@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/lib/helpers/analyzer.poku.js

@@ -12,8 +12,11 @@ import { URL } from "node:url";
 import { assert, describe, it } from "poku";
 
 import {
+  analyzeJsCapabilitiesFile,
+  analyzeJsCryptoFile,
   analyzeSuspiciousJsFile,
   detectExtensionCapabilities,
+  detectJsCryptoInventory,
   detectMcpInventory,
   detectPythonMcpInventory,
   findJSImportsExports,
@@ -255,6 +258,24 @@ wasi.start(instance);
       );
     }
   });
+
+  it("honors exclude globs during JS import/export discovery", async () => {
+    const projectDir = createProjectFiles("imports-with-excludes", {
+      "src/index.js":
+        "import { readFileSync } from 'node:fs';\nvoid readFileSync;\n",
+      "test/ignored.js": "import net from 'node:net';\nvoid net;\n",
+      "node_modules/demo/index.js": "import tls from 'node:tls';\nvoid tls;\n",
+    });
+
+    const { allImports } = await findJSImportsExports(projectDir, {
+      deep: true,
+      exclude: ["**/test/**", "**/node_modules/**"],
+    });
+
+    assert.ok(allImports["node:fs"]);
+    assert.equal(allImports["node:net"], undefined);
+    assert.equal(allImports["node:tls"], undefined);
+  });
 });
 
 describe("detectExtensionCapabilities()", () => {
@@ -324,7 +345,328 @@ describe("analyzeSuspiciousJsFile()", () => {
   });
 });
 
+describe("analyzeJsCapabilitiesFile()", () => {
+  it("detects file, network, hardware, child-process, and dynamic fetch signals", () => {
+    const projectDir = createProject(
+      "js-capabilities",
+      [
+        "import fs from 'node:fs/promises';",
+        "import { execFile } from 'node:child_process';",
+        "import usb from 'usb';",
+        "const endpoint = process.env.API_URL;",
+        "await fs.readFile('config.json');",
+        "await fetch(endpoint);",
+        "await import(process.env.PLUGIN_NAME);",
+        "usb.getDeviceList();",
+        "execFile('sh', ['-c', 'echo hi']);",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCapabilitiesFile(join(projectDir, "index.js"));
+
+    assert.ok(analysis.capabilities.includes("fileAccess"));
+    assert.ok(analysis.capabilities.includes("network"));
+    assert.ok(analysis.capabilities.includes("hardware"));
+    assert.ok(analysis.capabilities.includes("childProcess"));
+    assert.ok(analysis.capabilities.includes("dynamicFetch"));
+    assert.ok(analysis.capabilities.includes("dynamicImport"));
+    assert.strictEqual(analysis.hasDynamicFetch, true);
+    assert.strictEqual(analysis.hasDynamicImport, true);
+  });
+
+  it("detects eval and vm-based code generation signals", () => {
+    const projectDir = createProject(
+      "js-capabilities-eval",
+      [
+        "import vm from 'node:vm';",
+        "eval('console.log(1)');",
+        "vm.runInNewContext('console.log(2)');",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCapabilitiesFile(join(projectDir, "index.js"));
+
+    assert.ok(analysis.capabilities.includes("codeGeneration"));
+    assert.strictEqual(analysis.hasEval, true);
+    assert.match(
+      (analysis.indicatorMap.codeGeneration || []).join(","),
+      /eval|vm\.runInNewContext/,
+    );
+  });
+});
+
+describe("analyzeJsCryptoFile()", () => {
+  it("detects crypto algorithms with light constant propagation", () => {
+    const projectDir = createProject(
+      "js-crypto-analysis",
+      [
+        "import { createHash, pbkdf2Sync, webcrypto } from 'node:crypto';",
+        "import jwt from 'jsonwebtoken';",
+        "import { SignJWT } from 'jose';",
+        "const subtle = webcrypto.subtle;",
+        "const digestName = 'sha256';",
+        "const digestOptions = { algorithm: 'RS256' };",
+        "const aesProfile = { name: 'AES-GCM', length: 256 };",
+        "const deriveProfile = { name: 'PBKDF2', hash: 'SHA-256' };",
+        "createHash(digestName);",
+        "pbkdf2Sync('secret', 'salt', 1000, 32, digestName);",
+        "subtle.digest('SHA-384', new Uint8Array());",
+        "subtle.generateKey(aesProfile, true, ['encrypt']);",
+        "subtle.deriveKey(deriveProfile, keyMaterial, aesProfile, false, ['encrypt']);",
+        "jwt.sign({ sub: '123' }, 'secret', digestOptions);",
+        "new SignJWT({ sub: '123' }).setProtectedHeader({ alg: 'ES256', enc: 'A256GCM' });",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const names = analysis.algorithms.map((algorithm) => algorithm.name);
+
+    assert.ok(names.includes("sha256"));
+    assert.ok(names.includes("SHA-384"));
+    assert.ok(names.includes("AES-GCM"));
+    assert.ok(names.includes("PBKDF2"));
+    assert.ok(names.includes("RS256"));
+    assert.ok(names.includes("ES256"));
+    assert.ok(names.includes("A256GCM"));
+    assert.ok(analysis.libraries.includes("jsonwebtoken"));
+    assert.ok(analysis.libraries.includes("jose"));
+    assert.ok(analysis.libraries.includes("node:crypto"));
+  });
+
+  it("avoids chained-call false positives and captures signing algorithm literals", () => {
+    const projectDir = createProject(
+      "js-crypto-signing-analysis",
+      [
+        "import crypto from 'node:crypto';",
+        "function createSignatureBlock(payload, privateKey, alg) {",
+        "  const hash = alg.replace('HS', 'sha');",
+        "  const value = crypto.createHmac(hash, privateKey).update(payload, 'utf8').digest('base64url');",
+        "  if (alg === 'Ed25519' || alg === 'Ed448') {",
+        "    return crypto.sign(null, Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  }",
+        "  return value;",
+        "}",
+        "export function signBom(payload, privateKey, algorithm = 'RS512') {",
+        "  return createSignatureBlock(payload, privateKey, algorithm);",
+        "}",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const names = analysis.algorithms.map((algorithm) => algorithm.name);
+
+    assert.ok(names.includes("RS512"));
+    assert.ok(names.includes("Ed25519"));
+    assert.ok(names.includes("Ed448"));
+    assert.ok(!names.includes("base64url"));
+  });
+
+  it("resolves crypto values through conditional branches, fallbacks, and reassignment", () => {
+    const projectDir = createProject(
+      "js-crypto-dynamic-branches",
+      [
+        "import { createHash, createHmac, webcrypto } from 'node:crypto';",
+        "import jwt from 'jsonwebtoken';",
+        "const subtle = webcrypto.subtle;",
+        "let digestName = 'sha256';",
+        "digestName = globalThis.__preferStrongDigest ? 'sha512' : 'sha384';",
+        "const hmacAlgorithm = globalThis.__preferStrongMac ? 'HS512' : 'HS256';",
+        "const derivedHash = hmacAlgorithm.replace('HS', 'sha');",
+        "const cipherProfiles = globalThis.__legacyCipher",
+        "  ? { active: { name: 'AES-CBC', length: 256 } }",
+        "  : { active: { name: 'AES-GCM', length: 256 } };",
+        "const signingAlgorithm = globalThis.__legacySignature ? 'RS256' : 'RS512';",
+        "const jwtOptions = globalThis.__jwtOptions ?? { algorithm: signingAlgorithm };",
+        "createHash(digestName);",
+        "createHmac(derivedHash, 'secret').update('payload').digest('hex');",
+        "subtle.generateKey(cipherProfiles.active, true, ['encrypt', 'decrypt']);",
+        "jwt.sign({ sub: '123' }, 'secret', jwtOptions);",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const names = analysis.algorithms.map((algorithm) => algorithm.name);
+
+    assert.ok(names.includes("sha256"));
+    assert.ok(names.includes("sha384"));
+    assert.ok(names.includes("sha512"));
+    assert.ok(names.includes("AES-CBC"));
+    assert.ok(names.includes("AES-GCM"));
+    assert.ok(names.includes("RS256"));
+    assert.ok(names.includes("RS512"));
+  });
+
+  it("narrows identifier values inside if-guarded crypto branches", () => {
+    const projectDir = createProject(
+      "js-crypto-if-guard-narrowing",
+      [
+        "import crypto from 'node:crypto';",
+        "function signPayload(payload, privateKey, alg) {",
+        "  let hashAlg = null;",
+        "  if (alg === 'RS256' || alg === 'RS512') {",
+        "    hashAlg = alg.replace('RS', 'SHA');",
+        "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  }",
+        "  if (alg !== 'RS384') {",
+        "    return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  } else {",
+        "    hashAlg = alg.replace('RS', 'SHA');",
+        "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  }",
+        "}",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const names = analysis.algorithms.map((algorithm) => algorithm.name);
+    const signAlgorithms = analysis.algorithms
+      .filter((algorithm) => algorithm.source === "node:crypto.sign")
+      .map((algorithm) => algorithm.name);
+
+    assert.ok(names.includes("RS256"));
+    assert.ok(names.includes("RS512"));
+    assert.ok(signAlgorithms.includes("SHA256"));
+    assert.ok(signAlgorithms.includes("SHA512"));
+    assert.ok(signAlgorithms.includes("SHA384"));
+    assert.ok(signAlgorithms.includes("SHA-224"));
+  });
+
+  it("narrows identifier values inside switch/case crypto branches", () => {
+    const projectDir = createProject(
+      "js-crypto-switch-guard-narrowing",
+      [
+        "import crypto from 'node:crypto';",
+        "function signPayloadWithSwitch(payload, privateKey, alg) {",
+        "  switch (alg) {",
+        "    case 'RS256':",
+        "    case 'RS512':",
+        "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "    case 'RS384':",
+        "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "    default:",
+        "      return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  }",
+        "}",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const signAlgorithms = analysis.algorithms
+      .filter((algorithm) => algorithm.source === "node:crypto.sign")
+      .map((algorithm) => algorithm.name);
+
+    assert.ok(signAlgorithms.includes("SHA256"));
+    assert.ok(signAlgorithms.includes("SHA512"));
+    assert.ok(signAlgorithms.includes("SHA384"));
+    assert.ok(signAlgorithms.includes("SHA-224"));
+  });
+
+  it("narrows switch default branches using a known finite identifier union", () => {
+    const projectDir = createProject(
+      "js-crypto-switch-default-narrowing",
+      [
+        "import crypto from 'node:crypto';",
+        "function signPayloadWithSwitchDefault(payload, privateKey) {",
+        "  const alg = globalThis.__preferLegacy ? 'RS256' : 'RS384';",
+        "  switch (alg) {",
+        "    case 'RS256':",
+        "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "    default:",
+        "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+        "  }",
+        "}",
+      ].join("\n"),
+    );
+
+    const analysis = analyzeJsCryptoFile(join(projectDir, "index.js"));
+    const signAlgorithms = analysis.algorithms
+      .filter((algorithm) => algorithm.source === "node:crypto.sign")
+      .map((algorithm) => algorithm.name);
+
+    assert.ok(signAlgorithms.includes("SHA256"));
+    assert.ok(signAlgorithms.includes("SHA384"));
+    assert.ok(!signAlgorithms.includes("SHA512"));
+  });
+});
+
+describe("detectJsCryptoInventory()", () => {
+  it("aggregates crypto algorithm usage across source files", async () => {
+    const projectDir = createProjectFiles("js-crypto-inventory", {
+      "src/hash.js": [
+        "import { createHash } from 'node:crypto';",
+        "const algo = 'sha512';",
+        "createHash(algo);",
+      ].join("\n"),
+      "src/webcrypto.js": [
+        "const profile = { name: 'AES-GCM', length: 256 };",
+        "crypto.subtle.generateKey(profile, true, ['encrypt']);",
+      ].join("\n"),
+    });
+
+    const inventory = await detectJsCryptoInventory(projectDir, false);
+    const names = inventory.algorithms.map((algorithm) => algorithm.name);
+    const files = inventory.algorithms.map((algorithm) =>
+      normalizePathForAssertion(algorithm.fileName),
+    );
+
+    assert.ok(names.includes("sha512"));
+    assert.ok(names.includes("AES-GCM"));
+    assert.ok(files.includes("src/hash.js"));
+    assert.ok(files.includes("src/webcrypto.js"));
+  });
+
+  it("honors exclude globs during crypto inventory collection", async () => {
+    const projectDir = createProjectFiles("js-crypto-inventory-excludes", {
+      "src/hash.js": [
+        "import { createHash } from 'node:crypto';",
+        "createHash('sha256');",
+      ].join("\n"),
+      "test/ignored.js": [
+        "import { createHash } from 'node:crypto';",
+        "createHash('sha512');",
+      ].join("\n"),
+      "node_modules/demo/index.js": [
+        "import { createHash } from 'node:crypto';",
+        "createHash('sha1');",
+      ].join("\n"),
+    });
+
+    const inventory = await detectJsCryptoInventory(projectDir, {
+      deep: true,
+      exclude: ["**/test/**", "**/node_modules/**"],
+    });
+    const names = inventory.algorithms.map((algorithm) => algorithm.name);
+
+    assert.ok(names.includes("sha256"));
+    assert.equal(names.includes("sha512"), false);
+    assert.equal(names.includes("sha1"), false);
+  });
+});
+
 describe("detectMcpInventory()", () => {
+  it("honors exclude globs during MCP source discovery", () => {
+    const projectDir = createProjectFiles("mcp-with-excludes", {
+      "src/server.js": [
+        "import { McpServer } from '@modelcontextprotocol/server';",
+        "const server = new McpServer({ name: 'included-server', version: '1.0.0' });",
+        "void server;",
+      ].join("\n"),
+      "test/ignored.js": [
+        "import { McpServer } from '@modelcontextprotocol/server';",
+        "const server = new McpServer({ name: 'ignored-server', version: '9.9.9' });",
+        "void server;",
+      ].join("\n"),
+    });
+
+    const inventory = detectMcpInventory(projectDir, {
+      deep: true,
+      exclude: ["**/test/**"],
+    });
+
+    assert.strictEqual(inventory.services.length, 1);
+    assert.strictEqual(inventory.services[0].name, "included-server");
+  });
+
   it("detects an official authenticated streamable HTTP MCP server", () => {
     const projectDir = createProjectFiles("mcp-http-server", {
       "src/server.js": [