npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/stages/postgen/auditBom.js CHANGED Viewed

@@ -10,6 +10,7 @@ import {
   expandBomAuditCategories,
   validateBomAuditCategories,
 } from "../../helpers/auditCategories.js";
+import { isHbomLikeBom as isHbomLikeBomDocument } from "../../helpers/hbomAnalysis.js";
 import { table } from "../../helpers/table.js";
 import {
   DEBUG_MODE,
@@ -21,17 +22,7 @@ import { evaluateRules, loadRules } from "./ruleEngine.js";
 const __dirname = fileURLToPath(new URL(".", import.meta.url));
 const BUILTIN_RULES_DIR = join(__dirname, "..", "..", "..", "data", "rules");
-/**
- * Audit BOM formulation section using JSONata-powered rule engine
- * @param {Object} bomJson - Generated CycloneDX BOM
- * @param {Object} options - CLI options
- * @returns {Promise<Array>} Array of audit findings
- */
-export async function auditBom(bomJson, options) {
-  if (!bomJson) {
-    return [];
-  }
-  const findings = [];
+async function loadConfiguredBomAuditRules(options = {}) {
   const rules = await loadRules(BUILTIN_RULES_DIR);
   if (options.bomAuditRulesDir && safeExistsSync(options.bomAuditRulesDir)) {
     const userRulesDir = resolve(options.bomAuditRulesDir);
@@ -41,11 +32,11 @@ export async function auditBom(bomJson, options) {
     }
     rules.push(...userRules);
   }
-  if (rules.length === 0) {
-    if (DEBUG_MODE) {
-      console.log("No audit rules loaded; formulation audit skipped");
-    }
-    return findings;
+  if (!rules.length) {
+    return {
+      activeRules: [],
+      rules,
+    };
   }
   let activeRules = rules;
   if (options.bomAuditCategories) {
@@ -64,6 +55,107 @@ export async function auditBom(bomJson, options) {
       }
     }
   }
+  return {
+    activeRules,
+    rules,
+  };
+}
+/**
+ * Detect whether a BOM looks like an HBOM inventory.
+ *
+ * @param {object} bomJson CycloneDX BOM
+ * @returns {boolean} True when the BOM appears to represent hardware inventory
+ */
+export function isHbomLikeBom(bomJson) {
+  return isHbomLikeBomDocument(bomJson);
+}
+/**
+ * Detect whether a BOM looks like an OBOM/runtime inventory.
+ *
+ * @param {object} bomJson CycloneDX BOM
+ * @returns {boolean} True when the BOM appears to represent operations/runtime data
+ */
+export function isObomLikeBom(bomJson) {
+  if (!bomJson) {
+    return false;
+  }
+  if (isHbomLikeBom(bomJson)) {
+    return false;
+  }
+  if (
+    bomJson?.metadata?.component?.type === "operating-system" ||
+    bomJson?.metadata?.component?.type === "device"
+  ) {
+    return true;
+  }
+  if (
+    Array.isArray(bomJson?.metadata?.lifecycles) &&
+    bomJson.metadata.lifecycles.some(
+      (lifecycle) => lifecycle?.phase === "operations",
+    )
+  ) {
+    return true;
+  }
+  return (bomJson?.components || []).some((component) =>
+    (component?.properties || []).some(
+      (property) => property?.name === "cdx:osquery:category",
+    ),
+  );
+}
+function summarizeDryRunSupport(activeRules = []) {
+  const summary = {
+    fullCount: 0,
+    noCount: 0,
+    partialCount: 0,
+    totalRules: activeRules.length,
+  };
+  for (const rule of activeRules) {
+    if (rule?.dryRunSupport === "no") {
+      summary.noCount += 1;
+      continue;
+    }
+    if (rule?.dryRunSupport === "full") {
+      summary.fullCount += 1;
+      continue;
+    }
+    summary.partialCount += 1;
+  }
+  return summary;
+}
+export async function getBomAuditDryRunSupportSummary(options = {}) {
+  const { activeRules } = await loadConfiguredBomAuditRules(options);
+  return summarizeDryRunSupport(activeRules);
+}
+export function formatDryRunSupportSummary(summary) {
+  if (!summary) {
+    return "";
+  }
+  return `BOM audit dry-run summary: ${summary.noCount} rule(s) do not support dry-run, ${summary.partialCount} rule(s) have partial dry-run support, ${summary.totalRules} active rule(s) total.`;
+}
+/**
+ * Audit BOM formulation section using JSONata-powered rule engine
+ * @param {Object} bomJson - Generated CycloneDX BOM
+ * @param {Object} options - CLI options
+ * @returns {Promise<Array>} Array of audit findings
+ */
+export async function auditBom(bomJson, options) {
+  if (!bomJson) {
+    return [];
+  }
+  const findings = [];
+  const { activeRules, rules } = await loadConfiguredBomAuditRules(options);
+  if (rules.length === 0) {
+    if (DEBUG_MODE) {
+      console.log("No audit rules loaded; formulation audit skipped");
+    }
+    return findings;
+  }
   const allFindings = await evaluateRules(activeRules, bomJson);
   if (options.bomAuditMinSeverity) {
     const minSeverity = options.bomAuditMinSeverity.toLowerCase();
@@ -87,7 +179,7 @@ export async function auditBom(bomJson, options) {
 /**
  * Format findings for console output with color-coded severity
  */
-export function formatConsoleOutput(findings) {
+export function renderBomAuditConsoleReport(findings) {
   if (!findings?.length) {
     return "";
   }
@@ -119,7 +211,18 @@ export function formatConsoleOutput(findings) {
     line.push(f.location?.file || "");
     data.push(line);
   }
-  console.log(table(data, config));
+  return table(data, config);
+}
+/**
+ * Format findings for console output with color-coded severity
+ */
+export function formatConsoleOutput(findings) {
+  const output = renderBomAuditConsoleReport(findings);
+  if (output) {
+    console.log(output);
+  }
+  return output;
 }
 /**