@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/display.js

@@ -65,10 +65,44 @@ const formatComponentName = (component, highlight) => {
   return displayName;
 };
 
-const printProvenanceLegend = () => {
-  console.log(
-    `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
-  );
+/**
+ * Builds the summary and provenance lines printed after the component table.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @param {string[]|undefined} filterTypes Optional list of component types to include
+ * @param {string|undefined} summaryText Optional summary message to print after the table
+ * @param {number} displayedProvenanceCount Number of displayed components with registry provenance
+ * @returns {string[]} Summary lines to print
+ */
+export const buildTableSummaryLines = (
+  bomJson,
+  filterTypes,
+  summaryText,
+  displayedProvenanceCount = 0,
+) => {
+  const summaryLines = [];
+  if (summaryText) {
+    summaryLines.push(summaryText);
+  } else if (!filterTypes) {
+    summaryLines.push(
+      `BOM includes ${bomJson?.components?.length || 0} components and ${
+        bomJson?.dependencies?.length || 0
+      } dependencies`,
+    );
+  } else {
+    summaryLines.push(
+      `Components filtered based on type: ${filterTypes.join(", ")}`,
+    );
+  }
+  if (displayedProvenanceCount > 0) {
+    summaryLines.push(
+      `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
+    );
+    summaryLines.push(
+      `${REGISTRY_PROVENANCE_ICON} ${displayedProvenanceCount} component(s) include registry provenance or trusted publishing metadata.`,
+    );
+  }
+  return summaryLines;
 };
 
 /**
@@ -247,24 +281,13 @@ export function printTable(
   }
   stream.end();
   console.log();
-  if (summaryText) {
-    console.log(summaryText);
-  } else if (!filterTypes) {
-    console.log(
-      "BOM includes",
-      bomJson?.components?.length || 0,
-      "components and",
-      bomJson?.dependencies?.length || 0,
-      "dependencies",
-    );
-  } else {
-    console.log(`Components filtered based on type: ${filterTypes.join(", ")}`);
-  }
-  if (displayedProvenanceCount > 0) {
-    printProvenanceLegend();
-    console.log(
-      `${REGISTRY_PROVENANCE_ICON} ${displayedProvenanceCount} component(s) include registry provenance or trusted publishing metadata.`,
-    );
+  for (const line of buildTableSummaryLines(
+    bomJson,
+    filterTypes,
+    summaryText,
+    displayedProvenanceCount,
+  )) {
+    console.log(line);
   }
 }
 const formatProps = (props) => {
@@ -1103,7 +1126,7 @@ export function displaySelfThreatModel(
   options,
   envAuditFindings,
 ) {
-  const TLP = options.tlpClassification || "CLEAR";
+  const TLP = options.tlpClassification;
   const risks = [];
   let riskScore = 0;
 
@@ -1242,8 +1265,11 @@ export function displaySelfThreatModel(
     AMBER_AND_STRICT: "Organisation only. No external sharing.",
     RED: "Named recipients only. Do not forward or store beyond session.",
   };
+  const tlpValue = TLP
+    ? `${TLP} — ${tlpGuidance[TLP]}`
+    : "Not set — no distribution constraints recorded.";
   const headerData = [
-    ["TLP Classification", `${TLP} — ${tlpGuidance[TLP]}`],
+    ["TLP Classification", tlpValue],
     ["Risk Score", `${riskScore}/10`],
     ["Risk Level", `${riskColor[riskLevel]}${riskLevel}${reset}`],
   ];

package/lib/helpers/display.poku.js

@@ -8,6 +8,7 @@ import {
   buildActivitySummaryPayload,
   buildDependencyTreeLegendLines,
   buildDependencyTreeLines,
+  buildTableSummaryLines,
   printDependencyTree,
   serializeActivitySummary,
 } from "./display.js";
@@ -22,74 +23,85 @@ it("print tree test", () => {
 
 it("prints a provenance icon for registry-backed components", async () => {
   const rows = [];
-  const consoleLogStub = sinon.stub(console, "log");
-  try {
-    const { printTable } = await esmock("./display.js", {
-      "./table.js": {
-        createStream: () => ({
-          end() {
-            // intentional no-op for stream stub
-          },
-          write(row) {
-            rows.push(row);
-          },
-        }),
-        table: sinon.stub().returns(""),
-      },
-      "./utils.js": {
-        isSecureMode: false,
-        safeExistsSync: sinon.stub(),
-        toCamel: sinon.stub(),
-      },
-    });
-
-    printTable(
+  const bomJson = {
+    components: [
       {
-        components: [
+        group: "",
+        name: "left-pad",
+        properties: [
           {
-            group: "",
-            name: "left-pad",
-            properties: [
-              {
-                name: "cdx:npm:provenanceUrl",
-                value:
-                  "https://registry.npmjs.org/-/npm/v1/attestations/left-pad",
-              },
-            ],
-            type: "library",
-            version: "1.3.0",
-          },
-          {
-            group: "",
-            name: "lodash",
-            properties: [],
-            type: "library",
-            version: "4.17.21",
+            name: "cdx:npm:provenanceUrl",
+            value: "https://registry.npmjs.org/-/npm/v1/attestations/left-pad",
           },
         ],
-        dependencies: [],
+        type: "library",
+        version: "1.3.0",
       },
-      undefined,
-      undefined,
-      "Found 1 trusted component.",
-    );
+      {
+        group: "",
+        name: "lodash",
+        properties: [],
+        type: "library",
+        version: "4.17.21",
+      },
+    ],
+    dependencies: [],
+  };
+  const { printTable } = await esmock("./display.js", {
+    "./table.js": {
+      createStream: () => ({
+        end() {
+          // intentional no-op for stream stub
+        },
+        write(row) {
+          rows.push(row);
+        },
+      }),
+      table: sinon.stub().returns(""),
+    },
+    "./utils.js": {
+      isSecureMode: false,
+      safeExistsSync: sinon.stub(),
+      toCamel: sinon.stub(),
+    },
+  });
 
-    assert.strictEqual(rows[1][1], `${REGISTRY_PROVENANCE_ICON} left-pad`);
-    assert.strictEqual(rows[2][1], "lodash");
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
+  printTable(bomJson, undefined, undefined, "Found 1 trusted component.");
+
+  assert.strictEqual(rows[1][1], `${REGISTRY_PROVENANCE_ICON} left-pad`);
+  assert.strictEqual(rows[2][1], "lodash");
+  assert.deepStrictEqual(
+    buildTableSummaryLines(bomJson, undefined, "Found 1 trusted component.", 1),
+    [
       "Found 1 trusted component.",
-    );
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
       `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
-    );
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
       `${REGISTRY_PROVENANCE_ICON} 1 component(s) include registry provenance or trusted publishing metadata.`,
-    );
+    ],
+  );
+});
+
+it("displaySelfThreatModel does not assume a default TLP classification", async () => {
+  const tableStub = sinon.stub().returns("table-output");
+  try {
+    const { displaySelfThreatModel } = await esmock("./display.js", {
+      "./table.js": {
+        createStream: sinon.stub(),
+        table: tableStub,
+      },
+      "./utils.js": {
+        isSecureMode: false,
+        safeExistsSync: sinon.stub(),
+        toCamel: sinon.stub().callsFake((value) => value),
+      },
+    });
+    displaySelfThreatModel("/workspace/project", {}, {}, []);
+    const [headerData] = tableStub.firstCall.args;
+    assert.deepStrictEqual(headerData[0], [
+      "TLP Classification",
+      "Not set — no distribution constraints recorded.",
+    ]);
   } finally {
-    consoleLogStub.restore();
+    sinon.restore();
   }
 });
 

package/lib/helpers/formulationParsers.js

@@ -4,14 +4,17 @@ import process from "node:process";
 
 import { v4 as uuidv4 } from "uuid";
 
-import { agentFormulationParser } from "./agentFormulationParser.js";
+import {
+  AI_INVENTORY_PROJECT_TYPES,
+  collectAiInventory,
+  optionIncludesAiInventoryProjectType,
+} from "./aiInventory.js";
 import { collectOSCryptoLibs } from "./cbomutils.js";
 import { azurePipelinesParser } from "./ciParsers/azurePipelines.js";
 import { circleCiParser } from "./ciParsers/circleCi.js";
 import { githubActionsParser } from "./ciParsers/githubActions.js";
 import { gitlabCiParser } from "./ciParsers/gitlabCi.js";
 import { jenkinsParser } from "./ciParsers/jenkins.js";
-import { communityAiConfigParser } from "./communityAiConfigParser.js";
 import { trimComponents } from "./depsUtils.js";
 import {
   collectEnvInfo,
@@ -20,7 +23,6 @@ import {
   gitTreeHashes,
   listFiles,
 } from "./envcontext.js";
-import { mcpConfigParser } from "./mcpConfigParser.js";
 import { rustFormulationParser } from "./rustFormulationParser.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 import { getAllFiles } from "./utils.js";
@@ -100,9 +102,6 @@ function buildReadmeSecurityComponents(discoveryPath, options) {
  */
 const _parsers = [
   rustFormulationParser,
-  agentFormulationParser,
-  mcpConfigParser,
-  communityAiConfigParser,
   githubActionsParser,
   gitlabCiParser,
   jenkinsParser,
@@ -312,6 +311,12 @@ export function addFormulationSection(filePath, options, context = {}) {
   const ciProperties = [];
 
   const discoveryPath = projectPath || ".";
+  const excludedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter((type) => {
+    return optionIncludesAiInventoryProjectType(options?.excludeType, type);
+  });
+  const includedInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) => !excludedInventoryTypes.includes(type),
+  );
 
   for (const parser of _parsers) {
     const matchedFiles = [];
@@ -355,6 +360,21 @@ export function addFormulationSection(filePath, options, context = {}) {
     }
   }
 
+  const aiInventory = collectAiInventory(
+    discoveryPath,
+    options,
+    includedInventoryTypes,
+  );
+  if (aiInventory.components.length) {
+    ciComponents.push(...aiInventory.components);
+  }
+  if (aiInventory.services.length) {
+    ciServices.push(...aiInventory.services);
+  }
+  if (aiInventory.dependencies.length) {
+    dependencies.push(...aiInventory.dependencies);
+  }
+
   // Merge CI components into the formulation component list
   if (ciComponents.length) {
     components = components.concat(ciComponents);

package/lib/helpers/jsonLike.js

@@ -1,22 +1,32 @@
+/**
+ * Returns whether the quote at `index` is escaped by an odd-length run of
+ * backslashes immediately preceding it.
+ *
+ * @param {string} raw Raw JSON-like text being scanned
+ * @param {number} index Index of the quote character to evaluate
+ * @returns {boolean} `true` when the quote is escaped and should not terminate
+ * the current string literal
+ */
+function isEscapedQuote(raw, index) {
+  let backslashCount = 0;
+  let lookBehind = index - 1;
+  while (lookBehind >= 0 && raw[lookBehind] === "\\") {
+    backslashCount += 1;
+    lookBehind -= 1;
+  }
+  return backslashCount % 2 === 1;
+}
+
 export function stripJsonComments(raw) {
   let output = "";
   let inString = false;
   let stringQuote = "";
-  let escaped = false;
   for (let index = 0; index < raw.length; index++) {
     const char = raw[index];
     const nextChar = raw[index + 1];
     if (inString) {
       output += char;
-      if (escaped) {
-        escaped = false;
-        continue;
-      }
-      if (char === "\\") {
-        escaped = true;
-        continue;
-      }
-      if (char === stringQuote) {
+      if (char === stringQuote && !isEscapedQuote(raw, index)) {
         inString = false;
         stringQuote = "";
       }
@@ -57,20 +67,11 @@ export function stripJsonTrailingCommas(raw) {
   let output = "";
   let inString = false;
   let stringQuote = "";
-  let escaped = false;
   for (let index = 0; index < raw.length; index++) {
     const char = raw[index];
     if (inString) {
       output += char;
-      if (escaped) {
-        escaped = false;
-        continue;
-      }
-      if (char === "\\") {
-        escaped = true;
-        continue;
-      }
-      if (char === stringQuote) {
+      if (char === stringQuote && !isEscapedQuote(raw, index)) {
         inString = false;
         stringQuote = "";
       }

package/lib/helpers/jsonLike.poku.js

@@ -0,0 +1,34 @@
+import { assert, describe, it } from "poku";
+
+import { parseJsonLike, stripJsonComments } from "./jsonLike.js";
+
+describe("jsonLike", () => {
+  it("preserves escaped quotes while stripping comments", () => {
+    const parsedMessage = 'escaped quote: " // not a comment';
+    const rawMessage = String.raw`escaped quote: \" // not a comment`;
+    const raw = String.raw`{
+      "message": "escaped quote: \" // not a comment",
+      // trailing comment
+      "enabled": true
+    }`;
+    const stripped = stripJsonComments(raw);
+    assert.ok(stripped.includes(rawMessage));
+    assert.ok(!stripped.includes("trailing comment"));
+    assert.deepStrictEqual(parseJsonLike(raw), {
+      enabled: true,
+      message: parsedMessage,
+    });
+  });
+
+  it("preserves comment markers after escaped backslashes inside strings", () => {
+    const raw = `{
+      "path": "C:\\\\\\\\temp\\\\\\\\file // keep",
+      /* block comment */
+      "count": 1
+    }`;
+    assert.deepStrictEqual(parseJsonLike(raw), {
+      count: 1,
+      path: "C:\\\\temp\\\\file // keep",
+    });
+  });
+});

package/lib/helpers/mcpConfigParser.js

@@ -9,6 +9,10 @@ import {
   providerNamesForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import {
+  sanitizeBomPropertyValue,
+  sanitizeBomUrl,
+} from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const MCP_CONFIG_PATTERNS = [
@@ -40,13 +44,22 @@ const SECRET_FIELD_NAME_PATTERN =
 const ENV_REFERENCE_PATTERN = /(?:\$\{?[A-Z0-9_]+\}?|%[A-Z0-9_]+%)/u;
 
 function addUniqueProperty(properties, name, value) {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === String(sanitizedValue),
+    )
+  ) {
     return;
   }
-  properties.push({ name, value: String(value) });
+  properties.push({ name, value: String(sanitizedValue) });
 }
 
 function normalizeFilePath(filePath) {
@@ -214,6 +227,9 @@ function detectConfigCredentialSignals(serverConfig) {
     }
   }
   return {
+    credentialIndicatorCount: inlineIndicators.size,
+    credentialReferenceCount: credentialRefs.size,
+    exposureFieldCount: exposureFields.size,
     credentialRefs: Array.from(credentialRefs).sort(),
     exposureFields: Array.from(exposureFields).sort(),
     inlineIndicators: Array.from(inlineIndicators).sort(),
@@ -377,6 +393,9 @@ function createServiceFromConfig(
   const command = normalized.command;
   const args = normalized.args;
   const endpoints = extractEndpoints(serverConfig);
+  const sanitizedEndpoints = endpoints.map((endpoint) =>
+    sanitizeBomUrl(endpoint),
+  );
   const transport = inferTransport(serverConfig, endpoints);
   const authHints = authHintsFromValue(serverConfig);
   const authPosture = authPostureForConfig(serverConfig, endpoints, authHints);
@@ -393,7 +412,7 @@ function createServiceFromConfig(
     JSON.stringify({
       args,
       command,
-      endpoints,
+      endpoints: sanitizedEndpoints,
       env: serverConfig?.env || serverConfig?.environment || {},
     }),
   );
@@ -468,22 +487,22 @@ function createServiceFromConfig(
     addUniqueProperty(properties, "cdx:mcp:credentialExposure", "true");
     addUniqueProperty(
       properties,
-      "cdx:mcp:credentialRiskIndicators",
-      credentialSignals.inlineIndicators.join(","),
+      "cdx:mcp:credentialIndicatorCount",
+      String(credentialSignals.credentialIndicatorCount),
     );
   }
   if (credentialSignals.exposureFields.length) {
     addUniqueProperty(
       properties,
-      "cdx:mcp:credentialExposureFields",
-      credentialSignals.exposureFields.join(","),
+      "cdx:mcp:credentialExposureFieldCount",
+      String(credentialSignals.exposureFieldCount),
     );
   }
   if (credentialSignals.credentialRefs.length) {
     addUniqueProperty(
       properties,
-      "cdx:mcp:credentialRefs",
-      credentialSignals.credentialRefs.join(","),
+      "cdx:mcp:credentialReferenceCount",
+      String(credentialSignals.credentialReferenceCount),
     );
   }
   if (supportsDcr) {
@@ -531,7 +550,7 @@ function createServiceFromConfig(
   return {
     "bom-ref": `urn:service:mcp:${sanitizeMcpRefToken(serviceName)}:${sanitizeMcpRefToken(version)}`,
     authenticated,
-    endpoints,
+    endpoints: sanitizedEndpoints,
     group: "mcp",
     name: serviceName,
     properties,
@@ -593,11 +612,8 @@ function createConfigComponent(filePath, format, raw, services) {
     addUniqueProperty(properties, "cdx:mcp:credentialExposure", "true");
     addUniqueProperty(
       properties,
-      "cdx:mcp:credentialExposedServices",
-      credentialServices
-        .map((service) => service.name)
-        .sort()
-        .join(","),
+      "cdx:mcp:credentialExposedServiceCount",
+      String(credentialServices.length),
     );
   }
   return {

package/lib/helpers/mcpConfigParser.poku.js

@@ -56,4 +56,108 @@ describe("mcpConfigParser", () => {
       syntax: "json",
     });
   });
+
+  it("records credential exposure without embedding raw secret metadata", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("/repo/.vscode/mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          releaseDocs: {
+            args: [
+              "--token",
+              "sk_test_super_secret_value",
+              "https://user:pass@docs.example.com/mcp?access_token=secret#frag",
+            ],
+            command: "npx",
+            env: {
+              API_KEY: "$" + "{API_KEY}",
+            },
+            headers: {
+              Authorization: "Bearer sk_test_another_secret_value",
+            },
+            transport: "http",
+          },
+        },
+      }),
+    );
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse(["/repo/.vscode/mcp.json"]);
+    const service = result.services[0];
+    const component = result.components[0];
+
+    assert.strictEqual(getProp(service, "cdx:mcp:credentialExposure"), "true");
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialIndicatorCount"),
+      "3",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialExposureFieldCount"),
+      "4",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialReferenceCount"),
+      "1",
+    );
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:credentialExposedServiceCount"),
+      "1",
+    );
+    assert.strictEqual(getProp(service, "cdx:mcp:command"), "npx");
+    assert.deepStrictEqual(service.endpoints, ["https://docs.example.com/mcp"]);
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:configuredEndpoints"),
+      "https://docs.example.com/mcp",
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialRiskIndicators"),
+      undefined,
+    );
+    assert.strictEqual(
+      getProp(service, "cdx:mcp:credentialExposureFields"),
+      undefined,
+    );
+    assert.strictEqual(getProp(service, "cdx:mcp:credentialRefs"), undefined);
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:credentialExposedServices"),
+      undefined,
+    );
+  });
+
+  it("summarizes Windows executable paths with spaces safely", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("/repo/.vscode/mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          releaseDocs: {
+            args: ["--inspect"],
+            command: "C:\\Program Files\\nodejs\\node.exe --inspect",
+            mcp: true,
+            transport: "stdio",
+          },
+        },
+      }),
+    );
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse(["/repo/.vscode/mcp.json"]);
+
+    assert.strictEqual(
+      getProp(result.services[0], "cdx:mcp:command") ||
+        getProp(result.components[0], "cdx:mcp:command"),
+      "node.exe",
+    );
+  });
 });