npm - @cyclonedx/cdxgen - Versions diffs - 12.3.2 → 12.3.3 - Mend

@cyclonedx/cdxgen 12.3.2 → 12.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/README.md +6 -0
package/data/rules/ci-permissions.yaml +132 -0
package/data/rules/dependency-sources.yaml +65 -5
package/data/rules/package-integrity.yaml +22 -0
package/lib/cli/index.js +141 -39
package/lib/cli/index.poku.js +579 -1
package/lib/helpers/agentFormulationParser.js +6 -2
package/lib/helpers/agentFormulationParser.poku.js +42 -0
package/lib/helpers/analyzer.js +38 -9
package/lib/helpers/analyzer.poku.js +67 -0
package/lib/helpers/chromextutils.js +25 -3
package/lib/helpers/chromextutils.poku.js +68 -0
package/lib/helpers/ciParsers/githubActions.js +79 -0
package/lib/helpers/ciParsers/githubActions.poku.js +103 -0
package/lib/helpers/communityAiConfigParser.js +15 -5
package/lib/helpers/communityAiConfigParser.poku.js +71 -0
package/lib/helpers/depsUtils.js +5 -0
package/lib/helpers/depsUtils.poku.js +55 -0
package/lib/helpers/display.js +45 -22
package/lib/helpers/display.poku.js +47 -60
package/lib/helpers/mcpConfigParser.js +21 -5
package/lib/helpers/mcpConfigParser.poku.js +39 -2
package/lib/helpers/propertySanitizer.js +121 -0
package/lib/helpers/utils.js +951 -40
package/lib/helpers/utils.poku.js +882 -0
package/lib/managers/binary.js +16 -0
package/lib/managers/binary.poku.js +1 -0
package/lib/managers/docker.js +240 -16
package/lib/managers/docker.poku.js +1142 -2
package/lib/server/server.js +7 -4
package/lib/server/server.poku.js +36 -1
package/lib/stages/postgen/auditBom.poku.js +644 -2
package/package.json +2 -1
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/agentFormulationParser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/chromextutils.d.ts.map +1 -1
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/communityAiConfigParser.d.ts.map +1 -1
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +1 -0
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts.map +1 -1
package/types/lib/helpers/propertySanitizer.d.ts +3 -0
package/types/lib/helpers/propertySanitizer.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +29 -0
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts +3 -0
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +1 -0
package/types/lib/server/server.d.ts.map +1 -1

package/lib/stages/postgen/auditBom.poku.js CHANGED Viewed

@@ -190,7 +190,7 @@ describe("evaluateRule", () => {
     );
   });
-  it("should detect npm install script from non-registry source (PKG-001)", async () => {
+  it("should detect npm install script from direct manifest source (PKG-001)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "PKG-001");
     assert.ok(rule, "PKG-001 rule should exist");
@@ -198,7 +198,11 @@ describe("evaluateRule", () => {
     const bom = makeBom([
       makeComponent("sketchy-pkg", "1.0.0", [
         ["cdx:npm:hasInstallScript", "true"],
-        ["cdx:npm:isRegistryDependency", "false"],
+        ["cdx:npm:manifestSourceType", "git"],
+        [
+          "cdx:npm:manifestSource",
+          "git+https://github.com/acme/sketchy-pkg.git",
+        ],
       ]),
     ]);
@@ -207,6 +211,122 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "high");
   });
+  it("should detect npm install scripts from url and path manifest sources for PKG-001", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-001");
+    assert.ok(rule, "PKG-001 rule should exist");
+    for (const manifestSourceType of ["url", "path"]) {
+      const bom = makeBom([
+        makeComponent(`sketchy-${manifestSourceType}`, "1.0.0", [
+          ["cdx:npm:hasInstallScript", "true"],
+          ["cdx:npm:manifestSourceType", manifestSourceType],
+          ["cdx:npm:manifestSource", `${manifestSourceType}:example`],
+        ]),
+      ]);
+      const findings = await evaluateRule(rule, bom);
+      assert.ok(findings.length > 0);
+    }
+  });
+  it("should not detect npm install script without manifest source evidence for PKG-001", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-001");
+    assert.ok(rule, "PKG-001 rule should exist");
+    const bom = makeBom([
+      makeComponent("registry-pkg", "1.0.0", [
+        ["cdx:npm:hasInstallScript", "true"],
+        ["cdx:npm:isRegistryDependency", "false"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect Collider packages from insecure HTTP origins (PKG-009)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-009");
+    assert.ok(rule, "PKG-009 rule should exist");
+    const bom = makeBom([
+      makeComponent("fmt", "11.0.2", [
+        ["cdx:collider:dependencyKind", "direct"],
+        ["cdx:collider:origin", "http://mirror.example.com/collider/v2/"],
+        ["cdx:collider:originScheme", "http"],
+        ["cdx:collider:originHost", "mirror.example.com"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect insecure Collider origin");
+    assert.strictEqual(findings[0].ruleId, "PKG-009");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+  it("should detect Collider origins that required sanitization (PKG-010)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-010");
+    assert.ok(rule, "PKG-010 rule should exist");
+    const bom = makeBom([
+      makeComponent("spdlog", "1.15.0", [
+        ["cdx:collider:dependencyKind", "direct"],
+        ["cdx:collider:origin", "https://example.com/collider/v2/"],
+        ["cdx:collider:originScheme", "https"],
+        ["cdx:collider:originSanitized", "true"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect sanitized Collider origin");
+    assert.strictEqual(findings[0].ruleId, "PKG-010");
+    assert.strictEqual(findings[0].severity, "low");
+  });
+  it("should detect python dependency from direct manifest source (PKG-011)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "PKG-011");
+    assert.ok(rule, "PKG-011 rule should exist");
+    const bom = makeBom([
+      makeComponent("suspicious-python-pkg", "1.0.0", [
+        ["cdx:pypi:manifestSourceType", "url"],
+        [
+          "cdx:pypi:manifestSource",
+          "https://example.com/suspicious-python-pkg.whl",
+        ],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect python direct source risk");
+    assert.strictEqual(findings[0].ruleId, "PKG-011");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect Collider packages missing valid wrap hashes (INT-014)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "INT-014");
+    assert.ok(rule, "INT-014 rule should exist");
+    const bom = makeBom([
+      makeComponent("fast_float", "8.0.2", [
+        ["cdx:collider:dependencyKind", "transitive"],
+        ["cdx:collider:hasWrapHash", "false"],
+        ["cdx:collider:wrapHash", "not-a-sha256"],
+        ["cdx:collider:wrapHashInvalid", "true"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect missing Collider wrap hash");
+    assert.strictEqual(findings[0].ruleId, "INT-014");
+    assert.strictEqual(findings[0].severity, "high");
+  });
   it("should detect OIDC token issuance to a non-official action (CI-002)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "CI-002");
@@ -1434,6 +1554,528 @@ describe("evaluateRule", () => {
     assert.match(findings[0].message, /Heuristic review/);
   });
+  it("should detect disabled npm cache when npm distributions are resolved remotely (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "left-pad",
+          version: "1.3.0",
+          purl: "pkg:npm/left-pad@1.3.0",
+          "bom-ref": "pkg:npm/left-pad@1.3.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "url",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+            {
+              name: "cdx:github:action:buildCacheDisableInput",
+              value: "package-manager-cache",
+            },
+            {
+              name: "cdx:github:action:buildCacheDisableValue",
+              value: "false",
+            },
+            {
+              name: "cdx:github:workflow:file",
+              value: ".github/workflows/ci.yml",
+            },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled npm cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+  it("should detect disabled npm cache for git manifest sources (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "git-dep",
+          version: "2.0.0",
+          purl: "pkg:npm/git-dep@2.0.0",
+          "bom-ref": "pkg:npm/git-dep@2.0.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "git+https://github.com/acme/git-dep.git",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "git",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "git+https://github.com/acme/git-dep.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled npm cache");
+  });
+  it("should not detect disabled npm cache for registry-only npm dependencies (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "left-pad",
+          version: "1.3.0",
+          purl: "pkg:npm/left-pad@1.3.0",
+          "bom-ref": "pkg:npm/left-pad@1.3.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should not detect disabled npm cache for local path manifest sources (CI-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-022");
+    assert.ok(rule, "CI-022 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "local-dep",
+          version: "1.0.0",
+          purl: "pkg:npm/local-dep@1.0.0",
+          "bom-ref": "pkg:npm/local-dep@1.0.0",
+          externalReferences: [
+            {
+              type: "distribution",
+              url: "file:../libs/local-dep",
+            },
+          ],
+          properties: [
+            {
+              name: "cdx:npm:manifestSourceType",
+              value: "path",
+            },
+            {
+              name: "cdx:npm:manifestSource",
+              value: "file:../libs/local-dep",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-node",
+          version: "v4",
+          purl: "pkg:github/actions/setup-node@v4",
+          "bom-ref": "pkg:github/actions/setup-node@v4",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-node@v4",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "npm" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect disabled Python cache when pylock sources use remote artifacts (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "requests",
+          version: "2.32.0",
+          purl: "pkg:pypi/requests@2.32.0",
+          "bom-ref": "pkg:pypi/requests@2.32.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "url",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value:
+                "https://files.pythonhosted.org/packages/requests-2.32.0.tar.gz",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+            {
+              name: "cdx:github:action:buildCacheDisableInput",
+              value: "cache",
+            },
+            {
+              name: "cdx:github:action:buildCacheDisableValue",
+              value: "false",
+            },
+            {
+              name: "cdx:github:workflow:file",
+              value: ".github/workflows/ci.yml",
+            },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Python cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+  it("should detect disabled Python cache for git manifest sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "private-lib",
+          version: "1.0.0",
+          purl: "pkg:pypi/private-lib@1.0.0",
+          "bom-ref": "pkg:pypi/private-lib@1.0.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "git",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value: "git+https://github.com/acme/private-lib.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Python cache");
+  });
+  it("should not detect disabled Python cache for registry-only lockfile sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "requests",
+          version: "2.32.0",
+          purl: "pkg:pypi/requests@2.32.0",
+          "bom-ref": "pkg:pypi/requests@2.32.0",
+          properties: [
+            {
+              name: "cdx:pylock:archive",
+              value:
+                '{"url":"https://files.pythonhosted.org/packages/requests-2.32.0.tar.gz"}',
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should not detect disabled Python cache for local path manifest sources (CI-023)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-023");
+    assert.ok(rule, "CI-023 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "local-lib",
+          version: "1.0.0",
+          purl: "pkg:pypi/local-lib@1.0.0",
+          "bom-ref": "pkg:pypi/local-lib@1.0.0",
+          properties: [
+            {
+              name: "cdx:pypi:manifestSourceType",
+              value: "path",
+            },
+            {
+              name: "cdx:pypi:manifestSource",
+              value: "../libs/local-lib",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-python",
+          version: "v5",
+          purl: "pkg:github/actions/setup-python@v5",
+          "bom-ref": "pkg:github/actions/setup-python@v5",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "actions/setup-python@v5",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "pypi" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect disabled Cargo cache for git manifest sources (CI-024)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-024");
+    assert.ok(rule, "CI-024 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "git-crate",
+          version: "git+https://github.com/acme/git-crate.git",
+          purl: "pkg:cargo/git-crate@git+https://github.com/acme/git-crate.git",
+          "bom-ref":
+            "pkg:cargo/git-crate@git+https://github.com/acme/git-crate.git",
+          properties: [
+            {
+              name: "cdx:cargo:git",
+              value: "https://github.com/acme/git-crate.git",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-rust",
+          version: "v1",
+          purl: "pkg:github/moonrepo/setup-rust@v1",
+          "bom-ref": "pkg:github/moonrepo/setup-rust@v1",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "moonrepo/setup-rust@v1",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "cargo" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled Cargo cache");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+  it("should not detect disabled Cargo cache for local path manifest sources (CI-024)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-024");
+    assert.ok(rule, "CI-024 rule should exist");
+    const bom = makeBom(
+      [
+        {
+          type: "library",
+          name: "path-crate",
+          version: "path+../path-crate",
+          purl: "pkg:cargo/path-crate@path+../path-crate",
+          "bom-ref": "pkg:cargo/path-crate@path+../path-crate",
+          properties: [
+            {
+              name: "cdx:cargo:path",
+              value: "../path-crate",
+            },
+          ],
+        },
+      ],
+      [],
+      [
+        {
+          type: "application",
+          name: "setup-rust",
+          version: "v1",
+          purl: "pkg:github/moonrepo/setup-rust@v1",
+          "bom-ref": "pkg:github/moonrepo/setup-rust@v1",
+          properties: [
+            {
+              name: "cdx:github:action:uses",
+              value: "moonrepo/setup-rust@v1",
+            },
+            { name: "cdx:github:action:disablesBuildCache", value: "true" },
+            { name: "cdx:github:action:buildCacheEcosystem", value: "cargo" },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
   it("should detect root authorized_keys without restrictions (OBOM-LNX-003)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "OBOM-LNX-003");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "12.3.2",
+  "version": "12.3.3",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -98,6 +98,7 @@
   "files": [
     "*.js",
     "lib/**",
+    "!lib/**/*.poku.js",
     "bin/",
     "data/",
     "types/",