@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/bin/cdxgen.js

@@ -38,6 +38,12 @@ import {
   createOutputPlan,
   getOutputDirectory,
 } from "../lib/helpers/exportUtils.js";
+import {
+  ensureNoMixedHbomProjectTypes,
+  ensureSupportedHbomSpecVersion,
+  hasHbomProjectType,
+  isHbomOnlyProjectTypes,
+} from "../lib/helpers/hbom.js";
 import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   cleanupSourceDir,
@@ -57,7 +63,9 @@ import {
 import {
   commandsExecuted,
   DEBUG_MODE,
+  getDefaultBomAuditCategories,
   getTmpDir,
+  isAllowedHttpHost,
   isBun,
   isDeno,
   isDryRun,
@@ -65,7 +73,9 @@ import {
   isNode,
   isSecureMode,
   isWin,
+  readEnvironmentVariable,
   recordActivity,
+  recordSensitiveFileRead,
   remoteHostsAccessed,
   retrieveCdxgenVersion,
   safeExistsSync,
@@ -73,6 +83,7 @@ import {
   safeWriteSync,
   setActivityContext,
   setDryRunMode,
+  shouldRunPredictiveBomAudit,
   toCamel,
 } from "../lib/helpers/utils.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
@@ -244,6 +255,12 @@ const args = _yargs
     description:
       "Read-only mode. cdxgen only performs file reads and reports blocked writes, command execution, temp creation, network access, and submissions.",
   })
+  .option("include-runtime", {
+    type: "boolean",
+    default: false,
+    description:
+      "For HBOM runs, also collect OBOM runtime inventory and emit a merged host view with strict hardware/runtime topology links.",
+  })
   .option("activity-report", {
     choices: ["json", "jsonl"],
     description: "Render the activity report as JSON or JSON Lines.",
@@ -556,6 +573,7 @@ const args = _yargs
       "$0 -t java -t js .",
       "Generate a SBOM for Java and JavaScript in the current directory",
     ],
+    ["$0 -t hbom .", "Generate an HBOM for the current host"],
     [
       "$0 -t java --profile ml .",
       "Generate a Java SBOM for machine learning purposes.",
@@ -699,6 +717,15 @@ for (const outputFile of Object.values(outputPlan.outputs)) {
 if (options.projectType && Array.isArray(options.projectType)) {
   options.projectType = Array.from(new Set(options.projectType));
 }
+try {
+  ensureNoMixedHbomProjectTypes(options.projectType);
+  if (hasHbomProjectType(options.projectType)) {
+    ensureSupportedHbomSpecVersion(options.specVersion);
+  }
+} catch (error) {
+  console.error(error.message);
+  process.exit(1);
+}
 if (!options.projectType) {
   thoughtLog(
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
@@ -744,7 +771,16 @@ if (isDryRun) {
 if (options.standard) {
   options.specVersion = 1.7;
 }
-if (options.includeFormulation) {
+const isHbomOnlyInvocation = isHbomOnlyProjectTypes(options.projectType);
+if (options.includeFormulation && isHbomOnlyInvocation) {
+  thoughtLog(
+    "HBOM-only invocations do not benefit from formulation data. Let's ignore this option to keep the resulting document focused on hardware inventory.",
+  );
+  console.log(
+    "NOTE: Ignoring formulation collection for HBOM-only invocations because the resulting hardware BOM does not need workflow or dependency-tree enrichment.",
+  );
+  options.includeFormulation = false;
+} else if (options.includeFormulation) {
   if (options.serverUrl) {
     thoughtLog(
       "Wait, the user specified a server URL and wants to include formulation data. Let's warn about accidentally disclosing sensitive data to a remote server.",
@@ -898,16 +934,32 @@ const applyAdvancedOptions = (options) => {
     );
   }
   if (options.bomAudit) {
-    if (!options.includeFormulation) {
+    if (isHbomOnlyInvocation) {
+      thoughtLog(
+        "HBOM-only bom-audit runs should stay focused on hardware inventory. Skipping automatic formulation collection.",
+      );
+    } else if (!options.includeFormulation) {
       console.log(
         "NOTE: Automatically collecting formulation information. The section may include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution or LLM training.\n",
       );
+      options.includeFormulation = true;
     }
-    options.includeFormulation = true;
   }
   return options;
 };
 applyAdvancedOptions(options);
+if (options.bomAudit && !options.bomAuditCategories) {
+  const defaultBomAuditCategories = getDefaultBomAuditCategories(
+    options,
+    process.argv[1],
+  );
+  if (defaultBomAuditCategories) {
+    options.bomAuditCategories = defaultBomAuditCategories;
+    thoughtLog(
+      `Defaulting BOM audit categories to '${defaultBomAuditCategories}' for this OBOM or explicit os-only invocation.`,
+    );
+  }
+}
 
 const envAuditFindings = auditEnvironment();
 if (options.envAudit) {
@@ -1063,11 +1115,27 @@ const checkPermissions = (filePath, options) => {
 
 const needsBomSigning = ({ generateKeyAndSign }) =>
   generateKeyAndSign ||
-  (process.env.SBOM_SIGN_ALGORITHM &&
-    process.env.SBOM_SIGN_ALGORITHM !== "none" &&
-    ((process.env.SBOM_SIGN_PRIVATE_KEY &&
-      safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)) ||
-      process.env.SBOM_SIGN_PRIVATE_KEY_BASE64));
+  (() => {
+    const sbomSignAlgorithm = readEnvironmentVariable("SBOM_SIGN_ALGORITHM");
+    const sbomSignPrivateKey = readEnvironmentVariable(
+      "SBOM_SIGN_PRIVATE_KEY",
+      {
+        sensitive: true,
+      },
+    );
+    const sbomSignPrivateKeyBase64 = readEnvironmentVariable(
+      "SBOM_SIGN_PRIVATE_KEY_BASE64",
+      {
+        sensitive: true,
+      },
+    );
+    return (
+      sbomSignAlgorithm &&
+      sbomSignAlgorithm !== "none" &&
+      ((sbomSignPrivateKey && safeExistsSync(sbomSignPrivateKey)) ||
+        sbomSignPrivateKeyBase64)
+    );
+  })();
 
 const stringifyJson = (jsonPayload, jsonPretty) =>
   typeof jsonPayload === "string" || jsonPayload instanceof String
@@ -1096,7 +1164,21 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     });
     return jsonPayload;
   }
-  let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
+  const sbomSignAlgorithm = readEnvironmentVariable("SBOM_SIGN_ALGORITHM");
+  const sbomSignPrivateKey = readEnvironmentVariable("SBOM_SIGN_PRIVATE_KEY", {
+    sensitive: true,
+  });
+  const sbomSignPrivateKeyBase64 = readEnvironmentVariable(
+    "SBOM_SIGN_PRIVATE_KEY_BASE64",
+    {
+      sensitive: true,
+    },
+  );
+  const sbomSignPublicKey = readEnvironmentVariable("SBOM_SIGN_PUBLIC_KEY");
+  const sbomSignPublicKeyBase64 = readEnvironmentVariable(
+    "SBOM_SIGN_PUBLIC_KEY_BASE64",
+  );
+  let alg = sbomSignAlgorithm || "RS512";
   if (alg.includes("none")) {
     alg = "RS512";
   }
@@ -1134,31 +1216,25 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     privateKeyToUse = privateKey;
     jwkPublicKey = crypto.createPublicKey(publicKey).export({ format: "jwk" });
   } else {
-    if (process.env?.SBOM_SIGN_PRIVATE_KEY) {
-      privateKeyToUse = fs.readFileSync(
-        process.env.SBOM_SIGN_PRIVATE_KEY,
-        "utf8",
-      );
-    } else if (process.env?.SBOM_SIGN_PRIVATE_KEY_BASE64) {
+    if (sbomSignPrivateKey) {
+      recordSensitiveFileRead(sbomSignPrivateKey, {
+        label: "SBOM signing private key",
+      });
+      privateKeyToUse = fs.readFileSync(sbomSignPrivateKey, "utf8");
+    } else if (sbomSignPrivateKeyBase64) {
       privateKeyToUse = Buffer.from(
-        process.env.SBOM_SIGN_PRIVATE_KEY_BASE64,
+        sbomSignPrivateKeyBase64,
         "base64",
       ).toString("utf8");
     }
-    if (
-      process.env.SBOM_SIGN_PUBLIC_KEY &&
-      safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
-    ) {
+    if (sbomSignPublicKey && safeExistsSync(sbomSignPublicKey)) {
       jwkPublicKey = crypto
-        .createPublicKey(
-          fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8"),
-        )
+        .createPublicKey(fs.readFileSync(sbomSignPublicKey, "utf8"))
         .export({ format: "jwk" });
-    } else if (process.env?.SBOM_SIGN_PUBLIC_KEY_BASE64) {
-      jwkPublicKey = Buffer.from(
-        process.env.SBOM_SIGN_PUBLIC_KEY_BASE64,
-        "base64",
-      ).toString("utf8");
+    } else if (sbomSignPublicKeyBase64) {
+      jwkPublicKey = Buffer.from(sbomSignPublicKeyBase64, "base64").toString(
+        "utf8",
+      );
     }
   }
   try {
@@ -1167,7 +1243,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       privateKey: privateKeyToUse,
       algorithm: alg,
       publicKeyJwk: jwkPublicKey,
-      mode: process.env.SBOM_SIGN_MODE || "replace",
+      mode: readEnvironmentVariable("SBOM_SIGN_MODE") || "replace",
       signComponents: true,
       signServices: true,
       signAnnotations: true,
@@ -1345,10 +1421,16 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     cleanup = true;
   }
   setActivityContext({ sourcePath: srcDir });
-  prepareEnv(srcDir, options);
+  if (!hasHbomProjectType(options.projectType)) {
+    prepareEnv(srcDir, options);
+  }
   thoughtLog("Getting ready to generate the BOM ⚡️.");
   const originalFetchPackageMetadata = process.env.CDXGEN_FETCH_PKG_METADATA;
-  if (options.bomAudit) {
+  const shouldRunPredictiveAudit = shouldRunPredictiveBomAudit(
+    options,
+    process.argv[1],
+  );
+  if (options.bomAudit && shouldRunPredictiveAudit) {
     process.env.CDXGEN_FETCH_PKG_METADATA = "true";
   }
   let bomNSData;
@@ -1385,8 +1467,10 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     );
     const {
       auditBom,
+      formatDryRunSupportSummary,
       formatAnnotations,
       formatConsoleOutput,
+      getBomAuditDryRunSupportSummary,
       hasCriticalFindings,
     } = await import("../lib/stages/postgen/auditBom.js");
     thoughtLog("Let's run security audit...");
@@ -1396,6 +1480,15 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     } else if (DEBUG_MODE) {
       console.log("BOM audit: No findings");
     }
+    if (isDryRun) {
+      const dryRunSupportSummary =
+        await getBomAuditDryRunSupportSummary(options);
+      const dryRunSupportMessage =
+        formatDryRunSupportSummary(dryRunSupportSummary);
+      if (dryRunSupportMessage) {
+        console.log(dryRunSupportMessage);
+      }
+    }
     if (postAuditFindings.length && options.specVersion >= 1.4) {
       bomNSData.bomJson.annotations = [
         ...(bomNSData.bomJson.annotations || []),
@@ -1416,37 +1509,21 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       process.exit(1);
     }
 
-    thoughtLog("Let's run predictive dependency audit...");
-    const progressTracker = createProgressTracker();
-    const predictiveAuditScope =
-      options.bomAuditScope === "required" ? "required" : undefined;
-    const predictiveAuditTrusted = options.bomAuditOnlyTrusted
-      ? "only"
-      : options.bomAuditIncludeTrusted
-        ? "include"
-        : undefined;
-    const requiredAuditTargetCount = collectAuditTargets(
-      [
-        {
-          bomJson: bomNSData.bomJson,
-          source: filePath,
-        },
-      ],
-      {
-        scope: "required",
-        trusted: predictiveAuditTrusted,
-      },
-    ).targets.length;
-    const predictiveAuditMaxTargets =
-      typeof options.bomAuditMaxTargets === "number" &&
-      options.bomAuditMaxTargets > 0
-        ? options.bomAuditMaxTargets
-        : predictiveAuditScope === "required"
-          ? undefined
-          : Math.max(50, requiredAuditTargetCount);
-    let predictiveReport;
-    try {
-      predictiveReport = await runAuditFromBoms(
+    if (!shouldRunPredictiveAudit) {
+      thoughtLog(
+        "Skipping predictive dependency audit for this OBOM or explicit os-only invocation.",
+      );
+    } else {
+      thoughtLog("Let's run predictive dependency audit...");
+      const progressTracker = createProgressTracker();
+      const predictiveAuditScope =
+        options.bomAuditScope === "required" ? "required" : undefined;
+      const predictiveAuditTrusted = options.bomAuditOnlyTrusted
+        ? "only"
+        : options.bomAuditIncludeTrusted
+          ? "include"
+          : undefined;
+      const requiredAuditTargetCount = collectAuditTargets(
         [
           {
             bomJson: bomNSData.bomJson,
@@ -1454,66 +1531,90 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
           },
         ],
         {
-          categories: options.bomAuditCategories
-            ? options.bomAuditCategories
-                .split(",")
-                .map((category) => category.trim())
-                .filter(Boolean)
-            : undefined,
-          failSeverity: options.bomAuditFailSeverity,
-          maxTargets: predictiveAuditMaxTargets,
-          minSeverity: options.bomAuditMinSeverity,
-          onProgress: progressTracker.onProgress,
-          scope: predictiveAuditScope,
+          scope: "required",
           trusted: predictiveAuditTrusted,
-          trustedSelectionHelp:
-            "Use --bom-audit-include-trusted to include them or --bom-audit-only-trusted to audit just those packages.",
         },
-      );
-    } finally {
-      progressTracker.stop();
-    }
-    if (predictiveReport.summary.totalTargets > 0) {
-      process.stderr.write(
-        renderConsoleReport(predictiveReport, {
+      ).targets.length;
+      const predictiveAuditMaxTargets =
+        typeof options.bomAuditMaxTargets === "number" &&
+        options.bomAuditMaxTargets > 0
+          ? options.bomAuditMaxTargets
+          : predictiveAuditScope === "required"
+            ? undefined
+            : Math.max(50, requiredAuditTargetCount);
+      let predictiveReport;
+      try {
+        predictiveReport = await runAuditFromBoms(
+          [
+            {
+              bomJson: bomNSData.bomJson,
+              source: filePath,
+            },
+          ],
+          {
+            categories: options.bomAuditCategories
+              ? options.bomAuditCategories
+                  .split(",")
+                  .map((category) => category.trim())
+                  .filter(Boolean)
+              : undefined,
+            failSeverity: options.bomAuditFailSeverity,
+            maxTargets: predictiveAuditMaxTargets,
+            minSeverity: options.bomAuditMinSeverity,
+            onProgress: progressTracker.onProgress,
+            scope: predictiveAuditScope,
+            trusted: predictiveAuditTrusted,
+            trustedSelectionHelp:
+              "Use --bom-audit-include-trusted to include them or --bom-audit-only-trusted to audit just those packages.",
+          },
+        );
+      } finally {
+        progressTracker.stop();
+      }
+      if (predictiveReport.summary.totalTargets > 0) {
+        process.stderr.write(
+          renderConsoleReport(predictiveReport, {
+            minSeverity: options.bomAuditMinSeverity,
+          }),
+        );
+      } else if (DEBUG_MODE) {
+        console.log(
+          "Predictive BOM audit: No supported npm/PyPI targets found",
+        );
+      }
+      const predictiveAnnotations = formatPredictiveAnnotations(
+        predictiveReport,
+        bomNSData.bomJson,
+        {
           minSeverity: options.bomAuditMinSeverity,
-        }),
+        },
       );
-    } else if (DEBUG_MODE) {
-      console.log("Predictive BOM audit: No supported npm/PyPI targets found");
-    }
-    const predictiveAnnotations = formatPredictiveAnnotations(
-      predictiveReport,
-      bomNSData.bomJson,
-      {
+      if (predictiveAnnotations.length && options.specVersion >= 1.4) {
+        bomNSData.bomJson.annotations = [
+          ...(bomNSData.bomJson.annotations || []),
+          ...predictiveAnnotations,
+        ];
+        thoughtLog(
+          `Embedded ${predictiveAnnotations.length} predictive audit annotations`,
+        );
+      }
+      const predictiveResult = finalizeAuditReport(predictiveReport, {
+        failSeverity: options.bomAuditFailSeverity,
         minSeverity: options.bomAuditMinSeverity,
-      },
-    );
-    if (predictiveAnnotations.length && options.specVersion >= 1.4) {
-      bomNSData.bomJson.annotations = [
-        ...(bomNSData.bomJson.annotations || []),
-        ...predictiveAnnotations,
-      ];
-      thoughtLog(
-        `Embedded ${predictiveAnnotations.length} predictive audit annotations`,
-      );
-    }
-    const predictiveResult = finalizeAuditReport(predictiveReport, {
-      failSeverity: options.bomAuditFailSeverity,
-      minSeverity: options.bomAuditMinSeverity,
-      report: "console",
-    });
-    if (isSecureMode && predictiveResult.exitCode === 3) {
-      console.error(
-        "\nSecure mode: Predictive audit findings exceeded the configured threshold.",
-      );
-      console.error(
-        "Review findings above or adjust --bom-audit-fail-severity to proceed.",
-      );
-      if (cleanup) {
-        cleanupSourceDir(srcDir);
+        report: "console",
+      });
+      if (isSecureMode && predictiveResult.exitCode === 3) {
+        console.error(
+          "\nSecure mode: Predictive audit findings exceeded the configured threshold.",
+        );
+        console.error(
+          "Review findings above or adjust --bom-audit-fail-severity to proceed.",
+        );
+        if (cleanup) {
+          cleanupSourceDir(srcDir);
+        }
+        process.exit(1);
       }
-      process.exit(1);
     }
   }
   let internalCycloneDxInputPath = outputPlan.outputs.cyclonedx;
@@ -1684,6 +1785,27 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   // Automatically submit the bom data
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
+    if (isSecureMode) {
+      let serverHostname;
+      try {
+        serverHostname = new URL(options.serverUrl).hostname;
+      } catch (err) {
+        console.log("Invalid Dependency-Track server URL", err);
+        process.exit(1);
+      }
+      if (!isAllowedHttpHost(serverHostname)) {
+        recordActivity({
+          kind: "submit",
+          reason: "The URL host is not allowed as per the allowlist.",
+          status: "blocked",
+          target: options.serverUrl,
+        });
+        console.log(
+          `Dependency-Track server host '${serverHostname}' is not allowed by CDXGEN_ALLOWED_HOSTS.`,
+        );
+        process.exit(1);
+      }
+    }
     if (isDryRun) {
       recordActivity({
         kind: "submit",

package/bin/convert.js

@@ -16,6 +16,7 @@ import {
   retrieveCdxgenVersion,
   safeExistsSync,
   safeMkdirSync,
+  safeWriteSync,
 } from "../lib/helpers/utils.js";
 import { convertCycloneDxToSpdx } from "../lib/stages/postgen/spdxConverter.js";
 import { validateSpdx } from "../lib/validator/bomValidator.js";
@@ -26,7 +27,7 @@ const args = _yargs
   .option("input", {
     alias: "i",
     default: "bom.json",
-    description: "Input CycloneDX BOM JSON file.",
+    description: "Input CycloneDX BOM JSON or protobuf file.",
   })
   .option("output", {
     alias: "o",
@@ -50,18 +51,32 @@ const args = _yargs
   .help()
   .wrap(Math.min(120, yargs().terminalWidth())).argv;
 
-if (!safeExistsSync(args.input)) {
-  console.error(`Input file '${args.input}' not found.`);
-  process.exit(1);
-}
+const loadCycloneDxBom = async (inputPath) => {
+  if (!safeExistsSync(inputPath)) {
+    console.error(`Input file '${inputPath}' not found.`);
+    process.exit(1);
+  }
+  const normalizedInputPath = `${inputPath}`.toLowerCase();
+  const isProtoInput =
+    normalizedInputPath.endsWith(".cdx") ||
+    normalizedInputPath.endsWith(".cdx.bin") ||
+    normalizedInputPath.endsWith(".proto");
+  try {
+    if (isProtoInput) {
+      const { readBinary } = await import("../lib/helpers/protobom.js");
+      return readBinary(inputPath, true);
+    }
+    return JSON.parse(fs.readFileSync(inputPath, "utf8"));
+  } catch (error) {
+    const inputType = isProtoInput ? "protobuf" : "JSON";
+    console.error(
+      `Failed to parse '${inputPath}' as CycloneDX ${inputType}: ${error.message}`,
+    );
+    process.exit(1);
+  }
+};
 
-let bomJson;
-try {
-  bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
-} catch (error) {
-  console.error(`Failed to parse '${args.input}' as JSON: ${error.message}`);
-  process.exit(1);
-}
+const bomJson = await loadCycloneDxBom(args.input);
 
 if (!isCycloneDxBom(bomJson)) {
   console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-convert"));
@@ -92,7 +107,7 @@ if (outputParent && outputParent !== "." && !safeExistsSync(outputParent)) {
   safeMkdirSync(outputParent, { recursive: true });
 }
 
-fs.writeFileSync(
+safeWriteSync(
   outputPath,
   JSON.stringify(spdxJson, null, args.jsonPretty ? 2 : null),
 );