@cyclonedx/cdxgen 12.4.2 → 12.4.4

package/lib/helpers/utils.poku.js

@@ -106,7 +106,9 @@ import {
   parseLeinDep,
   parseLeiningenData,
   parseMakeDFile,
+  parseMavenArgs,
   parseMavenTree,
+  parseMavenTreeJson,
   parseMillDependency,
   parseMinJs,
   parseMixLockData,
@@ -339,6 +341,32 @@ it("safeSpawnSync() does not classify non-probe -v commands as version checks",
   }
 });
 
+it("safeSpawnSync() blocks shell metacharacters with shell execution", () => {
+  const markerFile = path.join(tmpdir(), "cdxgen-safe-spawn-shell-marker");
+  const originalConsoleWarn = console.warn;
+  const warnings = [];
+  rmSync(markerFile, { force: true });
+  resetRecordedActivities();
+  console.warn = (message) => {
+    warnings.push(message);
+  };
+
+  try {
+    const result = safeSpawnSync("printf", ["blocked", ">", markerFile], {
+      shell: true,
+    });
+    assert.strictEqual(result.status, 1);
+    assert.ok(result.error);
+    assert.match(result.error.message, /shell metacharacters/);
+    assert.strictEqual(existsSync(markerFile), false);
+    assert.ok(warnings.some((warning) => /Security Alert/.test(warning)));
+  } finally {
+    console.warn = originalConsoleWarn;
+    resetRecordedActivities();
+    rmSync(markerFile, { force: true });
+  }
+});
+
 it("safeSpawnSync() reads CDXGEN_ALLOWED_COMMANDS once per invocation", () => {
   const originalAllowedCommands = process.env.CDXGEN_ALLOWED_COMMANDS;
   process.env.CDXGEN_ALLOWED_COMMANDS = "echo-cdxgen-test";
@@ -598,6 +626,37 @@ it("records recursive file discovery activity in dry-run mode", () => {
   }
 });
 
+it("records suspicious discovered paths with shell metacharacters in dry-run mode", () => {
+  const tmpRoot = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-dry-run-shell-path-"),
+  );
+  const shellIfs = "$" + "{IFS}";
+  const maliciousDirName =
+    platform() === "win32"
+      ? "evil&echo%CDXGEN_GITURL_E2E_MARKER%&rem"
+      : `evil;cd${shellIfs}..;printf${shellIfs}marker>CDXGEN_GITURL_E2E_MARKER;#`;
+  const maliciousDir = path.join(tmpRoot, maliciousDirName);
+  const pomFile = path.join(maliciousDir, "pom.xml");
+  mkdirSync(maliciousDir, { recursive: true });
+  writeFileSync(pomFile, "<project />");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    assert.deepStrictEqual(getAllFiles(tmpRoot, "**/pom.xml"), [pomFile]);
+    const suspiciousActivity = getRecordedActivities().find(
+      (activity) => activity.classification === "suspicious-path",
+    );
+    assert.ok(suspiciousActivity);
+    assert.strictEqual(suspiciousActivity.risk, "shell-metacharacters");
+    assert.strictEqual(suspiciousActivity.target, pomFile);
+    assert.match(suspiciousActivity.reason, /shell metacharacters/);
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
+
 it("records updated discovery activity when a repeated glob match count changes", () => {
   const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-glob-"));
   const packageJsonFile = path.join(tmpRoot, "package.json");
@@ -1508,7 +1567,7 @@ it("parse maven tree", () => {
     name: "com.ibm.icu",
     version: "67.1.0.v20200706-1749",
     qualifiers: { type: "eclipse-plugin" },
-    scope: undefined,
+    scope: "excluded",
     properties: [],
   });
   assert.deepStrictEqual(parsedList.dependenciesList.length, 79);
@@ -1550,12 +1609,12 @@ it("parse maven tree", () => {
       encoding: "utf-8",
     }),
   );
-  assert.deepStrictEqual(parsedList.pkgList.length, 90);
+  assert.deepStrictEqual(parsedList.pkgList.length, 102);
   assert.deepStrictEqual(
     parsedList.parentComponent["bom-ref"],
     "pkg:maven/org.apache.dubbo/dubbo-spring-boot-starter@3.3.0?type=jar",
   );
-  assert.deepStrictEqual(parsedList.dependenciesList.length, 90);
+  assert.deepStrictEqual(parsedList.dependenciesList.length, 102);
   assert.deepStrictEqual(parsedList.dependenciesList[0], {
     ref: "pkg:maven/org.apache.dubbo/dubbo-spring-boot-starter@3.3.0?type=jar",
     dependsOn: [
@@ -1571,11 +1630,109 @@ it("parse maven tree", () => {
       "pkg:maven/org.junit.vintage/junit-vintage-engine@5.8.2?type=jar",
       "pkg:maven/org.mockito/mockito-core@4.11.0?type=jar",
       "pkg:maven/org.mockito/mockito-inline@4.11.0?type=jar",
-      "pkg:maven/org.yaml/snakeyaml@1.30?type=jar",
+      "pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18?type=jar",
     ],
   });
 });
 
+it("parse maven tree optional and repeated dependency edges", () => {
+  const parsedOptional = parseMavenTree(`example:optional-sample:jar:1.0.0
+\\- org.apache.maven:maven-artifact:jar:3.9.9:compile (optional)
+   \\- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile (optional)
+`);
+  assert.strictEqual(parsedOptional.pkgList.length, 3);
+  assert.strictEqual(parsedOptional.pkgList[1].scope, "optional");
+  assert.deepStrictEqual(parsedOptional.pkgList[1].properties, []);
+  assert.deepStrictEqual(parsedOptional.dependenciesList[0], {
+    ref: "pkg:maven/example/optional-sample@1.0.0?type=jar",
+    dependsOn: ["pkg:maven/org.apache.maven/maven-artifact@3.9.9?type=jar"],
+  });
+  const parsedDuplicate = parseMavenTree(`example:dup-root:jar:1.0.0
++- g:a:jar:1:compile
+|  \\- g:c:jar:1:compile
+\\- g:b:jar:1:compile
+   \\- g:c:jar:1:compile
+`);
+  const bDependency = parsedDuplicate.dependenciesList.find(
+    (dep) => dep.ref === "pkg:maven/g/b@1?type=jar",
+  );
+  assert.deepStrictEqual(bDependency.dependsOn, ["pkg:maven/g/c@1?type=jar"]);
+});
+
+it("parse maven tree json", () => {
+  const parsedList = parseMavenTreeJson(
+    JSON.stringify({
+      groupId: "example",
+      artifactId: "json-root",
+      version: "1.0.0",
+      type: "jar",
+      scope: "",
+      classifier: "",
+      optional: "false",
+      children: [
+        {
+          groupId: "org.apache.maven",
+          artifactId: "maven-artifact",
+          version: "3.9.9",
+          type: "jar",
+          scope: "compile",
+          classifier: "",
+          optional: "true",
+          children: [
+            {
+              groupId: "org.codehaus.plexus",
+              artifactId: "plexus-utils",
+              version: "3.5.1",
+              type: "jar",
+              scope: "compile",
+              classifier: "",
+              optional: "true",
+            },
+          ],
+        },
+      ],
+    }),
+  );
+  assert.strictEqual(parsedList.pkgList.length, 3);
+  assert.strictEqual(parsedList.pkgList[1].scope, "optional");
+  assert.deepStrictEqual(parsedList.dependenciesList[0], {
+    ref: "pkg:maven/example/json-root@1.0.0?type=jar",
+    dependsOn: ["pkg:maven/org.apache.maven/maven-artifact@3.9.9?type=jar"],
+  });
+  assert.deepStrictEqual(parsedList.dependenciesList[1], {
+    ref: "pkg:maven/org.apache.maven/maven-artifact@3.9.9?type=jar",
+    dependsOn: ["pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1?type=jar"],
+  });
+  assert.deepStrictEqual(parseMavenTreeJson("{not-json"), {});
+  assert.deepStrictEqual(parseMavenTree("{not-json"), {});
+});
+
+it("parse maven args", () => {
+  assert.deepStrictEqual(
+    parseMavenArgs(
+      '--settings "/tmp/path with spaces/settings.xml" -P dev,test -DskipTests',
+    ),
+    [
+      "--settings",
+      "/tmp/path with spaces/settings.xml",
+      "-P",
+      "dev,test",
+      "-DskipTests",
+    ],
+  );
+  assert.deepStrictEqual(
+    parseMavenArgs(String.raw`-s C:\Users\me\settings.xml -Dpath=C:\repo\demo`),
+    [
+      "-s",
+      String.raw`C:\Users\me\settings.xml`,
+      String.raw`-Dpath=C:\repo\demo`,
+    ],
+  );
+  assert.deepStrictEqual(parseMavenArgs(String.raw`-Dname=hello\ world`), [
+    "-Dname=hello world",
+  ]);
+});
+
 // Slow test
 /*
 it("get maven metadata", async () => {
@@ -5147,6 +5304,41 @@ it("parsePomFile", () => {
   assert.deepStrictEqual(data.isQuarkus, false);
 });
 
+it("parsePomFile maven 4 model", () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-maven4-pom-"));
+  const pomFile = path.join(tempDir, "pom.xml");
+  writeFileSync(
+    pomFile,
+    `<project xmlns="http://maven.apache.org/POM/4.1.0" root="true" preserve.model.version="true">
+  <modelVersion>4.1.0</modelVersion>
+  <groupId>example</groupId>
+  <artifactId>maven4-root</artifactId>
+  <version>1.0.0</version>
+  <packaging>pom</packaging>
+  <subprojects><subproject>app</subproject></subprojects>
+  <dependencies>
+    <dependency>
+      <groupId>org.example</groupId>
+      <artifactId>demo</artifactId>
+      <version>1.2.3</version>
+      <type>test-jar</type>
+      <classifier>tests</classifier>
+      <optional>true</optional>
+    </dependency>
+  </dependencies>
+</project>`,
+  );
+  const data = parsePom(pomFile);
+  assert.deepStrictEqual(data.modules, ["app"]);
+  assert.strictEqual(data.properties.modelVersion, "4.1.0");
+  assert.strictEqual(data.properties.mavenRoot, "true");
+  assert.strictEqual(data.properties.preserveModelVersion, "true");
+  assert.strictEqual(data.dependencies[0].qualifiers.type, "test-jar");
+  assert.strictEqual(data.dependencies[0].qualifiers.classifier, "tests");
+  assert.strictEqual(data.dependencies[0].scope, "optional");
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
 it("parsePomMetadata", async () => {
   const deps = parsePom("./test/pom.xml");
   const data = await getMvnMetadata(deps.dependencies);
@@ -6111,6 +6303,73 @@ it("parsePnpmWorkspace", async () => {
   assert.deepStrictEqual(Object.keys(wobj.catalogs).length, 217);
 });
 
+it("parsePnpmWorkspace handles scalar package fixtures", async () => {
+  const projectDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pnpm-workspace-"));
+  try {
+    const workspaceFile = path.join(projectDir, "pnpm-workspace.yaml");
+    writeFileSync(workspaceFile, 'packages: "pkg"\n');
+
+    const wobj = parsePnpmWorkspace(workspaceFile);
+
+    assert.deepStrictEqual(wobj.packages, ["pkg"]);
+    assert.deepStrictEqual(wobj.packagePatterns, ["pkg"]);
+  } finally {
+    rmSync(projectDir, { recursive: true, force: true });
+  }
+});
+
+it("parsePnpmWorkspace preserves negated package patterns", async () => {
+  const projectDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pnpm-workspace-"));
+  try {
+    const workspaceFile = path.join(projectDir, "pnpm-workspace.yaml");
+    writeFileSync(workspaceFile, 'packages:\n  - "pkg"\n  - "!**/test/**"\n');
+
+    const wobj = parsePnpmWorkspace(workspaceFile);
+
+    assert.deepStrictEqual(wobj.packages, ["pkg"]);
+    assert.deepStrictEqual(wobj.packagePatterns, ["pkg"]);
+    assert.deepStrictEqual(wobj.excludePackages, ["**/test/**"]);
+  } finally {
+    rmSync(projectDir, { recursive: true, force: true });
+  }
+});
+
+it("parsePnpmLock relativizes pnpm evidence paths from project root", async () => {
+  const projectDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pnpm-lock-"));
+  try {
+    const nestedDir = path.join(projectDir, "packages", "app");
+    mkdirSync(nestedDir, { recursive: true });
+    const lockFile = path.join(nestedDir, "pnpm-lock.yaml");
+    writeFileSync(
+      lockFile,
+      readFileSync("./test/data/pnpm-lock6.yaml", "utf-8"),
+    );
+
+    const parsedList = await parsePnpmLock(
+      lockFile,
+      null,
+      [],
+      {},
+      {},
+      {},
+      {},
+      projectDir,
+    );
+    const firstPkg = parsedList.pkgList[0];
+
+    assert.strictEqual(
+      firstPkg.properties.find((p) => p.name === "SrcFile")?.value,
+      path.join("packages", "app", "pnpm-lock.yaml"),
+    );
+    assert.strictEqual(
+      firstPkg.evidence.identity.methods[0].value,
+      path.join("packages", "app", "pnpm-lock.yaml"),
+    );
+  } finally {
+    rmSync(projectDir, { recursive: true, force: true });
+  }
+});
+
 it("parsePnpmLock", async () => {
   let parsedList = await parsePnpmLock("./test/pnpm-lock.yaml");
   assert.deepStrictEqual(parsedList.pkgList.length, 1706);
@@ -6599,6 +6858,55 @@ it("pnpmMetadata with scoped packages", async () => {
   assert.deepStrictEqual(babelPkg.name, "@babel/core");
 });
 
+it("pnpmMetadata enriches split scoped package metadata from pnpm virtual store", async () => {
+  const projectDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pnpm-scope-"));
+  try {
+    const scopedPackageDir = path.join(
+      projectDir,
+      "node_modules",
+      ".pnpm",
+      "@example+scoped-lib@1.2.3",
+      "node_modules",
+      "@example",
+      "scoped-lib",
+    );
+    mkdirSync(scopedPackageDir, { recursive: true });
+    writeFileSync(
+      path.join(scopedPackageDir, "package.json"),
+      JSON.stringify({
+        name: "@example/scoped-lib",
+        version: "1.2.3",
+        description: "Scoped pnpm metadata fixture",
+        license: "MIT",
+      }),
+    );
+
+    const result = await pnpmMetadata(
+      [
+        {
+          group: "@example",
+          name: "scoped-lib",
+          version: "1.2.3",
+          properties: [],
+        },
+      ],
+      path.join(projectDir, "pnpm-lock.yaml"),
+    );
+
+    assert.strictEqual(result[0].description, "Scoped pnpm metadata fixture");
+    assert.strictEqual(result[0].license, "MIT");
+    assert.ok(
+      result[0].properties.some(
+        (p) =>
+          p.name === "LocalNodeModulesPath" &&
+          p.value.includes("@example+scoped-lib@1.2.3"),
+      ),
+    );
+  } finally {
+    rmSync(projectDir, { recursive: true, force: true });
+  }
+});
+
 it("pnpmMetadata integration with parsePnpmLock", async () => {
   // Test that the integration works by parsing a real pnpm lock file
   const parsedList = await parsePnpmLock("./pnpm-lock.yaml");
@@ -7034,6 +7342,97 @@ it("parseYarnLock", async () => {
   });
 });
 
+it("parseYarnLock marks root dev, optional, peer and dependency-only closures", async () => {
+  const projectDir = mkdtempSync(path.join(tmpdir(), "cdxgen-yarn-scope-"));
+  try {
+    writeFileSync(
+      path.join(projectDir, "package.json"),
+      JSON.stringify({
+        dependencies: {
+          "runtime-a": "^1.0.0",
+        },
+        devDependencies: {
+          "dev-tool": "^1.0.0",
+        },
+        optionalDependencies: {
+          "optional-root": "^1.0.0",
+        },
+        peerDependencies: {
+          "peer-root": "^1.0.0",
+        },
+      }),
+    );
+    writeFileSync(
+      path.join(projectDir, "yarn.lock"),
+      [
+        "runtime-a@^1.0.0:",
+        '  version "1.0.0"',
+        "  dependencies:",
+        '    runtime-child "^1.0.0"',
+        "  optionalDependencies:",
+        '    optional-lock-child "^1.0.0"',
+        "",
+        "runtime-child@^1.0.0:",
+        '  version "1.0.0"',
+        "",
+        "optional-lock-child@^1.0.0:",
+        '  version "1.0.0"',
+        "",
+        "dev-tool@^1.0.0:",
+        '  version "1.0.0"',
+        "  dependencies:",
+        '    dev-child "^1.0.0"',
+        "",
+        "dev-child@^1.0.0:",
+        '  version "1.0.0"',
+        "",
+        "optional-root@^1.0.0:",
+        '  version "1.0.0"',
+        "  dependencies:",
+        '    optional-child "^1.0.0"',
+        "",
+        "optional-child@^1.0.0:",
+        '  version "1.0.0"',
+        "",
+        "peer-root@^1.0.0:",
+        '  version "1.0.0"',
+        "  dependencies:",
+        '    peer-child "^1.0.0"',
+        "",
+        "peer-child@^1.0.0:",
+        '  version "1.0.0"',
+        "",
+      ].join("\n"),
+    );
+
+    const parsedList = await parseYarnLock(path.join(projectDir, "yarn.lock"));
+    const byName = Object.fromEntries(
+      parsedList.pkgList.map((pkg) => [pkg.name, pkg]),
+    );
+    const hasProperty = (pkg, name) =>
+      pkg.properties?.some(
+        (property) => property.name === name && property.value === "true",
+      );
+
+    assert.equal(byName["runtime-a"].scope, undefined);
+    assert.equal(byName["runtime-child"].scope, undefined);
+    assert.equal(byName["dev-tool"].scope, "optional");
+    assert.equal(byName["dev-child"].scope, "optional");
+    assert.equal(byName["optional-root"].scope, "optional");
+    assert.equal(byName["optional-child"].scope, "optional");
+    assert.equal(byName["optional-lock-child"].scope, "optional");
+    assert.equal(byName["peer-root"].scope, "optional");
+    assert.equal(byName["peer-child"].scope, "optional");
+    assert.ok(hasProperty(byName["dev-child"], "cdx:npm:package:development"));
+    assert.ok(
+      hasProperty(byName["optional-child"], "cdx:npm:package:optional"),
+    );
+    assert.ok(hasProperty(byName["peer-child"], "cdx:npm:package:peer"));
+  } finally {
+    rmSync(projectDir, { recursive: true, force: true });
+  }
+});
+
 describe("yarn workspace functionality", () => {
   it("should parse yarn workspace lock file with workspace packages", async () => {
     const mockWorkspacePackages = [
@@ -10295,6 +10694,17 @@ it("jar manifest inference and pom properties parsing tests", () => {
     groupId: "org.apache.commons",
     version: "3.6.1",
   });
+  assert.deepStrictEqual(parsePomProperties("artifactId=demo\ncustom=a=b=c"), {
+    artifactId: "demo",
+    custom: "a=b=c",
+  });
+  assert.deepStrictEqual(
+    parsePomProperties("artifactId=demo\r\r\ncustom=a\r=b\r=c"),
+    {
+      artifactId: "demo",
+      custom: "a=b=c",
+    },
+  );
 });
 
 it("jar group suffix trimming tests", () => {

package/lib/managers/binary.js

@@ -11,6 +11,7 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
+import { isCycloneDxComponentTypeEnabled } from "../helpers/bomUtils.js";
 import { createContainerRiskProperties } from "../helpers/containerRisk.js";
 import { createGtfoBinsProperties } from "../helpers/gtfobins.js";
 import {
@@ -608,10 +609,11 @@ export function executeSourcekitten(args) {
  *
  * @param src {String} Source directory containing the extracted filesystem.
  * @param imageConfig {Object} Image configuration containing environment variables, command, entrypoints etc
+ * @param options CLI options controlling inventory generation
  *
  * @returns {Object} Metadata containing packages, dependencies, etc
  */
-export async function getOSPackages(src, imageConfig) {
+export async function getOSPackages(src, imageConfig, options = {}) {
   if (isDryRun) {
     recordActivity({
       kind: "container",
@@ -1101,7 +1103,10 @@ export async function getOSPackages(src, imageConfig) {
       }
     }
   }
-  const rootfsRepositoryInventory = await collectRootfsRepositoryInventory(src);
+  const rootfsRepositoryInventory = await collectRootfsRepositoryInventory(
+    src,
+    options,
+  );
   if (rootfsRepositoryInventory.components.length) {
     pkgList.push(...rootfsRepositoryInventory.components);
   }
@@ -1393,13 +1398,17 @@ function promoteTrivyOsPackageIdentity(component, trivyMetadata) {
   return fallbackProperties;
 }
 
-async function collectRootfsRepositoryInventory(basePath) {
-  let { components: trustedKeyComponents, refsByPath } =
-    await collectTrustedKeyComponents(basePath);
-  trustedKeyComponents = applyTrustMaterialEnhancements(
-    trustedKeyComponents,
-    collectTrustInspectorRootfsInventory(basePath),
-  );
+async function collectRootfsRepositoryInventory(basePath, options = {}) {
+  let trustedKeyComponents = [];
+  let refsByPath = new Map();
+  if (isCycloneDxComponentTypeEnabled("cryptographic-asset", options)) {
+    ({ components: trustedKeyComponents, refsByPath } =
+      await collectTrustedKeyComponents(basePath));
+    trustedKeyComponents = applyTrustMaterialEnhancements(
+      trustedKeyComponents,
+      collectTrustInspectorRootfsInventory(basePath),
+    );
+  }
   refsByPath = new Map(
     trustedKeyComponents
       .map((component) => {