npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/helpers/cbomutils.js CHANGED Viewed

@@ -2,6 +2,11 @@ import { readFileSync } from "node:fs";
 import { join } from "node:path";
 import { executeOsQuery } from "../managers/binary.js";
+import { detectJsCryptoInventory } from "./analyzer.js";
+import {
+  createOccurrenceEvidence,
+  formatOccurrenceEvidence,
+} from "./evidenceUtils.js";
 import { convertOSQueryResults, dirNameStr } from "./utils.js";
 const cbomosDbQueries = JSON.parse(
@@ -47,10 +52,275 @@ function cleanStr(str) {
   return str.toLowerCase().replace(/[^0-9a-z ]/gi, "");
 }
+function normalizeDetectedCryptoAlgorithmName(name, primitive, keyLength) {
+  const trimmedName = String(name || "").trim();
+  if (!trimmedName) {
+    return undefined;
+  }
+  const upperName = trimmedName.toUpperCase();
+  const compactName = upperName.replace(/[^A-Z0-9]/g, "");
+  const lowerName = trimmedName.toLowerCase();
+  const normalizedLower = lowerName.replace(/[ _]/g, "-");
+  const jwtMappings = {
+    ES256: "ecdsaWithSHA256",
+    ES384: "ecdsaWithSHA384",
+    ES512: "ecdsaWithSHA512",
+    HS256: "hmacWithSHA256",
+    HS384: "hmacWithSHA384",
+    HS512: "hmacWithSHA512",
+    RS256: "sha256WithRSAEncryption",
+    RS384: "sha384WithRSAEncryption",
+    RS512: "sha512WithRSAEncryption",
+  };
+  if (jwtMappings[upperName]) {
+    return jwtMappings[upperName];
+  }
+  if (/^A(128|192|256)GCM$/.test(compactName)) {
+    return `aes${compactName.slice(1, 4)}-GCM`;
+  }
+  if (/^SHA(1|224|256|384|512)$/.test(compactName)) {
+    return `sha-${compactName.slice(3)}`;
+  }
+  if (/^SHA3(224|256|384|512)$/.test(compactName)) {
+    return `sha3-${compactName.slice(4)}`;
+  }
+  if (compactName === "PBKDF2") {
+    return "PBKDF2";
+  }
+  if (compactName === "SCRYPT") {
+    return "scrypt";
+  }
+  if (
+    normalizedLower === "aes-gcm" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-GCM`;
+  }
+  if (
+    normalizedLower === "aes-cbc" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-CBC`;
+  }
+  if (
+    normalizedLower === "aes-ctr" &&
+    typeof keyLength === "number" &&
+    [128, 192, 256].includes(keyLength)
+  ) {
+    return `aes${keyLength}-CTR`;
+  }
+  if (cbomCryptoOids[trimmedName]) {
+    return trimmedName;
+  }
+  if (cbomCryptoOids[normalizedLower]) {
+    return normalizedLower;
+  }
+  if (primitive === "algorithm" && cbomCryptoOids[upperName]) {
+    return upperName;
+  }
+  return trimmedName;
+}
+function cryptoAlgorithmBomRef(name, oid) {
+  const version = oid || cleanStr(name) || "unknown";
+  return `crypto/algorithm/${encodeURIComponent(name)}@${version}`;
+}
+function usageLocationValue(usage) {
+  if (typeof usage?.lineNumber !== "number") {
+    return undefined;
+  }
+  return `${usage.fileName || "<inline>"}:${usage.lineNumber}${typeof usage.columnNumber === "number" ? `:${usage.columnNumber}` : ""}`;
+}
+function mergeAlgorithmComponentEvidence(component, usage, options) {
+  if (!options?.evidence) {
+    return component;
+  }
+  const locationValue = usageLocationValue(usage);
+  const occurrence = createOccurrenceEvidence(usage.fileName || "<inline>", {
+    additionalContext: usage.primitive,
+    ...(typeof usage.lineNumber === "number" ? { line: usage.lineNumber } : {}),
+    ...(usage.source ? { symbol: usage.source } : {}),
+  });
+  const evidence = component.evidence || {};
+  const identity = Array.isArray(evidence.identity)
+    ? (evidence.identity[0] ?? {
+        field: "name",
+        confidence: 1,
+        concludedValue: component.name,
+        methods: [],
+      })
+    : (evidence.identity ?? {
+        field: "name",
+        confidence: 1,
+        concludedValue: component.name,
+        methods: [],
+      });
+  const methodValue = occurrence
+    ? formatOccurrenceEvidence(occurrence)
+    : locationValue || component.name;
+  if (
+    !identity.methods?.some(
+      (method) =>
+        method.technique === "source-code-analysis" &&
+        method.value === methodValue,
+    )
+  ) {
+    identity.methods = identity.methods || [];
+    identity.methods.push({
+      technique: "source-code-analysis",
+      confidence: 1,
+      value: methodValue,
+    });
+  }
+  evidence.identity = identity;
+  if (occurrence) {
+    const occurrences = evidence.occurrences || [];
+    if (
+      !occurrences.some(
+        (existingOccurrence) =>
+          formatOccurrenceEvidence(existingOccurrence) ===
+          formatOccurrenceEvidence(occurrence),
+      )
+    ) {
+      occurrences.push(occurrence);
+    }
+    evidence.occurrences = occurrences;
+  }
+  component.evidence = evidence;
+  return component;
+}
+function normalizeCryptoComponentEvidence(component, options) {
+  if (!component?.evidence?.identity) {
+    return component;
+  }
+  if (
+    options?.specVersion >= 1.6 &&
+    !Array.isArray(component.evidence.identity)
+  ) {
+    component.evidence.identity = [component.evidence.identity];
+  }
+  if (
+    options?.specVersion === 1.5 &&
+    Array.isArray(component.evidence.identity)
+  ) {
+    component.evidence.identity = component.evidence.identity[0];
+  }
+  return component;
+}
+function mergeAlgorithmComponentUsage(component, usage, src, options) {
+  const sourceFile = usage.fileName ? join(src, usage.fileName) : undefined;
+  const properties = component.properties || [];
+  const locationValue = usageLocationValue(usage);
+  if (sourceFile) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "SrcFile" && property.value === sourceFile,
+      )
+    ) {
+      properties.push({ name: "SrcFile", value: sourceFile });
+    }
+  }
+  if (usage.primitive) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:primitive" &&
+          property.value === usage.primitive,
+      )
+    ) {
+      properties.push({ name: "cdx:crypto:primitive", value: usage.primitive });
+    }
+  }
+  if (usage.source) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceType" &&
+          property.value === `js-ast:${usage.source}`,
+      )
+    ) {
+      properties.push({
+        name: "cdx:crypto:sourceType",
+        value: `js-ast:${usage.source}`,
+      });
+    }
+  }
+  if (locationValue) {
+    if (
+      !properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceLocation" &&
+          property.value === locationValue,
+      )
+    ) {
+      properties.push({
+        name: "cdx:crypto:sourceLocation",
+        value: locationValue,
+      });
+    }
+  }
+  component.properties = properties;
+  mergeAlgorithmComponentEvidence(component, usage, options);
+  return component;
+}
+export async function collectSourceCryptoComponents(src, options = {}) {
+  const inventory = await detectJsCryptoInventory(src, Boolean(options.deep));
+  const componentsByRef = new Map();
+  for (const usage of inventory.algorithms || []) {
+    const normalizedName = normalizeDetectedCryptoAlgorithmName(
+      usage.name,
+      usage.primitive,
+      usage.keyLength,
+    );
+    if (!normalizedName) {
+      continue;
+    }
+    const algorithmMetadata =
+      cbomCryptoOids[normalizedName] || cbomCryptoOids[usage.name];
+    if (!algorithmMetadata?.oid) {
+      continue;
+    }
+    const componentName = algorithmMetadata ? normalizedName : usage.name;
+    const bomRef = cryptoAlgorithmBomRef(componentName, algorithmMetadata?.oid);
+    const component = componentsByRef.get(bomRef) || {
+      type: "cryptographic-asset",
+      name: componentName,
+      "bom-ref": bomRef,
+      description:
+        algorithmMetadata?.description ||
+        `${usage.primitive || "cryptographic"} algorithm detected in source analysis`,
+      cryptoProperties: {
+        assetType: "algorithm",
+        ...(algorithmMetadata?.oid ? { oid: algorithmMetadata.oid } : {}),
+      },
+      properties: [],
+    };
+    mergeAlgorithmComponentUsage(component, usage, src, options);
+    componentsByRef.set(bomRef, component);
+  }
+  const components = Array.from(componentsByRef.values());
+  components.forEach((component) => {
+    normalizeCryptoComponentEvidence(component, options);
+  });
+  return components.sort((left, right) =>
+    `${left.name}:${left["bom-ref"]}`.localeCompare(
+      `${right.name}:${right["bom-ref"]}`,
+    ),
+  );
+}
 /**
  * Find crypto algorithm in the given code snippet
  *
- * @param {String} Code snippet
+ * @param {string} code Code snippet
  * @returns {Array} Arary of crypto algorithm objects with oid and description
  */
 export function findCryptoAlgos(code) {

package/lib/helpers/cbomutils.poku.js CHANGED Viewed

@@ -1,8 +1,251 @@
-import { assert, it } from "poku";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
-import { collectOSCryptoLibs } from "./cbomutils.js";
+import { assert, describe, it } from "poku";
-it("cbom utils tests", () => {
-  const cryptoLibs = collectOSCryptoLibs();
-  assert.ok(cryptoLibs);
+import {
+  collectOSCryptoLibs,
+  collectSourceCryptoComponents,
+} from "./cbomutils.js";
+describe("cbom utils", () => {
+  it("collectOSCryptoLibs() returns a result set", () => {
+    const cryptoLibs = collectOSCryptoLibs();
+    assert.ok(cryptoLibs);
+  });
+  it("collectSourceCryptoComponents() extracts algorithms from JS source", async () => {
+    const projectDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-source-"));
+    try {
+      writeFileSync(
+        join(projectDir, "index.js"),
+        [
+          "import { createHash, webcrypto } from 'node:crypto';",
+          "import jwt from 'jsonwebtoken';",
+          "const subtle = webcrypto.subtle;",
+          "const digest = 'sha256';",
+          "const signingAlgorithm = 'Ed25519';",
+          "const profile = { name: 'AES-GCM', length: 256 };",
+          "createHash(digest);",
+          "subtle.generateKey(profile, true, ['encrypt']);",
+          "jwt.sign({ sub: '123' }, 'secret', { algorithm: 'RS256' });",
+        ].join("\n"),
+        "utf-8",
+      );
+      const components = await collectSourceCryptoComponents(projectDir, {
+        deep: false,
+        evidence: true,
+        specVersion: 1.7,
+      });
+      const names = components.map((component) => component.name);
+      const sha256Component = components.find(
+        (component) => component.name === "sha-256",
+      );
+      assert.ok(names.includes("sha-256"));
+      assert.ok(names.includes("aes256-GCM"));
+      assert.ok(names.includes("Ed25519"));
+      assert.ok(names.includes("sha256WithRSAEncryption"));
+      assert.ok(!names.includes("hmac"));
+      assert.ok(sha256Component);
+      assert.ok(Array.isArray(sha256Component.evidence.identity));
+      assert.strictEqual(sha256Component.evidence.identity[0].field, "name");
+      assert.strictEqual(
+        sha256Component.evidence.identity[0].concludedValue,
+        "sha-256",
+      );
+      assert.ok(
+        sha256Component.evidence.identity[0].methods.some(
+          (method) => method.technique === "source-code-analysis",
+        ),
+      );
+      assert.ok(
+        sha256Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "index.js" && occurrence.line === 7,
+        ),
+      );
+      const sha256Occurrence = sha256Component.evidence.occurrences.find(
+        (occurrence) =>
+          occurrence.location === "index.js" && occurrence.line === 7,
+      );
+      assert.ok(sha256Occurrence);
+      assert.strictEqual(sha256Occurrence.additionalContext, "hash");
+      assert.strictEqual(sha256Occurrence.symbol, "node:crypto.createHash");
+      assert.ok(!Object.hasOwn(sha256Occurrence, "offset"));
+      assert.ok(
+        components.every(
+          (component) => component.cryptoProperties?.oid?.length,
+        ),
+      );
+      assert.ok(
+        components.some((component) =>
+          component.properties.some(
+            (property) =>
+              property.name === "cdx:crypto:sourceType" &&
+              property.value.startsWith("js-ast:"),
+          ),
+        ),
+      );
+    } finally {
+      rmSync(projectDir, { recursive: true, force: true });
+    }
+  });
+  it("collectSourceCryptoComponents() keeps branch-derived evidence for dynamic crypto values", async () => {
+    const projectDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-branches-"));
+    try {
+      writeFileSync(
+        join(projectDir, "dynamic-branches.mjs"),
+        [
+          "import crypto, { createHash, webcrypto } from 'node:crypto';",
+          "import jwt from 'jsonwebtoken';",
+          "const subtle = webcrypto.subtle;",
+          "const digestName = process.env.CDXGEN_TEST_DIGEST || 'sha384';",
+          "const keyProfiles = globalThis.__legacyCipher",
+          "  ? { active: { name: 'AES-CBC', length: 256 } }",
+          "  : { active: { name: 'AES-GCM', length: 256 } };",
+          "const signingAlgorithm = globalThis.__legacySignature ? 'RS256' : 'RS512';",
+          "const jwtOptions = globalThis.__jwtOptions ?? { algorithm: signingAlgorithm };",
+          "createHash(digestName);",
+          "await subtle.generateKey(keyProfiles.active, true, ['encrypt', 'decrypt']);",
+          "jwt.sign({ sub: '123' }, 'secret', jwtOptions);",
+          "export function signPayload(payload, privateKey, alg) {",
+          "  let hashAlg = null;",
+          "  if (alg === 'RS256' || alg === 'RS512') {",
+          "    hashAlg = alg.replace('RS', 'SHA');",
+          "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "  if (alg !== 'RS384') {",
+          "    return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  } else {",
+          "    hashAlg = alg.replace('RS', 'SHA');",
+          "    return crypto.sign(hashAlg, Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+          "export function signPayloadWithSwitch(payload, privateKey, alg) {",
+          "  switch (alg) {",
+          "    case 'RS256':",
+          "    case 'RS512':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    case 'RS384':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    default:",
+          "      return crypto.sign('SHA-224', Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+          "export function signPayloadWithSwitchDefault(payload, privateKey) {",
+          "  const alg = globalThis.__preferLegacy ? 'RS256' : 'RS384';",
+          "  switch (alg) {",
+          "    case 'RS256':",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "    default:",
+          "      return crypto.sign(alg.replace('RS', 'SHA'), Buffer.from(payload, 'utf8'), { key: privateKey });",
+          "  }",
+          "}",
+        ].join("\n"),
+        "utf-8",
+      );
+      const components = await collectSourceCryptoComponents(projectDir, {
+        deep: false,
+        evidence: true,
+        specVersion: 1.7,
+      });
+      const names = components.map((component) => component.name);
+      const sha384Component = components.find(
+        (component) => component.name === "sha-384",
+      );
+      assert.ok(names.includes("sha-384"));
+      assert.ok(names.includes("sha-224"));
+      assert.ok(names.includes("sha-256"));
+      assert.ok(names.includes("sha-512"));
+      assert.ok(names.includes("aes256-CBC"));
+      assert.ok(names.includes("aes256-GCM"));
+      assert.ok(names.includes("sha256WithRSAEncryption"));
+      assert.ok(names.includes("sha512WithRSAEncryption"));
+      assert.ok(sha384Component);
+      assert.ok(
+        sha384Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "dynamic-branches.mjs" &&
+            occurrence.line === 10 &&
+            occurrence.symbol === "node:crypto.createHash" &&
+            occurrence.additionalContext === "hash",
+        ),
+      );
+      assert.ok(
+        sha384Component.properties.some(
+          (property) =>
+            property.name === "cdx:crypto:sourceLocation" &&
+            property.value === "dynamic-branches.mjs:10:0",
+        ),
+      );
+      assert.ok(
+        sha384Component.properties.some(
+          (property) =>
+            property.name === "cdx:crypto:sourceType" &&
+            property.value === "js-ast:node:crypto.sign",
+        ),
+      );
+      assert.ok(
+        sha384Component.evidence.occurrences.some(
+          (occurrence) =>
+            occurrence.location === "dynamic-branches.mjs" &&
+            occurrence.symbol === "node:crypto.sign" &&
+            occurrence.additionalContext === "signature",
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-256" &&
+            component.properties.some(
+              (property) =>
+                property.name === "cdx:crypto:sourceType" &&
+                property.value === "js-ast:node:crypto.sign",
+            ) &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature",
+            ),
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-512" &&
+            component.properties.some(
+              (property) =>
+                property.name === "cdx:crypto:sourceType" &&
+                property.value === "js-ast:node:crypto.sign",
+            ) &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.line === 30 &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature",
+            ),
+        ),
+      );
+      assert.ok(
+        components.some(
+          (component) =>
+            component.name === "sha-384" &&
+            component.evidence.occurrences.some(
+              (occurrence) =>
+                occurrence.location === "dynamic-branches.mjs" &&
+                occurrence.symbol === "node:crypto.sign" &&
+                occurrence.additionalContext === "signature" &&
+                occurrence.line > 30,
+            ),
+        ),
+      );
+    } finally {
+      rmSync(projectDir, { recursive: true, force: true });
+    }
+  });
 });