npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/stages/postgen/postgen.poku.js CHANGED Viewed

@@ -241,6 +241,280 @@ it("postProcess passes formulationList from bomNSData into the formulation secti
   );
 });
+it("postProcess downgrades certificate crypto properties for spec version 1.6", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.6",
+      components: [
+        {
+          type: "cryptographic-asset",
+          name: "demo-cert",
+          cryptoProperties: {
+            assetType: "certificate",
+            certificateProperties: {
+              serialNumber: "1234",
+              subjectName: "CN=demo",
+              issuerName: "CN=demo",
+              notValidBefore: "2024-01-01T00:00:00.000Z",
+              notValidAfter: "2034-01-01T00:00:00.000Z",
+              certificateFormat: "X.509",
+              certificateFileExtension: "crt",
+              fingerprint: { alg: "SHA-1", content: "a".repeat(40) },
+            },
+          },
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "cryptographic-asset",
+              name: "formulation-cert",
+              cryptoProperties: {
+                assetType: "certificate",
+                certificateProperties: {
+                  serialNumber: "5678",
+                  subjectName: "CN=formulation",
+                  certificateFileExtension: "pem",
+                  fingerprint: { alg: "SHA-1", content: "b".repeat(40) },
+                },
+              },
+            },
+          ],
+        },
+      ],
+      metadata: {
+        properties: [],
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.6 });
+  const componentCert =
+    result.bomJson.components[0].cryptoProperties.certificateProperties;
+  const formulationCert =
+    result.bomJson.formulation[0].components[0].cryptoProperties
+      .certificateProperties;
+  assert.deepStrictEqual(componentCert, {
+    subjectName: "CN=demo",
+    issuerName: "CN=demo",
+    notValidBefore: "2024-01-01T00:00:00.000Z",
+    notValidAfter: "2034-01-01T00:00:00.000Z",
+    certificateFormat: "X.509",
+    certificateExtension: "crt",
+  });
+  assert.deepStrictEqual(formulationCert, {
+    subjectName: "CN=formulation",
+    certificateExtension: "pem",
+  });
+});
+it("postProcess removes remaining 1.7-only fields from metadata, components, and formulation inventories for spec version 1.6", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.6",
+      components: [
+        {
+          type: "library",
+          name: "demo-lib",
+          version: "1.0.0",
+          isExternal: true,
+          patentAssertions: [{ patentNumber: "US-123" }],
+          versionRange: "vers:npm/>=1.0.0|<2.0.0",
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "library",
+              name: "formulation-lib",
+              version: "2.0.0",
+              isExternal: true,
+              versionRange: "vers:npm/>=2.0.0|<3.0.0",
+            },
+          ],
+          services: [
+            {
+              name: "formulation-service",
+              patentAssertions: [{ patentNumber: "US-456" }],
+            },
+          ],
+        },
+      ],
+      metadata: {
+        distributionConstraints: { tlp: "GREEN" },
+        component: {
+          type: "application",
+          name: "demo-app",
+          version: "1.0.0",
+          isExternal: true,
+          versionRange: "vers:npm/>=1.0.0|<2.0.0",
+        },
+        properties: [],
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+      services: [
+        {
+          name: "demo-service",
+          patentAssertions: [{ patentNumber: "US-789" }],
+        },
+      ],
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.6 });
+  const rootComponent = result.bomJson.components[0];
+  const formulationComponent = result.bomJson.formulation[0].components[0];
+  const rootService = result.bomJson.services[0];
+  const formulationService = result.bomJson.formulation[0].services[0];
+  const metadataComponent = result.bomJson.metadata.component;
+  assert.strictEqual(
+    result.bomJson.metadata.distributionConstraints,
+    undefined,
+  );
+  assert.strictEqual(rootComponent.isExternal, undefined);
+  assert.strictEqual(rootComponent.patentAssertions, undefined);
+  assert.strictEqual(rootComponent.versionRange, undefined);
+  assert.strictEqual(formulationComponent.isExternal, undefined);
+  assert.strictEqual(formulationComponent.versionRange, undefined);
+  assert.strictEqual(rootService.patentAssertions, undefined);
+  assert.strictEqual(formulationService.patentAssertions, undefined);
+  assert.strictEqual(metadataComponent.isExternal, undefined);
+  assert.strictEqual(metadataComponent.versionRange, undefined);
+});
+it("postProcess removes remaining 1.6-only fields from metadata, components, and formulation inventories for spec version 1.5", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.5",
+      components: [
+        {
+          type: "library",
+          name: "demo-lib",
+          version: "1.0.0",
+          authors: [{ name: "Alice" }],
+          manufacturer: { name: "Acme" },
+          omniborId: ["gitoid:blob:sha1:abc"],
+          swhid: ["swh:1:rev:def"],
+          tags: ["demo"],
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "library",
+              name: "formulation-lib",
+              version: "2.0.0",
+              authors: [{ name: "Bob" }],
+              manufacturer: { name: "Builder" },
+              omniborId: ["gitoid:blob:sha1:ghi"],
+              swhid: ["swh:1:dir:jkl"],
+              tags: ["workflow"],
+            },
+          ],
+          services: [
+            {
+              name: "formulation-service",
+              tags: ["ci"],
+            },
+          ],
+        },
+      ],
+      metadata: {
+        manufacturer: { name: "BOM Factory" },
+        component: {
+          type: "application",
+          name: "demo-app",
+          version: "1.0.0",
+          authors: [{ name: "Carol" }],
+          manufacturer: { name: "Acme" },
+          tags: ["root"],
+        },
+        properties: [],
+      },
+      services: [
+        {
+          name: "demo-service",
+          tags: ["runtime"],
+        },
+      ],
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.5 });
+  const rootComponent = result.bomJson.components[0];
+  const formulationComponent = result.bomJson.formulation[0].components[0];
+  const rootService = result.bomJson.services[0];
+  const formulationService = result.bomJson.formulation[0].services[0];
+  const metadataComponent = result.bomJson.metadata.component;
+  assert.strictEqual(result.bomJson.metadata.manufacturer, undefined);
+  assert.strictEqual(rootComponent.authors, undefined);
+  assert.strictEqual(rootComponent.manufacturer, undefined);
+  assert.strictEqual(rootComponent.omniborId, undefined);
+  assert.strictEqual(rootComponent.swhid, undefined);
+  assert.strictEqual(rootComponent.tags, undefined);
+  assert.strictEqual(formulationComponent.authors, undefined);
+  assert.strictEqual(formulationComponent.manufacturer, undefined);
+  assert.strictEqual(formulationComponent.omniborId, undefined);
+  assert.strictEqual(formulationComponent.swhid, undefined);
+  assert.strictEqual(formulationComponent.tags, undefined);
+  assert.strictEqual(rootService.tags, undefined);
+  assert.strictEqual(formulationService.tags, undefined);
+  assert.strictEqual(metadataComponent.authors, undefined);
+  assert.strictEqual(metadataComponent.manufacturer, undefined);
+  assert.strictEqual(metadataComponent.tags, undefined);
+});
+it("postProcess removes unsupported evidence occurrence details for spec version 1.5", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.5",
+      components: [
+        {
+          type: "file",
+          name: "deviceTypeManager.js",
+          evidence: {
+            occurrences: [
+              {
+                location: "source/microservices/lib/deviceTypeManager.js",
+                line: 11,
+                offset: 2,
+                symbol: "deviceTypeManager",
+                additionalContext: "source-import",
+              },
+            ],
+          },
+        },
+      ],
+      dependencies: [],
+      metadata: { properties: [] },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.5 });
+  assert.deepStrictEqual(result.bomJson.components[0].evidence.occurrences, [
+    {
+      location: "source/microservices/lib/deviceTypeManager.js",
+    },
+  ]);
+});
 it("postProcess merges formulation-discovered MCP config services into bomJson.services", () => {
   const tmpDir = join(tmpdir(), `cdxgen-postgen-${Date.now()}`);
   mkdirSync(join(tmpDir, ".vscode"), { recursive: true });
@@ -372,6 +646,53 @@ it("postProcess attaches releaseNotes to cdxgen metadata tool component", () =>
   }
 });
+it("postProcess refreshes unpackaged native file inventory counts from the final BOM", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [
+        {
+          name: "demo",
+          type: "file",
+          properties: [{ name: "internal:is_executable", value: "true" }],
+        },
+        {
+          name: "libdemo.so",
+          type: "file",
+          properties: [{ name: "internal:is_shared_library", value: "true" }],
+        },
+      ],
+      dependencies: [],
+      metadata: {
+        properties: [
+          { name: "cdx:container:unpackagedExecutableCount", value: "0" },
+          {
+            name: "cdx:container:unpackagedSharedLibraryCount",
+            value: "0",
+          },
+        ],
+        tools: {
+          components: [
+            { group: "@cyclonedx", name: "cdxgen", version: "test" },
+          ],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.7 });
+  assert.deepStrictEqual(
+    result.bomJson.metadata.properties.filter((property) =>
+      property.name.startsWith("cdx:container:unpackaged"),
+    ),
+    [
+      { name: "cdx:container:unpackagedExecutableCount", value: "1" },
+      { name: "cdx:container:unpackagedSharedLibraryCount", value: "1" },
+    ],
+  );
+});
 it("postProcess fails for weak TLP when sensitive property values are present", () => {
   const bomNSData = {
     bomJson: {

package/lib/stages/postgen/ruleEngine.js CHANGED Viewed

@@ -136,6 +136,24 @@ function normalizeStandardsMetadata(rule) {
   return Object.keys(normalized).length ? normalized : undefined;
 }
+function normalizeDryRunSupport(rule) {
+  const rawValue =
+    typeof rule?.["dry-run-support"] === "string"
+      ? rule["dry-run-support"]
+      : typeof rule?.dryRunSupport === "string"
+        ? rule.dryRunSupport
+        : undefined;
+  if (rawValue !== undefined && !["no", "partial", "full"].includes(rawValue)) {
+    if (DEBUG_MODE) {
+      console.warn(
+        `Rule ${rule?.id || "unknown"} has invalid dry-run-support '${rawValue}'; defaulting to 'partial'`,
+      );
+    }
+    return "partial";
+  }
+  return ["no", "partial", "full"].includes(rawValue) ? rawValue : "partial";
+}
 /**
  * Helper: Check if property exists and equals expected value
  * Usage: $hasProp(component, 'cdx:foo', 'bar')
@@ -247,6 +265,103 @@ function registerCdxHelpers(expression) {
   expression.registerFunction("safeStr", (val) => {
     return val === null || val === undefined ? "" : String(val).trim();
   });
+  expression.registerFunction("parseSizeBytes", (val) => {
+    if (val === null || val === undefined || val === "") {
+      return null;
+    }
+    if (typeof val === "number") {
+      return Number.isFinite(val) ? val : null;
+    }
+    const normalizedValue = String(val).trim();
+    if (!normalizedValue) {
+      return null;
+    }
+    const matchedValue = normalizedValue.match(
+      /^(\d+(?:\.\d+)?)\s*([kmgtpe]?i?b)?$/iu,
+    );
+    if (!matchedValue) {
+      return null;
+    }
+    const numericValue = Number.parseFloat(matchedValue[1]);
+    if (!Number.isFinite(numericValue)) {
+      return null;
+    }
+    const unit = (matchedValue[2] || "").toLowerCase();
+    const unitMap = {
+      b: 1,
+      kb: 1000,
+      kib: 1024,
+      mb: 1000 ** 2,
+      mib: 1024 ** 2,
+      gb: 1000 ** 3,
+      gib: 1024 ** 3,
+      tb: 1000 ** 4,
+      tib: 1024 ** 4,
+      pb: 1000 ** 5,
+      pib: 1024 ** 5,
+      eb: 1000 ** 6,
+      eib: 1024 ** 6,
+    };
+    const multiplier = unitMap[unit || "b"];
+    if (!multiplier) {
+      return null;
+    }
+    return numericValue * multiplier;
+  });
+  expression.registerFunction("firstNonEmpty", (...values) => {
+    for (const value of values) {
+      if (value === null || value === undefined) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        const candidate = value
+          .map((entry) =>
+            entry === null || entry === undefined ? "" : String(entry).trim(),
+          )
+          .filter(Boolean)
+          .join(", ");
+        if (candidate) {
+          return candidate;
+        }
+        continue;
+      }
+      const candidate = String(value).trim();
+      if (candidate) {
+        return candidate;
+      }
+    }
+    return "";
+  });
+  expression.registerFunction("isDarwinSystemPath", (value) => {
+    if (typeof value !== "string") {
+      return false;
+    }
+    const normalized = value.trim();
+    return (
+      normalized.startsWith("/bin/") ||
+      normalized.startsWith("/sbin/") ||
+      normalized.startsWith("/System/") ||
+      normalized.startsWith("/usr/bin/") ||
+      normalized.startsWith("/usr/libexec/") ||
+      normalized.startsWith("/usr/sbin/") ||
+      normalized.startsWith("/Library/Apple/System/") ||
+      normalized.startsWith("/System/Volumes/Preboot/Cryptexes/")
+    );
+  });
+  expression.registerFunction("isWindowsUserControlledPath", (value) => {
+    if (typeof value !== "string") {
+      return false;
+    }
+    const normalized = value.trim().replaceAll("/", "\\").toLowerCase();
+    return (
+      normalized.includes("\\users\\") ||
+      normalized.includes("\\programdata\\") ||
+      normalized.includes("\\appdata\\") ||
+      normalized.includes("\\downloads\\") ||
+      normalized.includes("\\desktop\\") ||
+      normalized.includes("\\temp\\")
+    );
+  });
   expression.registerFunction("auditComponents", (bomJson) =>
     getAuditComponents(bomJson),
   );
@@ -331,6 +446,7 @@ export async function loadRules(rulesDir) {
         }
         rule.severity = rule.severity || "medium";
         rule.category = rule.category || "unknown";
+        rule.dryRunSupport = normalizeDryRunSupport(rule);
         const attack = normalizeAttackMetadata(rule);
         if (attack.tactics.length || attack.techniques.length) {
           rule.attack = attack;

package/lib/stages/pregen/envAudit.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import process from "node:process";
+import { recordEnvironmentRead } from "../../helpers/utils.js";
 const PERMISSION_FLAGS = [
   "--permission",
   "--allow-fs-read",
@@ -57,8 +59,13 @@ const PERMISSION_FLAG_PATTERNS = PERMISSION_FLAGS.map(
 export function auditEnvironment(env = process.env) {
   const findings = [];
-  const nodeOptions = env.NODE_OPTIONS || "";
-  const cdxgenNodeOptions = env.CDXGEN_NODE_OPTIONS || "";
+  const envSource = env === process.env ? "process.env" : "env";
+  const readEnv = (varName) => {
+    recordEnvironmentRead(varName, { source: envSource });
+    return env[varName];
+  };
+  const nodeOptions = readEnv("NODE_OPTIONS") || "";
+  const cdxgenNodeOptions = readEnv("CDXGEN_NODE_OPTIONS") || "";
   const hasPermission = PERMISSION_FLAG_PATTERNS.some((re) =>
     re.test(nodeOptions),
   );
@@ -93,7 +100,7 @@ export function auditEnvironment(env = process.env) {
     });
   }
   // NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification; any other value is benign.
-  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") {
+  if (readEnv("NODE_TLS_REJECT_UNAUTHORIZED") === "0") {
     findings.push({
       type: "environment-variable",
       variable: "NODE_TLS_REJECT_UNAUTHORIZED",
@@ -107,6 +114,7 @@ export function auditEnvironment(env = process.env) {
   for (const varName of RISKY_PRESENCE_VARS) {
     if (env[varName] != null && env[varName] !== "") {
+      recordEnvironmentRead(varName, { source: envSource });
       const messages = {
         NODE_PATH:
           "NODE_PATH is set and may cause unexpected modules to be loaded, enabling module-resolution poisoning.",
@@ -166,6 +174,7 @@ export function auditEnvironment(env = process.env) {
     "JDK_JAVA_OPTIONS",
   ]) {
     const jvmOptions = env[jvmVar] || "";
+    recordEnvironmentRead(jvmVar, { source: envSource });
     if (jvmOptions) {
       for (const pattern of JVM_CODE_EXECUTION_PATTERNS) {
         if (pattern.test(jvmOptions)) {
@@ -184,6 +193,7 @@ export function auditEnvironment(env = process.env) {
   // Proxy interception — informational
   const activeProxy = PROXY_VARS.find((v) => env[v] != null && env[v] !== "");
   if (activeProxy) {
+    recordEnvironmentRead(activeProxy, { source: envSource });
     findings.push({
       type: "network-interception",
       variable: activeProxy,
@@ -197,6 +207,7 @@ export function auditEnvironment(env = process.env) {
   // Credential exposure — detect any env var whose name follows a credential-naming convention.
   for (const [varName, varValue] of Object.entries(env)) {
     if (varValue && CREDENTIAL_VAR_PATTERN.test(varName)) {
+      recordEnvironmentRead(varName, { source: envSource });
       findings.push({
         type: "credential-exposure",
         variable: varName,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "12.3.3",
+  "version": "12.4.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -91,6 +91,7 @@
     "cdxgen-secure": "bin/cdxgen.js",
     "cdxi": "bin/repl.js",
     "evinse": "bin/evinse.js",
+    "hbom": "bin/hbom.js",
     "obom": "bin/cdxgen.js",
     "saasbom": "bin/cdxgen.js",
     "spdxgen": "bin/cdxgen.js"
@@ -105,7 +106,7 @@
     "index.cjs"
   ],
   "dependencies": {
-    "@babel/parser": "7.29.2",
+    "@babel/parser": "7.29.3",
     "@babel/traverse": "7.29.0",
     "@iarna/toml": "2.2.5",
     "@isaacs/string-locale-compare": "1.1.0",
@@ -131,40 +132,41 @@
     "proc-log": "6.1.0",
     "properties-reader": "3.0.1",
     "read-package-json-fast": "5.0.0",
-    "semver": "7.7.4",
+    "semver": "7.8.0",
     "ssri": "13.0.1",
-    "tar": "7.5.13",
+    "tar": "7.5.15",
     "treeverse": "3.0.0",
     "uuid": "14.0.0",
     "walk-up-path": "4.0.0",
     "xml-js": "1.6.11",
-    "yaml": "2.8.3",
+    "yaml": "2.8.4",
     "yargs": "18.0.0",
     "yoctocolors": "2.1.2"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.4.13",
-    "esmock": "2.7.3",
+    "@biomejs/biome": "2.4.15",
+    "esmock": "2.7.5",
     "poku": "4.3.0",
-    "sinon": "21.1.2",
+    "sinon": "22.0.0",
     "typescript": "6.0.3"
   },
   "optionalDependencies": {
     "@appthreat/atom": "2.5.2",
     "@appthreat/atom-parsetools": "1.1.4",
-    "@appthreat/cdx-proto": "1.3.0",
-    "@bufbuild/protobuf": "2.11.0",
-    "@cdxgen/cdxgen-plugins-bin": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-darwin-amd64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-darwin-arm64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linux-amd64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linux-arm": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linux-arm64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linux-ppc64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linuxmusl-amd64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-linuxmusl-arm64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-windows-amd64": "2.0.3",
-    "@cdxgen/cdxgen-plugins-bin-windows-arm64": "2.0.3",
+    "@appthreat/cdx-proto": "2.0.1",
+    "@bufbuild/protobuf": "2.12.0",
+    "@cdxgen/cdx-hbom": "0.5.0",
+    "@cdxgen/cdxgen-plugins-bin": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-darwin-amd64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-darwin-arm64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linux-amd64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linux-arm": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linux-arm64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linux-ppc64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linuxmusl-amd64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-linuxmusl-arm64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-windows-amd64": "2.1.1",
+    "@cdxgen/cdxgen-plugins-bin-windows-arm64": "2.1.1",
     "body-parser": "2.2.2",
     "compression": "1.8.1",
     "connect": "3.7.0",

package/types/bin/hbom.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=hbom.d.ts.map

package/types/bin/hbom.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"hbom.d.ts","sourceRoot":"","sources":["../../bin/hbom.js"],"names":[],"mappings":""}

package/types/bin/repl.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../bin/repl.js"],"names":[],"mappings":";~~AA4OO~~,~~kDAwDN~~"}
1	+ {"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../bin/repl.js"],"names":[],"mappings":";AA0WO,kDAmEN"}

package/types/lib/audit/index.d.ts CHANGED Viewed

@@ -22,6 +22,50 @@ export function loadInputBoms(options: object): {
     source: string;
     bomJson: object;
 }[];
+export function runDirectBomAuditFromBoms(inputBoms: any, options?: {}): Promise<{
+    auditMode: string;
+    generatedAt: string;
+    inputs: any;
+    results: {
+        auditOptions: {
+            bomAuditCategories: any;
+            bomAuditMinSeverity: any;
+            bomAuditRulesDir: any;
+        };
+        bomFormat: any;
+        findings: any[];
+        serialNumber: any;
+        source: any;
+        specVersion: any;
+        status: string;
+        summary: {
+            findingsBySeverity: {
+                critical: number;
+                high: number;
+                low: number;
+                medium: number;
+            };
+            findingsCount: number;
+            maxSeverity: string;
+        };
+    }[];
+    summary: {
+        findingsBySeverity: {
+            critical: number;
+            high: number;
+            low: number;
+            medium: number;
+        };
+        inputBomCount: any;
+        maxSeverity: string;
+        totalFindings: number;
+        bomsWithFindings: number;
+    };
+    tool: {
+        name: string;
+        version: string;
+    };
+}>;
 /**
  * Build low-noise provenance-aware contextual findings from the root BOM target.
  *