@cyclonedx/cdxgen 12.4.2 → 12.4.4

package/README.md

@@ -403,6 +403,12 @@ The default specification used by cdxgen is 1.7. To generate BOM for a different
 cdxgen -r -o bom.json --spec-version 1.6
 ```
 
+Use repeated `--component-type` values to include only selected CycloneDX component types. This is a filter, not an inventory enabler: passing a type such as `machine-learning-model` does not enable machine-learning model discovery, and filtering to a type that the scan does not generate can produce an empty component list. The allowed values are validated against `--spec-version`; for example, `cryptographic-asset` is rejected for CycloneDX 1.5 and unsupported component types are pruned during compatibility downgrades. The dedicated `cbom` command does not accept `--component-type`; use `cdxgen --include-crypto` for normal generation plus filtering.
+
+```shell
+cdxgen -t docker alpine:3.20 --spec-version 1.5 --component-type library --component-type data
+```
+
 To generate SBOM for C or Python, ensure Java >= 21 is installed.
 
 ```shell

package/bin/audit.js

@@ -109,6 +109,12 @@ const args = yargs(hideBin(process.argv))
       "Optional JSON array or newline-delimited file of purl prefixes to exclude from predictive audit target selection in addition to the built-in well-known allowlist.",
     type: "string",
   })
+  .option("skip-default-branch-recheck", {
+    default: false,
+    description:
+      "Skip rechecking critical/high findings against the default branch to detect issues already fixed upstream.",
+    type: "boolean",
+  })
   .check((argv) => {
     if (!argv.bom && !argv.bomDir) {
       throw new Error("Specify --bom or --bom-dir.");
@@ -187,6 +193,7 @@ function writeOrPrint(output, outputPath) {
       reportsDir: args.reportsDir,
       rulesDir: args.rulesDir,
       scope: args.scope === "required" ? "required" : undefined,
+      skipDefaultBranchRecheck: args.skipDefaultBranchRecheck,
       trusted: args.onlyTrusted
         ? "only"
         : args.includeTrusted

package/bin/cdxgen.js

@@ -20,7 +20,13 @@ import { hideBin } from "yargs/helpers";
 
 import { createBom, submitBom } from "../lib/cli/index.js";
 import { signBom, verifyBom } from "../lib/helpers/bomSigner.js";
-import { isCycloneDxBom } from "../lib/helpers/bomUtils.js";
+import {
+  getSupportedCycloneDxComponentTypes,
+  isCycloneDxBom,
+  isCycloneDxComponentTypeEnabled,
+  normalizeCycloneDxComponentTypeFilter,
+  toCycloneDxSpecVersionString,
+} from "../lib/helpers/bomUtils.js";
 import {
   displaySelfThreatModel,
   printActivitySummary,
@@ -135,6 +141,7 @@ const invokedCommandName = basename(process.argv[1] || "cdxgen").replace(
   /\.(?:[cm]?js|exe)$/u,
   "",
 );
+const defaultComponentTypeChoices = getSupportedCycloneDxComponentTypes(1.7);
 
 const args = _yargs
   .env("CDXGEN")
@@ -408,6 +415,7 @@ const args = _yargs
   .option("exclude", {
     alias: "exclude-regex",
     description: "Additional glob pattern(s) to ignore",
+    nargs: 1,
     type: "array",
   })
   .option("export-proto", {
@@ -483,6 +491,12 @@ const args = _yargs
       "filename",
     ],
   })
+  .option("component-type", {
+    description:
+      "CycloneDX component type(s) to include. Choices are validated against --spec-version.",
+    choices: defaultComponentTypeChoices,
+    type: "string",
+  })
   .option("tlp-classification", {
     description:
       "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with an artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.",
@@ -567,6 +581,29 @@ const args = _yargs
   .array("standard")
   .array("feature-flags")
   .array("technique")
+  .array("componentType")
+  .check((argv) => {
+    const requestedComponentTypes = normalizeCycloneDxComponentTypeFilter(
+      argv.componentType,
+    );
+    if (!requestedComponentTypes.length) {
+      return true;
+    }
+    const normalizedSpecVersion =
+      toCycloneDxSpecVersionString(argv.specVersion) || "1.7";
+    const supportedComponentTypes = getSupportedCycloneDxComponentTypes(
+      normalizedSpecVersion,
+    );
+    const unsupportedComponentTypes = requestedComponentTypes.filter(
+      (componentType) => !supportedComponentTypes.includes(componentType),
+    );
+    if (unsupportedComponentTypes.length) {
+      throw new Error(
+        `Unsupported --component-type value(s) for CycloneDX ${normalizedSpecVersion}: ${unsupportedComponentTypes.join(", ")}. Supported values: ${supportedComponentTypes.join(", ")}`,
+      );
+    }
+    return true;
+  })
   .option("auto-compositions", {
     type: "boolean",
     default: true,
@@ -740,6 +777,12 @@ if (!options.projectType) {
 // Handle dedicated cbom and saasbom commands
 if (["cbom", "saasbom"].includes(invokedCommandName)) {
   if (invokedCommandName.includes("cbom")) {
+    if (normalizeCycloneDxComponentTypeFilter(options.componentType).length) {
+      console.error(
+        "The cbom command does not support --component-type. Use cdxgen with --include-crypto when you need component-type filtering.",
+      );
+      process.exit(1);
+    }
     thoughtLog(
       "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
     );
@@ -1676,7 +1719,10 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         reachablesSlicesFile: options.reachablesSlicesFile,
         semanticsSlicesFile: options.semanticsSlicesFile,
         openapiSpecFile: options.openapiSpecFile,
-        includeCrypto: options.includeCrypto,
+        componentType: options.componentType,
+        includeCrypto:
+          options.includeCrypto &&
+          isCycloneDxComponentTypeEnabled("cryptographic-asset", options),
         specVersion: options.specVersion,
         profile: options.profile,
         jsonPretty: options.jsonPretty,

package/bin/evinse.js

@@ -113,6 +113,13 @@ const args = yargs(hideBin(process.argv))
     default: false,
     type: "boolean",
   })
+  .option("exclude", {
+    alias: "exclude-regex",
+    description:
+      "Additional glob pattern(s) to ignore during Atom evidence generation.",
+    nargs: 1,
+    type: "array",
+  })
   .option("usages-slices-file", {
     description: "Use an existing usages slices file.",
     default: "usages.slices.json",

package/lib/audit/index.js

@@ -1597,6 +1597,131 @@ function buildChildOptions(options, target) {
   };
 }
 
+function normalizeFindingFile(filePath) {
+  return String(filePath)
+    .replace(/\\/g, "/")
+    .replace(/\/+/g, "/")
+    .replace(/^\.\//, "");
+}
+
+function sourceFindingKey(finding) {
+  if (!finding?.ruleId || !finding?.location?.file) {
+    return undefined;
+  }
+  return `${finding.ruleId}|${normalizeFindingFile(finding.location.file)}`;
+}
+
+/**
+ * Recheck high/critical findings against the default branch to identify issues
+ * that have already been fixed upstream. This reduces false positives caused by
+ * scanning a version-specific tag where an issue existed but has since been
+ * resolved in the project's main development line.
+ *
+ * @param {object[]} findings findings from version-specific scan
+ * @param {object} target audit target
+ * @param {object} resolution repository resolution metadata
+ * @param {string[]} categories active audit categories
+ * @param {object} options CLI options
+ * @returns {Promise<{findings: object[], fixedInDefaultBranch: number}|undefined>}
+ */
+async function recheckFindingsAgainstDefaultBranch(
+  findings,
+  target,
+  resolution,
+  categories,
+  options,
+) {
+  let defaultBranchDir;
+  try {
+    defaultBranchDir = safeMkdtempSync(
+      join(getTmpDir(), `${targetSlug(target)}-default-`),
+    );
+    await cloneRepositoryToDirWithRetry(
+      resolution.repoUrl,
+      defaultBranchDir,
+      undefined,
+    );
+    const defaultSourceSelection = resolveTargetSourceDirectory(
+      defaultBranchDir,
+      target,
+      resolution,
+    );
+    const childOptions = buildChildOptions(options, target);
+    const bomNSData =
+      (await createBom(defaultSourceSelection.scanDir, childOptions)) || {};
+    if (!bomNSData?.bomJson) {
+      return undefined;
+    }
+    const processedBomNSData = postProcess(
+      bomNSData,
+      childOptions,
+      defaultSourceSelection.scanDir,
+    );
+    const defaultBranchFindings = await auditBom(processedBomNSData.bomJson, {
+      bomAuditCategories: categories.join(","),
+      bomAuditMinSeverity: options.minSeverity || "low",
+      bomAuditRulesDir: options.rulesDir,
+    });
+    const defaultBranchSourceFindings = defaultBranchFindings.concat(
+      buildPythonSourceHeuristicFindings(
+        defaultSourceSelection.scanDir,
+        target,
+      ),
+    );
+    // Build a set of finding signatures present in the default branch
+    const defaultBranchFindingKeys = new Set();
+    for (const finding of defaultBranchSourceFindings) {
+      const key = sourceFindingKey(finding);
+      if (key) {
+        defaultBranchFindingKeys.add(key);
+      }
+    }
+    // Retain findings that are still present in the default branch or are
+    // contextual/heuristic findings (not from rule evaluation against source).
+    // Source-derived findings have a location.file pointing to a repo file,
+    // while contextual findings reference purls or bomRefs only.
+    const retainedFindings = [];
+    let fixedCount = 0;
+    for (const finding of findings) {
+      const isSourceDerivedFinding = Boolean(finding?.location?.file);
+      if (!isSourceDerivedFinding) {
+        // Contextual/heuristic findings are not source-dependent
+        retainedFindings.push(finding);
+        continue;
+      }
+      if (defaultBranchFindingKeys.has(sourceFindingKey(finding))) {
+        retainedFindings.push(finding);
+      } else {
+        fixedCount += 1;
+        thoughtLog("Finding fixed in default branch, removing.", {
+          ruleId: finding.ruleId,
+          file: finding?.location?.file,
+          purl: target.purl,
+        });
+      }
+    }
+    if (fixedCount === 0) {
+      return undefined;
+    }
+    return {
+      findings: retainedFindings,
+      fixedInDefaultBranch: fixedCount,
+    };
+  } catch (error) {
+    const errorMessage = error?.message ?? String(error);
+    thoughtLog("Default branch recheck failed, keeping original findings.", {
+      error: errorMessage,
+      errorType: error?.errorType,
+      purl: target.purl,
+    });
+    return undefined;
+  } finally {
+    if (defaultBranchDir) {
+      cleanupSourceDir(defaultBranchDir);
+    }
+  }
+}
+
 /**
  * Analyze a single purl target by generating a child SBOM and auditing it.
  *
@@ -1756,17 +1881,55 @@ export async function auditTarget(target, options) {
       sourceSelection.scanDir,
       target,
     );
-    const predictiveFindings = findings.concat(
+    let predictiveFindings = findings.concat(
       contextualFindings,
       pythonSourceFindings,
     );
-    const assessment = scoreTargetRisk(predictiveFindings, target, {
+    let assessment = scoreTargetRisk(predictiveFindings, target, {
       bomJson: processedBomJson,
       repoReused: Boolean(checkout?.reused || cacheHit),
       resolution,
       sourceDirectoryConfidence: sourceSelection.confidence,
       versionMatched,
     });
+    // When we scanned a version-specific ref and the severity is high or
+    // critical, recheck against the default branch to reduce false positives
+    // from issues already fixed upstream.
+    if (
+      versionMatched &&
+      !options.skipDefaultBranchRecheck &&
+      severityMeetsThreshold(assessment.severity, "high") &&
+      resolution?.repoUrl
+    ) {
+      emitProgress(options, {
+        index: targetIndex,
+        label: targetLabel,
+        target,
+        total: targetTotal,
+        type: "target:stage",
+        stage: "rechecking findings against default branch",
+      });
+      const recheckResult = await recheckFindingsAgainstDefaultBranch(
+        predictiveFindings,
+        target,
+        resolution,
+        categories,
+        options,
+      );
+      if (recheckResult) {
+        predictiveFindings = recheckResult.findings;
+        assessment = scoreTargetRisk(predictiveFindings, target, {
+          bomJson: processedBomJson,
+          repoReused: Boolean(checkout?.reused || cacheHit),
+          resolution,
+          sourceDirectoryConfidence: sourceSelection.confidence,
+          versionMatched,
+        });
+        assessment.defaultBranchRechecked = true;
+        assessment.findingsFixedInDefaultBranch =
+          recheckResult.fixedInDefaultBranch;
+      }
+    }
     return persistAuditArtifacts(
       {
         assessment,