@cyclonedx/cdxgen 12.3.2 → 12.3.3

package/lib/helpers/agentFormulationParser.poku.js

@@ -0,0 +1,42 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+describe("agentFormulationParser", () => {
+  it("sanitizes inferred MCP URLs before emitting them", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync
+      .withArgs("/repo/AGENTS.md", "utf-8")
+      .returns(
+        [
+          "Use the remote MCP endpoint at",
+          "https://user:pass@example.com/mcp?access_token=abc#frag",
+          "during release preparation.",
+        ].join(" "),
+      );
+    const { agentFormulationParser } = await esmock(
+      "./agentFormulationParser.js",
+      {
+        "node:fs": { readFileSync },
+        "./unicodeScan.js": { scanTextForHiddenUnicode },
+      },
+    );
+
+    const result = agentFormulationParser.parse(["/repo/AGENTS.md"]);
+
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:agent:hiddenMcpUrls"),
+      "https://example.com/mcp",
+    );
+    assert.deepStrictEqual(result.services[0].endpoints, [
+      "https://example.com/mcp",
+    ]);
+  });
+});

package/lib/helpers/analyzer.js

@@ -8,6 +8,10 @@ import traverse from "@babel/traverse";
 
 import { classifyMcpReference } from "./mcp.js";
 import { isLocalHost, sanitizeMcpRefToken } from "./mcpDiscovery.js";
+import {
+  sanitizeBomPropertyValue,
+  sanitizeBomUrl,
+} from "./propertySanitizer.js";
 
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")
@@ -1509,13 +1513,26 @@ const providerFamilyFromModelName = (modelName) => {
 };
 
 const addUniqueProperty = (properties, name, value) => {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  const normalizedValue =
+    typeof sanitizedValue === "string"
+      ? sanitizedValue
+      : String(sanitizedValue);
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === normalizedValue,
+    )
+  ) {
     return;
   }
-  properties.push({ name, value });
+  properties.push({ name, value: normalizedValue });
 };
 
 const rootMemberName = (value) => String(value || "").split(".")[0];
@@ -1823,14 +1840,18 @@ const primitiveComponentForMcp = (serviceInfo, primitive) => {
     addUniqueProperty(
       properties,
       "cdx:mcp:toolAnnotations",
-      JSON.stringify(primitive.annotations),
+      primitive.annotations,
     );
   }
   return {
     "bom-ref": primitiveRef,
-    description:
-      primitive.description ||
-      `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        primitive.description ||
+          `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+      ) || "",
+    ),
     name: primitiveName,
     properties,
     scope: "required",
@@ -2056,8 +2077,16 @@ const serviceObjectForMcp = (serviceInfo) => {
   return {
     "bom-ref": serviceRef,
     authenticated: serviceInfo.authenticated,
-    description: serviceInfo.description,
-    endpoints: Array.from(serviceInfo.endpoints).sort(),
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        serviceInfo.description || "",
+      ) || "",
+    ),
+    endpoints: Array.from(serviceInfo.endpoints)
+      .map((endpoint) => sanitizeBomUrl(endpoint))
+      .filter(Boolean)
+      .sort(),
     group: "mcp",
     name: serviceName,
     properties,

package/lib/helpers/analyzer.poku.js

@@ -7,6 +7,7 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
+import { URL } from "node:url";
 
 import { assert, describe, it } from "poku";
 
@@ -530,6 +531,72 @@ describe("detectMcpInventory()", () => {
       ),
     );
   });
+
+  it("sanitizes source-code-analysis MCP metadata before emission", () => {
+    const projectDir = createProjectFiles("mcp-sanitized-source-analysis", {
+      "src/server.ts": [
+        "import { McpServer } from '@modelcontextprotocol/server';",
+        "import { StreamableHTTPClientTransport } from '@modelcontextprotocol/client';",
+        "const server = new McpServer({",
+        "  name: 'sanitized-server',",
+        "  version: '0.3.0',",
+        "  description: 'Use https://user:pass@example.com/mcp?token=abc#frag and Bearer sk_test_super_secret_value',",
+        "});",
+        "server.registerTool(",
+        "  'download',",
+        "  {",
+        "    description: 'Download from https://user:pass@example.com/tool?token=abc#frag',",
+        "    annotations: {",
+        "      Authorization: 'Bearer sk_test_super_secret_value',",
+        "      nested: { __proto__: 'polluted', endpoint: 'https://user:pass@example.com/tool?token=abc#frag' },",
+        "    },",
+        "  },",
+        "  async () => ({ content: [] }),",
+        ");",
+        "server.registerResource(",
+        "  'private-docs',",
+        "  'https://user:pass@example.com/docs?token=abc#frag',",
+        "  { description: 'Private docs' },",
+        "  async () => ({ contents: [] }),",
+        ");",
+        "const transport = new StreamableHTTPClientTransport(new URL('https://user:pass@example.com/mcp?access_token=secret#frag'));",
+        "void transport;",
+      ].join("\n"),
+    });
+
+    const inventory = detectMcpInventory(projectDir);
+    const service = inventory.services[0];
+    const toolComponent = inventory.components.find(
+      (component) => component.name === "download",
+    );
+    const resourceComponent = inventory.components.find(
+      (component) => component.name === "private-docs",
+    );
+
+    assert.strictEqual(
+      service.description,
+      "Use https://example.com/mcp and [redacted]",
+    );
+    const serviceEndpoint = new URL(service.endpoints[0]);
+    assert.strictEqual(serviceEndpoint.hostname, "example.com");
+    assert.strictEqual(serviceEndpoint.pathname, "/mcp");
+    assert.strictEqual(
+      getProp(resourceComponent, "cdx:mcp:resourceUri"),
+      "https://example.com/docs",
+    );
+    assert.strictEqual(
+      toolComponent.description,
+      "Download from https://example.com/tool",
+    );
+    const toolAnnotations = JSON.parse(
+      getProp(toolComponent, "cdx:mcp:toolAnnotations"),
+    );
+    assert.strictEqual(toolAnnotations.Authorization, "[redacted]");
+    assert.ok(
+      !JSON.stringify(toolAnnotations).includes("sk_test_super_secret_value"),
+    );
+    assert.ok(!JSON.stringify(toolAnnotations).includes("__proto__"));
+  });
 });
 
 describe("detectPythonMcpInventory()", () => {

package/lib/helpers/chromextutils.js

@@ -9,6 +9,7 @@ import {
   CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES,
   detectExtensionCapabilities,
 } from "./analyzer.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { isMac, isWin, safeExistsSync } from "./utils.js";
 
 /**
@@ -850,7 +851,12 @@ export function toComponent(extInfo) {
   const component = {
     name: extensionId,
     version: extInfo.version || "",
-    description: extInfo.displayName || extInfo.description || "",
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:chrome-extension:description",
+        extInfo.displayName || extInfo.description || "",
+      ) || "",
+    ),
     purl,
     "bom-ref": decodeURIComponent(purl),
     type: "application",
@@ -1035,8 +1041,24 @@ export function toComponent(extInfo) {
   if (extInfo.srcPath) {
     properties.push({ name: "SrcFile", value: extInfo.srcPath });
   }
-  if (properties.length) {
-    component.properties = properties;
+  const sanitizedProperties = properties
+    .map((property) => {
+      const sanitizedValue = sanitizeBomPropertyValue(
+        property.name,
+        property.value,
+      );
+      if (
+        sanitizedValue === undefined ||
+        sanitizedValue === null ||
+        sanitizedValue === ""
+      ) {
+        return undefined;
+      }
+      return { name: property.name, value: String(sanitizedValue) };
+    })
+    .filter(Boolean);
+  if (sanitizedProperties.length) {
+    component.properties = sanitizedProperties;
   }
   return component;
 }

package/lib/helpers/chromextutils.poku.js

@@ -142,6 +142,74 @@ describe("parseChromiumExtensionManifest", () => {
     assert.strictEqual(parsed.hasAutofill, false);
   });
 
+  it("sanitizes emitted URL properties before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-extension");
+    const extensionId = "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        name: "Sanitized URLs",
+        version: extensionVersion,
+        update_url: "https://user:pass@example.com/update.xml?token=abc#frag",
+        host_permissions: [
+          "https://user:pass@example.com/*?token=abc#frag",
+          "<all_urls>",
+        ],
+        externally_connectable: {
+          matches: ["https://user:pass@example.com/*?token=abc#frag"],
+        },
+      }),
+      "utf-8",
+    );
+
+    const result = collectChromeExtensionsFromPath(versionDir);
+
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:updateUrl"),
+      "https://example.com/update.xml",
+    );
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:hostPermissions"),
+      "https://example.com/*, <all_urls>",
+    );
+    assert.strictEqual(
+      getProp(
+        result.components[0],
+        "cdx:chrome-extension:externallyConnectableMatches",
+      ),
+      "https://example.com/*",
+    );
+  });
+
+  it("sanitizes emitted extension descriptions before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-description-extension");
+    const extensionId = "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        description:
+          "Connect with Bearer sk_test_super_secret_value at https://user:pass@example.com/path?token=abc#frag",
+        version: extensionVersion,
+      }),
+      "utf-8",
+    );
+
+    const result = collectChromeExtensionsFromPath(versionDir);
+
+    assert.strictEqual(
+      result.components[0].description,
+      "Connect with [redacted] at https://example.com/path",
+    );
+  });
+
   it("should parse real manifest fixtures from Chrome, Chromium and Edge extensions", () => {
     const fixtureCases = [
       {

package/lib/helpers/ciParsers/githubActions.js

@@ -112,6 +112,34 @@ const CARGO_CACHE_ACTION_PATTERNS = [/^swatinem\/rust-cache(?:@|$)/i];
 
 const CARGO_TOOL_INSTALL_ACTION_PATTERNS = [/^taiki-e\/install-action(?:@|$)/i];
 
+const DEPENDENCY_CACHE_SETUP_ACTIONS = [
+  {
+    pattern: /^actions\/setup-node(?:@|$)/i,
+    ecosystem: "npm",
+    inputNames: ["package-manager-cache", "cache"],
+  },
+  {
+    pattern: /^actions\/setup-python(?:@|$)/i,
+    ecosystem: "pypi",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-go(?:@|$)/i,
+    ecosystem: "go",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-java(?:@|$)/i,
+    ecosystem: "java",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^moonrepo\/setup-rust(?:@|$)/i,
+    ecosystem: "cargo",
+    inputNames: ["cache"],
+  },
+];
+
 const FORK_CONTEXT_PATTERNS = [
   [
     "github.event.pull_request.head.repo.fork",
@@ -479,6 +507,56 @@ function analyzeCargoActionStep(step) {
   return props;
 }
 
+function isExplicitFalseLikeValue(value) {
+  if (value === false) {
+    return true;
+  }
+  if (typeof value !== "string") {
+    return false;
+  }
+  return ["0", "false", "no", "off", "disabled"].includes(
+    value.trim().toLowerCase(),
+  );
+}
+
+function analyzeSetupActionCacheStep(step) {
+  const props = [];
+  if (!step?.uses || typeof step.uses !== "string") {
+    return props;
+  }
+  const setupAction = DEPENDENCY_CACHE_SETUP_ACTIONS.find((candidate) =>
+    candidate.pattern.test(step.uses),
+  );
+  if (!setupAction || !step.with || typeof step.with !== "object") {
+    return props;
+  }
+  const disableInputName = setupAction.inputNames.find(
+    (inputName) =>
+      Object.hasOwn(step.with, inputName) &&
+      isExplicitFalseLikeValue(step.with[inputName]),
+  );
+  if (!disableInputName) {
+    return props;
+  }
+  props.push({
+    name: "cdx:github:action:disablesBuildCache",
+    value: "true",
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheEcosystem",
+    value: setupAction.ecosystem,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableInput",
+    value: disableInputName,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableValue",
+    value: String(step.with[disableInputName]),
+  });
+  return props;
+}
+
 function analyzeCargoRunStep(normalizedRun) {
   const props = [];
   if (!normalizedRun || typeof normalizedRun !== "string") {
@@ -2018,6 +2096,7 @@ export function parseWorkflowFile(f, options) {
           actionProperties.push(...analyzeCheckoutStep(step));
           actionProperties.push(...analyzeCacheStep(step));
           actionProperties.push(...analyzeCargoActionStep(step));
+          actionProperties.push(...analyzeSetupActionCacheStep(step));
           actionProperties.push(...analyzeDispatchActionStep(step));
           if (
             step.uses?.includes("actions/github-script") &&

package/lib/helpers/ciParsers/githubActions.poku.js

@@ -505,6 +505,109 @@ describe("githubActionsParser", () => {
     });
   });
 
+  describe("setup action cache disable property emission", () => {
+    it("emits cache disable properties for setup-node, setup-python, and setup-rust", () => {
+      const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-cache-"));
+      const workflowFile = path.join(tmpDir, "cache-disable.yml");
+      writeFileSync(
+        workflowFile,
+        [
+          "name: Cache disable",
+          "on: push",
+          "jobs:",
+          "  build:",
+          "    runs-on: ubuntu-latest",
+          "    steps:",
+          "      - uses: actions/setup-node@v4",
+          "        with:",
+          "          node-version: 20",
+          "          package-manager-cache: false",
+          "      - uses: actions/setup-python@v5",
+          "        with:",
+          "          python-version: '3.12'",
+          "          cache: false",
+          "      - uses: moonrepo/setup-rust@v1",
+          "        with:",
+          "          cache: false",
+        ].join("\n"),
+      );
+
+      try {
+        const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
+        const setupNodeComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-node@v4",
+        );
+        const setupPythonComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-python@v5",
+        );
+        const setupRustComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "moonrepo/setup-rust@v1",
+        );
+        assert.ok(setupNodeComp, "expected setup-node component");
+        assert.ok(setupPythonComp, "expected setup-python component");
+        assert.ok(setupRustComp, "expected setup-rust component");
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheEcosystem"),
+          "npm",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheDisableInput"),
+          "package-manager-cache",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheEcosystem"),
+          "pypi",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheEcosystem"),
+          "cargo",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("does not emit cache disable properties when cache is not explicitly disabled", () => {
+      const result = parseWorkflow("simple-build.yml");
+      const setupNodeComp = result.components.find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-node@v4",
+      );
+      assert.ok(setupNodeComp, "expected setup-node component");
+      assert.strictEqual(
+        getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+        undefined,
+      );
+    });
+  });
+
   describe("script injection interpolation detection", () => {
     it("detects github.event.pull_request interpolation", () => {
       const result = parseWorkflow("injection-pull-request-title.yml");

package/lib/helpers/communityAiConfigParser.js

@@ -8,6 +8,7 @@ import {
   credentialIndicatorsForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const COMMUNITY_AI_PATTERNS = [
@@ -46,13 +47,22 @@ const COMMUNITY_AI_PATTERNS = [
 ];
 
 function addUniqueProperty(properties, name, value) {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === String(sanitizedValue),
+    )
+  ) {
     return;
   }
-  properties.push({ name, value: String(value) });
+  properties.push({ name, value: String(sanitizedValue) });
 }
 
 function normalizeFilePath(filePath) {
@@ -217,7 +227,7 @@ function parseSkillFile(filePath, raw) {
     addUniqueProperty(
       component.properties,
       "cdx:skill:metadata",
-      JSON.stringify(metadata.metadata),
+      metadata.metadata,
     );
   }
   maybeAddFileSignals(component.properties, filePath, raw);
@@ -399,7 +409,7 @@ function parseOpencodeConfig(filePath, raw) {
       addUniqueProperty(
         component.properties,
         "cdx:agent:permission",
-        JSON.stringify(agentConfig.permission),
+        agentConfig.permission,
       );
     }
     components.push(component);

package/lib/helpers/communityAiConfigParser.poku.js

@@ -60,4 +60,75 @@ describe("communityAiConfigParser", () => {
       ),
     );
   });
+
+  it("sanitizes secret-bearing AI inventory properties before emission", async () => {
+    const readFileSync = sinon.stub();
+    readFileSync.withArgs("/repo/opencode.json", "utf-8").returns(
+      JSON.stringify({
+        agent: {
+          release: {
+            description:
+              "Deploy with https://user:pass@example.com/release?access_token=abc#frag and sk_test_super_secret_value",
+            permission: {
+              endpoints: [
+                "https://user:pass@example.com/private?token=abc#frag",
+              ],
+              __proto__: {
+                polluted: true,
+              },
+            },
+          },
+        },
+      }),
+    );
+    readFileSync
+      .withArgs("/repo/.claude/skills/release/SKILL.md", "utf-8")
+      .returns(
+        [
+          "---",
+          "name: release",
+          "description: Publish release notes",
+          "metadata:",
+          "  endpoint: https://user:pass@example.com/skill?token=abc#frag",
+          "  apiKey: sk_test_skill_secret_value",
+          "---",
+          "Use the release workflow.",
+        ].join("\n"),
+      );
+    const { communityAiConfigParser } = await esmock(
+      "./communityAiConfigParser.js",
+      {
+        "node:fs": { readFileSync },
+      },
+    );
+
+    const result = communityAiConfigParser.parse([
+      "/repo/opencode.json",
+      "/repo/.claude/skills/release/SKILL.md",
+    ]);
+    const agent = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "agent-config",
+    );
+    const skill = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "skill-file",
+    );
+
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:description"),
+      "Deploy with https://example.com/release and [redacted]",
+    );
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:permission"),
+      JSON.stringify({
+        endpoints: ["https://example.com/private"],
+      }),
+    );
+    assert.strictEqual(
+      getProp(skill, "cdx:skill:metadata"),
+      JSON.stringify({
+        endpoint: "https://example.com/skill",
+        apiKey: "[redacted]",
+      }),
+    );
+  });
 });

package/lib/helpers/depsUtils.js

@@ -272,6 +272,11 @@ export function trimComponents(components) {
                   if (!existIdent.methods) {
                     existIdent.methods = [];
                   }
+                  if (aident.tools?.length) {
+                    existIdent.tools = Array.from(
+                      new Set([...(existIdent.tools || []), ...aident.tools]),
+                    );
+                  }
                   let isDup = false;
                   for (const emethod of existIdent.methods) {
                     if (emethod?.value === amethod?.value) {