@cyclonedx/cdxgen 12.4.1 → 12.4.2

package/bin/evinse.js

@@ -51,15 +51,30 @@ const args = yargs(hideBin(process.argv))
       "py",
       "python",
       "android",
+      "csharp",
+      "cs",
       "c",
       "cpp",
+      "dotnet",
       "php",
       "swift",
       "ios",
       "ruby",
       "scala",
+      "vb",
+      "vbnet",
+      "visualbasic",
+      "f#",
+      "fs",
+      "fsharp",
     ],
   })
+  .option("profile", {
+    description:
+      "Evidence profile. The research profile enables dosai data-flow and crypto analysis for .NET projects.",
+    default: "generic",
+    choices: ["generic", "research"],
+  })
   .option("db-path", {
     description: "Atom slices DB path. Unused",
     default: undefined,

package/lib/cli/index.js

@@ -46,7 +46,10 @@ import {
   toCycloneDxSpecVersionString,
 } from "../helpers/bomUtils.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
-import { collectSourceCryptoComponents } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  collectSourceCryptoComponents,
+} from "../helpers/cbomutils.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
   collectChromeExtensionsFromPath,
@@ -58,6 +61,13 @@ import {
   mergeServices,
   trimComponents,
 } from "../helpers/depsUtils.js";
+import {
+  collectDosaiServicesFromMethods,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+  normalizeDosaiServiceMap,
+  readDosaiJsonFile,
+} from "../helpers/dosai.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import {
   createHbomDocument,
@@ -246,7 +256,6 @@ import {
   enrichOSComponentsWithTrustData,
   executeOsQuery,
   getBinaryBom,
-  getDotnetSlices,
   getOSPackages,
   getPluginToolComponents,
 } from "../managers/binary.js";
@@ -400,6 +409,27 @@ const hasExplicitProjectTypeSelection = (options, baseProjectType) => {
   );
 };
 
+const hasDotnetProjectIndicators = (src, options = {}) => {
+  return Boolean(
+    getAllFiles(src, "**/*.{csproj,fsproj,vbproj,sln}", options)?.length,
+  );
+};
+
+const shouldCollectDosaiCrypto = (src, options = {}) => {
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (projectTypes.some((projectType) => isDosaiDotnetLanguage(projectType))) {
+    return true;
+  }
+  if (!projectTypes.length || projectTypes.includes("universal")) {
+    return hasDotnetProjectIndicators(src, options);
+  }
+  return false;
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -7742,6 +7772,7 @@ export async function createCsharpBom(path, options) {
     }
   }
   const pkgNameVersions = {};
+  let services = [];
   if (csProjFiles.length) {
     manifestFiles = manifestFiles.concat(csProjFiles);
     // Parsing csproj is quite error-prone. Some project files may not have versions specified
@@ -7803,21 +7834,30 @@ export async function createCsharpBom(path, options) {
     // Perform deep analysis using dosai
     if (options.deep) {
       const slicesFile = resolve(
-        join(path, options.depsSlicesFile) || join(getTmpDir(), "dosai.json"),
+        options.depsSlicesFile
+          ? join(path, options.depsSlicesFile)
+          : join(getTmpDir(), "dosai.json"),
       );
       // Create the slices file if it doesn't exist
       if (!safeExistsSync(slicesFile)) {
         thoughtLog(
           "Alright, the next step is to invoke the dosai command to identify evidence of occurrences for various components.",
         );
-        const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
+        const sliceResult = createDosaiMethodsSlice(
+          resolve(path),
+          resolve(slicesFile),
+          options,
+        );
         if (!sliceResult && DEBUG_MODE) {
           console.log(
             "Slicing with dosai was unsuccessful. Check the errors reported in the logs above.",
           );
         }
       }
-      pkgList = addEvidenceForDotnet(pkgList, slicesFile, options);
+      pkgList = addEvidenceForDotnet(pkgList, slicesFile);
+      const methodsSlice = readDosaiJsonFile(slicesFile);
+      const servicesMap = collectDosaiServicesFromMethods(methodsSlice, {});
+      services = normalizeDosaiServiceMap(servicesMap);
     }
   }
   // Parent dependency tree
@@ -7843,6 +7883,8 @@ export async function createCsharpBom(path, options) {
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
+    services,
+    tools: options.deep ? getPluginToolComponents(["dosai"]) : [],
   });
 }
 
@@ -8354,6 +8396,15 @@ export async function createCryptoCertsBom(path, options) {
   if (sourceCryptoComponents.length) {
     pkgList.push(...sourceCryptoComponents);
   }
+  if (shouldCollectDosaiCrypto(path, options)) {
+    const dosaiCryptoComponents = await collectDosaiCryptoComponents(
+      path,
+      options,
+    );
+    if (dosaiCryptoComponents.length) {
+      pkgList.push(...dosaiCryptoComponents);
+    }
+  }
   return {
     bomJson: {
       components: pkgList,

package/lib/cli/index.poku.js

@@ -286,6 +286,86 @@ describe("CLI tests", () => {
       );
       assert.strictEqual(components[0].type, "data");
     });
+
+    it("does not invoke dosai crypto analysis for non-.NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-non-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["js"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.notCalled(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis for explicit .NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([
+        {
+          name: "sha-256",
+          type: "cryptographic-asset",
+          "bom-ref": "crypto/algorithm/sha-256@2.16.840.1.101.3.4.2.1",
+          cryptoProperties: {
+            assetType: "algorithm",
+            oid: "2.16.840.1.101.3.4.2.1",
+          },
+        },
+      ]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        const bomData = await createCryptoCertsBom(tempDir, {
+          projectType: ["dotnet"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+        assert.strictEqual(bomData.bomJson.components[0].name, "sha-256");
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis when universal scans contain .NET project files", async () => {
+      const tempDir = mkdtempSync(
+        join(tmpdir(), "cdxgen-cbom-dotnet-indicator-"),
+      );
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        writeFileSync(join(tempDir, "app.csproj"), "<Project />");
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["universal"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
   });
 
   describe("distribution filters", () => {

package/lib/evinser/evinser.js

@@ -4,7 +4,19 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
-import { findCryptoAlgos } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  findCryptoAlgos,
+} from "../helpers/cbomutils.js";
+import { mergeServices } from "../helpers/depsUtils.js";
+import {
+  collectDosaiDataFlowFrames,
+  collectDosaiPurlEvidence,
+  collectDosaiServicesFromMethods,
+  createDosaiDataFlowSlice,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+} from "../helpers/dosai.js";
 import { parseOccurrenceEvidenceLocation } from "../helpers/evidenceUtils.js";
 import {
   collectGradleDependencies,
@@ -230,6 +242,8 @@ export async function createSlice(
     language = "python";
   } else if (PROJECT_TYPE_ALIASES.scala.includes(language)) {
     language = "scala";
+  } else if (isDosaiDotnetLanguage(language)) {
+    language = "csharp";
   }
   if (
     PROJECT_TYPE_ALIASES.swift.includes(language) &&
@@ -270,6 +284,33 @@ export async function createSlice(
     }
     return { tempDir: sliceOutputDir, tempDirOwned, slicesFile };
   }
+  if (isDosaiDotnetLanguage(language)) {
+    console.log(
+      `Creating ${sliceType} slice for ${resolve(filePath)} using dosai. Please wait ...`,
+    );
+    const sliceResult =
+      sliceType === "data-flow"
+        ? createDosaiDataFlowSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          )
+        : createDosaiMethodsSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          );
+    if (!sliceResult) {
+      console.warn(
+        `Unable to generate ${sliceType} slice using dosai. Check if this is a supported .NET project.`,
+      );
+    }
+    return {
+      tempDir: sliceOutputDir,
+      tempDirOwned,
+      slicesFile,
+    };
+  }
   console.log(
     `Creating ${sliceType} slice for ${resolve(filePath)}. Please wait ...`,
   );
@@ -393,6 +434,9 @@ export function purlToLanguage(purl, filePath) {
     case "gem":
       language = "ruby";
       break;
+    case "nuget":
+      language = "csharp";
+      break;
     case "generic":
       language = "c";
   }
@@ -474,6 +518,77 @@ export async function analyzeProject(dbObjMap, options) {
   // Load any existing purl-location information from the sbom.
   // For eg: cdxgen populates this information for javascript projects
   let { purlLocationMap, purlImportsMap } = initFromSbom(components, language);
+  if (isDosaiDotnetLanguage(language)) {
+    if (options.profile === "research") {
+      options.withDataFlow = true;
+      options.includeCrypto = true;
+    }
+    if (
+      options.usagesSlicesFile &&
+      usableSlicesFile(options.usagesSlicesFile)
+    ) {
+      usageSlice = JSON.parse(
+        fs.readFileSync(options.usagesSlicesFile, "utf-8"),
+      );
+      usagesSlicesFile = options.usagesSlicesFile;
+    } else {
+      retMap = await createSlice(language, dirPath, "usages", options);
+      if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+        usageSlice = JSON.parse(fs.readFileSync(retMap.slicesFile, "utf-8"));
+        usagesSlicesFile = retMap.slicesFile;
+      }
+    }
+    if (usageSlice && Object.keys(usageSlice).length) {
+      const dosaiEvidence = collectDosaiPurlEvidence(usageSlice, components);
+      for (const [purl, locations] of Object.entries(
+        dosaiEvidence.purlLocationMap,
+      )) {
+        purlLocationMap[purl] ??= new Set();
+        for (const location of locations) {
+          purlLocationMap[purl].add(location);
+        }
+      }
+      servicesMap = collectDosaiServicesFromMethods(usageSlice, servicesMap);
+      userDefinedTypesMap = {};
+    }
+    if (options.withDataFlow) {
+      if (
+        options.dataFlowSlicesFile &&
+        safeExistsSync(options.dataFlowSlicesFile)
+      ) {
+        dataFlowSlicesFile = options.dataFlowSlicesFile;
+        dataFlowSlice = JSON.parse(
+          fs.readFileSync(options.dataFlowSlicesFile, "utf-8"),
+        );
+      } else {
+        retMap = await createSlice(language, dirPath, "data-flow", options);
+        if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+          dataFlowSlicesFile = retMap.slicesFile;
+          dataFlowSlice = JSON.parse(
+            fs.readFileSync(retMap.slicesFile, "utf-8"),
+          );
+        }
+      }
+      if (dataFlowSlice && Object.keys(dataFlowSlice).length) {
+        dataFlowFrames = collectDosaiDataFlowFrames(dataFlowSlice, components);
+      }
+    }
+    if (options.includeCrypto) {
+      cryptoComponents = await collectDosaiCryptoComponents(dirPath, options);
+    }
+    return {
+      usagesSlicesFile,
+      dataFlowSlicesFile,
+      purlLocationMap,
+      servicesMap,
+      dataFlowFrames,
+      tempDir: retMap?.tempDir,
+      tempDirOwned: retMap?.tempDirOwned,
+      userDefinedTypesMap,
+      cryptoComponents,
+      cryptoGeneratePurls,
+    };
+  }
   // Do reachables first so that usages slicing can reuse the atom file
   // We need reachables slicing even when trying to infer crypto packages
   if (options.withReachables || options.includeCrypto) {
@@ -1472,8 +1587,8 @@ export function createEvinseFile(sliceArtefacts, options) {
         properties: servicesMap[serviceName].properties,
       });
     }
-    // Add to existing services
-    bomJson.services = (bomJson.services || []).concat(services);
+    // Add to existing services while preserving CycloneDX uniqueItems validity
+    bomJson.services = mergeServices(bomJson.services || [], services);
     servicesPresent = true;
   }
   // Add the crypto components to the components list

package/lib/helpers/cbomutils.js

@@ -3,6 +3,7 @@ import { join } from "node:path";
 
 import { executeOsQuery } from "../managers/binary.js";
 import { detectJsCryptoInventory } from "./analyzer.js";
+import { analyzeDosaiCrypto } from "./dosai.js";
 import {
   createOccurrenceEvidence,
   formatOccurrenceEvidence,
@@ -239,16 +240,19 @@ function mergeAlgorithmComponentUsage(component, usage, src, options) {
     }
   }
   if (usage.source) {
+    const sourceType =
+      usage.source === "dosai" ? undefined : `js-ast:${usage.source}`;
     if (
+      sourceType &&
       !properties.some(
         (property) =>
           property.name === "cdx:crypto:sourceType" &&
-          property.value === `js-ast:${usage.source}`,
+          property.value === sourceType,
       )
     ) {
       properties.push({
         name: "cdx:crypto:sourceType",
-        value: `js-ast:${usage.source}`,
+        value: sourceType,
       });
     }
   }
@@ -271,6 +275,93 @@ function mergeAlgorithmComponentUsage(component, usage, src, options) {
   return component;
 }
 
+function normalizeDosaiCryptoNames(cryptoObject) {
+  const rawName = cryptoObject?.Name || cryptoObject;
+  const names = new Set([rawName]);
+  const cleanName = String(rawName || "").trim();
+  if (!cleanName) {
+    return [];
+  }
+  if (cleanName.includes("/")) {
+    for (const part of cleanName
+      .split("/")
+      .map((candidate) => candidate.trim())
+      .filter(Boolean)) {
+      names.add(part);
+    }
+  }
+  if (/^SHA-?256$/i.test(cleanName)) {
+    names.add("sha-256");
+  } else if (/^SHA-?384$/i.test(cleanName)) {
+    names.add("sha-384");
+  } else if (/^SHA-?512$/i.test(cleanName)) {
+    names.add("sha-512");
+  } else if (/^SHA-?1$/i.test(cleanName)) {
+    names.add("sha-1");
+  }
+  const context = [
+    cryptoObject?.Symbol,
+    cryptoObject?.Code,
+    cryptoObject?.Algorithm,
+  ]
+    .filter(Boolean)
+    .join(" ");
+  if (/^SHA-?2$/i.test(cleanName)) {
+    if (/SHA-?256/i.test(context)) {
+      names.add("sha-256");
+    }
+    if (/SHA-?384/i.test(context)) {
+      names.add("sha-384");
+    }
+    if (/SHA-?512/i.test(context)) {
+      names.add("sha-512");
+    }
+  }
+  return Array.from(names);
+}
+
+function dosaiCryptoUsage(assetOrOperation) {
+  const location = assetOrOperation.Location || {};
+  return {
+    fileName: location.Path || location.FileName,
+    lineNumber: location.LineNumber || undefined,
+    columnNumber: location.ColumnNumber || undefined,
+    primitive: assetOrOperation.Family || assetOrOperation.OperationType,
+    source: "dosai",
+  };
+}
+
+function addDosaiProperties(component, dosaiObject, evidenceType) {
+  const properties = component.properties || [];
+  const addProperty = (name, value) => {
+    if (value === undefined || value === null || value === "") {
+      return;
+    }
+    if (
+      !properties.some(
+        (property) =>
+          property.name === name && property.value === String(value),
+      )
+    ) {
+      properties.push({ name, value: String(value) });
+    }
+  };
+  addProperty("cdx:crypto:sourceType", `dosai:${evidenceType}`);
+  addProperty("cdx:dosai:crypto:id", dosaiObject.Id);
+  addProperty("cdx:dosai:crypto:strength", dosaiObject.Strength);
+  addProperty(
+    "cdx:dosai:crypto:reachableFromEntryPoint",
+    dosaiObject.ReachableFromEntryPoint,
+  );
+  if (dosaiObject.EntryPointIds?.length) {
+    addProperty(
+      "cdx:dosai:crypto:entryPointCount",
+      dosaiObject.EntryPointIds.length,
+    );
+  }
+  component.properties = properties;
+}
+
 export async function collectSourceCryptoComponents(src, options = {}) {
   const inventory = await detectJsCryptoInventory(src, Boolean(options.deep));
   const componentsByRef = new Map();
@@ -317,6 +408,75 @@ export async function collectSourceCryptoComponents(src, options = {}) {
   );
 }
 
+export async function collectDosaiCryptoComponents(src, options = {}) {
+  const dosaiCrypto = analyzeDosaiCrypto(src, options);
+  if (!dosaiCrypto) {
+    return [];
+  }
+  const componentsByRef = new Map();
+  const cryptoObjects = [
+    ...(dosaiCrypto.Assets || []).filter(
+      (asset) => asset.AssetType === "algorithm",
+    ),
+    ...(dosaiCrypto.Operations || []).map((operation) => ({
+      ...operation,
+      Name: operation.Algorithm,
+      Family: operation.OperationType,
+    })),
+  ];
+  for (const cryptoObject of cryptoObjects) {
+    for (const candidateName of normalizeDosaiCryptoNames(cryptoObject)) {
+      const normalizedName = normalizeDetectedCryptoAlgorithmName(
+        candidateName,
+        "algorithm",
+      );
+      const algorithmMetadata =
+        cbomCryptoOids[normalizedName] || cbomCryptoOids[candidateName];
+      if (!algorithmMetadata?.oid) {
+        continue;
+      }
+      const bomRef = cryptoAlgorithmBomRef(
+        normalizedName,
+        algorithmMetadata.oid,
+      );
+      const component = componentsByRef.get(bomRef) || {
+        type: "cryptographic-asset",
+        name: normalizedName,
+        "bom-ref": bomRef,
+        description:
+          algorithmMetadata.description ||
+          "Cryptographic algorithm detected by dosai source analysis",
+        cryptoProperties: {
+          assetType: "algorithm",
+          oid: algorithmMetadata.oid,
+        },
+        properties: [],
+      };
+      mergeAlgorithmComponentUsage(
+        component,
+        dosaiCryptoUsage(cryptoObject),
+        src,
+        options,
+      );
+      addDosaiProperties(
+        component,
+        cryptoObject,
+        cryptoObject.OperationType ? "operation" : "asset",
+      );
+      componentsByRef.set(bomRef, component);
+    }
+  }
+  const components = Array.from(componentsByRef.values());
+  components.forEach((component) => {
+    normalizeCryptoComponentEvidence(component, options);
+  });
+  return components.sort((left, right) =>
+    `${left.name}:${left["bom-ref"]}`.localeCompare(
+      `${right.name}:${right["bom-ref"]}`,
+    ),
+  );
+}
+
 /**
  * Find crypto algorithm in the given code snippet
  *