@cyclonedx/cdxgen 12.4.0 → 12.4.2

package/lib/stages/postgen/postgen.js

@@ -9,6 +9,12 @@ import {
   matchesAiInventoryExcludeType,
   optionIncludesAiInventoryProjectType,
 } from "../../helpers/aiInventory.js";
+import {
+  isCycloneDx20SpecVersion,
+  normalizeCycloneDxSpecVersion,
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
+} from "../../helpers/bomUtils.js";
 import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
 import { getContainerFileInventoryStats } from "../../helpers/inventoryStats.js";
@@ -160,10 +166,8 @@ const SERVICE_1_6_ONLY_FIELDS = new Set(["tags"]);
 const SERVICE_1_7_ONLY_FIELDS = new Set(["patentAssertions"]);
 const METADATA_1_6_ONLY_FIELDS = new Set(["manufacturer"]);
 const METADATA_1_7_ONLY_FIELDS = new Set(["distributionConstraints"]);
-
-function normalizeSpecVersion(specVersion) {
-  return Number.parseFloat(String(specVersion || 0));
-}
+const METADATA_2_0_REMOVED_FIELDS = new Set(["manufacture"]);
+const COMPONENT_2_0_REMOVED_FIELDS = new Set(["author", "modified"]);
 
 function normalizeTlpClassification(tlpClassification) {
   return String(tlpClassification || "")
@@ -274,9 +278,10 @@ function collectSensitivePropertyViolations(
 }
 
 function validateTlpClassification(bomJson, options) {
-  const specVersion = normalizeSpecVersion(
-    bomJson?.specVersion || options?.specVersion,
-  );
+  const specVersion =
+    normalizeCycloneDxSpecVersion(
+      bomJson?.specVersion || options?.specVersion,
+    ) || 0;
   if (specVersion < 1.7) {
     return bomJson;
   }
@@ -366,6 +371,10 @@ function deleteFields(subject, fields) {
   }
 }
 
+function isObjectRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+
 function normalizeComponentForSpecVersion(subject, specVersion) {
   if (specVersion < 1.6) {
     deleteFields(subject, COMPONENT_1_6_ONLY_FIELDS);
@@ -393,6 +402,190 @@ function normalizeMetadataForSpecVersion(subject, specVersion) {
   }
 }
 
+function authorStringToAuthors(authorValue) {
+  if (typeof authorValue !== "string") {
+    return undefined;
+  }
+  const authors = authorValue
+    .split(",")
+    .map((author) => author.trim())
+    .filter(Boolean)
+    .map((name) => ({ name }));
+  return authors.length ? authors : undefined;
+}
+
+function normalizeLegacyToolComponent(tool) {
+  if (!isObjectRecord(tool)) {
+    return tool;
+  }
+  if (!tool.type) {
+    tool.type = "application";
+  }
+  if (tool.vendor && !tool.publisher) {
+    tool.publisher = tool.vendor;
+  }
+  delete tool.vendor;
+  if (!tool.authors && tool.author) {
+    tool.authors = authorStringToAuthors(tool.author);
+  }
+  deleteFields(tool, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(tool.components);
+  return tool;
+}
+
+function hasExplicitSpecVersion(specVersion) {
+  return (
+    specVersion !== undefined &&
+    specVersion !== null &&
+    `${specVersion}`.trim() !== ""
+  );
+}
+
+function resolveSpecVersionForCompatibility(bomJson, options) {
+  if (hasExplicitSpecVersion(options?.specVersion)) {
+    return options.specVersion;
+  }
+  if (hasExplicitSpecVersion(bomJson?.specVersion)) {
+    return bomJson.specVersion;
+  }
+  return "1.7";
+}
+
+function normalizeLegacyToolService(service) {
+  if (!isObjectRecord(service)) {
+    return service;
+  }
+  if (service.vendor && !service.provider) {
+    service.provider =
+      typeof service.vendor === "string"
+        ? { name: service.vendor }
+        : service.vendor;
+  }
+  delete service.vendor;
+  deleteFields(service, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeServicesForSpecVersion(service.services);
+  return service;
+}
+
+function normalizeComponentsForSpecVersion(components) {
+  if (!Array.isArray(components)) {
+    return;
+  }
+  for (const component of components) {
+    normalizeComponentForSpecVersion20(component);
+  }
+}
+
+function normalizeComponentForSpecVersion20(component) {
+  if (!isObjectRecord(component)) {
+    return;
+  }
+  if (!component.authors && component.author) {
+    component.authors = authorStringToAuthors(component.author);
+  }
+  deleteFields(component, COMPONENT_2_0_REMOVED_FIELDS);
+  normalizeComponentsForSpecVersion(component.components);
+}
+
+function normalizeServicesForSpecVersion(services) {
+  if (!Array.isArray(services)) {
+    return;
+  }
+  for (const service of services) {
+    normalizeLegacyToolService(service);
+  }
+}
+
+function normalizeFormulationForSpecVersion(formulation) {
+  if (!Array.isArray(formulation)) {
+    return;
+  }
+  for (const formula of formulation) {
+    if (!isObjectRecord(formula)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(formula.components);
+    normalizeServicesForSpecVersion(formula.services);
+  }
+}
+
+function normalizeVulnerabilitiesForSpecVersion(vulnerabilities) {
+  if (!Array.isArray(vulnerabilities)) {
+    return;
+  }
+  for (const vulnerability of vulnerabilities) {
+    if (!isObjectRecord(vulnerability?.tools)) {
+      continue;
+    }
+    normalizeComponentsForSpecVersion(vulnerability.tools.components);
+    normalizeServicesForSpecVersion(vulnerability.tools.services);
+  }
+}
+
+function normalizeDefinitionsForSpecVersion(definitions) {
+  if (!isObjectRecord(definitions)) {
+    return;
+  }
+  normalizeComponentsForSpecVersion(definitions.components);
+  normalizeServicesForSpecVersion(definitions.services);
+}
+
+function migrateLegacyManufactureForSpecVersion(metadata) {
+  if (!metadata.manufacture) {
+    return;
+  }
+  if (isObjectRecord(metadata.component) && !metadata.component.manufacturer) {
+    metadata.component.manufacturer = metadata.manufacture;
+    return;
+  }
+  if (!metadata.manufacturer) {
+    metadata.manufacturer = metadata.manufacture;
+  }
+}
+
+function normalizeToolsForSpecVersion(subject, specVersion) {
+  if (!subject || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (Array.isArray(subject.tools)) {
+    subject.tools = {
+      components: subject.tools.map((tool) =>
+        normalizeLegacyToolComponent(isObjectRecord(tool) ? { ...tool } : tool),
+      ),
+    };
+    return;
+  }
+  if (!isObjectRecord(subject.tools)) {
+    return;
+  }
+  if (Array.isArray(subject.tools.components)) {
+    subject.tools.components = subject.tools.components.map((tool) =>
+      normalizeLegacyToolComponent(tool),
+    );
+  }
+  if (Array.isArray(subject.tools.services)) {
+    subject.tools.services = subject.tools.services.map((service) =>
+      normalizeLegacyToolService(service),
+    );
+  }
+}
+
+function upgradeSubjectForSpecVersion(subject, specVersion) {
+  if (!isObjectRecord(subject) || !isCycloneDx20SpecVersion(specVersion)) {
+    return;
+  }
+  if (isObjectRecord(subject.metadata)) {
+    migrateLegacyManufactureForSpecVersion(subject.metadata);
+    deleteFields(subject.metadata, METADATA_2_0_REMOVED_FIELDS);
+    normalizeToolsForSpecVersion(subject.metadata, specVersion);
+    normalizeComponentForSpecVersion20(subject.metadata.component);
+  }
+  normalizeComponentsForSpecVersion(subject.components);
+  normalizeFormulationForSpecVersion(subject.formulation);
+  normalizeDefinitionsForSpecVersion(subject.definitions);
+  normalizeVulnerabilitiesForSpecVersion(subject.vulnerabilities);
+}
+
 function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
   if (!subject || typeof subject !== "object") {
     return;
@@ -460,14 +653,28 @@ function downgradeSubjectForSpecVersion(subject, specVersion, parentKey) {
 }
 
 function applySpecVersionCompatibility(bomJson, options) {
-  const specVersion = normalizeSpecVersion(
-    options?.specVersion || bomJson?.specVersion || 1.7,
+  const requestedSpecVersion = resolveSpecVersionForCompatibility(
+    bomJson,
+    options,
   );
-  if (specVersion >= 1.7) {
+  const normalizedSpecVersion =
+    toCycloneDxSpecVersionString(requestedSpecVersion);
+  if (!normalizedSpecVersion) {
+    thoughtLog(
+      "Skipping CycloneDX specVersion compatibility updates for malformed explicit specVersion.",
+      {
+        specVersion: requestedSpecVersion,
+      },
+    );
     return bomJson;
   }
-  downgradeSubjectForSpecVersion(bomJson, specVersion);
-  return bomJson;
+  const specVersion = normalizeCycloneDxSpecVersion(normalizedSpecVersion);
+  if (specVersion < 1.7) {
+    downgradeSubjectForSpecVersion(bomJson, specVersion);
+  } else if (isCycloneDx20SpecVersion(specVersion)) {
+    upgradeSubjectForSpecVersion(bomJson, specVersion);
+  }
+  return setCycloneDxFormat(bomJson, normalizedSpecVersion);
 }
 
 /**

package/lib/stages/postgen/postgen.poku.js

@@ -241,6 +241,169 @@ it("postProcess passes formulationList from bomNSData into the formulation secti
   );
 });
 
+it("postProcess finalizes CycloneDX 2.0-dev root fields and strips legacy fields", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Legacy Factory" },
+        component: "not-a-component-object",
+        tools: [
+          {
+            author: "OWASP Foundation",
+            name: "cdxgen",
+            vendor: "OWASP Foundation",
+            version: "12.4.0",
+            components: [
+              {
+                author: "Nested Tool Author",
+                modified: true,
+                name: "cdxgen-plugin",
+                type: "library",
+              },
+            ],
+          },
+        ],
+      },
+      components: [
+        {
+          author: "Jane Doe",
+          modified: false,
+          name: "demo-lib",
+          type: "library",
+          version: "1.0.0",
+          components: [
+            {
+              author: "Nested Author",
+              modified: true,
+              name: "nested-lib",
+              type: "library",
+            },
+          ],
+        },
+      ],
+    },
+  };
+
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolComponent] = result.bomJson.metadata.tools.components;
+  const [component] = result.bomJson.components;
+
+  assert.strictEqual(result.bomJson.specFormat, "CycloneDX");
+  assert.strictEqual(result.bomJson.bomFormat, undefined);
+  assert.strictEqual(result.bomJson.specVersion, "2.0");
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.manufacturer, {
+    name: "Legacy Factory",
+  });
+  assert.strictEqual(
+    result.bomJson.metadata.component,
+    "not-a-component-object",
+  );
+  assert.strictEqual(toolComponent.publisher, "OWASP Foundation");
+  assert.deepStrictEqual(toolComponent.authors, [{ name: "OWASP Foundation" }]);
+  assert.strictEqual(toolComponent.author, undefined);
+  assert.deepStrictEqual(toolComponent.components[0].authors, [
+    { name: "Nested Tool Author" },
+  ]);
+  assert.strictEqual(toolComponent.components[0].author, undefined);
+  assert.strictEqual(toolComponent.components[0].modified, undefined);
+  assert.deepStrictEqual(component.authors, [{ name: "Jane Doe" }]);
+  assert.strictEqual(component.author, undefined);
+  assert.strictEqual(component.modified, undefined);
+  assert.deepStrictEqual(component.components[0].authors, [
+    { name: "Nested Author" },
+  ]);
+  assert.strictEqual(component.components[0].author, undefined);
+  assert.strictEqual(component.components[0].modified, undefined);
+});
+
+it("postProcess preserves malformed explicit specVersion values instead of coercing them to 1.7", () => {
+  const malformedBomResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "2.0.1",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    {},
+  );
+  assert.strictEqual(malformedBomResult.bomJson.specVersion, "2.0.1");
+  assert.strictEqual(malformedBomResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedBomResult.bomJson.specFormat, undefined);
+
+  const malformedOptionResult = postProcess(
+    {
+      bomJson: {
+        bomFormat: "CycloneDX",
+        specVersion: "1.7",
+        components: [],
+        dependencies: [],
+        metadata: { properties: [] },
+      },
+    },
+    { specVersion: "2.0.1" },
+  );
+  assert.strictEqual(malformedOptionResult.bomJson.specVersion, "1.7");
+  assert.strictEqual(malformedOptionResult.bomJson.bomFormat, "CycloneDX");
+  assert.strictEqual(malformedOptionResult.bomJson.specFormat, undefined);
+});
+
+it("postProcess migrates CycloneDX 2.0 metadata manufacture and tool services without broad recursion", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      metadata: {
+        manufacture: { name: "Component Factory" },
+        component: {
+          name: "demo-app",
+          type: "application",
+        },
+        tools: {
+          components: [],
+          services: [
+            {
+              author: "Legacy Author",
+              name: "scanner-service",
+              vendor: "Scanner Vendor",
+            },
+          ],
+        },
+      },
+      components: [],
+      dependencies: [{ ref: "pkg:generic/demo@1.0.0", dependsOn: [] }],
+      unrelatedInventory: {
+        components: [
+          {
+            author: "Should Not Be Traversed",
+            name: "not-a-component-list",
+          },
+        ],
+      },
+    },
+  };
+
+  const result = postProcess(bomNSData, { specVersion: 2.0 });
+  const [toolService] = result.bomJson.metadata.tools.services;
+
+  assert.strictEqual(result.bomJson.metadata.manufacture, undefined);
+  assert.deepStrictEqual(result.bomJson.metadata.component.manufacturer, {
+    name: "Component Factory",
+  });
+  assert.deepStrictEqual(toolService.provider, { name: "Scanner Vendor" });
+  assert.strictEqual(toolService.vendor, undefined);
+  assert.strictEqual(toolService.author, undefined);
+  assert.strictEqual(
+    result.bomJson.unrelatedInventory.components[0].author,
+    "Should Not Be Traversed",
+  );
+});
+
 it("postProcess downgrades certificate crypto properties for spec version 1.6", () => {
   const bomNSData = {
     bomJson: {

package/lib/validator/bomValidator.js

@@ -6,6 +6,10 @@ import Ajv2020 from "ajv/dist/2020.js";
 import addFormats from "ajv-formats";
 import { PackageURL } from "packageurl-js";
 
+import {
+  isCycloneDxSpecVersionAtLeast,
+  toCycloneDxSpecVersionString,
+} from "../helpers/bomUtils.js";
 import { thoughtLog } from "../helpers/logger.js";
 import { DEBUG_MODE, dirNameStr, isPartialTree } from "../helpers/utils.js";
 import {
@@ -14,6 +18,13 @@ import {
 } from "../stages/postgen/spdxConverter.js";
 
 const dirName = dirNameStr;
+const SUPPORTED_CYCLONEDX_SCHEMA_VERSIONS = new Set([
+  "1.4",
+  "1.5",
+  "1.6",
+  "1.7",
+  "2.0",
+]);
 const PLACEHOLDER_COMPONENT_NAMES = new Set(["app", "application", "project"]);
 const SPDX_EXPORT_TYPES = new Set([
   "CreationInfo",
@@ -23,6 +34,74 @@ const SPDX_EXPORT_TYPES = new Set([
   "software_Package",
 ]);
 let spdxExportSchemaValidator;
+const cycloneDxSchemaValidators = new Map();
+
+const AJV_OPTIONS = {
+  strict: false,
+  logger: false,
+  verbose: true,
+  code: {
+    source: true,
+    lines: true,
+    optimize: true,
+  },
+};
+
+const readJsonSchema = (fileName) =>
+  JSON.parse(readFileSync(join(dirName, "data", fileName), "utf-8"));
+
+const addDraft2020BundledSchema = (ajv, schema, schemaId) => {
+  const bundledSchema = { ...schema };
+  delete bundledSchema.$schema;
+  bundledSchema.$id = schemaId;
+  ajv.addSchema(bundledSchema);
+};
+
+const getCycloneDxSchemaValidator = (specVersion) => {
+  if (cycloneDxSchemaValidators.has(specVersion)) {
+    return cycloneDxSchemaValidators.get(specVersion);
+  }
+  let validate;
+  if (isCycloneDxSpecVersionAtLeast(specVersion, "2.0")) {
+    const ajv = new Ajv2020(AJV_OPTIONS);
+    addFormats(ajv);
+    addDraft2020BundledSchema(
+      ajv,
+      readJsonSchema("cryptography-defs.schema.json"),
+      "https://cyclonedx.org/schema/cryptography-defs.schema.json",
+    );
+    addDraft2020BundledSchema(
+      ajv,
+      readJsonSchema("jsf-0.82.schema.json"),
+      "https://cyclonedx.org/schema/jsf-0.82.schema.json",
+    );
+    addDraft2020BundledSchema(
+      ajv,
+      readJsonSchema("spdx.schema.json"),
+      "https://cyclonedx.org/schema/spdx.schema.json",
+    );
+    validate = ajv.compile(readJsonSchema("cyclonedx-2.0-bundled.schema.json"));
+  } else {
+    const schemas = [
+      readJsonSchema(`bom-${specVersion}.schema.json`),
+      readJsonSchema("jsf-0.82.schema.json"),
+      readJsonSchema("spdx.schema.json"),
+    ];
+    if (isCycloneDxSpecVersionAtLeast(specVersion, "1.7")) {
+      schemas.push(readJsonSchema("cryptography-defs.schema.json"));
+    }
+    const ajv = new Ajv({
+      ...AJV_OPTIONS,
+      schemas,
+    });
+    addFormats(ajv);
+    validate = ajv.getSchema(
+      `http://cyclonedx.org/schema/bom-${specVersion}.schema.json`,
+    );
+  }
+  cycloneDxSchemaValidators.set(specVersion, validate);
+  return validate;
+};
 
 const getSpdxElementId = (element) => element?.spdxId || element?.["@id"];
 
@@ -36,6 +115,7 @@ const getSpdxExportSchemaValidator = () => {
     );
     const ajv = new Ajv2020({
       strict: false,
+      validateSchema: false,
       logger: false,
       verbose: true,
       code: {
@@ -63,44 +143,16 @@ export const validateBom = (bomJson) => {
   if (!bomJson) {
     return true;
   }
-  const specVersion = bomJson.specVersion;
-  const schema = JSON.parse(
-    readFileSync(
-      join(dirName, "data", `bom-${specVersion}.schema.json`),
-      "utf-8",
-    ),
-  );
-  const defsSchema = JSON.parse(
-    readFileSync(join(dirName, "data", "jsf-0.82.schema.json"), "utf-8"),
-  );
-  const spdxSchema = JSON.parse(
-    readFileSync(join(dirName, "data", "spdx.schema.json"), "utf-8"),
-  );
-  const cryptoDefSchema = JSON.parse(
-    readFileSync(
-      join(dirName, "data", "cryptography-defs.schema.json"),
-      "utf-8",
-    ),
-  );
-  const schemas = [schema, defsSchema, spdxSchema];
-  if (specVersion >= 1.7) {
-    schemas.push(cryptoDefSchema);
-  }
-  const ajv = new Ajv({
-    schemas,
-    strict: false,
-    logger: false,
-    verbose: true,
-    code: {
-      source: true,
-      lines: true,
-      optimize: true,
-    },
-  });
-  addFormats(ajv);
-  const validate = ajv.getSchema(
-    `http://cyclonedx.org/schema/bom-${specVersion}.schema.json`,
-  );
+  const specVersion = toCycloneDxSpecVersionString(bomJson.specVersion);
+  if (!SUPPORTED_CYCLONEDX_SCHEMA_VERSIONS.has(specVersion)) {
+    console.log(
+      `Unsupported CycloneDX specVersion '${bomJson.specVersion}'. Supported versions are ${[
+        ...SUPPORTED_CYCLONEDX_SCHEMA_VERSIONS,
+      ].join(", ")}.`,
+    );
+    return false;
+  }
+  const validate = getCycloneDxSchemaValidator(specVersion);
   const isValid = validate(bomJson);
   if (!isValid) {
     if (bomJson.metadata?.component?.name) {

package/lib/validator/bomValidator.poku.js

@@ -1,7 +1,97 @@
+import { readFileSync as actualReadFileSync } from "node:fs";
+
 import esmock from "esmock";
 import { assert, describe, it } from "poku";
 import sinon from "sinon";
 
+import { validateBom } from "./bomValidator.js";
+
+const validCycloneDx20Bom = {
+  specFormat: "CycloneDX",
+  specVersion: "2.0",
+  serialNumber: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  version: 1,
+  metadata: {
+    component: {
+      "bom-ref": "pkg:generic/demo@1.0.0",
+      name: "demo",
+      purl: "pkg:generic/demo@1.0.0",
+      type: "application",
+      version: "1.0.0",
+    },
+    tools: {
+      components: [{ type: "application", name: "cdxgen", version: "12.4.0" }],
+    },
+  },
+  components: [
+    {
+      "bom-ref": "pkg:npm/lodash@4.17.21",
+      name: "lodash",
+      purl: "pkg:npm/lodash@4.17.21",
+      type: "library",
+      version: "4.17.21",
+    },
+  ],
+  dependencies: [
+    {
+      ref: "pkg:generic/demo@1.0.0",
+      dependsOn: ["pkg:npm/lodash@4.17.21"],
+    },
+    { ref: "pkg:npm/lodash@4.17.21", dependsOn: [] },
+  ],
+};
+
+describe("validateBom()", () => {
+  it("validates CycloneDX 2.0-dev JSON against the bundled schema", () => {
+    assert.strictEqual(validateBom(validCycloneDx20Bom), true);
+  });
+
+  it("returns a clear validation failure for unsupported spec versions", async () => {
+    const readFileSyncStub = sinon.stub();
+    const consoleLogStub = sinon.stub(console, "log");
+    try {
+      const { validateBom } = await esmock("./bomValidator.js", {
+        "node:fs": {
+          readFileSync: readFileSyncStub,
+        },
+      });
+
+      assert.strictEqual(
+        validateBom({ bomFormat: "CycloneDX", specVersion: "2.0.1" }),
+        false,
+      );
+      sinon.assert.notCalled(readFileSyncStub);
+      sinon.assert.calledWithMatch(
+        consoleLogStub,
+        "Unsupported CycloneDX specVersion '2.0.1'.",
+      );
+    } finally {
+      consoleLogStub.restore();
+    }
+  });
+
+  it("caches compiled CycloneDX schema validators by spec version", async () => {
+    const readFileSyncStub = sinon
+      .stub()
+      .callsFake((...args) => actualReadFileSync(...args));
+    const { validateBom } = await esmock("./bomValidator.js", {
+      "node:fs": {
+        readFileSync: readFileSyncStub,
+      },
+    });
+
+    assert.strictEqual(validateBom(validCycloneDx20Bom), true);
+    const readCountAfterFirstValidation = readFileSyncStub.callCount;
+    assert.ok(readCountAfterFirstValidation > 0);
+
+    assert.strictEqual(validateBom(validCycloneDx20Bom), true);
+    assert.strictEqual(
+      readFileSyncStub.callCount,
+      readCountAfterFirstValidation,
+    );
+  });
+});
+
 describe("validateSpdx()", () => {
   it("lazy-loads the bundled SPDX export schema on first validation call", async () => {
     const readFileSyncStub = sinon