@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/helpers/mcpConfigParser.poku.js

@@ -69,7 +69,7 @@ describe("mcpConfigParser", () => {
             args: [
               "--token",
               "sk_test_super_secret_value",
-              "https://docs.example.com/mcp",
+              "https://user:pass@docs.example.com/mcp?access_token=secret#frag",
             ],
             command: "npx",
             env: {
@@ -99,7 +99,7 @@ describe("mcpConfigParser", () => {
     );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialExposureFieldCount"),
-      "3",
+      "4",
     );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialReferenceCount"),
@@ -109,6 +109,12 @@ describe("mcpConfigParser", () => {
       getProp(component, "cdx:mcp:credentialExposedServiceCount"),
       "1",
     );
+    assert.strictEqual(getProp(service, "cdx:mcp:command"), "npx");
+    assert.deepStrictEqual(service.endpoints, ["https://docs.example.com/mcp"]);
+    assert.strictEqual(
+      getProp(component, "cdx:mcp:configuredEndpoints"),
+      "https://docs.example.com/mcp",
+    );
     assert.strictEqual(
       getProp(service, "cdx:mcp:credentialRiskIndicators"),
       undefined,
@@ -123,4 +129,35 @@ describe("mcpConfigParser", () => {
       undefined,
     );
   });
+
+  it("summarizes Windows executable paths with spaces safely", async () => {
+    const readFileSync = sinon.stub();
+    const scanTextForHiddenUnicode = sinon.stub().returns({
+      hasHiddenUnicode: false,
+    });
+    readFileSync.withArgs("/repo/.vscode/mcp.json", "utf-8").returns(
+      JSON.stringify({
+        mcpServers: {
+          releaseDocs: {
+            args: ["--inspect"],
+            command: "C:\\Program Files\\nodejs\\node.exe --inspect",
+            mcp: true,
+            transport: "stdio",
+          },
+        },
+      }),
+    );
+    const { mcpConfigParser } = await esmock("./mcpConfigParser.js", {
+      "node:fs": { readFileSync },
+      "./unicodeScan.js": { scanTextForHiddenUnicode },
+    });
+
+    const result = mcpConfigParser.parse(["/repo/.vscode/mcp.json"]);
+
+    assert.strictEqual(
+      getProp(result.services[0], "cdx:mcp:command") ||
+        getProp(result.components[0], "cdx:mcp:command"),
+      "node.exe",
+    );
+  });
 });

package/lib/helpers/osqueryTransform.js

@@ -65,6 +65,53 @@ export function sanitizeOsQueryIdentity(value) {
     .replace(/[}]$/g, "");
 }
 
+export function sanitizeOsQueryBomRefValue(value, fallback = "unknown") {
+  const normalizedValue = String(value || "")
+    .replace(/[\r\n\t]+/g, " ")
+    .replace(/\s+/g, " ")
+    .trim();
+  if (!normalizedValue || normalizedValue === "null") {
+    return fallback;
+  }
+  return normalizedValue.replace(/[:@#\[\]=]/g, "-");
+}
+
+export function createOsQueryFallbackBomRef(
+  queryCategory,
+  componentType,
+  name,
+  version,
+  identityField,
+  identityValue,
+) {
+  const categoryRef = sanitizeOsQueryBomRefValue(queryCategory, "component");
+  const componentTypeRef = sanitizeOsQueryBomRefValue(
+    componentType,
+    "component",
+  );
+  const nameRef = sanitizeOsQueryBomRefValue(
+    name || queryCategory,
+    "component",
+  );
+  const versionRef = sanitizeOsQueryBomRefValue(version, "unknown");
+  const baseBomRef = `osquery:${categoryRef}:${componentTypeRef}:${nameRef}@${versionRef}`;
+  if (!identityField || !identityValue) {
+    return baseBomRef;
+  }
+  const identityFieldRef = sanitizeOsQueryBomRefValue(
+    identityField,
+    "identity",
+  );
+  const identityValueRef = sanitizeOsQueryBomRefValue(identityValue, "unknown");
+  return `${baseBomRef}[${identityFieldRef}=${identityValueRef}]`;
+}
+
+export function shouldCreateOsQueryPurl(componentType) {
+  return !["cryptographic-asset", "data", "device", "information"].includes(
+    componentType || "",
+  );
+}
+
 export function createOsQueryPurl(
   purlType,
   group,

package/lib/helpers/osqueryTransform.poku.js

@@ -1,12 +1,15 @@
 import { assert, describe, it } from "poku";
 
 import {
+  createOsQueryFallbackBomRef,
   createOsQueryPurl,
   deriveOsQueryDescription,
   deriveOsQueryName,
   deriveOsQueryPublisher,
   deriveOsQueryVersion,
+  sanitizeOsQueryBomRefValue,
   sanitizeOsQueryIdentity,
+  shouldCreateOsQueryPurl,
 } from "./osqueryTransform.js";
 
 describe("osqueryTransform helpers", () => {
@@ -46,4 +49,48 @@ describe("osqueryTransform helpers", () => {
     assert.ok(purl.startsWith("pkg:swid/microsoft/"));
     assert.ok(purl.includes("@22H2"));
   });
+
+  it("creates readable fallback bom-ref strings for non-package osquery rows", () => {
+    const bomRef = createOsQueryFallbackBomRef(
+      "authorized_keys_snapshot",
+      "data",
+      "root",
+      "ssh-ed25519",
+      "key_file",
+      "/root/.ssh/authorized_keys",
+    );
+    assert.strictEqual(
+      bomRef,
+      "osquery:authorized_keys_snapshot:data:root@ssh-ed25519[key_file=/root/.ssh/authorized_keys]",
+    );
+  });
+
+  it("omits the bracketed suffix when no extra identity field exists", () => {
+    const bomRef = createOsQueryFallbackBomRef(
+      "windows_run_keys",
+      "data",
+      "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
+      undefined,
+    );
+    assert.strictEqual(
+      bomRef,
+      "osquery:windows_run_keys:data:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater@unknown",
+    );
+  });
+
+  it("sanitizes fallback bom-ref fragments without percent-encoding them", () => {
+    assert.strictEqual(
+      sanitizeOsQueryBomRefValue(" launchd: updater@[user]=#1\n"),
+      "launchd- updater--user---1",
+    );
+  });
+
+  it("limits purl generation to package-like osquery component types", () => {
+    assert.strictEqual(shouldCreateOsQueryPurl(undefined), true);
+    assert.strictEqual(shouldCreateOsQueryPurl("application"), true);
+    assert.strictEqual(shouldCreateOsQueryPurl("operating-system"), true);
+    assert.strictEqual(shouldCreateOsQueryPurl("data"), false);
+    assert.strictEqual(shouldCreateOsQueryPurl("device"), false);
+    assert.strictEqual(shouldCreateOsQueryPurl("cryptographic-asset"), false);
+  });
 });

package/lib/helpers/plugins.js

@@ -0,0 +1,349 @@
+import { arch as runtimeArch, platform as runtimePlatform } from "node:os";
+import { delimiter, join } from "node:path";
+import process from "node:process";
+
+import {
+  DEBUG_MODE,
+  dirNameStr,
+  retrieveCdxgenPluginVersion,
+  safeExistsSync,
+  safeSpawnSync,
+} from "./utils.js";
+
+const PLUGIN_ENV_COMMAND_NAMES = {
+  "cargo-auditable": "CARGO_AUDITABLE_CMD",
+  dosai: "DOSAI_CMD",
+  osquery: "OSQUERY_CMD",
+  sourcekitten: "SOURCEKITTEN_CMD",
+  trivy: "TRIVY_CMD",
+  trustinspector: "TRUSTINSPECTOR_CMD",
+};
+
+function isMusl() {
+  const result = safeSpawnSync("ldd", ["--version"]);
+  return result?.stdout?.includes("musl") || result?.stderr?.includes("musl");
+}
+
+/**
+ * Determine the normalized plugin target tuple for the current runtime.
+ *
+ * @returns {{arch: string, extn: string, platform: string, pluginsBinSuffix: string}}
+ */
+export function getPluginsBinTarget() {
+  let platform = runtimePlatform();
+  let extn = "";
+  let pluginsBinSuffix = "";
+  if (platform === "win32") {
+    platform = "windows";
+    extn = ".exe";
+  } else if (platform === "linux" && isMusl()) {
+    platform = "linuxmusl";
+  }
+
+  let arch = `${runtimeArch()}`;
+  if (arch === "x32") {
+    arch = "386";
+  } else if (arch === "x64") {
+    arch = "amd64";
+    pluginsBinSuffix = `-${platform}-amd64`;
+  } else if (arch === "arm64") {
+    pluginsBinSuffix = `-${platform}-arm64`;
+  } else if (arch === "ppc64") {
+    arch = "ppc64le";
+    pluginsBinSuffix = "-ppc64";
+  }
+
+  return {
+    arch,
+    extn,
+    platform,
+    pluginsBinSuffix,
+  };
+}
+
+/**
+ * Resolve the cdxgen companion plugins directory for the current runtime.
+ *
+ * @returns {{
+ *   arch: string,
+ *   extn: string,
+ *   extraNMBinPath: string|undefined,
+ *   platform: string,
+ *   pluginManifestFile: string|undefined,
+ *   pluginVersion: string|undefined,
+ *   pluginsBinSuffix: string,
+ *   pluginsDir: string,
+ * }}
+ */
+export function resolveCdxgenPlugins() {
+  const target = getPluginsBinTarget();
+  const pluginVersion = retrieveCdxgenPluginVersion();
+  let pluginsDir = process.env.CDXGEN_PLUGINS_DIR || "";
+  let extraNMBinPath;
+
+  if (
+    !pluginsDir &&
+    safeExistsSync(join(dirNameStr, "plugins")) &&
+    safeExistsSync(join(dirNameStr, "plugins", "trivy"))
+  ) {
+    pluginsDir = join(dirNameStr, "plugins");
+  }
+
+  if (
+    !pluginsDir &&
+    safeExistsSync(
+      join(
+        dirNameStr,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      ),
+    ) &&
+    safeExistsSync(
+      join(
+        dirNameStr,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+        "trivy",
+      ),
+    )
+  ) {
+    pluginsDir = join(
+      dirNameStr,
+      "node_modules",
+      "@cdxgen",
+      `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+      "plugins",
+    );
+    if (safeExistsSync(join(dirNameStr, "node_modules", ".bin"))) {
+      extraNMBinPath = join(dirNameStr, "node_modules", ".bin");
+    }
+  }
+
+  if (!pluginsDir) {
+    let globalNodePath = process.env.GLOBAL_NODE_MODULES_PATH || undefined;
+    if (!globalNodePath) {
+      if (DEBUG_MODE) {
+        console.log(
+          'Trying to find the global node_modules path with "pnpm root -g" command.',
+        );
+      }
+      const result = safeSpawnSync(
+        target.platform === "windows" ? "pnpm.cmd" : "pnpm",
+        ["root", "-g"],
+      );
+      if (result?.stdout) {
+        globalNodePath = `${result.stdout.trim()}/`;
+      }
+    }
+
+    let globalPlugins;
+    if (globalNodePath) {
+      globalPlugins = join(
+        globalNodePath,
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      extraNMBinPath = join(
+        globalNodePath,
+        "..",
+        ".pnpm",
+        "node_modules",
+        ".bin",
+      );
+    }
+
+    let altGlobalPlugins;
+    if (
+      dirNameStr.includes(join("node_modules", ".pnpm", "@cyclonedx+cdxgen"))
+    ) {
+      const tmpA = dirNameStr.split(join("node_modules", ".pnpm"));
+      altGlobalPlugins = join(
+        tmpA[0],
+        "node_modules",
+        ".pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      if (safeExistsSync(join(tmpA[0], "node_modules", ".bin"))) {
+        extraNMBinPath = join(tmpA[0], "node_modules", ".bin");
+      }
+    } else if (dirNameStr.includes(join(".pnpm", "@cyclonedx+cdxgen"))) {
+      const tmpA = dirNameStr.split(".pnpm");
+      altGlobalPlugins = join(
+        tmpA[0],
+        ".pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      if (safeExistsSync(join(tmpA[0], ".bin"))) {
+        extraNMBinPath = join(tmpA[0], ".bin");
+      }
+    } else if (dirNameStr.includes(join("caxa", "applications"))) {
+      altGlobalPlugins = join(
+        dirNameStr,
+        "node_modules",
+        "pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      extraNMBinPath = join(dirNameStr, "node_modules", ".bin");
+    }
+
+    if (globalPlugins && safeExistsSync(globalPlugins)) {
+      pluginsDir = globalPlugins;
+      if (DEBUG_MODE) {
+        console.log("Found global plugins", pluginsDir);
+      }
+    } else if (altGlobalPlugins && safeExistsSync(altGlobalPlugins)) {
+      pluginsDir = altGlobalPlugins;
+      if (DEBUG_MODE) {
+        console.log("Found global plugins", pluginsDir);
+      }
+    }
+  }
+
+  if (!pluginsDir) {
+    if (DEBUG_MODE) {
+      console.warn(
+        "The optional cdxgen plugin was not found. Please install cdxgen without excluding optional dependencies if needed.",
+      );
+    }
+    pluginsDir = "";
+  }
+
+  const pluginManifestFile = safeExistsSync(
+    join(pluginsDir, "plugins-manifest.json"),
+  )
+    ? join(pluginsDir, "plugins-manifest.json")
+    : undefined;
+
+  return {
+    ...target,
+    extraNMBinPath,
+    pluginManifestFile,
+    pluginVersion,
+    pluginsDir,
+  };
+}
+
+function getPluginRuntimeCacheKey() {
+  return [
+    process.env.CDXGEN_PLUGINS_DIR || "",
+    process.env.GLOBAL_NODE_MODULES_PATH || "",
+  ].join("\u0000");
+}
+
+let cachedPluginRuntime;
+let cachedPluginRuntimeKey;
+
+/**
+ * Retrieve the default plugin runtime, recomputing it only when the
+ * environment that influences plugin discovery changes.
+ *
+ * @returns {ReturnType<typeof resolveCdxgenPlugins>} The resolved plugin runtime.
+ */
+export function getDefaultPluginRuntime() {
+  const cacheKey = getPluginRuntimeCacheKey();
+  if (!cachedPluginRuntime || cachedPluginRuntimeKey !== cacheKey) {
+    cachedPluginRuntime = resolveCdxgenPlugins();
+    cachedPluginRuntimeKey = cacheKey;
+  }
+  return cachedPluginRuntime;
+}
+
+/**
+ * Add the detected node_modules binary directory to PATH when present.
+ *
+ * @param {ReturnType<typeof resolveCdxgenPlugins>} [pluginRuntime] Detected plugin runtime.
+ * @returns {ReturnType<typeof resolveCdxgenPlugins>} The resolved plugin runtime.
+ */
+export function setPluginsPathEnv(pluginRuntime = undefined) {
+  pluginRuntime ??= getDefaultPluginRuntime();
+  if (
+    pluginRuntime.extraNMBinPath &&
+    !process.env?.PATH?.includes(pluginRuntime.extraNMBinPath)
+  ) {
+    process.env.PATH = `${pluginRuntime.extraNMBinPath}${delimiter}${process.env.PATH}`;
+  }
+  return pluginRuntime;
+}
+
+function resolveBundledPluginBinary(toolName, pluginRuntime) {
+  if (!pluginRuntime.pluginsDir) {
+    return undefined;
+  }
+  if (!safeExistsSync(join(pluginRuntime.pluginsDir, toolName))) {
+    return undefined;
+  }
+  switch (toolName) {
+    case "trivy":
+      return join(
+        pluginRuntime.pluginsDir,
+        "trivy",
+        `trivy-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "cargo-auditable":
+      return join(
+        pluginRuntime.pluginsDir,
+        "cargo-auditable",
+        `cargo-auditable-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "osquery": {
+      let osqueryBin = join(
+        pluginRuntime.pluginsDir,
+        "osquery",
+        `osqueryi-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+      if (pluginRuntime.platform === "darwin") {
+        osqueryBin = `${osqueryBin}.app/Contents/MacOS/osqueryd`;
+      }
+      return osqueryBin;
+    }
+    case "dosai":
+      return join(
+        pluginRuntime.pluginsDir,
+        "dosai",
+        `dosai-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "trustinspector":
+      return join(
+        pluginRuntime.pluginsDir,
+        "trustinspector",
+        `trustinspector-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "sourcekitten":
+      return join(pluginRuntime.pluginsDir, "sourcekitten", "sourcekitten");
+    default:
+      return undefined;
+  }
+}
+
+/**
+ * Resolve a known plugin binary path, honoring explicit environment overrides.
+ *
+ * @param {string} toolName Tool identifier.
+ * @param {ReturnType<typeof resolveCdxgenPlugins>} [pluginRuntime] Detected plugin runtime.
+ * @returns {string|undefined} Resolved binary path or configured override.
+ */
+export function resolvePluginBinary(toolName, pluginRuntime = undefined) {
+  pluginRuntime ??= getDefaultPluginRuntime();
+  const envCommandName = PLUGIN_ENV_COMMAND_NAMES[toolName];
+  if (envCommandName && process.env[envCommandName]) {
+    return process.env[envCommandName];
+  }
+  return resolveBundledPluginBinary(toolName, pluginRuntime);
+}

package/lib/helpers/plugins.poku.js

@@ -0,0 +1,57 @@
+import { mkdirSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import process from "node:process";
+
+import { assert, describe, it } from "poku";
+
+import { resolveCdxgenPlugins, resolvePluginBinary } from "./plugins.js";
+
+describe("plugins helper", () => {
+  it("resolvePluginBinary() prefers explicit OSQUERY_CMD overrides", () => {
+    const previousOsqueryCmd = process.env.OSQUERY_CMD;
+    try {
+      process.env.OSQUERY_CMD = "/tmp/osqueryd";
+      assert.strictEqual(resolvePluginBinary("osquery"), "/tmp/osqueryd");
+    } finally {
+      if (previousOsqueryCmd === undefined) {
+        delete process.env.OSQUERY_CMD;
+      } else {
+        process.env.OSQUERY_CMD = previousOsqueryCmd;
+      }
+    }
+  });
+
+  it("resolveCdxgenPlugins() honors CDXGEN_PLUGINS_DIR for bundled osquery binaries", () => {
+    const pluginsDir = mkdtempSync(join(tmpdir(), "cdxgen-plugins-helper-"));
+    const previousPluginsDir = process.env.CDXGEN_PLUGINS_DIR;
+    try {
+      mkdirSync(join(pluginsDir, "osquery"), { recursive: true });
+      process.env.CDXGEN_PLUGINS_DIR = pluginsDir;
+      const pluginRuntime = resolveCdxgenPlugins();
+      const osqueryBinary = resolvePluginBinary("osquery", pluginRuntime);
+      const expectedPrefix = join(
+        pluginsDir,
+        "osquery",
+        `osqueryi-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+
+      assert.strictEqual(pluginRuntime.pluginsDir, pluginsDir);
+      if (pluginRuntime.platform === "darwin") {
+        assert.strictEqual(
+          osqueryBinary,
+          `${expectedPrefix}.app/Contents/MacOS/osqueryd`,
+        );
+      } else {
+        assert.strictEqual(osqueryBinary, expectedPrefix);
+      }
+    } finally {
+      rmSync(pluginsDir, { force: true, recursive: true });
+      if (previousPluginsDir === undefined) {
+        delete process.env.CDXGEN_PLUGINS_DIR;
+      } else {
+        process.env.CDXGEN_PLUGINS_DIR = previousPluginsDir;
+      }
+    }
+  });
+});