@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/lib/stages/postgen/hostTopologyAudit.poku.js

@@ -0,0 +1,186 @@
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { assert, describe, it } from "poku";
+
+import { evaluateRule, loadRules } from "./ruleEngine.js";
+
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const RULES_DIR = join(__dirname, "..", "..", "..", "data", "rules");
+
+function makeProperty(name, value) {
+  return { name, value };
+}
+
+function makeHostBom(
+  components = [],
+  metadataProperties = [],
+  bomProperties = [],
+) {
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.7",
+    serialNumber: "urn:uuid:test-host-view",
+    metadata: {
+      tools: {
+        components: [
+          {
+            type: "application",
+            name: "cdxgen",
+            version: "12.4.0",
+            "bom-ref": "pkg:npm/%40cyclonedx/cdxgen@12.4.0",
+          },
+        ],
+      },
+      component: {
+        name: "test-host",
+        type: "device",
+        "bom-ref": "urn:uuid:test-host",
+        properties: metadataProperties.map(([k, v]) => makeProperty(k, v)),
+      },
+    },
+    components,
+    properties: bomProperties.map(([k, v]) => makeProperty(k, v)),
+  };
+}
+
+function makeHbomComponent(name, hardwareClass, properties = []) {
+  return {
+    type: "device",
+    name,
+    "bom-ref": `urn:uuid:${hardwareClass}:${name}`,
+    properties: [
+      makeProperty("cdx:hbom:hardwareClass", hardwareClass),
+      ...properties.map(([k, v]) => makeProperty(k, v)),
+    ],
+  };
+}
+
+function makeOsqueryComponent(name, queryCategory, properties = []) {
+  return {
+    type: "data",
+    name,
+    "bom-ref": `osquery:${queryCategory}:${name}`,
+    properties: [
+      makeProperty("cdx:osquery:category", queryCategory),
+      ...properties.map(([k, v]) => makeProperty(k, v)),
+    ],
+  };
+}
+
+describe("host-topology audit rules", () => {
+  it("detects weak wireless security when live runtime addresses confirm the link is active (HMX-002)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-002");
+    assert.ok(rule, "HMX-002 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeHbomComponent("wlp2s0", "wireless-adapter", [
+          ["cdx:hbom:securityMode", "open"],
+          ["cdx:hostview:interface_addresses:count", "1"],
+          ["cdx:hostview:linkedRuntimeCategory", "interface_addresses"],
+        ]),
+        makeOsqueryComponent("192.168.1.55", "interface_addresses", [
+          ["interface", "wlp2s0"],
+          ["address", "192.168.1.55"],
+        ]),
+      ],
+      [["cdx:hbom:platform", "linux"]],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:topologyLinkCount", "1"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-002");
+  });
+
+  it("detects merged host inventories that still have zero strict topology links (HMX-003)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-003");
+    assert.ok(rule, "HMX-003 should be present");
+
+    const bom = makeHostBom(
+      [makeHbomComponent("enp1s0", "network-interface")],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:hardwareComponentCount", "1"],
+        ["cdx:hostview:runtimeComponentCount", "2"],
+        ["cdx:hostview:topologyLinkCount", "0"],
+      ],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:hardwareComponentCount", "1"],
+        ["cdx:hostview:runtimeComponentCount", "2"],
+        ["cdx:hostview:topologyLinkCount", "0"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-003");
+  });
+
+  it("detects degraded storage when explicit runtime mount evidence shows the device is in use (HMX-004)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-004");
+    assert.ok(rule, "HMX-004 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeHbomComponent("nvme0", "storage", [
+          ["cdx:hbom:smartStatus", "Failing"],
+          ["cdx:hbom:wearPercentageUsed", "92"],
+          ["cdx:hostview:mount_hardening:count", "1"],
+          ["cdx:hostview:runtime-storage:count", "1"],
+        ]),
+        makeOsqueryComponent("/home", "mount_hardening", [
+          ["device", "/dev/nvme0n1"],
+          ["path", "/home"],
+        ]),
+      ],
+      [["cdx:hbom:platform", "linux"]],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:topologyLinkCount", "2"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-004");
+  });
+
+  it("detects revoked secure boot trust anchors only after an explicit HBOM trust link exists (HMX-005)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-005");
+    assert.ok(rule, "HMX-005 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeOsqueryComponent("dbx-entry", "secureboot_certificates", [
+          ["revoked", "1"],
+          ["sha1", "db-cert-1"],
+          ["subject", "CN=Legacy Bootloader"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hostview:secureboot_certificates:count", "1"],
+      ],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:secureboot_certificates:count", "1"],
+        ["cdx:hostview:topologyLinkCount", "1"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-005");
+  });
+});

package/lib/stages/postgen/postgen.js

@@ -11,6 +11,7 @@ import {
 } from "../../helpers/aiInventory.js";
 import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
+import { getContainerFileInventoryStats } from "../../helpers/inventoryStats.js";
 import { thoughtLog } from "../../helpers/logger.js";
 import { buildReleaseNotesFromGit } from "../../helpers/source.js";
 import {
@@ -78,6 +79,8 @@ function applyFormulation(bomJson, options, filePath, formulationList) {
   }
   const context = formulationList?.length ? { formulationList } : {};
   setActivityContext({
+    bomMutation: "formulation",
+    capability: "bom-mutation",
     projectType: "Formulation",
     sourcePath: filePath || options.filePath || process.cwd(),
   });
@@ -141,6 +144,22 @@ const SIGNED_URL_PARAM_NAMES = new Set([
   "x-amz-signature",
   "x-goog-signature",
 ]);
+const COMPONENT_1_6_ONLY_FIELDS = new Set([
+  "authors",
+  "manufacturer",
+  "omniborId",
+  "swhid",
+  "tags",
+]);
+const COMPONENT_1_7_ONLY_FIELDS = new Set([
+  "isExternal",
+  "patentAssertions",
+  "versionRange",
+]);
+const SERVICE_1_6_ONLY_FIELDS = new Set(["tags"]);
+const SERVICE_1_7_ONLY_FIELDS = new Set(["patentAssertions"]);
+const METADATA_1_6_ONLY_FIELDS = new Set(["manufacturer"]);
+const METADATA_1_7_ONLY_FIELDS = new Set(["distributionConstraints"]);
 
 function normalizeSpecVersion(specVersion) {
   return Number.parseFloat(String(specVersion || 0));
@@ -292,11 +311,171 @@ function validateTlpClassification(bomJson, options) {
   return bomJson;
 }
 
+function applyContainerInventoryMetadata(bomJson) {
+  if (!bomJson?.metadata) {
+    return bomJson;
+  }
+  const { unpackagedExecutableCount, unpackagedSharedLibraryCount } =
+    getContainerFileInventoryStats(bomJson.components);
+  const metadataProperties = Array.isArray(bomJson.metadata.properties)
+    ? [...bomJson.metadata.properties]
+    : [];
+  const propertyNamesToReplace = new Set([
+    "cdx:container:unpackagedExecutableCount",
+    "cdx:container:unpackagedSharedLibraryCount",
+  ]);
+  const retainedProperties = metadataProperties.filter(
+    (property) => !propertyNamesToReplace.has(property?.name),
+  );
+  if (
+    unpackagedExecutableCount ||
+    metadataProperties.some(
+      (property) =>
+        property?.name === "cdx:container:unpackagedExecutableCount",
+    )
+  ) {
+    retainedProperties.push({
+      name: "cdx:container:unpackagedExecutableCount",
+      value: String(unpackagedExecutableCount),
+    });
+  }
+  if (
+    unpackagedSharedLibraryCount ||
+    metadataProperties.some(
+      (property) =>
+        property?.name === "cdx:container:unpackagedSharedLibraryCount",
+    )
+  ) {
+    retainedProperties.push({
+      name: "cdx:container:unpackagedSharedLibraryCount",
+      value: String(unpackagedSharedLibraryCount),
+    });
+  }
+  if (retainedProperties.length) {
+    bomJson.metadata.properties = retainedProperties;
+  }
+  return bomJson;
+}
+
+function deleteFields(subject, fields) {
+  if (!subject || typeof subject !== "object") {
+    return;
+  }
+  for (const fieldName of fields) {
+    delete subject[fieldName];
+  }
+}
+
+function normalizeComponentForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, COMPONENT_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, COMPONENT_1_7_ONLY_FIELDS);
+  }
+}
+
+function normalizeServiceForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, SERVICE_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, SERVICE_1_7_ONLY_FIELDS);
+  }
+}
+
+function normalizeMetadataForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, METADATA_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, METADATA_1_7_ONLY_FIELDS);
+  }
+}
+
+function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
+  if (!subject || typeof subject !== "object") {
+    return;
+  }
+  if (Array.isArray(subject)) {
+    subject.forEach((entry) => {
+      downgradeSubjectForSpecVersion(entry, specVersion, parentKey);
+    });
+    return;
+  }
+  if (parentKey === "metadata") {
+    normalizeMetadataForSpecVersion(subject, specVersion);
+  }
+  if (parentKey === "component" || parentKey === "components") {
+    normalizeComponentForSpecVersion(subject, specVersion);
+  }
+  if (parentKey === "service" || parentKey === "services") {
+    normalizeServiceForSpecVersion(subject, specVersion);
+  }
+  if (specVersion < 1.6) {
+    if (subject.cryptoProperties) {
+      delete subject.cryptoProperties;
+    }
+    if (
+      subject?.evidence?.occurrences &&
+      Array.isArray(subject.evidence.occurrences)
+    ) {
+      subject.evidence.occurrences.forEach((occurrence) => {
+        delete occurrence.line;
+        delete occurrence.offset;
+        delete occurrence.symbol;
+        delete occurrence.additionalContext;
+      });
+    }
+    if (
+      subject?.evidence?.identity &&
+      Array.isArray(subject.evidence.identity)
+    ) {
+      subject.evidence.identity = subject.evidence.identity[0];
+      if (subject.evidence.identity?.concludedValue) {
+        delete subject.evidence.identity.concludedValue;
+      }
+    }
+  } else if (
+    specVersion < 1.7 &&
+    subject.cryptoProperties?.assetType === "certificate" &&
+    subject.cryptoProperties.certificateProperties
+  ) {
+    const certificateProperties =
+      subject.cryptoProperties.certificateProperties;
+    if (
+      !certificateProperties.certificateExtension &&
+      certificateProperties.certificateFileExtension
+    ) {
+      certificateProperties.certificateExtension =
+        certificateProperties.certificateFileExtension;
+    }
+    delete certificateProperties.serialNumber;
+    delete certificateProperties.certificateFileExtension;
+    delete certificateProperties.fingerprint;
+  }
+  Object.entries(subject).forEach(([key, value]) => {
+    downgradeSubjectForSpecVersion(value, specVersion, key);
+  });
+}
+
+function applySpecVersionCompatibility(bomJson, options) {
+  const specVersion = normalizeSpecVersion(
+    options?.specVersion || bomJson?.specVersion || 1.7,
+  );
+  if (specVersion >= 1.7) {
+    return bomJson;
+  }
+  downgradeSubjectForSpecVersion(bomJson, specVersion);
+  return bomJson;
+}
+
 /**
  * Filter and enhance BOM post generation.
  *
  * @param {Object} bomNSData BOM with namespaces object
  * @param {Object} options CLI options
+ * @param {string} [filePath] Source path used for formulation and metadata context
  *
  * @returns {Object} Modified bomNSData
  */
@@ -312,6 +491,7 @@ export function postProcess(bomNSData, options, filePath) {
   bomNSData.bomJson = filterBom(jsonPayload, options);
   bomNSData.bomJson = applyStandards(bomNSData.bomJson, options);
   bomNSData.bomJson = applyMetadata(bomNSData.bomJson, options);
+  bomNSData.bomJson = applyContainerInventoryMetadata(bomNSData.bomJson);
   bomNSData.bomJson = applyFormulation(
     bomNSData.bomJson,
     options,
@@ -319,10 +499,21 @@ export function postProcess(bomNSData, options, filePath) {
     bomNSData.formulationList,
   );
   bomNSData.bomJson = applyReleaseNotes(bomNSData.bomJson, options, filePath);
+  bomNSData.bomJson = applySpecVersionCompatibility(bomNSData.bomJson, options);
   bomNSData.bomJson = validateTlpClassification(bomNSData.bomJson, options);
   // Support for automatic annotations
   if (options.specVersion >= 1.6) {
-    bomNSData.bomJson = annotate(bomNSData.bomJson, options);
+    setActivityContext({
+      bomMutation: "annotations",
+      capability: "bom-mutation",
+      projectType: "Annotations",
+      sourcePath: filePath || options.filePath || process.cwd(),
+    });
+    try {
+      bomNSData.bomJson = annotate(bomNSData.bomJson, options);
+    } finally {
+      resetActivityContext();
+    }
   }
   cleanupEnv(options);
   cleanupTmpDir();