@cyclonedx/cdxgen 12.4.3 → 12.4.4

package/lib/audit/index.poku.js

@@ -2058,3 +2058,465 @@ describe("auditTarget() cache resume", () => {
     }
   });
 });
+
+describe("auditTarget() default branch recheck", () => {
+  it("downgrades severity when findings are fixed in default branch", async () => {
+    const workspaceDir = mkdtempSync(
+      path.join(os.tmpdir(), "cdx-audit-recheck-"),
+    );
+    const target = {
+      bomRefs: ["pkg:pypi/typer@0.9.0"],
+      name: "typer",
+      purl: "pkg:pypi/typer@0.9.0",
+      properties: [],
+      type: "pypi",
+      version: "0.9.0",
+    };
+    const targetDir = path.join(workspaceDir, auditTargetSlug(target));
+    const cacheDir = path.join(targetDir, ".cdx-audit");
+    const cachedBom = {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      version: 1,
+      components: [],
+      formulation: [{ components: [] }],
+    };
+    writeJson(path.join(cacheDir, "source-bom.json"), cachedBom);
+    writeJson(path.join(cacheDir, "source-bom.meta.json"), {
+      repoUrl: "https://github.com/tiangolo/typer.git",
+      resolution: {
+        name: "typer",
+        repoUrl: "https://github.com/tiangolo/typer.git",
+        type: "pypi",
+        version: "0.9.0",
+      },
+      scanDirRelative: ".",
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    // First call returns critical findings; second call returns the same rule in
+    // a different default-branch file, which should not retain the fixed finding.
+    const auditBomStub = sinon.stub();
+    auditBomStub.onFirstCall().resolves([
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Workflow uses pull_request_target trigger",
+        ruleId: "CI-007",
+        severity: "critical",
+      },
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Checkout step pulls PR head inside pull_request_target",
+        ruleId: "CI-019",
+        severity: "critical",
+      },
+      {
+        category: "dependency-source",
+        location: { file: "requirements.txt" },
+        message: "Dependency pinned to mutable git reference",
+        ruleId: "DEP-001",
+        severity: "high",
+      },
+    ]);
+    auditBomStub.onSecondCall().resolves([
+      {
+        category: "ci-permission",
+        location: { file: ".github\\workflows\\release.yml" },
+        message: "Workflow uses pull_request_target trigger elsewhere",
+        ruleId: "CI-007",
+        severity: "high",
+      },
+    ]);
+
+    const cloneStub = sinon.stub();
+    const createBomStub = sinon.stub().resolves({ bomJson: cachedBom });
+    const { auditTarget } = await esmock("./index.js", {
+      "../cli/index.js": { createBom: createBomStub },
+      "../helpers/logger.js": { thoughtLog: sinon.stub() },
+      "../helpers/source.js": {
+        cleanupSourceDir: sinon.stub(),
+        findGitRefForPurlVersion: sinon.stub().returns("0.9.0"),
+        hardenedGitCommand: cloneStub.returns({ status: 0 }),
+        resolveGitUrlFromPurl: sinon.stub().resolves({
+          name: "typer",
+          repoUrl: "https://github.com/tiangolo/typer.git",
+          type: "pypi",
+          version: "0.9.0",
+        }),
+        resolvePurlSourceDirectory: sinon.stub().returns(undefined),
+        sanitizeRemoteUrlForLogs: (value) => value,
+      },
+      "../helpers/utils.js": {
+        dirNameStr: path.resolve("."),
+        getTmpDir: () => os.tmpdir(),
+        isDryRun: false,
+        safeExistsSync: (filePath) => existsSync(filePath),
+        safeMkdirSync: (filePath, options) => mkdirSync(filePath, options),
+        safeMkdtempSync: (prefix) => mkdtempSync(prefix),
+        safeRmSync: (filePath, options) => rmSync(filePath, options),
+      },
+      "../stages/postgen/auditBom.js": { auditBom: auditBomStub },
+      "../stages/postgen/postgen.js": {
+        postProcess: sinon.stub().callsFake((bomNSData) => bomNSData),
+      },
+    });
+
+    try {
+      const result = await auditTarget(target, {
+        maxTargets: 1,
+        minSeverity: "low",
+        workspaceDir,
+      });
+
+      assert.strictEqual(result.status, "audited");
+      // Source-derived findings should be removed since they're fixed in default branch
+      // Contextual PROV-002 finding (no location.file) is retained
+      assert.strictEqual(result.findings.length, 1);
+      assert.strictEqual(result.findings[0].ruleId, "PROV-002");
+      assert.strictEqual(result.assessment.defaultBranchRechecked, true);
+      assert.strictEqual(result.assessment.findingsFixedInDefaultBranch, 3);
+      // Severity should be downgraded from critical/high to something lower
+      assert.ok(
+        result.assessment.severity !== "critical" &&
+          result.assessment.severity !== "high",
+        "severity should be downgraded after default branch recheck",
+      );
+    } finally {
+      rmSync(workspaceDir, { force: true, recursive: true });
+    }
+  });
+
+  it("retains Python source heuristic findings still present on default branch", async () => {
+    const workspaceDir = mkdtempSync(
+      path.join(os.tmpdir(), "cdx-audit-recheck-pysrc-"),
+    );
+    const target = {
+      bomRefs: ["pkg:pypi/demo@1.0.0"],
+      name: "demo",
+      purl: "pkg:pypi/demo@1.0.0",
+      properties: [],
+      type: "pypi",
+      version: "1.0.0",
+    };
+    const targetDir = path.join(workspaceDir, auditTargetSlug(target));
+    const cacheDir = path.join(targetDir, ".cdx-audit");
+    const suspiciousSetup = [
+      "from setuptools import setup",
+      "import base64",
+      "import os",
+      "payload = base64.b64decode('bHM=')",
+      "os.system(payload.decode())",
+      "setup(name='demo')",
+    ].join("\n");
+    mkdirSync(targetDir, { recursive: true });
+    writeFileSync(path.join(targetDir, "setup.py"), suspiciousSetup);
+    const cachedBom = {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      version: 1,
+      components: [],
+      formulation: [{ components: [] }],
+    };
+    writeJson(path.join(cacheDir, "source-bom.json"), cachedBom);
+    writeJson(path.join(cacheDir, "source-bom.meta.json"), {
+      repoUrl: "https://github.com/acme/demo.git",
+      resolution: {
+        name: "demo",
+        repoUrl: "https://github.com/acme/demo.git",
+        type: "pypi",
+        version: "1.0.0",
+      },
+      scanDirRelative: ".",
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    const auditBomStub = sinon.stub().resolves([]);
+    const cloneStub = sinon.stub().callsFake((args) => {
+      const cloneDir = args.at(-1);
+      mkdirSync(cloneDir, { recursive: true });
+      writeFileSync(path.join(cloneDir, "setup.py"), suspiciousSetup);
+      return { status: 0 };
+    });
+    const { auditTarget } = await esmock("./index.js", {
+      "../cli/index.js": {
+        createBom: sinon.stub().resolves({ bomJson: cachedBom }),
+      },
+      "../helpers/logger.js": { thoughtLog: sinon.stub() },
+      "../helpers/source.js": {
+        cleanupSourceDir: sinon.stub(),
+        findGitRefForPurlVersion: sinon.stub().returns("1.0.0"),
+        hardenedGitCommand: cloneStub,
+        resolveGitUrlFromPurl: sinon.stub().resolves({
+          name: "demo",
+          repoUrl: "https://github.com/acme/demo.git",
+          type: "pypi",
+          version: "1.0.0",
+        }),
+        resolvePurlSourceDirectory: sinon.stub().returns(undefined),
+        sanitizeRemoteUrlForLogs: (value) => value,
+      },
+      "../helpers/utils.js": {
+        dirNameStr: path.resolve("."),
+        getTmpDir: () => os.tmpdir(),
+        isDryRun: false,
+        safeExistsSync: (filePath) => existsSync(filePath),
+        safeMkdirSync: (filePath, options) => mkdirSync(filePath, options),
+        safeMkdtempSync: (prefix) => mkdtempSync(prefix),
+        safeRmSync: (filePath, options) => rmSync(filePath, options),
+      },
+      "../stages/postgen/auditBom.js": { auditBom: auditBomStub },
+      "../stages/postgen/postgen.js": {
+        postProcess: sinon.stub().callsFake((bomNSData) => bomNSData),
+      },
+    });
+
+    try {
+      const result = await auditTarget(target, {
+        maxTargets: 1,
+        minSeverity: "low",
+        workspaceDir,
+      });
+
+      assert.strictEqual(result.status, "audited");
+      assert.ok(
+        result.findings.some((finding) => finding.ruleId === "PYSRC-001"),
+      );
+      assert.strictEqual(result.assessment.defaultBranchRechecked, undefined);
+    } finally {
+      rmSync(workspaceDir, { force: true, recursive: true });
+    }
+  });
+
+  it("logs non-Error default-branch recheck failures safely", async () => {
+    const workspaceDir = mkdtempSync(
+      path.join(os.tmpdir(), "cdx-audit-recheck-log-"),
+    );
+    const target = {
+      bomRefs: ["pkg:npm/acme/demo@1.0.0"],
+      name: "demo",
+      namespace: "acme",
+      purl: "pkg:npm/acme/demo@1.0.0",
+      properties: [],
+      type: "npm",
+      version: "1.0.0",
+    };
+    const targetDir = path.join(workspaceDir, auditTargetSlug(target));
+    const cacheDir = path.join(targetDir, ".cdx-audit");
+    const cachedBom = {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      version: 1,
+      components: [],
+      formulation: [{ components: [] }],
+    };
+    writeJson(path.join(cacheDir, "source-bom.json"), cachedBom);
+    writeJson(path.join(cacheDir, "source-bom.meta.json"), {
+      repoUrl: "https://github.com/acme/demo.git",
+      resolution: {
+        name: "demo",
+        repoUrl: "https://github.com/acme/demo.git",
+        type: "npm",
+        version: "1.0.0",
+      },
+      scanDirRelative: ".",
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    const auditBomStub = sinon.stub().resolves([
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Workflow uses pull_request_target trigger",
+        ruleId: "CI-007",
+        severity: "critical",
+      },
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Checkout step pulls PR head inside pull_request_target",
+        ruleId: "CI-019",
+        severity: "critical",
+      },
+      {
+        category: "dependency-source",
+        location: { file: "package.json" },
+        message: "Dependency pinned to mutable git reference",
+        ruleId: "DEP-001",
+        severity: "high",
+      },
+    ]);
+    const thoughtLogStub = sinon.stub();
+    const { auditTarget } = await esmock("./index.js", {
+      "../cli/index.js": {
+        createBom: sinon.stub().callsFake(() => {
+          throw "default branch failure";
+        }),
+      },
+      "../helpers/logger.js": { thoughtLog: thoughtLogStub },
+      "../helpers/source.js": {
+        cleanupSourceDir: sinon.stub(),
+        findGitRefForPurlVersion: sinon.stub().returns("1.0.0"),
+        hardenedGitCommand: sinon.stub().returns({ status: 0 }),
+        resolveGitUrlFromPurl: sinon.stub().resolves({
+          name: "demo",
+          repoUrl: "https://github.com/acme/demo.git",
+          type: "npm",
+          version: "1.0.0",
+        }),
+        resolvePurlSourceDirectory: sinon.stub().returns(undefined),
+        sanitizeRemoteUrlForLogs: (value) => value,
+      },
+      "../helpers/utils.js": {
+        dirNameStr: path.resolve("."),
+        getTmpDir: () => os.tmpdir(),
+        isDryRun: false,
+        safeExistsSync: (filePath) => existsSync(filePath),
+        safeMkdirSync: (filePath, options) => mkdirSync(filePath, options),
+        safeMkdtempSync: (prefix) => mkdtempSync(prefix),
+        safeRmSync: (filePath, options) => rmSync(filePath, options),
+      },
+      "../stages/postgen/auditBom.js": { auditBom: auditBomStub },
+      "../stages/postgen/postgen.js": {
+        postProcess: sinon.stub().callsFake((bomNSData) => bomNSData),
+      },
+    });
+
+    try {
+      const result = await auditTarget(target, {
+        maxTargets: 1,
+        minSeverity: "low",
+        workspaceDir,
+      });
+      assert.strictEqual(result.status, "audited");
+      assert.ok(result.findings.some((finding) => finding.ruleId === "CI-007"));
+      assert.ok(
+        thoughtLogStub.calledWithMatch(
+          "Default branch recheck failed, keeping original findings.",
+          {
+            error: "default branch failure",
+            purl: target.purl,
+          },
+        ),
+        JSON.stringify(thoughtLogStub.getCalls().map((call) => call.args)),
+      );
+    } finally {
+      rmSync(workspaceDir, { force: true, recursive: true });
+    }
+  });
+
+  it("skips recheck when skipDefaultBranchRecheck option is set", async () => {
+    const workspaceDir = mkdtempSync(
+      path.join(os.tmpdir(), "cdx-audit-recheck-skip-"),
+    );
+    const target = {
+      bomRefs: ["pkg:pypi/typer@0.9.0"],
+      name: "typer",
+      purl: "pkg:pypi/typer@0.9.0",
+      properties: [],
+      type: "pypi",
+      version: "0.9.0",
+    };
+    const targetDir = path.join(workspaceDir, auditTargetSlug(target));
+    const cacheDir = path.join(targetDir, ".cdx-audit");
+    const cachedBom = {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      version: 1,
+      components: [],
+      formulation: [{ components: [] }],
+    };
+    writeJson(path.join(cacheDir, "source-bom.json"), cachedBom);
+    writeJson(path.join(cacheDir, "source-bom.meta.json"), {
+      repoUrl: "https://github.com/tiangolo/typer.git",
+      resolution: {
+        name: "typer",
+        repoUrl: "https://github.com/tiangolo/typer.git",
+        type: "pypi",
+        version: "0.9.0",
+      },
+      scanDirRelative: ".",
+      sourceDirectoryConfidence: "high",
+      versionMatched: true,
+    });
+
+    const auditBomStub = sinon.stub().resolves([
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Workflow uses pull_request_target trigger",
+        ruleId: "CI-007",
+        severity: "high",
+      },
+      {
+        category: "ci-permission",
+        location: { file: ".github/workflows/ci.yml" },
+        message: "Checkout step pulls PR head inside pull_request_target",
+        ruleId: "CI-019",
+        severity: "critical",
+      },
+      {
+        category: "dependency-source",
+        location: { file: "requirements.txt" },
+        message: "Dependency pinned to mutable git reference",
+        ruleId: "DEP-001",
+        severity: "high",
+      },
+    ]);
+
+    const { auditTarget } = await esmock("./index.js", {
+      "../cli/index.js": {
+        createBom: sinon.stub().resolves({ bomJson: cachedBom }),
+      },
+      "../helpers/logger.js": { thoughtLog: sinon.stub() },
+      "../helpers/source.js": {
+        cleanupSourceDir: sinon.stub(),
+        findGitRefForPurlVersion: sinon.stub().returns("0.9.0"),
+        hardenedGitCommand: sinon.stub().returns({ status: 0 }),
+        resolveGitUrlFromPurl: sinon.stub().resolves({
+          name: "typer",
+          repoUrl: "https://github.com/tiangolo/typer.git",
+          type: "pypi",
+          version: "0.9.0",
+        }),
+        resolvePurlSourceDirectory: sinon.stub().returns(undefined),
+        sanitizeRemoteUrlForLogs: (value) => value,
+      },
+      "../helpers/utils.js": {
+        dirNameStr: path.resolve("."),
+        getTmpDir: () => os.tmpdir(),
+        isDryRun: false,
+        safeExistsSync: (filePath) => existsSync(filePath),
+        safeMkdirSync: (filePath, options) => mkdirSync(filePath, options),
+        safeMkdtempSync: (prefix) => mkdtempSync(prefix),
+        safeRmSync: (filePath, options) => rmSync(filePath, options),
+      },
+      "../stages/postgen/auditBom.js": { auditBom: auditBomStub },
+      "../stages/postgen/postgen.js": {
+        postProcess: sinon.stub().callsFake((bomNSData) => bomNSData),
+      },
+    });
+
+    try {
+      const result = await auditTarget(target, {
+        maxTargets: 1,
+        minSeverity: "low",
+        skipDefaultBranchRecheck: true,
+        workspaceDir,
+      });
+
+      assert.strictEqual(result.status, "audited");
+      // auditBom should only be called once (no recheck)
+      assert.strictEqual(auditBomStub.callCount, 1);
+      // Findings should remain unchanged (3 from auditBom + 1 contextual PROV-002)
+      assert.strictEqual(result.findings.length, 4);
+      assert.strictEqual(result.assessment.defaultBranchRechecked, undefined);
+    } finally {
+      rmSync(workspaceDir, { force: true, recursive: true });
+    }
+  });
+});