@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/lib/stages/postgen/hostTopologyAudit.poku.js

@@ -0,0 +1,186 @@
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { assert, describe, it } from "poku";
+
+import { evaluateRule, loadRules } from "./ruleEngine.js";
+
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const RULES_DIR = join(__dirname, "..", "..", "..", "data", "rules");
+
+function makeProperty(name, value) {
+  return { name, value };
+}
+
+function makeHostBom(
+  components = [],
+  metadataProperties = [],
+  bomProperties = [],
+) {
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.7",
+    serialNumber: "urn:uuid:test-host-view",
+    metadata: {
+      tools: {
+        components: [
+          {
+            type: "application",
+            name: "cdxgen",
+            version: "12.4.0",
+            "bom-ref": "pkg:npm/%40cyclonedx/cdxgen@12.4.0",
+          },
+        ],
+      },
+      component: {
+        name: "test-host",
+        type: "device",
+        "bom-ref": "urn:uuid:test-host",
+        properties: metadataProperties.map(([k, v]) => makeProperty(k, v)),
+      },
+    },
+    components,
+    properties: bomProperties.map(([k, v]) => makeProperty(k, v)),
+  };
+}
+
+function makeHbomComponent(name, hardwareClass, properties = []) {
+  return {
+    type: "device",
+    name,
+    "bom-ref": `urn:uuid:${hardwareClass}:${name}`,
+    properties: [
+      makeProperty("cdx:hbom:hardwareClass", hardwareClass),
+      ...properties.map(([k, v]) => makeProperty(k, v)),
+    ],
+  };
+}
+
+function makeOsqueryComponent(name, queryCategory, properties = []) {
+  return {
+    type: "data",
+    name,
+    "bom-ref": `osquery:${queryCategory}:${name}`,
+    properties: [
+      makeProperty("cdx:osquery:category", queryCategory),
+      ...properties.map(([k, v]) => makeProperty(k, v)),
+    ],
+  };
+}
+
+describe("host-topology audit rules", () => {
+  it("detects weak wireless security when live runtime addresses confirm the link is active (HMX-002)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-002");
+    assert.ok(rule, "HMX-002 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeHbomComponent("wlp2s0", "wireless-adapter", [
+          ["cdx:hbom:securityMode", "open"],
+          ["cdx:hostview:interface_addresses:count", "1"],
+          ["cdx:hostview:linkedRuntimeCategory", "interface_addresses"],
+        ]),
+        makeOsqueryComponent("192.168.1.55", "interface_addresses", [
+          ["interface", "wlp2s0"],
+          ["address", "192.168.1.55"],
+        ]),
+      ],
+      [["cdx:hbom:platform", "linux"]],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:topologyLinkCount", "1"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-002");
+  });
+
+  it("detects merged host inventories that still have zero strict topology links (HMX-003)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-003");
+    assert.ok(rule, "HMX-003 should be present");
+
+    const bom = makeHostBom(
+      [makeHbomComponent("enp1s0", "network-interface")],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:hardwareComponentCount", "1"],
+        ["cdx:hostview:runtimeComponentCount", "2"],
+        ["cdx:hostview:topologyLinkCount", "0"],
+      ],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:hardwareComponentCount", "1"],
+        ["cdx:hostview:runtimeComponentCount", "2"],
+        ["cdx:hostview:topologyLinkCount", "0"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-003");
+  });
+
+  it("detects degraded storage when explicit runtime mount evidence shows the device is in use (HMX-004)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-004");
+    assert.ok(rule, "HMX-004 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeHbomComponent("nvme0", "storage", [
+          ["cdx:hbom:smartStatus", "Failing"],
+          ["cdx:hbom:wearPercentageUsed", "92"],
+          ["cdx:hostview:mount_hardening:count", "1"],
+          ["cdx:hostview:runtime-storage:count", "1"],
+        ]),
+        makeOsqueryComponent("/home", "mount_hardening", [
+          ["device", "/dev/nvme0n1"],
+          ["path", "/home"],
+        ]),
+      ],
+      [["cdx:hbom:platform", "linux"]],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:topologyLinkCount", "2"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-004");
+  });
+
+  it("detects revoked secure boot trust anchors only after an explicit HBOM trust link exists (HMX-005)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((candidate) => candidate.id === "HMX-005");
+    assert.ok(rule, "HMX-005 should be present");
+
+    const bom = makeHostBom(
+      [
+        makeOsqueryComponent("dbx-entry", "secureboot_certificates", [
+          ["revoked", "1"],
+          ["sha1", "db-cert-1"],
+          ["subject", "CN=Legacy Bootloader"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hostview:secureboot_certificates:count", "1"],
+      ],
+      [
+        ["cdx:hostview:mode", "hbom-obom-merged"],
+        ["cdx:hostview:secureboot_certificates:count", "1"],
+        ["cdx:hostview:topologyLinkCount", "1"],
+      ],
+    );
+
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].ruleId, "HMX-005");
+  });
+});

package/lib/stages/postgen/postgen.js

@@ -9,8 +9,15 @@ import {
   matchesAiInventoryExcludeType,
   optionIncludesAiInventoryProjectType,
 } from "../../helpers/aiInventory.js";
+import {
+  isCycloneDx20SpecVersion,
+  normalizeCycloneDxSpecVersion,
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
+} from "../../helpers/bomUtils.js";
 import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
+import { getContainerFileInventoryStats } from "../../helpers/inventoryStats.js";
 import { thoughtLog } from "../../helpers/logger.js";
 import { buildReleaseNotesFromGit } from "../../helpers/source.js";
 import {
@@ -78,6 +85,8 @@ function applyFormulation(bomJson, options, filePath, formulationList) {
   }
   const context = formulationList?.length ? { formulationList } : {};
   setActivityContext({
+    bomMutation: "formulation",
+    capability: "bom-mutation",
     projectType: "Formulation",
     sourcePath: filePath || options.filePath || process.cwd(),
   });
@@ -141,10 +150,24 @@ const SIGNED_URL_PARAM_NAMES = new Set([
   "x-amz-signature",
   "x-goog-signature",
 ]);
-
-function normalizeSpecVersion(specVersion) {
-  return Number.parseFloat(String(specVersion || 0));
-}
+const COMPONENT_1_6_ONLY_FIELDS = new Set([
+  "authors",
+  "manufacturer",
+  "omniborId",
+  "swhid",
+  "tags",
+]);
+const COMPONENT_1_7_ONLY_FIELDS = new Set([
+  "isExternal",
+  "patentAssertions",
+  "versionRange",
+]);
+const SERVICE_1_6_ONLY_FIELDS = new Set(["tags"]);
+const SERVICE_1_7_ONLY_FIELDS = new Set(["patentAssertions"]);
+const METADATA_1_6_ONLY_FIELDS = new Set(["manufacturer"]);
+const METADATA_1_7_ONLY_FIELDS = new Set(["distributionConstraints"]);
+const METADATA_2_0_REMOVED_FIELDS = new Set(["manufacture"]);
+const COMPONENT_2_0_REMOVED_FIELDS = new Set(["author", "modified"]);
 
 function normalizeTlpClassification(tlpClassification) {
   return String(tlpClassification || "")
@@ -255,9 +278,10 @@ function collectSensitivePropertyViolations(
 }
 
 function validateTlpClassification(bomJson, options) {
-  const specVersion = normalizeSpecVersion(
-    bomJson?.specVersion || options?.specVersion,
-  );
+  const specVersion =
+    normalizeCycloneDxSpecVersion(
+      bomJson?.specVersion || options?.specVersion,
+    ) || 0;
   if (specVersion < 1.7) {
     return bomJson;
   }
@@ -292,11 +316,373 @@ function validateTlpClassification(bomJson, options) {
   return bomJson;
 }
 
+function applyContainerInventoryMetadata(bomJson) {
+  if (!bomJson?.metadata) {
+    return bomJson;
+  }
+  const { unpackagedExecutableCount, unpackagedSharedLibraryCount } =
+    getContainerFileInventoryStats(bomJson.components);
+  const metadataProperties = Array.isArray(bomJson.metadata.properties)
+    ? [...bomJson.metadata.properties]
+    : [];
+  const propertyNamesToReplace = new Set([
+    "cdx:container:unpackagedExecutableCount",
+    "cdx:container:unpackagedSharedLibraryCount",
+  ]);
+  const retainedProperties = metadataProperties.filter(
+    (property) => !propertyNamesToReplace.has(property?.name),
+  );
+  if (
+    unpackagedExecutableCount ||
+    metadataProperties.some(
+      (property) =>
+        property?.name === "cdx:container:unpackagedExecutableCount",
+    )
+  ) {
+    retainedProperties.push({
+      name: "cdx:container:unpackagedExecutableCount",
+      value: String(unpackagedExecutableCount),
+    });
+  }
+  if (
+    unpackagedSharedLibraryCount ||
+    metadataProperties.some(
+      (property) =>
+        property?.name === "cdx:container:unpackagedSharedLibraryCount",
+    )
+  ) {
+    retainedProperties.push({
+      name: "cdx:container:unpackagedSharedLibraryCount",
+      value: String(unpackagedSharedLibraryCount),
+    });
+  }
+  if (retainedProperties.length) {
+    bomJson.metadata.properties = retainedProperties;
+  }
+  return bomJson;
+}
+
+function deleteFields(subject, fields) {
+  if (!subject || typeof subject !== "object") {
+    return;
+  }
+  for (const fieldName of fields) {
+    delete subject[fieldName];
+  }
+}
+
+function isObjectRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+
+function normalizeComponentForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, COMPONENT_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, COMPONENT_1_7_ONLY_FIELDS);
+  }
+}
+
+function normalizeServiceForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, SERVICE_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, SERVICE_1_7_ONLY_FIELDS);
+  }
+}
+
+function normalizeMetadataForSpecVersion(subject, specVersion) {
+  if (specVersion < 1.6) {
+    deleteFields(subject, METADATA_1_6_ONLY_FIELDS);
+  }
+  if (specVersion < 1.7) {
+    deleteFields(subject, METADATA_1_7_ONLY_FIELDS);
+  }
+}
+
+function authorStringToAuthors(authorValue) {
+  if (typeof authorValue !== "string") {
+    return undefined;
+  }
+  const authors = authorValue
+    .split(",")
+    .map((author) => author.trim())
+    .filter(Boolean)
+    .map((name) => ({ name }));
+  return authors.length ? authors : undefined;
+}
+
+function normalizeLegacyToolComponent(tool) {
+  if (!isObjectRecord(tool)) {
+    return tool;
+  }
+  if (!tool.type) {
+    tool.type = "application";
+  }
+  if (tool.vendor && !tool.publisher) {
+    tool.publisher = tool.vendor;
+  }
+  delete tool.vendor;
+  if (!tool.authors && tool.author) {
+    tool.authors = authorStringToAuthors(tool.author);
+  }
+  deleteFields(tool, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(tool.components);
+  return tool;
+}
+
+function hasExplicitSpecVersion(specVersion) {
+  return (
+    specVersion !== undefined &&
+    specVersion !== null &&
+    `${specVersion}`.trim() !== ""
+  );
+}
+
+function resolveSpecVersionForCompatibility(bomJson, options) {
+  if (hasExplicitSpecVersion(options?.specVersion)) {
+    return options.specVersion;
+  }
+  if (hasExplicitSpecVersion(bomJson?.specVersion)) {
+    return bomJson.specVersion;
+  }
+  return "1.7";
+}
+
+function normalizeLegacyToolService(service) {
+  if (!isObjectRecord(service)) {
+    return service;
+  }
+  if (service.vendor && !service.provider) {
+    service.provider =
+      typeof service.vendor === "string"
+        ? { name: service.vendor }
+        : service.vendor;
+  }
+  delete service.vendor;
+  deleteFields(service, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeServicesForSpecVersion(service.services);
+  return service;
+}
+
+function normalizeComponentsForSpecVersion(components) {
+  if (!Array.isArray(components)) {
+    return;
+  }
+  for (const component of components) {
+    normalizeComponentForSpecVersion20(component);
+  }
+}
+
+function normalizeComponentForSpecVersion20(component) {
+  if (!isObjectRecord(component)) {
+    return;
+  }
+  if (!component.authors && component.author) {
+    component.authors = authorStringToAuthors(component.author);
+  }
+  deleteFields(component, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(component.components);
+}
+
+function normalizeServicesForSpecVersion(services) {
+  if (!Array.isArray(services)) {
+    return;
+  }
+  for (const service of services) {
+    normalizeLegacyToolService(service);
+  }
+}
+
+function normalizeFormulationForSpecVersion(formulation) {
+  if (!Array.isArray(formulation)) {
+    return;
+  }
+  for (const formula of formulation) {
+    if (!isObjectRecord(formula)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(formula.components);
+    normalizeServicesForSpecVersion(formula.services);
+  }
+}
+
+function normalizeVulnerabilitiesForSpecVersion(vulnerabilities) {
+  if (!Array.isArray(vulnerabilities)) {
+    return;
+  }
+  for (const vulnerability of vulnerabilities) {
+    if (!isObjectRecord(vulnerability?.tools)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(vulnerability.tools.components);
+    normalizeServicesForSpecVersion(vulnerability.tools.services);
+  }
+}
+
+function normalizeDefinitionsForSpecVersion(definitions) {
+  if (!isObjectRecord(definitions)) {
+    return;
+  }
+  normalizeComponentsForSpecVersion(definitions.components);
+  normalizeServicesForSpecVersion(definitions.services);
+}
+
+function migrateLegacyManufactureForSpecVersion(metadata) {
+  if (!metadata.manufacture) {
+    return;
+  }
+  if (isObjectRecord(metadata.component) && !metadata.component.manufacturer) {
+    metadata.component.manufacturer = metadata.manufacture;
+    return;
+  }
+  if (!metadata.manufacturer) {
+    metadata.manufacturer = metadata.manufacture;
+  }
+}
+
+function normalizeToolsForSpecVersion(subject, specVersion) {
+  if (!subject || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (Array.isArray(subject.tools)) {
+    subject.tools = {
+      components: subject.tools.map((tool) =>
+        normalizeLegacyToolComponent(isObjectRecord(tool) ? { ...tool } : tool),
+      ),
+    };
+    return;
+  }
+  if (!isObjectRecord(subject.tools)) {
+    return;
+  }
+  if (Array.isArray(subject.tools.components)) {
+    subject.tools.components = subject.tools.components.map((tool) =>
+      normalizeLegacyToolComponent(tool),
+    );
+  }
+  if (Array.isArray(subject.tools.services)) {
+    subject.tools.services = subject.tools.services.map((service) =>
+      normalizeLegacyToolService(service),
+    );
+  }
+}
+
+function upgradeSubjectForSpecVersion(subject, specVersion) {
+  if (!isObjectRecord(subject) || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (isObjectRecord(subject.metadata)) {
+    migrateLegacyManufactureForSpecVersion(subject.metadata);
+    deleteFields(subject.metadata, METADATA_2_0_REMOVED_FIELDS);
+    normalizeToolsForSpecVersion(subject.metadata, specVersion);
+    normalizeComponentForSpecVersion20(subject.metadata.component);
+  }
+  normalizeComponentsForSpecVersion(subject.components);
+  normalizeFormulationForSpecVersion(subject.formulation);
+  normalizeDefinitionsForSpecVersion(subject.definitions);
+  normalizeVulnerabilitiesForSpecVersion(subject.vulnerabilities);
+}
+
+function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
+  if (!subject || typeof subject !== "object") {
+    return;
+  }
+  if (Array.isArray(subject)) {
+    subject.forEach((entry) => {
+      downgradeSubjectForSpecVersion(entry, specVersion, parentKey);
+    });
+    return;
+  }
+  if (parentKey === "metadata") {
+    normalizeMetadataForSpecVersion(subject, specVersion);
+  }
+  if (parentKey === "component" || parentKey === "components") {
+    normalizeComponentForSpecVersion(subject, specVersion);
+  }
+  if (parentKey === "service" || parentKey === "services") {
+    normalizeServiceForSpecVersion(subject, specVersion);
+  }
+  if (specVersion < 1.6) {
+    if (subject.cryptoProperties) {
+      delete subject.cryptoProperties;
+    }
+    if (
+      subject?.evidence?.occurrences &&
+      Array.isArray(subject.evidence.occurrences)
+    ) {
+      subject.evidence.occurrences.forEach((occurrence) => {
+        delete occurrence.line;
+        delete occurrence.offset;
+        delete occurrence.symbol;
+        delete occurrence.additionalContext;
+      });
+    }
+    if (
+      subject?.evidence?.identity &&
+      Array.isArray(subject.evidence.identity)
+    ) {
+      subject.evidence.identity = subject.evidence.identity[0];
+      if (subject.evidence.identity?.concludedValue) {
+        delete subject.evidence.identity.concludedValue;
+      }
+    }
+  } else if (
+    specVersion < 1.7 &&
+    subject.cryptoProperties?.assetType === "certificate" &&
+    subject.cryptoProperties.certificateProperties
+  ) {
+    const certificateProperties =
+      subject.cryptoProperties.certificateProperties;
+    if (
+      !certificateProperties.certificateExtension &&
+      certificateProperties.certificateFileExtension
+    ) {
+      certificateProperties.certificateExtension =
+        certificateProperties.certificateFileExtension;
+    }
+    delete certificateProperties.serialNumber;
+    delete certificateProperties.certificateFileExtension;
+    delete certificateProperties.fingerprint;
+  }
+  Object.entries(subject).forEach(([key, value]) => {
+    downgradeSubjectForSpecVersion(value, specVersion, key);
+  });
+}
+
+function applySpecVersionCompatibility(bomJson, options) {
+  const requestedSpecVersion = resolveSpecVersionForCompatibility(
+    bomJson,
+    options,
+  );
+  const normalizedSpecVersion =
+    toCycloneDxSpecVersionString(requestedSpecVersion);
+  if (!normalizedSpecVersion) {
+    thoughtLog(
+      "Skipping CycloneDX specVersion compatibility updates for malformed explicit specVersion.",
+      {
+        specVersion: requestedSpecVersion,
+      },
+    );
+    return bomJson;
+  }
+  const specVersion = normalizeCycloneDxSpecVersion(normalizedSpecVersion);
+  if (specVersion < 1.7) {
+    downgradeSubjectForSpecVersion(bomJson, specVersion);
+  } else if (isCycloneDx20SpecVersion(specVersion)) {
+    upgradeSubjectForSpecVersion(bomJson, specVersion);
+  }
+  return setCycloneDxFormat(bomJson, normalizedSpecVersion);
+}
+
 /**
  * Filter and enhance BOM post generation.
  *
  * @param {Object} bomNSData BOM with namespaces object
  * @param {Object} options CLI options
+ * @param {string} [filePath] Source path used for formulation and metadata context
  *
  * @returns {Object} Modified bomNSData
  */
@@ -312,6 +698,7 @@ export function postProcess(bomNSData, options, filePath) {
   bomNSData.bomJson = filterBom(jsonPayload, options);
   bomNSData.bomJson = applyStandards(bomNSData.bomJson, options);
   bomNSData.bomJson = applyMetadata(bomNSData.bomJson, options);
+  bomNSData.bomJson = applyContainerInventoryMetadata(bomNSData.bomJson);
   bomNSData.bomJson = applyFormulation(
     bomNSData.bomJson,
     options,
@@ -319,10 +706,21 @@ export function postProcess(bomNSData, options, filePath) {
     bomNSData.formulationList,
   );
   bomNSData.bomJson = applyReleaseNotes(bomNSData.bomJson, options, filePath);
+  bomNSData.bomJson = applySpecVersionCompatibility(bomNSData.bomJson, options);
   bomNSData.bomJson = validateTlpClassification(bomNSData.bomJson, options);
   // Support for automatic annotations
   if (options.specVersion >= 1.6) {
-    bomNSData.bomJson = annotate(bomNSData.bomJson, options);
+    setActivityContext({
+      bomMutation: "annotations",
+      capability: "bom-mutation",
+      projectType: "Annotations",
+      sourcePath: filePath || options.filePath || process.cwd(),
+    });
+    try {
+      bomNSData.bomJson = annotate(bomNSData.bomJson, options);
+    } finally {
+      resetActivityContext();
+    }
   }
   cleanupEnv(options);
   cleanupTmpDir();