@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/lib/helpers/protobom.poku.js

@@ -3,27 +3,46 @@ import { join } from "node:path";
 
 import { assert, it } from "poku";
 
-import { readBinary, writeBinary } from "./protobom.js";
+import { isProtoBomFile, readBinary, writeBinary } from "./protobom.js";
 import { getTmpDir } from "./utils.js";
 
-const tempDir = mkdtempSync(join(getTmpDir(), "bin-tests-"));
 const testBom = JSON.parse(
   readFileSync("./test/data/bom-java.json", { encoding: "utf-8" }),
 );
+const cbomFixture = JSON.parse(
+  readFileSync("./test/data/bom-cbom-js-fixture.json", { encoding: "utf-8" }),
+);
+
+const createTempDir = () => mkdtempSync(join(getTmpDir(), "bin-tests-"));
+
+const cleanupTempDir = (tempDir) => {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+};
 
 it("proto binary tests", () => {
+  const tempDir = createTempDir();
   const binFile = join(tempDir, "test.cdx.bin");
   writeBinary({}, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
   writeBinary(testBom, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
+  assert.equal(isProtoBomFile(binFile), true);
+  assert.equal(isProtoBomFile("test.proto"), true);
+  assert.equal(isProtoBomFile("bom.json"), false);
   let bomObject = readBinary(binFile);
   assert.ok(bomObject);
   assert.deepStrictEqual(
     bomObject.serialNumber,
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
+  assert.deepStrictEqual(bomObject.bomFormat, "CycloneDX");
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
+  assert.equal(
+    bomObject.metadata.component.type.startsWith("CLASSIFICATION_"),
+    false,
+  );
   bomObject = readBinary(binFile, false, 1.5);
   assert.ok(bomObject);
   assert.deepStrictEqual(
@@ -31,7 +50,123 @@ it("proto binary tests", () => {
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
-  }
+  const modernBinFile = join(tempDir, "test-1.7.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      metadata: {
+        component: {
+          name: "cdxgen",
+          type: "application",
+        },
+      },
+      serialNumber: "urn:uuid:11111111-1111-1111-1111-111111111111",
+      specVersion: "1.7",
+      version: 1,
+    },
+    modernBinFile,
+  );
+  const modernBomObject = readBinary(modernBinFile);
+  assert.ok(modernBomObject);
+  assert.deepStrictEqual(modernBomObject.bomFormat, "CycloneDX");
+  assert.deepStrictEqual(modernBomObject.specVersion, "1.7");
+  assert.deepStrictEqual(
+    modernBomObject.metadata.component.type,
+    "application",
+  );
+  assert.deepStrictEqual(modernBomObject.metadata.component.name, "cdxgen");
+  cleanupTempDir(tempDir);
+});
+
+it("keeps canonical definitions and declarations as objects during proto round-trip", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "standard-sections.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      declarations: {
+        affirmation: {
+          statement: "verified",
+        },
+        claims: [
+          {
+            predicate: "meets-control",
+            target: "pkg:npm/demo-app@1.0.0",
+          },
+        ],
+      },
+      definitions: {
+        standards: [
+          {
+            name: "ASVS",
+            requirements: [
+              {
+                identifier: "V1.1",
+                title: "Authenticate requests",
+              },
+            ],
+            version: "5.0",
+          },
+        ],
+      },
+      metadata: {
+        component: {
+          name: "demo-app",
+          type: "application",
+          version: "1.0.0",
+        },
+      },
+      serialNumber: "urn:uuid:22222222-2222-2222-2222-222222222222",
+      specVersion: "1.7",
+      version: 1,
+    },
+    binFile,
+  );
+
+  const bomObject = readBinary(binFile);
+  assert.ok(bomObject);
+  assert.equal(Array.isArray(bomObject.definitions), false);
+  assert.equal(Array.isArray(bomObject.declarations), false);
+  assert.equal(bomObject.definitions.standards[0].name, "ASVS");
+  assert.equal(
+    bomObject.definitions.standards[0].requirements[0].identifier,
+    "V1.1",
+  );
+  assert.equal(bomObject.declarations.claims[0].predicate, "meets-control");
+  assert.equal(bomObject.declarations.affirmation.statement, "verified");
+  cleanupTempDir(tempDir);
+});
+
+it("round-trips real CBOM fixture data with cryptographic assets intact", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "cbom-fixture.cdx");
+  writeBinary(cbomFixture, binFile);
+
+  const bomObject = readBinary(binFile);
+  const cryptoComponents = (bomObject.components || []).filter(
+    (component) => component.type === "cryptographic-asset",
+  );
+
+  assert.ok(bomObject);
+  assert.equal(bomObject.specVersion, "1.7");
+  assert.ok(cryptoComponents.length >= 3);
+  assert.equal(
+    cryptoComponents.some(
+      (component) => component.cryptoProperties?.assetType === "algorithm",
+    ),
+    true,
+  );
+  assert.equal(
+    cryptoComponents.some((component) => component.purl !== undefined),
+    false,
+  );
+  assert.equal(
+    cryptoComponents.some(
+      (component) =>
+        component.name === "sha-512" &&
+        component.cryptoProperties?.oid === "2.16.840.1.101.3.4.2.3",
+    ),
+    true,
+  );
+  cleanupTempDir(tempDir);
 });

package/lib/helpers/remote/dependency-track.js

@@ -1,13 +1,46 @@
 import { Buffer } from "node:buffer";
 
+import { hasDangerousUnicode } from "../utils.js";
+
+/**
+ * Returns the Dependency-Track BOM API URL as a sanitized URL object.
+ *
+ * @param {string} serverUrl Dependency-Track server URL
+ * @returns {URL | undefined} API URL to submit BOM payload
+ */
+export function getDependencyTrackBomApiUrl(serverUrl) {
+  const rawServerUrl = `${serverUrl || ""}`.trim();
+  if (!rawServerUrl || hasDangerousUnicode(rawServerUrl)) {
+    return undefined;
+  }
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(rawServerUrl);
+  } catch {
+    return undefined;
+  }
+  if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+    return undefined;
+  }
+  if (!parsedUrl.hostname || hasDangerousUnicode(parsedUrl.hostname)) {
+    return undefined;
+  }
+  parsedUrl.username = "";
+  parsedUrl.password = "";
+  parsedUrl.search = "";
+  parsedUrl.hash = "";
+  parsedUrl.pathname = `${parsedUrl.pathname.replace(/\/+$/, "")}/api/v1/bom`;
+  return parsedUrl;
+}
+
 /**
- * Returns the Dependency-Track BOM API URL.
+ * Returns the Dependency-Track BOM API URL string.
  *
  * @param {string} serverUrl Dependency-Track server URL
- * @returns {string} API URL to submit BOM payload
+ * @returns {string | undefined} API URL to submit BOM payload
  */
 export function getDependencyTrackBomUrl(serverUrl) {
-  return `${serverUrl.replace(/\/$/, "")}/api/v1/bom`;
+  return getDependencyTrackBomApiUrl(serverUrl)?.toString();
 }
 
 /**

package/lib/helpers/remote/dependency-track.poku.js

@@ -2,6 +2,7 @@ import { assert, describe, it } from "poku";
 
 import {
   buildDependencyTrackBomPayload,
+  getDependencyTrackBomApiUrl,
   getDependencyTrackBomUrl,
 } from "./dependency-track.js";
 
@@ -17,6 +18,49 @@ describe("Dependency-Track helper tests", () => {
     );
   });
 
+  it("removes credentials, query strings, and fragments from the submission URL", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl(
+        "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+      ),
+      "https://dtrack.example.com/base/api/v1/bom",
+    );
+  });
+
+  it("returns a sanitized URL object for Dependency-Track requests", () => {
+    const apiUrl = getDependencyTrackBomApiUrl(
+      "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+    );
+    assert.ok(apiUrl instanceof URL);
+    assert.strictEqual(apiUrl?.hostname, "dtrack.example.com");
+    assert.strictEqual(apiUrl?.pathname, "/base/api/v1/bom");
+    assert.strictEqual(apiUrl?.username, "");
+    assert.strictEqual(apiUrl?.password, "");
+    assert.strictEqual(apiUrl?.search, "");
+    assert.strictEqual(apiUrl?.hash, "");
+  });
+
+  it("rejects malformed or unsupported submission URLs", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(getDependencyTrackBomUrl("not a url"), undefined);
+    assert.strictEqual(getDependencyTrackBomApiUrl("not a url"), undefined);
+  });
+
   it("builds payload with parentUUID and tags", () => {
     const payload = buildDependencyTrackBomPayload(
       {

package/lib/helpers/source.js

@@ -77,6 +77,21 @@ function isSafeGitRefName(refName) {
   return /^[A-Za-z0-9._/@+-]+$/.test(refName);
 }
 
+function inferGitOperation(args = []) {
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "-c" || arg === "--config-env") {
+      index += 1;
+      continue;
+    }
+    if (typeof arg === "string" && arg.startsWith("-")) {
+      continue;
+    }
+    return arg || "command";
+  }
+  return "command";
+}
+
 /**
  * Execute git with hardened defaults.
  *
@@ -86,6 +101,7 @@ function isSafeGitRefName(refName) {
  * @returns {Object} spawn result
  */
 export function hardenedGitCommand(args, options = {}) {
+  const gitOperation = inferGitOperation(args);
   const gitAllowProtocol = getGitAllowProtocol();
   const envConfigs = {
     GIT_CONFIG_COUNT: "2",
@@ -109,6 +125,14 @@ export function hardenedGitCommand(args, options = {}) {
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       };
   return safeSpawnSync("git", args, {
+    cdxgenActivity: {
+      blockedReason: `Dry run mode blocks git ${gitOperation} operations.`,
+      gitOperation,
+      kind: `git-${gitOperation}`,
+      metadata: {
+        capability: "git-operation",
+      },
+    },
     shell: false,
     cwd: options.cwd,
     env,

package/lib/helpers/source.poku.js

@@ -45,6 +45,38 @@ describe("source helper purl resolution", () => {
     assert.strictEqual(recordActivity.firstCall.args[0].status, "blocked");
   });
 
+  it("hardenedGitCommand() tags git operations with the specific subcommand", async () => {
+    const safeSpawnSync = sinon
+      .stub()
+      .returns({ status: 0, stdout: "", stderr: "" });
+    const { hardenedGitCommand } = await esmock("./source.js", {
+      "./utils.js": {
+        cdxgenAgent: { get: sinon.stub() },
+        DEBUG_MODE: false,
+        fetchPomXmlAsJson: sinon.stub(),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+        hasDangerousUnicode: sinon.stub().returns(false),
+        isDryRun: false,
+        isSecureMode: false,
+        isValidDriveRoot: sinon.stub().returns(true),
+        isWin: false,
+        safeMkdtempSync: sinon.stub(),
+        safeRmSync: sinon.stub(),
+        safeSpawnSync,
+      },
+    });
+
+    hardenedGitCommand(["fetch", "--tags"], { cwd: "/tmp/repo" });
+
+    sinon.assert.calledWithMatch(safeSpawnSync, "git", ["fetch", "--tags"], {
+      cdxgenActivity: sinon.match({
+        gitOperation: "fetch",
+        kind: "git-fetch",
+      }),
+      cwd: "/tmp/repo",
+    });
+  });
+
   it("resolves npm purl to repository URL", async () => {
     const getStub = sinon.stub().resolves({
       body: {