@cyclonedx/cdxgen 12.4.1 → 12.4.3

package/bin/evinse.js

@@ -51,15 +51,30 @@ const args = yargs(hideBin(process.argv))
       "py",
       "python",
       "android",
+      "csharp",
+      "cs",
       "c",
       "cpp",
+      "dotnet",
       "php",
       "swift",
       "ios",
       "ruby",
       "scala",
+      "vb",
+      "vbnet",
+      "visualbasic",
+      "f#",
+      "fs",
+      "fsharp",
     ],
   })
+  .option("profile", {
+    description:
+      "Evidence profile. The research profile enables dosai data-flow and crypto analysis for .NET projects.",
+    default: "generic",
+    choices: ["generic", "research"],
+  })
   .option("db-path", {
     description: "Atom slices DB path. Unused",
     default: undefined,

package/lib/cli/index.js

@@ -46,7 +46,10 @@ import {
   toCycloneDxSpecVersionString,
 } from "../helpers/bomUtils.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
-import { collectSourceCryptoComponents } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  collectSourceCryptoComponents,
+} from "../helpers/cbomutils.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
   collectChromeExtensionsFromPath,
@@ -58,6 +61,13 @@ import {
   mergeServices,
   trimComponents,
 } from "../helpers/depsUtils.js";
+import {
+  collectDosaiServicesFromMethods,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+  normalizeDosaiServiceMap,
+  readDosaiJsonFile,
+} from "../helpers/dosai.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import {
   createHbomDocument,
@@ -246,7 +256,6 @@ import {
   enrichOSComponentsWithTrustData,
   executeOsQuery,
   getBinaryBom,
-  getDotnetSlices,
   getOSPackages,
   getPluginToolComponents,
 } from "../managers/binary.js";
@@ -400,6 +409,27 @@ const hasExplicitProjectTypeSelection = (options, baseProjectType) => {
   );
 };
 
+const hasDotnetProjectIndicators = (src, options = {}) => {
+  return Boolean(
+    getAllFiles(src, "**/*.{csproj,fsproj,vbproj,sln}", options)?.length,
+  );
+};
+
+const shouldCollectDosaiCrypto = (src, options = {}) => {
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (projectTypes.some((projectType) => isDosaiDotnetLanguage(projectType))) {
+    return true;
+  }
+  if (!projectTypes.length || projectTypes.includes("universal")) {
+    return hasDotnetProjectIndicators(src, options);
+  }
+  return false;
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -1749,7 +1779,7 @@ export async function createJavaBom(path, options) {
         console.log(`Executing '${mavenCmd}' in`, basePath);
         result = safeSpawnSync(mavenCmd, mvnArgs, {
           cwd: basePath,
-          shell: true,
+          shell: isWin,
         });
         // Check if the cyclonedx plugin created the required bom.json file
         // Sometimes the plugin fails silently for complex maven projects
@@ -1807,7 +1837,7 @@ export async function createJavaBom(path, options) {
           }
           result = safeSpawnSync("mvn", findParentComponentArgs, {
             cwd: basePath,
-            shell: true,
+            shell: isWin,
           });
           if (result.status === 0) {
             if (safeExistsSync(tempMvnParentTree)) {
@@ -1840,7 +1870,7 @@ export async function createJavaBom(path, options) {
           mvnTreeArgs,
           {
             cwd: basePath,
-            shell: true,
+            shell: isWin,
           },
         );
         if (result.status !== 0 || result.error) {
@@ -2385,7 +2415,7 @@ export async function createJavaBom(path, options) {
       console.log("Executing", BAZEL_CMD, "in", basePath);
       let result = safeSpawnSync(BAZEL_CMD, bArgs, {
         cwd: basePath,
-        shell: true,
+        shell: isWin,
       });
       if (result.status !== 0 || result.error) {
         if (result.stderr) {
@@ -7742,6 +7772,7 @@ export async function createCsharpBom(path, options) {
     }
   }
   const pkgNameVersions = {};
+  let services = [];
   if (csProjFiles.length) {
     manifestFiles = manifestFiles.concat(csProjFiles);
     // Parsing csproj is quite error-prone. Some project files may not have versions specified
@@ -7803,21 +7834,30 @@ export async function createCsharpBom(path, options) {
     // Perform deep analysis using dosai
     if (options.deep) {
       const slicesFile = resolve(
-        join(path, options.depsSlicesFile) || join(getTmpDir(), "dosai.json"),
+        options.depsSlicesFile
+          ? join(path, options.depsSlicesFile)
+          : join(getTmpDir(), "dosai.json"),
       );
       // Create the slices file if it doesn't exist
       if (!safeExistsSync(slicesFile)) {
         thoughtLog(
           "Alright, the next step is to invoke the dosai command to identify evidence of occurrences for various components.",
         );
-        const sliceResult = getDotnetSlices(resolve(path), resolve(slicesFile));
+        const sliceResult = createDosaiMethodsSlice(
+          resolve(path),
+          resolve(slicesFile),
+          options,
+        );
         if (!sliceResult && DEBUG_MODE) {
           console.log(
             "Slicing with dosai was unsuccessful. Check the errors reported in the logs above.",
           );
         }
       }
-      pkgList = addEvidenceForDotnet(pkgList, slicesFile, options);
+      pkgList = addEvidenceForDotnet(pkgList, slicesFile);
+      const methodsSlice = readDosaiJsonFile(slicesFile);
+      const servicesMap = collectDosaiServicesFromMethods(methodsSlice, {});
+      services = normalizeDosaiServiceMap(servicesMap);
     }
   }
   // Parent dependency tree
@@ -7843,6 +7883,8 @@ export async function createCsharpBom(path, options) {
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
+    services,
+    tools: options.deep ? getPluginToolComponents(["dosai"]) : [],
   });
 }
 
@@ -8354,6 +8396,15 @@ export async function createCryptoCertsBom(path, options) {
   if (sourceCryptoComponents.length) {
     pkgList.push(...sourceCryptoComponents);
   }
+  if (shouldCollectDosaiCrypto(path, options)) {
+    const dosaiCryptoComponents = await collectDosaiCryptoComponents(
+      path,
+      options,
+    );
+    if (dosaiCryptoComponents.length) {
+      pkgList.push(...dosaiCryptoComponents);
+    }
+  }
   return {
     bomJson: {
       components: pkgList,

package/lib/cli/index.poku.js

@@ -1,5 +1,6 @@
 import { execFileSync, spawnSync } from "node:child_process";
 import {
+  chmodSync,
   copyFileSync,
   existsSync,
   mkdirSync,
@@ -29,6 +30,7 @@ import { postProcess } from "../stages/postgen/postgen.js";
 import {
   createBom,
   createChromeExtensionBom,
+  createJavaBom,
   createNodejsBom,
   createPHPBom,
   createPythonBom,
@@ -286,6 +288,165 @@ describe("CLI tests", () => {
       );
       assert.strictEqual(components[0].type, "data");
     });
+
+    it("does not invoke dosai crypto analysis for non-.NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-non-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["js"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.notCalled(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis for explicit .NET CBOM scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cbom-dotnet-"));
+      const collectDosaiCryptoComponents = sinon.stub().resolves([
+        {
+          name: "sha-256",
+          type: "cryptographic-asset",
+          "bom-ref": "crypto/algorithm/sha-256@2.16.840.1.101.3.4.2.1",
+          cryptoProperties: {
+            assetType: "algorithm",
+            oid: "2.16.840.1.101.3.4.2.1",
+          },
+        },
+      ]);
+      try {
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        const bomData = await createCryptoCertsBom(tempDir, {
+          projectType: ["dotnet"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+        assert.strictEqual(bomData.bomJson.components[0].name, "sha-256");
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("invokes dosai crypto analysis when universal scans contain .NET project files", async () => {
+      const tempDir = mkdtempSync(
+        join(tmpdir(), "cdxgen-cbom-dotnet-indicator-"),
+      );
+      const collectDosaiCryptoComponents = sinon.stub().resolves([]);
+      try {
+        writeFileSync(join(tempDir, "app.csproj"), "<Project />");
+        const { createCryptoCertsBom } = await esmock("./index.js", {
+          "../helpers/cbomutils.js": {
+            collectDosaiCryptoComponents,
+            collectSourceCryptoComponents: sinon.stub().resolves([]),
+          },
+        });
+
+        await createCryptoCertsBom(tempDir, {
+          projectType: ["universal"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(collectDosaiCryptoComponents);
+      } finally {
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+
+    it("does not interpret shell metacharacters in Maven module paths", async () => {
+      if (process.platform === "win32") {
+        return;
+      }
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-maven-shell-"));
+      const fakeBinDir = join(tempDir, "bin");
+      const repoDir = join(tempDir, "repo");
+      const markerFile = join(tmpdir(), "CDXGEN_GITURL_E2E_MARKER_TEST");
+      const shellIfs = "$" + "{IFS}";
+      const maliciousDirName = `evil;cd${shellIfs}..;cd${shellIfs}..;printf${shellIfs}CDXGEN_MAVEN_GIT_URL_E2E_SHELL_INJECTION>CDXGEN_GITURL_E2E_MARKER_TEST;#`;
+      const maliciousModuleDir = join(repoDir, maliciousDirName);
+      const originalPath = process.env.PATH;
+      const originalMvnCmd = process.env.MVN_CMD;
+      const originalMavenCmd = process.env.MAVEN_CMD;
+      const originalMvnArgs = process.env.MVN_ARGS;
+
+      try {
+        rmSync(markerFile, { force: true });
+        mkdirSync(fakeBinDir, { recursive: true });
+        mkdirSync(maliciousModuleDir, { recursive: true });
+        writeFileSync(
+          join(maliciousModuleDir, "pom.xml"),
+          "<project><modelVersion>4.0.0</modelVersion><groupId>org.example</groupId><artifactId>evil</artifactId><version>1.0.0</version></project>",
+        );
+        writeFileSync(join(maliciousModuleDir, "settings.xml"), "<settings />");
+        const fakeMvn = join(fakeBinDir, "mvn");
+        writeFileSync(
+          fakeMvn,
+          `#!/bin/sh
+for arg do
+  case "$arg" in
+    -DoutputFile=*)
+      output="\${arg#-DoutputFile=}"
+      mkdir -p "$(dirname "$output")"
+      printf 'org.example:evil:jar:1.0.0:compile\\n' > "$output"
+      ;;
+  esac
+done
+`,
+        );
+        chmodSync(fakeMvn, 0o755);
+        process.env.PATH = `${fakeBinDir}${process.env.PATH ? `:${process.env.PATH}` : ""}`;
+        delete process.env.MVN_CMD;
+        delete process.env.MAVEN_CMD;
+        delete process.env.MVN_ARGS;
+
+        await createJavaBom(repoDir, {
+          multiProject: true,
+          projectType: ["java"],
+          specVersion: 1.6,
+        });
+
+        assert.strictEqual(existsSync(markerFile), false);
+      } finally {
+        if (originalPath === undefined) {
+          delete process.env.PATH;
+        } else {
+          process.env.PATH = originalPath;
+        }
+        if (originalMvnCmd === undefined) {
+          delete process.env.MVN_CMD;
+        } else {
+          process.env.MVN_CMD = originalMvnCmd;
+        }
+        if (originalMavenCmd === undefined) {
+          delete process.env.MAVEN_CMD;
+        } else {
+          process.env.MAVEN_CMD = originalMavenCmd;
+        }
+        if (originalMvnArgs === undefined) {
+          delete process.env.MVN_ARGS;
+        } else {
+          process.env.MVN_ARGS = originalMvnArgs;
+        }
+        rmSync(markerFile, { force: true });
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
   });
 
   describe("distribution filters", () => {

package/lib/evinser/evinser.js

@@ -4,7 +4,19 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
-import { findCryptoAlgos } from "../helpers/cbomutils.js";
+import {
+  collectDosaiCryptoComponents,
+  findCryptoAlgos,
+} from "../helpers/cbomutils.js";
+import { mergeServices } from "../helpers/depsUtils.js";
+import {
+  collectDosaiDataFlowFrames,
+  collectDosaiPurlEvidence,
+  collectDosaiServicesFromMethods,
+  createDosaiDataFlowSlice,
+  createDosaiMethodsSlice,
+  isDosaiDotnetLanguage,
+} from "../helpers/dosai.js";
 import { parseOccurrenceEvidenceLocation } from "../helpers/evidenceUtils.js";
 import {
   collectGradleDependencies,
@@ -230,6 +242,8 @@ export async function createSlice(
     language = "python";
   } else if (PROJECT_TYPE_ALIASES.scala.includes(language)) {
     language = "scala";
+  } else if (isDosaiDotnetLanguage(language)) {
+    language = "csharp";
   }
   if (
     PROJECT_TYPE_ALIASES.swift.includes(language) &&
@@ -270,6 +284,33 @@ export async function createSlice(
     }
     return { tempDir: sliceOutputDir, tempDirOwned, slicesFile };
   }
+  if (isDosaiDotnetLanguage(language)) {
+    console.log(
+      `Creating ${sliceType} slice for ${resolve(filePath)} using dosai. Please wait ...`,
+    );
+    const sliceResult =
+      sliceType === "data-flow"
+        ? createDosaiDataFlowSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          )
+        : createDosaiMethodsSlice(
+            resolve(filePath),
+            resolve(slicesFile),
+            options,
+          );
+    if (!sliceResult) {
+      console.warn(
+        `Unable to generate ${sliceType} slice using dosai. Check if this is a supported .NET project.`,
+      );
+    }
+    return {
+      tempDir: sliceOutputDir,
+      tempDirOwned,
+      slicesFile,
+    };
+  }
   console.log(
     `Creating ${sliceType} slice for ${resolve(filePath)}. Please wait ...`,
   );
@@ -393,6 +434,9 @@ export function purlToLanguage(purl, filePath) {
     case "gem":
       language = "ruby";
       break;
+    case "nuget":
+      language = "csharp";
+      break;
     case "generic":
       language = "c";
   }
@@ -474,6 +518,77 @@ export async function analyzeProject(dbObjMap, options) {
   // Load any existing purl-location information from the sbom.
   // For eg: cdxgen populates this information for javascript projects
   let { purlLocationMap, purlImportsMap } = initFromSbom(components, language);
+  if (isDosaiDotnetLanguage(language)) {
+    if (options.profile === "research") {
+      options.withDataFlow = true;
+      options.includeCrypto = true;
+    }
+    if (
+      options.usagesSlicesFile &&
+      usableSlicesFile(options.usagesSlicesFile)
+    ) {
+      usageSlice = JSON.parse(
+        fs.readFileSync(options.usagesSlicesFile, "utf-8"),
+      );
+      usagesSlicesFile = options.usagesSlicesFile;
+    } else {
+      retMap = await createSlice(language, dirPath, "usages", options);
+      if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+        usageSlice = JSON.parse(fs.readFileSync(retMap.slicesFile, "utf-8"));
+        usagesSlicesFile = retMap.slicesFile;
+      }
+    }
+    if (usageSlice && Object.keys(usageSlice).length) {
+      const dosaiEvidence = collectDosaiPurlEvidence(usageSlice, components);
+      for (const [purl, locations] of Object.entries(
+        dosaiEvidence.purlLocationMap,
+      )) {
+        purlLocationMap[purl] ??= new Set();
+        for (const location of locations) {
+          purlLocationMap[purl].add(location);
+        }
+      }
+      servicesMap = collectDosaiServicesFromMethods(usageSlice, servicesMap);
+      userDefinedTypesMap = {};
+    }
+    if (options.withDataFlow) {
+      if (
+        options.dataFlowSlicesFile &&
+        safeExistsSync(options.dataFlowSlicesFile)
+      ) {
+        dataFlowSlicesFile = options.dataFlowSlicesFile;
+        dataFlowSlice = JSON.parse(
+          fs.readFileSync(options.dataFlowSlicesFile, "utf-8"),
+        );
+      } else {
+        retMap = await createSlice(language, dirPath, "data-flow", options);
+        if (retMap?.slicesFile && safeExistsSync(retMap.slicesFile)) {
+          dataFlowSlicesFile = retMap.slicesFile;
+          dataFlowSlice = JSON.parse(
+            fs.readFileSync(retMap.slicesFile, "utf-8"),
+          );
+        }
+      }
+      if (dataFlowSlice && Object.keys(dataFlowSlice).length) {
+        dataFlowFrames = collectDosaiDataFlowFrames(dataFlowSlice, components);
+      }
+    }
+    if (options.includeCrypto) {
+      cryptoComponents = await collectDosaiCryptoComponents(dirPath, options);
+    }
+    return {
+      usagesSlicesFile,
+      dataFlowSlicesFile,
+      purlLocationMap,
+      servicesMap,
+      dataFlowFrames,
+      tempDir: retMap?.tempDir,
+      tempDirOwned: retMap?.tempDirOwned,
+      userDefinedTypesMap,
+      cryptoComponents,
+      cryptoGeneratePurls,
+    };
+  }
   // Do reachables first so that usages slicing can reuse the atom file
   // We need reachables slicing even when trying to infer crypto packages
   if (options.withReachables || options.includeCrypto) {
@@ -1472,8 +1587,8 @@ export function createEvinseFile(sliceArtefacts, options) {
         properties: servicesMap[serviceName].properties,
       });
     }
-    // Add to existing services
-    bomJson.services = (bomJson.services || []).concat(services);
+    // Add to existing services while preserving CycloneDX uniqueItems validity
+    bomJson.services = mergeServices(bomJson.services || [], services);
     servicesPresent = true;
   }
   // Add the crypto components to the components list