npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/stages/postgen/postgen.poku.js CHANGED Viewed

@@ -241,6 +241,443 @@ it("postProcess passes formulationList from bomNSData into the formulation secti
   );
 });
+it("postProcess finalizes CycloneDX 2.0-dev root fields and strips legacy fields", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Legacy Factory" },
+        component: "not-a-component-object",
+        tools: [
+          {
+            author: "OWASP Foundation",
+            name: "cdxgen",
+            vendor: "OWASP Foundation",
+            version: "12.4.0",
+            components: [
+              {
+                author: "Nested Tool Author",
+                modified: true,
+                name: "cdxgen-plugin",
+                type: "library",
+              },
+            ],
+          },
+        ],
+      },
+      components: [
+        {
+          author: "Jane Doe",
+          modified: false,
+          name: "demo-lib",
+          type: "library",
+          version: "1.0.0",
+          components: [
+            {
+              author: "Nested Author",
+              modified: true,
+              name: "nested-lib",
+              type: "library",
+            },
+          ],
+        },
+      ],
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolComponent] = result.bomJson.metadata.tools.components;
+  const [component] = result.bomJson.components;
+  assert.strictEqual(result.bomJson.specFormat, "CycloneDX");
+  assert.strictEqual(result.bomJson.bomFormat, undefined);
+  assert.strictEqual(result.bomJson.specVersion, "2.0");
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.manufacturer, {
+    name: "Legacy Factory",
+  });
+  assert.strictEqual(
+    result.bomJson.metadata.component,
+    "not-a-component-object",
+  );
+  assert.strictEqual(toolComponent.publisher, "OWASP Foundation");
+  assert.deepStrictEqual(toolComponent.authors, [{ name: "OWASP Foundation" }]);
+  assert.strictEqual(toolComponent.author, undefined);
+  assert.deepStrictEqual(toolComponent.components[0].authors, [
+    { name: "Nested Tool Author" },
+  ]);
+  assert.strictEqual(toolComponent.components[0].author, undefined);
+  assert.strictEqual(toolComponent.components[0].modified, undefined);
+  assert.deepStrictEqual(component.authors, [{ name: "Jane Doe" }]);
+  assert.strictEqual(component.author, undefined);
+  assert.strictEqual(component.modified, undefined);
+  assert.deepStrictEqual(component.components[0].authors, [
+    { name: "Nested Author" },
+  ]);
+  assert.strictEqual(component.components[0].author, undefined);
+  assert.strictEqual(component.components[0].modified, undefined);
+});
+it("postProcess preserves malformed explicit specVersion values instead of coercing them to 1.7", () => {
+  const malformedBomResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "2.0.1",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    {},
+  );
+  assert.strictEqual(malformedBomResult.bomJson.specVersion, "2.0.1");
+  assert.strictEqual(malformedBomResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedBomResult.bomJson.specFormat, undefined);
+  const malformedOptionResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "1.7",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    { specVersion: "2.0.1" },
+  );
+  assert.strictEqual(malformedOptionResult.bomJson.specVersion, "1.7");
+  assert.strictEqual(malformedOptionResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedOptionResult.bomJson.specFormat, undefined);
+});
+it("postProcess migrates CycloneDX 2.0 metadata manufacture and tool services without broad recursion", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Component Factory" },
+        component: {
+          name: "demo-app",
+          type: "application",
+        },
+        tools: {
+          components: [],
+          services: [
+            {
+              author: "Legacy Author",
+              name: "scanner-service",
+              vendor: "Scanner Vendor",
+            },
+          ],
+        },
+      },
+      components: [],
+      dependencies: [{ ref: "pkg:generic/demo@1.0.0", dependsOn: [] }],
+      unrelatedInventory: {
+        components: [
+          {
+            author: "Should Not Be Traversed",
+            name: "not-a-component-list",
+          },
+        ],
+      },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolService] = result.bomJson.metadata.tools.services;
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.component.manufacturer, {
+    name: "Component Factory",
+  });
+  assert.deepStrictEqual(toolService.provider, { name: "Scanner Vendor" });
+  assert.strictEqual(toolService.vendor, undefined);
+  assert.strictEqual(toolService.author, undefined);
+  assert.strictEqual(
+    result.bomJson.unrelatedInventory.components[0].author,
+    "Should Not Be Traversed",
+  );
+});
+it("postProcess downgrades certificate crypto properties for spec version 1.6", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.6",
+      components: [
+        {
+          type: "cryptographic-asset",
+          name: "demo-cert",
+          cryptoProperties: {
+            assetType: "certificate",
+            certificateProperties: {
+              serialNumber: "1234",
+              subjectName: "CN=demo",
+              issuerName: "CN=demo",
+              notValidBefore: "2024-01-01T00:00:00.000Z",
+              notValidAfter: "2034-01-01T00:00:00.000Z",
+              certificateFormat: "X.509",
+              certificateFileExtension: "crt",
+              fingerprint: { alg: "SHA-1", content: "a".repeat(40) },
+            },
+          },
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "cryptographic-asset",
+              name: "formulation-cert",
+              cryptoProperties: {
+                assetType: "certificate",
+                certificateProperties: {
+                  serialNumber: "5678",
+                  subjectName: "CN=formulation",
+                  certificateFileExtension: "pem",
+                  fingerprint: { alg: "SHA-1", content: "b".repeat(40) },
+                },
+              },
+            },
+          ],
+        },
+      ],
+      metadata: {
+        properties: [],
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.6 });
+  const componentCert =
+    result.bomJson.components[0].cryptoProperties.certificateProperties;
+  const formulationCert =
+    result.bomJson.formulation[0].components[0].cryptoProperties
+      .certificateProperties;
+  assert.deepStrictEqual(componentCert, {
+    subjectName: "CN=demo",
+    issuerName: "CN=demo",
+    notValidBefore: "2024-01-01T00:00:00.000Z",
+    notValidAfter: "2034-01-01T00:00:00.000Z",
+    certificateFormat: "X.509",
+    certificateExtension: "crt",
+  });
+  assert.deepStrictEqual(formulationCert, {
+    subjectName: "CN=formulation",
+    certificateExtension: "pem",
+  });
+});
+it("postProcess removes remaining 1.7-only fields from metadata, components, and formulation inventories for spec version 1.6", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.6",
+      components: [
+        {
+          type: "library",
+          name: "demo-lib",
+          version: "1.0.0",
+          isExternal: true,
+          patentAssertions: [{ patentNumber: "US-123" }],
+          versionRange: "vers:npm/>=1.0.0|<2.0.0",
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "library",
+              name: "formulation-lib",
+              version: "2.0.0",
+              isExternal: true,
+              versionRange: "vers:npm/>=2.0.0|<3.0.0",
+            },
+          ],
+          services: [
+            {
+              name: "formulation-service",
+              patentAssertions: [{ patentNumber: "US-456" }],
+            },
+          ],
+        },
+      ],
+      metadata: {
+        distributionConstraints: { tlp: "GREEN" },
+        component: {
+          type: "application",
+          name: "demo-app",
+          version: "1.0.0",
+          isExternal: true,
+          versionRange: "vers:npm/>=1.0.0|<2.0.0",
+        },
+        properties: [],
+        tools: {
+          components: [{ name: "cdxgen" }],
+        },
+      },
+      services: [
+        {
+          name: "demo-service",
+          patentAssertions: [{ patentNumber: "US-789" }],
+        },
+      ],
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.6 });
+  const rootComponent = result.bomJson.components[0];
+  const formulationComponent = result.bomJson.formulation[0].components[0];
+  const rootService = result.bomJson.services[0];
+  const formulationService = result.bomJson.formulation[0].services[0];
+  const metadataComponent = result.bomJson.metadata.component;
+  assert.strictEqual(
+    result.bomJson.metadata.distributionConstraints,
+    undefined,
+  );
+  assert.strictEqual(rootComponent.isExternal, undefined);
+  assert.strictEqual(rootComponent.patentAssertions, undefined);
+  assert.strictEqual(rootComponent.versionRange, undefined);
+  assert.strictEqual(formulationComponent.isExternal, undefined);
+  assert.strictEqual(formulationComponent.versionRange, undefined);
+  assert.strictEqual(rootService.patentAssertions, undefined);
+  assert.strictEqual(formulationService.patentAssertions, undefined);
+  assert.strictEqual(metadataComponent.isExternal, undefined);
+  assert.strictEqual(metadataComponent.versionRange, undefined);
+});
+it("postProcess removes remaining 1.6-only fields from metadata, components, and formulation inventories for spec version 1.5", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.5",
+      components: [
+        {
+          type: "library",
+          name: "demo-lib",
+          version: "1.0.0",
+          authors: [{ name: "Alice" }],
+          manufacturer: { name: "Acme" },
+          omniborId: ["gitoid:blob:sha1:abc"],
+          swhid: ["swh:1:rev:def"],
+          tags: ["demo"],
+        },
+      ],
+      dependencies: [],
+      formulation: [
+        {
+          components: [
+            {
+              type: "library",
+              name: "formulation-lib",
+              version: "2.0.0",
+              authors: [{ name: "Bob" }],
+              manufacturer: { name: "Builder" },
+              omniborId: ["gitoid:blob:sha1:ghi"],
+              swhid: ["swh:1:dir:jkl"],
+              tags: ["workflow"],
+            },
+          ],
+          services: [
+            {
+              name: "formulation-service",
+              tags: ["ci"],
+            },
+          ],
+        },
+      ],
+      metadata: {
+        manufacturer: { name: "BOM Factory" },
+        component: {
+          type: "application",
+          name: "demo-app",
+          version: "1.0.0",
+          authors: [{ name: "Carol" }],
+          manufacturer: { name: "Acme" },
+          tags: ["root"],
+        },
+        properties: [],
+      },
+      services: [
+        {
+          name: "demo-service",
+          tags: ["runtime"],
+        },
+      ],
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.5 });
+  const rootComponent = result.bomJson.components[0];
+  const formulationComponent = result.bomJson.formulation[0].components[0];
+  const rootService = result.bomJson.services[0];
+  const formulationService = result.bomJson.formulation[0].services[0];
+  const metadataComponent = result.bomJson.metadata.component;
+  assert.strictEqual(result.bomJson.metadata.manufacturer, undefined);
+  assert.strictEqual(rootComponent.authors, undefined);
+  assert.strictEqual(rootComponent.manufacturer, undefined);
+  assert.strictEqual(rootComponent.omniborId, undefined);
+  assert.strictEqual(rootComponent.swhid, undefined);
+  assert.strictEqual(rootComponent.tags, undefined);
+  assert.strictEqual(formulationComponent.authors, undefined);
+  assert.strictEqual(formulationComponent.manufacturer, undefined);
+  assert.strictEqual(formulationComponent.omniborId, undefined);
+  assert.strictEqual(formulationComponent.swhid, undefined);
+  assert.strictEqual(formulationComponent.tags, undefined);
+  assert.strictEqual(rootService.tags, undefined);
+  assert.strictEqual(formulationService.tags, undefined);
+  assert.strictEqual(metadataComponent.authors, undefined);
+  assert.strictEqual(metadataComponent.manufacturer, undefined);
+  assert.strictEqual(metadataComponent.tags, undefined);
+});
+it("postProcess removes unsupported evidence occurrence details for spec version 1.5", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.5",
+      components: [
+        {
+          type: "file",
+          name: "deviceTypeManager.js",
+          evidence: {
+            occurrences: [
+              {
+                location: "source/microservices/lib/deviceTypeManager.js",
+                line: 11,
+                offset: 2,
+                symbol: "deviceTypeManager",
+                additionalContext: "source-import",
+              },
+            ],
+          },
+        },
+      ],
+      dependencies: [],
+      metadata: { properties: [] },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.5 });
+  assert.deepStrictEqual(result.bomJson.components[0].evidence.occurrences, [
+    {
+      location: "source/microservices/lib/deviceTypeManager.js",
+    },
+  ]);
+});
 it("postProcess merges formulation-discovered MCP config services into bomJson.services", () => {
   const tmpDir = join(tmpdir(), `cdxgen-postgen-${Date.now()}`);
   mkdirSync(join(tmpDir, ".vscode"), { recursive: true });
@@ -372,6 +809,53 @@ it("postProcess attaches releaseNotes to cdxgen metadata tool component", () =>
   }
 });
+it("postProcess refreshes unpackaged native file inventory counts from the final BOM", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [
+        {
+          name: "demo",
+          type: "file",
+          properties: [{ name: "internal:is_executable", value: "true" }],
+        },
+        {
+          name: "libdemo.so",
+          type: "file",
+          properties: [{ name: "internal:is_shared_library", value: "true" }],
+        },
+      ],
+      dependencies: [],
+      metadata: {
+        properties: [
+          { name: "cdx:container:unpackagedExecutableCount", value: "0" },
+          {
+            name: "cdx:container:unpackagedSharedLibraryCount",
+            value: "0",
+          },
+        ],
+        tools: {
+          components: [
+            { group: "@cyclonedx", name: "cdxgen", version: "test" },
+          ],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, { specVersion: 1.7 });
+  assert.deepStrictEqual(
+    result.bomJson.metadata.properties.filter((property) =>
+      property.name.startsWith("cdx:container:unpackaged"),
+    ),
+    [
+      { name: "cdx:container:unpackagedExecutableCount", value: "1" },
+      { name: "cdx:container:unpackagedSharedLibraryCount", value: "1" },
+    ],
+  );
+});
 it("postProcess fails for weak TLP when sensitive property values are present", () => {
   const bomNSData = {
     bomJson: {

package/lib/stages/postgen/ruleEngine.js CHANGED Viewed

@@ -136,6 +136,24 @@ function normalizeStandardsMetadata(rule) {
   return Object.keys(normalized).length ? normalized : undefined;
 }
+function normalizeDryRunSupport(rule) {
+  const rawValue =
+    typeof rule?.["dry-run-support"] === "string"
+      ? rule["dry-run-support"]
+      : typeof rule?.dryRunSupport === "string"
+        ? rule.dryRunSupport
+        : undefined;
+  if (rawValue !== undefined && !["no", "partial", "full"].includes(rawValue)) {
+    if (DEBUG_MODE) {
+      console.warn(
+        `Rule ${rule?.id || "unknown"} has invalid dry-run-support '${rawValue}'; defaulting to 'partial'`,
+      );
+    }
+    return "partial";
+  }
+  return ["no", "partial", "full"].includes(rawValue) ? rawValue : "partial";
+}
 /**
  * Helper: Check if property exists and equals expected value
  * Usage: $hasProp(component, 'cdx:foo', 'bar')
@@ -247,6 +265,103 @@ function registerCdxHelpers(expression) {
   expression.registerFunction("safeStr", (val) => {
     return val === null || val === undefined ? "" : String(val).trim();
   });
+  expression.registerFunction("parseSizeBytes", (val) => {
+    if (val === null || val === undefined || val === "") {
+      return null;
+    }
+    if (typeof val === "number") {
+      return Number.isFinite(val) ? val : null;
+    }
+    const normalizedValue = String(val).trim();
+    if (!normalizedValue) {
+      return null;
+    }
+    const matchedValue = normalizedValue.match(
+      /^(\d+(?:\.\d+)?)\s*([kmgtpe]?i?b)?$/iu,
+    );
+    if (!matchedValue) {
+      return null;
+    }
+    const numericValue = Number.parseFloat(matchedValue[1]);
+    if (!Number.isFinite(numericValue)) {
+      return null;
+    }
+    const unit = (matchedValue[2] || "").toLowerCase();
+    const unitMap = {
+      b: 1,
+      kb: 1000,
+      kib: 1024,
+      mb: 1000 ** 2,
+      mib: 1024 ** 2,
+      gb: 1000 ** 3,
+      gib: 1024 ** 3,
+      tb: 1000 ** 4,
+      tib: 1024 ** 4,
+      pb: 1000 ** 5,
+      pib: 1024 ** 5,
+      eb: 1000 ** 6,
+      eib: 1024 ** 6,
+    };
+    const multiplier = unitMap[unit || "b"];
+    if (!multiplier) {
+      return null;
+    }
+    return numericValue * multiplier;
+  });
+  expression.registerFunction("firstNonEmpty", (...values) => {
+    for (const value of values) {
+      if (value === null || value === undefined) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        const candidate = value
+          .map((entry) =>
+            entry === null || entry === undefined ? "" : String(entry).trim(),
+          )
+          .filter(Boolean)
+          .join(", ");
+        if (candidate) {
+          return candidate;
+        }
+        continue;
+      }
+      const candidate = String(value).trim();
+      if (candidate) {
+        return candidate;
+      }
+    }
+    return "";
+  });
+  expression.registerFunction("isDarwinSystemPath", (value) => {
+    if (typeof value !== "string") {
+      return false;
+    }
+    const normalized = value.trim();
+    return (
+      normalized.startsWith("/bin/") ||
+      normalized.startsWith("/sbin/") ||
+      normalized.startsWith("/System/") ||
+      normalized.startsWith("/usr/bin/") ||
+      normalized.startsWith("/usr/libexec/") ||
+      normalized.startsWith("/usr/sbin/") ||
+      normalized.startsWith("/Library/Apple/System/") ||
+      normalized.startsWith("/System/Volumes/Preboot/Cryptexes/")
+    );
+  });
+  expression.registerFunction("isWindowsUserControlledPath", (value) => {
+    if (typeof value !== "string") {
+      return false;
+    }
+    const normalized = value.trim().replaceAll("/", "\\").toLowerCase();
+    return (
+      normalized.includes("\\users\\") ||
+      normalized.includes("\\programdata\\") ||
+      normalized.includes("\\appdata\\") ||
+      normalized.includes("\\downloads\\") ||
+      normalized.includes("\\desktop\\") ||
+      normalized.includes("\\temp\\")
+    );
+  });
   expression.registerFunction("auditComponents", (bomJson) =>
     getAuditComponents(bomJson),
   );
@@ -331,6 +446,7 @@ export async function loadRules(rulesDir) {
         }
         rule.severity = rule.severity || "medium";
         rule.category = rule.category || "unknown";
+        rule.dryRunSupport = normalizeDryRunSupport(rule);
         const attack = normalizeAttackMetadata(rule);
         if (attack.tactics.length || attack.techniques.length) {
           rule.attack = attack;

package/lib/stages/pregen/envAudit.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import process from "node:process";
+import { recordEnvironmentRead } from "../../helpers/utils.js";
 const PERMISSION_FLAGS = [
   "--permission",
   "--allow-fs-read",
@@ -57,8 +59,13 @@ const PERMISSION_FLAG_PATTERNS = PERMISSION_FLAGS.map(
 export function auditEnvironment(env = process.env) {
   const findings = [];
-  const nodeOptions = env.NODE_OPTIONS || "";
-  const cdxgenNodeOptions = env.CDXGEN_NODE_OPTIONS || "";
+  const envSource = env === process.env ? "process.env" : "env";
+  const readEnv = (varName) => {
+    recordEnvironmentRead(varName, { source: envSource });
+    return env[varName];
+  };
+  const nodeOptions = readEnv("NODE_OPTIONS") || "";
+  const cdxgenNodeOptions = readEnv("CDXGEN_NODE_OPTIONS") || "";
   const hasPermission = PERMISSION_FLAG_PATTERNS.some((re) =>
     re.test(nodeOptions),
   );
@@ -93,7 +100,7 @@ export function auditEnvironment(env = process.env) {
     });
   }
   // NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification; any other value is benign.
-  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") {
+  if (readEnv("NODE_TLS_REJECT_UNAUTHORIZED") === "0") {
     findings.push({
       type: "environment-variable",
       variable: "NODE_TLS_REJECT_UNAUTHORIZED",
@@ -107,6 +114,7 @@ export function auditEnvironment(env = process.env) {
   for (const varName of RISKY_PRESENCE_VARS) {
     if (env[varName] != null && env[varName] !== "") {
+      recordEnvironmentRead(varName, { source: envSource });
       const messages = {
         NODE_PATH:
           "NODE_PATH is set and may cause unexpected modules to be loaded, enabling module-resolution poisoning.",
@@ -166,6 +174,7 @@ export function auditEnvironment(env = process.env) {
     "JDK_JAVA_OPTIONS",
   ]) {
     const jvmOptions = env[jvmVar] || "";
+    recordEnvironmentRead(jvmVar, { source: envSource });
     if (jvmOptions) {
       for (const pattern of JVM_CODE_EXECUTION_PATTERNS) {
         if (pattern.test(jvmOptions)) {
@@ -184,6 +193,7 @@ export function auditEnvironment(env = process.env) {
   // Proxy interception — informational
   const activeProxy = PROXY_VARS.find((v) => env[v] != null && env[v] !== "");
   if (activeProxy) {
+    recordEnvironmentRead(activeProxy, { source: envSource });
     findings.push({
       type: "network-interception",
       variable: activeProxy,
@@ -197,6 +207,7 @@ export function auditEnvironment(env = process.env) {
   // Credential exposure — detect any env var whose name follows a credential-naming convention.
   for (const [varName, varValue] of Object.entries(env)) {
     if (varValue && CREDENTIAL_VAR_PATTERN.test(varName)) {
+      recordEnvironmentRead(varName, { source: envSource });
       findings.push({
         type: "credential-exposure",
         variable: varName,