npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/helpers/protobom.poku.js CHANGED Viewed

@@ -3,27 +3,51 @@ import { join } from "node:path";
 import { assert, it } from "poku";
-import { readBinary, writeBinary } from "./protobom.js";
+import {
+  assertProtoSupportedSpecVersion,
+  isProtoBomFile,
+  readBinary,
+  writeBinary,
+} from "./protobom.js";
 import { getTmpDir } from "./utils.js";
-const tempDir = mkdtempSync(join(getTmpDir(), "bin-tests-"));
 const testBom = JSON.parse(
   readFileSync("./test/data/bom-java.json", { encoding: "utf-8" }),
 );
+const cbomFixture = JSON.parse(
+  readFileSync("./test/data/bom-cbom-js-fixture.json", { encoding: "utf-8" }),
+);
+const createTempDir = () => mkdtempSync(join(getTmpDir(), "bin-tests-"));
+const cleanupTempDir = (tempDir) => {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+};
 it("proto binary tests", () => {
+  const tempDir = createTempDir();
   const binFile = join(tempDir, "test.cdx.bin");
   writeBinary({}, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
   writeBinary(testBom, binFile);
   assert.deepStrictEqual(existsSync(binFile), true);
+  assert.equal(isProtoBomFile(binFile), true);
+  assert.equal(isProtoBomFile("test.proto"), true);
+  assert.equal(isProtoBomFile("bom.json"), false);
   let bomObject = readBinary(binFile);
   assert.ok(bomObject);
   assert.deepStrictEqual(
     bomObject.serialNumber,
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
+  assert.deepStrictEqual(bomObject.bomFormat, "CycloneDX");
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
+  assert.equal(
+    bomObject.metadata.component.type.startsWith("CLASSIFICATION_"),
+    false,
+  );
   bomObject = readBinary(binFile, false, 1.5);
   assert.ok(bomObject);
   assert.deepStrictEqual(
@@ -31,7 +55,161 @@ it("proto binary tests", () => {
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
   assert.deepStrictEqual(bomObject.specVersion, "1.5");
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
-  }
+  const modernBinFile = join(tempDir, "test-1.7.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      metadata: {
+        component: {
+          name: "cdxgen",
+          type: "application",
+        },
+      },
+      serialNumber: "urn:uuid:11111111-1111-1111-1111-111111111111",
+      specVersion: "1.7",
+      version: 1,
+    },
+    modernBinFile,
+  );
+  const modernBomObject = readBinary(modernBinFile);
+  assert.ok(modernBomObject);
+  assert.deepStrictEqual(modernBomObject.bomFormat, "CycloneDX");
+  assert.deepStrictEqual(modernBomObject.specVersion, "1.7");
+  assert.deepStrictEqual(
+    modernBomObject.metadata.component.type,
+    "application",
+  );
+  assert.deepStrictEqual(modernBomObject.metadata.component.name, "cdxgen");
+  cleanupTempDir(tempDir);
+});
+it("keeps canonical definitions and declarations as objects during proto round-trip", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "standard-sections.cdx");
+  writeBinary(
+    {
+      bomFormat: "CycloneDX",
+      declarations: {
+        affirmation: {
+          statement: "verified",
+        },
+        claims: [
+          {
+            predicate: "meets-control",
+            target: "pkg:npm/demo-app@1.0.0",
+          },
+        ],
+      },
+      definitions: {
+        standards: [
+          {
+            name: "ASVS",
+            requirements: [
+              {
+                identifier: "V1.1",
+                title: "Authenticate requests",
+              },
+            ],
+            version: "5.0",
+          },
+        ],
+      },
+      metadata: {
+        component: {
+          name: "demo-app",
+          type: "application",
+          version: "1.0.0",
+        },
+      },
+      serialNumber: "urn:uuid:22222222-2222-2222-2222-222222222222",
+      specVersion: "1.7",
+      version: 1,
+    },
+    binFile,
+  );
+  const bomObject = readBinary(binFile);
+  assert.ok(bomObject);
+  assert.equal(Array.isArray(bomObject.definitions), false);
+  assert.equal(Array.isArray(bomObject.declarations), false);
+  assert.equal(bomObject.definitions.standards[0].name, "ASVS");
+  assert.equal(
+    bomObject.definitions.standards[0].requirements[0].identifier,
+    "V1.1",
+  );
+  assert.equal(bomObject.declarations.claims[0].predicate, "meets-control");
+  assert.equal(bomObject.declarations.affirmation.statement, "verified");
+  cleanupTempDir(tempDir);
+});
+it("rejects unsupported CycloneDX 2.0 protobuf operations with a clear error", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "unsupported-2.0.cdx");
+  assert.throws(
+    () =>
+      writeBinary(
+        {
+          specFormat: "CycloneDX",
+          specVersion: "2.0",
+          version: 1,
+        },
+        binFile,
+      ),
+    /CycloneDX 2\.0 is not currently supported for protobuf serialization/,
+  );
+  assert.throws(
+    () => assertProtoSupportedSpecVersion("2.0", "protobuf export"),
+    /@appthreat\/cdx-proto supports 1\.5, 1\.6, 1\.7 only/,
+  );
+  assert.throws(
+    () =>
+      writeBinary(
+        {
+          bomFormat: "CycloneDX",
+          specVersion: "2.0.1",
+          version: 1,
+        },
+        binFile,
+      ),
+    /CycloneDX 2\.0\.1 is not currently supported for protobuf serialization/,
+  );
+  assert.throws(
+    () => assertProtoSupportedSpecVersion("2.0.1", "protobuf export"),
+    /CycloneDX 2\.0\.1 is not currently supported for protobuf export/,
+  );
+  cleanupTempDir(tempDir);
+});
+it("round-trips real CBOM fixture data with cryptographic assets intact", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "cbom-fixture.cdx");
+  writeBinary(cbomFixture, binFile);
+  const bomObject = readBinary(binFile);
+  const cryptoComponents = (bomObject.components || []).filter(
+    (component) => component.type === "cryptographic-asset",
+  );
+  assert.ok(bomObject);
+  assert.equal(bomObject.specVersion, "1.7");
+  assert.ok(cryptoComponents.length >= 3);
+  assert.equal(
+    cryptoComponents.some(
+      (component) => component.cryptoProperties?.assetType === "algorithm",
+    ),
+    true,
+  );
+  assert.equal(
+    cryptoComponents.some((component) => component.purl !== undefined),
+    false,
+  );
+  assert.equal(
+    cryptoComponents.some(
+      (component) =>
+        component.name === "sha-512" &&
+        component.cryptoProperties?.oid === "2.16.840.1.101.3.4.2.3",
+    ),
+    true,
+  );
+  cleanupTempDir(tempDir);
 });

package/lib/helpers/protobomLoader.js ADDED Viewed

@@ -0,0 +1,43 @@
+const PROTO_BOM_FILE_EXTENSIONS = [".cdx", ".cdx.bin", ".proto"];
+/**
+ * Determine whether a path looks like a CycloneDX protobuf BOM file.
+ *
+ * @param {string} filePath File path
+ * @returns {boolean} true when the path uses a protobuf BOM extension
+ */
+export function isProtoBomPath(filePath) {
+  const normalizedPath = `${filePath || ""}`.toLowerCase();
+  return PROTO_BOM_FILE_EXTENSIONS.some((extension) =>
+    normalizedPath.endsWith(extension),
+  );
+}
+/**
+ * Import protobuf BOM helpers and replace optional-dependency loader failures
+ * with actionable command-specific messages.
+ *
+ * @param {string} [commandName="cdxgen"] CLI command name
+ * @param {string} [featureDescription="protobuf support"] Feature being used
+ * @returns {Promise<object>} Loaded protobom module namespace
+ */
+export async function importProtobomModule(
+  commandName = "cdxgen",
+  featureDescription = "protobuf support",
+) {
+  try {
+    return await import("./protobom.js");
+  } catch (error) {
+    const message = `${error?.message || ""}`;
+    if (
+      error?.code === "ERR_MODULE_NOT_FOUND" ||
+      message.includes("@appthreat/cdx-proto") ||
+      message.includes("@bufbuild/protobuf")
+    ) {
+      throw new Error(
+        `${commandName} ${featureDescription} requires the optional '@appthreat/cdx-proto' and '@bufbuild/protobuf' dependencies. Install optional dependencies or use a binary that bundles protobuf support.`,
+      );
+    }
+    throw error;
+  }
+}

package/lib/helpers/protobomLoader.poku.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { assert, describe, it } from "poku";
+import { importProtobomModule, isProtoBomPath } from "./protobomLoader.js";
+describe("protobomLoader", () => {
+  it("detects protobuf BOM file extensions", () => {
+    assert.strictEqual(isProtoBomPath("bom.cdx"), true);
+    assert.strictEqual(isProtoBomPath("bom.CDX.BIN"), true);
+    assert.strictEqual(isProtoBomPath("bom.proto"), true);
+    assert.strictEqual(isProtoBomPath("bom.json"), false);
+    assert.strictEqual(isProtoBomPath(""), false);
+  });
+  it("imports the protobuf BOM helper when optional support is installed", async () => {
+    let protobomModule;
+    try {
+      protobomModule = await importProtobomModule(
+        "cdx-test",
+        "protobuf BOM input",
+      );
+    } catch (error) {
+      assert.match(
+        error.message,
+        /requires the optional '@appthreat\/cdx-proto' and '@bufbuild\/protobuf' dependencies/u,
+      );
+      return;
+    }
+    assert.strictEqual(typeof protobomModule.readBinary, "function");
+    assert.strictEqual(typeof protobomModule.writeBinary, "function");
+  });
+});

package/lib/helpers/remote/dependency-track.js CHANGED Viewed

@@ -1,13 +1,46 @@
 import { Buffer } from "node:buffer";
+import { hasDangerousUnicode } from "../utils.js";
+/**
+ * Returns the Dependency-Track BOM API URL as a sanitized URL object.
+ *
+ * @param {string} serverUrl Dependency-Track server URL
+ * @returns {URL | undefined} API URL to submit BOM payload
+ */
+export function getDependencyTrackBomApiUrl(serverUrl) {
+  const rawServerUrl = `${serverUrl || ""}`.trim();
+  if (!rawServerUrl || hasDangerousUnicode(rawServerUrl)) {
+    return undefined;
+  }
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(rawServerUrl);
+  } catch {
+    return undefined;
+  }
+  if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+    return undefined;
+  }
+  if (!parsedUrl.hostname || hasDangerousUnicode(parsedUrl.hostname)) {
+    return undefined;
+  }
+  parsedUrl.username = "";
+  parsedUrl.password = "";
+  parsedUrl.search = "";
+  parsedUrl.hash = "";
+  parsedUrl.pathname = `${parsedUrl.pathname.replace(/\/+$/, "")}/api/v1/bom`;
+  return parsedUrl;
+}
 /**
- * Returns the Dependency-Track BOM API URL.
+ * Returns the Dependency-Track BOM API URL string.
  *
  * @param {string} serverUrl Dependency-Track server URL
- * @returns {string} API URL to submit BOM payload
+ * @returns {string | undefined} API URL to submit BOM payload
  */
 export function getDependencyTrackBomUrl(serverUrl) {
-  return `${serverUrl.replace(/\/$/, "")}/api/v1/bom`;
+  return getDependencyTrackBomApiUrl(serverUrl)?.toString();
 }
 /**

package/lib/helpers/remote/dependency-track.poku.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { assert, describe, it } from "poku";
 import {
   buildDependencyTrackBomPayload,
+  getDependencyTrackBomApiUrl,
   getDependencyTrackBomUrl,
 } from "./dependency-track.js";
@@ -17,6 +18,49 @@ describe("Dependency-Track helper tests", () => {
     );
   });
+  it("removes credentials, query strings, and fragments from the submission URL", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl(
+        "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+      ),
+      "https://dtrack.example.com/base/api/v1/bom",
+    );
+  });
+  it("returns a sanitized URL object for Dependency-Track requests", () => {
+    const apiUrl = getDependencyTrackBomApiUrl(
+      "https://user:pass@dtrack.example.com/base/?token=secret#frag",
+    );
+    assert.ok(apiUrl instanceof URL);
+    assert.strictEqual(apiUrl?.hostname, "dtrack.example.com");
+    assert.strictEqual(apiUrl?.pathname, "/base/api/v1/bom");
+    assert.strictEqual(apiUrl?.username, "");
+    assert.strictEqual(apiUrl?.password, "");
+    assert.strictEqual(apiUrl?.search, "");
+    assert.strictEqual(apiUrl?.hash, "");
+  });
+  it("rejects malformed or unsupported submission URLs", () => {
+    assert.strictEqual(
+      getDependencyTrackBomUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("file:///tmp/dtrack"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(
+      getDependencyTrackBomApiUrl("javascript:alert(1)"),
+      undefined,
+    );
+    assert.strictEqual(getDependencyTrackBomUrl("not a url"), undefined);
+    assert.strictEqual(getDependencyTrackBomApiUrl("not a url"), undefined);
+  });
   it("builds payload with parentUUID and tags", () => {
     const payload = buildDependencyTrackBomPayload(
       {

package/lib/helpers/source.js CHANGED Viewed

@@ -77,6 +77,21 @@ function isSafeGitRefName(refName) {
   return /^[A-Za-z0-9._/@+-]+$/.test(refName);
 }
+function inferGitOperation(args = []) {
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "-c" || arg === "--config-env") {
+      index += 1;
+      continue;
+    }
+    if (typeof arg === "string" && arg.startsWith("-")) {
+      continue;
+    }
+    return arg || "command";
+  }
+  return "command";
+}
 /**
  * Execute git with hardened defaults.
  *
@@ -86,6 +101,7 @@ function isSafeGitRefName(refName) {
  * @returns {Object} spawn result
  */
 export function hardenedGitCommand(args, options = {}) {
+  const gitOperation = inferGitOperation(args);
   const gitAllowProtocol = getGitAllowProtocol();
   const envConfigs = {
     GIT_CONFIG_COUNT: "2",
@@ -109,6 +125,14 @@ export function hardenedGitCommand(args, options = {}) {
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       };
   return safeSpawnSync("git", args, {
+    cdxgenActivity: {
+      blockedReason: `Dry run mode blocks git ${gitOperation} operations.`,
+      gitOperation,
+      kind: `git-${gitOperation}`,
+      metadata: {
+        capability: "git-operation",
+      },
+    },
     shell: false,
     cwd: options.cwd,
     env,

package/lib/helpers/source.poku.js CHANGED Viewed

@@ -45,6 +45,38 @@ describe("source helper purl resolution", () => {
     assert.strictEqual(recordActivity.firstCall.args[0].status, "blocked");
   });
+  it("hardenedGitCommand() tags git operations with the specific subcommand", async () => {
+    const safeSpawnSync = sinon
+      .stub()
+      .returns({ status: 0, stdout: "", stderr: "" });
+    const { hardenedGitCommand } = await esmock("./source.js", {
+      "./utils.js": {
+        cdxgenAgent: { get: sinon.stub() },
+        DEBUG_MODE: false,
+        fetchPomXmlAsJson: sinon.stub(),
+        getTmpDir: sinon.stub().returns(os.tmpdir()),
+        hasDangerousUnicode: sinon.stub().returns(false),
+        isDryRun: false,
+        isSecureMode: false,
+        isValidDriveRoot: sinon.stub().returns(true),
+        isWin: false,
+        safeMkdtempSync: sinon.stub(),
+        safeRmSync: sinon.stub(),
+        safeSpawnSync,
+      },
+    });
+    hardenedGitCommand(["fetch", "--tags"], { cwd: "/tmp/repo" });
+    sinon.assert.calledWithMatch(safeSpawnSync, "git", ["fetch", "--tags"], {
+      cdxgenActivity: sinon.match({
+        gitOperation: "fetch",
+        kind: "git-fetch",
+      }),
+      cwd: "/tmp/repo",
+    });
+  });
   it("resolves npm purl to repository URL", async () => {
     const getStub = sinon.stub().resolves({
       body: {