@cyclonedx/cdxgen 12.4.0 → 12.4.2

package/lib/helpers/bomUtils.js

@@ -1,8 +1,16 @@
 const SPDX_CONTEXT_PREFIX = "https://spdx.org/rdf/";
 const CYCLONEDX_FORMAT = "CycloneDX";
+const LEGACY_CYCLONEDX_ROOT_KEY = "bomFormat";
+const MODERN_CYCLONEDX_ROOT_KEY = "specFormat";
 const BOM_FORMAT_CYCLONEDX = "cyclonedx";
 const BOM_FORMAT_SPDX = "spdx";
 const BOM_FORMAT_UNKNOWN = "unknown";
+const CYCLONEDX_SPEC_VERSION_PATTERN = /^(\d+)(?:\.(\d+))?$/u;
+const CYCLONEDX_FORMAT_KEYS = new Set([
+  LEGACY_CYCLONEDX_ROOT_KEY,
+  MODERN_CYCLONEDX_ROOT_KEY,
+  "specVersion",
+]);
 
 export const isSpdxJsonLd = (bomJson) =>
   Boolean(
@@ -11,8 +19,154 @@ export const isSpdxJsonLd = (bomJson) =>
       bomJson["@graph"].some((element) => element?.type === "SpdxDocument"),
   );
 
+const parseCycloneDxSpecVersion = (specVersion) => {
+  const match = `${specVersion ?? ""}`
+    .trim()
+    .match(CYCLONEDX_SPEC_VERSION_PATTERN);
+  if (!match) {
+    return undefined;
+  }
+  return {
+    major: Number.parseInt(match[1], 10),
+    minor: Number.parseInt(match[2] || "0", 10),
+    minorText: match[2] || "0",
+  };
+};
+
+export const normalizeCycloneDxSpecVersion = (specVersion) => {
+  const parsed = parseCycloneDxSpecVersion(specVersion);
+  if (!parsed) {
+    return undefined;
+  }
+  return Number(`${parsed.major}.${parsed.minor}`);
+};
+
+export const toCycloneDxSpecVersionString = (specVersion) => {
+  const parsed = parseCycloneDxSpecVersion(specVersion);
+  if (!parsed) {
+    return undefined;
+  }
+  if (typeof specVersion === "string" && parsed.minorText !== "0") {
+    return `${parsed.major}.${parsed.minorText}`;
+  }
+  return `${parsed.major}.${parsed.minor}`;
+};
+
+export const isCycloneDxSpecVersionAtLeast = (specVersion, minimumVersion) => {
+  const parsedSpecVersion = parseCycloneDxSpecVersion(specVersion);
+  const parsedMinimumVersion = parseCycloneDxSpecVersion(minimumVersion);
+  if (!parsedSpecVersion || !parsedMinimumVersion) {
+    return false;
+  }
+  if (parsedSpecVersion.major !== parsedMinimumVersion.major) {
+    return parsedSpecVersion.major > parsedMinimumVersion.major;
+  }
+  return parsedSpecVersion.minor >= parsedMinimumVersion.minor;
+};
+
+export const isCycloneDx20SpecVersion = (specVersion) =>
+  isCycloneDxSpecVersionAtLeast(specVersion, 2);
+
+export const getCycloneDxRootFormatKey = (specVersionOrBom) => {
+  const specVersion =
+    specVersionOrBom && typeof specVersionOrBom === "object"
+      ? specVersionOrBom.specVersion
+      : specVersionOrBom;
+  return isCycloneDx20SpecVersion(specVersion)
+    ? MODERN_CYCLONEDX_ROOT_KEY
+    : LEGACY_CYCLONEDX_ROOT_KEY;
+};
+
+export const getCycloneDxFormat = (bomJson) =>
+  bomJson?.specFormat || bomJson?.bomFormat;
+
+export const hasCycloneDxFormat = (bomJson) =>
+  getCycloneDxFormat(bomJson) === CYCLONEDX_FORMAT;
+
 export const isCycloneDxBom = (bomJson) =>
-  bomJson?.bomFormat === CYCLONEDX_FORMAT && Boolean(bomJson?.specVersion);
+  hasCycloneDxFormat(bomJson) &&
+  normalizeCycloneDxSpecVersion(bomJson?.specVersion) !== undefined;
+
+const rewriteCycloneDxRootFields = (
+  bomJson,
+  rootKey,
+  specVersion,
+  preserveLegacyBomFormat,
+) => {
+  const remainingEntries = Object.entries(bomJson).filter(
+    ([key]) => !CYCLONEDX_FORMAT_KEYS.has(key),
+  );
+  for (const key of Object.keys(bomJson)) {
+    delete bomJson[key];
+  }
+  if (rootKey === LEGACY_CYCLONEDX_ROOT_KEY) {
+    bomJson.bomFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+  } else if (preserveLegacyBomFormat) {
+    bomJson.bomFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+    bomJson.specFormat = CYCLONEDX_FORMAT;
+  } else {
+    bomJson.specFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+  }
+  for (const [key, value] of remainingEntries) {
+    bomJson[key] = value;
+  }
+};
+
+/**
+ * Mutates a CycloneDX BOM object so the appropriate root format key is present
+ * for the requested spec version, while preserving conventional serialized
+ * root-key ordering (`bomFormat`/`specFormat` and `specVersion` first). Only the currently
+ * supported CycloneDX major.minor version shape is accepted; multi-component
+ * future versions such as `2.0.1` intentionally return `undefined` from the
+ * normalizer rather than being silently truncated.
+ *
+ * @param {object} bomJson BOM JSON object to mutate.
+ * @param {string|number} specVersion Desired CycloneDX spec version.
+ * @param {object} options Root-key compatibility options.
+ * @returns {object} The same `bomJson` object, after in-place mutation.
+ */
+export const setCycloneDxFormat = (
+  bomJson,
+  specVersion,
+  { preserveLegacyBomFormat = false } = {},
+) => {
+  if (!bomJson || typeof bomJson !== "object" || Array.isArray(bomJson)) {
+    return bomJson;
+  }
+  const resolvedSpecVersion =
+    toCycloneDxSpecVersionString(specVersion ?? bomJson.specVersion) ||
+    bomJson.specVersion;
+  if (resolvedSpecVersion !== undefined) {
+    bomJson.specVersion = resolvedSpecVersion;
+  }
+  if (
+    getCycloneDxRootFormatKey(resolvedSpecVersion) === MODERN_CYCLONEDX_ROOT_KEY
+  ) {
+    rewriteCycloneDxRootFields(
+      bomJson,
+      MODERN_CYCLONEDX_ROOT_KEY,
+      resolvedSpecVersion,
+      preserveLegacyBomFormat,
+    );
+    return bomJson;
+  }
+  rewriteCycloneDxRootFields(
+    bomJson,
+    LEGACY_CYCLONEDX_ROOT_KEY,
+    resolvedSpecVersion,
+    false,
+  );
+  return bomJson;
+};
 
 export const detectBomFormat = (bomJson) => {
   if (isCycloneDxBom(bomJson)) {

package/lib/helpers/bomUtils.poku.js

@@ -2,9 +2,16 @@ import { assert, describe, it } from "poku";
 
 import {
   detectBomFormat,
+  getCycloneDxFormat,
+  getCycloneDxRootFormatKey,
   getNonCycloneDxErrorMessage,
+  isCycloneDx20SpecVersion,
   isCycloneDxBom,
+  isCycloneDxSpecVersionAtLeast,
   isSpdxJsonLd,
+  normalizeCycloneDxSpecVersion,
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
 } from "./bomUtils.js";
 
 const sampleSpdx = {
@@ -13,7 +20,7 @@ const sampleSpdx = {
 };
 
 describe("bomUtils", () => {
-  it("detects CycloneDX documents", () => {
+  it("detects CycloneDX documents across root format styles", () => {
     assert.strictEqual(
       isCycloneDxBom({
         bomFormat: "CycloneDX",
@@ -21,6 +28,13 @@ describe("bomUtils", () => {
       }),
       true,
     );
+    assert.strictEqual(
+      isCycloneDxBom({
+        specFormat: "CycloneDX",
+        specVersion: "2.0",
+      }),
+      true,
+    );
     assert.strictEqual(isCycloneDxBom(sampleSpdx), false);
   });
 
@@ -35,6 +49,10 @@ describe("bomUtils", () => {
       detectBomFormat({ bomFormat: "CycloneDX", specVersion: "1.6" }),
       "cyclonedx",
     );
+    assert.strictEqual(
+      detectBomFormat({ specFormat: "CycloneDX", specVersion: "2.0" }),
+      "cyclonedx",
+    );
     assert.strictEqual(detectBomFormat({ foo: "bar" }), "unknown");
   });
 
@@ -48,4 +66,64 @@ describe("bomUtils", () => {
       "cdx-sign expects a CycloneDX JSON BOM.",
     );
   });
+
+  it("normalizes CycloneDX spec versions and capability checks", () => {
+    assert.strictEqual(normalizeCycloneDxSpecVersion("2.0"), 2);
+    assert.strictEqual(normalizeCycloneDxSpecVersion(undefined), undefined);
+    assert.strictEqual(normalizeCycloneDxSpecVersion("2.0.1"), undefined);
+    assert.strictEqual(toCycloneDxSpecVersionString(2), "2.0");
+    assert.strictEqual(toCycloneDxSpecVersionString("1.10"), "1.10");
+    assert.strictEqual(toCycloneDxSpecVersionString("2.0.1"), undefined);
+    assert.strictEqual(isCycloneDx20SpecVersion("2.0"), true);
+    assert.strictEqual(isCycloneDx20SpecVersion("1.7"), false);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast("2.0", 1.7), true);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast("1.10", "1.7"), true);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast(undefined, 1.7), false);
+  });
+
+  it("selects and writes the correct CycloneDX root format key", () => {
+    assert.strictEqual(getCycloneDxRootFormatKey("1.7"), "bomFormat");
+    assert.strictEqual(getCycloneDxRootFormatKey("2.0"), "specFormat");
+
+    const bom17 = setCycloneDxFormat(
+      { name: "demo", specVersion: "1.7" },
+      "1.7",
+    );
+    assert.strictEqual(bom17.bomFormat, "CycloneDX");
+    assert.strictEqual(bom17.specFormat, undefined);
+    assert.strictEqual(getCycloneDxFormat(bom17), "CycloneDX");
+    assert.deepStrictEqual(Object.keys(bom17), [
+      "bomFormat",
+      "specVersion",
+      "name",
+    ]);
+
+    const bom20Input = { name: "demo", specVersion: 2 };
+    const bom20 = setCycloneDxFormat(bom20Input, 2);
+    assert.strictEqual(bom20, bom20Input);
+    assert.strictEqual(bom20.specFormat, "CycloneDX");
+    assert.strictEqual(bom20.bomFormat, undefined);
+    assert.strictEqual(bom20.specVersion, "2.0");
+    assert.deepStrictEqual(Object.keys(bom20), [
+      "specFormat",
+      "specVersion",
+      "name",
+    ]);
+
+    const internalBom20 = setCycloneDxFormat(
+      { name: "demo", specVersion: 2 },
+      2,
+      {
+        preserveLegacyBomFormat: true,
+      },
+    );
+    assert.strictEqual(internalBom20.specFormat, "CycloneDX");
+    assert.strictEqual(internalBom20.bomFormat, "CycloneDX");
+    assert.deepStrictEqual(Object.keys(internalBom20), [
+      "bomFormat",
+      "specVersion",
+      "specFormat",
+      "name",
+    ]);
+  });
 });

package/lib/helpers/cbomutils.js

@@ -3,6 +3,7 @@ import { join } from "node:path";
 
 import { executeOsQuery } from "../managers/binary.js";
 import { detectJsCryptoInventory } from "./analyzer.js";
+import { analyzeDosaiCrypto } from "./dosai.js";
 import {
   createOccurrenceEvidence,
   formatOccurrenceEvidence,
@@ -239,16 +240,19 @@ function mergeAlgorithmComponentUsage(component, usage, src, options) {
     }
   }
   if (usage.source) {
+    const sourceType =
+      usage.source === "dosai" ? undefined : `js-ast:${usage.source}`;
     if (
+      sourceType &&
       !properties.some(
         (property) =>
           property.name === "cdx:crypto:sourceType" &&
-          property.value === `js-ast:${usage.source}`,
+          property.value === sourceType,
       )
     ) {
       properties.push({
         name: "cdx:crypto:sourceType",
-        value: `js-ast:${usage.source}`,
+        value: sourceType,
       });
     }
   }
@@ -271,6 +275,93 @@ function mergeAlgorithmComponentUsage(component, usage, src, options) {
   return component;
 }
 
+function normalizeDosaiCryptoNames(cryptoObject) {
+  const rawName = cryptoObject?.Name || cryptoObject;
+  const names = new Set([rawName]);
+  const cleanName = String(rawName || "").trim();
+  if (!cleanName) {
+    return [];
+  }
+  if (cleanName.includes("/")) {
+    for (const part of cleanName
+      .split("/")
+      .map((candidate) => candidate.trim())
+      .filter(Boolean)) {
+      names.add(part);
+    }
+  }
+  if (/^SHA-?256$/i.test(cleanName)) {
+    names.add("sha-256");
+  } else if (/^SHA-?384$/i.test(cleanName)) {
+    names.add("sha-384");
+  } else if (/^SHA-?512$/i.test(cleanName)) {
+    names.add("sha-512");
+  } else if (/^SHA-?1$/i.test(cleanName)) {
+    names.add("sha-1");
+  }
+  const context = [
+    cryptoObject?.Symbol,
+    cryptoObject?.Code,
+    cryptoObject?.Algorithm,
+  ]
+    .filter(Boolean)
+    .join(" ");
+  if (/^SHA-?2$/i.test(cleanName)) {
+    if (/SHA-?256/i.test(context)) {
+      names.add("sha-256");
+    }
+    if (/SHA-?384/i.test(context)) {
+      names.add("sha-384");
+    }
+    if (/SHA-?512/i.test(context)) {
+      names.add("sha-512");
+    }
+  }
+  return Array.from(names);
+}
+
+function dosaiCryptoUsage(assetOrOperation) {
+  const location = assetOrOperation.Location || {};
+  return {
+    fileName: location.Path || location.FileName,
+    lineNumber: location.LineNumber || undefined,
+    columnNumber: location.ColumnNumber || undefined,
+    primitive: assetOrOperation.Family || assetOrOperation.OperationType,
+    source: "dosai",
+  };
+}
+
+function addDosaiProperties(component, dosaiObject, evidenceType) {
+  const properties = component.properties || [];
+  const addProperty = (name, value) => {
+    if (value === undefined || value === null || value === "") {
+      return;
+    }
+    if (
+      !properties.some(
+        (property) =>
+          property.name === name && property.value === String(value),
+      )
+    ) {
+      properties.push({ name, value: String(value) });
+    }
+  };
+  addProperty("cdx:crypto:sourceType", `dosai:${evidenceType}`);
+  addProperty("cdx:dosai:crypto:id", dosaiObject.Id);
+  addProperty("cdx:dosai:crypto:strength", dosaiObject.Strength);
+  addProperty(
+    "cdx:dosai:crypto:reachableFromEntryPoint",
+    dosaiObject.ReachableFromEntryPoint,
+  );
+  if (dosaiObject.EntryPointIds?.length) {
+    addProperty(
+      "cdx:dosai:crypto:entryPointCount",
+      dosaiObject.EntryPointIds.length,
+    );
+  }
+  component.properties = properties;
+}
+
 export async function collectSourceCryptoComponents(src, options = {}) {
   const inventory = await detectJsCryptoInventory(src, Boolean(options.deep));
   const componentsByRef = new Map();
@@ -317,6 +408,75 @@ export async function collectSourceCryptoComponents(src, options = {}) {
   );
 }
 
+export async function collectDosaiCryptoComponents(src, options = {}) {
+  const dosaiCrypto = analyzeDosaiCrypto(src, options);
+  if (!dosaiCrypto) {
+    return [];
+  }
+  const componentsByRef = new Map();
+  const cryptoObjects = [
+    ...(dosaiCrypto.Assets || []).filter(
+      (asset) => asset.AssetType === "algorithm",
+    ),
+    ...(dosaiCrypto.Operations || []).map((operation) => ({
+      ...operation,
+      Name: operation.Algorithm,
+      Family: operation.OperationType,
+    })),
+  ];
+  for (const cryptoObject of cryptoObjects) {
+    for (const candidateName of normalizeDosaiCryptoNames(cryptoObject)) {
+      const normalizedName = normalizeDetectedCryptoAlgorithmName(
+        candidateName,
+        "algorithm",
+      );
+      const algorithmMetadata =
+        cbomCryptoOids[normalizedName] || cbomCryptoOids[candidateName];
+      if (!algorithmMetadata?.oid) {
+        continue;
+      }
+      const bomRef = cryptoAlgorithmBomRef(
+        normalizedName,
+        algorithmMetadata.oid,
+      );
+      const component = componentsByRef.get(bomRef) || {
+        type: "cryptographic-asset",
+        name: normalizedName,
+        "bom-ref": bomRef,
+        description:
+          algorithmMetadata.description ||
+          "Cryptographic algorithm detected by dosai source analysis",
+        cryptoProperties: {
+          assetType: "algorithm",
+          oid: algorithmMetadata.oid,
+        },
+        properties: [],
+      };
+      mergeAlgorithmComponentUsage(
+        component,
+        dosaiCryptoUsage(cryptoObject),
+        src,
+        options,
+      );
+      addDosaiProperties(
+        component,
+        cryptoObject,
+        cryptoObject.OperationType ? "operation" : "asset",
+      );
+      componentsByRef.set(bomRef, component);
+    }
+  }
+  const components = Array.from(componentsByRef.values());
+  components.forEach((component) => {
+    normalizeCryptoComponentEvidence(component, options);
+  });
+  return components.sort((left, right) =>
+    `${left.name}:${left["bom-ref"]}`.localeCompare(
+      `${right.name}:${right["bom-ref"]}`,
+    ),
+  );
+}
+
 /**
  * Find crypto algorithm in the given code snippet
  *

package/lib/helpers/cbomutils.poku.js

@@ -2,6 +2,7 @@ import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 
+import esmock from "esmock";
 import { assert, describe, it } from "poku";
 
 import {
@@ -248,4 +249,103 @@ describe("cbom utils", () => {
       rmSync(projectDir, { recursive: true, force: true });
     }
   });
+
+  it("collectDosaiCryptoComponents() maps dosai algorithms to CBOM components with OIDs", async () => {
+    const { collectDosaiCryptoComponents } = await esmock("./cbomutils.js", {
+      "./dosai.js": {
+        analyzeDosaiCrypto: () => ({
+          Assets: [
+            {
+              Id: "cas1",
+              AssetType: "algorithm",
+              Name: "SHA-256",
+              Family: "hash",
+              Strength: "strong",
+              Location: {
+                Path: "Program.cs",
+                FileName: "Program.cs",
+                LineNumber: 12,
+                ColumnNumber: 9,
+              },
+              ReachableFromEntryPoint: true,
+              EntryPointIds: ["ep1"],
+            },
+            {
+              Id: "cas2",
+              AssetType: "algorithm",
+              Name: "UnknownCipher",
+              Location: {
+                Path: "Program.cs",
+                FileName: "Program.cs",
+                LineNumber: 20,
+                ColumnNumber: 9,
+              },
+            },
+          ],
+          Operations: [
+            {
+              Id: "cop1",
+              OperationType: "hash",
+              Algorithm: "SHA-256",
+              Location: {
+                Path: "Program.cs",
+                FileName: "Program.cs",
+                LineNumber: 12,
+                ColumnNumber: 9,
+              },
+            },
+            {
+              Id: "cop2",
+              OperationType: "use",
+              Algorithm: "SHA-2",
+              Symbol: "SHA256.HashData",
+              Location: {
+                Path: "Program.vb",
+                FileName: "Program.vb",
+                LineNumber: 42,
+                ColumnNumber: 22,
+              },
+            },
+          ],
+        }),
+      },
+    });
+
+    const components = await collectDosaiCryptoComponents("/tmp/project", {
+      evidence: true,
+      specVersion: 1.7,
+    });
+
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].name, "sha-256");
+    assert.strictEqual(components[0].type, "cryptographic-asset");
+    assert.strictEqual(components[0].cryptoProperties.assetType, "algorithm");
+    assert.ok(components[0].cryptoProperties.oid);
+    assert.ok(
+      components[0].properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceType" &&
+          property.value === "dosai:operation",
+      ),
+    );
+    assert.ok(
+      !components[0].properties.some(
+        (property) =>
+          property.name === "cdx:crypto:sourceType" &&
+          ["dosai", "js-ast:dosai"].includes(property.value),
+      ),
+    );
+    assert.ok(
+      components[0].evidence.occurrences.some(
+        (occurrence) =>
+          occurrence.location === "Program.cs" && occurrence.line === 12,
+      ),
+    );
+    assert.ok(
+      components[0].evidence.occurrences.some(
+        (occurrence) =>
+          occurrence.location === "Program.vb" && occurrence.line === 42,
+      ),
+    );
+  });
 });

package/lib/helpers/ciParsers/githubActions.js

@@ -342,9 +342,21 @@ function normalizeRunnerLabels(runsOn) {
       .map((label) => label.trim())
       .filter(Boolean);
   }
+  if (typeof runsOn === "object") {
+    return normalizeRunnerLabels(runsOn.labels);
+  }
   return [];
 }
 
+function normalizeRunnerValue(runsOn) {
+  const labels = normalizeRunnerLabels(runsOn);
+  if (runsOn && typeof runsOn === "object" && !Array.isArray(runsOn)) {
+    const group = runsOn.group ? String(runsOn.group).trim() : "";
+    return [group, ...labels].filter(Boolean).join(",") || "unknown";
+  }
+  return labels.join(",") || "unknown";
+}
+
 function isSelfHostedRunner(runsOn) {
   return normalizeRunnerLabels(runsOn).some((label) =>
     label.toLowerCase().includes("self-hosted"),
@@ -1761,7 +1773,7 @@ function buildReusableWorkflowComponent(
     { name: "cdx:github:job:name", value: jobName },
     {
       name: "cdx:github:job:runner",
-      value: Array.isArray(jobRunner) ? jobRunner.join(",") : jobRunner,
+      value: normalizeRunnerValue(jobRunner),
     },
     { name: "cdx:github:reusableWorkflow:uses", value: uses },
     {
@@ -1951,7 +1963,7 @@ export function parseWorkflowFile(f, options) {
       { name: "cdx:github:job:name", value: jobName },
       {
         name: "cdx:github:job:runner",
-        value: Array.isArray(jobRunner) ? jobRunner.join(",") : jobRunner,
+        value: normalizeRunnerValue(jobRunner),
       },
     ];
     if (jobEnvironment) {
@@ -2042,7 +2054,7 @@ export function parseWorkflowFile(f, options) {
             { name: "cdx:github:job:name", value: jobName },
             {
               name: "cdx:github:job:runner",
-              value: Array.isArray(jobRunner) ? jobRunner.join(",") : jobRunner,
+              value: normalizeRunnerValue(jobRunner),
             },
             { name: "cdx:github:action:uses", value: step.uses },
             {

package/lib/helpers/ciParsers/githubActions.poku.js

@@ -180,6 +180,58 @@ describe("githubActionsParser", () => {
     }
   });
 
+  it("normalizes object-form runs-on values", () => {
+    const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-"));
+    const workflowFile = path.join(tmpDir, "object-runs-on.yml");
+    writeFileSync(
+      workflowFile,
+      [
+        "name: Object runs-on",
+        "on: push",
+        "jobs:",
+        "  grouped:",
+        "    runs-on:",
+        "      group: ubuntu-runners",
+        "      labels: ubuntu-20.04-16core",
+        "    steps:",
+        "      - uses: actions/checkout@v4",
+        "  selfHosted:",
+        "    runs-on:",
+        "      group: larger-runners",
+        "      labels: [self-hosted, linux, x64]",
+        "    steps:",
+        '      - run: echo "ok"',
+      ].join("\n"),
+    );
+
+    try {
+      const result = parseWorkflowFile(workflowFile, { specVersion: 1.7 });
+      const actionComp = result.components.find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/checkout@v4",
+      );
+      assert.strictEqual(
+        getProp(actionComp, "cdx:github:job:runner"),
+        "ubuntu-runners,ubuntu-20.04-16core",
+      );
+
+      const selfHostedTask = result.workflows[0].tasks.find(
+        (task) => task.name === "selfHosted",
+      );
+      assert.strictEqual(
+        getProp(selfHostedTask, "cdx:github:job:runner"),
+        "larger-runners,self-hosted,linux,x64",
+      );
+      assert.strictEqual(
+        getProp(selfHostedTask, "cdx:github:job:isSelfHosted"),
+        "true",
+      );
+    } finally {
+      rmSync(tmpDir, { force: true, recursive: true });
+    }
+  });
+
   it("derives unnamed workflow names from the file stem without leaking Windows-style path segments", () => {
     const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-gha-"));
     const workflowFile = path.join(tmpDir, "nested\\workflow-file.yml");