@cyclonedx/cdxgen 12.3.2 → 12.3.3

package/lib/helpers/depsUtils.poku.js

@@ -208,6 +208,61 @@ describe("trimComponents()", () => {
       { alg: "SHA-256", content: "def456" },
     ]);
   });
+
+  it("retains identity tool references when merging duplicate components", () => {
+    const components = [
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/trivy@0.1.0"],
+            },
+          ],
+        },
+      },
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/blint@1.2.3"],
+            },
+          ],
+        },
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].evidence.identity[0].tools, [
+      "pkg:generic/trivy@0.1.0",
+      "pkg:generic/blint@1.2.3",
+    ]);
+  });
 });
 
 describe("mergeServices()", () => {

package/lib/helpers/display.js

@@ -65,10 +65,44 @@ const formatComponentName = (component, highlight) => {
   return displayName;
 };
 
-const printProvenanceLegend = () => {
-  console.log(
-    `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
-  );
+/**
+ * Builds the summary and provenance lines printed after the component table.
+ *
+ * @param {Object} bomJson CycloneDX BOM JSON object
+ * @param {string[]|undefined} filterTypes Optional list of component types to include
+ * @param {string|undefined} summaryText Optional summary message to print after the table
+ * @param {number} displayedProvenanceCount Number of displayed components with registry provenance
+ * @returns {string[]} Summary lines to print
+ */
+export const buildTableSummaryLines = (
+  bomJson,
+  filterTypes,
+  summaryText,
+  displayedProvenanceCount = 0,
+) => {
+  const summaryLines = [];
+  if (summaryText) {
+    summaryLines.push(summaryText);
+  } else if (!filterTypes) {
+    summaryLines.push(
+      `BOM includes ${bomJson?.components?.length || 0} components and ${
+        bomJson?.dependencies?.length || 0
+      } dependencies`,
+    );
+  } else {
+    summaryLines.push(
+      `Components filtered based on type: ${filterTypes.join(", ")}`,
+    );
+  }
+  if (displayedProvenanceCount > 0) {
+    summaryLines.push(
+      `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
+    );
+    summaryLines.push(
+      `${REGISTRY_PROVENANCE_ICON} ${displayedProvenanceCount} component(s) include registry provenance or trusted publishing metadata.`,
+    );
+  }
+  return summaryLines;
 };
 
 /**
@@ -247,24 +281,13 @@ export function printTable(
   }
   stream.end();
   console.log();
-  if (summaryText) {
-    console.log(summaryText);
-  } else if (!filterTypes) {
-    console.log(
-      "BOM includes",
-      bomJson?.components?.length || 0,
-      "components and",
-      bomJson?.dependencies?.length || 0,
-      "dependencies",
-    );
-  } else {
-    console.log(`Components filtered based on type: ${filterTypes.join(", ")}`);
-  }
-  if (displayedProvenanceCount > 0) {
-    printProvenanceLegend();
-    console.log(
-      `${REGISTRY_PROVENANCE_ICON} ${displayedProvenanceCount} component(s) include registry provenance or trusted publishing metadata.`,
-    );
+  for (const line of buildTableSummaryLines(
+    bomJson,
+    filterTypes,
+    summaryText,
+    displayedProvenanceCount,
+  )) {
+    console.log(line);
   }
 }
 const formatProps = (props) => {

package/lib/helpers/display.poku.js

@@ -8,6 +8,7 @@ import {
   buildActivitySummaryPayload,
   buildDependencyTreeLegendLines,
   buildDependencyTreeLines,
+  buildTableSummaryLines,
   printDependencyTree,
   serializeActivitySummary,
 } from "./display.js";
@@ -22,75 +23,61 @@ it("print tree test", () => {
 
 it("prints a provenance icon for registry-backed components", async () => {
   const rows = [];
-  const consoleLogStub = sinon.stub(console, "log");
-  try {
-    const { printTable } = await esmock("./display.js", {
-      "./table.js": {
-        createStream: () => ({
-          end() {
-            // intentional no-op for stream stub
-          },
-          write(row) {
-            rows.push(row);
-          },
-        }),
-        table: sinon.stub().returns(""),
-      },
-      "./utils.js": {
-        isSecureMode: false,
-        safeExistsSync: sinon.stub(),
-        toCamel: sinon.stub(),
-      },
-    });
-
-    printTable(
+  const bomJson = {
+    components: [
       {
-        components: [
-          {
-            group: "",
-            name: "left-pad",
-            properties: [
-              {
-                name: "cdx:npm:provenanceUrl",
-                value:
-                  "https://registry.npmjs.org/-/npm/v1/attestations/left-pad",
-              },
-            ],
-            type: "library",
-            version: "1.3.0",
-          },
+        group: "",
+        name: "left-pad",
+        properties: [
           {
-            group: "",
-            name: "lodash",
-            properties: [],
-            type: "library",
-            version: "4.17.21",
+            name: "cdx:npm:provenanceUrl",
+            value: "https://registry.npmjs.org/-/npm/v1/attestations/left-pad",
           },
         ],
-        dependencies: [],
+        type: "library",
+        version: "1.3.0",
       },
-      undefined,
-      undefined,
-      "Found 1 trusted component.",
-    );
+      {
+        group: "",
+        name: "lodash",
+        properties: [],
+        type: "library",
+        version: "4.17.21",
+      },
+    ],
+    dependencies: [],
+  };
+  const { printTable } = await esmock("./display.js", {
+    "./table.js": {
+      createStream: () => ({
+        end() {
+          // intentional no-op for stream stub
+        },
+        write(row) {
+          rows.push(row);
+        },
+      }),
+      table: sinon.stub().returns(""),
+    },
+    "./utils.js": {
+      isSecureMode: false,
+      safeExistsSync: sinon.stub(),
+      toCamel: sinon.stub(),
+    },
+  });
 
-    assert.strictEqual(rows[1][1], `${REGISTRY_PROVENANCE_ICON} left-pad`);
-    assert.strictEqual(rows[2][1], "lodash");
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
+  printTable(bomJson, undefined, undefined, "Found 1 trusted component.");
+
+  assert.strictEqual(rows[1][1], `${REGISTRY_PROVENANCE_ICON} left-pad`);
+  assert.strictEqual(rows[2][1], "lodash");
+  assert.deepStrictEqual(
+    buildTableSummaryLines(bomJson, undefined, "Found 1 trusted component.", 1),
+    [
       "Found 1 trusted component.",
-    );
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
       `Legend: ${REGISTRY_PROVENANCE_ICON} = registry provenance or trusted publishing evidence`,
-    );
-    sinon.assert.calledWithExactly(
-      consoleLogStub,
       `${REGISTRY_PROVENANCE_ICON} 1 component(s) include registry provenance or trusted publishing metadata.`,
-    );
-  } finally {
-    consoleLogStub.restore();
-  }
+    ],
+  );
 });
 
 it("displaySelfThreatModel does not assume a default TLP classification", async () => {

package/lib/helpers/mcpConfigParser.js

@@ -9,6 +9,10 @@ import {
   providerNamesForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import {
+  sanitizeBomPropertyValue,
+  sanitizeBomUrl,
+} from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const MCP_CONFIG_PATTERNS = [
@@ -40,13 +44,22 @@ const SECRET_FIELD_NAME_PATTERN =
 const ENV_REFERENCE_PATTERN = /(?:\$\{?[A-Z0-9_]+\}?|%[A-Z0-9_]+%)/u;
 
 function addUniqueProperty(properties, name, value) {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === String(sanitizedValue),
+    )
+  ) {
     return;
   }
-  properties.push({ name, value: String(value) });
+  properties.push({ name, value: String(sanitizedValue) });
 }
 
 function normalizeFilePath(filePath) {
@@ -380,6 +393,9 @@ function createServiceFromConfig(
   const command = normalized.command;
   const args = normalized.args;
   const endpoints = extractEndpoints(serverConfig);
+  const sanitizedEndpoints = endpoints.map((endpoint) =>
+    sanitizeBomUrl(endpoint),
+  );
   const transport = inferTransport(serverConfig, endpoints);
   const authHints = authHintsFromValue(serverConfig);
   const authPosture = authPostureForConfig(serverConfig, endpoints, authHints);
@@ -396,7 +412,7 @@ function createServiceFromConfig(
     JSON.stringify({
       args,
       command,
-      endpoints,
+      endpoints: sanitizedEndpoints,
       env: serverConfig?.env || serverConfig?.environment || {},
     }),
   );
@@ -534,7 +550,7 @@ function createServiceFromConfig(
   return {
     "bom-ref": `urn:service:mcp:${sanitizeMcpRefToken(serviceName)}:${sanitizeMcpRefToken(version)}`,
     authenticated,
-    endpoints,
+    endpoints: sanitizedEndpoints,
     group: "mcp",
     name: serviceName,
     properties,

package/lib/helpers/mcpConfigParser.poku.js

@@ -69,7 +69,7 @@ describe("mcpConfigParser", () => {
             args: [
               "--token",
               "sk_test_super_secret_value",
-              "https://docs.example.com/mcp",
+              "https://user:pass@docs.example.com/mcp?access_token=secret#frag",
             ],
             command: "npx",
             env: {
@@ -99,7 +99,7 @@ describe("mcpConfigParser", () => {
     );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialExposureFieldCount"),
-      "3",
+      "4",
     );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialReferenceCount"),
@@ -109,6 +109,12 @@ describe("mcpConfigParser", () => {
       getProp(component, "cdx:mcp:credentialExposedServiceCount"),
       "1",
     );
+    assert.strictEqual(getProp(service, "cdx:mcp:command"), "npx");
+    assert.deepStrictEqual(service.endpoints, ["https://docs.example.com/mcp"]);
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:configuredEndpoints"),
+      "https://docs.example.com/mcp",
+    );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialRiskIndicators"),
       undefined,
@@ -123,4 +129,35 @@ describe("mcpConfigParser", () => {
       undefined,
     );
   });
+
+  it("summarizes Windows executable paths with spaces safely", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("/repo/.vscode/mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          releaseDocs: {
+            args: ["--inspect"],
+            command: "C:\\Program Files\\nodejs\\node.exe --inspect",
+            mcp: true,
+            transport: "stdio",
+          },
+        },
+      }),
+    );
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse(["/repo/.vscode/mcp.json"]);
+
+    assert.strictEqual(
+      getProp(result.services[0], "cdx:mcp:command") ||
+        getProp(result.components[0], "cdx:mcp:command"),
+      "node.exe",
+    );
+  });
 });

package/lib/helpers/propertySanitizer.js

@@ -0,0 +1,121 @@
+import path from "node:path";
+
+const DANGEROUS_OBJECT_KEYS = new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+]);
+const INLINE_CREDENTIAL_PATTERNS = [
+  /\bAKIA[0-9A-Z]{16}\b/gu,
+  /\bbearer\s+[a-z0-9._-]{16,}\b/giu,
+  /\b(?:sk|rk|pk)_[a-z0-9_-]{8,}\b/giu,
+  /\bgh[pousr]_[a-z0-9]{20,}\b/giu,
+  /\bAIza[0-9A-Za-z_-]{20,}\b/gu,
+];
+const JSON_PROPERTY_NAMES = new Set([
+  "cdx:agent:permission",
+  "cdx:mcp:toolAnnotations",
+  "cdx:skill:metadata",
+]);
+const URL_PATTERN = /https?:\/\/[^\s<>"'),\]}]+/giu;
+
+function sanitizeUrlForBom(value) {
+  const input = String(value || "").trim();
+  if (!input) {
+    return input;
+  }
+  try {
+    const parsed = new URL(input);
+    parsed.username = "";
+    parsed.password = "";
+    parsed.search = "";
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return input;
+  }
+}
+
+function sanitizeTextForBom(value) {
+  let sanitized = String(value ?? "");
+  sanitized = sanitized.replace(URL_PATTERN, (match) =>
+    sanitizeUrlForBom(match),
+  );
+  for (const pattern of INLINE_CREDENTIAL_PATTERNS) {
+    sanitized = sanitized.replace(pattern, "[redacted]");
+  }
+  return sanitized;
+}
+
+function sanitizeStructuredValueForBom(value) {
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeStructuredValueForBom(entry));
+  }
+  if (value && typeof value === "object") {
+    const sanitized = {};
+    for (const [key, entryValue] of Object.entries(value)) {
+      if (DANGEROUS_OBJECT_KEYS.has(key)) {
+        continue;
+      }
+      sanitized[key] = sanitizeStructuredValueForBom(entryValue);
+    }
+    return sanitized;
+  }
+  return value;
+}
+
+function extractCommandExecutable(command) {
+  const trimmedCommand = String(command || "").trim();
+  if (!trimmedCommand) {
+    return "";
+  }
+  const quotedMatch = trimmedCommand.match(/^(['"])(.*?)\1/u);
+  if (quotedMatch?.[2]) {
+    return quotedMatch[2];
+  }
+  const absolutePathMatch = trimmedCommand.match(
+    /^((?:[A-Za-z]:\\|\/).*?\.(?:bat|bin|cjs|cmd|com|exe|jar|js|mjs|ps1|py|rb|sh|ts|tsx))(?=\s|$)/iu,
+  );
+  if (absolutePathMatch?.[1]) {
+    return absolutePathMatch[1];
+  }
+  return trimmedCommand.split(/\s+/u)[0];
+}
+
+function summarizeExecutable(command) {
+  const executable = extractCommandExecutable(command);
+  if (!executable) {
+    return "configured";
+  }
+  if (executable.includes("\\")) {
+    return path.win32.basename(executable) || "configured";
+  }
+  return path.posix.basename(executable) || "configured";
+}
+
+export function sanitizeBomUrl(value) {
+  return sanitizeUrlForBom(value);
+}
+
+export function sanitizeBomPropertyValue(name, value) {
+  if (value === undefined || value === null || value === "") {
+    return value;
+  }
+  if (name === "cdx:mcp:command") {
+    const sanitizedCommand = sanitizeTextForBom(value).trim();
+    if (!sanitizedCommand) {
+      return sanitizedCommand;
+    }
+    return summarizeExecutable(sanitizedCommand);
+  }
+  if (JSON_PROPERTY_NAMES.has(name) || typeof value === "object") {
+    return JSON.stringify(sanitizeStructuredValueForBom(value));
+  }
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  return value;
+}