npm - @cyclonedx/cdxgen - Versions diffs - 12.3.2 → 12.3.3 - Mend

@cyclonedx/cdxgen 12.3.2 → 12.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/README.md +6 -0
package/data/rules/ci-permissions.yaml +132 -0
package/data/rules/dependency-sources.yaml +65 -5
package/data/rules/package-integrity.yaml +22 -0
package/lib/cli/index.js +141 -39
package/lib/cli/index.poku.js +579 -1
package/lib/helpers/agentFormulationParser.js +6 -2
package/lib/helpers/agentFormulationParser.poku.js +42 -0
package/lib/helpers/analyzer.js +38 -9
package/lib/helpers/analyzer.poku.js +67 -0
package/lib/helpers/chromextutils.js +25 -3
package/lib/helpers/chromextutils.poku.js +68 -0
package/lib/helpers/ciParsers/githubActions.js +79 -0
package/lib/helpers/ciParsers/githubActions.poku.js +103 -0
package/lib/helpers/communityAiConfigParser.js +15 -5
package/lib/helpers/communityAiConfigParser.poku.js +71 -0
package/lib/helpers/depsUtils.js +5 -0
package/lib/helpers/depsUtils.poku.js +55 -0
package/lib/helpers/display.js +45 -22
package/lib/helpers/display.poku.js +47 -60
package/lib/helpers/mcpConfigParser.js +21 -5
package/lib/helpers/mcpConfigParser.poku.js +39 -2
package/lib/helpers/propertySanitizer.js +121 -0
package/lib/helpers/utils.js +951 -40
package/lib/helpers/utils.poku.js +882 -0
package/lib/managers/binary.js +16 -0
package/lib/managers/binary.poku.js +1 -0
package/lib/managers/docker.js +240 -16
package/lib/managers/docker.poku.js +1142 -2
package/lib/server/server.js +7 -4
package/lib/server/server.poku.js +36 -1
package/lib/stages/postgen/auditBom.poku.js +644 -2
package/package.json +2 -1
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/agentFormulationParser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/chromextutils.d.ts.map +1 -1
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/communityAiConfigParser.d.ts.map +1 -1
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +1 -0
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts.map +1 -1
package/types/lib/helpers/propertySanitizer.d.ts +3 -0
package/types/lib/helpers/propertySanitizer.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +29 -0
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts +3 -0
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +1 -0
package/types/lib/server/server.d.ts.map +1 -1

package/lib/managers/docker.poku.js CHANGED Viewed

@@ -121,7 +121,11 @@ it("parseImageName tests", () => {
   );
 });
-async function loadDockerModule({ clientResponse, utilsOverrides } = {}) {
+async function loadDockerModule({
+  clientResponse,
+  fsOverrides,
+  utilsOverrides,
+} = {}) {
   const dockerClient = sinon.stub().resolves(
     clientResponse || {
       Id: "sha256:hello-world",
@@ -129,6 +133,13 @@ async function loadDockerModule({ clientResponse, utilsOverrides } = {}) {
     },
   );
   dockerClient.stream = sinon.stub();
+  const fsStub = {
+    createReadStream: sinon.stub(),
+    lstatSync: sinon.stub(),
+    readdirSync: sinon.stub().returns([]),
+    readFileSync: sinon.stub(),
+    ...fsOverrides,
+  };
   const gotStub = {
     extend: sinon.stub().returns(dockerClient),
     get: sinon.stub().resolves({ body: "OK" }),
@@ -150,12 +161,107 @@ async function loadDockerModule({ clientResponse, utilsOverrides } = {}) {
     ...utilsOverrides,
   };
   const dockerModule = await esmock("./docker.js", {
+    "node:fs": fsStub,
     got: { default: gotStub },
     "../helpers/utils.js": utilsStub,
   });
-  return { dockerClient, dockerModule, gotStub, utilsStub };
+  return { dockerClient, dockerModule, fsStub, gotStub, utilsStub };
+}
+const decodeRegistryAuthHeader = (header) =>
+  JSON.parse(Buffer.from(header, "base64url").toString("utf-8"));
+const dockerConfigExistsStub = () =>
+  sinon.stub().callsFake((filePath) => filePath.endsWith("config.json"));
+const encodedAuth = Buffer.from("trusted-user:trusted-pass").toString("base64");
+const authConfigData = (configuredRegistry) =>
+  JSON.stringify({
+    auths: {
+      [configuredRegistry]: {
+        auth: encodedAuth,
+      },
+    },
+  });
+const credHelperConfigData = (configuredRegistry) =>
+  JSON.stringify({
+    credHelpers: {
+      [configuredRegistry]: "osxkeychain",
+    },
+  });
+const credHelperExe = (helperSuffix) =>
+  isWin
+    ? `docker-credential-${helperSuffix}.exe`
+    : `docker-credential-${helperSuffix}`;
+async function loadDockerModuleWithAuths(configuredRegistry) {
+  return await loadDockerModule({
+    fsOverrides: {
+      readFileSync: sinon.stub().returns(authConfigData(configuredRegistry)),
+    },
+    utilsOverrides: {
+      safeExistsSync: dockerConfigExistsStub(),
+    },
+  });
+}
+async function loadDockerModuleWithCredHelpers(
+  configuredRegistry,
+  safeSpawnSync,
+) {
+  return await loadDockerModule({
+    fsOverrides: {
+      readFileSync: sinon
+        .stub()
+        .returns(credHelperConfigData(configuredRegistry)),
+    },
+    utilsOverrides: {
+      safeExistsSync: dockerConfigExistsStub(),
+      safeSpawnSync,
+    },
+  });
 }
+const withDockerConfig = async (callback) => {
+  const originalDockerConfig = process.env.DOCKER_CONFIG;
+  process.env.DOCKER_CONFIG = "/tmp/cdxgen-docker-config";
+  try {
+    await callback();
+  } finally {
+    if (originalDockerConfig === undefined) {
+      delete process.env.DOCKER_CONFIG;
+    } else {
+      process.env.DOCKER_CONFIG = originalDockerConfig;
+    }
+  }
+};
+const withEnv = async (updates, callback) => {
+  const originalEnv = {};
+  for (const envKey of Object.keys(updates)) {
+    originalEnv[envKey] = process.env[envKey];
+    if (updates[envKey] === undefined) {
+      delete process.env[envKey];
+    } else {
+      process.env[envKey] = updates[envKey];
+    }
+  }
+  try {
+    await callback();
+  } finally {
+    for (const envKey of Object.keys(updates)) {
+      if (originalEnv[envKey] === undefined) {
+        delete process.env[envKey];
+      } else {
+        process.env[envKey] = originalEnv[envKey];
+      }
+    }
+  }
+};
 await it("docker connection uses the detected daemon client", async () => {
   const { dockerModule, gotStub, dockerClient } = await loadDockerModule();
   const dockerConn = await dockerModule.getConnection();
@@ -323,6 +429,1040 @@ await it("docker exportImage ignores local directories", async () => {
   assert.strictEqual(imageData, undefined);
 });
+await it("docker makeRequest prefers DOCKER_AUTH_CONFIG over config.json entries for all registries", async () => {
+  await withDockerConfig(async () => {
+    await withEnv(
+      {
+        DOCKER_AUTH_CONFIG: "opaque-global-auth-token",
+      },
+      async () => {
+        const safeSpawnSync = sinon.stub().returns({
+          status: 0,
+          stdout: JSON.stringify({
+            username: "helper-user",
+            Secret: "helper-pass",
+          }),
+          stderr: "",
+        });
+        const { dockerClient, dockerModule } = await loadDockerModule({
+          fsOverrides: {
+            readFileSync: sinon.stub().returns(
+              JSON.stringify({
+                auths: {
+                  "registry.example.com": {
+                    auth: Buffer.from("trusted-user:trusted-pass").toString(
+                      "base64",
+                    ),
+                  },
+                },
+                credHelpers: {
+                  "registry.example.com": "osxkeychain",
+                },
+              }),
+            ),
+          },
+          utilsOverrides: {
+            safeExistsSync: dockerConfigExistsStub(),
+            safeSpawnSync,
+          },
+        });
+        await dockerModule.makeRequest(
+          "images/create?fromImage=registry.example.com/team/app:latest",
+          "POST",
+          "registry.example.com/team/app",
+        );
+        const requestOptions = dockerClient.firstCall.args[1];
+        assert.strictEqual(
+          requestOptions.headers["X-Registry-Auth"],
+          "opaque-global-auth-token",
+        );
+        sinon.assert.notCalled(safeSpawnSync);
+      },
+    );
+  });
+});
+await it("docker makeRequest prefers DOCKER_USER credentials over matching config.json entries", async () => {
+  await withDockerConfig(async () => {
+    await withEnv(
+      {
+        DOCKER_USER: "env-user",
+        DOCKER_PASSWORD: "env-pass",
+        DOCKER_EMAIL: "env@example.com",
+      },
+      async () => {
+        const { dockerClient, dockerModule } = await loadDockerModule({
+          fsOverrides: {
+            readFileSync: sinon.stub().returns(
+              JSON.stringify({
+                auths: {
+                  "registry.example.com": {
+                    auth: Buffer.from("trusted-user:trusted-pass").toString(
+                      "base64",
+                    ),
+                  },
+                },
+              }),
+            ),
+          },
+          utilsOverrides: {
+            safeExistsSync: dockerConfigExistsStub(),
+          },
+        });
+        await dockerModule.makeRequest(
+          "images/create?fromImage=registry.example.com/team/app:latest",
+          "POST",
+          "registry.example.com/team/app",
+        );
+        const registryAuthHeader =
+          dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+        assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+          username: "env-user",
+          password: "env-pass",
+          email: "env@example.com",
+          serveraddress: "registry.example.com",
+        });
+      },
+    );
+  });
+});
+await it("docker makeRequest applies DOCKER_USER credentials regardless of configured registry entries", async () => {
+  await withDockerConfig(async () => {
+    await withEnv(
+      {
+        DOCKER_USER: "env-user",
+        DOCKER_PASSWORD: "env-pass",
+        DOCKER_EMAIL: "env@example.com",
+      },
+      async () => {
+        const safeSpawnSync = sinon.stub().returns({
+          status: 0,
+          stdout: JSON.stringify({
+            username: "helper-user",
+            Secret: "helper-pass",
+          }),
+          stderr: "",
+        });
+        const { dockerClient, dockerModule } = await loadDockerModule({
+          fsOverrides: {
+            readFileSync: sinon.stub().returns(
+              JSON.stringify({
+                auths: {
+                  "other-registry.example.com": {
+                    auth: Buffer.from("trusted-user:trusted-pass").toString(
+                      "base64",
+                    ),
+                  },
+                },
+                credHelpers: {
+                  "other-registry.example.com": "osxkeychain",
+                },
+              }),
+            ),
+          },
+          utilsOverrides: {
+            safeExistsSync: dockerConfigExistsStub(),
+            safeSpawnSync,
+          },
+        });
+        await dockerModule.makeRequest(
+          "images/create?fromImage=registry.example.com/team/app:latest",
+          "POST",
+          "registry.example.com/team/app",
+        );
+        const registryAuthHeader =
+          dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+        assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+          username: "env-user",
+          password: "env-pass",
+          email: "env@example.com",
+          serveraddress: "registry.example.com",
+        });
+        sinon.assert.notCalled(safeSpawnSync);
+      },
+    );
+  });
+});
+await it("docker makeRequest does not forward auth for substring-matched registries", async () => {
+  const originalDockerConfig = process.env.DOCKER_CONFIG;
+  process.env.DOCKER_CONFIG = "/tmp/cdxgen-docker-config";
+  try {
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            auths: {
+              "private-registry.example.com": {
+                auth: Buffer.from("trusted-user:trusted-pass").toString(
+                  "base64",
+                ),
+              },
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=registry.example.com/team/app:latest",
+      "POST",
+      "registry.example.com",
+    );
+    const requestOptions = dockerClient.firstCall.args[1];
+    assert.strictEqual(requestOptions.headers, undefined);
+  } finally {
+    if (originalDockerConfig === undefined) {
+      delete process.env.DOCKER_CONFIG;
+    } else {
+      process.env.DOCKER_CONFIG = originalDockerConfig;
+    }
+  }
+});
+await it("docker makeRequest accepts exact normalized registry matches from config auths", async () => {
+  const originalDockerConfig = process.env.DOCKER_CONFIG;
+  process.env.DOCKER_CONFIG = "/tmp/cdxgen-docker-config";
+  try {
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            auths: {
+              "https://registry.example.com/v2/": {
+                auth: Buffer.from("trusted-user:trusted-pass").toString(
+                  "base64",
+                ),
+              },
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=registry.example.com/team/app:latest",
+      "POST",
+      "registry.example.com/team/app",
+    );
+    const registryAuthHeader =
+      dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+    assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+      username: "trusted-user",
+      password: "trusted-pass",
+      serveraddress: "https://registry.example.com/v2/",
+    });
+  } finally {
+    if (originalDockerConfig === undefined) {
+      delete process.env.DOCKER_CONFIG;
+    } else {
+      process.env.DOCKER_CONFIG = originalDockerConfig;
+    }
+  }
+});
+await it("docker makeRequest accepts normalized exact matches across ipv4 ipv6 explicit ports and scoped subpaths from config auths", async () => {
+  const cases = [
+    {
+      configuredRegistry: "127.0.0.1:5000",
+      requestedRegistry: "127.0.0.1:5000/team/app",
+      expectedServerAddress: "127.0.0.1:5000",
+    },
+    {
+      configuredRegistry: "[::1]:5000",
+      requestedRegistry: "[::1]:5000/team/app",
+      expectedServerAddress: "[::1]:5000",
+    },
+    {
+      configuredRegistry: "https://[2001:db8::1]:5000/v2/",
+      requestedRegistry: "[2001:db8::1]:5000/team/app",
+      expectedServerAddress: "https://[2001:db8::1]:5000/v2/",
+    },
+    {
+      configuredRegistry: "HTTPS://REGISTRY.EXAMPLE.COM/V2/",
+      requestedRegistry: "registry.example.com/team/app",
+      expectedServerAddress: "HTTPS://REGISTRY.EXAMPLE.COM/V2/",
+    },
+    {
+      configuredRegistry: "https://registry.example.com:443/v2/",
+      requestedRegistry: "registry.example.com:443/team/app",
+      expectedServerAddress: "https://registry.example.com:443/v2/",
+    },
+    {
+      configuredRegistry: "http://registry.example.com:80/v2/",
+      requestedRegistry: "registry.example.com:80/team/app",
+      expectedServerAddress: "http://registry.example.com:80/v2/",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath",
+      requestedRegistry: "registry.example.com/custom/subpath/team/app",
+      expectedServerAddress: "https://registry.example.com/custom/subpath",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath/v2/",
+      requestedRegistry: "registry.example.com/custom/subpath/team/app",
+      expectedServerAddress: "https://registry.example.com/custom/subpath/v2/",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const testCase of cases) {
+      const { dockerClient, dockerModule } = await loadDockerModuleWithAuths(
+        testCase.configuredRegistry,
+      );
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${testCase.requestedRegistry}:latest`,
+        "POST",
+        testCase.requestedRegistry,
+      );
+      const registryAuthHeader =
+        dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+      assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+        username: "trusted-user",
+        password: "trusted-pass",
+        serveraddress: testCase.expectedServerAddress,
+      });
+    }
+  });
+});
+await it("docker makeRequest rejects wildcard unicode bidi explicit-default-port port-boundary and unrelated scoped-path mismatches from config auths", async () => {
+  const bidiRegistry = "reg\u202eistry.example.com";
+  const unicodeConfusableRegistry = "reg\u0456stry.example.com";
+  const cases = [
+    {
+      configuredRegistry: "*.example.com",
+      requestedRegistry: "team.example.com/app",
+    },
+    {
+      configuredRegistry: "registry.example.com",
+      requestedRegistry: "registry.example.com:80/team/app",
+    },
+    {
+      configuredRegistry: "registry.example.com:443",
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: "127.0.0.1:5001",
+      requestedRegistry: "127.0.0.1:5000/team/app",
+    },
+    {
+      configuredRegistry: "[::1]:5001",
+      requestedRegistry: "[::1]:5000/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com.evil.invalid/v2/",
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath",
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath",
+      requestedRegistry: "registry.example.com/custom/subpathology/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com:443/v2/",
+      requestedRegistry: "registry.example.com:444/team/app",
+    },
+    {
+      configuredRegistry: unicodeConfusableRegistry,
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: bidiRegistry,
+      requestedRegistry: "registry.example.com/team/app",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const testCase of cases) {
+      const { dockerClient, dockerModule } = await loadDockerModuleWithAuths(
+        testCase.configuredRegistry,
+      );
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${testCase.requestedRegistry}:latest`,
+        "POST",
+        testCase.requestedRegistry,
+      );
+      const requestOptions = dockerClient.firstCall.args[1];
+      assert.strictEqual(requestOptions.headers, undefined);
+    }
+  });
+});
+await it("docker makeRequest accepts raw host:port registry matches from config auths", async () => {
+  await withDockerConfig(async () => {
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            auths: {
+              "localhost:5000": {
+                auth: Buffer.from("trusted-user:trusted-pass").toString(
+                  "base64",
+                ),
+              },
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=localhost:5000/team/app:latest",
+      "POST",
+      "localhost:5000/team/app",
+    );
+    const registryAuthHeader =
+      dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+    assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+      username: "trusted-user",
+      password: "trusted-pass",
+      serveraddress: "localhost:5000",
+    });
+  });
+});
+await it("docker makeRequest keeps raw host:port registries separated by port", async () => {
+  await withDockerConfig(async () => {
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            auths: {
+              "localhost:5001": {
+                auth: Buffer.from("trusted-user:trusted-pass").toString(
+                  "base64",
+                ),
+              },
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=localhost:5000/team/app:latest",
+      "POST",
+      "localhost:5000/team/app",
+    );
+    const requestOptions = dockerClient.firstCall.args[1];
+    assert.strictEqual(requestOptions.headers, undefined);
+  });
+});
+await it("docker makeRequest preserves Docker Hub auth aliases without substring matching", async () => {
+  const originalDockerConfig = process.env.DOCKER_CONFIG;
+  process.env.DOCKER_CONFIG = "/tmp/cdxgen-docker-config";
+  try {
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            auths: {
+              "https://index.docker.io/v1/": {
+                auth: Buffer.from("hub-user:hub-pass").toString("base64"),
+              },
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=docker.io/library/alpine:latest",
+      "POST",
+      "docker.io",
+    );
+    const registryAuthHeader =
+      dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+    assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+      username: "hub-user",
+      password: "hub-pass",
+      serveraddress: "https://index.docker.io/v1/",
+    });
+  } finally {
+    if (originalDockerConfig === undefined) {
+      delete process.env.DOCKER_CONFIG;
+    } else {
+      process.env.DOCKER_CONFIG = originalDockerConfig;
+    }
+  }
+});
+await it("docker makeRequest resolves unqualified image pulls to Docker Hub auth entries", async () => {
+  const requestedImages = ["myorg/app:latest", "alpine:latest"];
+  await withDockerConfig(async () => {
+    for (const requestedImage of requestedImages) {
+      const { dockerClient, dockerModule } = await loadDockerModule({
+        fsOverrides: {
+          readFileSync: sinon.stub().returns(
+            JSON.stringify({
+              auths: {
+                "https://index.docker.io/v1/": {
+                  auth: Buffer.from("hub-user:hub-pass").toString("base64"),
+                },
+              },
+            }),
+          ),
+        },
+        utilsOverrides: {
+          safeExistsSync: dockerConfigExistsStub(),
+        },
+      });
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${requestedImage}`,
+        "POST",
+        "",
+      );
+      const registryAuthHeader =
+        dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+      assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+        username: "hub-user",
+        password: "hub-pass",
+        serveraddress: "https://index.docker.io/v1/",
+      });
+    }
+  });
+});
+await it("docker makeRequest skips credHelpers for substring-matched registries", async () => {
+  const originalDockerConfig = process.env.DOCKER_CONFIG;
+  process.env.DOCKER_CONFIG = "/tmp/cdxgen-docker-config";
+  try {
+    const safeSpawnSync = sinon.stub().returns({
+      status: 0,
+      stdout: JSON.stringify({
+        Username: "trusted-user",
+        Secret: "trusted-pass",
+      }),
+      stderr: "",
+    });
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            credHelpers: {
+              "private-registry.example.com": "osxkeychain",
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+        safeSpawnSync,
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=registry.example.com/team/app:latest",
+      "POST",
+      "registry.example.com",
+    );
+    const requestOptions = dockerClient.firstCall.args[1];
+    assert.strictEqual(requestOptions.headers, undefined);
+    sinon.assert.notCalled(safeSpawnSync);
+  } finally {
+    if (originalDockerConfig === undefined) {
+      delete process.env.DOCKER_CONFIG;
+    } else {
+      process.env.DOCKER_CONFIG = originalDockerConfig;
+    }
+  }
+});
+await it("docker makeRequest accepts raw host:port registry matches from credHelpers", async () => {
+  await withDockerConfig(async () => {
+    const safeSpawnSync = sinon.stub().returns({
+      status: 0,
+      stdout: JSON.stringify({
+        username: "trusted-user",
+        Secret: "trusted-pass",
+      }),
+      stderr: "",
+    });
+    const { dockerClient, dockerModule } = await loadDockerModule({
+      fsOverrides: {
+        readFileSync: sinon.stub().returns(
+          JSON.stringify({
+            credHelpers: {
+              "localhost:5000": "osxkeychain",
+            },
+          }),
+        ),
+      },
+      utilsOverrides: {
+        safeExistsSync: sinon
+          .stub()
+          .callsFake((filePath) => filePath.endsWith("config.json")),
+        safeSpawnSync,
+      },
+    });
+    await dockerModule.makeRequest(
+      "images/create?fromImage=localhost:5000/team/app:latest",
+      "POST",
+      "localhost:5000/team/app",
+    );
+    sinon.assert.calledOnceWithExactly(
+      safeSpawnSync,
+      credHelperExe("osxkeychain"),
+      ["get"],
+      {
+        input: "localhost:5000",
+      },
+    );
+    const registryAuthHeader =
+      dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+    assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+      username: "trusted-user",
+      password: "trusted-pass",
+      email: "trusted-user",
+      serveraddress: "localhost:5000",
+    });
+  });
+});
+await it("docker getCredsFromHelper normalizes cache keys for equivalent registry hosts", async () => {
+  const safeSpawnSync = sinon.stub().returns({
+    status: 0,
+    stdout: JSON.stringify({
+      username: "trusted-user",
+      Secret: "trusted-pass",
+    }),
+    stderr: "",
+  });
+  const { dockerModule } = await loadDockerModule({
+    utilsOverrides: {
+      safeSpawnSync,
+    },
+  });
+  const firstToken = dockerModule.getCredsFromHelper(
+    "osxkeychain",
+    "registry.example.com",
+  );
+  const secondToken = dockerModule.getCredsFromHelper(
+    "osxkeychain",
+    "https://registry.example.com/v2/",
+  );
+  assert.strictEqual(firstToken, secondToken);
+  sinon.assert.calledOnceWithExactly(
+    safeSpawnSync,
+    credHelperExe("osxkeychain"),
+    ["get"],
+    {
+      input: "registry.example.com",
+    },
+  );
+});
+await it("docker getCredsFromHelper keeps scoped path cache keys isolated", async () => {
+  const safeSpawnSync = sinon.stub().returns({
+    status: 0,
+    stdout: JSON.stringify({
+      username: "trusted-user",
+      Secret: "trusted-pass",
+    }),
+    stderr: "",
+  });
+  const { dockerModule } = await loadDockerModule({
+    utilsOverrides: {
+      safeSpawnSync,
+    },
+  });
+  const firstToken = dockerModule.getCredsFromHelper(
+    "osxkeychain",
+    "https://registry.example.com/custom/subpath/v2/",
+  );
+  const secondToken = dockerModule.getCredsFromHelper(
+    "osxkeychain",
+    "https://registry.example.com/custom/subpath/v2/",
+  );
+  const thirdToken = dockerModule.getCredsFromHelper(
+    "osxkeychain",
+    "https://registry.example.com/other/subpath/v2/",
+  );
+  assert.strictEqual(firstToken, secondToken);
+  assert.notStrictEqual(firstToken, thirdToken);
+  assert.deepStrictEqual(decodeRegistryAuthHeader(firstToken), {
+    username: "trusted-user",
+    password: "trusted-pass",
+    email: "trusted-user",
+    serveraddress: "https://registry.example.com/custom/subpath/v2/",
+  });
+  sinon.assert.calledTwice(safeSpawnSync);
+});
+await it("docker makeRequest accepts ipv4 ipv6 explicit-port and scoped-subpath registry matches from credHelpers", async () => {
+  const cases = [
+    {
+      configuredRegistry: "127.0.0.1:5000",
+      requestedRegistry: "127.0.0.1:5000/team/app",
+    },
+    {
+      configuredRegistry: "[::1]:5000",
+      requestedRegistry: "[::1]:5000/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com:443/v2/",
+      requestedRegistry: "registry.example.com:443/team/app",
+    },
+    {
+      configuredRegistry: "http://registry.example.com:80/v2/",
+      requestedRegistry: "registry.example.com:80/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath/v2/",
+      requestedRegistry: "registry.example.com/custom/subpath/team/app",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const testCase of cases) {
+      const safeSpawnSync = sinon.stub().returns({
+        status: 0,
+        stdout: JSON.stringify({
+          username: "trusted-user",
+          Secret: "trusted-pass",
+        }),
+        stderr: "",
+      });
+      const { dockerClient, dockerModule } =
+        await loadDockerModuleWithCredHelpers(
+          testCase.configuredRegistry,
+          safeSpawnSync,
+        );
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${testCase.requestedRegistry}:latest`,
+        "POST",
+        testCase.requestedRegistry,
+      );
+      sinon.assert.calledOnceWithExactly(
+        safeSpawnSync,
+        credHelperExe("osxkeychain"),
+        ["get"],
+        {
+          input: testCase.configuredRegistry,
+        },
+      );
+      const registryAuthHeader =
+        dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+      assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+        username: "trusted-user",
+        password: "trusted-pass",
+        email: "trusted-user",
+        serveraddress: testCase.configuredRegistry,
+      });
+    }
+  });
+});
+await it("docker makeRequest does not invoke credHelpers for wildcard unicode bidi explicit-default-port or port-boundary mismatches", async () => {
+  const bidiRegistry = "reg\u202eistry.example.com";
+  const unicodeConfusableRegistry = "reg\u0456stry.example.com";
+  const cases = [
+    {
+      configuredRegistry: "*.example.com",
+      requestedRegistry: "team.example.com/app",
+    },
+    {
+      configuredRegistry: "registry.example.com",
+      requestedRegistry: "registry.example.com:80/team/app",
+    },
+    {
+      configuredRegistry: "registry.example.com:443",
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: "127.0.0.1:5001",
+      requestedRegistry: "127.0.0.1:5000/team/app",
+    },
+    {
+      configuredRegistry: "[::1]:5001",
+      requestedRegistry: "[::1]:5000/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath/v2/",
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com/custom/subpath/v2/",
+      requestedRegistry: "registry.example.com/custom/subpathology/team/app",
+    },
+    {
+      configuredRegistry: "https://registry.example.com:443/v2/",
+      requestedRegistry: "registry.example.com:444/team/app",
+    },
+    {
+      configuredRegistry: unicodeConfusableRegistry,
+      requestedRegistry: "registry.example.com/team/app",
+    },
+    {
+      configuredRegistry: bidiRegistry,
+      requestedRegistry: "registry.example.com/team/app",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const testCase of cases) {
+      const safeSpawnSync = sinon.stub().returns({
+        status: 0,
+        stdout: JSON.stringify({
+          username: "trusted-user",
+          Secret: "trusted-pass",
+        }),
+        stderr: "",
+      });
+      const { dockerClient, dockerModule } =
+        await loadDockerModuleWithCredHelpers(
+          testCase.configuredRegistry,
+          safeSpawnSync,
+        );
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${testCase.requestedRegistry}:latest`,
+        "POST",
+        testCase.requestedRegistry,
+      );
+      const requestOptions = dockerClient.firstCall.args[1];
+      assert.strictEqual(requestOptions.headers, undefined);
+      sinon.assert.notCalled(safeSpawnSync);
+    }
+  });
+});
+await it("docker makeRequest resolves unqualified image pulls to Docker Hub credHelpers", async () => {
+  const requestedImages = ["myorg/app:latest", "alpine:latest"];
+  await withDockerConfig(async () => {
+    for (const requestedImage of requestedImages) {
+      const safeSpawnSync = sinon.stub().returns({
+        status: 0,
+        stdout: JSON.stringify({
+          username: "hub-user",
+          Secret: "hub-pass",
+        }),
+        stderr: "",
+      });
+      const { dockerClient, dockerModule } = await loadDockerModule({
+        fsOverrides: {
+          readFileSync: sinon.stub().returns(
+            JSON.stringify({
+              credHelpers: {
+                "docker.io": "osxkeychain",
+              },
+            }),
+          ),
+        },
+        utilsOverrides: {
+          safeExistsSync: dockerConfigExistsStub(),
+          safeSpawnSync,
+        },
+      });
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${requestedImage}`,
+        "POST",
+        "",
+      );
+      sinon.assert.calledOnceWithExactly(
+        safeSpawnSync,
+        credHelperExe("osxkeychain"),
+        ["get"],
+        {
+          input: "docker.io",
+        },
+      );
+      const registryAuthHeader =
+        dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+      assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+        username: "hub-user",
+        password: "hub-pass",
+        email: "hub-user",
+        serveraddress: "docker.io",
+      });
+    }
+  });
+});
+await it("docker makeRequest accepts normalized exact matches for common public registries without aliasing hosts", async () => {
+  const cases = [
+    {
+      configuredRegistry: "https://ghcr.io/v2/",
+      requestedRegistry: "ghcr.io/org/image",
+    },
+    {
+      configuredRegistry: "https://quay.io/v2/",
+      requestedRegistry: "quay.io/org/image",
+    },
+    {
+      configuredRegistry: "https://public.ecr.aws/v2/",
+      requestedRegistry: "public.ecr.aws/alias/image",
+    },
+    {
+      configuredRegistry: "https://gcr.io/v2/",
+      requestedRegistry: "gcr.io/project/image",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const { configuredRegistry, requestedRegistry } of cases) {
+      const { dockerClient, dockerModule } = await loadDockerModule({
+        fsOverrides: {
+          readFileSync: sinon.stub().returns(
+            JSON.stringify({
+              auths: {
+                [configuredRegistry]: {
+                  auth: Buffer.from("trusted-user:trusted-pass").toString(
+                    "base64",
+                  ),
+                },
+              },
+            }),
+          ),
+        },
+        utilsOverrides: {
+          safeExistsSync: sinon
+            .stub()
+            .callsFake((filePath) => filePath.endsWith("config.json")),
+        },
+      });
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${requestedRegistry}:latest`,
+        "POST",
+        requestedRegistry,
+      );
+      const registryAuthHeader =
+        dockerClient.firstCall.args[1].headers["X-Registry-Auth"];
+      assert.deepStrictEqual(decodeRegistryAuthHeader(registryAuthHeader), {
+        username: "trusted-user",
+        password: "trusted-pass",
+        serveraddress: configuredRegistry,
+      });
+    }
+  });
+});
+await it("docker makeRequest keeps ghcr quay aws and gcp registries on separate trust boundaries", async () => {
+  const cases = [
+    {
+      configuredRegistry: "https://tenant.ghcr.io/v2/",
+      requestedRegistry: "ghcr.io",
+    },
+    {
+      configuredRegistry: "https://quay.io.evil.example/v2/",
+      requestedRegistry: "quay.io",
+    },
+    {
+      configuredRegistry:
+        "https://123456789012.dkr.ecr.us-east-1.amazonaws.com/v2/",
+      requestedRegistry: "public.ecr.aws",
+    },
+    {
+      configuredRegistry: "https://mirror.gcr.io/v2/",
+      requestedRegistry: "gcr.io",
+    },
+    {
+      configuredRegistry: "https://us-docker.pkg.dev/v2/",
+      requestedRegistry: "gcr.io",
+    },
+  ];
+  await withDockerConfig(async () => {
+    for (const { configuredRegistry, requestedRegistry } of cases) {
+      const { dockerClient, dockerModule } = await loadDockerModule({
+        fsOverrides: {
+          readFileSync: sinon.stub().returns(
+            JSON.stringify({
+              auths: {
+                [configuredRegistry]: {
+                  auth: Buffer.from("trusted-user:trusted-pass").toString(
+                    "base64",
+                  ),
+                },
+              },
+            }),
+          ),
+        },
+        utilsOverrides: {
+          safeExistsSync: sinon
+            .stub()
+            .callsFake((filePath) => filePath.endsWith("config.json")),
+        },
+      });
+      await dockerModule.makeRequest(
+        `images/create?fromImage=${requestedRegistry}/team/app:latest`,
+        "POST",
+        requestedRegistry,
+      );
+      const requestOptions = dockerClient.firstCall.args[1];
+      assert.strictEqual(requestOptions.headers, undefined);
+    }
+  });
+});
 await it("extractFromManifest derives PATH metadata from archive config", async () => {
   const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-docker-"));
   try {