@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/helpers/propertySanitizer.js

@@ -0,0 +1,121 @@
+import path from "node:path";
+
+const DANGEROUS_OBJECT_KEYS = new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+]);
+const INLINE_CREDENTIAL_PATTERNS = [
+  /\bAKIA[0-9A-Z]{16}\b/gu,
+  /\bbearer\s+[a-z0-9._-]{16,}\b/giu,
+  /\b(?:sk|rk|pk)_[a-z0-9_-]{8,}\b/giu,
+  /\bgh[pousr]_[a-z0-9]{20,}\b/giu,
+  /\bAIza[0-9A-Za-z_-]{20,}\b/gu,
+];
+const JSON_PROPERTY_NAMES = new Set([
+  "cdx:agent:permission",
+  "cdx:mcp:toolAnnotations",
+  "cdx:skill:metadata",
+]);
+const URL_PATTERN = /https?:\/\/[^\s<>"'),\]}]+/giu;
+
+function sanitizeUrlForBom(value) {
+  const input = String(value || "").trim();
+  if (!input) {
+    return input;
+  }
+  try {
+    const parsed = new URL(input);
+    parsed.username = "";
+    parsed.password = "";
+    parsed.search = "";
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return input;
+  }
+}
+
+function sanitizeTextForBom(value) {
+  let sanitized = String(value ?? "");
+  sanitized = sanitized.replace(URL_PATTERN, (match) =>
+    sanitizeUrlForBom(match),
+  );
+  for (const pattern of INLINE_CREDENTIAL_PATTERNS) {
+    sanitized = sanitized.replace(pattern, "[redacted]");
+  }
+  return sanitized;
+}
+
+function sanitizeStructuredValueForBom(value) {
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeStructuredValueForBom(entry));
+  }
+  if (value && typeof value === "object") {
+    const sanitized = {};
+    for (const [key, entryValue] of Object.entries(value)) {
+      if (DANGEROUS_OBJECT_KEYS.has(key)) {
+        continue;
+      }
+      sanitized[key] = sanitizeStructuredValueForBom(entryValue);
+    }
+    return sanitized;
+  }
+  return value;
+}
+
+function extractCommandExecutable(command) {
+  const trimmedCommand = String(command || "").trim();
+  if (!trimmedCommand) {
+    return "";
+  }
+  const quotedMatch = trimmedCommand.match(/^(['"])(.*?)\1/u);
+  if (quotedMatch?.[2]) {
+    return quotedMatch[2];
+  }
+  const absolutePathMatch = trimmedCommand.match(
+    /^((?:[A-Za-z]:\\|\/).*?\.(?:bat|bin|cjs|cmd|com|exe|jar|js|mjs|ps1|py|rb|sh|ts|tsx))(?=\s|$)/iu,
+  );
+  if (absolutePathMatch?.[1]) {
+    return absolutePathMatch[1];
+  }
+  return trimmedCommand.split(/\s+/u)[0];
+}
+
+function summarizeExecutable(command) {
+  const executable = extractCommandExecutable(command);
+  if (!executable) {
+    return "configured";
+  }
+  if (executable.includes("\\")) {
+    return path.win32.basename(executable) || "configured";
+  }
+  return path.posix.basename(executable) || "configured";
+}
+
+export function sanitizeBomUrl(value) {
+  return sanitizeUrlForBom(value);
+}
+
+export function sanitizeBomPropertyValue(name, value) {
+  if (value === undefined || value === null || value === "") {
+    return value;
+  }
+  if (name === "cdx:mcp:command") {
+    const sanitizedCommand = sanitizeTextForBom(value).trim();
+    if (!sanitizedCommand) {
+      return sanitizedCommand;
+    }
+    return summarizeExecutable(sanitizedCommand);
+  }
+  if (JSON_PROPERTY_NAMES.has(name) || typeof value === "object") {
+    return JSON.stringify(sanitizeStructuredValueForBom(value));
+  }
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  return value;
+}

package/lib/helpers/protobom.js

@@ -1,26 +1,151 @@
 import { readFileSync } from "node:fs";
 
-import { cdx_16, cdx_17 } from "@appthreat/cdx-proto";
 import {
-  fromBinary,
-  fromJsonString,
-  toBinary,
-  toJson,
-} from "@bufbuild/protobuf";
+  createBom,
+  decodeBomBinary,
+  decodeBomJson,
+  encodeBomBinary,
+  encodeBomJson,
+  parseBomBinary,
+  parseBomJson,
+  supportedSpecVersions,
+} from "@appthreat/cdx-proto";
 
 import { safeExistsSync, safeWriteSync } from "./utils.js";
 
+const JSON_READ_OPTIONS = {
+  ignoreUnknownFields: true,
+};
+
+const BINARY_READ_OPTIONS = {
+  readUnknownFields: true,
+};
+
+const BINARY_WRITE_OPTIONS = {
+  writeUnknownFields: true,
+};
+
+const PROTO_BOM_FILE_EXTENSIONS = [".cdx", ".cdx.bin", ".proto"];
+
+const DEFAULT_SPEC_VERSION =
+  supportedSpecVersions[supportedSpecVersions.length - 1];
+
+const isProtoMessageBom = (bom) =>
+  Boolean(
+    bom &&
+      typeof bom === "object" &&
+      !Array.isArray(bom) &&
+      typeof bom.$typeName === "string" &&
+      bom.specVersion,
+  );
+
+const hasExplicitSpecVersion = (bomJson) =>
+  Boolean(
+    bomJson &&
+      typeof bomJson === "object" &&
+      !Array.isArray(bomJson) &&
+      (bomJson.specVersion !== undefined || bomJson.spec_version !== undefined),
+  );
+
+const OBJECT_WRAPPED_LIST_FIELDS = ["declarations", "definitions"];
+
+const isPlainObject = (value) =>
+  Boolean(value && typeof value === "object" && !Array.isArray(value));
+
+const normalizeObjectWrappedListsForProto = (bomJson) => {
+  if (!isPlainObject(bomJson)) {
+    return bomJson;
+  }
+  const normalizedBomJson = { ...bomJson };
+  for (const fieldName of OBJECT_WRAPPED_LIST_FIELDS) {
+    if (isPlainObject(normalizedBomJson[fieldName])) {
+      normalizedBomJson[fieldName] = [normalizedBomJson[fieldName]];
+    }
+  }
+  return normalizedBomJson;
+};
+
+const mergeObjectWrappedListEntries = (entries) => {
+  const mergedEntry = {};
+  for (const entry of entries) {
+    if (!isPlainObject(entry)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(entry)) {
+      if (value === undefined) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        mergedEntry[key] = [...(mergedEntry[key] || []), ...value];
+        continue;
+      }
+      if (isPlainObject(value) && isPlainObject(mergedEntry[key])) {
+        mergedEntry[key] = { ...mergedEntry[key], ...value };
+        continue;
+      }
+      if (mergedEntry[key] === undefined) {
+        mergedEntry[key] = value;
+      }
+    }
+  }
+  return Object.keys(mergedEntry).length ? mergedEntry : undefined;
+};
+
+const normalizeObjectWrappedListsFromProto = (bomJson) => {
+  if (!isPlainObject(bomJson)) {
+    return bomJson;
+  }
+  const normalizedBomJson = { ...bomJson };
+  for (const fieldName of OBJECT_WRAPPED_LIST_FIELDS) {
+    if (!Array.isArray(normalizedBomJson[fieldName])) {
+      continue;
+    }
+    const mergedEntry = mergeObjectWrappedListEntries(
+      normalizedBomJson[fieldName],
+    );
+    if (mergedEntry) {
+      normalizedBomJson[fieldName] = mergedEntry;
+    } else {
+      delete normalizedBomJson[fieldName];
+    }
+  }
+  return normalizedBomJson;
+};
+
+const resolveBomMessage = (bomJson, specVersion = DEFAULT_SPEC_VERSION) => {
+  if (isProtoMessageBom(bomJson)) {
+    return bomJson;
+  }
+  if (typeof bomJson === "string" || bomJson instanceof String) {
+    const parsedBomJson = normalizeObjectWrappedListsForProto(
+      JSON.parse(`${bomJson}`),
+    );
+    if (hasExplicitSpecVersion(parsedBomJson)) {
+      return parseBomJson(parsedBomJson, JSON_READ_OPTIONS);
+    }
+    return decodeBomJson(specVersion, parsedBomJson, JSON_READ_OPTIONS);
+  }
+  if (bomJson && typeof bomJson === "object" && !Array.isArray(bomJson)) {
+    const normalizedBomJson = normalizeObjectWrappedListsForProto(bomJson);
+    if (hasExplicitSpecVersion(normalizedBomJson)) {
+      return parseBomJson(normalizedBomJson, JSON_READ_OPTIONS);
+    }
+    return decodeBomJson(specVersion, normalizedBomJson, JSON_READ_OPTIONS);
+  }
+  return createBom(specVersion);
+};
+
 /**
- * Stringify the given bom json based on the type.
+ * Determine whether a path looks like a CycloneDX protobuf file.
  *
- * @param {string | Object} bomJson string or object
- * @returns {string} BOM json string
+ * @param {string} filePath File path
+ * @returns {boolean} true when the path looks like a protobuf BOM file
  */
-const stringifyIfNeeded = (bomJson) => {
-  if (typeof bomJson === "string" || bomJson instanceof String) {
-    return bomJson;
-  }
-  return JSON.stringify(bomJson);
+export const isProtoBomFile = (filePath) => {
+  const normalizedPath = `${filePath || ""}`.toLowerCase();
+  return PROTO_BOM_FILE_EXTENSIONS.some((extension) =>
+    normalizedPath.endsWith(extension),
+  );
 };
 
 /**
@@ -28,27 +153,16 @@ const stringifyIfNeeded = (bomJson) => {
  *
  * @param {string | Object} bomJson BOM Json
  * @param {string} binFile Binary file name
+ * @param {string | number} [specVersion] CycloneDX spec version fallback for BOMs without specVersion
  */
-export const writeBinary = (bomJson, binFile) => {
+export const writeBinary = (
+  bomJson,
+  binFile,
+  specVersion = DEFAULT_SPEC_VERSION,
+) => {
   if (bomJson && binFile) {
-    let bomSchema;
-    if (+bomJson.specVersion === 1.7) {
-      bomSchema = cdx_17.BomSchema;
-    } else {
-      bomSchema = cdx_16.BomSchema;
-    }
-    safeWriteSync(
-      binFile,
-      toBinary(
-        bomSchema,
-        fromJsonString(bomSchema, stringifyIfNeeded(bomJson), {
-          ignoreUnknownFields: true,
-        }),
-      ),
-      {
-        writeUnknownFields: true,
-      },
-    );
+    const bomMessage = resolveBomMessage(bomJson, specVersion);
+    safeWriteSync(binFile, encodeBomBinary(bomMessage, BINARY_WRITE_OPTIONS));
   }
 };
 
@@ -57,23 +171,20 @@ export const writeBinary = (bomJson, binFile) => {
  *
  * @param {string} binFile Binary file name
  * @param {boolean} asJson Convert to JSON
- * @param {number} specVersion Specification version. Defaults to 1.7
+ * @param {string | number} [specVersion] Optional specification version. When omitted, cdxgen auto-detects the matching schema.
  */
-export const readBinary = (binFile, asJson = true, specVersion = 1.7) => {
+export const readBinary = (binFile, asJson, specVersion) => {
+  asJson = asJson ?? true;
   if (!safeExistsSync(binFile)) {
     return undefined;
   }
-  let bomSchema;
-  if (specVersion === 1.7) {
-    bomSchema = cdx_17.BomSchema;
-  } else {
-    bomSchema = cdx_16.BomSchema;
-  }
-  const bomObject = fromBinary(bomSchema, readFileSync(binFile), {
-    readUnknownFields: true,
-  });
+  const binaryData = readFileSync(binFile);
+  const bomObject =
+    specVersion !== undefined && specVersion !== null && specVersion !== ""
+      ? decodeBomBinary(specVersion, binaryData, BINARY_READ_OPTIONS)
+      : parseBomBinary(binaryData, BINARY_READ_OPTIONS);
   if (asJson) {
-    return toJson(bomSchema, bomObject, { emitDefaultValues: true });
+    return normalizeObjectWrappedListsFromProto(encodeBomJson(bomObject));
   }
   return bomObject;
 };

package/lib/helpers/protobom.poku.js

@@ -3,27 +3,46 @@ import { join } from "node:path";
 
 import { assert, it } from "poku";
 
-import { readBinary, writeBinary } from "./protobom.js";
+import { isProtoBomFile, readBinary, writeBinary } from "./protobom.js";
 import { getTmpDir } from "./utils.js";
 
-const tempDir = mkdtempSync(join(getTmpDir(), "bin-tests-"));
 const testBom = JSON.parse(
   readFileSync("./test/data/bom-java.json", { encoding: "utf-8" }),
 );
+const cbomFixture = JSON.parse(
+  readFileSync("./test/data/bom-cbom-js-fixture.json", { encoding: "utf-8" }),
+);
+
+const createTempDir = () => mkdtempSync(join(getTmpDir(), "bin-tests-"));
+
+const cleanupTempDir = (tempDir) => {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+};
 
 it("proto binary tests", () => {
+  const tempDir = createTempDir();
   const binFile = join(tempDir, "test.cdx.bin");
   writeBinary({}, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
   writeBinary(testBom, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
+  assert.equal(isProtoBomFile(binFile), true);
+  assert.equal(isProtoBomFile("test.proto"), true);
+  assert.equal(isProtoBomFile("bom.json"), false);
   let bomObject = readBinary(binFile);
   assert.ok(bomObject);
   assert.deepStrictEqual(
     bomObject.serialNumber,
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
+  assert.deepStrictEqual(bomObject.bomFormat, "CycloneDX");
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
+  assert.equal(
+    bomObject.metadata.component.type.startsWith("CLASSIFICATION_"),
+    false,
+  );
   bomObject = readBinary(binFile, false, 1.5);
   assert.ok(bomObject);
   assert.deepStrictEqual(
@@ -31,7 +50,123 @@ it("proto binary tests", () => {
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
-  }
+  const modernBinFile = join(tempDir, "test-1.7.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      metadata: {
+        component: {
+          name: "cdxgen",
+          type: "application",
+        },
+      },
+      serialNumber: "urn:uuid:11111111-1111-1111-1111-111111111111",
+      specVersion: "1.7",
+      version: 1,
+    },
+    modernBinFile,
+  );
+  const modernBomObject = readBinary(modernBinFile);
+  assert.ok(modernBomObject);
+  assert.deepStrictEqual(modernBomObject.bomFormat, "CycloneDX");
+  assert.deepStrictEqual(modernBomObject.specVersion, "1.7");
+  assert.deepStrictEqual(
+    modernBomObject.metadata.component.type,
+    "application",
+  );
+  assert.deepStrictEqual(modernBomObject.metadata.component.name, "cdxgen");
+  cleanupTempDir(tempDir);
+});
+
+it("keeps canonical definitions and declarations as objects during proto round-trip", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "standard-sections.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      declarations: {
+        affirmation: {
+          statement: "verified",
+        },
+        claims: [
+          {
+            predicate: "meets-control",
+            target: "pkg:npm/demo-app@1.0.0",
+          },
+        ],
+      },
+      definitions: {
+        standards: [
+          {
+            name: "ASVS",
+            requirements: [
+              {
+                identifier: "V1.1",
+                title: "Authenticate requests",
+              },
+            ],
+            version: "5.0",
+          },
+        ],
+      },
+      metadata: {
+        component: {
+          name: "demo-app",
+          type: "application",
+          version: "1.0.0",
+        },
+      },
+      serialNumber: "urn:uuid:22222222-2222-2222-2222-222222222222",
+      specVersion: "1.7",
+      version: 1,
+    },
+    binFile,
+  );
+
+  const bomObject = readBinary(binFile);
+  assert.ok(bomObject);
+  assert.equal(Array.isArray(bomObject.definitions), false);
+  assert.equal(Array.isArray(bomObject.declarations), false);
+  assert.equal(bomObject.definitions.standards[0].name, "ASVS");
+  assert.equal(
+    bomObject.definitions.standards[0].requirements[0].identifier,
+    "V1.1",
+  );
+  assert.equal(bomObject.declarations.claims[0].predicate, "meets-control");
+  assert.equal(bomObject.declarations.affirmation.statement, "verified");
+  cleanupTempDir(tempDir);
+});
+
+it("round-trips real CBOM fixture data with cryptographic assets intact", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "cbom-fixture.cdx");
+  writeBinary(cbomFixture, binFile);
+
+  const bomObject = readBinary(binFile);
+  const cryptoComponents = (bomObject.components || []).filter(
+    (component) => component.type === "cryptographic-asset",
+  );
+
+  assert.ok(bomObject);
+  assert.equal(bomObject.specVersion, "1.7");
+  assert.ok(cryptoComponents.length >= 3);
+  assert.equal(
+    cryptoComponents.some(
+      (component) => component.cryptoProperties?.assetType === "algorithm",
+    ),
+    true,
+  );
+  assert.equal(
+    cryptoComponents.some((component) => component.purl !== undefined),
+    false,
+  );
+  assert.equal(
+    cryptoComponents.some(
+      (component) =>
+        component.name === "sha-512" &&
+        component.cryptoProperties?.oid === "2.16.840.1.101.3.4.2.3",
+    ),
+    true,
+  );
+  cleanupTempDir(tempDir);
 });

package/lib/helpers/remote/dependency-track.js

@@ -1,13 +1,46 @@
 import { Buffer } from "node:buffer";
 
+import { hasDangerousUnicode } from "../utils.js";
+
+/**
+ * Returns the Dependency-Track BOM API URL as a sanitized URL object.
+ *
+ * @param {string} serverUrl Dependency-Track server URL
+ * @returns {URL | undefined} API URL to submit BOM payload
+ */
+export function getDependencyTrackBomApiUrl(serverUrl) {
+  const rawServerUrl = `${serverUrl || ""}`.trim();
+  if (!rawServerUrl || hasDangerousUnicode(rawServerUrl)) {
+    return undefined;
+  }
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(rawServerUrl);
+  } catch {
+    return undefined;
+  }
+  if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+    return undefined;
+  }
+  if (!parsedUrl.hostname || hasDangerousUnicode(parsedUrl.hostname)) {
+    return undefined;
+  }
+  parsedUrl.username = "";
+  parsedUrl.password = "";
+  parsedUrl.search = "";
+  parsedUrl.hash = "";
+  parsedUrl.pathname = `${parsedUrl.pathname.replace(/\/+$/, "")}/api/v1/bom`;
+  return parsedUrl;
+}
+
 /**
- * Returns the Dependency-Track BOM API URL.
+ * Returns the Dependency-Track BOM API URL string.
  *
  * @param {string} serverUrl Dependency-Track server URL
- * @returns {string} API URL to submit BOM payload
+ * @returns {string | undefined} API URL to submit BOM payload
  */
 export function getDependencyTrackBomUrl(serverUrl) {
-  return `${serverUrl.replace(/\/$/, "")}/api/v1/bom`;
+  return getDependencyTrackBomApiUrl(serverUrl)?.toString();
 }
 
 /**

package/lib/helpers/remote/dependency-track.poku.js

@@ -2,6 +2,7 @@ import { assert, describe, it } from "poku";
 
 import {
   buildDependencyTrackBomPayload,
+  getDependencyTrackBomApiUrl,
   getDependencyTrackBomUrl,
 } from "./dependency-track.js";
 
@@ -17,6 +18,49 @@ describe("Dependency-Track helper tests", () => {
     );
   });
 
+  it("removes credentials, query strings, and fragments from the submission URL", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl(
+        "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+      ),
+      "https://dtrack.example.com/base/api/v1/bom",
+    );
+  });
+
+  it("returns a sanitized URL object for Dependency-Track requests", () => {
+    const apiUrl = getDependencyTrackBomApiUrl(
+      "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+    );
+    assert.ok(apiUrl instanceof URL);
+    assert.strictEqual(apiUrl?.hostname, "dtrack.example.com");
+    assert.strictEqual(apiUrl?.pathname, "/base/api/v1/bom");
+    assert.strictEqual(apiUrl?.username, "");
+    assert.strictEqual(apiUrl?.password, "");
+    assert.strictEqual(apiUrl?.search, "");
+    assert.strictEqual(apiUrl?.hash, "");
+  });
+
+  it("rejects malformed or unsupported submission URLs", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(getDependencyTrackBomUrl("not a url"), undefined);
+    assert.strictEqual(getDependencyTrackBomApiUrl("not a url"), undefined);
+  });
+
   it("builds payload with parentUUID and tags", () => {
     const payload = buildDependencyTrackBomPayload(
       {

package/lib/helpers/source.js

@@ -77,6 +77,21 @@ function isSafeGitRefName(refName) {
   return /^[A-Za-z0-9._/@+-]+$/.test(refName);
 }
 
+function inferGitOperation(args = []) {
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "-c" || arg === "--config-env") {
+      index += 1;
+      continue;
+    }
+    if (typeof arg === "string" && arg.startsWith("-")) {
+      continue;
+    }
+    return arg || "command";
+  }
+  return "command";
+}
+
 /**
  * Execute git with hardened defaults.
  *
@@ -86,6 +101,7 @@ function isSafeGitRefName(refName) {
  * @returns {Object} spawn result
  */
 export function hardenedGitCommand(args, options = {}) {
+  const gitOperation = inferGitOperation(args);
   const gitAllowProtocol = getGitAllowProtocol();
   const envConfigs = {
     GIT_CONFIG_COUNT: "2",
@@ -109,6 +125,14 @@ export function hardenedGitCommand(args, options = {}) {
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       };
   return safeSpawnSync("git", args, {
+    cdxgenActivity: {
+      blockedReason: `Dry run mode blocks git ${gitOperation} operations.`,
+      gitOperation,
+      kind: `git-${gitOperation}`,
+      metadata: {
+        capability: "git-operation",
+      },
+    },
     shell: false,
     cwd: options.cwd,
     env,