,
 } from "./analyzer.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { isMac, isWin, safeExistsSync } from "./utils.js";
 
 /**
@@ -850,7 +851,12 @@ export function toComponent(extInfo) {
   const component = {
     name: extensionId,
     version: extInfo.version || "",
-    description: extInfo.displayName || extInfo.description || "",
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:chrome-extension:description",
+        extInfo.displayName || extInfo.description || "",
+      ) || "",
+    ),
     purl,
     "bom-ref": decodeURIComponent(purl),
     type: "application",
@@ -1035,8 +1041,24 @@ export function toComponent(extInfo) {
   if (extInfo.srcPath) {
     properties.push({ name: "SrcFile", value: extInfo.srcPath });
   }
-  if (properties.length) {
-    component.properties = properties;
+  const sanitizedProperties = properties
+    .map((property) => {
+      const sanitizedValue = sanitizeBomPropertyValue(
+        property.name,
+        property.value,
+      );
+      if (
+        sanitizedValue === undefined ||
+        sanitizedValue === null ||
+        sanitizedValue === ""
+      ) {
+        return undefined;
+      }
+      return { name: property.name, value: String(sanitizedValue) };
+    })
+    .filter(Boolean);
+  if (sanitizedProperties.length) {
+    component.properties = sanitizedProperties;
   }
   return component;
 }

package/lib/helpers/chromextutils.poku.js

@@ -142,6 +142,74 @@ describe("parseChromiumExtensionManifest", () => {
     assert.strictEqual(parsed.hasAutofill, false);
   });
 
+  it("sanitizes emitted URL properties before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-extension");
+    const extensionId = "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        name: "Sanitized URLs",
+        version: extensionVersion,
+        update_url: "https://user:pass@example.com/update.xml?token=abc#frag",
+        host_permissions: [
+          "https://user:pass@example.com/*?token=abc#frag",
+          "<all_urls>",
+        ],
+        externally_connectable: {
+          matches: ["https://user:pass@example.com/*?token=abc#frag"],
+        },
+      }),
+      "utf-8",
+    );
+
+    const result = collectChromeExtensionsFromPath(versionDir);
+
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:updateUrl"),
+      "https://example.com/update.xml",
+    );
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:hostPermissions"),
+      "https://example.com/*, <all_urls>",
+    );
+    assert.strictEqual(
+      getProp(
+        result.components[0],
+        "cdx:chrome-extension:externallyConnectableMatches",
+      ),
+      "https://example.com/*",
+    );
+  });
+
+  it("sanitizes emitted extension descriptions before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-description-extension");
+    const extensionId = "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        description:
+          "Connect with Bearer sk_test_super_secret_value at https://user:pass@example.com/path?token=abc#frag",
+        version: extensionVersion,
+      }),
+      "utf-8",
+    );
+
+    const result = collectChromeExtensionsFromPath(versionDir);
+
+    assert.strictEqual(
+      result.components[0].description,
+      "Connect with [redacted] at https://example.com/path",
+    );
+  });
+
   it("should parse real manifest fixtures from Chrome, Chromium and Edge extensions", () => {
     const fixtureCases = [
       {

package/lib/helpers/ciParsers/githubActions.js

@@ -112,6 +112,34 @@ const CARGO_CACHE_ACTION_PATTERNS = [/^swatinem\/rust-cache(?:@|$)/i];
 
 const CARGO_TOOL_INSTALL_ACTION_PATTERNS = [/^taiki-e\/install-action(?:@|$)/i];
 
+const DEPENDENCY_CACHE_SETUP_ACTIONS = [
+  {
+    pattern: /^actions\/setup-node(?:@|$)/i,
+    ecosystem: "npm",
+    inputNames: ["package-manager-cache", "cache"],
+  },
+  {
+    pattern: /^actions\/setup-python(?:@|$)/i,
+    ecosystem: "pypi",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-go(?:@|$)/i,
+    ecosystem: "go",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-java(?:@|$)/i,
+    ecosystem: "java",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^moonrepo\/setup-rust(?:@|$)/i,
+    ecosystem: "cargo",
+    inputNames: ["cache"],
+  },
+];
+
 const FORK_CONTEXT_PATTERNS = [
   [
     "github.event.pull_request.head.repo.fork",
@@ -479,6 +507,56 @@ function analyzeCargoActionStep(step) {
   return props;
 }
 
+function isExplicitFalseLikeValue(value) {
+  if (value === false) {
+    return true;
+  }
+  if (typeof value !== "string") {
+    return false;
+  }
+  return ["0", "false", "no", "off", "disabled"].includes(
+    value.trim().toLowerCase(),
+  );
+}
+
+function analyzeSetupActionCacheStep(step) {
+  const props = [];
+  if (!step?.uses || typeof step.uses !== "string") {
+    return props;
+  }
+  const setupAction = DEPENDENCY_CACHE_SETUP_ACTIONS.find((candidate) =>
+    candidate.pattern.test(step.uses),
+  );
+  if (!setupAction || !step.with || typeof step.with !== "object") {
+    return props;
+  }
+  const disableInputName = setupAction.inputNames.find(
+    (inputName) =>
+      Object.hasOwn(step.with, inputName) &&
+      isExplicitFalseLikeValue(step.with[inputName]),
+  );
+  if (!disableInputName) {
+    return props;
+  }
+  props.push({
+    name: "cdx:github:action:disablesBuildCache",
+    value: "true",
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheEcosystem",
+    value: setupAction.ecosystem,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableInput",
+    value: disableInputName,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableValue",
+    value: String(step.with[disableInputName]),
+  });
+  return props;
+}
+
 function analyzeCargoRunStep(normalizedRun) {
   const props = [];
   if (!normalizedRun || typeof normalizedRun !== "string") {
@@ -2018,6 +2096,7 @@ export function parseWorkflowFile(f, options) {
           actionProperties.push(...analyzeCheckoutStep(step));
           actionProperties.push(...analyzeCacheStep(step));
           actionProperties.push(...analyzeCargoActionStep(step));
+          actionProperties.push(...analyzeSetupActionCacheStep(step));
           actionProperties.push(...analyzeDispatchActionStep(step));
           if (
             step.uses?.includes("actions/github-script") &&

package/lib/helpers/ciParsers/githubActions.poku.js

@@ -505,6 +505,109 @@ describe("githubActionsParser", () => {
     });
   });
 
+  describe("setup action cache disable property emission", () => {
+    it("emits cache disable properties for setup-node, setup-python, and setup-rust", () => {
+      const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-cache-"));
+      const workflowFile = path.join(tmpDir, "cache-disable.yml");
+      writeFileSync(
+        workflowFile,
+        [
+          "name: Cache disable",
+          "on: push",
+          "jobs:",
+          "  build:",
+          "    runs-on: ubuntu-latest",
+          "    steps:",
+          "      - uses: actions/setup-node@v4",
+          "        with:",
+          "          node-version: 20",
+          "          package-manager-cache: false",
+          "      - uses: actions/setup-python@v5",
+          "        with:",
+          "          python-version: '3.12'",
+          "          cache: false",
+          "      - uses: moonrepo/setup-rust@v1",
+          "        with:",
+          "          cache: false",
+        ].join("\n"),
+      );
+
+      try {
+        const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
+        const setupNodeComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-node@v4",
+        );
+        const setupPythonComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-python@v5",
+        );
+        const setupRustComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "moonrepo/setup-rust@v1",
+        );
+        assert.ok(setupNodeComp, "expected setup-node component");
+        assert.ok(setupPythonComp, "expected setup-python component");
+        assert.ok(setupRustComp, "expected setup-rust component");
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheEcosystem"),
+          "npm",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheDisableInput"),
+          "package-manager-cache",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheEcosystem"),
+          "pypi",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheEcosystem"),
+          "cargo",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("does not emit cache disable properties when cache is not explicitly disabled", () => {
+      const result = parseWorkflow("simple-build.yml");
+      const setupNodeComp = result.components.find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-node@v4",
+      );
+      assert.ok(setupNodeComp, "expected setup-node component");
+      assert.strictEqual(
+        getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+        undefined,
+      );
+    });
+  });
+
   describe("script injection interpolation detection", () => {
     it("detects github.event.pull_request interpolation", () => {
       const result = parseWorkflow("injection-pull-request-title.yml");

package/lib/helpers/communityAiConfigParser.js

@@ -8,6 +8,7 @@ import {
   credentialIndicatorsForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const COMMUNITY_AI_PATTERNS = [
@@ -46,13 +47,22 @@ const COMMUNITY_AI_PATTERNS = [
 ];
 
 function addUniqueProperty(properties, name, value) {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === String(sanitizedValue),
+    )
+  ) {
     return;
   }
-  properties.push({ name, value: String(value) });
+  properties.push({ name, value: String(sanitizedValue) });
 }
 
 function normalizeFilePath(filePath) {
@@ -217,7 +227,7 @@ function parseSkillFile(filePath, raw) {
     addUniqueProperty(
       component.properties,
       "cdx:skill:metadata",
-      JSON.stringify(metadata.metadata),
+      metadata.metadata,
     );
   }
   maybeAddFileSignals(component.properties, filePath, raw);
@@ -399,7 +409,7 @@ function parseOpencodeConfig(filePath, raw) {
       addUniqueProperty(
         component.properties,
         "cdx:agent:permission",
-        JSON.stringify(agentConfig.permission),
+        agentConfig.permission,
       );
     }
     components.push(component);

package/lib/helpers/communityAiConfigParser.poku.js

@@ -60,4 +60,75 @@ describe("communityAiConfigParser", () => {
       ),
     );
   });
+
+  it("sanitizes secret-bearing AI inventory properties before emission", async () => {
+    const readFileSync = sinon.stub();
+    readFileSync.withArgs("/repo/opencode.json", "utf-8").returns(
+      JSON.stringify({
+        agent: {
+          release: {
+            description:
+              "Deploy with https://user:pass@example.com/release?access_token=abc#frag and sk_test_super_secret_value",
+            permission: {
+              endpoints: [
+                "https://user:pass@example.com/private?token=abc#frag",
+              ],
+              __proto__: {
+                polluted: true,
+              },
+            },
+          },
+        },
+      }),
+    );
+    readFileSync
+      .withArgs("/repo/.claude/skills/release/SKILL.md", "utf-8")
+      .returns(
+        [
+          "---",
+          "name: release",
+          "description: Publish release notes",
+          "metadata:",
+          "  endpoint: https://user:pass@example.com/skill?token=abc#frag",
+          "  apiKey: sk_test_skill_secret_value",
+          "---",
+          "Use the release workflow.",
+        ].join("\n"),
+      );
+    const { communityAiConfigParser } = await esmock(
+      "./communityAiConfigParser.js",
+      {
+        "node:fs": { readFileSync },
+      },
+    );
+
+    const result = communityAiConfigParser.parse([
+      "/repo/opencode.json",
+      "/repo/.claude/skills/release/SKILL.md",
+    ]);
+    const agent = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "agent-config",
+    );
+    const skill = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "skill-file",
+    );
+
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:description"),
+      "Deploy with https://example.com/release and [redacted]",
+    );
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:permission"),
+      JSON.stringify({
+        endpoints: ["https://example.com/private"],
+      }),
+    );
+    assert.strictEqual(
+      getProp(skill, "cdx:skill:metadata"),
+      JSON.stringify({
+        endpoint: "https://example.com/skill",
+        apiKey: "[redacted]",
+      }),
+    );
+  });
 });

package/lib/helpers/depsUtils.js

@@ -272,6 +272,11 @@ export function trimComponents(components) {
                   if (!existIdent.methods) {
                     existIdent.methods = [];
                   }
+                  if (aident.tools?.length) {
+                    existIdent.tools = Array.from(
+                      new Set([...(existIdent.tools || []), ...aident.tools]),
+                    );
+                  }
                   let isDup = false;
                   for (const emethod of existIdent.methods) {
                     if (emethod?.value === amethod?.value) {

package/lib/helpers/depsUtils.poku.js

@@ -208,6 +208,61 @@ describe("trimComponents()", () => {
       { alg: "SHA-256", content: "def456" },
     ]);
   });
+
+  it("retains identity tool references when merging duplicate components", () => {
+    const components = [
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/trivy@0.1.0"],
+            },
+          ],
+        },
+      },
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/blint@1.2.3"],
+            },
+          ],
+        },
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].evidence.identity[0].tools, [
+      "pkg:generic/trivy@0.1.0",
+      "pkg:generic/blint@1.2.3",
+    ]);
+  });
 });
 
 describe("mergeServices()", () => {