npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/audit/targets.js CHANGED Viewed

@@ -1,7 +1,11 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
 import { PackageURL } from "packageurl-js";
 import { hasTrustedPublishingProperties } from "../helpers/provenanceUtils.js";
 import {
+  dirNameStr,
   getCratesMetadata,
   getNpmMetadata,
   getPyMetadata,
@@ -9,13 +13,126 @@ import {
 const SUPPORTED_PURL_TYPES = new Set(["cargo", "npm", "pypi"]);
 const NON_REQUIRED_SCOPES = new Set(["excluded", "optional"]);
+const BUILTIN_PREDICTIVE_AUDIT_ALLOWLIST = Object.freeze(
+  loadAllowlistPrefixes(
+    join(dirNameStr, "data", "predictive-audit-allowlist.json"),
+    "built-in predictive audit allowlist",
+  ),
+);
+function normalizeAllowlistPrefix(prefix) {
+  if (typeof prefix !== "string") {
+    return undefined;
+  }
+  const normalizedPrefix = prefix.trim().toLowerCase();
+  return normalizedPrefix.startsWith("pkg:") ? normalizedPrefix : undefined;
+}
+function normalizeAllowlistPrefixes(prefixes) {
+  return [
+    ...new Set((prefixes || []).map(normalizeAllowlistPrefix).filter(Boolean)),
+  ];
+}
+function parseAllowlistPrefixes(rawContent, sourceLabel) {
+  const trimmedContent = rawContent?.trim();
+  if (!trimmedContent) {
+    return [];
+  }
+  if (trimmedContent.startsWith("[") || trimmedContent.startsWith("{")) {
+    const parsedValue = JSON.parse(trimmedContent);
+    if (Array.isArray(parsedValue)) {
+      return normalizeAllowlistPrefixes(parsedValue);
+    }
+    if (Array.isArray(parsedValue?.prefixes)) {
+      return normalizeAllowlistPrefixes(parsedValue.prefixes);
+    }
+    throw new Error(
+      `${sourceLabel} must be a JSON array or an object with a 'prefixes' array.`,
+    );
+  }
+  return normalizeAllowlistPrefixes(
+    trimmedContent
+      .split(/\r?\n/u)
+      .map((line) => line.replace(/\s+#.*$/u, "").trim())
+      .filter(Boolean),
+  );
+}
+function loadAllowlistPrefixes(filePath, sourceLabel) {
+  let rawContent;
+  try {
+    rawContent = readFileSync(filePath, "utf8");
+  } catch (error) {
+    const errorCodeSuffix =
+      typeof error?.code === "string" ? ` (${error.code})` : "";
+    throw new Error(
+      `Failed to load ${sourceLabel} from ${filePath}${errorCodeSuffix}.`,
+      {
+        cause: error,
+      },
+    );
+  }
+  try {
+    return parseAllowlistPrefixes(rawContent, sourceLabel);
+  } catch (error) {
+    throw new Error(
+      `Invalid ${sourceLabel} in ${filePath}. Use a JSON array, a JSON object with a 'prefixes' array, or newline-delimited purl prefixes.`,
+      {
+        cause: error,
+      },
+    );
+  }
+}
+function getAllowlistPrefixes(options) {
+  const customPrefixes = options?.allowlistFile
+    ? loadAllowlistPrefixes(options.allowlistFile, "predictive audit allowlist")
+    : normalizeAllowlistPrefixes(options?.allowlistPrefixes);
+  return normalizeAllowlistPrefixes([
+    ...BUILTIN_PREDICTIVE_AUDIT_ALLOWLIST,
+    ...customPrefixes,
+  ]);
+}
+/**
+ * Find the first allowlisted purl prefix that matches a component purl using
+ * a real purl boundary.
+ *
+ * This avoids over-filtering when one package name is only a lexical prefix of
+ * another package name (for example `pkg:npm/npm` vs `pkg:npm/npm-run-all`).
+ *
+ * @param {string | undefined} componentPurl Candidate component purl
+ * @param {string[] | undefined} allowlistPrefixes Normalized allowlist prefixes
+ * @returns {string | undefined} matched allowlist prefix, if any
+ */
+function findMatchingAllowlistPrefix(componentPurl, allowlistPrefixes) {
+  const normalizedPurl = componentPurl?.toLowerCase();
+  if (!normalizedPurl || !allowlistPrefixes?.length) {
+    return undefined;
+  }
+  return allowlistPrefixes.find((prefix) => {
+    if (!normalizedPurl.startsWith(prefix)) {
+      return false;
+    }
+    const boundaryCharacter = normalizedPurl[prefix.length];
+    return (
+      // Purl boundaries after a matched prefix can be the version separator,
+      // namespace/package separator, qualifier separator, or subpath separator.
+      boundaryCharacter === undefined ||
+      ["/", "@", "?", "#"].includes(boundaryCharacter)
+    );
+  });
+}
 /**
  * Normalize predictive audit target selection options.
  *
  * @param {number | object | undefined} options selector options or legacy maxTargets value
  * @returns {{
+ *   allowlistPrefixes: string[],
  *   maxTargets: number | undefined,
+ *   prioritizeDirectRuntime: boolean,
  *   scope: string | undefined,
  *   trusted: "exclude" | "include" | "only",
  * }} normalized options
@@ -23,6 +140,7 @@ const NON_REQUIRED_SCOPES = new Set(["excluded", "optional"]);
 function normalizeTargetSelectionOptions(options) {
   if (typeof options === "number") {
     return {
+      allowlistPrefixes: BUILTIN_PREDICTIVE_AUDIT_ALLOWLIST,
       maxTargets: options,
       prioritizeDirectRuntime: true,
       scope: undefined,
@@ -30,6 +148,7 @@ function normalizeTargetSelectionOptions(options) {
     };
   }
   return {
+    allowlistPrefixes: getAllowlistPrefixes(options),
     maxTargets: options?.maxTargets,
     prioritizeDirectRuntime: options?.prioritizeDirectRuntime ?? true,
     scope: options?.scope === "required" ? "required" : undefined,
@@ -452,6 +571,22 @@ export function extractPurlTargetsFromBom(bomJson, sourceName, options) {
       });
       continue;
     }
+    const matchedAllowlistPrefix = findMatchingAllowlistPrefix(
+      componentPurl,
+      selectorOptions.allowlistPrefixes,
+    );
+    if (matchedAllowlistPrefix) {
+      skipped.push({
+        reason: "allowlisted-purl-prefix",
+        matchedPrefix: matchedAllowlistPrefix,
+        source: sourceName,
+        purl: componentPurl,
+        bomRef: component?.["bom-ref"],
+        name: component?.name,
+        type: purlObj.type,
+      });
+      continue;
+    }
     targets.push({
       bomRef: component?.["bom-ref"],
       buildOnlyWorkspace:
@@ -511,6 +646,7 @@ export function extractPurlTargetsFromBom(bomJson, sourceName, options) {
  */
 export function collectAuditTargets(inputBoms, options) {
   const selectorOptions = normalizeTargetSelectionOptions(options);
+  const allowlistedTargetPurls = new Set();
   const skipped = [];
   const targetMap = new Map();
   for (const inputBom of inputBoms) {
@@ -519,7 +655,15 @@ export function collectAuditTargets(inputBoms, options) {
       inputBom.source,
       selectorOptions,
     );
-    skipped.push(...extracted.skipped);
+    for (const skippedEntry of extracted.skipped) {
+      skipped.push(skippedEntry);
+      if (
+        skippedEntry?.reason === "allowlisted-purl-prefix" &&
+        skippedEntry?.purl
+      ) {
+        allowlistedTargetPurls.add(skippedEntry.purl);
+      }
+    }
     for (const target of extracted.targets) {
       const existing = targetMap.get(target.purl);
       if (existing) {
@@ -630,6 +774,7 @@ export function collectAuditTargets(inputBoms, options) {
     skipped,
     stats: {
       availableTargets,
+      allowlistedTargetsExcluded: allowlistedTargetPurls.size,
       directRuntimeTargets: directRuntimeTargets.length,
       buildOnlyWorkspaceTargets: buildOnlyWorkspaceTargets.length,
       cargoRuntimeFacingTargets: cargoRuntimeFacingTargets.length,

package/lib/audit/targets.poku.js CHANGED Viewed

@@ -1,3 +1,7 @@
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
 import esmock from "esmock";
 import { assert, describe, it } from "poku";
@@ -17,6 +21,42 @@ function makeBom(components, extra = {}) {
   };
 }
+function makeAllowlistInputBom(source) {
+  return {
+    bomJson: makeBom([
+      {
+        "bom-ref": "pkg:npm/%40acme/core@1.0.0",
+        name: "core",
+        purl: "pkg:npm/%40acme/core@1.0.0",
+      },
+      {
+        "bom-ref": "pkg:pypi/internal-tool@1.0.0",
+        name: "internal-tool",
+        purl: "pkg:pypi/internal-tool@1.0.0",
+      },
+      {
+        "bom-ref": "pkg:npm/left-pad@1.3.0",
+        name: "left-pad",
+        purl: "pkg:npm/left-pad@1.3.0",
+      },
+    ]),
+    source,
+  };
+}
+function withTemporaryAllowlistFile(fileName, content, callback) {
+  const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdx-audit-allowlist-"));
+  const allowlistFile = path.join(tmpDir, fileName);
+  writeFileSync(allowlistFile, content);
+  try {
+    // Let test failures propagate after cleanup so the original assertion error
+    // is preserved for the runner.
+    callback(allowlistFile);
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+}
 describe("normalizePackageName()", () => {
   it("normalizes Python-style package separators", () => {
     assert.strictEqual(
@@ -312,6 +352,152 @@ describe("collectAuditTargets()", () => {
     assert.strictEqual(collected.stats.nonRequiredTargets, 0);
   });
+  it("skips built-in well-known npm allowlist prefixes by default", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/%40babel/parser@7.29.3",
+            name: "parser",
+            purl: "pkg:npm/%40babel/parser@7.29.3",
+          },
+          {
+            "bom-ref": "pkg:npm/npm@10.9.0",
+            name: "npm",
+            purl: "pkg:npm/npm@10.9.0",
+          },
+          {
+            "bom-ref": "pkg:npm/%40types/node@24.0.0",
+            name: "node",
+            purl: "pkg:npm/%40types/node@24.0.0",
+          },
+          {
+            "bom-ref": "pkg:npm/left-pad@1.3.0",
+            name: "left-pad",
+            purl: "pkg:npm/left-pad@1.3.0",
+          },
+        ]),
+        source: "allowlist-default.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { trusted: "include" });
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/left-pad@1.3.0"],
+    );
+    assert.strictEqual(collected.stats.allowlistedTargetsExcluded, 3);
+    assert.strictEqual(
+      collected.skipped.filter(
+        (entry) => entry.reason === "allowlisted-purl-prefix",
+      ).length,
+      3,
+    );
+  });
+  it("supports additive custom predictive audit allowlists", () => {
+    withTemporaryAllowlistFile(
+      "custom-allowlist.json",
+      `${JSON.stringify(["pkg:npm/%40acme", "pkg:pypi/internal-tool"])}\n`,
+      (allowlistFile) => {
+        const inputBoms = [makeAllowlistInputBom("allowlist-custom.json")];
+        const collected = collectAuditTargets(inputBoms, {
+          allowlistFile,
+          trusted: "include",
+        });
+        assert.deepStrictEqual(
+          collected.targets.map((target) => target.purl),
+          ["pkg:npm/left-pad@1.3.0"],
+        );
+        assert.strictEqual(collected.stats.allowlistedTargetsExcluded, 2);
+      },
+    );
+  });
+  it("supports newline-delimited custom allowlists with comments", () => {
+    withTemporaryAllowlistFile(
+      "custom-allowlist.txt",
+      [
+        "pkg:npm/%40acme # internal namespace",
+        "",
+        "pkg:pypi/internal-tool",
+      ].join("\n"),
+      (allowlistFile) => {
+        const inputBoms = [makeAllowlistInputBom("allowlist-custom-text.json")];
+        const collected = collectAuditTargets(inputBoms, {
+          allowlistFile,
+          trusted: "include",
+        });
+        assert.deepStrictEqual(
+          collected.targets.map((target) => target.purl),
+          ["pkg:npm/left-pad@1.3.0"],
+        );
+        assert.strictEqual(collected.stats.allowlistedTargetsExcluded, 2);
+      },
+    );
+  });
+  it("supports custom allowlists provided as a prefixes object", () => {
+    withTemporaryAllowlistFile(
+      "custom-allowlist.json",
+      `${JSON.stringify({ prefixes: ["pkg:npm/%40acme", "pkg:pypi/internal-tool"] })}\n`,
+      (allowlistFile) => {
+        const inputBoms = [
+          makeAllowlistInputBom("allowlist-custom-prefixes.json"),
+        ];
+        const collected = collectAuditTargets(inputBoms, {
+          allowlistFile,
+          trusted: "include",
+        });
+        assert.deepStrictEqual(
+          collected.targets.map((target) => target.purl),
+          ["pkg:npm/left-pad@1.3.0"],
+        );
+        assert.strictEqual(collected.stats.allowlistedTargetsExcluded, 2);
+      },
+    );
+  });
+  it("requires a purl boundary after an allowlisted prefix", () => {
+    const inputBoms = [
+      {
+        bomJson: makeBom([
+          {
+            "bom-ref": "pkg:npm/npm@10.9.0",
+            name: "npm",
+            purl: "pkg:npm/npm@10.9.0",
+          },
+          {
+            "bom-ref": "pkg:npm/npm-run-all@4.1.5",
+            name: "npm-run-all",
+            purl: "pkg:npm/npm-run-all@4.1.5",
+          },
+          {
+            "bom-ref": "pkg:npm/npm-check-updates@17.1.0",
+            name: "npm-check-updates",
+            purl: "pkg:npm/npm-check-updates@17.1.0",
+          },
+        ]),
+        source: "allowlist-boundary.json",
+      },
+    ];
+    const collected = collectAuditTargets(inputBoms, { trusted: "include" });
+    assert.deepStrictEqual(
+      collected.targets.map((target) => target.purl),
+      ["pkg:npm/npm-check-updates@17.1.0", "pkg:npm/npm-run-all@4.1.5"],
+    );
+    assert.strictEqual(collected.stats.allowlistedTargetsExcluded, 1);
+  });
   it("prioritizes required targets before optional ones when maxTargets is set", () => {
     const inputBoms = [
       {