@cyclonedx/cdxgen 12.4.1 → 12.4.3

package/lib/helpers/dosai.poku.js

@@ -0,0 +1,302 @@
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+import {
+  buildPurlAliasMap,
+  collectDosaiDataFlowFrames,
+  collectDosaiPurlEvidence,
+  collectDosaiServicesFromMethods,
+  isDosaiDotnetLanguage,
+  normalizeDosaiServiceMap,
+  resolveComponentPurl,
+} from "./dosai.js";
+
+describe("dosai helpers", () => {
+  it("recognizes C#, VB.NET, and F# language aliases", () => {
+    for (const language of [
+      "csharp",
+      "dotnet",
+      "vb",
+      "vbnet",
+      "visualbasic",
+      "f#",
+      "fs",
+      "fsharp",
+    ]) {
+      assert.strictEqual(isDosaiDotnetLanguage(language), true);
+    }
+  });
+
+  it("matches versionless dosai purls to cdxgen component purls", () => {
+    const components = [{ purl: "pkg:nuget/System.Text.Json@10.0.0" }];
+    const aliases = buildPurlAliasMap(components);
+
+    assert.strictEqual(
+      resolveComponentPurl("pkg:nuget/System.Text.Json", aliases),
+      "pkg:nuget/System.Text.Json@10.0.0",
+    );
+  });
+
+  it("collects package occurrence evidence from dosai PackageReachability", () => {
+    const methodsSlice = {
+      CallGraph: {
+        Edges: [
+          {
+            Id: "e1",
+            FileName: "System.Text.Json.dll",
+            LineNumber: 12,
+            CalledMethodName: "System.Text.Json.JsonSerializer.Deserialize",
+            TargetName: "Deserialize",
+          },
+        ],
+        Nodes: [
+          {
+            Id: "n1",
+            FileName: "Program.cs",
+            LineNumber: 10,
+            ClassName: "Program",
+            Name: "Main",
+          },
+          {
+            Id: "n2",
+            FileName: "System.Text.Json.dll",
+            LineNumber: 0,
+            ClassName: "JsonSerializer",
+            Name: "Deserialize",
+          },
+        ],
+      },
+      PackageReachability: [
+        {
+          Purl: "pkg:nuget/System.Text.Json",
+          EdgeIds: ["e1"],
+          NodeIds: ["n1", "n2"],
+          SourceLocations: [
+            {
+              Path: "Controllers/Parser.cs",
+              FileName: "Parser.cs",
+              LineNumber: 42,
+              ColumnNumber: 13,
+              Kind: "CallGraphEdge",
+            },
+          ],
+        },
+      ],
+    };
+    const retMap = collectDosaiPurlEvidence(methodsSlice, [
+      { purl: "pkg:nuget/System.Text.Json@10.0.0" },
+    ]);
+
+    assert.deepStrictEqual(
+      Array.from(
+        retMap.purlLocationMap["pkg:nuget/System.Text.Json@10.0.0"],
+      ).sort(),
+      ["Controllers/Parser.cs#42"],
+    );
+    assert.ok(
+      retMap.purlMethodsMap["pkg:nuget/System.Text.Json@10.0.0"].has(
+        "System.Text.Json.JsonSerializer.Deserialize",
+      ),
+    );
+  });
+
+  it("keeps PackageReachability fallback occurrence evidence source-only", () => {
+    const retMap = collectDosaiPurlEvidence(
+      {
+        CallGraph: {
+          Edges: [
+            {
+              Id: "e1",
+              FileName: "System.Text.Json.dll",
+              LineNumber: 12,
+              CalledMethodName: "System.Text.Json.JsonSerializer.Deserialize",
+              CallLocation: {
+                FileName: "Program.fs",
+                LineNumber: 8,
+              },
+            },
+            {
+              Id: "e2",
+              FileName: "Controllers/EpisodesController.cs",
+              LineNumber: 17,
+              CalledMethodName: "System.Text.Json.JsonSerializer.Serialize",
+            },
+          ],
+        },
+        PackageReachability: [
+          {
+            Purl: "pkg:nuget/System.Text.Json",
+            EdgeIds: ["e1", "e2"],
+          },
+        ],
+      },
+      [{ purl: "pkg:nuget/System.Text.Json@10.0.0" }],
+    );
+
+    assert.deepStrictEqual(
+      Array.from(retMap.purlLocationMap["pkg:nuget/System.Text.Json@10.0.0"]),
+      ["Program.fs#8", "Controllers/EpisodesController.cs#17"],
+    );
+    assert.ok(
+      !Array.from(
+        retMap.purlLocationMap["pkg:nuget/System.Text.Json@10.0.0"],
+      ).some((location) => location.includes(".dll")),
+    );
+  });
+
+  it("collects package occurrence evidence from dosai Dependencies with purls", () => {
+    const retMap = collectDosaiPurlEvidence(
+      {
+        Dependencies: [
+          {
+            Path: "Program.vb",
+            FileName: "Program.vb",
+            Name: "Newtonsoft.Json",
+            Purl: "pkg:nuget/Newtonsoft.Json@13.0.3",
+            LineNumber: 4,
+            ColumnNumber: 9,
+          },
+        ],
+      },
+      [{ purl: "pkg:nuget/Newtonsoft.Json@13.0.3" }],
+    );
+
+    assert.deepStrictEqual(
+      Array.from(retMap.purlLocationMap["pkg:nuget/Newtonsoft.Json@13.0.3"]),
+      ["Program.vb#4"],
+    );
+    assert.ok(
+      retMap.purlModulesMap["pkg:nuget/Newtonsoft.Json@13.0.3"].has(
+        "Newtonsoft.Json",
+      ),
+    );
+  });
+
+  it("builds CycloneDX services from dosai ApiEndpoints without raw policy names", () => {
+    const servicesMap = collectDosaiServicesFromMethods({
+      ApiEndpoints: [
+        {
+          Route: "/api/podcasts?sig=secret",
+          FileName: "EpisodesController.cs",
+          Path: "Controllers/EpisodesController.cs",
+          ClassName: "EpisodesController",
+          MethodName: "Get",
+          HttpMethod: "GET",
+          EndpointKind: "Attribute",
+          AuthorizationRequired: true,
+          AuthorizationPolicies: ["InternalPolicyName"],
+          Roles: ["Admin"],
+          AllowAnonymous: false,
+          LineNumber: 42,
+          ColumnNumber: 9,
+        },
+      ],
+    });
+    const services = normalizeDosaiServiceMap(servicesMap);
+
+    assert.strictEqual(services.length, 1);
+    assert.deepStrictEqual(services[0].endpoints, ["/api/podcasts"]);
+    assert.strictEqual(services[0].authenticated, true);
+    assert.ok(
+      services[0].properties.some(
+        (property) =>
+          property.name === "cdx:dosai:authorizationPolicyCount" &&
+          property.value === "1",
+      ),
+    );
+    assert.ok(!JSON.stringify(services[0]).includes("InternalPolicyName"));
+  });
+
+  it("collects callstack frames from dosai data-flow slices", () => {
+    const frames = collectDosaiDataFlowFrames(
+      {
+        Nodes: [
+          {
+            Id: "dfn1",
+            Path: "Controllers/EpisodesController.cs",
+            Namespace: "Podcast.Api",
+            ClassName: "EpisodesController",
+            MethodName: "Get",
+            LineNumber: 12,
+            ColumnNumber: 5,
+          },
+          {
+            Id: "dfn2",
+            Path: "Services/JsonLoader.cs",
+            Namespace: "Podcast.Api",
+            ClassName: "JsonLoader",
+            MethodName: "Load",
+            LineNumber: 20,
+            ColumnNumber: 9,
+          },
+        ],
+        Slices: [
+          {
+            NodeIds: ["dfn1", "dfn2"],
+            Purls: ["pkg:nuget/System.Text.Json"],
+          },
+        ],
+      },
+      [{ purl: "pkg:nuget/System.Text.Json@10.0.0" }],
+    );
+
+    assert.strictEqual(frames["pkg:nuget/System.Text.Json@10.0.0"].length, 1);
+    assert.strictEqual(
+      frames["pkg:nuget/System.Text.Json@10.0.0"][0][1].function,
+      "Load",
+    );
+  });
+
+  it("rejects unsafe dosai command inputs before spawning", async () => {
+    const safeSpawnSync = sinon.stub().returns({ status: 0 });
+    const { runDosaiCommand } = await esmock("./dosai.js", {
+      "./plugins.js": { resolvePluginBinary: sinon.stub().returns("dosai") },
+      "./utils.js": {
+        DEBUG_MODE: false,
+        getTmpDir: sinon.stub().returns("/tmp"),
+        safeExistsSync: sinon.stub().returns(true),
+        safeMkdtempSync: sinon.stub(),
+        safeRmSync: sinon.stub(),
+        safeSpawnSync,
+      },
+    });
+
+    assert.strictEqual(
+      runDosaiCommand("methods;rm -rf /", "/tmp/project", "/tmp/out.json"),
+      false,
+    );
+    assert.strictEqual(
+      runDosaiCommand("methods", "/tmp/project\n--bad", "/tmp/out.json"),
+      false,
+    );
+    sinon.assert.notCalled(safeSpawnSync);
+  });
+
+  it("spawns dosai with argument arrays and shell disabled", async () => {
+    const safeSpawnSync = sinon.stub().returns({ status: 0 });
+    const { runDosaiCommand } = await esmock("./dosai.js", {
+      "./plugins.js": { resolvePluginBinary: sinon.stub().returns("dosai") },
+      "./utils.js": {
+        DEBUG_MODE: false,
+        getTmpDir: sinon.stub().returns("/tmp"),
+        safeExistsSync: sinon.stub().returns(true),
+        safeMkdtempSync: sinon.stub(),
+        safeRmSync: sinon.stub(),
+        safeSpawnSync,
+      },
+    });
+
+    assert.strictEqual(
+      runDosaiCommand("dataflows", "/tmp/project", "/tmp/out.json", {
+        dataFlowPatterns: "/tmp/patterns.json",
+        patternPacks: "/tmp/packs",
+      }),
+      true,
+    );
+    sinon.assert.calledOnce(safeSpawnSync);
+    assert.strictEqual(safeSpawnSync.firstCall.args[0], "dosai");
+    assert.ok(Array.isArray(safeSpawnSync.firstCall.args[1]));
+    assert.strictEqual(safeSpawnSync.firstCall.args[2].shell, false);
+  });
+});

package/lib/helpers/dosaiParsers.js

@@ -0,0 +1,103 @@
+import { PackageURL } from "packageurl-js";
+
+export function normalizeDosaiPurlKey(purl) {
+  if (!purl || typeof purl !== "string") {
+    return undefined;
+  }
+  try {
+    const purlObj = PackageURL.fromString(purl);
+    return [
+      purlObj.type?.toLowerCase(),
+      purlObj.namespace?.toLowerCase() || "",
+      purlObj.name?.toLowerCase(),
+    ].join("/");
+  } catch (_err) {
+    return purl.split("?")[0].split("#")[0].split("@")[0].toLowerCase();
+  }
+}
+
+export function addDosaiSetValue(map, key, value) {
+  if (!key || !value) {
+    return;
+  }
+  map[key] ??= new Set();
+  map[key].add(value);
+}
+
+export function dosaiLocation(item) {
+  const location = item?.Location || item?.CallLocation || item;
+  const fileName =
+    location?.Path || location?.FileName || item?.Path || item?.FileName;
+  if (!fileName || fileName === "<unknown>") {
+    return undefined;
+  }
+  const lineNumber = location?.LineNumber || item?.LineNumber;
+  if (lineNumber && lineNumber > 0) {
+    return `${fileName}#${lineNumber}`;
+  }
+  return fileName;
+}
+
+function dosaiSourceFileName(item) {
+  const location = item?.Location || item?.CallLocation || item;
+  return String(
+    location?.Path || location?.FileName || item?.Path || item?.FileName || "",
+  );
+}
+
+function dosaiSourceLineNumber(item) {
+  const location = item?.Location || item?.CallLocation || item;
+  return location?.LineNumber || item?.LineNumber;
+}
+
+export function dosaiSourceLocationFromNode(node) {
+  const location = dosaiLocation(node);
+  const fileName = dosaiSourceFileName(node).toLowerCase();
+  const lineNumber = dosaiSourceLineNumber(node);
+  if (!location || !/\.(cs|vb|fs|fsx)$/i.test(fileName)) {
+    return undefined;
+  }
+  if (!lineNumber || lineNumber <= 0) {
+    return undefined;
+  }
+  return location;
+}
+
+export function dosaiSourceLocation(location) {
+  const sourceLocation = dosaiLocation(location);
+  const fileName = dosaiSourceFileName(location);
+  const lineNumber = dosaiSourceLineNumber(location);
+  if (!sourceLocation || !/\.(cs|vb|fs|fsx)$/i.test(fileName)) {
+    return undefined;
+  }
+  if (!lineNumber || lineNumber <= 0) {
+    return undefined;
+  }
+  return sourceLocation;
+}
+
+export function buildDosaiPurlAliasMap(components = []) {
+  const purlAliasMap = new Map();
+  for (const component of components) {
+    if (!component?.purl) {
+      continue;
+    }
+    purlAliasMap.set(component.purl, component.purl);
+    const key = normalizeDosaiPurlKey(component.purl);
+    if (key && !purlAliasMap.has(key)) {
+      purlAliasMap.set(key, component.purl);
+    }
+  }
+  return purlAliasMap;
+}
+
+export function resolveDosaiComponentPurl(purl, purlAliasMap) {
+  if (!purl) {
+    return undefined;
+  }
+  return (
+    purlAliasMap.get(purl) ||
+    purlAliasMap.get(normalizeDosaiPurlKey(purl)) ||
+    purl
+  );
+}

package/lib/helpers/utils.js

@@ -58,6 +58,13 @@ import Arborist from "../third-party/arborist/lib/index.js";
 import { analyzeSuspiciousJsFile } from "./analyzer.js";
 import { DEFAULT_HBOM_AUDIT_CATEGORIES } from "./auditCategories.js";
 import { parseWorkflowFile } from "./ciParsers/githubActions.js";
+import {
+  addDosaiSetValue,
+  buildDosaiPurlAliasMap,
+  dosaiSourceLocation,
+  dosaiSourceLocationFromNode,
+  resolveDosaiComponentPurl,
+} from "./dosaiParsers.js";
 import { extractPackageInfoFromHintPath } from "./dotnetutils.js";
 import {
   createOccurrenceEvidence,
@@ -1108,6 +1115,50 @@ function isWindowsShellHijackRisk(command, options) {
 
 const VERSION_PROBE_ARGS = new Set(["--version", "-version", "version"]);
 
+const POSIX_SHELL_METACHARACTERS = /[;&|<>$`\\\n\r]/;
+const WINDOWS_SHELL_METACHARACTERS = /[&|<>^%\n\r]/;
+
+function hasShellMetacharacters(value) {
+  if (value === undefined || value === null) {
+    return false;
+  }
+  const stringValue = String(value);
+  return isWin
+    ? WINDOWS_SHELL_METACHARACTERS.test(stringValue)
+    : POSIX_SHELL_METACHARACTERS.test(stringValue);
+}
+
+function getUnsafeShellToken(command, args) {
+  if (hasShellMetacharacters(command)) {
+    return command;
+  }
+  const argList = Array.isArray(args)
+    ? args
+    : args === undefined || args === null
+      ? []
+      : [args];
+  return argList.find((arg) => hasShellMetacharacters(arg));
+}
+
+function recordSuspiciousShellPathActivities(files, metadata = {}) {
+  for (const file of files) {
+    if (!hasShellMetacharacters(file)) {
+      continue;
+    }
+    recordActivity({
+      classification: "suspicious-path",
+      discoveryType: metadata.discoveryType,
+      kind: "inspect",
+      pattern: metadata.pattern,
+      reason:
+        "Suspicious path contains shell metacharacters. cdxgen passes direct process arguments as argv values, but review this path before invoking external build tools on untrusted projects.",
+      risk: "shell-metacharacters",
+      status: "completed",
+      target: file,
+    });
+  }
+}
+
 function detectProbeType(command, args = []) {
   const normalizedCommand = basename(String(command || "")).toLowerCase();
   const normalizedArgs = (args || []).map((arg) => String(arg).toLowerCase());
@@ -1286,8 +1337,30 @@ export function safeSpawnSync(command, args, options) {
     options = {
       ...options,
     };
+  }
+  if (options.cdxgenActivity) {
     delete options.cdxgenActivity;
   }
+  if (options.shell === true) {
+    const unsafeShellToken = getUnsafeShellToken(command, args);
+    if (unsafeShellToken !== undefined) {
+      const blockedReason = `Blocked shell execution for ${command}: command or argument contains shell metacharacters.`;
+      console.warn(`\x1b[1;31mSecurity Alert: ${blockedReason}\x1b[0m`);
+      recordActivity({
+        kind: activityDescriptor.kind,
+        ...activityDescriptor.metadata,
+        reason: blockedReason,
+        status: "blocked",
+        target: activityDescriptor.target,
+      });
+      return {
+        status: 1,
+        stdout: undefined,
+        stderr: undefined,
+        error: new Error(blockedReason),
+      };
+    }
+  }
   // Inject maxBuffer
   if (!options.maxBuffer) {
     options.maxBuffer = MAX_BUFFER;
@@ -1753,6 +1826,10 @@ export const PROJECT_TYPE_ALIASES = {
     "dotnet-framework47",
     "dotnet-framework48",
     "vb",
+    "vbnet",
+    "visualbasic",
+    "f#",
+    "fs",
     "fsharp",
     "twincat",
     "csproj",
@@ -2363,6 +2440,10 @@ export function getAllFilesWithIgnore(
       reasonBuilder: (count) =>
         `Scanned ${dirPath} with glob '${patternValue}' for ${discoveryMetadata.label}; matched ${files.length} path(s)${buildReadCountSuffix(count)}.`,
     });
+    recordSuspiciousShellPathActivities(files, {
+      discoveryType: discoveryMetadata.discoveryType,
+      pattern: patternValue,
+    });
     if (files.length > 1) {
       thoughtLog(
         `Found ${files.length} files for the pattern '${pattern}' at '${dirPath}'.`,
@@ -21739,6 +21820,42 @@ export async function getNugetMetadata(pkgList, dependencies = undefined) {
   };
 }
 
+function addDotnetIdentityMethod(apkg, value) {
+  if (!value) {
+    return;
+  }
+  apkg.evidence = apkg.evidence || {};
+  const identityList = Array.isArray(apkg.evidence.identity)
+    ? apkg.evidence.identity
+    : undefined;
+  let identity = identityList
+    ? identityList.find((entry) => entry?.field === "purl") ||
+      identityList.find((entry) => !entry?.field)
+    : apkg.evidence.identity;
+  if (!identity) {
+    identity = { field: "purl", confidence: 1, methods: [] };
+    if (identityList) {
+      identityList.push(identity);
+    }
+  }
+  identity.field ??= "purl";
+  identity.confidence ??= 1;
+  identity.methods ??= [];
+  if (
+    !identity.methods.some(
+      (method) =>
+        method.technique === "source-code-analysis" && method.value === value,
+    )
+  ) {
+    identity.methods.push({
+      technique: "source-code-analysis",
+      confidence: 1,
+      value,
+    });
+  }
+  apkg.evidence.identity = identityList || identity;
+}
+
 /**
  * Enrich .NET package components with occurrence evidence and imported module/method
  * information from a dosai dependency slices file.
@@ -21762,6 +21879,7 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
   const purlLocationMap = {};
   const purlModulesMap = {};
   const purlMethodsMap = {};
+  const purlAliasMap = buildDosaiPurlAliasMap(pkgList);
   for (const apkg of pkgList) {
     if (apkg.properties && Array.isArray(apkg.properties)) {
       apkg.properties
@@ -21778,13 +21896,33 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         });
     }
   }
-  const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
+  let slicesData;
+  try {
+    slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
+  } catch (_err) {
+    return pkgList;
+  }
   if (slicesData && Object.keys(slicesData)) {
     thoughtLog(
       "Let's thoroughly inspect the dependency slice to identify where and how the components are used.",
     );
     if (slicesData.Dependencies) {
       for (const adep of slicesData.Dependencies) {
+        if (adep.Purl) {
+          const modPurl = resolveDosaiComponentPurl(adep.Purl, purlAliasMap);
+          if (modPurl) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocation(adep),
+            );
+            addDosaiSetValue(
+              purlModulesMap,
+              modPurl,
+              adep.Name || adep.Namespace,
+            );
+          }
+        }
         // Case 1: Dependencies slice has the .dll file
         if (adep.Module?.endsWith(".dll") && pkgFilePurlMap[adep.Module]) {
           const modPurl = pkgFilePurlMap[adep.Module];
@@ -21810,6 +21948,64 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         }
       }
     }
+    if (slicesData.PackageReachability) {
+      const graphEdges = Object.fromEntries(
+        (slicesData.CallGraph?.Edges || []).map((edge) => [edge.Id, edge]),
+      );
+      const graphNodes = Object.fromEntries(
+        (slicesData.CallGraph?.Nodes || []).map((node) => [node.Id, node]),
+      );
+      for (const reachability of slicesData.PackageReachability) {
+        const modPurl = resolveDosaiComponentPurl(
+          reachability.Purl,
+          purlAliasMap,
+        );
+        if (!modPurl) {
+          continue;
+        }
+        let hasExplicitSourceLocations = false;
+        for (const sourceLocation of reachability.SourceLocations || []) {
+          const location = dosaiSourceLocation(sourceLocation);
+          addDosaiSetValue(purlLocationMap, modPurl, location);
+          hasExplicitSourceLocations ||= Boolean(location);
+        }
+        for (const edgeId of reachability.EdgeIds || []) {
+          const edge = graphEdges[edgeId];
+          if (!hasExplicitSourceLocations) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocation(edge),
+            );
+          }
+          addDosaiSetValue(
+            purlMethodsMap,
+            modPurl,
+            edge?.CalledMethodName || edge?.TargetName,
+          );
+        }
+        for (const nodeId of reachability.NodeIds || []) {
+          const node = graphNodes[nodeId];
+          if (!hasExplicitSourceLocations) {
+            addDosaiSetValue(
+              purlLocationMap,
+              modPurl,
+              dosaiSourceLocationFromNode(node),
+            );
+          }
+          addDosaiSetValue(
+            purlModulesMap,
+            modPurl,
+            node?.ClassName || node?.Module,
+          );
+          addDosaiSetValue(
+            purlMethodsMap,
+            modPurl,
+            node?.Name || node?.Identity?.MethodName,
+          );
+        }
+      }
+    }
     if (slicesData.MethodCalls) {
       for (const amethodCall of slicesData.MethodCalls) {
         if (
@@ -21857,6 +22053,7 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         apkg.evidence.occurrences = locationOccurrences.map((l) =>
           parseOccurrenceEvidenceLocation(l),
         );
+        addDotnetIdentityMethod(apkg, locationOccurrences[0]);
         // Set the package scope
         apkg.scope = "required";
       }