vaspera 2.5.0

package/dist/sbom/cyclonedx.js

@@ -0,0 +1,392 @@
+/**
+ * CycloneDX SBOM Generator
+ *
+ * Generates CycloneDX 1.5 SBOMs from package.json and lock files.
+ *
+ * @module sbom/cyclonedx
+ */
+import { readFile, access } from "fs/promises";
+import { join } from "path";
+import { createHash, randomUUID } from "crypto";
+/**
+ * Check if file exists
+ */
+async function fileExists(filePath) {
+    try {
+        await access(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Parse package.json
+ */
+async function parsePackageJson(projectPath) {
+    const pkgPath = join(projectPath, "package.json");
+    if (!(await fileExists(pkgPath))) {
+        return null;
+    }
+    const content = await readFile(pkgPath, "utf-8");
+    return JSON.parse(content);
+}
+/**
+ * Parse package-lock.json
+ */
+async function parsePackageLock(projectPath) {
+    const lockPath = join(projectPath, "package-lock.json");
+    if (!(await fileExists(lockPath))) {
+        return null;
+    }
+    const content = await readFile(lockPath, "utf-8");
+    return JSON.parse(content);
+}
+/**
+ * Generate purl (package URL) for npm package
+ */
+function generatePurl(name, version) {
+    // Handle scoped packages
+    const encodedName = name.startsWith("@")
+        ? name.replace("/", "%2F")
+        : name;
+    return version
+        ? `pkg:npm/${encodedName}@${version}`
+        : `pkg:npm/${encodedName}`;
+}
+/**
+ * Generate bom-ref from package name and version
+ */
+function generateBomRef(name, version) {
+    return version ? `${name}@${version}` : name;
+}
+/**
+ * Parse integrity hash from package-lock
+ */
+function parseIntegrityHash(integrity) {
+    if (!integrity)
+        return [];
+    const hashes = [];
+    // Format: sha512-base64hash or sha256-base64hash
+    if (integrity.startsWith("sha512-")) {
+        hashes.push({
+            alg: "SHA-512",
+            content: integrity.slice(7),
+        });
+    }
+    else if (integrity.startsWith("sha256-")) {
+        hashes.push({
+            alg: "SHA-256",
+            content: integrity.slice(7),
+        });
+    }
+    else if (integrity.startsWith("sha1-")) {
+        hashes.push({
+            alg: "SHA-1",
+            content: integrity.slice(5),
+        });
+    }
+    return hashes;
+}
+/**
+ * Extract author name from package.json author field
+ */
+function extractAuthorName(author) {
+    if (!author)
+        return undefined;
+    if (typeof author === "string") {
+        // Parse "Name <email>" format
+        const match = author.match(/^([^<]+)/);
+        return match ? match[1].trim() : author;
+    }
+    return author.name;
+}
+/**
+ * Create component from package info
+ */
+function createComponent(name, version, options) {
+    const component = {
+        type: "library",
+        "bom-ref": generateBomRef(name, version),
+        name,
+        version,
+        purl: generatePurl(name, version),
+    };
+    if (options?.integrity) {
+        component.hashes = parseIntegrityHash(options.integrity);
+    }
+    if (options?.description) {
+        component.description = options.description;
+    }
+    if (options?.license) {
+        component.licenses = [{ license: { id: options.license } }];
+    }
+    if (options?.isDev) {
+        component.scope = "optional";
+        component.properties = [{ name: "cdx:npm:development", value: "true" }];
+    }
+    if (options?.isOptional) {
+        component.scope = "optional";
+    }
+    if (options?.resolved) {
+        component.externalReferences = [
+            {
+                type: "distribution",
+                url: options.resolved,
+            },
+        ];
+    }
+    return component;
+}
+/**
+ * Generate SBOM metadata
+ */
+function generateMetadata(packageJson, options) {
+    const projectName = options?.projectName || packageJson.name || "unknown";
+    const projectVersion = options?.projectVersion || packageJson.version;
+    const metadata = {
+        timestamp: new Date().toISOString(),
+        tools: [
+            {
+                vendor: "Vaspera",
+                name: "vaspera-hardening",
+                version: "1.1.0",
+            },
+        ],
+        component: {
+            type: "application",
+            "bom-ref": generateBomRef(projectName, projectVersion),
+            name: projectName,
+            version: projectVersion,
+            description: packageJson.description,
+            purl: generatePurl(projectName, projectVersion),
+        },
+    };
+    // Add author
+    const authorName = options?.author?.name || extractAuthorName(packageJson.author);
+    if (authorName) {
+        metadata.authors = [
+            {
+                name: authorName,
+                email: options?.author?.email,
+            },
+        ];
+    }
+    // Add license
+    if (packageJson.license) {
+        metadata.licenses = [{ license: { id: packageJson.license } }];
+    }
+    return metadata;
+}
+/**
+ * Extract components from package-lock.json (v2/v3 format)
+ */
+function extractComponentsFromLockV2(packageLock, includeDevDependencies) {
+    const components = [];
+    const packages = packageLock.packages || {};
+    for (const [pkgPath, pkgInfo] of Object.entries(packages)) {
+        // Skip root package
+        if (pkgPath === "")
+            continue;
+        // Extract name from path (e.g., "node_modules/@types/node" -> "@types/node")
+        const name = pkgPath.replace(/^node_modules\//, "").replace(/\/node_modules\//g, "/");
+        // Skip dev dependencies if not included
+        if (pkgInfo.dev && !includeDevDependencies)
+            continue;
+        components.push(createComponent(name, pkgInfo.version, {
+            resolved: pkgInfo.resolved,
+            integrity: pkgInfo.integrity,
+            isDev: pkgInfo.dev,
+            isOptional: pkgInfo.optional,
+        }));
+    }
+    return components;
+}
+/**
+ * Extract components from package-lock.json (v1 format)
+ */
+function extractComponentsFromLockV1(packageLock, includeDevDependencies) {
+    const components = [];
+    const deps = packageLock.dependencies || {};
+    function processDeps(dependencies, 
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _prefix = "") {
+        for (const [name, info] of Object.entries(dependencies)) {
+            // Skip dev dependencies if not included
+            if (info.dev && !includeDevDependencies)
+                continue;
+            components.push(createComponent(name, info.version, {
+                resolved: info.resolved,
+                integrity: info.integrity,
+                isDev: info.dev,
+                isOptional: info.optional,
+            }));
+            // Process nested dependencies
+            if (info.dependencies) {
+                processDeps(info.dependencies);
+            }
+        }
+    }
+    processDeps(deps);
+    return components;
+}
+/**
+ * Extract components from package.json only (no lock file)
+ */
+function extractComponentsFromPackageJson(packageJson, includeDevDependencies) {
+    const components = [];
+    // Production dependencies
+    if (packageJson.dependencies) {
+        for (const [name, version] of Object.entries(packageJson.dependencies)) {
+            components.push(createComponent(name, version.replace(/^[\^~]/, "")));
+        }
+    }
+    // Dev dependencies
+    if (includeDevDependencies && packageJson.devDependencies) {
+        for (const [name, version] of Object.entries(packageJson.devDependencies)) {
+            components.push(createComponent(name, version.replace(/^[\^~]/, ""), { isDev: true }));
+        }
+    }
+    // Peer dependencies
+    if (packageJson.peerDependencies) {
+        for (const [name, version] of Object.entries(packageJson.peerDependencies)) {
+            components.push(createComponent(name, version.replace(/^[\^~]/, ""), { isOptional: true }));
+        }
+    }
+    return components;
+}
+/**
+ * Generate dependency graph
+ */
+function generateDependencies(packageJson, components) {
+    const dependencies = [];
+    const componentRefs = new Set(components.map((c) => c["bom-ref"]));
+    // Root application depends on direct dependencies
+    const rootRef = generateBomRef(packageJson.name || "unknown", packageJson.version);
+    const directDeps = [];
+    if (packageJson.dependencies) {
+        for (const [name, version] of Object.entries(packageJson.dependencies)) {
+            const ref = generateBomRef(name, version.replace(/^[\^~]/, ""));
+            if (componentRefs.has(ref)) {
+                directDeps.push(ref);
+            }
+        }
+    }
+    dependencies.push({
+        ref: rootRef,
+        dependsOn: directDeps,
+    });
+    // Add empty dependency entries for each component
+    for (const component of components) {
+        if (component["bom-ref"] && component["bom-ref"] !== rootRef) {
+            dependencies.push({
+                ref: component["bom-ref"],
+                dependsOn: [],
+            });
+        }
+    }
+    return dependencies;
+}
+/**
+ * Convert scanner findings to vulnerabilities
+ */
+export function findingsToVulnerabilities(findings) {
+    const vulnerabilities = [];
+    // Filter to dependency vulnerabilities
+    const depFindings = findings.filter((f) => f.scanner === "npm-audit" || f.cveIds?.length);
+    for (const finding of depFindings) {
+        const vuln = {
+            "bom-ref": `vuln-${finding.ruleId}`,
+            id: finding.cveIds?.[0] || finding.ruleId,
+            source: {
+                name: finding.scanner === "npm-audit" ? "npm" : "scanner",
+                url: finding.scanner === "npm-audit"
+                    ? "https://www.npmjs.com/advisories"
+                    : undefined,
+            },
+            ratings: [
+                {
+                    severity: finding.severity,
+                    method: "other",
+                },
+            ],
+            description: finding.message,
+        };
+        if (finding.cweIds?.length) {
+            vuln.cwes = finding.cweIds
+                .map((cwe) => parseInt(cwe.replace("CWE-", ""), 10))
+                .filter((n) => !isNaN(n));
+        }
+        vulnerabilities.push(vuln);
+    }
+    return vulnerabilities;
+}
+/**
+ * Generate CycloneDX SBOM
+ */
+export async function generateSBOM(projectPath, options, findings) {
+    const packageJson = await parsePackageJson(projectPath);
+    if (!packageJson) {
+        throw new Error(`No package.json found in ${projectPath}`);
+    }
+    const packageLock = await parsePackageLock(projectPath);
+    const includeDevDependencies = options?.includeDevDependencies ?? false;
+    // Extract components
+    let components;
+    if (packageLock) {
+        // Use lock file for accurate versions
+        if (packageLock.lockfileVersion && packageLock.lockfileVersion >= 2) {
+            components = extractComponentsFromLockV2(packageLock, includeDevDependencies);
+        }
+        else {
+            components = extractComponentsFromLockV1(packageLock, includeDevDependencies);
+        }
+    }
+    else {
+        // Fall back to package.json
+        components = extractComponentsFromPackageJson(packageJson, includeDevDependencies);
+    }
+    // Generate SBOM
+    const sbom = {
+        bomFormat: "CycloneDX",
+        specVersion: "1.5",
+        serialNumber: `urn:uuid:${randomUUID()}`,
+        version: 1,
+        metadata: generateMetadata(packageJson, options),
+        components,
+        dependencies: generateDependencies(packageJson, components),
+    };
+    // Add vulnerabilities if requested
+    if (options?.includeVulnerabilities && findings?.length) {
+        sbom.vulnerabilities = findingsToVulnerabilities(findings);
+    }
+    return sbom;
+}
+/**
+ * Generate SBOM as JSON string
+ */
+export async function generateSBOMJson(projectPath, options, findings) {
+    const sbom = await generateSBOM(projectPath, options, findings);
+    return JSON.stringify(sbom, null, 2);
+}
+/**
+ * Calculate SHA-256 hash of content
+ */
+export function calculateSha256(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+/**
+ * Generate compact SBOM summary
+ */
+export function generateSBOMSummary(sbom) {
+    const componentCount = sbom.components?.length || 0;
+    const vulnCount = sbom.vulnerabilities?.length || 0;
+    const projectName = sbom.metadata?.component?.name || "unknown";
+    const projectVersion = sbom.metadata?.component?.version || "?";
+    let summary = `SBOM: ${projectName}@${projectVersion} | ${componentCount} components`;
+    if (vulnCount > 0) {
+        summary += ` | ${vulnCount} vulnerabilities`;
+    }
+    return summary;
+}
+//# sourceMappingURL=cyclonedx.js.map

package/dist/sbom/cyclonedx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cyclonedx.js","sourceRoot":"","sources":["../../src/sbom/cyclonedx.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAY,MAAM,MAAM,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AA6DhD;;GAEG;AACH,KAAK,UAAU,UAAU,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAClD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACjD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IACxD,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAY,EAAE,OAAgB;IAClD,yBAAyB;IACzB,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QACtC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC;QAC1B,CAAC,CAAC,IAAI,CAAC;IAET,OAAO,OAAO;QACZ,CAAC,CAAC,WAAW,WAAW,IAAI,OAAO,EAAE;QACrC,CAAC,CAAC,WAAW,WAAW,EAAE,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,OAAgB;IACpD,OAAO,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,SAAkB;IAC5C,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAE1B,MAAM,MAAM,GAAW,EAAE,CAAC;IAE1B,iDAAiD;IACjD,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;SAC5B,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;SAC5B,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,EAAE,OAAO;YACZ,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,MAA6B;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,8BAA8B;QAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACvC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1C,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,IAAY,EACZ,OAAgB,EAChB,OAOC;IAED,MAAM,SAAS,GAAuB;QACpC,IAAI,EAAE,SAAS;QACf,SAAS,EAAE,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC;QACxC,IAAI;QACJ,OAAO;QACP,IAAI,EAAE,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC;KAClC,CAAC;IAEF,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,SAAS,CAAC,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;QACzB,SAAS,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAC9C,CAAC;IAED,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,SAAS,CAAC,QAAQ,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,SAAS,CAAC,KAAK,GAAG,UAAU,CAAC;QAC7B,SAAS,CAAC,UAAU,GAAG,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;QACxB,SAAS,CAAC,KAAK,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,SAAS,CAAC,kBAAkB,GAAG;YAC7B;gBACE,IAAI,EAAE,cAAc;gBACpB,GAAG,EAAE,OAAO,CAAC,QAAQ;aACtB;SACF,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,WAAwB,EACxB,OAAqB;IAErB,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,WAAW,CAAC,IAAI,IAAI,SAAS,CAAC;IAC1E,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,WAAW,CAAC,OAAO,CAAC;IAEtE,MAAM,QAAQ,GAAsB;QAClC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE;YACL;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,OAAO;aACjB;SACF;QACD,SAAS,EAAE;YACT,IAAI,EAAE,aAAa;YACnB,SAAS,EAAE,cAAc,CAAC,WAAW,EAAE,cAAc,CAAC;YACtD,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,cAAc;YACvB,WAAW,EAAE,WAAW,CAAC,WAAW;YACpC,IAAI,EAAE,YAAY,CAAC,WAAW,EAAE,cAAc,CAAC;SAChD;KACF,CAAC;IAEF,aAAa;IACb,MAAM,UAAU,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,IAAI,iBAAiB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAClF,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,CAAC,OAAO,GAAG;YACjB;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK;aAC9B;SACF,CAAC;IACJ,CAAC;IAED,cAAc;IACd,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,QAAQ,CAAC,QAAQ,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAClC,WAAwB,EACxB,sBAA+B;IAE/B,MAAM,UAAU,GAAyB,EAAE,CAAC;IAC5C,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC;IAE5C,KAAK,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1D,oBAAoB;QACpB,IAAI,OAAO,KAAK,EAAE;YAAE,SAAS;QAE7B,6EAA6E;QAC7E,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAEtF,wCAAwC;QACxC,IAAI,OAAO,CAAC,GAAG,IAAI,CAAC,sBAAsB;YAAE,SAAS;QAErD,UAAU,CAAC,IAAI,CACb,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,EAAE;YACrC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,KAAK,EAAE,OAAO,CAAC,GAAG;YAClB,UAAU,EAAE,OAAO,CAAC,QAAQ;SAC7B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAClC,WAAwB,EACxB,sBAA+B;IAE/B,MAAM,UAAU,GAAyB,EAAE,CAAC;IAC5C,MAAM,IAAI,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;IAE5C,SAAS,WAAW,CAClB,YAAyB;IACzB,6DAA6D;IAC7D,OAAO,GAAG,EAAE;QAEZ,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxD,wCAAwC;YACxC,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB;gBAAE,SAAS;YAElD,UAAU,CAAC,IAAI,CACb,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;gBAClC,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,KAAK,EAAE,IAAI,CAAC,GAAG;gBACf,UAAU,EAAE,IAAI,CAAC,QAAQ;aAC1B,CAAC,CACH,CAAC;YAEF,8BAA8B;YAC9B,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,WAAW,CAAC,IAAI,CAAC,YAA2B,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;IACH,CAAC;IAED,WAAW,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,gCAAgC,CACvC,WAAwB,EACxB,sBAA+B;IAE/B,MAAM,UAAU,GAAyB,EAAE,CAAC;IAE5C,0BAA0B;IAC1B,IAAI,WAAW,CAAC,YAAY,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YACvE,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,IAAI,sBAAsB,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;QAC1D,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1E,UAAU,CAAC,IAAI,CACb,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CACtE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,WAAW,CAAC,gBAAgB,EAAE,CAAC;QACjC,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC3E,UAAU,CAAC,IAAI,CACb,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAC3E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,WAAwB,EACxB,UAAgC;IAEhC,MAAM,YAAY,GAA0B,EAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAEnE,kDAAkD;IAClD,MAAM,OAAO,GAAG,cAAc,CAC5B,WAAW,CAAC,IAAI,IAAI,SAAS,EAC7B,WAAW,CAAC,OAAO,CACpB,CAAC;IAEF,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,IAAI,WAAW,CAAC,YAAY,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YACvE,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;YAChE,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,YAAY,CAAC,IAAI,CAAC;QAChB,GAAG,EAAE,OAAO;QACZ,SAAS,EAAE,UAAU;KACtB,CAAC,CAAC;IAEH,kDAAkD;IAClD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,SAAS,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,SAAS,CAAC,KAAK,OAAO,EAAE,CAAC;YAC7D,YAAY,CAAC,IAAI,CAAC;gBAChB,GAAG,EAAE,SAAS,CAAC,SAAS,CAAC;gBACzB,SAAS,EAAE,EAAE;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgC;IAEhC,MAAM,eAAe,GAA6B,EAAE,CAAC;IAErD,uCAAuC;IACvC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CACjC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,WAAW,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,CACrD,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAA2B;YACnC,SAAS,EAAE,QAAQ,OAAO,CAAC,MAAM,EAAE;YACnC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,MAAM;YACzC,MAAM,EAAE;gBACN,IAAI,EAAE,OAAO,CAAC,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;gBACzD,GAAG,EACD,OAAO,CAAC,OAAO,KAAK,WAAW;oBAC7B,CAAC,CAAC,kCAAkC;oBACpC,CAAC,CAAC,SAAS;aAChB;YACD,OAAO,EAAE;gBACP;oBACE,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,MAAM,EAAE,OAAO;iBAChB;aACF;YACD,WAAW,EAAE,OAAO,CAAC,OAAO;SAC7B,CAAC;QAEF,IAAI,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM;iBACvB,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;iBACnD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;QAED,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,WAAmB,EACnB,OAAqB,EACrB,QAAiC;IAEjC,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,4BAA4B,WAAW,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACxD,MAAM,sBAAsB,GAAG,OAAO,EAAE,sBAAsB,IAAI,KAAK,CAAC;IAExE,qBAAqB;IACrB,IAAI,UAAgC,CAAC;IAErC,IAAI,WAAW,EAAE,CAAC;QAChB,sCAAsC;QACtC,IAAI,WAAW,CAAC,eAAe,IAAI,WAAW,CAAC,eAAe,IAAI,CAAC,EAAE,CAAC;YACpE,UAAU,GAAG,2BAA2B,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,2BAA2B,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4BAA4B;QAC5B,UAAU,GAAG,gCAAgC,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC;IACrF,CAAC;IAED,gBAAgB;IAChB,MAAM,IAAI,GAAkB;QAC1B,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,KAAK;QAClB,YAAY,EAAE,YAAY,UAAU,EAAE,EAAE;QACxC,OAAO,EAAE,CAAC;QACV,QAAQ,EAAE,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC;QAChD,UAAU;QACV,YAAY,EAAE,oBAAoB,CAAC,WAAW,EAAE,UAAU,CAAC;KAC5D,CAAC;IAEF,mCAAmC;IACnC,IAAI,OAAO,EAAE,sBAAsB,IAAI,QAAQ,EAAE,MAAM,EAAE,CAAC;QACxD,IAAI,CAAC,eAAe,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB,EACnB,OAAqB,EACrB,QAAiC;IAEjC,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChE,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAmB;IACrD,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,MAAM,IAAI,CAAC,CAAC;IACpD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,SAAS,CAAC;IAChE,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,IAAI,GAAG,CAAC;IAEhE,IAAI,OAAO,GAAG,SAAS,WAAW,IAAI,cAAc,MAAM,cAAc,aAAa,CAAC;IAEtF,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO,IAAI,MAAM,SAAS,kBAAkB,CAAC;IAC/C,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/sbom/cyclonedx.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for CycloneDX SBOM generation
+ */
+export {};
+//# sourceMappingURL=cyclonedx.test.d.ts.map

package/dist/sbom/cyclonedx.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cyclonedx.test.d.ts","sourceRoot":"","sources":["../../src/sbom/cyclonedx.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/sbom/cyclonedx.test.js

@@ -0,0 +1,244 @@
+/**
+ * Tests for CycloneDX SBOM generation
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { generateSBOM, generateSBOMJson, generateSBOMSummary, findingsToVulnerabilities, calculateSha256, } from "./cyclonedx.js";
+// Mock fs/promises
+vi.mock("fs/promises", () => ({
+    readFile: vi.fn(),
+    access: vi.fn(),
+}));
+import { readFile, access } from "fs/promises";
+describe("CycloneDX SBOM", () => {
+    const mockPackageJson = JSON.stringify({
+        name: "test-project",
+        version: "1.0.0",
+        description: "A test project",
+        author: "Test Author",
+        license: "MIT",
+        dependencies: {
+            express: "^4.18.0",
+            lodash: "^4.17.21",
+        },
+        devDependencies: {
+            vitest: "^1.0.0",
+        },
+    });
+    const mockPackageLock = JSON.stringify({
+        name: "test-project",
+        version: "1.0.0",
+        lockfileVersion: 3,
+        packages: {
+            "": {
+                name: "test-project",
+                version: "1.0.0",
+                dependencies: {
+                    express: "^4.18.0",
+                    lodash: "^4.17.21",
+                },
+                devDependencies: {
+                    vitest: "^1.0.0",
+                },
+            },
+            "node_modules/express": {
+                version: "4.18.2",
+                resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+                integrity: "sha512-abc123...",
+            },
+            "node_modules/lodash": {
+                version: "4.17.21",
+                resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+                integrity: "sha512-xyz789...",
+            },
+            "node_modules/vitest": {
+                version: "1.0.4",
+                resolved: "https://registry.npmjs.org/vitest/-/vitest-1.0.4.tgz",
+                integrity: "sha512-dev000...",
+                dev: true,
+            },
+        },
+    });
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    describe("generateSBOM", () => {
+        it("generates SBOM from package.json and lock file", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            expect(sbom.bomFormat).toBe("CycloneDX");
+            expect(sbom.specVersion).toBe("1.5");
+            expect(sbom.serialNumber).toMatch(/^urn:uuid:/);
+            expect(sbom.version).toBe(1);
+            expect(sbom.metadata).toBeDefined();
+            expect(sbom.metadata?.component?.name).toBe("test-project");
+            expect(sbom.components).toBeDefined();
+            expect(sbom.components.length).toBe(2); // Only prod deps by default
+        });
+        it("includes dev dependencies when requested", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path", { includeDevDependencies: true });
+            expect(sbom.components.length).toBe(3); // Includes vitest
+            const vitest = sbom.components.find((c) => c.name === "vitest");
+            expect(vitest).toBeDefined();
+            expect(vitest?.scope).toBe("optional");
+        });
+        it("generates purl for components", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            const express = sbom.components.find((c) => c.name === "express");
+            expect(express?.purl).toBe("pkg:npm/express@4.18.2");
+        });
+        it("generates bom-ref for components", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            const express = sbom.components.find((c) => c.name === "express");
+            expect(express?.["bom-ref"]).toBe("express@4.18.2");
+        });
+        it("falls back to package.json when no lock file", async () => {
+            vi.mocked(access).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    throw new Error("Not found");
+                }
+                return undefined;
+            });
+            vi.mocked(readFile).mockResolvedValue(mockPackageJson);
+            const sbom = await generateSBOM("/test/path");
+            expect(sbom.components.length).toBe(2);
+            // Version from package.json has ^ stripped
+            const express = sbom.components.find((c) => c.name === "express");
+            expect(express?.version).toBe("4.18.0");
+        });
+        it("throws when no package.json", async () => {
+            vi.mocked(access).mockRejectedValue(new Error("Not found"));
+            await expect(generateSBOM("/test/path")).rejects.toThrow("No package.json");
+        });
+        it("includes metadata tools", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            expect(sbom.metadata?.tools).toBeDefined();
+            expect(sbom.metadata?.tools?.[0].name).toBe("vaspera-hardening");
+        });
+        it("generates dependencies graph", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            expect(sbom.dependencies).toBeDefined();
+            expect(sbom.dependencies.length).toBeGreaterThan(0);
+        });
+    });
+    describe("generateSBOMJson", () => {
+        it("returns valid JSON string", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const json = await generateSBOMJson("/test/path");
+            expect(() => JSON.parse(json)).not.toThrow();
+            const parsed = JSON.parse(json);
+            expect(parsed.bomFormat).toBe("CycloneDX");
+        });
+    });
+    describe("generateSBOMSummary", () => {
+        it("generates compact summary", async () => {
+            vi.mocked(access).mockResolvedValue(undefined);
+            vi.mocked(readFile).mockImplementation(async (path) => {
+                if (String(path).includes("package-lock.json")) {
+                    return mockPackageLock;
+                }
+                return mockPackageJson;
+            });
+            const sbom = await generateSBOM("/test/path");
+            const summary = generateSBOMSummary(sbom);
+            expect(summary).toContain("test-project");
+            expect(summary).toContain("1.0.0");
+            expect(summary).toContain("2 components");
+        });
+    });
+    describe("findingsToVulnerabilities", () => {
+        it("converts scanner findings to vulnerabilities", () => {
+            const findings = [
+                {
+                    scanner: "npm-audit",
+                    ruleId: "GHSA-123",
+                    file: "package.json",
+                    line: 1,
+                    message: "Vulnerable dependency",
+                    severity: "high",
+                    confidence: 100,
+                    cweIds: ["CWE-400"],
+                    cveIds: ["CVE-2023-1234"],
+                },
+            ];
+            const vulns = findingsToVulnerabilities(findings);
+            expect(vulns.length).toBe(1);
+            expect(vulns[0].id).toBe("CVE-2023-1234");
+            expect(vulns[0].ratings?.[0].severity).toBe("high");
+            expect(vulns[0].cwes).toContain(400);
+        });
+        it("uses ruleId when no CVE", () => {
+            const findings = [
+                {
+                    scanner: "npm-audit",
+                    ruleId: "GHSA-xyz",
+                    file: "package.json",
+                    line: 1,
+                    message: "Advisory",
+                    severity: "medium",
+                    confidence: 100,
+                },
+            ];
+            const vulns = findingsToVulnerabilities(findings);
+            expect(vulns[0].id).toBe("GHSA-xyz");
+        });
+    });
+    describe("calculateSha256", () => {
+        it("calculates SHA-256 hash", () => {
+            const hash = calculateSha256("test content");
+            expect(hash).toBe("6ae8a75555209fd6c44157c0aed8016e763ff435a19cf186f76863140143ff72");
+        });
+        it("produces different hashes for different content", () => {
+            const hash1 = calculateSha256("content1");
+            const hash2 = calculateSha256("content2");
+            expect(hash1).not.toBe(hash2);
+        });
+    });
+});
+//# sourceMappingURL=cyclonedx.test.js.map