@cyclonedx/cdxgen 12.4.2 → 12.4.4

package/lib/helpers/bomUtils.poku.js

@@ -5,10 +5,13 @@ import {
   getCycloneDxFormat,
   getCycloneDxRootFormatKey,
   getNonCycloneDxErrorMessage,
+  getSupportedCycloneDxComponentTypes,
   isCycloneDx20SpecVersion,
   isCycloneDxBom,
+  isCycloneDxComponentTypeEnabled,
   isCycloneDxSpecVersionAtLeast,
   isSpdxJsonLd,
+  normalizeCycloneDxComponentTypeFilter,
   normalizeCycloneDxSpecVersion,
   setCycloneDxFormat,
   toCycloneDxSpecVersionString,
@@ -81,6 +84,48 @@ describe("bomUtils", () => {
     assert.strictEqual(isCycloneDxSpecVersionAtLeast(undefined, 1.7), false);
   });
 
+  it("reports supported component types by CycloneDX spec version", () => {
+    assert.strictEqual(
+      getSupportedCycloneDxComponentTypes(1.5).includes("cryptographic-asset"),
+      false,
+    );
+    assert.strictEqual(
+      getSupportedCycloneDxComponentTypes(1.6).includes("cryptographic-asset"),
+      true,
+    );
+    assert.strictEqual(
+      getSupportedCycloneDxComponentTypes(1.7).includes("data"),
+      true,
+    );
+  });
+
+  it("normalizes and applies requested CycloneDX component type filters", () => {
+    assert.deepStrictEqual(
+      normalizeCycloneDxComponentTypeFilter(["library", "", "library"]),
+      ["library"],
+    );
+    assert.strictEqual(
+      isCycloneDxComponentTypeEnabled("cryptographic-asset", {
+        specVersion: 1.5,
+      }),
+      false,
+    );
+    assert.strictEqual(
+      isCycloneDxComponentTypeEnabled("cryptographic-asset", {
+        componentType: ["library"],
+        specVersion: 1.7,
+      }),
+      false,
+    );
+    assert.strictEqual(
+      isCycloneDxComponentTypeEnabled("library", {
+        componentType: ["library"],
+        specVersion: 1.5,
+      }),
+      true,
+    );
+  });
+
   it("selects and writes the correct CycloneDX root format key", () => {
     assert.strictEqual(getCycloneDxRootFormatKey("1.7"), "bomFormat");
     assert.strictEqual(getCycloneDxRootFormatKey("2.0"), "specFormat");

package/lib/helpers/depsUtils.js

@@ -82,6 +82,102 @@ export function mergeDependencies(
   return retlist;
 }
 
+const NPM_NON_RUNTIME_SCOPE_PROPERTIES = new Set([
+  "cdx:npm:package:development",
+  "cdx:npm:package:optional",
+  "cdx:npm:package:peer",
+]);
+
+function hasNonRuntimeNpmScope(component) {
+  return (component?.properties || []).some(
+    (property) =>
+      NPM_NON_RUNTIME_SCOPE_PROPERTIES.has(property.name) &&
+      property.value === "true",
+  );
+}
+
+function normalizeBomRef(ref) {
+  const refString = String(ref || "");
+  try {
+    return decodeURIComponent(refString).toLowerCase();
+  } catch {
+    return refString.toLowerCase();
+  }
+}
+
+/**
+ * Propagates required scope through a dependency graph.
+ *
+ * If component A has `scope: "required"` and dependency metadata says A depends
+ * on B, B is also runtime-relevant. Keep packages optional when lockfile/parser
+ * metadata explicitly identifies them as development, optional, or peer-only.
+ *
+ * @param {Object[]} components CycloneDX component objects
+ * @param {Object[]} dependencies CycloneDX dependency entries
+ * @returns {Object[]} The same component array with scopes updated in place
+ */
+export function propagateRequiredScopeFromDependencies(
+  components = [],
+  dependencies = [],
+) {
+  if (!components?.length || !dependencies?.length) {
+    return components;
+  }
+  const componentByRef = new Map();
+  for (const component of components) {
+    for (const ref of [component?.["bom-ref"], component?.purl]) {
+      if (ref) {
+        componentByRef.set(normalizeBomRef(ref), component);
+      }
+    }
+  }
+  if (!componentByRef.size) {
+    return components;
+  }
+  const dependencyMap = new Map();
+  for (const dependency of dependencies || []) {
+    const ref = normalizeBomRef(dependency?.ref);
+    if (!ref) {
+      continue;
+    }
+    const dependsOn = (dependency.dependsOn || [])
+      .map((depRef) => normalizeBomRef(depRef))
+      .filter(Boolean);
+    dependencyMap.set(
+      ref,
+      Array.from(new Set([...(dependencyMap.get(ref) || []), ...dependsOn])),
+    );
+  }
+  const requiredStack = [];
+  const visited = new Set();
+  for (const component of components) {
+    if (component?.scope === "required") {
+      const ref = normalizeBomRef(component["bom-ref"] || component.purl);
+      if (ref) {
+        requiredStack.push(ref);
+      }
+    }
+  }
+  while (requiredStack.length) {
+    const requiredRef = requiredStack.pop();
+    if (visited.has(requiredRef)) {
+      continue;
+    }
+    visited.add(requiredRef);
+    for (const childRef of dependencyMap.get(requiredRef) || []) {
+      const childComponent = componentByRef.get(childRef);
+      if (!childComponent || hasNonRuntimeNpmScope(childComponent)) {
+        continue;
+      }
+      if (childComponent.scope !== "required") {
+        childComponent.scope = "required";
+      }
+      requiredStack.push(childRef);
+    }
+  }
+  return components;
+}
+
 function serviceIdentityKey(service) {
   if (service?.["bom-ref"]) {
     return service["bom-ref"].toLowerCase();
@@ -330,3 +426,53 @@ export function trimComponents(components) {
   }
   return filteredComponents;
 }
+
+/**
+ * Filter out invalid cryptographic-asset components from a component list.
+ * Removes algorithm components without a valid cryptoProperties.oid and
+ * certificate components without cryptoProperties.algorithmProperties.
+ *
+ * @param {Object[] | undefined | null} components Array of CycloneDX components
+ * @returns {Object[]} Filtered array with invalid crypto components removed
+ */
+export function filterInvalidCryptoComponents(components) {
+  if (!components?.length) {
+    return [];
+  }
+  return components.filter((comp) => {
+    if (comp.type !== "cryptographic-asset") {
+      return true;
+    }
+    if (!comp.cryptoProperties) {
+      if (DEBUG_MODE) {
+        console.log(
+          `Removing cryptographic-asset '${comp.name}' without cryptoProperties`,
+        );
+      }
+      return false;
+    }
+    if (
+      comp.cryptoProperties.assetType === "algorithm" &&
+      !comp.cryptoProperties.oid
+    ) {
+      if (DEBUG_MODE) {
+        console.log(
+          `Removing cryptographic-asset algorithm '${comp.name}' without OID`,
+        );
+      }
+      return false;
+    }
+    if (
+      comp.cryptoProperties.assetType === "certificate" &&
+      !comp.cryptoProperties.algorithmProperties
+    ) {
+      if (DEBUG_MODE) {
+        console.log(
+          `Removing cryptographic-asset certificate '${comp.name}' without algorithmProperties`,
+        );
+      }
+      return false;
+    }
+    return true;
+  });
+}

package/lib/helpers/depsUtils.poku.js

@@ -1,8 +1,10 @@
 import { assert, describe, it } from "poku";
 
 import {
+  filterInvalidCryptoComponents,
   mergeDependencies,
   mergeServices,
+  propagateRequiredScopeFromDependencies,
   trimComponents,
 } from "./depsUtils.js";
 
@@ -153,6 +155,105 @@ describe("mergeDependencies()", () => {
   });
 });
 
+describe("propagateRequiredScopeFromDependencies()", () => {
+  it("marks transitive dependencies of required components as required", () => {
+    const components = [
+      {
+        name: "app-lib",
+        "bom-ref": "pkg:npm/app-lib@1.0.0",
+        scope: "required",
+      },
+      {
+        name: "runtime-a",
+        "bom-ref": "pkg:npm/runtime-a@1.0.0",
+        scope: "optional",
+      },
+      {
+        name: "runtime-b",
+        "bom-ref": "pkg:npm/runtime-b@1.0.0",
+        scope: "optional",
+      },
+    ];
+    const dependencies = [
+      { ref: "pkg:npm/app-lib@1.0.0", dependsOn: ["pkg:npm/runtime-a@1.0.0"] },
+      {
+        ref: "pkg:npm/runtime-a@1.0.0",
+        dependsOn: ["pkg:npm/runtime-b@1.0.0"],
+      },
+    ];
+
+    propagateRequiredScopeFromDependencies(components, dependencies);
+
+    assert.strictEqual(components[1].scope, "required");
+    assert.strictEqual(components[2].scope, "required");
+  });
+
+  it("preserves known development, optional, and peer-only packages", () => {
+    const components = [
+      {
+        name: "app-lib",
+        "bom-ref": "pkg:npm/app-lib@1.0.0",
+        scope: "required",
+      },
+      {
+        name: "dev-tool",
+        "bom-ref": "pkg:npm/dev-tool@1.0.0",
+        scope: "optional",
+        properties: [{ name: "cdx:npm:package:development", value: "true" }],
+      },
+      {
+        name: "optional-runtime",
+        "bom-ref": "pkg:npm/optional-runtime@1.0.0",
+        scope: "optional",
+        properties: [{ name: "cdx:npm:package:optional", value: "true" }],
+      },
+      {
+        name: "peer-runtime",
+        "bom-ref": "pkg:npm/peer-runtime@1.0.0",
+        scope: "optional",
+        properties: [{ name: "cdx:npm:package:peer", value: "true" }],
+      },
+    ];
+    const dependencies = [
+      {
+        ref: "pkg:npm/app-lib@1.0.0",
+        dependsOn: [
+          "pkg:npm/dev-tool@1.0.0",
+          "pkg:npm/optional-runtime@1.0.0",
+          "pkg:npm/peer-runtime@1.0.0",
+        ],
+      },
+    ];
+
+    propagateRequiredScopeFromDependencies(components, dependencies);
+
+    assert.strictEqual(components[1].scope, "optional");
+    assert.strictEqual(components[2].scope, "optional");
+    assert.strictEqual(components[3].scope, "optional");
+  });
+
+  it("handles decoded and encoded bom-ref variants", () => {
+    const components = [
+      {
+        name: "scoped",
+        "bom-ref": "pkg:npm/@scope/scoped@1.0.0",
+        scope: "required",
+      },
+      { name: "child", purl: "pkg:npm/@scope/child@1.0.0", scope: "optional" },
+    ];
+    const dependencies = [
+      {
+        ref: "pkg:npm/%40scope/scoped@1.0.0",
+        dependsOn: ["pkg:npm/%40scope/child@1.0.0"],
+      },
+    ];
+
+    propagateRequiredScopeFromDependencies(components, dependencies);
+
+    assert.strictEqual(components[1].scope, "required");
+  });
+});
+
 describe("trimComponents()", () => {
   it("retains hashes from duplicate components", () => {
     const components = [
@@ -331,3 +432,85 @@ describe("mergeServices()", () => {
     assert.deepStrictEqual(result[0].endpoints, ["/mcp", "/health"]);
   });
 });
+
+describe("filterInvalidCryptoComponents()", () => {
+  it("removes algorithm components without OID", () => {
+    const components = [
+      {
+        name: "sha-256",
+        type: "cryptographic-asset",
+        cryptoProperties: {
+          assetType: "algorithm",
+          oid: "2.16.840.1.101.3.4.2.1",
+        },
+      },
+      {
+        name: "unknown-algo",
+        type: "cryptographic-asset",
+        cryptoProperties: { assetType: "algorithm" },
+      },
+      { name: "express", type: "library", purl: "pkg:npm/express@4.18.0" },
+    ];
+    const result = filterInvalidCryptoComponents(components);
+    assert.strictEqual(result.length, 2);
+    assert.strictEqual(result[0].name, "sha-256");
+    assert.strictEqual(result[1].name, "express");
+  });
+
+  it("removes crypto components without cryptoProperties", () => {
+    const components = [
+      { name: "bad-cert", type: "cryptographic-asset" },
+      {
+        name: "good-cert",
+        type: "cryptographic-asset",
+        cryptoProperties: {
+          assetType: "certificate",
+          algorithmProperties: {
+            executionEnvironment: "unknown",
+            implementationPlatform: "unknown",
+          },
+        },
+      },
+    ];
+    const result = filterInvalidCryptoComponents(components);
+    assert.strictEqual(result.length, 1);
+    assert.strictEqual(result[0].name, "good-cert");
+  });
+
+  it("removes certificate components without algorithmProperties", () => {
+    const components = [
+      {
+        name: "bad-cert",
+        type: "cryptographic-asset",
+        cryptoProperties: { assetType: "certificate" },
+      },
+    ];
+    const result = filterInvalidCryptoComponents(components);
+    assert.strictEqual(result.length, 0);
+  });
+
+  it("preserves related-crypto-material components", () => {
+    const components = [
+      {
+        name: "gpg-key",
+        type: "cryptographic-asset",
+        cryptoProperties: {
+          assetType: "related-crypto-material",
+          relatedCryptoMaterialProperties: {
+            type: "public-key",
+            id: "abc",
+            state: "active",
+          },
+        },
+      },
+    ];
+    const result = filterInvalidCryptoComponents(components);
+    assert.strictEqual(result.length, 1);
+  });
+
+  it("returns an empty array for empty/falsy input", () => {
+    assert.strictEqual(filterInvalidCryptoComponents([]).length, 0);
+    assert.deepStrictEqual(filterInvalidCryptoComponents(undefined), []);
+    assert.deepStrictEqual(filterInvalidCryptoComponents(null), []);
+  });
+});

package/lib/helpers/display.js

@@ -42,6 +42,7 @@ const MULTIVALUE_ACTIVITY_TARGET_KEYS = new Set([
   "SrcFiles",
 ]);
 const PATH_SEPARATOR_REGEX = /[\\/]+/;
+const SUSPICIOUS_SHELL_PATH_LABEL = "⚠ shell-metacharacters";
 const ENV_AUDIT_SEVERITY_RANK = {
   low: 1,
   medium: 2,
@@ -1220,16 +1221,21 @@ export function printActivitySummary(reportType = undefined) {
     }
     return;
   }
-  const formatActivityTarget = (target) => {
+  const formatActivityTarget = (activity) => {
+    const target = activity?.target;
+    const suspiciousPrefix =
+      activity?.risk === "shell-metacharacters"
+        ? `${SUSPICIOUS_SHELL_PATH_LABEL}\n`
+        : "";
     if (typeof target !== "string" || !target.includes(",")) {
-      return target || "";
+      return `${suspiciousPrefix}${target || ""}`;
     }
     const targetEntries = splitCommaSeparatedActivityEntries(target);
     if (isLikelyActivityPathList(targetEntries)) {
-      return sortActivityTargetEntries(targetEntries).join("\n");
+      return `${suspiciousPrefix}${sortActivityTargetEntries(targetEntries).join("\n")}`;
     }
     if (!(target.includes(":") || target.includes("="))) {
-      return target || "";
+      return `${suspiciousPrefix}${target || ""}`;
     }
     const targetSegments = target.split(/,\s*(?=[A-Za-z][\w-]*\s*[:=])/);
     let didFormat = false;
@@ -1249,7 +1255,7 @@ export function printActivitySummary(reportType = undefined) {
         .map((entry) => `- ${entry}`)
         .join("\n")}`;
     });
-    return didFormat ? renderedSegments.join("\n") : target;
+    return `${suspiciousPrefix}${didFormat ? renderedSegments.join("\n") : target}`;
   };
   const formatActivityType = (type) => {
     if (typeof type !== "string" || !type.includes(",")) {
@@ -1275,7 +1281,7 @@ export function printActivitySummary(reportType = undefined) {
       formatActivityType(activity.projectType),
       activity.packageType || "",
       activity.kind || "",
-      formatActivityTarget(activity.target),
+      formatActivityTarget(activity),
       activity.reason
         ? `${formatStatus(activity.status)}\n${activity.reason}`.trim()
         : formatStatus(activity.status),

package/lib/helpers/display.poku.js

@@ -481,6 +481,44 @@ it("renders plain comma-separated activity paths one per line sorted by depth",
   }
 });
 
+it("highlights suspicious shell-metacharacter paths in the activity summary", async () => {
+  const tableStub = sinon.stub().returns("activity-table");
+  const shellIfs = "$" + "{IFS}";
+  try {
+    const { printActivitySummary: printActivitySummaryMocked } = await esmock(
+      "./display.js",
+      {
+        "./table.js": {
+          createStream: sinon.stub(),
+          table: tableStub,
+        },
+        "./utils.js": {
+          getRecordedActivities: sinon.stub().returns([
+            {
+              identifier: "ACT-0005",
+              kind: "inspect",
+              reason: "Suspicious path contains shell metacharacters.",
+              risk: "shell-metacharacters",
+              status: "completed",
+              target: `/tmp/repo/evil;cd${shellIfs}..;printf${shellIfs}marker>CDXGEN_GITURL_E2E_MARKER;#/pom.xml`,
+            },
+          ]),
+          isDryRun: true,
+          isSecureMode: false,
+          safeExistsSync: sinon.stub(),
+          toCamel: sinon.stub(),
+        },
+      },
+    );
+    printActivitySummaryMocked();
+    const [data] = tableStub.firstCall.args;
+    assert.ok(data[1][4].startsWith("⚠ shell-metacharacters\n"));
+    assert.ok(data[1][4].includes(`evil;cd${shellIfs}..`));
+  } finally {
+    sinon.restore();
+  }
+});
+
 it("prints grouped environment audit findings in a secure-mode panel", async () => {
   const tableStub = sinon.stub().returns("env-audit-table");
   try {