@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/bin/cdxgen.js

@@ -20,6 +20,7 @@ import { hideBin } from "yargs/helpers";
 
 import { createBom, submitBom } from "../lib/cli/index.js";
 import { signBom, verifyBom } from "../lib/helpers/bomSigner.js";
+import { isCycloneDxBom } from "../lib/helpers/bomUtils.js";
 import {
   displaySelfThreatModel,
   printActivitySummary,
@@ -38,7 +39,14 @@ import {
   createOutputPlan,
   getOutputDirectory,
 } from "../lib/helpers/exportUtils.js";
+import {
+  ensureNoMixedHbomProjectTypes,
+  ensureSupportedHbomSpecVersion,
+  hasHbomProjectType,
+  isHbomOnlyProjectTypes,
+} from "../lib/helpers/hbom.js";
 import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
+import { importProtobomModule } from "../lib/helpers/protobomLoader.js";
 import {
   cleanupSourceDir,
   findGitRefForPurlVersion,
@@ -57,7 +65,9 @@ import {
 import {
   commandsExecuted,
   DEBUG_MODE,
+  getDefaultBomAuditCategories,
   getTmpDir,
+  isAllowedHttpHost,
   isBun,
   isDeno,
   isDryRun,
@@ -65,7 +75,9 @@ import {
   isNode,
   isSecureMode,
   isWin,
+  readEnvironmentVariable,
   recordActivity,
+  recordSensitiveFileRead,
   remoteHostsAccessed,
   retrieveCdxgenVersion,
   safeExistsSync,
@@ -73,6 +85,7 @@ import {
   safeWriteSync,
   setActivityContext,
   setDryRunMode,
+  shouldRunPredictiveBomAudit,
   toCamel,
 } from "../lib/helpers/utils.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
@@ -118,6 +131,10 @@ for (const configPattern of configPaths) {
 }
 
 const _yargs = yargs(hideBin(process.argv));
+const invokedCommandName = basename(process.argv[1] || "cdxgen").replace(
+  /\.(?:[cm]?js|exe)$/u,
+  "",
+);
 
 const args = _yargs
   .env("CDXGEN")
@@ -244,6 +261,12 @@ const args = _yargs
     description:
       "Read-only mode. cdxgen only performs file reads and reports blocked writes, command execution, temp creation, network access, and submissions.",
   })
+  .option("include-runtime", {
+    type: "boolean",
+    default: false,
+    description:
+      "For HBOM runs, also collect OBOM runtime inventory and emit a merged host view with strict hardware/runtime topology links.",
+  })
   .option("activity-report", {
     choices: ["json", "jsonl"],
     description: "Render the activity report as JSON or JSON Lines.",
@@ -321,7 +344,7 @@ const args = _yargs
     description: "CycloneDX Specification version to use. Defaults to 1.7",
     default: 1.7,
     type: "number",
-    choices: [1.4, 1.5, 1.6, 1.7],
+    choices: [1.4, 1.5, 1.6, 1.7, 2.0],
   })
   .option("filter", {
     description:
@@ -556,6 +579,7 @@ const args = _yargs
       "$0 -t java -t js .",
       "Generate a SBOM for Java and JavaScript in the current directory",
     ],
+    ["$0 -t hbom .", "Generate an HBOM for the current host"],
     [
       "$0 -t java --profile ml .",
       "Generate a Java SBOM for machine learning purposes.",
@@ -568,7 +592,7 @@ const args = _yargs
   ])
   .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .config(config)
-  .scriptName("cdxgen")
+  .scriptName(invokedCommandName || "cdxgen")
   .version(retrieveCdxgenVersion())
   .alias("v", "version")
   .help(false)
@@ -648,13 +672,13 @@ if (
   }
 }
 // Support for obom/cbom aliases
-if (process.argv[1].includes("obom") && !args.type) {
-  args.type = "os";
+if (invokedCommandName.includes("obom") && !args.type) {
+  args.type = ["os"];
   thoughtLog(
     "Ok, the user wants to generate an Operations Bill-of-Materials (OBOM).",
   );
 }
-if (process.argv[1].includes("spdxgen") && !args.format) {
+if (invokedCommandName.includes("spdxgen") && !args.format) {
   args.format = "spdx";
   thoughtLog("Ok, defaulting the export format to SPDX.");
 }
@@ -699,19 +723,28 @@ for (const outputFile of Object.values(outputPlan.outputs)) {
 if (options.projectType && Array.isArray(options.projectType)) {
   options.projectType = Array.from(new Set(options.projectType));
 }
+try {
+  ensureNoMixedHbomProjectTypes(options.projectType);
+  if (hasHbomProjectType(options.projectType)) {
+    ensureSupportedHbomSpecVersion(options.specVersion);
+  }
+} catch (error) {
+  console.error(error.message);
+  process.exit(1);
+}
 if (!options.projectType) {
   thoughtLog(
     "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
   );
 }
 // Handle dedicated cbom and saasbom commands
-if (["cbom", "saasbom"].includes(process.argv[1])) {
-  if (process.argv[1].includes("cbom")) {
+if (["cbom", "saasbom"].includes(invokedCommandName)) {
+  if (invokedCommandName.includes("cbom")) {
     thoughtLog(
       "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
     );
     options.includeCrypto = true;
-  } else if (process.argv[1].includes("saasbom")) {
+  } else if (invokedCommandName.includes("saasbom")) {
     thoughtLog(
       "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
     );
@@ -725,7 +758,7 @@ if (["cbom", "saasbom"].includes(process.argv[1])) {
   options.specVersion = 1.7;
   options.deep = true;
 }
-if (process.argv[1].includes("cdxgen-secure")) {
+if (invokedCommandName.includes("cdxgen-secure")) {
   thoughtLog(
     "Ok, the user wants cdxgen to run in secure mode by default. Let's try and use the permissions api.",
   );
@@ -744,7 +777,16 @@ if (isDryRun) {
 if (options.standard) {
   options.specVersion = 1.7;
 }
-if (options.includeFormulation) {
+const isHbomOnlyInvocation = isHbomOnlyProjectTypes(options.projectType);
+if (options.includeFormulation && isHbomOnlyInvocation) {
+  thoughtLog(
+    "HBOM-only invocations do not benefit from formulation data. Let's ignore this option to keep the resulting document focused on hardware inventory.",
+  );
+  console.log(
+    "NOTE: Ignoring formulation collection for HBOM-only invocations because the resulting hardware BOM does not need workflow or dependency-tree enrichment.",
+  );
+  options.includeFormulation = false;
+} else if (options.includeFormulation) {
   if (options.serverUrl) {
     thoughtLog(
       "Wait, the user specified a server URL and wants to include formulation data. Let's warn about accidentally disclosing sensitive data to a remote server.",
@@ -898,16 +940,32 @@ const applyAdvancedOptions = (options) => {
     );
   }
   if (options.bomAudit) {
-    if (!options.includeFormulation) {
+    if (isHbomOnlyInvocation) {
+      thoughtLog(
+        "HBOM-only bom-audit runs should stay focused on hardware inventory. Skipping automatic formulation collection.",
+      );
+    } else if (!options.includeFormulation) {
       console.log(
         "NOTE: Automatically collecting formulation information. The section may include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution or LLM training.\n",
       );
+      options.includeFormulation = true;
     }
-    options.includeFormulation = true;
   }
   return options;
 };
 applyAdvancedOptions(options);
+if (options.bomAudit && !options.bomAuditCategories) {
+  const defaultBomAuditCategories = getDefaultBomAuditCategories(
+    options,
+    process.argv[1],
+  );
+  if (defaultBomAuditCategories) {
+    options.bomAuditCategories = defaultBomAuditCategories;
+    thoughtLog(
+      `Defaulting BOM audit categories to '${defaultBomAuditCategories}' for this OBOM or explicit os-only invocation.`,
+    );
+  }
+}
 
 const envAuditFindings = auditEnvironment();
 if (options.envAudit) {
@@ -1063,11 +1121,27 @@ const checkPermissions = (filePath, options) => {
 
 const needsBomSigning = ({ generateKeyAndSign }) =>
   generateKeyAndSign ||
-  (process.env.SBOM_SIGN_ALGORITHM &&
-    process.env.SBOM_SIGN_ALGORITHM !== "none" &&
-    ((process.env.SBOM_SIGN_PRIVATE_KEY &&
-      safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)) ||
-      process.env.SBOM_SIGN_PRIVATE_KEY_BASE64));
+  (() => {
+    const sbomSignAlgorithm = readEnvironmentVariable("SBOM_SIGN_ALGORITHM");
+    const sbomSignPrivateKey = readEnvironmentVariable(
+      "SBOM_SIGN_PRIVATE_KEY",
+      {
+        sensitive: true,
+      },
+    );
+    const sbomSignPrivateKeyBase64 = readEnvironmentVariable(
+      "SBOM_SIGN_PRIVATE_KEY_BASE64",
+      {
+        sensitive: true,
+      },
+    );
+    return (
+      sbomSignAlgorithm &&
+      sbomSignAlgorithm !== "none" &&
+      ((sbomSignPrivateKey && safeExistsSync(sbomSignPrivateKey)) ||
+        sbomSignPrivateKeyBase64)
+    );
+  })();
 
 const stringifyJson = (jsonPayload, jsonPretty) =>
   typeof jsonPayload === "string" || jsonPayload instanceof String
@@ -1096,7 +1170,21 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     });
     return jsonPayload;
   }
-  let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
+  const sbomSignAlgorithm = readEnvironmentVariable("SBOM_SIGN_ALGORITHM");
+  const sbomSignPrivateKey = readEnvironmentVariable("SBOM_SIGN_PRIVATE_KEY", {
+    sensitive: true,
+  });
+  const sbomSignPrivateKeyBase64 = readEnvironmentVariable(
+    "SBOM_SIGN_PRIVATE_KEY_BASE64",
+    {
+      sensitive: true,
+    },
+  );
+  const sbomSignPublicKey = readEnvironmentVariable("SBOM_SIGN_PUBLIC_KEY");
+  const sbomSignPublicKeyBase64 = readEnvironmentVariable(
+    "SBOM_SIGN_PUBLIC_KEY_BASE64",
+  );
+  let alg = sbomSignAlgorithm || "RS512";
   if (alg.includes("none")) {
     alg = "RS512";
   }
@@ -1134,31 +1222,25 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     privateKeyToUse = privateKey;
     jwkPublicKey = crypto.createPublicKey(publicKey).export({ format: "jwk" });
   } else {
-    if (process.env?.SBOM_SIGN_PRIVATE_KEY) {
-      privateKeyToUse = fs.readFileSync(
-        process.env.SBOM_SIGN_PRIVATE_KEY,
-        "utf8",
-      );
-    } else if (process.env?.SBOM_SIGN_PRIVATE_KEY_BASE64) {
+    if (sbomSignPrivateKey) {
+      recordSensitiveFileRead(sbomSignPrivateKey, {
+        label: "SBOM signing private key",
+      });
+      privateKeyToUse = fs.readFileSync(sbomSignPrivateKey, "utf8");
+    } else if (sbomSignPrivateKeyBase64) {
       privateKeyToUse = Buffer.from(
-        process.env.SBOM_SIGN_PRIVATE_KEY_BASE64,
+        sbomSignPrivateKeyBase64,
         "base64",
       ).toString("utf8");
     }
-    if (
-      process.env.SBOM_SIGN_PUBLIC_KEY &&
-      safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
-    ) {
+    if (sbomSignPublicKey && safeExistsSync(sbomSignPublicKey)) {
       jwkPublicKey = crypto
-        .createPublicKey(
-          fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8"),
-        )
+        .createPublicKey(fs.readFileSync(sbomSignPublicKey, "utf8"))
         .export({ format: "jwk" });
-    } else if (process.env?.SBOM_SIGN_PUBLIC_KEY_BASE64) {
-      jwkPublicKey = Buffer.from(
-        process.env.SBOM_SIGN_PUBLIC_KEY_BASE64,
-        "base64",
-      ).toString("utf8");
+    } else if (sbomSignPublicKeyBase64) {
+      jwkPublicKey = Buffer.from(sbomSignPublicKeyBase64, "base64").toString(
+        "utf8",
+      );
     }
   }
   try {
@@ -1167,7 +1249,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       privateKey: privateKeyToUse,
       algorithm: alg,
       publicKeyJwk: jwkPublicKey,
-      mode: process.env.SBOM_SIGN_MODE || "replace",
+      mode: readEnvironmentVariable("SBOM_SIGN_MODE") || "replace",
       signComponents: true,
       signServices: true,
       signAnnotations: true,
@@ -1345,10 +1427,16 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     cleanup = true;
   }
   setActivityContext({ sourcePath: srcDir });
-  prepareEnv(srcDir, options);
+  if (!hasHbomProjectType(options.projectType)) {
+    prepareEnv(srcDir, options);
+  }
   thoughtLog("Getting ready to generate the BOM ⚡️.");
   const originalFetchPackageMetadata = process.env.CDXGEN_FETCH_PKG_METADATA;
-  if (options.bomAudit) {
+  const shouldRunPredictiveAudit = shouldRunPredictiveBomAudit(
+    options,
+    process.argv[1],
+  );
+  if (options.bomAudit && shouldRunPredictiveAudit) {
     process.env.CDXGEN_FETCH_PKG_METADATA = "true";
   }
   let bomNSData;
@@ -1385,8 +1473,10 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     );
     const {
       auditBom,
+      formatDryRunSupportSummary,
       formatAnnotations,
       formatConsoleOutput,
+      getBomAuditDryRunSupportSummary,
       hasCriticalFindings,
     } = await import("../lib/stages/postgen/auditBom.js");
     thoughtLog("Let's run security audit...");
@@ -1396,6 +1486,15 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     } else if (DEBUG_MODE) {
       console.log("BOM audit: No findings");
     }
+    if (isDryRun) {
+      const dryRunSupportSummary =
+        await getBomAuditDryRunSupportSummary(options);
+      const dryRunSupportMessage =
+        formatDryRunSupportSummary(dryRunSupportSummary);
+      if (dryRunSupportMessage) {
+        console.log(dryRunSupportMessage);
+      }
+    }
     if (postAuditFindings.length && options.specVersion >= 1.4) {
       bomNSData.bomJson.annotations = [
         ...(bomNSData.bomJson.annotations || []),
@@ -1416,37 +1515,21 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       process.exit(1);
     }
 
-    thoughtLog("Let's run predictive dependency audit...");
-    const progressTracker = createProgressTracker();
-    const predictiveAuditScope =
-      options.bomAuditScope === "required" ? "required" : undefined;
-    const predictiveAuditTrusted = options.bomAuditOnlyTrusted
-      ? "only"
-      : options.bomAuditIncludeTrusted
-        ? "include"
-        : undefined;
-    const requiredAuditTargetCount = collectAuditTargets(
-      [
-        {
-          bomJson: bomNSData.bomJson,
-          source: filePath,
-        },
-      ],
-      {
-        scope: "required",
-        trusted: predictiveAuditTrusted,
-      },
-    ).targets.length;
-    const predictiveAuditMaxTargets =
-      typeof options.bomAuditMaxTargets === "number" &&
-      options.bomAuditMaxTargets > 0
-        ? options.bomAuditMaxTargets
-        : predictiveAuditScope === "required"
-          ? undefined
-          : Math.max(50, requiredAuditTargetCount);
-    let predictiveReport;
-    try {
-      predictiveReport = await runAuditFromBoms(
+    if (!shouldRunPredictiveAudit) {
+      thoughtLog(
+        "Skipping predictive dependency audit for this OBOM or explicit os-only invocation.",
+      );
+    } else {
+      thoughtLog("Let's run predictive dependency audit...");
+      const progressTracker = createProgressTracker();
+      const predictiveAuditScope =
+        options.bomAuditScope === "required" ? "required" : undefined;
+      const predictiveAuditTrusted = options.bomAuditOnlyTrusted
+        ? "only"
+        : options.bomAuditIncludeTrusted
+          ? "include"
+          : undefined;
+      const requiredAuditTargetCount = collectAuditTargets(
         [
           {
             bomJson: bomNSData.bomJson,
@@ -1454,66 +1537,90 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
           },
         ],
         {
-          categories: options.bomAuditCategories
-            ? options.bomAuditCategories
-                .split(",")
-                .map((category) => category.trim())
-                .filter(Boolean)
-            : undefined,
-          failSeverity: options.bomAuditFailSeverity,
-          maxTargets: predictiveAuditMaxTargets,
-          minSeverity: options.bomAuditMinSeverity,
-          onProgress: progressTracker.onProgress,
-          scope: predictiveAuditScope,
+          scope: "required",
           trusted: predictiveAuditTrusted,
-          trustedSelectionHelp:
-            "Use --bom-audit-include-trusted to include them or --bom-audit-only-trusted to audit just those packages.",
         },
-      );
-    } finally {
-      progressTracker.stop();
-    }
-    if (predictiveReport.summary.totalTargets > 0) {
-      process.stderr.write(
-        renderConsoleReport(predictiveReport, {
+      ).targets.length;
+      const predictiveAuditMaxTargets =
+        typeof options.bomAuditMaxTargets === "number" &&
+        options.bomAuditMaxTargets > 0
+          ? options.bomAuditMaxTargets
+          : predictiveAuditScope === "required"
+            ? undefined
+            : Math.max(50, requiredAuditTargetCount);
+      let predictiveReport;
+      try {
+        predictiveReport = await runAuditFromBoms(
+          [
+            {
+              bomJson: bomNSData.bomJson,
+              source: filePath,
+            },
+          ],
+          {
+            categories: options.bomAuditCategories
+              ? options.bomAuditCategories
+                  .split(",")
+                  .map((category) => category.trim())
+                  .filter(Boolean)
+              : undefined,
+            failSeverity: options.bomAuditFailSeverity,
+            maxTargets: predictiveAuditMaxTargets,
+            minSeverity: options.bomAuditMinSeverity,
+            onProgress: progressTracker.onProgress,
+            scope: predictiveAuditScope,
+            trusted: predictiveAuditTrusted,
+            trustedSelectionHelp:
+              "Use --bom-audit-include-trusted to include them or --bom-audit-only-trusted to audit just those packages.",
+          },
+        );
+      } finally {
+        progressTracker.stop();
+      }
+      if (predictiveReport.summary.totalTargets > 0) {
+        process.stderr.write(
+          renderConsoleReport(predictiveReport, {
+            minSeverity: options.bomAuditMinSeverity,
+          }),
+        );
+      } else if (DEBUG_MODE) {
+        console.log(
+          "Predictive BOM audit: No supported npm/PyPI targets found",
+        );
+      }
+      const predictiveAnnotations = formatPredictiveAnnotations(
+        predictiveReport,
+        bomNSData.bomJson,
+        {
           minSeverity: options.bomAuditMinSeverity,
-        }),
+        },
       );
-    } else if (DEBUG_MODE) {
-      console.log("Predictive BOM audit: No supported npm/PyPI targets found");
-    }
-    const predictiveAnnotations = formatPredictiveAnnotations(
-      predictiveReport,
-      bomNSData.bomJson,
-      {
+      if (predictiveAnnotations.length && options.specVersion >= 1.4) {
+        bomNSData.bomJson.annotations = [
+          ...(bomNSData.bomJson.annotations || []),
+          ...predictiveAnnotations,
+        ];
+        thoughtLog(
+          `Embedded ${predictiveAnnotations.length} predictive audit annotations`,
+        );
+      }
+      const predictiveResult = finalizeAuditReport(predictiveReport, {
+        failSeverity: options.bomAuditFailSeverity,
         minSeverity: options.bomAuditMinSeverity,
-      },
-    );
-    if (predictiveAnnotations.length && options.specVersion >= 1.4) {
-      bomNSData.bomJson.annotations = [
-        ...(bomNSData.bomJson.annotations || []),
-        ...predictiveAnnotations,
-      ];
-      thoughtLog(
-        `Embedded ${predictiveAnnotations.length} predictive audit annotations`,
-      );
-    }
-    const predictiveResult = finalizeAuditReport(predictiveReport, {
-      failSeverity: options.bomAuditFailSeverity,
-      minSeverity: options.bomAuditMinSeverity,
-      report: "console",
-    });
-    if (isSecureMode && predictiveResult.exitCode === 3) {
-      console.error(
-        "\nSecure mode: Predictive audit findings exceeded the configured threshold.",
-      );
-      console.error(
-        "Review findings above or adjust --bom-audit-fail-severity to proceed.",
-      );
-      if (cleanup) {
-        cleanupSourceDir(srcDir);
+        report: "console",
+      });
+      if (isSecureMode && predictiveResult.exitCode === 3) {
+        console.error(
+          "\nSecure mode: Predictive audit findings exceeded the configured threshold.",
+        );
+        console.error(
+          "Review findings above or adjust --bom-audit-fail-severity to proceed.",
+        );
+        if (cleanup) {
+          cleanupSourceDir(srcDir);
+        }
+        process.exit(1);
       }
-      process.exit(1);
     }
   }
   let internalCycloneDxInputPath = outputPlan.outputs.cyclonedx;
@@ -1609,7 +1716,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   if (
     outputPlan.formats.has("spdx") &&
     bomNSData?.bomJson &&
-    bomNSData?.bomJson?.bomFormat === "CycloneDX"
+    isCycloneDxBom(bomNSData.bomJson)
   ) {
     thoughtLog(
       "Preparing the SPDX 3.0.1 export from the validated CycloneDX BOM.",
@@ -1684,6 +1791,27 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   // Automatically submit the bom data
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
+    if (isSecureMode) {
+      let serverHostname;
+      try {
+        serverHostname = new URL(options.serverUrl).hostname;
+      } catch (err) {
+        console.log("Invalid Dependency-Track server URL", err);
+        process.exit(1);
+      }
+      if (!isAllowedHttpHost(serverHostname)) {
+        recordActivity({
+          kind: "submit",
+          reason: "The URL host is not allowed as per the allowlist.",
+          status: "blocked",
+          target: options.serverUrl,
+        });
+        console.log(
+          `Dependency-Track server host '${serverHostname}' is not allowed by CDXGEN_ALLOWED_HOSTS.`,
+        );
+        process.exit(1);
+      }
+    }
     if (isDryRun) {
       recordActivity({
         kind: "submit",
@@ -1718,7 +1846,22 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         target: options.protoBinFile,
       });
     } else {
-      const protobomModule = await import("../lib/helpers/protobom.js");
+      const protobomModule = await importProtobomModule(
+        invokedCommandName || "cdxgen",
+        "protobuf export",
+      );
+      try {
+        protobomModule.assertProtoSupportedSpecVersion(
+          bomNSData?.bomJson?.specVersion || options.specVersion,
+          "protobuf export",
+        );
+      } catch (error) {
+        console.error(error.message);
+        if (cleanup) {
+          cleanupSourceDir(srcDir);
+        }
+        process.exit(1);
+      }
       protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
       thoughtLog("BOM file is also available in .proto format!");
     }