@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/helpers/ciParsers/githubActions.js

@@ -112,6 +112,34 @@ const CARGO_CACHE_ACTION_PATTERNS = [/^swatinem\/rust-cache(?:@|$)/i];
 
 const CARGO_TOOL_INSTALL_ACTION_PATTERNS = [/^taiki-e\/install-action(?:@|$)/i];
 
+const DEPENDENCY_CACHE_SETUP_ACTIONS = [
+  {
+    pattern: /^actions\/setup-node(?:@|$)/i,
+    ecosystem: "npm",
+    inputNames: ["package-manager-cache", "cache"],
+  },
+  {
+    pattern: /^actions\/setup-python(?:@|$)/i,
+    ecosystem: "pypi",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-go(?:@|$)/i,
+    ecosystem: "go",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^actions\/setup-java(?:@|$)/i,
+    ecosystem: "java",
+    inputNames: ["cache"],
+  },
+  {
+    pattern: /^moonrepo\/setup-rust(?:@|$)/i,
+    ecosystem: "cargo",
+    inputNames: ["cache"],
+  },
+];
+
 const FORK_CONTEXT_PATTERNS = [
   [
     "github.event.pull_request.head.repo.fork",
@@ -479,6 +507,56 @@ function analyzeCargoActionStep(step) {
   return props;
 }
 
+function isExplicitFalseLikeValue(value) {
+  if (value === false) {
+    return true;
+  }
+  if (typeof value !== "string") {
+    return false;
+  }
+  return ["0", "false", "no", "off", "disabled"].includes(
+    value.trim().toLowerCase(),
+  );
+}
+
+function analyzeSetupActionCacheStep(step) {
+  const props = [];
+  if (!step?.uses || typeof step.uses !== "string") {
+    return props;
+  }
+  const setupAction = DEPENDENCY_CACHE_SETUP_ACTIONS.find((candidate) =>
+    candidate.pattern.test(step.uses),
+  );
+  if (!setupAction || !step.with || typeof step.with !== "object") {
+    return props;
+  }
+  const disableInputName = setupAction.inputNames.find(
+    (inputName) =>
+      Object.hasOwn(step.with, inputName) &&
+      isExplicitFalseLikeValue(step.with[inputName]),
+  );
+  if (!disableInputName) {
+    return props;
+  }
+  props.push({
+    name: "cdx:github:action:disablesBuildCache",
+    value: "true",
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheEcosystem",
+    value: setupAction.ecosystem,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableInput",
+    value: disableInputName,
+  });
+  props.push({
+    name: "cdx:github:action:buildCacheDisableValue",
+    value: String(step.with[disableInputName]),
+  });
+  return props;
+}
+
 function analyzeCargoRunStep(normalizedRun) {
   const props = [];
   if (!normalizedRun || typeof normalizedRun !== "string") {
@@ -2018,6 +2096,7 @@ export function parseWorkflowFile(f, options) {
           actionProperties.push(...analyzeCheckoutStep(step));
           actionProperties.push(...analyzeCacheStep(step));
           actionProperties.push(...analyzeCargoActionStep(step));
+          actionProperties.push(...analyzeSetupActionCacheStep(step));
           actionProperties.push(...analyzeDispatchActionStep(step));
           if (
             step.uses?.includes("actions/github-script") &&

package/lib/helpers/ciParsers/githubActions.poku.js

@@ -505,6 +505,109 @@ describe("githubActionsParser", () => {
     });
   });
 
+  describe("setup action cache disable property emission", () => {
+    it("emits cache disable properties for setup-node, setup-python, and setup-rust", () => {
+      const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-cache-"));
+      const workflowFile = path.join(tmpDir, "cache-disable.yml");
+      writeFileSync(
+        workflowFile,
+        [
+          "name: Cache disable",
+          "on: push",
+          "jobs:",
+          "  build:",
+          "    runs-on: ubuntu-latest",
+          "    steps:",
+          "      - uses: actions/setup-node@v4",
+          "        with:",
+          "          node-version: 20",
+          "          package-manager-cache: false",
+          "      - uses: actions/setup-python@v5",
+          "        with:",
+          "          python-version: '3.12'",
+          "          cache: false",
+          "      - uses: moonrepo/setup-rust@v1",
+          "        with:",
+          "          cache: false",
+        ].join("\n"),
+      );
+
+      try {
+        const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
+        const setupNodeComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-node@v4",
+        );
+        const setupPythonComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "actions/setup-python@v5",
+        );
+        const setupRustComp = result.components.find(
+          (component) =>
+            getProp(component, "cdx:github:action:uses") ===
+            "moonrepo/setup-rust@v1",
+        );
+        assert.ok(setupNodeComp, "expected setup-node component");
+        assert.ok(setupPythonComp, "expected setup-python component");
+        assert.ok(setupRustComp, "expected setup-rust component");
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheEcosystem"),
+          "npm",
+        );
+        assert.strictEqual(
+          getProp(setupNodeComp, "cdx:github:action:buildCacheDisableInput"),
+          "package-manager-cache",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheEcosystem"),
+          "pypi",
+        );
+        assert.strictEqual(
+          getProp(setupPythonComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:disablesBuildCache"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheEcosystem"),
+          "cargo",
+        );
+        assert.strictEqual(
+          getProp(setupRustComp, "cdx:github:action:buildCacheDisableInput"),
+          "cache",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("does not emit cache disable properties when cache is not explicitly disabled", () => {
+      const result = parseWorkflow("simple-build.yml");
+      const setupNodeComp = result.components.find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-node@v4",
+      );
+      assert.ok(setupNodeComp, "expected setup-node component");
+      assert.strictEqual(
+        getProp(setupNodeComp, "cdx:github:action:disablesBuildCache"),
+        undefined,
+      );
+    });
+  });
+
   describe("script injection interpolation detection", () => {
     it("detects github.event.pull_request interpolation", () => {
       const result = parseWorkflow("injection-pull-request-title.yml");

package/lib/helpers/communityAiConfigParser.js

@@ -8,6 +8,7 @@ import {
   credentialIndicatorsForText,
   sanitizeMcpRefToken,
 } from "./mcpDiscovery.js";
+import { sanitizeBomPropertyValue } from "./propertySanitizer.js";
 import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 
 const COMMUNITY_AI_PATTERNS = [
@@ -46,13 +47,22 @@ const COMMUNITY_AI_PATTERNS = [
 ];
 
 function addUniqueProperty(properties, name, value) {
-  if (value === undefined || value === null || value === "") {
+  const sanitizedValue = sanitizeBomPropertyValue(name, value);
+  if (
+    sanitizedValue === undefined ||
+    sanitizedValue === null ||
+    sanitizedValue === ""
+  ) {
     return;
   }
-  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+  if (
+    properties.some(
+      (prop) => prop.name === name && prop.value === String(sanitizedValue),
+    )
+  ) {
     return;
   }
-  properties.push({ name, value: String(value) });
+  properties.push({ name, value: String(sanitizedValue) });
 }
 
 function normalizeFilePath(filePath) {
@@ -217,7 +227,7 @@ function parseSkillFile(filePath, raw) {
     addUniqueProperty(
       component.properties,
       "cdx:skill:metadata",
-      JSON.stringify(metadata.metadata),
+      metadata.metadata,
     );
   }
   maybeAddFileSignals(component.properties, filePath, raw);
@@ -399,7 +409,7 @@ function parseOpencodeConfig(filePath, raw) {
       addUniqueProperty(
         component.properties,
         "cdx:agent:permission",
-        JSON.stringify(agentConfig.permission),
+        agentConfig.permission,
       );
     }
     components.push(component);

package/lib/helpers/communityAiConfigParser.poku.js

@@ -60,4 +60,75 @@ describe("communityAiConfigParser", () => {
       ),
     );
   });
+
+  it("sanitizes secret-bearing AI inventory properties before emission", async () => {
+    const readFileSync = sinon.stub();
+    readFileSync.withArgs("/repo/opencode.json", "utf-8").returns(
+      JSON.stringify({
+        agent: {
+          release: {
+            description:
+              "Deploy with https://user:pass@example.com/release?access_token=abc#frag and sk_test_super_secret_value",
+            permission: {
+              endpoints: [
+                "https://user:pass@example.com/private?token=abc#frag",
+              ],
+              __proto__: {
+                polluted: true,
+              },
+            },
+          },
+        },
+      }),
+    );
+    readFileSync
+      .withArgs("/repo/.claude/skills/release/SKILL.md", "utf-8")
+      .returns(
+        [
+          "---",
+          "name: release",
+          "description: Publish release notes",
+          "metadata:",
+          "  endpoint: https://user:pass@example.com/skill?token=abc#frag",
+          "  apiKey: sk_test_skill_secret_value",
+          "---",
+          "Use the release workflow.",
+        ].join("\n"),
+      );
+    const { communityAiConfigParser } = await esmock(
+      "./communityAiConfigParser.js",
+      {
+        "node:fs": { readFileSync },
+      },
+    );
+
+    const result = communityAiConfigParser.parse([
+      "/repo/opencode.json",
+      "/repo/.claude/skills/release/SKILL.md",
+    ]);
+    const agent = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "agent-config",
+    );
+    const skill = result.components.find(
+      (component) => getProp(component, "cdx:file:kind") === "skill-file",
+    );
+
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:description"),
+      "Deploy with https://example.com/release and [redacted]",
+    );
+    assert.strictEqual(
+      getProp(agent, "cdx:agent:permission"),
+      JSON.stringify({
+        endpoints: ["https://example.com/private"],
+      }),
+    );
+    assert.strictEqual(
+      getProp(skill, "cdx:skill:metadata"),
+      JSON.stringify({
+        endpoint: "https://example.com/skill",
+        apiKey: "[redacted]",
+      }),
+    );
+  });
 });

package/lib/helpers/depsUtils.js

@@ -272,6 +272,11 @@ export function trimComponents(components) {
                   if (!existIdent.methods) {
                     existIdent.methods = [];
                   }
+                  if (aident.tools?.length) {
+                    existIdent.tools = Array.from(
+                      new Set([...(existIdent.tools || []), ...aident.tools]),
+                    );
+                  }
                   let isDup = false;
                   for (const emethod of existIdent.methods) {
                     if (emethod?.value === amethod?.value) {

package/lib/helpers/depsUtils.poku.js

@@ -208,6 +208,61 @@ describe("trimComponents()", () => {
       { alg: "SHA-256", content: "def456" },
     ]);
   });
+
+  it("retains identity tool references when merging duplicate components", () => {
+    const components = [
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/trivy@0.1.0"],
+            },
+          ],
+        },
+      },
+      {
+        name: "openssl",
+        version: "3.0.0",
+        purl: "pkg:rpm/redhat/openssl@3.0.0",
+        type: "library",
+        evidence: {
+          identity: [
+            {
+              field: "purl",
+              confidence: 1,
+              methods: [
+                {
+                  technique: "binary-analysis",
+                  confidence: 1,
+                  value: "openssl",
+                },
+              ],
+              tools: ["pkg:generic/blint@1.2.3"],
+            },
+          ],
+        },
+      },
+    ];
+    const result = trimComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.deepStrictEqual(result[0].evidence.identity[0].tools, [
+      "pkg:generic/trivy@0.1.0",
+      "pkg:generic/blint@1.2.3",
+    ]);
+  });
 });
 
 describe("mergeServices()", () => {