@cyclonedx/cdxgen 12.4.0 → 12.4.2

package/README.md

@@ -136,16 +136,18 @@ Installing `@cyclonedx/cdxgen` exposes these commands:
 | `cdx-verify`    | Verify BOM signatures                                                                                | yes                              |
 | `cdxi`          | Open the interactive REPL                                                                            | no                               |
 | `evinse`        | Add evidence, reachability, and service context                                                      | no                               |
-| `cbom`          | Alias for CBOM-oriented `cdxgen` defaults                                                            | use `cdxgen`                     |
-| `obom`          | Alias for `cdxgen -t os`                                                                             | use `cdxgen`                     |
-| `saasbom`       | Alias for SaaSBOM-oriented `cdxgen` defaults                                                         | use `cdxgen`                     |
+| `cbom`          | Alias for CBOM-oriented `cdxgen` defaults                                                            | yes                              |
+| `obom`          | Alias for `cdxgen -t os`                                                                             | yes                              |
+| `saasbom`       | Alias for SaaSBOM-oriented `cdxgen` defaults                                                         | yes                              |
 | `spdxgen`       | Alias for `cdxgen --format spdx`                                                                     | use `cdxgen`                     |
 | `cdxgen-secure` | Alias for hardened `cdxgen` defaults                                                                 | use `cdxgen`                     |
 
-Standalone GitHub release binaries are published for `cdxgen`, `cdxgen-slim`, `hbom`, `hbom-slim`, `cdx-audit`, `cdx-convert`, `cdx-sign`, `cdx-validate`, and `cdx-verify`.
+Standalone GitHub release binaries are published for `cdxgen`, `cdxgen-slim`, `cbom`, `obom`, `saasbom`, `hbom`, `hbom-slim`, `cdx-audit`, `cdx-convert`, `cdx-sign`, `cdx-validate`, and `cdx-verify`.
 
 `hbom` release binaries bundle both `@cdxgen/cdx-hbom` and the matching `@cdxgen/cdxgen-plugins-bin*` companion helpers for the target platform. `hbom-slim` keeps the dedicated hardware collector (`@cdxgen/cdx-hbom`) but omits the companion plugin bundle when you want the smallest single-file HBOM executable.
 
+The `cbom` and `saasbom` release binaries bundle the Atom analysis stack (`@appthreat/atom` and `@appthreat/atom-parsetools`) plus protobuf export support (`@appthreat/cdx-proto` and `@bufbuild/protobuf`). The `obom` release binary bundles the matching platform plugin package, pruned to runtime OS inventory helpers, plus the same protobuf export support. These aliases therefore support `--export-proto --proto-bin-file <file>` without requiring a separate npm install.
+
 `cdx-audit` is designed to accelerate upstream dependency review with explainable, evidence-backed risk prioritization. It complements provenance, reproducibility, and manual investigation rather than replacing them.
 
 For host inventories, `hbom --include-runtime` produces a merged HBOM + OBOM view with strict topology links such as interface-name, driver-module, storage/runtime, and explicit secure-boot trust matches, plus a `host-topology` BOM audit pack for higher-confidence host findings. When the live hardware collector reports missing utilities or permission-sensitive enrichments, use `hbom diagnostics` (or inspect the derived `cdx:hbom:analysis:*` summary properties) before deciding whether a rerun with `--privileged` is justified.

package/bin/cdxgen.js

@@ -20,6 +20,7 @@ import { hideBin } from "yargs/helpers";
 
 import { createBom, submitBom } from "../lib/cli/index.js";
 import { signBom, verifyBom } from "../lib/helpers/bomSigner.js";
+import { isCycloneDxBom } from "../lib/helpers/bomUtils.js";
 import {
   displaySelfThreatModel,
   printActivitySummary,
@@ -45,6 +46,7 @@ import {
   isHbomOnlyProjectTypes,
 } from "../lib/helpers/hbom.js";
 import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
+import { importProtobomModule } from "../lib/helpers/protobomLoader.js";
 import {
   cleanupSourceDir,
   findGitRefForPurlVersion,
@@ -129,6 +131,10 @@ for (const configPattern of configPaths) {
 }
 
 const _yargs = yargs(hideBin(process.argv));
+const invokedCommandName = basename(process.argv[1] || "cdxgen").replace(
+  /\.(?:[cm]?js|exe)$/u,
+  "",
+);
 
 const args = _yargs
   .env("CDXGEN")
@@ -338,7 +344,7 @@ const args = _yargs
     description: "CycloneDX Specification version to use. Defaults to 1.7",
     default: 1.7,
     type: "number",
-    choices: [1.4, 1.5, 1.6, 1.7],
+    choices: [1.4, 1.5, 1.6, 1.7, 2.0],
   })
   .option("filter", {
     description:
@@ -586,7 +592,7 @@ const args = _yargs
   ])
   .epilogue("for documentation, visit https://cdxgen.github.io/cdxgen")
   .config(config)
-  .scriptName("cdxgen")
+  .scriptName(invokedCommandName || "cdxgen")
   .version(retrieveCdxgenVersion())
   .alias("v", "version")
   .help(false)
@@ -666,13 +672,13 @@ if (
   }
 }
 // Support for obom/cbom aliases
-if (process.argv[1].includes("obom") && !args.type) {
-  args.type = "os";
+if (invokedCommandName.includes("obom") && !args.type) {
+  args.type = ["os"];
   thoughtLog(
     "Ok, the user wants to generate an Operations Bill-of-Materials (OBOM).",
   );
 }
-if (process.argv[1].includes("spdxgen") && !args.format) {
+if (invokedCommandName.includes("spdxgen") && !args.format) {
   args.format = "spdx";
   thoughtLog("Ok, defaulting the export format to SPDX.");
 }
@@ -732,13 +738,13 @@ if (!options.projectType) {
   );
 }
 // Handle dedicated cbom and saasbom commands
-if (["cbom", "saasbom"].includes(process.argv[1])) {
-  if (process.argv[1].includes("cbom")) {
+if (["cbom", "saasbom"].includes(invokedCommandName)) {
+  if (invokedCommandName.includes("cbom")) {
     thoughtLog(
       "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
     );
     options.includeCrypto = true;
-  } else if (process.argv[1].includes("saasbom")) {
+  } else if (invokedCommandName.includes("saasbom")) {
     thoughtLog(
       "Ok, the user wants to generate a Software as a Service Bill-of-Materials (SaaSBOM). I should carefully collect the services, endpoints, and data flows.",
     );
@@ -752,7 +758,7 @@ if (["cbom", "saasbom"].includes(process.argv[1])) {
   options.specVersion = 1.7;
   options.deep = true;
 }
-if (process.argv[1].includes("cdxgen-secure")) {
+if (invokedCommandName.includes("cdxgen-secure")) {
   thoughtLog(
     "Ok, the user wants cdxgen to run in secure mode by default. Let's try and use the permissions api.",
   );
@@ -1710,7 +1716,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   if (
     outputPlan.formats.has("spdx") &&
     bomNSData?.bomJson &&
-    bomNSData?.bomJson?.bomFormat === "CycloneDX"
+    isCycloneDxBom(bomNSData.bomJson)
   ) {
     thoughtLog(
       "Preparing the SPDX 3.0.1 export from the validated CycloneDX BOM.",
@@ -1840,7 +1846,22 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         target: options.protoBinFile,
       });
     } else {
-      const protobomModule = await import("../lib/helpers/protobom.js");
+      const protobomModule = await importProtobomModule(
+        invokedCommandName || "cdxgen",
+        "protobuf export",
+      );
+      try {
+        protobomModule.assertProtoSupportedSpecVersion(
+          bomNSData?.bomJson?.specVersion || options.specVersion,
+          "protobuf export",
+        );
+      } catch (error) {
+        console.error(error.message);
+        if (cleanup) {
+          cleanupSourceDir(srcDir);
+        }
+        process.exit(1);
+      }
       protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
       thoughtLog("BOM file is also available in .proto format!");
     }

package/bin/convert.js

@@ -10,8 +10,13 @@ import { hideBin } from "yargs/helpers";
 import {
   getNonCycloneDxErrorMessage,
   isCycloneDxBom,
+  toCycloneDxSpecVersionString,
 } from "../lib/helpers/bomUtils.js";
 import { deriveSpdxOutputPath } from "../lib/helpers/exportUtils.js";
+import {
+  importProtobomModule,
+  isProtoBomPath,
+} from "../lib/helpers/protobomLoader.js";
 import {
   retrieveCdxgenVersion,
   safeExistsSync,
@@ -56,14 +61,13 @@ const loadCycloneDxBom = async (inputPath) => {
     console.error(`Input file '${inputPath}' not found.`);
     process.exit(1);
   }
-  const normalizedInputPath = `${inputPath}`.toLowerCase();
-  const isProtoInput =
-    normalizedInputPath.endsWith(".cdx") ||
-    normalizedInputPath.endsWith(".cdx.bin") ||
-    normalizedInputPath.endsWith(".proto");
+  const isProtoInput = isProtoBomPath(inputPath);
   try {
     if (isProtoInput) {
-      const { readBinary } = await import("../lib/helpers/protobom.js");
+      const { readBinary } = await importProtobomModule(
+        "cdx-convert",
+        "protobuf BOM input",
+      );
       return readBinary(inputPath, true);
     }
     return JSON.parse(fs.readFileSync(inputPath, "utf8"));
@@ -82,8 +86,8 @@ if (!isCycloneDxBom(bomJson)) {
   console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-convert"));
   process.exit(1);
 }
-const cdxSpecVersion = Number.parseFloat(`${bomJson?.specVersion || ""}`);
-if (![1.6, 1.7].includes(cdxSpecVersion)) {
+const cdxSpecVersion = toCycloneDxSpecVersionString(bomJson?.specVersion);
+if (!["1.6", "1.7"].includes(cdxSpecVersion)) {
   console.error(
     `Unsupported CycloneDX specVersion '${bomJson?.specVersion}'. cdx-convert currently supports CycloneDX 1.6 or 1.7 input and exports SPDX 3.0.1.`,
   );

package/bin/evinse.js

@@ -51,15 +51,30 @@ const args = yargs(hideBin(process.argv))
       "py",
       "python",
       "android",
+      "csharp",
+      "cs",
       "c",
       "cpp",
+      "dotnet",
       "php",
       "swift",
       "ios",
       "ruby",
       "scala",
+      "vb",
+      "vbnet",
+      "visualbasic",
+      "f#",
+      "fs",
+      "fsharp",
     ],
   })
+  .option("profile", {
+    description:
+      "Evidence profile. The research profile enables dosai data-flow and crypto analysis for .NET projects.",
+    default: "generic",
+    choices: ["generic", "research"],
+  })
   .option("db-path", {
     description: "Atom slices DB path. Unused",
     default: undefined,

package/bin/hbom.js

@@ -16,6 +16,10 @@ import {
 } from "../lib/helpers/hbom.js";
 import { getHbomSummary } from "../lib/helpers/hbomAnalysis.js";
 import { thoughtLog } from "../lib/helpers/logger.js";
+import {
+  importProtobomModule,
+  isProtoBomPath,
+} from "../lib/helpers/protobomLoader.js";
 import {
   DEBUG_MODE,
   isDryRun,
@@ -317,13 +321,11 @@ async function loadBomFromInputFile(inputFile) {
   if (!inputFile || !safeExistsSync(inputFile)) {
     throw new Error(`HBOM input file not found: ${inputFile}`);
   }
-  const normalizedInputFile = `${inputFile}`.toLowerCase();
-  if (
-    normalizedInputFile.endsWith(".cdx") ||
-    normalizedInputFile.endsWith(".cdx.bin") ||
-    normalizedInputFile.endsWith(".proto")
-  ) {
-    const { readBinary } = await import("../lib/helpers/protobom.js");
+  if (isProtoBomPath(inputFile)) {
+    const { readBinary } = await importProtobomModule(
+      hbomCommandName,
+      "protobuf BOM input",
+    );
     return readBinary(inputFile, true);
   }
   return JSON.parse(readFileSync(inputFile, { encoding: "utf8" }));
@@ -471,7 +473,10 @@ async function runDiagnosticsCommand() {
     if (protoOutputDirectory && !safeExistsSync(protoOutputDirectory)) {
       safeMkdirSync(protoOutputDirectory, { recursive: true });
     }
-    const { writeBinary } = await import("../lib/helpers/protobom.js");
+    const { writeBinary } = await importProtobomModule(
+      hbomCommandName,
+      "protobuf export",
+    );
     writeBinary(bomJson, options.protoBinFile);
     thoughtLog(
       `Let's also save the HBOM protobuf binary to '${options.protoBinFile}'.`,

package/bin/repl.js

@@ -32,7 +32,10 @@ import {
   getUnpackagedExecutableComponents,
   getUnpackagedSharedLibraryComponents,
 } from "../lib/helpers/inventoryStats.js";
-import { readBinary } from "../lib/helpers/protobom.js";
+import {
+  importProtobomModule,
+  isProtoBomPath,
+} from "../lib/helpers/protobomLoader.js";
 import {
   getProvenanceComponents,
   getTrustedComponents,
@@ -360,7 +363,7 @@ if (!process.env.CDXGEN_REPL_HISTORY && !safeExistsSync(historyConfigDir)) {
   historyFile = join(historyConfigDir, ".repl_history");
 }
 
-export const importSbom = (sbomOrPath) => {
+export const importSbom = async (sbomOrPath) => {
   const importTarget = String(sbomOrPath || "").trim();
   if (!importTarget) {
     console.log("⚠ An SBOM path or image reference is required.");
@@ -403,10 +406,11 @@ export const importSbom = (sbomOrPath) => {
         `⚠ Unable to import the BOM from ${importTarget} due to ${e}`,
       );
     }
-  } else if (
-    (importTarget.endsWith(".cdx") || importTarget.endsWith(".proto")) &&
-    safeExistsSync(importTarget)
-  ) {
+  } else if (isProtoBomPath(importTarget) && safeExistsSync(importTarget)) {
+    const { readBinary } = await importProtobomModule(
+      "cdxi",
+      "protobuf BOM input",
+    );
     sbom = readBinary(importTarget, true);
     printSummary(sbom);
   } else if (isSupportedSbomRegistryReference(importTarget)) {
@@ -430,7 +434,7 @@ export const importSbom = (sbomOrPath) => {
 };
 // Load any sbom passed from the command line
 if (process.argv.length > 2) {
-  importSbom(process.argv[process.argv.length - 1]);
+  await importSbom(process.argv[process.argv.length - 1]);
   console.log("💭 Type .print to view the BOM as a table");
   console.log("💭 Type .trusted to list components with trusted publishing.");
   console.log(
@@ -448,7 +452,7 @@ if (process.argv.length > 2) {
   }
 } else if (safeExistsSync("bom.json")) {
   // If the current directory has a bom.json load it
-  importSbom("bom.json");
+  await importSbom("bom.json");
 } else {
   console.log("💭 Use .create <path> to create an SBOM for the given path.");
   console.log("💭 Use .import <json> to import an existing BOM.");
@@ -518,9 +522,9 @@ cdxgenRepl.defineCommand("create", {
 });
 cdxgenRepl.defineCommand("import", {
   help: "import an existing BOM",
-  action(sbomOrPath) {
+  async action(sbomOrPath) {
     this.clearBufferedCommand();
-    importSbom(sbomOrPath);
+    await importSbom(sbomOrPath);
     this.displayPrompt();
   },
 });

package/bin/validate.js

@@ -23,6 +23,10 @@ import {
   getNonCycloneDxErrorMessage,
   isCycloneDxBom,
 } from "../lib/helpers/bomUtils.js";
+import {
+  importProtobomModule,
+  isProtoBomPath,
+} from "../lib/helpers/protobomLoader.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -131,14 +135,12 @@ const args = _yargs
 
 async function loadBom(input, platform) {
   if (safeExistsSync(input)) {
-    const normalizedInput = `${input}`.toLowerCase();
     try {
-      if (
-        normalizedInput.endsWith(".cdx") ||
-        normalizedInput.endsWith(".cdx.bin") ||
-        normalizedInput.endsWith(".proto")
-      ) {
-        const { readBinary } = await import("../lib/helpers/protobom.js");
+      if (isProtoBomPath(input)) {
+        const { readBinary } = await importProtobomModule(
+          "cdx-validate",
+          "protobuf BOM input",
+        );
         return readBinary(input, true);
       }
       return JSON.parse(fs.readFileSync(input, "utf8"));
@@ -193,12 +195,7 @@ function isLocalProtoBomInput(input) {
   if (!safeExistsSync(input)) {
     return false;
   }
-  const normalizedInput = `${input}`.toLowerCase();
-  return (
-    normalizedInput.endsWith(".cdx") ||
-    normalizedInput.endsWith(".cdx.bin") ||
-    normalizedInput.endsWith(".proto")
-  );
+  return isProtoBomPath(input);
 }
 
 const bomJson = await loadBom(args.input, args.platform);

package/bin/verify.js

@@ -12,6 +12,7 @@ import {
   getNonCycloneDxErrorMessage,
   isCycloneDxBom,
 } from "../lib/helpers/bomUtils.js";
+import { isProtoBomPath } from "../lib/helpers/protobomLoader.js";
 import {
   dirNameStr,
   retrieveCdxgenVersion,
@@ -78,16 +79,13 @@ if (process.env?.CDXGEN_NODE_OPTIONS) {
 
 async function getBom(args) {
   if (safeExistsSync(args.input)) {
-    const normalizedInput = `${args.input}`.toLowerCase();
+    if (isProtoBomPath(args.input)) {
+      console.log(
+        "cdx-verify: protobuf BOM input does not currently preserve JSF signature blocks. Verify signatures against the source JSON BOM instead.",
+      );
+      process.exit(1);
+    }
     try {
-      if (
-        normalizedInput.endsWith(".cdx") ||
-        normalizedInput.endsWith(".cdx.bin") ||
-        normalizedInput.endsWith(".proto")
-      ) {
-        const { readBinary } = await import("../lib/helpers/protobom.js");
-        return readBinary(args.input, true);
-      }
       return JSON.parse(fs.readFileSync(args.input, "utf8"));
     } catch (error) {
       console.log(`Failed to parse '${args.input}': ${error.message}`);
@@ -104,20 +102,7 @@ async function getBom(args) {
   return undefined;
 }
 
-function isLocalProtoBomInput(input) {
-  if (!safeExistsSync(input)) {
-    return false;
-  }
-  const normalizedInput = `${input}`.toLowerCase();
-  return (
-    normalizedInput.endsWith(".cdx") ||
-    normalizedInput.endsWith(".cdx.bin") ||
-    normalizedInput.endsWith(".proto")
-  );
-}
-
 const bomJson = await getBom(args);
-const inputIsLocalProtoBom = isLocalProtoBomInput(args.input);
 
 if (!bomJson) {
   console.log(`${args.input} is invalid!`);
@@ -128,13 +113,6 @@ if (!isCycloneDxBom(bomJson)) {
   process.exit(1);
 }
 
-if (inputIsLocalProtoBom) {
-  console.log(
-    "cdx-verify: protobuf BOM input does not currently preserve JSF signature blocks. Verify signatures against the source JSON BOM instead.",
-  );
-  process.exit(1);
-}
-
 if (bomJson && !safeExistsSync(args.publicKey)) {
   console.log("Public key for signature verification is missing!");
   process.exit(1);