npm - @cyclonedx/cdxgen - Versions diffs - 12.3.2 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.2 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/README.md +70 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +171 -15
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +76 -5
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +36 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +647 -127
package/lib/cli/index.poku.js +1905 -187
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/agentFormulationParser.js +6 -2
package/lib/helpers/agentFormulationParser.poku.js +42 -0
package/lib/helpers/analyzer.js +1444 -38
package/lib/helpers/analyzer.poku.js +409 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/chromextutils.js +25 -3
package/lib/helpers/chromextutils.poku.js +68 -0
package/lib/helpers/ciParsers/githubActions.js +79 -0
package/lib/helpers/ciParsers/githubActions.poku.js +103 -0
package/lib/helpers/communityAiConfigParser.js +15 -5
package/lib/helpers/communityAiConfigParser.poku.js +71 -0
package/lib/helpers/depsUtils.js +5 -0
package/lib/helpers/depsUtils.poku.js +55 -0
package/lib/helpers/display.js +336 -23
package/lib/helpers/display.poku.js +179 -43
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/mcpConfigParser.js +21 -5
package/lib/helpers/mcpConfigParser.poku.js +39 -2
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/propertySanitizer.js +121 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +2454 -198
package/lib/helpers/utils.poku.js +1798 -74
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2306 -350
package/lib/managers/binary.poku.js +1700 -1
package/lib/managers/docker.js +441 -95
package/lib/managers/docker.poku.js +1479 -14
package/lib/server/server.js +2 -24
package/lib/server/server.poku.js +36 -1
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +2967 -990
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +24 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/agentFormulationParser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/chromextutils.d.ts.map +1 -1
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/communityAiConfigParser.d.ts.map +1 -1
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +1 -0
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts +1 -1
package/types/lib/helpers/mcpConfigParser.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/propertySanitizer.d.ts +3 -0
package/types/lib/helpers/propertySanitizer.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +74 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts +3 -0
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -0
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/helpers/cbomutils.js CHANGED Viewed

@@ -2,6 +2,11 @@ import { readFileSync } from "node:fs";
 import { join } from "node:path";
 import { executeOsQuery } from "../managers/binary.js";
+import { detectJsCryptoInventory } from "./analyzer.js";
+import {
+  createOccurrenceEvidence,
+  formatOccurrenceEvidence,
+} from "./evidenceUtils.js";
 import { convertOSQueryResults, dirNameStr } from "./utils.js";
 const cbomosDbQueries = JSON.parse(
@@ -47,10 +52,275 @@ function cleanStr(str) {
   return str.toLowerCase().replace(/[^0-9a-z ]/gi, "");
 }
+function normalizeDetectedCryptoAlgorithmName(name, primitive, keyLength) {
+  const trimmedName = String(name || "").trim();
+  if (!trimmedName) {
+    return undefined;
+  }
+  const upperName = trimmedName.toUpperCase();
+  const compactName = upperName.replace(/[^A-Z0-9]/g, "");
+  const lowerName = trimmedName.toLowerCase();
+  const normalizedLower = lowerName.replace(/[ _]/g, "-");
+  const jwtMappings = {
+    ES256: "ecdsaWithSHA256",
+    ES384: "ecdsaWithSHA384",
+    ES512: "ecdsaWithSHA512",
+    HS256: "hmacWithSHA256",
+    HS384: "hmacWithSHA384",
+    HS512: "hmacWithSHA512",
+    RS256: "sha256WithRSAEncryption",
+    RS384: "sha384WithRSAEncryption",
+    RS512: "sha512WithRSAEncryption",
+  };
+  if (jwtMappings[upperName]) {
+    return jwtMappings[upperName];
+  }
+  if (/^A(128|192|256)GCM$/.test(compactName)) {
+    return `aes${compactName.slice(1, 4)}-GCM`;
+  }
+  if (/^SHA(1|224|256|384|512)$/.test(compactName)) {
+    return `sha-${compactName.slice(3)}`;
+  }
+  if (/^SHA3(224|256|384|512)$/.test(compactName)) {
+    return `sha3-${compactName.slice(4)}`;
+  }
+  if (compactName === "PBKDF2") {
+    return "PBKDF2";
+  }
+  if (compactName === "SCRYPT") {
+    return "scrypt";
+  }
+  if (
+    normalizedLower === "aes-gcm" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-GCM`;
+  }
+  if (
+    normalizedLower === "aes-cbc" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-CBC`;
+  }
+  if (
+    normalizedLower === "aes-ctr" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-CTR`;
+  }
+  if (cbomCryptoOids[trimmedName]) {
+    return trimmedName;
+  }
+  if (cbomCryptoOids[normalizedLower]) {
+    return normalizedLower;
+  }
+  if (primitive === "algorithm" && cbomCryptoOids[upperName]) {
+    return upperName;
+  }
+  return trimmedName;
+}
+function cryptoAlgorithmBomRef(name, oid) {
+  const version = oid || cleanStr(name) || "unknown";
+  return `crypto/algorithm/${encodeURIComponent(name)}@${version}`;
+}
+function usageLocationValue(usage) {
+  if (typeof usage?.lineNumber !== "number") {
+    return undefined;
+  }
+  return `${usage.fileName || "<inline>"}:${usage.lineNumber}${typeof usage.columnNumber === "number" ? `:${usage.columnNumber}` : ""}`;
+}
+function mergeAlgorithmComponentEvidence(component, usage, options) {
+  if (!options?.evidence) {
+    return component;
+  }
+  const locationValue = usageLocationValue(usage);
+  const occurrence = createOccurrenceEvidence(usage.fileName || "<inline>", {
+    additionalContext: usage.primitive,
+    ...(typeof usage.lineNumber === "number" ? { line: usage.lineNumber } : {}),
+    ...(usage.source ? { symbol: usage.source } : {}),
+  });
+  const evidence = component.evidence || {};
+  const identity = Array.isArray(evidence.identity)
+    ? (evidence.identity[0] ?? {
+        field: "name",
+        confidence: 1,
+        concludedValue: component.name,
+        methods: [],
+      })
+    : (evidence.identity ?? {
+        field: "name",
+        confidence: 1,
+        concludedValue: component.name,
+        methods: [],
+      });
+  const methodValue = occurrence
+    ? formatOccurrenceEvidence(occurrence)
+    : locationValue || component.name;
+  if (
+    !identity.methods?.some(
+      (method) =>
+        method.technique === "source-code-analysis" &&
+        method.value === methodValue,
+    )
+  ) {
+    identity.methods = identity.methods || [];
+    identity.methods.push({
+      technique: "source-code-analysis",
+      confidence: 1,
+      value: methodValue,
+    });
+  }
+  evidence.identity = identity;
+  if (occurrence) {
+    const occurrences = evidence.occurrences || [];
+    if (
+      !occurrences.some(
+        (existingOccurrence) =>
+          formatOccurrenceEvidence(existingOccurrence) ===
+          formatOccurrenceEvidence(occurrence),
+      )
+    ) {
+      occurrences.push(occurrence);
+    }
+    evidence.occurrences = occurrences;
+  }
+  component.evidence = evidence;
+  return component;
+}
+function normalizeCryptoComponentEvidence(component, options) {
+  if (!component?.evidence?.identity) {
+    return component;
+  }
+  if (
+    options?.specVersion >= 1.6 &&
+    !Array.isArray(component.evidence.identity)
+  ) {
+    component.evidence.identity = [component.evidence.identity];
+  }
+  if (
+    options?.specVersion === 1.5 &&
+    Array.isArray(component.evidence.identity)
+  ) {
+    component.evidence.identity = component.evidence.identity[0];
+  }
+  return component;
+}
+function mergeAlgorithmComponentUsage(component, usage, src, options) {
+  const sourceFile = usage.fileName ? join(src, usage.fileName) : undefined;
+  const properties = component.properties || [];
+  const locationValue = usageLocationValue(usage);
+  if (sourceFile) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "SrcFile" && property.value === sourceFile,
+      )
+    ) {
+      properties.push({ name: "SrcFile", value: sourceFile });
+    }
+  }
+  if (usage.primitive) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:primitive" &&
+          property.value === usage.primitive,
+      )
+    ) {
+      properties.push({ name: "cdx:crypto:primitive", value: usage.primitive });
+    }
+  }
+  if (usage.source) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceType" &&
+          property.value === `js-ast:${usage.source}`,
+      )
+    ) {
+      properties.push({
+        name: "cdx:crypto:sourceType",
+        value: `js-ast:${usage.source}`,
+      });
+    }
+  }
+  if (locationValue) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceLocation" &&
+          property.value === locationValue,
+      )
+    ) {
+      properties.push({
+        name: "cdx:crypto:sourceLocation",
+        value: locationValue,
+      });
+    }
+  }
+  component.properties = properties;
+  mergeAlgorithmComponentEvidence(component, usage, options);
+  return component;
+}
+export async function collectSourceCryptoComponents(src, options = {}) {
+  const inventory = await detectJsCryptoInventory(src, Boolean(options.deep));
+  const componentsByRef = new Map();
+  for (const usage of inventory.algorithms || []) {
+    const normalizedName = normalizeDetectedCryptoAlgorithmName(
+      usage.name,
+      usage.primitive,
+      usage.keyLength,
+    );
+    if (!normalizedName) {
+      continue;
+    }
+    const algorithmMetadata =
+      cbomCryptoOids[normalizedName] || cbomCryptoOids[usage.name];
+    if (!algorithmMetadata?.oid) {
+      continue;
+    }
+    const componentName = algorithmMetadata ? normalizedName : usage.name;
+    const bomRef = cryptoAlgorithmBomRef(componentName, algorithmMetadata?.oid);
+    const component = componentsByRef.get(bomRef) || {
+      type: "cryptographic-asset",
+      name: componentName,
+      "bom-ref": bomRef,
+      description:
+        algorithmMetadata?.description ||
+        `${usage.primitive || "cryptographic"} algorithm detected in source analysis`,
+      cryptoProperties: {
+        assetType: "algorithm",
+        ...(algorithmMetadata?.oid ? { oid: algorithmMetadata.oid } : {}),
+      },
+      properties: [],
+    };
+    mergeAlgorithmComponentUsage(component, usage, src, options);
+    componentsByRef.set(bomRef, component);
+  }
+  const components = Array.from(componentsByRef.values());
+  components.forEach((component) => {
+    normalizeCryptoComponentEvidence(component, options);
+  });
+  return components.sort((left, right) =>
+    `${left.name}:${left["bom-ref"]}`.localeCompare(
+      `${right.name}:${right["bom-ref"]}`,
+    ),
+  );
+}
 /**
  * Find crypto algorithm in the given code snippet
  *
- * @param {String} Code snippet
+ * @param {string} code Code snippet
  * @returns {Array} Arary of crypto algorithm objects with oid and description
  */
 export function findCryptoAlgos(code) {

package/lib/helpers/cbomutils.poku.js CHANGED Viewed

@@ -1,8 +1,251 @@
-import { assert, it } from "poku";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
-import { collectOSCryptoLibs } from "./cbomutils.js";
+import { assert, describe, it } from "poku";
-it("cbom utils tests", () => {
-  const cryptoLibs = collectOSCryptoLibs();
-  assert.ok(cryptoLibs);
+import {
+  collectOSCryptoLibs,
+  collectSourceCryptoComponents,
+} from "./cbomutils.js";
+describe("cbom utils", () => {
+  it("collectOSCryptoLibs() returns a result set", () => {
+    const cryptoLibs = collectOSCryptoLibs();
+    assert.ok(cryptoLibs);
+  });
+  it("collectSourceCryptoComponents() extracts algorithms from JS source", async () => {
+    const projectDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-source-"));
+    try {
+      writeFileSync(
+        join(projectDir, "index.js"),
+        [
+          "import { createHash, webcrypto } from 'node:crypto';",
+          "import jwt from 'jsonwebtoken';",
+          "const subtle = webcrypto.subtle;",
+          "const digest = 'sha256';",
+          "const signingAlgorithm = 'Ed25519';",
+          "const profile = { name: 'AES-GCM', length: 256 };",
+          "createHash(digest);",
+          "subtle.generateKey(profile, true, ['encrypt']);",
+          "jwt.sign({ sub: '123' }, 'secret', { algorithm: 'RS256' });",
+        ].join("\n"),
+        "utf-8",
+      );
+      const components = await collectSourceCryptoComponents(projectDir, {
+        deep: false,
+        evidence: true,
+        specVersion: 1.7,
+      });
+      const names = components.map((component) => component.name);
+      const sha256Component = components.find(
+        (component) => component.name === "sha-256",
+      );
+      assert.ok(names.includes("sha-256"));
+      assert.ok(names.includes("aes256-GCM"));
+      assert.ok(names.includes("Ed25519"));
+      assert.ok(names.includes("sha256WithRSAEncryption"));
+      assert.ok(!names.includes("hmac"));
+      assert.ok(sha256Component);
+      assert.ok(Array.isArray(sha256Component.evidence.identity));
+      assert.strictEqual(sha256Component.evidence.identity[0].field, "name");
+      assert.strictEqual(
+        sha256Component.evidence.identity[0].concludedValue,
+        "sha-256",
+      );
+      assert.ok(
+        sha256Component.evidence.identity[0].methods.some(
+          (method) => method.technique === "source-code-analysis",
+        ),
+      );
+      assert.ok(
+        sha256Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "index.js" && occurrence.line === 7,
+        ),
+      );
+      const sha256Occurrence = sha256Component.evidence.occurrences.find(
+        (occurrence) =>
+          occurrence.location === "index.js" && occurrence.line === 7,
+      );
+      assert.ok(sha256Occurrence);
+      assert.strictEqual(sha256Occurrence.additionalContext, "hash");
+      assert.strictEqual(sha256Occurrence.symbol, "node:crypto.createHash");
+      assert.ok(!Object.hasOwn(sha256Occurrence, "offset"));
+      assert.ok(
+        components.every(
+          (component) => component.cryptoProperties?.oid?.length,
+        ),
+      );
+      assert.ok(
+        components.some((component) =>
+          component.properties.some(
+            (property) =>
+              property.name === "cdx:crypto:sourceType" &&
+              property.value.startsWith("js-ast:"),
+          ),
+        ),
+      );
+    } finally {
+      rmSync(projectDir, { recursive: true, force: true });
+    }
+  });
+  it("collectSourceCryptoComponents() keeps branch-derived evidence for dynamic crypto values", async () => {
+    const projectDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-branches-"));
+    try {
+      writeFileSync(
+        join(projectDir, "dynamic-branches.mjs"),
+        [
+          "import crypto, { createHash, webcrypto } from 'node:crypto';",
+          "import jwt from 'jsonwebtoken';",
+          "const subtle = webcrypto.subtle;",
+          "const digestName = process.env.CDXGEN_TEST_DIGEST || 'sha384';",
+          "const keyProfiles = globalThis.__legacyCipher",
+          "  ? { active: { name: 'AES-CBC', length: 256 } }",
+          "  : { active: { name: 'AES-GCM', length: 256 } };",
+          "const signingAlgorithm = globalThis.__legacySignature ? 'RS256' : 'RS512';",
+          "const jwtOptions = globalThis.__jwtOptions ?? { algorithm: signingAlgorithm };",
+          "createHash(digestName);",
+          "await subtle.generateKey(keyProfiles.active, true, ['encrypt', 'decrypt']);",
+          "jwt.sign({ sub: '123' }, 'secret', jwtOptions);",
+          "export function signPayload(payload, privateKey, alg) {",
+          "  let hashAlg = null;",
+          "  if (alg === 'RS256' || alg === 'RS512') {",
+          "    hashAlg = alg.replace('RS', 'SHA');",
+          "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "  if (alg !== 'RS384') {",
+          "    return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  } else {",
+          "    hashAlg = alg.replace('RS', 'SHA');",
+          "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+          "export function signPayloadWithSwitch(payload, privateKey, alg) {",
+          "  switch (alg) {",
+          "    case 'RS256':",
+          "    case 'RS512':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    case 'RS384':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    default:",
+          "      return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+          "export function signPayloadWithSwitchDefault(payload, privateKey) {",
+          "  const alg = globalThis.__preferLegacy ? 'RS256' : 'RS384';",
+          "  switch (alg) {",
+          "    case 'RS256':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    default:",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+        ].join("\n"),
+        "utf-8",
+      );
+      const components = await collectSourceCryptoComponents(projectDir, {
+        deep: false,
+        evidence: true,
+        specVersion: 1.7,
+      });
+      const names = components.map((component) => component.name);
+      const sha384Component = components.find(
+        (component) => component.name === "sha-384",
+      );
+      assert.ok(names.includes("sha-384"));
+      assert.ok(names.includes("sha-224"));
+      assert.ok(names.includes("sha-256"));
+      assert.ok(names.includes("sha-512"));
+      assert.ok(names.includes("aes256-CBC"));
+      assert.ok(names.includes("aes256-GCM"));
+      assert.ok(names.includes("sha256WithRSAEncryption"));
+      assert.ok(names.includes("sha512WithRSAEncryption"));
+      assert.ok(sha384Component);
+      assert.ok(
+        sha384Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "dynamic-branches.mjs" &&
+            occurrence.line === 10 &&
+            occurrence.symbol === "node:crypto.createHash" &&
+            occurrence.additionalContext === "hash",
+        ),
+      );
+      assert.ok(
+        sha384Component.properties.some(
+          (property) =>
+            property.name === "cdx:crypto:sourceLocation" &&
+            property.value === "dynamic-branches.mjs:10:0",
+        ),
+      );
+      assert.ok(
+        sha384Component.properties.some(
+          (property) =>
+            property.name === "cdx:crypto:sourceType" &&
+            property.value === "js-ast:node:crypto.sign",
+        ),
+      );
+      assert.ok(
+        sha384Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "dynamic-branches.mjs" &&
+            occurrence.symbol === "node:crypto.sign" &&
+            occurrence.additionalContext === "signature",
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-256" &&
+            component.properties.some(
+              (property) =>
+                property.name === "cdx:crypto:sourceType" &&
+                property.value === "js-ast:node:crypto.sign",
+            ) &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature",
+            ),
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-512" &&
+            component.properties.some(
+              (property) =>
+                property.name === "cdx:crypto:sourceType" &&
+                property.value === "js-ast:node:crypto.sign",
+            ) &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.line === 30 &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature",
+            ),
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-384" &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature" &&
+                occurrence.line > 30,
+            ),
+        ),
+      );
+    } finally {
+      rmSync(projectDir, { recursive: true, force: true });
+    }
+  });
 });

package/lib/helpers/chromextutils.js CHANGED Viewed

@@ -9,6 +9,7 @@ import {
   CHROMIUM_EXTENSION_CAPABILITY_CATEGORIES,
   detectExtensionCapabilities,
 } from "./analyzer.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { isMac, isWin, safeExistsSync } from "./utils.js";
 /**
@@ -850,7 +851,12 @@ export function toComponent(extInfo) {
   const component = {
     name: extensionId,
     version: extInfo.version || "",
-    description: extInfo.displayName || extInfo.description || "",
+    description: String(
+      sanitizeBomPropertyValue(
+        "cdx:chrome-extension:description",
+        extInfo.displayName || extInfo.description || "",
+      ) || "",
+    ),
     purl,
     "bom-ref": decodeURIComponent(purl),
     type: "application",
@@ -1035,8 +1041,24 @@ export function toComponent(extInfo) {
   if (extInfo.srcPath) {
     properties.push({ name: "SrcFile", value: extInfo.srcPath });
   }
-  if (properties.length) {
-    component.properties = properties;
+  const sanitizedProperties = properties
+    .map((property) => {
+      const sanitizedValue = sanitizeBomPropertyValue(
+        property.name,
+        property.value,
+      );
+      if (
+        sanitizedValue === undefined ||
+        sanitizedValue === null ||
+        sanitizedValue === ""
+      ) {
+        return undefined;
+      }
+      return { name: property.name, value: String(sanitizedValue) };
+    })
+    .filter(Boolean);
+  if (sanitizedProperties.length) {
+    component.properties = sanitizedProperties;
   }
   return component;
 }

package/lib/helpers/chromextutils.poku.js CHANGED Viewed

@@ -142,6 +142,74 @@ describe("parseChromiumExtensionManifest", () => {
     assert.strictEqual(parsed.hasAutofill, false);
   });
+  it("sanitizes emitted URL properties before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-extension");
+    const extensionId = "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        name: "Sanitized URLs",
+        version: extensionVersion,
+        update_url: "https://user:pass@example.com/update.xml?token=abc#frag",
+        host_permissions: [
+          "https://user:pass@example.com/*?token=abc#frag",
+          "<all_urls>",
+        ],
+        externally_connectable: {
+          matches: ["https://user:pass@example.com/*?token=abc#frag"],
+        },
+      }),
+      "utf-8",
+    );
+    const result = collectChromeExtensionsFromPath(versionDir);
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:updateUrl"),
+      "https://example.com/update.xml",
+    );
+    assert.strictEqual(
+      getProp(result.components[0], "cdx:chrome-extension:hostPermissions"),
+      "https://example.com/*, <all_urls>",
+    );
+    assert.strictEqual(
+      getProp(
+        result.components[0],
+        "cdx:chrome-extension:externallyConnectableMatches",
+      ),
+      "https://example.com/*",
+    );
+  });
+  it("sanitizes emitted extension descriptions before they enter the BOM", () => {
+    const extensionRoot = join(baseTempDir, "sanitized-description-extension");
+    const extensionId = "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj";
+    const extensionVersion = "1.0.0";
+    const versionDir = join(extensionRoot, extensionId, extensionVersion);
+    mkdirSync(versionDir, { recursive: true });
+    writeFileSync(
+      join(versionDir, "manifest.json"),
+      JSON.stringify({
+        manifest_version: 3,
+        description:
+          "Connect with Bearer sk_test_super_secret_value at https://user:pass@example.com/path?token=abc#frag",
+        version: extensionVersion,
+      }),
+      "utf-8",
+    );
+    const result = collectChromeExtensionsFromPath(versionDir);
+    assert.strictEqual(
+      result.components[0].description,
+      "Connect with [redacted] at https://example.com/path",
+    );
+  });
   it("should parse real manifest fixtures from Chrome, Chromium and Edge extensions", () => {
     const fixtureCases = [
       {