@cyclonedx/cdxgen 12.4.0 → 12.4.2

package/lib/helpers/utils.js

@@ -58,6 +58,13 @@ import Arborist from "../third-party/arborist/lib/index.js";
 import { analyzeSuspiciousJsFile } from "./analyzer.js";
 import { DEFAULT_HBOM_AUDIT_CATEGORIES } from "./auditCategories.js";
 import { parseWorkflowFile } from "./ciParsers/githubActions.js";
+import {
+  addDosaiSetValue,
+  buildDosaiPurlAliasMap,
+  dosaiSourceLocation,
+  dosaiSourceLocationFromNode,
+  resolveDosaiComponentPurl,
+} from "./dosaiParsers.js";
 import { extractPackageInfoFromHintPath } from "./dotnetutils.js";
 import {
   createOccurrenceEvidence,
@@ -1286,6 +1293,8 @@ export function safeSpawnSync(command, args, options) {
     options = {
       ...options,
     };
+  }
+  if (options.cdxgenActivity) {
     delete options.cdxgenActivity;
   }
   // Inject maxBuffer
@@ -1753,6 +1762,10 @@ export const PROJECT_TYPE_ALIASES = {
     "dotnet-framework47",
     "dotnet-framework48",
     "vb",
+    "vbnet",
+    "visualbasic",
+    "f#",
+    "fs",
     "fsharp",
     "twincat",
     "csproj",
@@ -21739,6 +21752,42 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
   };
 }
 
+function addDotnetIdentityMethod(apkg, value) {
+  if (!value) {
+    return;
+  }
+  apkg.evidence = apkg.evidence || {};
+  const identityList = Array.isArray(apkg.evidence.identity)
+    ? apkg.evidence.identity
+    : undefined;
+  let identity = identityList
+    ? identityList.find((entry) => entry?.field === "purl") ||
+      identityList.find((entry) => !entry?.field)
+    : apkg.evidence.identity;
+  if (!identity) {
+    identity = { field: "purl", confidence: 1, methods: [] };
+    if (identityList) {
+      identityList.push(identity);
+    }
+  }
+  identity.field ??= "purl";
+  identity.confidence ??= 1;
+  identity.methods ??= [];
+  if (
+    !identity.methods.some(
+      (method) =>
+        method.technique === "source-code-analysis" && method.value === value,
+    )
+  ) {
+    identity.methods.push({
+      technique: "source-code-analysis",
+      confidence: 1,
+      value,
+    });
+  }
+  apkg.evidence.identity = identityList || identity;
+}
+
 /**
  * Enrich .NET package components with occurrence evidence and imported module/method
  * information from a dosai dependency slices file.
@@ -21762,6 +21811,7 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
   const purlLocationMap = {};
   const purlModulesMap = {};
   const purlMethodsMap = {};
+  const purlAliasMap = buildDosaiPurlAliasMap(pkgList);
   for (const apkg of pkgList) {
     if (apkg.properties && Array.isArray(apkg.properties)) {
       apkg.properties
@@ -21778,13 +21828,33 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         });
     }
   }
-  const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
+  let slicesData;
+  try {
+    slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
+  } catch (_err) {
+    return pkgList;
+  }
   if (slicesData && Object.keys(slicesData)) {
     thoughtLog(
       "Let's thoroughly inspect the dependency slice to identify where and how the components are used.",
     );
     if (slicesData.Dependencies) {
       for (const adep of slicesData.Dependencies) {
+        if (adep.Purl) {
+          const modPurl = resolveDosaiComponentPurl(adep.Purl, purlAliasMap);
+          if (modPurl) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocation(adep),
+            );
+            addDosaiSetValue(
+              purlModulesMap,
+              modPurl,
+              adep.Name || adep.Namespace,
+            );
+          }
+        }
         // Case 1: Dependencies slice has the .dll file
         if (adep.Module?.endsWith(".dll") && pkgFilePurlMap[adep.Module]) {
           const modPurl = pkgFilePurlMap[adep.Module];
@@ -21810,6 +21880,64 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         }
       }
     }
+    if (slicesData.PackageReachability) {
+      const graphEdges = Object.fromEntries(
+        (slicesData.CallGraph?.Edges || []).map((edge) => [edge.Id, edge]),
+      );
+      const graphNodes = Object.fromEntries(
+        (slicesData.CallGraph?.Nodes || []).map((node) => [node.Id, node]),
+      );
+      for (const reachability of slicesData.PackageReachability) {
+        const modPurl = resolveDosaiComponentPurl(
+          reachability.Purl,
+          purlAliasMap,
+        );
+        if (!modPurl) {
+          continue;
+        }
+        let hasExplicitSourceLocations = false;
+        for (const sourceLocation of reachability.SourceLocations || []) {
+          const location = dosaiSourceLocation(sourceLocation);
+          addDosaiSetValue(purlLocationMap, modPurl, location);
+          hasExplicitSourceLocations ||= Boolean(location);
+        }
+        for (const edgeId of reachability.EdgeIds || []) {
+          const edge = graphEdges[edgeId];
+          if (!hasExplicitSourceLocations) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocation(edge),
+            );
+          }
+          addDosaiSetValue(
+            purlMethodsMap,
+            modPurl,
+            edge?.CalledMethodName || edge?.TargetName,
+          );
+        }
+        for (const nodeId of reachability.NodeIds || []) {
+          const node = graphNodes[nodeId];
+          if (!hasExplicitSourceLocations) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocationFromNode(node),
+            );
+          }
+          addDosaiSetValue(
+            purlModulesMap,
+            modPurl,
+            node?.ClassName || node?.Module,
+          );
+          addDosaiSetValue(
+            purlMethodsMap,
+            modPurl,
+            node?.Name || node?.Identity?.MethodName,
+          );
+        }
+      }
+    }
     if (slicesData.MethodCalls) {
       for (const amethodCall of slicesData.MethodCalls) {
         if (
@@ -21857,6 +21985,7 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         apkg.evidence.occurrences = locationOccurrences.map((l) =>
           parseOccurrenceEvidenceLocation(l),
         );
+        addDotnetIdentityMethod(apkg, locationOccurrences[0]);
         // Set the package scope
         apkg.scope = "required";
       }

package/lib/helpers/utils.poku.js

@@ -54,6 +54,7 @@ import {
   isPartialTree,
   isValidIriReference,
   mapConanPkgRefToPurlStringAndNameAndVersion,
+  PROJECT_TYPE_ALIASES,
   parseBazelActionGraph,
   parseBazelBuild,
   parseBazelSkyframe,
@@ -4327,6 +4328,296 @@ it("addEvidenceForDotnet() initializes evidence before adding occurrences", () =
   }
 });
 
+it("addEvidenceForDotnet() ignores unreadable dosai JSON", () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-dotnet-bad-json-"));
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(slicesFile, "");
+    const inputPkgList = [
+      {
+        name: "Example",
+        purl: "pkg:nuget/Example@1.0.0",
+        properties: [{ name: "PackageFiles", value: "Example.dll" }],
+      },
+    ];
+    const pkgList = addEvidenceForDotnet(inputPkgList, slicesFile);
+
+    assert.strictEqual(pkgList, inputPkgList);
+    assert.strictEqual(pkgList[0].evidence, undefined);
+    assert.strictEqual(pkgList[0].scope, undefined);
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("addEvidenceForDotnet() consumes dosai v3 PackageReachability", () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-dotnet-reachability-"),
+  );
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        CallGraph: {
+          Edges: [
+            {
+              Id: "e1",
+              FileName: "Controllers/EpisodesController.cs",
+              LineNumber: 17,
+              CalledMethodName: "System.Text.Json.JsonSerializer.Deserialize",
+            },
+          ],
+          Nodes: [
+            {
+              Id: "n1",
+              FileName: "System.Text.Json.dll",
+              LineNumber: 0,
+              ClassName: "JsonSerializer",
+              Name: "Deserialize",
+            },
+          ],
+        },
+        PackageReachability: [
+          {
+            Purl: "pkg:nuget/System.Text.Json",
+            EdgeIds: ["e1"],
+            NodeIds: ["n1"],
+            SourceLocations: [
+              {
+                Path: "Controllers/Parser.cs",
+                FileName: "Parser.cs",
+                LineNumber: 42,
+                ColumnNumber: 13,
+                Kind: "CallGraphEdge",
+              },
+              {
+                Path: "System.Text.Json.dll",
+                FileName: "System.Text.Json.dll",
+                LineNumber: 1,
+                Kind: "CallGraphNode",
+              },
+            ],
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "System.Text.Json",
+          purl: "pkg:nuget/System.Text.Json@10.0.0",
+          properties: [],
+        },
+      ],
+      slicesFile,
+    );
+
+    assert.deepStrictEqual(pkgList[0].evidence?.occurrences, [
+      {
+        location: "Controllers/Parser.cs",
+        line: 42,
+      },
+    ]);
+    assert.ok(
+      pkgList[0].evidence.identity.methods.some(
+        (method) =>
+          method.technique === "source-code-analysis" &&
+          method.value === "Controllers/Parser.cs#42",
+      ),
+    );
+    assert.ok(
+      pkgList[0].properties.some(
+        (property) =>
+          property.name === "CalledMethods" &&
+          property.value.includes(
+            "System.Text.Json.JsonSerializer.Deserialize",
+          ),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("addEvidenceForDotnet() keeps PackageReachability fallback evidence source-only", () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-dotnet-source-fallback-"),
+  );
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        CallGraph: {
+          Edges: [
+            {
+              Id: "e1",
+              FileName: "System.Text.Json.dll",
+              LineNumber: 12,
+              CalledMethodName: "System.Text.Json.JsonSerializer.Deserialize",
+              CallLocation: {
+                FileName: "Program.fs",
+                LineNumber: 8,
+              },
+            },
+            {
+              Id: "e2",
+              FileName: "Controllers/EpisodesController.cs",
+              LineNumber: 17,
+              CalledMethodName: "System.Text.Json.JsonSerializer.Serialize",
+            },
+          ],
+        },
+        PackageReachability: [
+          {
+            Purl: "pkg:nuget/System.Text.Json",
+            EdgeIds: ["e1", "e2"],
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "System.Text.Json",
+          purl: "pkg:nuget/System.Text.Json@10.0.0",
+          properties: [],
+        },
+      ],
+      slicesFile,
+    );
+
+    assert.deepStrictEqual(pkgList[0].evidence?.occurrences, [
+      {
+        location: "Controllers/EpisodesController.cs",
+        line: 17,
+      },
+      {
+        location: "Program.fs",
+        line: 8,
+      },
+    ]);
+    assert.ok(!JSON.stringify(pkgList[0].evidence).includes(".dll"));
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("addEvidenceForDotnet() preserves additional identity entries", () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-dotnet-identity-array-"),
+  );
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        Dependencies: [
+          {
+            Path: "Program.cs",
+            FileName: "Program.cs",
+            Name: "System.Text.Json",
+            Purl: "pkg:nuget/System.Text.Json",
+            LineNumber: 12,
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "System.Text.Json",
+          purl: "pkg:nuget/System.Text.Json@10.0.0",
+          evidence: {
+            identity: [
+              {
+                field: "name",
+                confidence: 0.8,
+                methods: [
+                  { technique: "filename", value: "packages.lock.json" },
+                ],
+              },
+              {
+                field: "purl",
+                confidence: 1,
+                methods: [
+                  {
+                    technique: "manifest-analysis",
+                    value: "packages.lock.json",
+                  },
+                ],
+              },
+            ],
+          },
+          properties: [],
+        },
+      ],
+      slicesFile,
+    );
+
+    assert.strictEqual(pkgList[0].evidence.identity.length, 2);
+    assert.strictEqual(pkgList[0].evidence.identity[0].field, "name");
+    assert.ok(
+      pkgList[0].evidence.identity[1].methods.some(
+        (method) =>
+          method.technique === "source-code-analysis" &&
+          method.value === "Program.cs#12",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("addEvidenceForDotnet() consumes dosai Dependencies with purls", () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-dotnet-vb-deps-"));
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        Dependencies: [
+          {
+            Path: "Program.vb",
+            FileName: "Program.vb",
+            Name: "Newtonsoft.Json",
+            Purl: "pkg:nuget/Newtonsoft.Json@13.0.3",
+            LineNumber: 4,
+            ColumnNumber: 9,
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "Newtonsoft.Json",
+          purl: "pkg:nuget/Newtonsoft.Json@13.0.3",
+          properties: [],
+        },
+      ],
+      slicesFile,
+    );
+
+    assert.deepStrictEqual(pkgList[0].evidence?.occurrences, [
+      {
+        location: "Program.vb",
+        line: 4,
+      },
+    ]);
+    assert.ok(
+      pkgList[0].properties.some(
+        (property) =>
+          property.name === "ImportedModules" &&
+          property.value.includes("Newtonsoft.Json"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse packages.lock.json", () => {
   assert.deepStrictEqual(parseCsPkgLockData(null), {
     dependenciesList: [],
@@ -10229,6 +10520,10 @@ it("parseMakeDFile tests", () => {
 });
 
 it("hasAnyProjectType tests", () => {
+  for (const language of ["vb", "vbnet", "visualbasic", "f#", "fs", "fsharp"]) {
+    assert.ok(PROJECT_TYPE_ALIASES.csharp.includes(language));
+  }
+
   assert.deepStrictEqual(
     hasAnyProjectType(["docker"], {
       projectType: [],

package/lib/server/server.js

@@ -8,6 +8,7 @@ import compression from "compression";
 import connect from "connect";
 
 import { createBom, submitBom } from "../cli/index.js";
+import { isCycloneDxBom } from "../helpers/bomUtils.js";
 import { normalizeOutputFormats } from "../helpers/exportUtils.js";
 import {
   cleanupSourceDir,
@@ -467,7 +468,7 @@ const start = (options) => {
       let responseBomJson = bomNSData.bomJson;
       if (
         requestedFormats.includes("spdx") &&
-        bomNSData?.bomJson?.bomFormat === "CycloneDX"
+        isCycloneDxBom(bomNSData?.bomJson)
       ) {
         responseBomJson = convertCycloneDxToSpdx(bomNSData.bomJson, reqOptions);
       }

package/lib/stages/postgen/annotator.js

@@ -23,6 +23,7 @@ function humanifyTimestamp(timestamp) {
     month: "long",
     day: "numeric",
     weekday: "long",
+    timeZone: "UTC",
   });
 }
 
@@ -123,7 +124,7 @@ function getGitHubWorkflowStats(components) {
         stats.continueOnError++;
       }
       if (propMap["cdx:github:job:runner"]) {
-        propMap["cdx:github:job:runner"]
+        String(propMap["cdx:github:job:runner"])
           .split(",")
           .filter((r) => r.includes("$"))
           .forEach((r) => {

package/lib/stages/postgen/annotator.poku.js

@@ -432,3 +432,31 @@ it("recognizes HBOMs and summarizes hardware-specific metadata", () => {
   );
   assert.match(summary, /Identifier policy is 'redacted-by-default'\./u);
 });
+
+it("handles non-string GitHub runner properties while summarizing metadata", () => {
+  const summary = textualMetadata({
+    bomFormat: "CycloneDX",
+    specVersion: "1.7",
+    metadata: {
+      timestamp: "2026-01-01T00:00:00Z",
+      tools: { components: [{ name: "cdxgen" }] },
+      component: { name: "workflow", type: "application" },
+    },
+    components: [
+      {
+        name: "checkout",
+        purl: "pkg:github/actions/checkout@v4",
+        properties: [
+          { name: "cdx:github:workflow:name", value: "CI" },
+          { name: "cdx:github:job:name", value: "build" },
+          {
+            name: "cdx:github:job:runner",
+            value: { group: "ubuntu-runners", labels: "ubuntu-latest" },
+          },
+        ],
+      },
+    ],
+  });
+
+  assert.match(summary, /GitHub Action references/u);
+});