@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/helpers/analyzer.js

@@ -1,13 +1,29 @@
 import { lstatSync, readdirSync, readFileSync } from "node:fs";
-import { basename, isAbsolute, join, relative, resolve } from "node:path";
+import {
+  basename,
+  isAbsolute,
+  join,
+  matchesGlob,
+  relative,
+  resolve,
+} from "node:path";
 import process from "node:process";
 import { URL } from "node:url";
 
 import { parse } from "@babel/parser";
 import traverse from "@babel/traverse";
 
+import {
+  getScopedStaticValueByName,
+  getStaticObjectProperty,
+  resolveStaticValue,
+} from "./analyzerScope.js";
 import { classifyMcpReference } from "./mcp.js";
 import { isLocalHost, sanitizeMcpRefToken } from "./mcpDiscovery.js";
+import {
+  sanitizeBomPropertyValue,
+  sanitizeBomUrl,
+} from "./propertySanitizer.js";
 
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")
@@ -40,10 +56,74 @@ const IGNORE_FILE_PATTERN = new RegExp(
   "i",
 );
 
-const getAllFiles = (deep, dir, extn, files, result, regex) => {
+const normalizeAnalyzerPathForGlob = (filePath) =>
+  String(filePath || "").replaceAll("\\", "/");
+
+const normalizeAnalyzerSearchOptions = (deepOrOptions = false) => {
+  if (deepOrOptions && typeof deepOrOptions === "object") {
+    return {
+      deep: Boolean(deepOrOptions.deep),
+      exclude: Array.isArray(deepOrOptions.exclude)
+        ? deepOrOptions.exclude
+        : [],
+    };
+  }
+  return {
+    deep: Boolean(deepOrOptions),
+    exclude: [],
+  };
+};
+
+const shouldExcludeAnalyzerPath = (
+  rootDir,
+  filePath,
+  excludePatterns,
+  isDirectory = false,
+) => {
+  if (!excludePatterns?.length) {
+    return false;
+  }
+  const normalizedAbsolutePath = normalizeAnalyzerPathForGlob(
+    resolve(filePath),
+  );
+  const normalizedRelativePath = normalizeAnalyzerPathForGlob(
+    relative(rootDir, filePath),
+  );
+  const candidatePaths = [
+    normalizedAbsolutePath,
+    normalizedRelativePath,
+    normalizedRelativePath ? `./${normalizedRelativePath}` : "",
+  ].filter(Boolean);
+  if (isDirectory) {
+    candidatePaths.push(
+      `${normalizedAbsolutePath}/`,
+      normalizedRelativePath ? `${normalizedRelativePath}/` : "",
+      normalizedRelativePath ? `./${normalizedRelativePath}/` : "",
+    );
+  }
+  return excludePatterns.some((pattern) => {
+    const normalizedPattern = normalizeAnalyzerPathForGlob(pattern);
+    return candidatePaths.some((candidatePath) =>
+      matchesGlob(candidatePath, normalizedPattern),
+    );
+  });
+};
+
+const getAllFiles = (
+  deep,
+  dir,
+  extn,
+  files,
+  result,
+  regex,
+  rootDir,
+  excludePatterns,
+) => {
   files = files || readdirSync(dir);
   result = result || [];
   regex = regex || new RegExp(`\\${extn}$`);
+  rootDir = rootDir || dir;
+  excludePatterns = excludePatterns || [];
 
   for (let i = 0; i < files.length; i++) {
     if (IGNORE_FILE_PATTERN.test(files[i]) || files[i].startsWith(".")) {
@@ -54,6 +134,16 @@ const getAllFiles = (deep, dir, extn, files, result, regex) => {
     if (fileStat.isSymbolicLink()) {
       continue;
     }
+    if (
+      shouldExcludeAnalyzerPath(
+        rootDir,
+        file,
+        excludePatterns,
+        fileStat.isDirectory(),
+      )
+    ) {
+      continue;
+    }
     if (fileStat.isDirectory()) {
       // Ignore directories
       const dirName = basename(file);
@@ -77,6 +167,8 @@ const getAllFiles = (deep, dir, extn, files, result, regex) => {
           readdirSync(file),
           result,
           regex,
+          rootDir,
+          excludePatterns,
         );
       } catch (_error) {
         // ignore
@@ -882,16 +974,23 @@ const parseFileASTTree = (src, file, allImports, allExports) => {
  * Return paths to all (j|tsx?) files.
  */
 const getAllSrcJSAndTSFiles = (src, deep) =>
-  Promise.all([
-    getAllFiles(deep, src, ".js"),
-    getAllFiles(deep, src, ".jsx"),
-    getAllFiles(deep, src, ".cjs"),
-    getAllFiles(deep, src, ".mjs"),
-    getAllFiles(deep, src, ".ts"),
-    getAllFiles(deep, src, ".tsx"),
-    getAllFiles(deep, src, ".vue"),
-    getAllFiles(deep, src, ".svelte"),
-  ]);
+  Promise.all(
+    [".js", ".jsx", ".cjs", ".mjs", ".ts", ".tsx", ".vue", ".svelte"].map(
+      (extension) => {
+        const searchOptions = normalizeAnalyzerSearchOptions(deep);
+        return getAllFiles(
+          searchOptions.deep,
+          src,
+          extension,
+          undefined,
+          undefined,
+          undefined,
+          src,
+          searchOptions.exclude,
+        );
+      },
+    ),
+  );
 
 export const CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES = [
   "fileAccess",
@@ -960,6 +1059,113 @@ const SUSPICIOUS_JS_NETWORK_MODULES = new Set([
   "undici",
 ]);
 
+const JS_FILE_ACCESS_MODULES = new Set([
+  "fs",
+  "fs/promises",
+  "graceful-fs",
+  "node:fs",
+  "node:fs/promises",
+  "original-fs",
+]);
+const JS_NETWORK_MODULES = new Set([
+  ...SUSPICIOUS_JS_NETWORK_MODULES,
+  "engine.io-client",
+  "node:dgram",
+  "socket.io-client",
+  "sse.js",
+  "ws",
+]);
+const JS_HARDWARE_MODULES = new Set([
+  "@abandonware/noble",
+  "bluetooth-serial-port",
+  "electron-hid",
+  "i2c-bus",
+  "node-hid",
+  "noble",
+  "onoff",
+  "pigpio",
+  "raspi-io",
+  "serialport",
+  "spi-device",
+  "usb",
+  "webbluetooth",
+]);
+const JS_FILE_ACCESS_MEMBERS = new Set([
+  "access",
+  "appendFile",
+  "chmod",
+  "chown",
+  "copyFile",
+  "cp",
+  "createReadStream",
+  "createWriteStream",
+  "lstat",
+  "mkdir",
+  "mkdtemp",
+  "open",
+  "opendir",
+  "readFile",
+  "readdir",
+  "readlink",
+  "realpath",
+  "rename",
+  "rm",
+  "rmdir",
+  "stat",
+  "symlink",
+  "truncate",
+  "unlink",
+  "utimes",
+  "watch",
+  "watchFile",
+  "writeFile",
+]);
+const JS_NETWORK_MEMBERS = new Set([
+  "connect",
+  "createConnection",
+  "createSocket",
+  "fetch",
+  "get",
+  "patch",
+  "post",
+  "put",
+  "request",
+  "send",
+  "subscribe",
+]);
+const JS_HARDWARE_MEMBERS = new Set([
+  "getDevices",
+  "open",
+  "requestDevice",
+  "requestPort",
+]);
+const JS_CODE_GENERATION_MEMBERS = new Set([
+  "compileFunction",
+  "runInContext",
+  "runInNewContext",
+  "runInThisContext",
+]);
+const JS_HARDWARE_CHAIN_PATTERNS = [
+  /^navigator\.(bluetooth|hid|serial|usb)\b/i,
+  /^(chrome|browser)\.(bluetooth|hid|serial|usb|nfc)\b/i,
+];
+const JS_FILE_ACCESS_CHAIN_PATTERNS = [
+  /^(window\.)?show(Open|Save|Directory)FilePicker$/i,
+];
+const JS_NETWORK_CHAIN_PATTERNS = [
+  /^navigator\.sendBeacon$/i,
+  /^(window\.)?(EventSource|WebSocket|XMLHttpRequest)$/i,
+];
+export const JS_CAPABILITY_CATEGORIES = [
+  "fileAccess",
+  "network",
+  "hardware",
+  "childProcess",
+  "codeGeneration",
+  "dynamicFetch",
+  "dynamicImport",
+];
+
 const SUSPICIOUS_JS_EXECUTION_MEMBERS = new Set([
   "exec",
   "execFile",
@@ -1028,6 +1234,57 @@ const trackSuspiciousModuleReference = (
   }
 };
 
+const trackJsCapabilityModuleReference = (
+  moduleName,
+  localName,
+  capabilityIndicators,
+  aliasMaps,
+) => {
+  if (!moduleName || typeof moduleName !== "string") {
+    return;
+  }
+  if (JS_FILE_ACCESS_MODULES.has(moduleName)) {
+    capabilityIndicators.fileAccess.add(`import:${moduleName}`);
+    if (localName) {
+      aliasMaps.fileAccess.add(localName);
+    }
+  }
+  if (JS_NETWORK_MODULES.has(moduleName)) {
+    capabilityIndicators.network.add(`import:${moduleName}`);
+    if (localName) {
+      aliasMaps.network.add(localName);
+    }
+  }
+  if (JS_HARDWARE_MODULES.has(moduleName)) {
+    capabilityIndicators.hardware.add(`import:${moduleName}`);
+    if (localName) {
+      aliasMaps.hardware.add(localName);
+    }
+  }
+  if (SUSPICIOUS_JS_PROCESS_MODULES.has(moduleName)) {
+    capabilityIndicators.childProcess.add(`import:${moduleName}`);
+    if (localName) {
+      aliasMaps.childProcess.add(localName);
+    }
+  }
+};
+
+const isStaticStringNode = (node) =>
+  node?.type === "StringLiteral" ||
+  (node?.type === "TemplateLiteral" && node.expressions?.length === 0);
+
+const isStaticUrlNode = (node) => {
+  if (isStaticStringNode(node)) {
+    return true;
+  }
+  return (
+    node?.type === "NewExpression" &&
+    getMemberChainString(node.callee) === "URL" &&
+    node.arguments?.length &&
+    node.arguments.every((arg) => isStaticStringNode(arg))
+  );
+};
+
 const getMemberChainString = (node) => {
   if (!node) {
     return "";
@@ -1066,7 +1323,7 @@ const getMemberChainString = (node) => {
   return objectChain || propertyChain || "";
 };
 
-function analyzeSuspiciousJsSource(source) {
+export function analyzeSuspiciousJsSource(source) {
   const executionIndicators = new Set();
   const networkIndicators = new Set();
   const obfuscationIndicators = new Set();
@@ -1265,6 +1522,984 @@ export const analyzeSuspiciousJsFile = (filePath) => {
   return analyzeSuspiciousJsSource(source);
 };
 
+export function analyzeJsCapabilitiesSource(source) {
+  const capabilityIndicators = {
+    childProcess: new Set(),
+    codeGeneration: new Set(),
+    dynamicFetch: new Set(),
+    dynamicImport: new Set(),
+    fileAccess: new Set(),
+    hardware: new Set(),
+    network: new Set(),
+  };
+  const aliasMaps = {
+    childProcess: new Set(),
+    fileAccess: new Set(),
+    hardware: new Set(),
+    network: new Set(),
+  };
+  let ast;
+  try {
+    ast = parse(source, babelParserOptions);
+  } catch {
+    return {
+      capabilities: [],
+      hasDynamicFetch: false,
+      hasDynamicImport: false,
+      hasEval: false,
+      indicatorMap: {},
+    };
+  }
+  const addIndicator = (category, rawIndicator) => {
+    const indicator = String(rawIndicator || "").trim();
+    if (!indicator) {
+      return;
+    }
+    capabilityIndicators[category].add(indicator);
+  };
+  traverse.default(ast, {
+    ImportDeclaration: (path) => {
+      const moduleName = getLiteralStringValue(path?.node?.source);
+      path.node.specifiers.forEach((specifier) => {
+        trackJsCapabilityModuleReference(
+          moduleName,
+          specifier?.local?.name,
+          capabilityIndicators,
+          aliasMaps,
+        );
+      });
+      if (!path.node.specifiers?.length) {
+        trackJsCapabilityModuleReference(
+          moduleName,
+          undefined,
+          capabilityIndicators,
+          aliasMaps,
+        );
+      }
+    },
+    VariableDeclarator: (path) => {
+      const init = path?.node?.init;
+      if (
+        init?.type === "CallExpression" &&
+        init.callee?.type === "Identifier" &&
+        init.callee.name === "require"
+      ) {
+        const moduleName = getLiteralStringValue(init.arguments?.[0]);
+        const localName =
+          path?.node?.id?.type === "Identifier" ? path.node.id.name : undefined;
+        trackJsCapabilityModuleReference(
+          moduleName,
+          localName,
+          capabilityIndicators,
+          aliasMaps,
+        );
+      }
+    },
+    ImportExpression: (path) => {
+      if (!isStaticStringNode(path?.node?.source)) {
+        addIndicator("dynamicImport", "import(dynamic)");
+      }
+    },
+    MemberExpression: (path) => {
+      const memberChain = getMemberChainString(path?.node);
+      if (
+        JS_HARDWARE_CHAIN_PATTERNS.some((pattern) => pattern.test(memberChain))
+      ) {
+        addIndicator("hardware", memberChain);
+      }
+      if (
+        JS_FILE_ACCESS_CHAIN_PATTERNS.some((pattern) =>
+          pattern.test(memberChain),
+        )
+      ) {
+        addIndicator("fileAccess", memberChain);
+      }
+      if (
+        JS_NETWORK_CHAIN_PATTERNS.some((pattern) => pattern.test(memberChain))
+      ) {
+        addIndicator("network", memberChain);
+      }
+    },
+    OptionalMemberExpression: (path) => {
+      const memberChain = getMemberChainString(path?.node);
+      if (
+        JS_HARDWARE_CHAIN_PATTERNS.some((pattern) => pattern.test(memberChain))
+      ) {
+        addIndicator("hardware", memberChain);
+      }
+      if (
+        JS_FILE_ACCESS_CHAIN_PATTERNS.some((pattern) =>
+          pattern.test(memberChain),
+        )
+      ) {
+        addIndicator("fileAccess", memberChain);
+      }
+      if (
+        JS_NETWORK_CHAIN_PATTERNS.some((pattern) => pattern.test(memberChain))
+      ) {
+        addIndicator("network", memberChain);
+      }
+    },
+    CallExpression: (path) => {
+      const callee = path?.node?.callee;
+      const calleeChain = getMemberChainString(callee);
+      if (callee?.type === "Identifier") {
+        if (callee.name === "fetch") {
+          addIndicator("network", "fetch");
+          if (!isStaticUrlNode(path.node.arguments?.[0])) {
+            addIndicator("dynamicFetch", "fetch(dynamic)");
+          }
+        }
+        if (callee.name === "eval") {
+          addIndicator("codeGeneration", "eval");
+        }
+        if (
+          aliasMaps.network.has(callee.name) &&
+          ["axios", "got", "fetch"].includes(callee.name)
+        ) {
+          addIndicator("network", callee.name);
+          if (!isStaticUrlNode(path.node.arguments?.[0])) {
+            addIndicator("dynamicFetch", `${callee.name}(dynamic)`);
+          }
+        }
+      }
+      if (calleeChain === "Buffer.from") {
+        const encodingValue = getLiteralStringValue(path.node.arguments?.[1]);
+        if (encodingValue?.toLowerCase() === "base64") {
+          addIndicator("codeGeneration", "buffer-base64");
+        }
+      }
+      if (calleeChain.startsWith("vm.")) {
+        const vmMethod = calleeChain.split(".").slice(1).join(".");
+        if (JS_CODE_GENERATION_MEMBERS.has(vmMethod)) {
+          addIndicator("codeGeneration", calleeChain);
+        }
+      }
+      if (callee?.type === "MemberExpression") {
+        const objectName = getMemberChainString(callee.object);
+        const propertyName = getMemberChainString(callee.property);
+        if (
+          objectName &&
+          aliasMaps.fileAccess.has(objectName) &&
+          JS_FILE_ACCESS_MEMBERS.has(propertyName)
+        ) {
+          addIndicator("fileAccess", `${objectName}.${propertyName}`);
+        }
+        if (
+          objectName &&
+          aliasMaps.network.has(objectName) &&
+          JS_NETWORK_MEMBERS.has(propertyName)
+        ) {
+          addIndicator("network", `${objectName}.${propertyName}`);
+          if (!isStaticUrlNode(path.node.arguments?.[0])) {
+            addIndicator(
+              "dynamicFetch",
+              `${objectName}.${propertyName}(dynamic)`,
+            );
+          }
+        }
+        if (
+          objectName &&
+          aliasMaps.hardware.has(objectName) &&
+          JS_HARDWARE_MEMBERS.has(propertyName)
+        ) {
+          addIndicator("hardware", `${objectName}.${propertyName}`);
+        }
+        if (
+          objectName &&
+          aliasMaps.childProcess.has(objectName) &&
+          SUSPICIOUS_JS_EXECUTION_MEMBERS.has(propertyName)
+        ) {
+          addIndicator("childProcess", `${objectName}.${propertyName}`);
+        }
+      }
+      if (
+        callee?.type === "Identifier" &&
+        callee.name === "require" &&
+        !isStaticStringNode(path.node.arguments?.[0])
+      ) {
+        addIndicator("dynamicImport", "require(dynamic)");
+      }
+    },
+    NewExpression: (path) => {
+      const calleeChain = getMemberChainString(path?.node?.callee);
+      if (calleeChain === "Function") {
+        addIndicator("codeGeneration", "Function");
+      }
+      if (
+        ["WebSocket", "EventSource", "XMLHttpRequest"].includes(calleeChain)
+      ) {
+        addIndicator("network", calleeChain);
+      }
+    },
+  });
+  const indicatorMap = {};
+  const capabilities = [];
+  for (const category of JS_CAPABILITY_CATEGORIES) {
+    const indicators = Array.from(capabilityIndicators[category]).sort();
+    if (indicators.length) {
+      indicatorMap[category] = indicators;
+      capabilities.push(category);
+    }
+  }
+  return {
+    capabilities,
+    hasDynamicFetch: capabilityIndicators.dynamicFetch.size > 0,
+    hasDynamicImport: capabilityIndicators.dynamicImport.size > 0,
+    hasEval: capabilityIndicators.codeGeneration.has("eval"),
+    indicatorMap,
+  };
+}
+
+export const analyzeJsCapabilitiesFile = (filePath) => {
+  let source;
+  try {
+    source = fileToParseableCode(filePath);
+  } catch {
+    return {
+      capabilities: [],
+      hasDynamicFetch: false,
+      hasDynamicImport: false,
+      hasEval: false,
+      indicatorMap: {},
+    };
+  }
+  return analyzeJsCapabilitiesSource(source);
+};
+
+const CRYPTO_IMPORT_SOURCES = new Set([
+  "crypto",
+  "jose",
+  "jsonwebtoken",
+  "node:crypto",
+  "node:tls",
+  "openpgp",
+  "sshpk",
+  "tls",
+]);
+const NODE_CRYPTO_MODULE_SOURCES = new Set(["crypto", "node:crypto"]);
+const JWT_IMPORT_SOURCES = new Set(["jsonwebtoken"]);
+const JOSE_IMPORT_SOURCES = new Set(["jose"]);
+const JWS_ALGORITHM_LITERAL_PATTERN =
+  /^(?:ES|HS|PS|RS)(?:256|384|512)$|^Ed(?:25519|448)$/;
+const NODE_CRYPTO_CALL_PRIMITIVES = new Map([
+  ["createCipheriv", "cipher"],
+  ["createDecipheriv", "cipher"],
+  ["createHash", "hash"],
+  ["createHmac", "hmac"],
+  ["createSign", "signature"],
+  ["createVerify", "signature"],
+  ["generateKey", "key-generation"],
+  ["generateKeyPair", "key-generation"],
+  ["generateKeyPairSync", "key-generation"],
+  ["generateKeySync", "key-generation"],
+  ["hkdf", "kdf"],
+  ["hkdfSync", "kdf"],
+  ["pbkdf2", "kdf"],
+  ["pbkdf2Sync", "kdf"],
+  ["scrypt", "kdf"],
+  ["scryptSync", "kdf"],
+  ["sign", "signature"],
+  ["verify", "signature"],
+]);
+const WEBCRYPTO_METHOD_PRIMITIVES = new Map([
+  ["decrypt", "cipher"],
+  ["deriveBits", "kdf"],
+  ["deriveKey", "kdf"],
+  ["digest", "hash"],
+  ["encrypt", "cipher"],
+  ["generateKey", "key-generation"],
+  ["importKey", "key-management"],
+  ["sign", "signature"],
+  ["unwrapKey", "key-management"],
+  ["verify", "signature"],
+  ["wrapKey", "key-management"],
+]);
+const JWT_METHOD_NAMES = new Set([
+  "sign",
+  "verify",
+  "decode",
+  "encrypt",
+  "decrypt",
+]);
+const CRYPTO_OBJECT_PROPERTY_KEYS = new Map([
+  ["alg", "signature"],
+  ["algorithm", "signature"],
+  ["enc", "cipher"],
+  ["hash", "hash"],
+  ["name", "algorithm"],
+]);
+
+const recordCryptoAlgorithm = (
+  algorithms,
+  rawName,
+  primitive,
+  source,
+  loc,
+  extra = {},
+) => {
+  const algorithmName = typeof rawName === "string" ? rawName.trim() : "";
+  if (!algorithmName) {
+    return;
+  }
+  algorithms.push({
+    columnNumber: loc?.column ?? undefined,
+    keyLength:
+      typeof extra.keyLength === "number" ? extra.keyLength : undefined,
+    lineNumber: loc?.line ?? undefined,
+    name: algorithmName,
+    primitive,
+    source,
+  });
+};
+
+const recordCryptoAlgorithmsFromValue = (
+  algorithms,
+  value,
+  primitive,
+  source,
+  loc,
+) => {
+  if (!value) {
+    return;
+  }
+  if (Array.isArray(value)) {
+    value.forEach((entry) => {
+      recordCryptoAlgorithmsFromValue(
+        algorithms,
+        entry,
+        primitive,
+        source,
+        loc,
+      );
+    });
+    return;
+  }
+  if (typeof value === "string") {
+    recordCryptoAlgorithm(algorithms, value, primitive, source, loc);
+    return;
+  }
+  if (typeof value !== "object") {
+    return;
+  }
+  const algorithmName =
+    typeof value.name === "string"
+      ? value.name
+      : typeof value.algorithm === "string"
+        ? value.algorithm
+        : undefined;
+  if (algorithmName) {
+    recordCryptoAlgorithm(algorithms, algorithmName, primitive, source, loc, {
+      keyLength:
+        typeof value.length === "number"
+          ? value.length
+          : typeof value.modulusLength === "number"
+            ? value.modulusLength
+            : undefined,
+    });
+  }
+  if (typeof value.hash === "string") {
+    recordCryptoAlgorithm(
+      algorithms,
+      value.hash,
+      "hash",
+      `${source}:hash`,
+      loc,
+    );
+  } else if (
+    value.hash &&
+    typeof value.hash === "object" &&
+    typeof value.hash.name === "string"
+  ) {
+    recordCryptoAlgorithm(
+      algorithms,
+      value.hash.name,
+      "hash",
+      `${source}:hash`,
+      loc,
+    );
+  }
+  if (typeof value.alg === "string") {
+    recordCryptoAlgorithm(
+      algorithms,
+      value.alg,
+      "signature",
+      `${source}:alg`,
+      loc,
+    );
+  }
+  if (typeof value.enc === "string") {
+    recordCryptoAlgorithm(
+      algorithms,
+      value.enc,
+      "cipher",
+      `${source}:enc`,
+      loc,
+    );
+  }
+};
+
+const uniqueCryptoAlgorithms = (algorithms) => {
+  const seen = new Set();
+  const uniqueAlgorithms = [];
+  for (const algorithm of algorithms || []) {
+    const key = [
+      algorithm.fileName || "",
+      algorithm.name || "",
+      algorithm.primitive || "",
+      algorithm.source || "",
+      algorithm.lineNumber || "",
+      algorithm.columnNumber || "",
+    ].join("\u0000");
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    uniqueAlgorithms.push(algorithm);
+  }
+  return uniqueAlgorithms.sort((left, right) => {
+    return `${left.fileName || ""}:${left.lineNumber || 0}:${left.name || ""}`.localeCompare(
+      `${right.fileName || ""}:${right.lineNumber || 0}:${right.name || ""}`,
+    );
+  });
+};
+
+const createScopedStaticValueResolver = (path, staticValueByName) => {
+  const scopedStaticValueByName = getScopedStaticValueByName(
+    path,
+    staticValueByName,
+    getLiteralStringValue,
+    getMemberExpressionPropertyName,
+  );
+  return (astNode) =>
+    resolveStaticValue(
+      astNode,
+      scopedStaticValueByName,
+      getLiteralStringValue,
+      getMemberExpressionPropertyName,
+    );
+};
+
+const recordCryptoObjectPropertiesFromValue = (
+  algorithms,
+  optionsValue,
+  source,
+  loc,
+) => {
+  if (!optionsValue || typeof optionsValue !== "object") {
+    return;
+  }
+  for (const [propertyName, primitive] of CRYPTO_OBJECT_PROPERTY_KEYS) {
+    const propertyValue = getStaticObjectProperty(optionsValue, propertyName);
+    if (propertyValue === undefined) {
+      continue;
+    }
+    recordCryptoAlgorithmsFromValue(
+      algorithms,
+      propertyValue,
+      primitive,
+      source,
+      loc,
+    );
+  }
+};
+
+const normalizeCryptoLibraryName = (moduleName) => {
+  return String(moduleName || "").trim();
+};
+
+const getDirectCallInfo = (callee) => {
+  if (!callee) {
+    return {};
+  }
+  if (callee.type === "Identifier") {
+    return {
+      calleeName: callee.name,
+    };
+  }
+  if (
+    (callee.type === "MemberExpression" ||
+      callee.type === "OptionalMemberExpression") &&
+    callee.object?.type === "Identifier"
+  ) {
+    return {
+      methodName: getMemberExpressionPropertyName(callee.property),
+      rootAlias: callee.object.name,
+    };
+  }
+  return {};
+};
+
+export function analyzeJsCryptoSource(source) {
+  const algorithms = [];
+  const libraries = new Set();
+  const cryptoFunctionAliases = new Map();
+  const cryptoModuleAliases = new Set();
+  const jwtFunctionAliases = new Map();
+  const jwtModuleAliases = new Set();
+  const joseModuleAliases = new Set();
+  const staticValueByName = new Map();
+  const subtleAliases = new Set();
+  const webcryptoAliases = new Set();
+  let ast;
+  try {
+    ast = parse(source, babelParserOptions);
+  } catch {
+    return { algorithms: [], libraries: [] };
+  }
+  traverse.default(ast, {
+    ImportDeclaration: (path) => {
+      const sourceValue = getLiteralStringValue(path?.node?.source);
+      if (!sourceValue) {
+        return;
+      }
+      if (CRYPTO_IMPORT_SOURCES.has(sourceValue)) {
+        libraries.add(normalizeCryptoLibraryName(sourceValue));
+      }
+      for (const specifier of path.node.specifiers || []) {
+        if (NODE_CRYPTO_MODULE_SOURCES.has(sourceValue)) {
+          if (
+            specifier.type === "ImportDefaultSpecifier" ||
+            specifier.type === "ImportNamespaceSpecifier"
+          ) {
+            cryptoModuleAliases.add(specifier.local.name);
+          }
+          if (specifier.type === "ImportSpecifier") {
+            const importedName = specifier.imported?.name;
+            if (!importedName) {
+              continue;
+            }
+            if (importedName === "webcrypto") {
+              webcryptoAliases.add(specifier.local.name);
+              continue;
+            }
+            if (importedName === "subtle") {
+              subtleAliases.add(specifier.local.name);
+              continue;
+            }
+            cryptoFunctionAliases.set(specifier.local.name, importedName);
+          }
+        }
+        if (JWT_IMPORT_SOURCES.has(sourceValue)) {
+          if (
+            specifier.type === "ImportDefaultSpecifier" ||
+            specifier.type === "ImportNamespaceSpecifier"
+          ) {
+            jwtModuleAliases.add(specifier.local.name);
+          }
+          if (specifier.type === "ImportSpecifier") {
+            const importedName = specifier.imported?.name;
+            if (importedName) {
+              jwtFunctionAliases.set(specifier.local.name, importedName);
+            }
+          }
+        }
+        if (JOSE_IMPORT_SOURCES.has(sourceValue)) {
+          joseModuleAliases.add(specifier.local.name);
+        }
+      }
+    },
+    VariableDeclarator: (path) => {
+      const idNode = path?.node?.id;
+      const initNode = path?.node?.init;
+      if (!idNode || !initNode) {
+        return;
+      }
+      const resolveScopedValue = createScopedStaticValueResolver(
+        path,
+        staticValueByName,
+      );
+      const resolvedValue = resolveScopedValue(initNode);
+      if (idNode.type === "Identifier") {
+        if (resolvedValue !== undefined) {
+          staticValueByName.set(idNode.name, resolvedValue);
+        }
+        const initChain = getMemberChainString(initNode);
+        if (
+          initChain === "crypto.subtle" ||
+          initChain.startsWith("webcrypto.subtle") ||
+          (initNode.type === "MemberExpression" &&
+            webcryptoAliases.has(getMemberChainString(initNode.object)) &&
+            getMemberExpressionPropertyName(initNode.property) === "subtle")
+        ) {
+          subtleAliases.add(idNode.name);
+        }
+      }
+      if (
+        initNode.type === "CallExpression" &&
+        initNode.callee?.type === "Identifier" &&
+        initNode.callee.name === "require"
+      ) {
+        const moduleName = getLiteralStringValue(initNode.arguments?.[0]);
+        if (!moduleName) {
+          return;
+        }
+        if (CRYPTO_IMPORT_SOURCES.has(moduleName)) {
+          libraries.add(normalizeCryptoLibraryName(moduleName));
+        }
+        if (NODE_CRYPTO_MODULE_SOURCES.has(moduleName)) {
+          if (idNode.type === "Identifier") {
+            cryptoModuleAliases.add(idNode.name);
+          }
+          if (idNode.type === "ObjectPattern") {
+            for (const property of idNode.properties || []) {
+              if (property.type !== "ObjectProperty") {
+                continue;
+              }
+              const importedName = getMemberExpressionPropertyName(
+                property.key,
+              );
+              const localName =
+                property.value?.type === "Identifier"
+                  ? property.value.name
+                  : undefined;
+              if (!importedName || !localName) {
+                continue;
+              }
+              if (importedName === "webcrypto") {
+                webcryptoAliases.add(localName);
+              } else if (importedName === "subtle") {
+                subtleAliases.add(localName);
+              } else {
+                cryptoFunctionAliases.set(localName, importedName);
+              }
+            }
+          }
+        }
+        if (JWT_IMPORT_SOURCES.has(moduleName)) {
+          if (idNode.type === "Identifier") {
+            jwtModuleAliases.add(idNode.name);
+          }
+          if (idNode.type === "ObjectPattern") {
+            for (const property of idNode.properties || []) {
+              if (property.type !== "ObjectProperty") {
+                continue;
+              }
+              const importedName = getMemberExpressionPropertyName(
+                property.key,
+              );
+              const localName =
+                property.value?.type === "Identifier"
+                  ? property.value.name
+                  : undefined;
+              if (importedName && localName) {
+                jwtFunctionAliases.set(localName, importedName);
+              }
+            }
+          }
+        }
+        if (
+          JOSE_IMPORT_SOURCES.has(moduleName) &&
+          idNode.type === "Identifier"
+        ) {
+          joseModuleAliases.add(idNode.name);
+        }
+      }
+    },
+    AssignmentExpression: (path) => {
+      const leftNode = path?.node?.left;
+      const rightNode = path?.node?.right;
+      if (leftNode?.type !== "Identifier" || !rightNode) {
+        return;
+      }
+      const resolveScopedValue = createScopedStaticValueResolver(
+        path,
+        staticValueByName,
+      );
+      const resolvedValue = resolveScopedValue(rightNode);
+      if (resolvedValue === undefined) {
+        staticValueByName.delete(leftNode.name);
+        return;
+      }
+      staticValueByName.set(leftNode.name, resolvedValue);
+    },
+    CallExpression: (path) => {
+      const callNode = path?.node;
+      const loc = callNode?.loc?.start;
+      const callee = callNode?.callee;
+      const calleeChain = getMemberChainString(callee);
+      const directCallInfo = getDirectCallInfo(callee);
+      const resolveScopedValue = createScopedStaticValueResolver(
+        path,
+        staticValueByName,
+      );
+      let nodeCryptoMethod;
+      if (callee?.type === "Identifier") {
+        nodeCryptoMethod = cryptoFunctionAliases.get(callee.name);
+        const jwtMethod = jwtFunctionAliases.get(callee.name);
+        if (jwtMethod && JWT_METHOD_NAMES.has(jwtMethod)) {
+          for (const argument of callNode.arguments || []) {
+            const optionsValue = resolveScopedValue(argument);
+            recordCryptoObjectPropertiesFromValue(
+              algorithms,
+              optionsValue,
+              `jsonwebtoken.${jwtMethod}`,
+              loc,
+            );
+          }
+        }
+      } else if (calleeChain) {
+        const calleeParts = calleeChain.split(".");
+        const rootAlias = directCallInfo.rootAlias;
+        const directMethodName = directCallInfo.methodName;
+        if (
+          rootAlias &&
+          cryptoModuleAliases.has(rootAlias) &&
+          directMethodName
+        ) {
+          nodeCryptoMethod = directMethodName;
+        }
+        if (
+          rootAlias &&
+          jwtModuleAliases.has(rootAlias) &&
+          directMethodName &&
+          JWT_METHOD_NAMES.has(directMethodName)
+        ) {
+          for (const argument of callNode.arguments || []) {
+            const optionsValue = resolveScopedValue(argument);
+            recordCryptoObjectPropertiesFromValue(
+              algorithms,
+              optionsValue,
+              `jsonwebtoken.${directMethodName}`,
+              loc,
+            );
+          }
+        }
+        if (calleeParts[calleeParts.length - 1] === "setProtectedHeader") {
+          const headerValue = resolveScopedValue(callNode.arguments?.[0]);
+          if (headerValue && typeof headerValue === "object") {
+            if (typeof headerValue.alg === "string") {
+              recordCryptoAlgorithm(
+                algorithms,
+                headerValue.alg,
+                "signature",
+                "jwt.setProtectedHeader",
+                loc,
+              );
+            }
+            if (typeof headerValue.enc === "string") {
+              recordCryptoAlgorithm(
+                algorithms,
+                headerValue.enc,
+                "cipher",
+                "jwt.setProtectedHeader",
+                loc,
+              );
+            }
+          }
+        }
+      }
+      if (
+        nodeCryptoMethod &&
+        NODE_CRYPTO_CALL_PRIMITIVES.has(nodeCryptoMethod)
+      ) {
+        const primitive = NODE_CRYPTO_CALL_PRIMITIVES.get(nodeCryptoMethod);
+        if (
+          [
+            "createHash",
+            "createHmac",
+            "createCipheriv",
+            "createDecipheriv",
+            "createSign",
+            "createVerify",
+            "hkdf",
+            "hkdfSync",
+            "sign",
+            "verify",
+          ].includes(nodeCryptoMethod)
+        ) {
+          const argumentIndex = ["hkdf", "hkdfSync"].includes(nodeCryptoMethod)
+            ? 0
+            : 0;
+          const algorithmValue = resolveScopedValue(
+            callNode.arguments?.[argumentIndex],
+          );
+          recordCryptoAlgorithmsFromValue(
+            algorithms,
+            algorithmValue,
+            primitive,
+            `node:crypto.${nodeCryptoMethod}`,
+            loc,
+          );
+        }
+        if (["pbkdf2", "pbkdf2Sync"].includes(nodeCryptoMethod)) {
+          const digestValue = resolveScopedValue(callNode.arguments?.[4]);
+          recordCryptoAlgorithmsFromValue(
+            algorithms,
+            digestValue,
+            primitive,
+            `node:crypto.${nodeCryptoMethod}`,
+            loc,
+          );
+        }
+        if (["scrypt", "scryptSync"].includes(nodeCryptoMethod)) {
+          recordCryptoAlgorithm(
+            algorithms,
+            "scrypt",
+            primitive,
+            `node:crypto.${nodeCryptoMethod}`,
+            loc,
+          );
+        }
+        if (
+          [
+            "generateKey",
+            "generateKeySync",
+            "generateKeyPair",
+            "generateKeyPairSync",
+          ].includes(nodeCryptoMethod)
+        ) {
+          const typeValue = resolveScopedValue(callNode.arguments?.[0]);
+          const optionsValue = resolveScopedValue(callNode.arguments?.[1]);
+          if (typeof typeValue === "string") {
+            const keyLength =
+              typeof optionsValue?.length === "number"
+                ? optionsValue.length
+                : typeof optionsValue?.modulusLength === "number"
+                  ? optionsValue.modulusLength
+                  : undefined;
+            recordCryptoAlgorithm(
+              algorithms,
+              typeValue,
+              primitive,
+              `node:crypto.${nodeCryptoMethod}`,
+              loc,
+              { keyLength },
+            );
+          }
+        }
+      }
+      let webcryptoMethod;
+      if (calleeChain.startsWith("crypto.subtle.")) {
+        webcryptoMethod = calleeChain.split(".").slice(2).join(".");
+      } else if (calleeChain.startsWith("subtle.")) {
+        webcryptoMethod = subtleAliases.has("subtle")
+          ? calleeChain.split(".").slice(1).join(".")
+          : undefined;
+      } else {
+        const calleeParts = calleeChain.split(".");
+        if (subtleAliases.has(calleeParts[0])) {
+          webcryptoMethod = calleeParts.slice(1).join(".");
+        } else if (
+          webcryptoAliases.has(calleeParts[0]) &&
+          calleeParts[1] === "subtle"
+        ) {
+          webcryptoMethod = calleeParts.slice(2).join(".");
+        }
+      }
+      if (webcryptoMethod && WEBCRYPTO_METHOD_PRIMITIVES.has(webcryptoMethod)) {
+        const primitive = WEBCRYPTO_METHOD_PRIMITIVES.get(webcryptoMethod);
+        const primaryAlgorithmValue = resolveScopedValue(
+          callNode.arguments?.[0],
+        );
+        recordCryptoAlgorithmsFromValue(
+          algorithms,
+          primaryAlgorithmValue,
+          primitive,
+          `webcrypto.${webcryptoMethod}`,
+          loc,
+        );
+        if (webcryptoMethod === "deriveKey") {
+          const derivedAlgorithmValue = resolveScopedValue(
+            callNode.arguments?.[2],
+          );
+          recordCryptoAlgorithmsFromValue(
+            algorithms,
+            derivedAlgorithmValue,
+            "key-generation",
+            `webcrypto.${webcryptoMethod}:derived`,
+            loc,
+          );
+        }
+      }
+    },
+    StringLiteral: (path) => {
+      if (
+        !libraries.has("node:crypto") &&
+        !libraries.has("jose") &&
+        !libraries.has("jsonwebtoken")
+      ) {
+        return;
+      }
+      const literalValue = String(path?.node?.value || "").trim();
+      if (!JWS_ALGORITHM_LITERAL_PATTERN.test(literalValue)) {
+        return;
+      }
+      const parentNode = path.parent;
+      const grandParentNode = path.parentPath?.parent;
+      const isRelevantContext =
+        (parentNode?.type === "AssignmentPattern" &&
+          parentNode.right === path.node) ||
+        (parentNode?.type === "VariableDeclarator" &&
+          parentNode.init === path.node) ||
+        (parentNode?.type === "BinaryExpression" &&
+          ["===", "=="].includes(parentNode.operator)) ||
+        (parentNode?.type === "LogicalExpression" &&
+          ["||", "??"].includes(parentNode.operator) &&
+          ["AssignmentExpression", "VariableDeclarator"].includes(
+            grandParentNode?.type,
+          ));
+      if (!isRelevantContext) {
+        return;
+      }
+      recordCryptoAlgorithm(
+        algorithms,
+        literalValue,
+        "signature",
+        "source-literal:jws-algorithm",
+        path.node.loc?.start,
+      );
+    },
+  });
+  return {
+    algorithms: uniqueCryptoAlgorithms(algorithms),
+    libraries: Array.from(libraries).sort(),
+  };
+}
+
+export const analyzeJsCryptoFile = (filePath) => {
+  let source;
+  try {
+    source = fileToParseableCode(filePath);
+  } catch {
+    return { algorithms: [], libraries: [] };
+  }
+  return analyzeJsCryptoSource(source);
+};
+
+export const detectJsCryptoInventory = async (src, deep = false) => {
+  let srcFiles = [];
+  try {
+    const promiseMap = await getAllSrcJSAndTSFiles(src, deep);
+    srcFiles = promiseMap.flat();
+  } catch {
+    return { algorithms: [], libraries: [] };
+  }
+  const algorithms = [];
+  const libraries = new Set();
+  for (const file of srcFiles) {
+    let analysis;
+    try {
+      analysis = analyzeJsCryptoFile(file);
+    } catch {
+      continue;
+    }
+    for (const library of analysis.libraries || []) {
+      libraries.add(library);
+    }
+    for (const algorithm of analysis.algorithms || []) {
+      algorithms.push({
+        ...algorithm,
+        fileName: relative(src, file),
+      });
+    }
+  }
+  return {
+    algorithms: uniqueCryptoAlgorithms(algorithms),
+    libraries: Array.from(libraries).sort(),
+  };
+};
+
 /**
  * Detect browser-extension capability signals from source code using Babel AST analysis.
  *
@@ -1281,15 +2516,88 @@ export const detectExtensionCapabilities = (src, deep = false) => {
   }
   let srcFiles = [];
   try {
+    const searchOptions = normalizeAnalyzerSearchOptions(deep);
     srcFiles = [
-      ...getAllFiles(deep, src, ".js"),
-      ...getAllFiles(deep, src, ".jsx"),
-      ...getAllFiles(deep, src, ".cjs"),
-      ...getAllFiles(deep, src, ".mjs"),
-      ...getAllFiles(deep, src, ".ts"),
-      ...getAllFiles(deep, src, ".tsx"),
-      ...getAllFiles(deep, src, ".vue"),
-      ...getAllFiles(deep, src, ".svelte"),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".js",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".jsx",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".cjs",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".mjs",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".ts",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".tsx",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".vue",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".svelte",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
     ];
   } catch (_err) {
     return { capabilities: [], indicators: {} };
@@ -1509,13 +2817,26 @@ const providerFamilyFromModelName = (modelName) => {
 };
 
 const addUniqueProperty = (properties, name, value) => {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  const normalizedValue =
+    typeof sanitizedValue === "string"
+      ? sanitizedValue
+      : String(sanitizedValue);
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === normalizedValue,
+    )
+  ) {
     return;
   }
-  properties.push({ name, value });
+  properties.push({ name, value: normalizedValue });
 };
 
 const rootMemberName = (value) => String(value || "").split(".")[0];
@@ -1823,14 +3144,18 @@ const primitiveComponentForMcp = (serviceInfo, primitive) => {
     addUniqueProperty(
       properties,
       "cdx:mcp:toolAnnotations",
-      JSON.stringify(primitive.annotations),
+      primitive.annotations,
     );
   }
   return {
     "bom-ref": primitiveRef,
-    description:
-      primitive.description ||
-      `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        primitive.description ||
+          `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+      ) || "",
+    ),
     name: primitiveName,
     properties,
     scope: "required",
@@ -2056,8 +3381,16 @@ const serviceObjectForMcp = (serviceInfo) => {
   return {
     "bom-ref": serviceRef,
     authenticated: serviceInfo.authenticated,
-    description: serviceInfo.description,
-    endpoints: Array.from(serviceInfo.endpoints).sort(),
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:mcp:description",
+        serviceInfo.description || "",
+      ) || "",
+    ),
+    endpoints: Array.from(serviceInfo.endpoints)
+      .map((endpoint) => sanitizeBomUrl(endpoint))
+      .filter(Boolean)
+      .sort(),
     group: "mcp",
     name: serviceName,
     properties,
@@ -2451,15 +3784,88 @@ export const detectMcpInventory = (src, deep = false) => {
   const servicesByKey = new Map();
   let srcFiles = [];
   try {
+    const searchOptions = normalizeAnalyzerSearchOptions(deep);
     srcFiles = [
-      ...getAllFiles(deep, src, ".js"),
-      ...getAllFiles(deep, src, ".jsx"),
-      ...getAllFiles(deep, src, ".cjs"),
-      ...getAllFiles(deep, src, ".mjs"),
-      ...getAllFiles(deep, src, ".ts"),
-      ...getAllFiles(deep, src, ".tsx"),
-      ...getAllFiles(deep, src, ".vue"),
-      ...getAllFiles(deep, src, ".svelte"),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".js",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".jsx",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".cjs",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".mjs",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".ts",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".tsx",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".vue",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
+      ...getAllFiles(
+        searchOptions.deep,
+        src,
+        ".svelte",
+        undefined,
+        undefined,
+        undefined,
+        src,
+        searchOptions.exclude,
+      ),
     ];
   } catch {
     return { components: [], dependencies: [], services: [] };