@cyclonedx/cdxgen 12.4.0 → 12.4.2

package/lib/audit/index.js

@@ -6,6 +6,7 @@ import process from "node:process";
 import { createBom } from "../cli/index.js";
 import { DEFAULT_HBOM_AUDIT_CATEGORIES } from "../helpers/auditCategories.js";
 import {
+  getCycloneDxFormat,
   getNonCycloneDxErrorMessage,
   isCycloneDxBom,
 } from "../helpers/bomUtils.js";
@@ -230,7 +231,7 @@ export async function runDirectBomAuditFromBoms(inputBoms, options = {}) {
     const findings = await auditBom(inputBom.bomJson, directAuditOptions);
     results.push({
       auditOptions: directAuditOptions,
-      bomFormat: inputBom.bomJson?.bomFormat,
+      bomFormat: getCycloneDxFormat(inputBom.bomJson),
       findings,
       serialNumber: inputBom.bomJson?.serialNumber,
       source: inputBom.source,

package/lib/cli/index.js

@@ -41,8 +41,15 @@ import {
   rewriteExtractedArchivePaths,
 } from "../helpers/asarutils.js";
 import { expandBomAuditCategories } from "../helpers/auditCategories.js";
+import {
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
+} from "../helpers/bomUtils.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
-import { collectSourceCryptoComponents } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  collectSourceCryptoComponents,
+} from "../helpers/cbomutils.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
   collectChromeExtensionsFromPath,
@@ -54,6 +61,13 @@ import {
   mergeServices,
   trimComponents,
 } from "../helpers/depsUtils.js";
+import {
+  collectDosaiServicesFromMethods,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+  normalizeDosaiServiceMap,
+  readDosaiJsonFile,
+} from "../helpers/dosai.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import {
   createHbomDocument,
@@ -242,7 +256,6 @@ import {
   enrichOSComponentsWithTrustData,
   executeOsQuery,
   getBinaryBom,
-  getDotnetSlices,
   getOSPackages,
   getPluginToolComponents,
 } from "../managers/binary.js";
@@ -396,6 +409,27 @@ const hasExplicitProjectTypeSelection = (options, baseProjectType) => {
   );
 };
 
+const hasDotnetProjectIndicators = (src, options = {}) => {
+  return Boolean(
+    getAllFiles(src, "**/*.{csproj,fsproj,vbproj,sln}", options)?.length,
+  );
+};
+
+const shouldCollectDosaiCrypto = (src, options = {}) => {
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (projectTypes.some((projectType) => isDosaiDotnetLanguage(projectType))) {
+    return true;
+  }
+  if (!projectTypes.length || projectTypes.includes("universal")) {
+    return hasDotnetProjectIndicators(src, options);
+  }
+  return false;
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -1393,13 +1427,16 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     // CycloneDX Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || "1.7"}`,
+      specVersion: toCycloneDxSpecVersionString(options.specVersion || "1.7"),
       serialNumber: serialNum,
       version: 1,
       metadata: metadata,
       components,
       dependencies,
     };
+    setCycloneDxFormat(jsonTpl, jsonTpl.specVersion, {
+      preserveLegacyBomFormat: true,
+    });
     if (services.length) {
       jsonTpl.services = mergeServices([], services);
     }
@@ -7735,6 +7772,7 @@ export async function createCsharpBom(path, options) {
     }
   }
   const pkgNameVersions = {};
+  let services = [];
   if (csProjFiles.length) {
     manifestFiles = manifestFiles.concat(csProjFiles);
     // Parsing csproj is quite error-prone. Some project files may not have versions specified
@@ -7796,21 +7834,30 @@ export async function createCsharpBom(path, options) {
     // Perform deep analysis using dosai
     if (options.deep) {
       const slicesFile = resolve(
-        join(path, options.depsSlicesFile) || join(getTmpDir(), "dosai.json"),
+        options.depsSlicesFile
+          ? join(path, options.depsSlicesFile)
+          : join(getTmpDir(), "dosai.json"),
       );
       // Create the slices file if it doesn't exist
       if (!safeExistsSync(slicesFile)) {
         thoughtLog(
           "Alright, the next step is to invoke the dosai command to identify evidence of occurrences for various components.",
         );
-        const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
+        const sliceResult = createDosaiMethodsSlice(
+          resolve(path),
+          resolve(slicesFile),
+          options,
+        );
         if (!sliceResult && DEBUG_MODE) {
           console.log(
             "Slicing with dosai was unsuccessful. Check the errors reported in the logs above.",
           );
         }
       }
-      pkgList = addEvidenceForDotnet(pkgList, slicesFile, options);
+      pkgList = addEvidenceForDotnet(pkgList, slicesFile);
+      const methodsSlice = readDosaiJsonFile(slicesFile);
+      const servicesMap = collectDosaiServicesFromMethods(methodsSlice, {});
+      services = normalizeDosaiServiceMap(servicesMap);
     }
   }
   // Parent dependency tree
@@ -7836,6 +7883,8 @@ export async function createCsharpBom(path, options) {
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
+    services,
+    tools: options.deep ? getPluginToolComponents(["dosai"]) : [],
   });
 }
 
@@ -8347,6 +8396,15 @@ export async function createCryptoCertsBom(path, options) {
   if (sourceCryptoComponents.length) {
     pkgList.push(...sourceCryptoComponents);
   }
+  if (shouldCollectDosaiCrypto(path, options)) {
+    const dosaiCryptoComponents = await collectDosaiCryptoComponents(
+      path,
+      options,
+    );
+    if (dosaiCryptoComponents.length) {
+      pkgList.push(...dosaiCryptoComponents);
+    }
+  }
   return {
     bomJson: {
       components: pkgList,
@@ -8392,16 +8450,19 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     options,
     parentComponent,
     components,
-    bomJson: {
-      bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || 1.7}`,
-      serialNumber: serialNum,
-      version: 1,
-      metadata: addMetadata(parentComponent, options, {}),
-      components,
-      services: options.services || [],
-      dependencies,
-    },
+    bomJson: setCycloneDxFormat(
+      {
+        specVersion: toCycloneDxSpecVersionString(options.specVersion || 1.7),
+        serialNumber: serialNum,
+        version: 1,
+        metadata: addMetadata(parentComponent, options, {}),
+        components,
+        services: options.services || [],
+        dependencies,
+      },
+      options.specVersion || 1.7,
+      { preserveLegacyBomFormat: true },
+    ),
   };
 }
 

package/lib/cli/index.poku.js

@@ -286,6 +286,86 @@ describe("CLI tests", () => {
       );
       assert.strictEqual(components[0].type, "data");
     });
+
+    it("does not invoke dosai crypto analysis for non-.NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-non-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["js"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.notCalled(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis for explicit .NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([
+        {
+          name: "sha-256",
+          type: "cryptographic-asset",
+          "bom-ref": "crypto/algorithm/sha-256@2.16.840.1.101.3.4.2.1",
+          cryptoProperties: {
+            assetType: "algorithm",
+            oid: "2.16.840.1.101.3.4.2.1",
+          },
+        },
+      ]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        const bomData = await createCryptoCertsBom(tempDir, {
+          projectType: ["dotnet"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+        assert.strictEqual(bomData.bomJson.components[0].name, "sha-256");
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis when universal scans contain .NET project files", async () => {
+      const tempDir = mkdtempSync(
+        join(tmpdir(), "cdxgen-cbom-dotnet-indicator-"),
+      );
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        writeFileSync(join(tempDir, "app.csproj"), "<Project />");
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["universal"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
   });
 
   describe("distribution filters", () => {
@@ -623,6 +703,7 @@ describe("CLI tests", () => {
               false,
             );
           },
+          isolateDepsSlicesFile: true,
           expectedSpecVersion: (specVersion) => specVersion,
           name: "cbom",
         },
@@ -651,6 +732,13 @@ describe("CLI tests", () => {
               fixtureRoot,
               `${scenario.name}-${specVersion}.spdx.json`,
             );
+            const depsSlicesPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.deps.slices.json`,
+            );
+            const depsSlicesArgs = scenario.isolateDepsSlicesFile
+              ? ["--deps-slices-file", depsSlicesPath]
+              : [];
             const generateResult = spawnSync(
               process.execPath,
               [
@@ -660,6 +748,7 @@ describe("CLI tests", () => {
                 jsonPath,
                 "--spec-version",
                 specVersion,
+                ...depsSlicesArgs,
                 "--export-proto",
                 "--proto-bin-file",
                 protoPath,
@@ -738,6 +827,114 @@ describe("CLI tests", () => {
             scenario.assertRoundTrip(roundTrippedBom);
           }
         }
+        assert.strictEqual(
+          existsSync(join(repoDir, "deps.slices.json")),
+          false,
+          "protobuf round-trip tests must not leave deps.slices.json in the repository root",
+        );
+      } finally {
+        rmSync(join(repoDir, "deps.slices.json"), { force: true });
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+  });
+
+  describe("CycloneDX 2.0 JSON output", () => {
+    it("generates valid experimental 2.0-dev JSON with specFormat", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-json20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          generateResult.status,
+          0,
+          `${generateResult.stdout}${generateResult.stderr}`,
+        );
+
+        const generatedBom = JSON.parse(readFileSync(jsonPath, "utf8"));
+        assert.strictEqual(generatedBom.specFormat, "CycloneDX");
+        assert.strictEqual(generatedBom.bomFormat, undefined);
+        assert.strictEqual(generatedBom.specVersion, "2.0");
+        assert.ok(Array.isArray(generatedBom.metadata?.tools?.components));
+
+        const validateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "validate.js"),
+            "-i",
+            jsonPath,
+            "--fail-severity",
+            "critical",
+            "--no-deep",
+            "--report",
+            "json",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          validateResult.status,
+          0,
+          `${validateResult.stdout}${validateResult.stderr}`,
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("rejects experimental 2.0-dev protobuf export until cdx-proto supports it", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-proto20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const protoPath = join(fixtureRoot, "bom-2.0.cdx");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--export-proto",
+            "--proto-bin-file",
+            protoPath,
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(generateResult.status, 1);
+        assert.match(
+          `${generateResult.stdout}${generateResult.stderr}`,
+          /CycloneDX 2\.0 is not currently supported for protobuf export/i,
+        );
       } finally {
         rmSync(fixtureRoot, { force: true, recursive: true });
       }

package/lib/evinser/evinser.js

@@ -4,7 +4,19 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
-import { findCryptoAlgos } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  findCryptoAlgos,
+} from "../helpers/cbomutils.js";
+import { mergeServices } from "../helpers/depsUtils.js";
+import {
+  collectDosaiDataFlowFrames,
+  collectDosaiPurlEvidence,
+  collectDosaiServicesFromMethods,
+  createDosaiDataFlowSlice,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+} from "../helpers/dosai.js";
 import { parseOccurrenceEvidenceLocation } from "../helpers/evidenceUtils.js";
 import {
   collectGradleDependencies,
@@ -230,6 +242,8 @@ export async function createSlice(
     language = "python";
   } else if (PROJECT_TYPE_ALIASES.scala.includes(language)) {
     language = "scala";
+  } else if (isDosaiDotnetLanguage(language)) {
+    language = "csharp";
   }
   if (
     PROJECT_TYPE_ALIASES.swift.includes(language) &&
@@ -270,6 +284,33 @@ export async function createSlice(
     }
     return { tempDir: sliceOutputDir, tempDirOwned, slicesFile };
   }
+  if (isDosaiDotnetLanguage(language)) {
+    console.log(
+      `Creating ${sliceType} slice for ${resolve(filePath)} using dosai. Please wait ...`,
+    );
+    const sliceResult =
+      sliceType === "data-flow"
+        ? createDosaiDataFlowSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          )
+        : createDosaiMethodsSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          );
+    if (!sliceResult) {
+      console.warn(
+        `Unable to generate ${sliceType} slice using dosai. Check if this is a supported .NET project.`,
+      );
+    }
+    return {
+      tempDir: sliceOutputDir,
+      tempDirOwned,
+      slicesFile,
+    };
+  }
   console.log(
     `Creating ${sliceType} slice for ${resolve(filePath)}. Please wait ...`,
   );
@@ -393,6 +434,9 @@ export function purlToLanguage(purl, filePath) {
     case "gem":
       language = "ruby";
       break;
+    case "nuget":
+      language = "csharp";
+      break;
     case "generic":
       language = "c";
   }
@@ -474,6 +518,77 @@ export async function analyzeProject(dbObjMap, options) {
   // Load any existing purl-location information from the sbom.
   // For eg: cdxgen populates this information for javascript projects
   let { purlLocationMap, purlImportsMap } = initFromSbom(components, language);
+  if (isDosaiDotnetLanguage(language)) {
+    if (options.profile === "research") {
+      options.withDataFlow = true;
+      options.includeCrypto = true;
+    }
+    if (
+      options.usagesSlicesFile &&
+      usableSlicesFile(options.usagesSlicesFile)
+    ) {
+      usageSlice = JSON.parse(
+        fs.readFileSync(options.usagesSlicesFile, "utf-8"),
+      );
+      usagesSlicesFile = options.usagesSlicesFile;
+    } else {
+      retMap = await createSlice(language, dirPath, "usages", options);
+      if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+        usageSlice = JSON.parse(fs.readFileSync(retMap.slicesFile, "utf-8"));
+        usagesSlicesFile = retMap.slicesFile;
+      }
+    }
+    if (usageSlice && Object.keys(usageSlice).length) {
+      const dosaiEvidence = collectDosaiPurlEvidence(usageSlice, components);
+      for (const [purl, locations] of Object.entries(
+        dosaiEvidence.purlLocationMap,
+      )) {
+        purlLocationMap[purl] ??= new Set();
+        for (const location of locations) {
+          purlLocationMap[purl].add(location);
+        }
+      }
+      servicesMap = collectDosaiServicesFromMethods(usageSlice, servicesMap);
+      userDefinedTypesMap = {};
+    }
+    if (options.withDataFlow) {
+      if (
+        options.dataFlowSlicesFile &&
+        safeExistsSync(options.dataFlowSlicesFile)
+      ) {
+        dataFlowSlicesFile = options.dataFlowSlicesFile;
+        dataFlowSlice = JSON.parse(
+          fs.readFileSync(options.dataFlowSlicesFile, "utf-8"),
+        );
+      } else {
+        retMap = await createSlice(language, dirPath, "data-flow", options);
+        if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+          dataFlowSlicesFile = retMap.slicesFile;
+          dataFlowSlice = JSON.parse(
+            fs.readFileSync(retMap.slicesFile, "utf-8"),
+          );
+        }
+      }
+      if (dataFlowSlice && Object.keys(dataFlowSlice).length) {
+        dataFlowFrames = collectDosaiDataFlowFrames(dataFlowSlice, components);
+      }
+    }
+    if (options.includeCrypto) {
+      cryptoComponents = await collectDosaiCryptoComponents(dirPath, options);
+    }
+    return {
+      usagesSlicesFile,
+      dataFlowSlicesFile,
+      purlLocationMap,
+      servicesMap,
+      dataFlowFrames,
+      tempDir: retMap?.tempDir,
+      tempDirOwned: retMap?.tempDirOwned,
+      userDefinedTypesMap,
+      cryptoComponents,
+      cryptoGeneratePurls,
+    };
+  }
   // Do reachables first so that usages slicing can reuse the atom file
   // We need reachables slicing even when trying to infer crypto packages
   if (options.withReachables || options.includeCrypto) {
@@ -1472,8 +1587,8 @@ export function createEvinseFile(sliceArtefacts, options) {
         properties: servicesMap[serviceName].properties,
       });
     }
-    // Add to existing services
-    bomJson.services = (bomJson.services || []).concat(services);
+    // Add to existing services while preserving CycloneDX uniqueItems validity
+    bomJson.services = mergeServices(bomJson.services || [], services);
     servicesPresent = true;
   }
   // Add the crypto components to the components list