@cyclonedx/cdxgen 12.4.0 → 12.4.1

package/lib/helpers/protobom.poku.js

@@ -3,7 +3,12 @@ import { join } from "node:path";
 
 import { assert, it } from "poku";
 
-import { isProtoBomFile, readBinary, writeBinary } from "./protobom.js";
+import {
+  assertProtoSupportedSpecVersion,
+  isProtoBomFile,
+  readBinary,
+  writeBinary,
+} from "./protobom.js";
 import { getTmpDir } from "./utils.js";
 
 const testBom = JSON.parse(
@@ -137,6 +142,44 @@ it("keeps canonical definitions and declarations as objects during proto round-t
   cleanupTempDir(tempDir);
 });
 
+it("rejects unsupported CycloneDX 2.0 protobuf operations with a clear error", () => {
+  const tempDir = createTempDir();
+  const binFile = join(tempDir, "unsupported-2.0.cdx");
+  assert.throws(
+    () =>
+      writeBinary(
+        {
+          specFormat: "CycloneDX",
+          specVersion: "2.0",
+          version: 1,
+        },
+        binFile,
+      ),
+    /CycloneDX 2\.0 is not currently supported for protobuf serialization/,
+  );
+  assert.throws(
+    () => assertProtoSupportedSpecVersion("2.0", "protobuf export"),
+    /@appthreat\/cdx-proto supports 1\.5, 1\.6, 1\.7 only/,
+  );
+  assert.throws(
+    () =>
+      writeBinary(
+        {
+          bomFormat: "CycloneDX",
+          specVersion: "2.0.1",
+          version: 1,
+        },
+        binFile,
+      ),
+    /CycloneDX 2\.0\.1 is not currently supported for protobuf serialization/,
+  );
+  assert.throws(
+    () => assertProtoSupportedSpecVersion("2.0.1", "protobuf export"),
+    /CycloneDX 2\.0\.1 is not currently supported for protobuf export/,
+  );
+  cleanupTempDir(tempDir);
+});
+
 it("round-trips real CBOM fixture data with cryptographic assets intact", () => {
   const tempDir = createTempDir();
   const binFile = join(tempDir, "cbom-fixture.cdx");

package/lib/helpers/protobomLoader.js

@@ -0,0 +1,43 @@
+const PROTO_BOM_FILE_EXTENSIONS = [".cdx", ".cdx.bin", ".proto"];
+
+/**
+ * Determine whether a path looks like a CycloneDX protobuf BOM file.
+ *
+ * @param {string} filePath File path
+ * @returns {boolean} true when the path uses a protobuf BOM extension
+ */
+export function isProtoBomPath(filePath) {
+  const normalizedPath = `${filePath || ""}`.toLowerCase();
+  return PROTO_BOM_FILE_EXTENSIONS.some((extension) =>
+    normalizedPath.endsWith(extension),
+  );
+}
+
+/**
+ * Import protobuf BOM helpers and replace optional-dependency loader failures
+ * with actionable command-specific messages.
+ *
+ * @param {string} [commandName="cdxgen"] CLI command name
+ * @param {string} [featureDescription="protobuf support"] Feature being used
+ * @returns {Promise<object>} Loaded protobom module namespace
+ */
+export async function importProtobomModule(
+  commandName = "cdxgen",
+  featureDescription = "protobuf support",
+) {
+  try {
+    return await import("./protobom.js");
+  } catch (error) {
+    const message = `${error?.message || ""}`;
+    if (
+      error?.code === "ERR_MODULE_NOT_FOUND" ||
+      message.includes("@appthreat/cdx-proto") ||
+      message.includes("@bufbuild/protobuf")
+    ) {
+      throw new Error(
+        `${commandName} ${featureDescription} requires the optional '@appthreat/cdx-proto' and '@bufbuild/protobuf' dependencies. Install optional dependencies or use a binary that bundles protobuf support.`,
+      );
+    }
+    throw error;
+  }
+}

package/lib/helpers/protobomLoader.poku.js

@@ -0,0 +1,31 @@
+import { assert, describe, it } from "poku";
+
+import { importProtobomModule, isProtoBomPath } from "./protobomLoader.js";
+
+describe("protobomLoader", () => {
+  it("detects protobuf BOM file extensions", () => {
+    assert.strictEqual(isProtoBomPath("bom.cdx"), true);
+    assert.strictEqual(isProtoBomPath("bom.CDX.BIN"), true);
+    assert.strictEqual(isProtoBomPath("bom.proto"), true);
+    assert.strictEqual(isProtoBomPath("bom.json"), false);
+    assert.strictEqual(isProtoBomPath(""), false);
+  });
+
+  it("imports the protobuf BOM helper when optional support is installed", async () => {
+    let protobomModule;
+    try {
+      protobomModule = await importProtobomModule(
+        "cdx-test",
+        "protobuf BOM input",
+      );
+    } catch (error) {
+      assert.match(
+        error.message,
+        /requires the optional '@appthreat\/cdx-proto' and '@bufbuild\/protobuf' dependencies/u,
+      );
+      return;
+    }
+    assert.strictEqual(typeof protobomModule.readBinary, "function");
+    assert.strictEqual(typeof protobomModule.writeBinary, "function");
+  });
+});

package/lib/server/server.js

@@ -8,6 +8,7 @@ import compression from "compression";
 import connect from "connect";
 
 import { createBom, submitBom } from "../cli/index.js";
+import { isCycloneDxBom } from "../helpers/bomUtils.js";
 import { normalizeOutputFormats } from "../helpers/exportUtils.js";
 import {
   cleanupSourceDir,
@@ -467,7 +468,7 @@ const start = (options) => {
       let responseBomJson = bomNSData.bomJson;
       if (
         requestedFormats.includes("spdx") &&
-        bomNSData?.bomJson?.bomFormat === "CycloneDX"
+        isCycloneDxBom(bomNSData?.bomJson)
       ) {
         responseBomJson = convertCycloneDxToSpdx(bomNSData.bomJson, reqOptions);
       }

package/lib/stages/postgen/postgen.js

@@ -9,6 +9,12 @@ import {
   matchesAiInventoryExcludeType,
   optionIncludesAiInventoryProjectType,
 } from "../../helpers/aiInventory.js";
+import {
+  isCycloneDx20SpecVersion,
+  normalizeCycloneDxSpecVersion,
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
+} from "../../helpers/bomUtils.js";
 import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
 import { getContainerFileInventoryStats } from "../../helpers/inventoryStats.js";
@@ -160,10 +166,8 @@ const SERVICE_1_6_ONLY_FIELDS = new Set(["tags"]);
 const SERVICE_1_7_ONLY_FIELDS = new Set(["patentAssertions"]);
 const METADATA_1_6_ONLY_FIELDS = new Set(["manufacturer"]);
 const METADATA_1_7_ONLY_FIELDS = new Set(["distributionConstraints"]);
-
-function normalizeSpecVersion(specVersion) {
-  return Number.parseFloat(String(specVersion || 0));
-}
+const METADATA_2_0_REMOVED_FIELDS = new Set(["manufacture"]);
+const COMPONENT_2_0_REMOVED_FIELDS = new Set(["author", "modified"]);
 
 function normalizeTlpClassification(tlpClassification) {
   return String(tlpClassification || "")
@@ -274,9 +278,10 @@ function collectSensitivePropertyViolations(
 }
 
 function validateTlpClassification(bomJson, options) {
-  const specVersion = normalizeSpecVersion(
-    bomJson?.specVersion || options?.specVersion,
-  );
+  const specVersion =
+    normalizeCycloneDxSpecVersion(
+      bomJson?.specVersion || options?.specVersion,
+    ) || 0;
   if (specVersion < 1.7) {
     return bomJson;
   }
@@ -366,6 +371,10 @@ function deleteFields(subject, fields) {
   }
 }
 
+function isObjectRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+
 function normalizeComponentForSpecVersion(subject, specVersion) {
   if (specVersion < 1.6) {
     deleteFields(subject, COMPONENT_1_6_ONLY_FIELDS);
@@ -393,6 +402,190 @@ function normalizeMetadataForSpecVersion(subject, specVersion) {
   }
 }
 
+function authorStringToAuthors(authorValue) {
+  if (typeof authorValue !== "string") {
+    return undefined;
+  }
+  const authors = authorValue
+    .split(",")
+    .map((author) => author.trim())
+    .filter(Boolean)
+    .map((name) => ({ name }));
+  return authors.length ? authors : undefined;
+}
+
+function normalizeLegacyToolComponent(tool) {
+  if (!isObjectRecord(tool)) {
+    return tool;
+  }
+  if (!tool.type) {
+    tool.type = "application";
+  }
+  if (tool.vendor && !tool.publisher) {
+    tool.publisher = tool.vendor;
+  }
+  delete tool.vendor;
+  if (!tool.authors && tool.author) {
+    tool.authors = authorStringToAuthors(tool.author);
+  }
+  deleteFields(tool, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(tool.components);
+  return tool;
+}
+
+function hasExplicitSpecVersion(specVersion) {
+  return (
+    specVersion !== undefined &&
+    specVersion !== null &&
+    `${specVersion}`.trim() !== ""
+  );
+}
+
+function resolveSpecVersionForCompatibility(bomJson, options) {
+  if (hasExplicitSpecVersion(options?.specVersion)) {
+    return options.specVersion;
+  }
+  if (hasExplicitSpecVersion(bomJson?.specVersion)) {
+    return bomJson.specVersion;
+  }
+  return "1.7";
+}
+
+function normalizeLegacyToolService(service) {
+  if (!isObjectRecord(service)) {
+    return service;
+  }
+  if (service.vendor && !service.provider) {
+    service.provider =
+      typeof service.vendor === "string"
+        ? { name: service.vendor }
+        : service.vendor;
+  }
+  delete service.vendor;
+  deleteFields(service, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeServicesForSpecVersion(service.services);
+  return service;
+}
+
+function normalizeComponentsForSpecVersion(components) {
+  if (!Array.isArray(components)) {
+    return;
+  }
+  for (const component of components) {
+    normalizeComponentForSpecVersion20(component);
+  }
+}
+
+function normalizeComponentForSpecVersion20(component) {
+  if (!isObjectRecord(component)) {
+    return;
+  }
+  if (!component.authors && component.author) {
+    component.authors = authorStringToAuthors(component.author);
+  }
+  deleteFields(component, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(component.components);
+}
+
+function normalizeServicesForSpecVersion(services) {
+  if (!Array.isArray(services)) {
+    return;
+  }
+  for (const service of services) {
+    normalizeLegacyToolService(service);
+  }
+}
+
+function normalizeFormulationForSpecVersion(formulation) {
+  if (!Array.isArray(formulation)) {
+    return;
+  }
+  for (const formula of formulation) {
+    if (!isObjectRecord(formula)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(formula.components);
+    normalizeServicesForSpecVersion(formula.services);
+  }
+}
+
+function normalizeVulnerabilitiesForSpecVersion(vulnerabilities) {
+  if (!Array.isArray(vulnerabilities)) {
+    return;
+  }
+  for (const vulnerability of vulnerabilities) {
+    if (!isObjectRecord(vulnerability?.tools)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(vulnerability.tools.components);
+    normalizeServicesForSpecVersion(vulnerability.tools.services);
+  }
+}
+
+function normalizeDefinitionsForSpecVersion(definitions) {
+  if (!isObjectRecord(definitions)) {
+    return;
+  }
+  normalizeComponentsForSpecVersion(definitions.components);
+  normalizeServicesForSpecVersion(definitions.services);
+}
+
+function migrateLegacyManufactureForSpecVersion(metadata) {
+  if (!metadata.manufacture) {
+    return;
+  }
+  if (isObjectRecord(metadata.component) && !metadata.component.manufacturer) {
+    metadata.component.manufacturer = metadata.manufacture;
+    return;
+  }
+  if (!metadata.manufacturer) {
+    metadata.manufacturer = metadata.manufacture;
+  }
+}
+
+function normalizeToolsForSpecVersion(subject, specVersion) {
+  if (!subject || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (Array.isArray(subject.tools)) {
+    subject.tools = {
+      components: subject.tools.map((tool) =>
+        normalizeLegacyToolComponent(isObjectRecord(tool) ? { ...tool } : tool),
+      ),
+    };
+    return;
+  }
+  if (!isObjectRecord(subject.tools)) {
+    return;
+  }
+  if (Array.isArray(subject.tools.components)) {
+    subject.tools.components = subject.tools.components.map((tool) =>
+      normalizeLegacyToolComponent(tool),
+    );
+  }
+  if (Array.isArray(subject.tools.services)) {
+    subject.tools.services = subject.tools.services.map((service) =>
+      normalizeLegacyToolService(service),
+    );
+  }
+}
+
+function upgradeSubjectForSpecVersion(subject, specVersion) {
+  if (!isObjectRecord(subject) || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (isObjectRecord(subject.metadata)) {
+    migrateLegacyManufactureForSpecVersion(subject.metadata);
+    deleteFields(subject.metadata, METADATA_2_0_REMOVED_FIELDS);
+    normalizeToolsForSpecVersion(subject.metadata, specVersion);
+    normalizeComponentForSpecVersion20(subject.metadata.component);
+  }
+  normalizeComponentsForSpecVersion(subject.components);
+  normalizeFormulationForSpecVersion(subject.formulation);
+  normalizeDefinitionsForSpecVersion(subject.definitions);
+  normalizeVulnerabilitiesForSpecVersion(subject.vulnerabilities);
+}
+
 function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
   if (!subject || typeof subject !== "object") {
     return;
@@ -460,14 +653,28 @@ function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
 }
 
 function applySpecVersionCompatibility(bomJson, options) {
-  const specVersion = normalizeSpecVersion(
-    options?.specVersion || bomJson?.specVersion || 1.7,
+  const requestedSpecVersion = resolveSpecVersionForCompatibility(
+    bomJson,
+    options,
   );
-  if (specVersion >= 1.7) {
+  const normalizedSpecVersion =
+    toCycloneDxSpecVersionString(requestedSpecVersion);
+  if (!normalizedSpecVersion) {
+    thoughtLog(
+      "Skipping CycloneDX specVersion compatibility updates for malformed explicit specVersion.",
+      {
+        specVersion: requestedSpecVersion,
+      },
+    );
     return bomJson;
   }
-  downgradeSubjectForSpecVersion(bomJson, specVersion);
-  return bomJson;
+  const specVersion = normalizeCycloneDxSpecVersion(normalizedSpecVersion);
+  if (specVersion < 1.7) {
+    downgradeSubjectForSpecVersion(bomJson, specVersion);
+  } else if (isCycloneDx20SpecVersion(specVersion)) {
+    upgradeSubjectForSpecVersion(bomJson, specVersion);
+  }
+  return setCycloneDxFormat(bomJson, normalizedSpecVersion);
 }
 
 /**

package/lib/stages/postgen/postgen.poku.js

@@ -241,6 +241,169 @@ it("postProcess passes formulationList from bomNSData into the formulation secti
   );
 });
 
+it("postProcess finalizes CycloneDX 2.0-dev root fields and strips legacy fields", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Legacy Factory" },
+        component: "not-a-component-object",
+        tools: [
+          {
+            author: "OWASP Foundation",
+            name: "cdxgen",
+            vendor: "OWASP Foundation",
+            version: "12.4.0",
+            components: [
+              {
+                author: "Nested Tool Author",
+                modified: true,
+                name: "cdxgen-plugin",
+                type: "library",
+              },
+            ],
+          },
+        ],
+      },
+      components: [
+        {
+          author: "Jane Doe",
+          modified: false,
+          name: "demo-lib",
+          type: "library",
+          version: "1.0.0",
+          components: [
+            {
+              author: "Nested Author",
+              modified: true,
+              name: "nested-lib",
+              type: "library",
+            },
+          ],
+        },
+      ],
+    },
+  };
+
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolComponent] = result.bomJson.metadata.tools.components;
+  const [component] = result.bomJson.components;
+
+  assert.strictEqual(result.bomJson.specFormat, "CycloneDX");
+  assert.strictEqual(result.bomJson.bomFormat, undefined);
+  assert.strictEqual(result.bomJson.specVersion, "2.0");
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.manufacturer, {
+    name: "Legacy Factory",
+  });
+  assert.strictEqual(
+    result.bomJson.metadata.component,
+    "not-a-component-object",
+  );
+  assert.strictEqual(toolComponent.publisher, "OWASP Foundation");
+  assert.deepStrictEqual(toolComponent.authors, [{ name: "OWASP Foundation" }]);
+  assert.strictEqual(toolComponent.author, undefined);
+  assert.deepStrictEqual(toolComponent.components[0].authors, [
+    { name: "Nested Tool Author" },
+  ]);
+  assert.strictEqual(toolComponent.components[0].author, undefined);
+  assert.strictEqual(toolComponent.components[0].modified, undefined);
+  assert.deepStrictEqual(component.authors, [{ name: "Jane Doe" }]);
+  assert.strictEqual(component.author, undefined);
+  assert.strictEqual(component.modified, undefined);
+  assert.deepStrictEqual(component.components[0].authors, [
+    { name: "Nested Author" },
+  ]);
+  assert.strictEqual(component.components[0].author, undefined);
+  assert.strictEqual(component.components[0].modified, undefined);
+});
+
+it("postProcess preserves malformed explicit specVersion values instead of coercing them to 1.7", () => {
+  const malformedBomResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "2.0.1",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    {},
+  );
+  assert.strictEqual(malformedBomResult.bomJson.specVersion, "2.0.1");
+  assert.strictEqual(malformedBomResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedBomResult.bomJson.specFormat, undefined);
+
+  const malformedOptionResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "1.7",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    { specVersion: "2.0.1" },
+  );
+  assert.strictEqual(malformedOptionResult.bomJson.specVersion, "1.7");
+  assert.strictEqual(malformedOptionResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedOptionResult.bomJson.specFormat, undefined);
+});
+
+it("postProcess migrates CycloneDX 2.0 metadata manufacture and tool services without broad recursion", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Component Factory" },
+        component: {
+          name: "demo-app",
+          type: "application",
+        },
+        tools: {
+          components: [],
+          services: [
+            {
+              author: "Legacy Author",
+              name: "scanner-service",
+              vendor: "Scanner Vendor",
+            },
+          ],
+        },
+      },
+      components: [],
+      dependencies: [{ ref: "pkg:generic/demo@1.0.0", dependsOn: [] }],
+      unrelatedInventory: {
+        components: [
+          {
+            author: "Should Not Be Traversed",
+            name: "not-a-component-list",
+          },
+        ],
+      },
+    },
+  };
+
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolService] = result.bomJson.metadata.tools.services;
+
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.component.manufacturer, {
+    name: "Component Factory",
+  });
+  assert.deepStrictEqual(toolService.provider, { name: "Scanner Vendor" });
+  assert.strictEqual(toolService.vendor, undefined);
+  assert.strictEqual(toolService.author, undefined);
+  assert.strictEqual(
+    result.bomJson.unrelatedInventory.components[0].author,
+    "Should Not Be Traversed",
+  );
+});
+
 it("postProcess downgrades certificate crypto properties for spec version 1.6", () => {
   const bomNSData = {
     bomJson: {