npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/helpers/hbom.poku.js ADDED Viewed

@@ -0,0 +1,496 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+import {
+  addHbomAnalysisProperties,
+  ensureNoMixedHbomProjectTypes,
+  ensureSupportedHbomSpecVersion,
+  hasHbomProjectType,
+  isHbomOnlyProjectTypes,
+  normalizeHbomOptions,
+} from "./hbom.js";
+describe("hbom helpers", () => {
+  it("detects hbom project types and rejects mixed project selections", () => {
+    assert.strictEqual(hasHbomProjectType(undefined), false);
+    assert.strictEqual(hasHbomProjectType(["js"]), false);
+    assert.strictEqual(hasHbomProjectType(["hbom"]), true);
+    assert.strictEqual(hasHbomProjectType(["hardware"]), true);
+    assert.strictEqual(isHbomOnlyProjectTypes(undefined), false);
+    assert.strictEqual(isHbomOnlyProjectTypes(["hbom"]), true);
+    assert.strictEqual(isHbomOnlyProjectTypes(["hardware"]), true);
+    assert.strictEqual(isHbomOnlyProjectTypes(["hbom", "hardware"]), true);
+    assert.strictEqual(isHbomOnlyProjectTypes(["hbom", "js"]), false);
+    ensureNoMixedHbomProjectTypes(["hbom"]);
+    ensureNoMixedHbomProjectTypes(["hardware"]);
+    assert.throws(
+      () => ensureNoMixedHbomProjectTypes(["hbom", "js"]),
+      /cannot be mixed/u,
+    );
+  });
+  it("enforces CycloneDX 1.7 for hbom generation", () => {
+    ensureSupportedHbomSpecVersion(undefined);
+    ensureSupportedHbomSpecVersion(1.7);
+    assert.throws(
+      () => ensureSupportedHbomSpecVersion(1.6),
+      /only CycloneDX 1\.7/u,
+    );
+  });
+  it("normalizes hbom collector options", () => {
+    assert.deepStrictEqual(
+      normalizeHbomOptions({
+        arch: "arm64",
+        noCommandEnrichment: true,
+        platform: "darwin",
+        plistEnrichment: true,
+        privileged: true,
+        sensitive: true,
+        strict: true,
+        timeout: "2500",
+      }),
+      {
+        allowPartial: false,
+        architecture: "arm64",
+        dryRun: false,
+        includeCommandEnrichment: false,
+        includePlistEnrichment: true,
+        includePrivilegedEnrichment: true,
+        includeSensitiveIdentifiers: true,
+        platform: "darwin",
+        timeoutMs: 2500,
+      },
+    );
+  });
+  it("adds derived analysis properties for hbom command diagnostics", () => {
+    const bomJson = addHbomAnalysisProperties({
+      components: [],
+      metadata: {
+        component: {
+          name: "demo-host",
+          properties: [
+            { name: "cdx:hbom:platform", value: "linux" },
+            { name: "cdx:hbom:architecture", value: "amd64" },
+          ],
+          type: "device",
+        },
+      },
+      properties: [
+        { name: "cdx:hbom:evidence:commandDiagnosticCount", value: "2" },
+        {
+          name: "cdx:hbom:evidence:commandDiagnostic",
+          value: JSON.stringify({
+            command: "lsusb",
+            installHint:
+              "Command not found: install the Linux package providing lsusb (commonly `usbutils`).",
+            issue: "missing-command",
+          }),
+        },
+        {
+          name: "cdx:hbom:evidence:commandDiagnostic",
+          value: JSON.stringify({
+            command: "drm_info",
+            issue: "permission-denied",
+            privilegeHint:
+              "Retry with --privileged to allow a non-interactive sudo attempt for permission-sensitive Linux commands.",
+          }),
+        },
+      ],
+    });
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:commandDiagnosticCount" &&
+          property.value === "2",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:missingCommands" &&
+          property.value === "lsusb",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:missingCommandIds" &&
+          property.value === "lsusb",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:installHintCount" &&
+          property.value === "1",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:permissionDeniedCommands" &&
+          property.value === "drm_info",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:permissionDeniedIds" &&
+          property.value === "drm_info",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:privilegeHintCount" &&
+          property.value === "1",
+      ),
+    );
+    assert.ok(
+      bomJson.properties.some(
+        (property) =>
+          property.name === "cdx:hbom:analysis:requiresPrivileged" &&
+          property.value === "true",
+      ),
+    );
+  });
+  it("propagates native cdx-hbom dry-run trace activities into cdxgen", async () => {
+    const recordActivity = sinon.stub();
+    let collectorTrace;
+    const { createHbomDocument } = await esmock("./hbom.js", {
+      "./utils.js": {
+        isDryRun: true,
+        recordActivity,
+      },
+      "./hbomLoader.js": {
+        importHbomModule: sinon.stub().resolves({
+          collectHardware: sinon.stub().callsFake(async (options) => {
+            collectorTrace = options.trace;
+            collectorTrace.activities.push({
+              category: "cpu-memory",
+              command: "/usr/sbin/sysctl",
+              id: "sysctl-baseline",
+              kind: "command",
+              reason: "Dry run mode blocks HBOM command 'sysctl-baseline'.",
+              status: "blocked",
+              target: "/usr/sbin/sysctl -n hw.model",
+            });
+            collectorTrace.activities.push({
+              kind: "file-read",
+              status: "completed",
+              target: "/etc/os-release",
+            });
+            return {
+              bomFormat: "CycloneDX",
+              components: [],
+              dependencies: [],
+              metadata: {
+                timestamp: "2026-05-13T00:00:00.000Z",
+                tools: {
+                  components: [],
+                },
+              },
+              specVersion: "1.7",
+              version: 1,
+            };
+          }),
+          createCollectorTrace: sinon
+            .stub()
+            .callsFake(() => ({ activities: [] })),
+          getCollectorTrace: sinon.stub().callsFake(() => collectorTrace),
+        }),
+      },
+    });
+    const bomJson = await createHbomDocument({
+      arch: "arm64",
+      platform: "linux",
+      specVersion: 1.7,
+    });
+    assert.strictEqual(recordActivity.callCount, 2);
+    sinon.assert.calledWithMatch(recordActivity.firstCall, {
+      commandId: "sysctl-baseline",
+      kind: "execute",
+      reason: sinon.match(/Dry run mode blocks HBOM command/u),
+      status: "blocked",
+      target: "/usr/sbin/sysctl -n hw.model",
+    });
+    sinon.assert.calledWithMatch(recordActivity.secondCall, {
+      kind: "read",
+      reason: undefined,
+      status: "completed",
+      target: "/etc/os-release",
+    });
+    assert.strictEqual(bomJson.bomFormat, "CycloneDX");
+    assert.strictEqual(bomJson.specVersion, "1.7");
+    assert.strictEqual(bomJson.version, 1);
+    assert.deepStrictEqual(bomJson.components, []);
+    assert.deepStrictEqual(bomJson.dependencies, []);
+    assert.ok(typeof bomJson.metadata?.timestamp === "string");
+    assert.deepStrictEqual(bomJson.metadata?.tools?.components, []);
+  });
+  it("returns a synthetic hbom document during dry-run mode when cdx-hbom lacks trace support", async () => {
+    const recordActivity = sinon.stub();
+    const { createHbomDocument } = await esmock("./hbom.js", {
+      "./utils.js": {
+        isDryRun: true,
+        recordActivity,
+      },
+      "./hbomLoader.js": {
+        importHbomModule: sinon.stub().resolves({
+          collectHardware: sinon.stub(),
+        }),
+      },
+    });
+    const bomJson = await createHbomDocument({
+      arch: "arm64",
+      platform: "linux",
+      specVersion: 1.7,
+    });
+    sinon.assert.calledOnce(recordActivity);
+    sinon.assert.calledWithMatch(recordActivity, {
+      kind: "hbom",
+      reason: sinon.match(/Dry run mode blocks HBOM collection/u),
+      status: "blocked",
+      target: "linux/arm64",
+    });
+    assert.strictEqual(bomJson.bomFormat, "CycloneDX");
+    assert.strictEqual(bomJson.specVersion, "1.7");
+  });
+  it("blocks secure-mode live collection when the HBOM plan includes disallowed commands or paths", async () => {
+    const collectHardware = sinon.stub().resolves({
+      bomFormat: "CycloneDX",
+      components: [],
+      dependencies: [],
+      metadata: {
+        timestamp: "2026-05-13T00:00:00.000Z",
+        tools: {
+          components: [],
+        },
+      },
+      specVersion: "1.7",
+      version: 1,
+    });
+    let preflightTrace;
+    collectHardware.onFirstCall().callsFake(async (options) => {
+      preflightTrace = options.trace;
+      preflightTrace.activities.push(
+        {
+          command: "/usr/sbin/system_profiler",
+          id: "system-profiler-json",
+          kind: "command",
+          target: "/usr/sbin/system_profiler SPHardwareDataType -json",
+        },
+        {
+          id: "plist-read",
+          kind: "file-read",
+          path: "/Library/Preferences/SystemConfiguration/preferences.plist",
+          target: "/Library/Preferences/SystemConfiguration/preferences.plist",
+        },
+      );
+      return {
+        bomFormat: "CycloneDX",
+        components: [],
+        dependencies: [],
+        metadata: {
+          timestamp: "2026-05-13T00:00:00.000Z",
+          tools: {
+            components: [],
+          },
+        },
+        specVersion: "1.7",
+        version: 1,
+      };
+    });
+    const recordActivity = sinon.stub();
+    const { createHbomDocument: createSecureHbomDocument } = await esmock(
+      "./hbom.js",
+      {
+        "./hbomLoader.js": {
+          importHbomModule: sinon.stub().resolves({
+            collectHardware,
+            createCollectorTrace: sinon
+              .stub()
+              .callsFake(() => ({ activities: [] })),
+            getCollectorTrace: sinon.stub().callsFake(() => preflightTrace),
+          }),
+        },
+        "./source.js": {
+          isAllowedPath: sinon.stub().returns(false),
+        },
+        "./utils.js": {
+          isDryRun: false,
+          isSecureMode: true,
+          readEnvironmentVariable: sinon.stub().callsFake((name) => {
+            if (name === "CDXGEN_ALLOWED_COMMANDS") {
+              return "sysctl";
+            }
+            if (name === "CDXGEN_ALLOWED_PATHS") {
+              return "/Users/example/allowed";
+            }
+            return undefined;
+          }),
+          recordActivity,
+        },
+      },
+    );
+    await assert.rejects(
+      () =>
+        createSecureHbomDocument({
+          platform: "darwin",
+          arch: "arm64",
+          specVersion: 1.7,
+        }),
+      /Commands not allowed by CDXGEN_ALLOWED_COMMANDS:[\s\S]*\/usr\/sbin\/system_profiler[\s\S]*Paths not allowed by CDXGEN_ALLOWED_PATHS:[\s\S]*preferences\.plist/u,
+    );
+    sinon.assert.calledOnce(collectHardware);
+    sinon.assert.calledTwice(recordActivity);
+    sinon.assert.calledWithMatch(recordActivity.firstCall, {
+      kind: "policy",
+      policyType: "hbom-command-allowlist",
+      status: "blocked",
+      target: "/usr/sbin/system_profiler",
+    });
+    sinon.assert.calledWithMatch(recordActivity.secondCall, {
+      kind: "policy",
+      policyType: "hbom-path-allowlist",
+      status: "blocked",
+      target: "/Library/Preferences/SystemConfiguration/preferences.plist",
+    });
+  });
+  it("skips secure-mode allowlist preflight when the caller explicitly requested dry-run mode", async () => {
+    const collectHardware = sinon.stub().resolves({
+      bomFormat: "CycloneDX",
+      components: [],
+      dependencies: [],
+      metadata: {
+        timestamp: "2026-05-13T00:00:00.000Z",
+        tools: {
+          components: [],
+        },
+      },
+      specVersion: "1.7",
+      version: 1,
+    });
+    const { createHbomDocument: createDryRunHbomDocument } = await esmock(
+      "./hbom.js",
+      {
+        "./hbomLoader.js": {
+          importHbomModule: sinon.stub().resolves({
+            collectHardware,
+            createCollectorTrace: sinon
+              .stub()
+              .callsFake(() => ({ activities: [] })),
+          }),
+        },
+        "./source.js": {
+          isAllowedPath: sinon.stub().returns(false),
+        },
+        "./utils.js": {
+          isDryRun: true,
+          isSecureMode: true,
+          readEnvironmentVariable: sinon.stub().callsFake((name) => {
+            if (name === "CDXGEN_ALLOWED_COMMANDS") {
+              return "sysctl";
+            }
+            if (name === "CDXGEN_ALLOWED_PATHS") {
+              return "/Users/example/allowed";
+            }
+            return undefined;
+          }),
+          recordActivity: sinon.stub(),
+        },
+      },
+    );
+    const bomJson = await createDryRunHbomDocument({
+      platform: "darwin",
+      arch: "arm64",
+      specVersion: 1.7,
+    });
+    sinon.assert.calledOnce(collectHardware);
+    assert.strictEqual(bomJson.bomFormat, "CycloneDX");
+  });
+  it("blocks secure-mode privileged Linux collection when the plan can retry with sudo but sudo is not allowlisted", async () => {
+    const collectHardware = sinon.stub().resolves({
+      bomFormat: "CycloneDX",
+      components: [],
+      dependencies: [],
+      metadata: {
+        timestamp: "2026-05-13T00:00:00.000Z",
+        tools: {
+          components: [],
+        },
+      },
+      specVersion: "1.7",
+      version: 1,
+    });
+    const recordActivity = sinon.stub();
+    const { createHbomDocument: createSecureHbomDocument } = await esmock(
+      "./hbom.js",
+      {
+        "./hbomLoader.js": {
+          importHbomModule: sinon.stub().resolves({
+            collectHardware,
+            getCommandPlan: sinon.stub().returns([
+              {
+                args: ["-j"],
+                command: "drm_info",
+                id: "drm-info-json",
+                sudoRetryOnPermissionDenied: true,
+              },
+            ]),
+          }),
+        },
+        "./source.js": {
+          isAllowedPath: sinon.stub().returns(true),
+        },
+        "./utils.js": {
+          isDryRun: false,
+          isSecureMode: true,
+          readEnvironmentVariable: sinon.stub().callsFake((name) => {
+            if (name === "CDXGEN_ALLOWED_COMMANDS") {
+              return "drm_info";
+            }
+            return undefined;
+          }),
+          recordActivity,
+        },
+      },
+    );
+    await assert.rejects(
+      () =>
+        createSecureHbomDocument({
+          arch: "amd64",
+          platform: "linux",
+          privileged: true,
+          specVersion: 1.7,
+        }),
+      /Commands not allowed by CDXGEN_ALLOWED_COMMANDS:[\s\S]*- sudo — ids=drm-info-json:sudo-retry; targets=sudo -n drm_info -j/u,
+    );
+    sinon.assert.notCalled(collectHardware);
+    sinon.assert.calledOnce(recordActivity);
+    sinon.assert.calledWithMatch(recordActivity, {
+      kind: "policy",
+      policyType: "hbom-command-allowlist",
+      status: "blocked",
+      target: "sudo",
+    });
+  });
+});