npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/cli/asar.poku.js ADDED Viewed

@@ -0,0 +1,328 @@
+import { createHash } from "node:crypto";
+import { mkdirSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import process from "node:process";
+import { assert, describe, it } from "poku";
+import {
+  createAsarFixture,
+  writeElectronAsarIntegrityPlist,
+} from "../../test/helpers/asar-fixture-builder.js";
+import { readAsarArchiveHeaderSync } from "../helpers/asarutils.js";
+import { auditBom } from "../stages/postgen/auditBom.js";
+import { postProcess } from "../stages/postgen/postgen.js";
+import { validateBom } from "../validator/bomValidator.js";
+import { createAsarBom } from "./index.js";
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+if (process.platform !== "win32") {
+  describe("createAsarBom()", () => {
+    it("catalogs ASAR archives, extracts nested npm metadata, and surfaces audit findings", async () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-asar-cli-"));
+      const archivePath = join(fixtureRoot, "app.asar");
+      createAsarFixture(archivePath, {
+        corruptIntegrityPaths: ["config/settings.json"],
+        executablePaths: ["scripts/postinstall.js"],
+        unpackedPaths: ["native/addon.node"],
+      });
+      try {
+        const bomData = await createAsarBom(archivePath, {
+          installDeps: false,
+          multiProject: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+        assert.strictEqual(bomData.parentComponent.name, "Sample Electron App");
+        assert.strictEqual(
+          getProp(bomData.parentComponent, "cdx:asar:hasEval"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(bomData.parentComponent, "cdx:asar:hasDynamicFetch"),
+          "true",
+        );
+        assert.strictEqual(
+          getProp(bomData.parentComponent, "cdx:asar:hasNativeAddons"),
+          "true",
+        );
+        const mainFileComponent = bomData.bomJson.components.find(
+          (component) => getProp(component, "cdx:asar:path") === "src/main.js",
+        );
+        assert.ok(mainFileComponent, "expected src/main.js component");
+        assert.strictEqual(
+          getProp(mainFileComponent, "cdx:asar:js:capability:network"),
+          "true",
+        );
+        const sketchyAddon = bomData.bomJson.components.find(
+          (component) => component.name === "sketchy-addon",
+        );
+        assert.ok(sketchyAddon, "expected extracted npm component");
+        assert.ok(
+          String(getProp(sketchyAddon, "SrcFile") || "").includes(
+            `${archivePath}#/`,
+          ),
+        );
+        const postProcessed = postProcess(bomData, {
+          bomAudit: true,
+          bomAuditCategories: ["asar-archive"],
+          installDeps: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        const findings = await auditBom(postProcessed.bomJson, {
+          bomAuditCategories: ["asar-archive"],
+        });
+        assert.ok(
+          findings.some((finding) => finding.ruleId === "ASAR-001"),
+          "expected ASAR eval/dynamic execution finding",
+        );
+        assert.ok(
+          findings.some((finding) => finding.ruleId === "ASAR-004"),
+          "expected embedded npm install-script finding",
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+    it("scans directories containing multiple ASAR archives", async () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-asar-dir-"));
+      const firstArchivePath = join(fixtureRoot, "app-one.asar");
+      const secondArchivePath = join(fixtureRoot, "nested", "app-two.asar");
+      mkdirSync(join(fixtureRoot, "nested"), { recursive: true });
+      createAsarFixture(firstArchivePath, {
+        extraEntries: {
+          "src/one.js": { content: "export const one = 1;\n" },
+        },
+      });
+      createAsarFixture(secondArchivePath, {
+        extraEntries: {
+          "package.json": {
+            content: JSON.stringify({
+              name: "sample-electron-app-two",
+              version: "2.0.0",
+              main: "src/two.js",
+            }),
+          },
+          "src/two.js": { content: "export const two = 2;\n" },
+        },
+      });
+      try {
+        const bomData = await createAsarBom(fixtureRoot, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        const archiveComponents = (bomData.bomJson?.components || []).filter(
+          (component) => getProp(component, "cdx:file:kind") === "asar-archive",
+        );
+        assert.strictEqual(archiveComponents.length, 2);
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+    it("keeps distinct nested ASAR archives with different virtual paths", async () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-asar-case-"));
+      const outerArchivePath = join(fixtureRoot, "outer.asar");
+      const firstNestedArchivePath = join(fixtureRoot, "first-nested.asar");
+      const secondNestedArchivePath = join(fixtureRoot, "second-nested.asar");
+      createAsarFixture(firstNestedArchivePath);
+      createAsarFixture(secondNestedArchivePath, {
+        extraEntries: {
+          "package.json": {
+            content: JSON.stringify({
+              name: "sample-electron-app-upper",
+              version: "4.5.6",
+              main: "src/main.js",
+            }),
+          },
+        },
+      });
+      createAsarFixture(outerArchivePath, {
+        extraEntries: {
+          "nested/first/core.asar": {
+            content: readFileSync(firstNestedArchivePath),
+          },
+          "nested/second/core.asar": {
+            content: readFileSync(secondNestedArchivePath),
+          },
+        },
+      });
+      try {
+        const bomData = await createAsarBom(outerArchivePath, {
+          installDeps: false,
+          multiProject: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        const nestedArchiveComponents = (
+          bomData.bomJson?.components || []
+        ).filter(
+          (component) =>
+            getProp(component, "cdx:file:kind") === "asar-archive" &&
+            String(getProp(component, "SrcFile") || "").startsWith(
+              `${outerArchivePath}#/nested/`,
+            ),
+        );
+        assert.strictEqual(nestedArchiveComponents.length, 2);
+        assert.ok(
+          nestedArchiveComponents.some(
+            (component) =>
+              getProp(component, "SrcFile") ===
+              `${outerArchivePath}#/nested/first/core.asar`,
+          ),
+        );
+        assert.ok(
+          nestedArchiveComponents.some(
+            (component) =>
+              getProp(component, "SrcFile") ===
+              `${outerArchivePath}#/nested/second/core.asar`,
+          ),
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+    it("recursively scans nested ASAR archives and rewrites nested evidence paths", async () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-asar-nested-"));
+      const archivePath = join(fixtureRoot, "outer.asar");
+      const nestedArchivePath = join(fixtureRoot, "inner.asar");
+      createAsarFixture(nestedArchivePath, {
+        extraEntries: {
+          "node_modules/inner-addon/package.json": {
+            content: JSON.stringify({
+              name: "inner-addon",
+              version: "1.0.0",
+            }),
+          },
+          "package-lock.json": {
+            content: JSON.stringify({
+              lockfileVersion: 3,
+              name: "inner-electron-app",
+              packages: {
+                "": {
+                  dependencies: {
+                    "inner-addon": "1.0.0",
+                  },
+                  name: "inner-electron-app",
+                  version: "9.9.9",
+                },
+                "node_modules/inner-addon": {
+                  name: "inner-addon",
+                  version: "1.0.0",
+                },
+              },
+            }),
+          },
+          "package.json": {
+            content: JSON.stringify({
+              dependencies: {
+                "inner-addon": "1.0.0",
+              },
+              name: "inner-electron-app",
+              version: "9.9.9",
+              main: "src/main.js",
+            }),
+          },
+        },
+      });
+      createAsarFixture(archivePath, {
+        extraEntries: {
+          "nested/core.asar": {
+            content: readFileSync(nestedArchivePath),
+          },
+        },
+      });
+      try {
+        const bomData = await createAsarBom(archivePath, {
+          installDeps: false,
+          multiProject: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        const nestedArchiveComponent = bomData.bomJson.components.find(
+          (component) =>
+            getProp(component, "cdx:file:kind") === "asar-archive" &&
+            getProp(component, "SrcFile") ===
+              `${archivePath}#/nested/core.asar`,
+        );
+        const nestedMainFileComponent = bomData.bomJson.components.find(
+          (component) =>
+            getProp(component, "cdx:asar:path") === "src/main.js" &&
+            component.evidence?.occurrences?.some(
+              (occurrence) =>
+                occurrence.location ===
+                `${archivePath}#/nested/core.asar#/src/main.js`,
+            ),
+        );
+        const nestedNpmComponent = bomData.bomJson.components.find(
+          (component) =>
+            component.name === "inner-addon" &&
+            String(getProp(component, "SrcFile") || "").startsWith(
+              `${archivePath}#/nested/core.asar#/`,
+            ),
+        );
+        assert.ok(nestedArchiveComponent, "expected nested archive component");
+        assert.ok(
+          nestedMainFileComponent,
+          "expected nested archive file inventory component",
+        );
+        assert.ok(nestedNpmComponent, "expected nested archive npm component");
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+    it("produces a schema-valid BOM with ASAR signing crypto components", async () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-asar-signed-"));
+      const appDir = join(fixtureRoot, "Signed.app");
+      const archivePath = join(appDir, "Contents", "Resources", "app.asar");
+      mkdirSync(join(appDir, "Contents", "Resources"), { recursive: true });
+      createAsarFixture(archivePath);
+      const { headerString } = readAsarArchiveHeaderSync(archivePath);
+      const headerHash = createHash("sha256")
+        .update(headerString, "utf8")
+        .digest("hex");
+      writeElectronAsarIntegrityPlist(join(appDir, "Contents", "Info.plist"), {
+        "Resources/app.asar": {
+          algorithm: "SHA256",
+          hash: headerHash,
+        },
+      });
+      try {
+        const bomData = await createAsarBom(archivePath, {
+          installDeps: false,
+          multiProject: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        const postProcessed = postProcess(bomData, {
+          installDeps: false,
+          projectType: ["asar"],
+          specVersion: 1.7,
+        });
+        assert.strictEqual(validateBom(postProcessed.bomJson), true);
+        assert.ok(
+          postProcessed.bomJson.components.some(
+            (component) =>
+              component.type === "cryptographic-asset" &&
+              getProp(component, "cdx:asar:signingVerified") === "true",
+          ),
+          "expected a verified ASAR signing crypto component",
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+  });
+}