fix: hardenFactories.FromNodePackageJson.PackageUrlFactory's default package repository detection (#1074)

fixes #1073
closes
https://github.com/CycloneDX/cyclonedx-javascript-library/security/code-scanning/1

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.eslintrc.js

@@ -108,6 +108,18 @@ module.exports = {
         project: './tsconfig.json'
       }
     },
+    {
+      files: ['examples/node/typescript/example.cjs/src/*.ts'],
+      parserOptions: {
+        project: './examples/node/typescript/example.cjs/tsconfig.json'
+      }
+    },
+    {
+      files: ['examples/node/typescript/example.mjs/src/*.ts'],
+      parserOptions: {
+        project: './examples/node/typescript/example.mjs/tsconfig.json'
+      }
+    },
     {
       files: ['*.js', '*.mjs', '*.cjs'],
       plugins: [

.github/workflows/nodejs.yml

@@ -59,6 +59,26 @@ jobs:
           path: dist.${{ matrix.target }}
           if-no-files-found: error
 
+  test-lint:
+    name: test lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm i --ignore-scripts --include=optional  --loglevel=silly
+      - name: test
+        run: npm run test:lint
+
   test-standard:
     name: test standard
     runs-on: ubuntu-latest

HISTORY.md

@@ -6,6 +6,12 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Fixed
+  * Hardened `Factories.FromNodePackageJson.PackageUrlFactory`'s default package repository detection ([#1073] via [#1074])
+
+[#1073]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1073
+[#1074]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1074
+
 ## 6.8.0 -- 2024-05-14
 
 * Added

package.json

@@ -194,6 +194,7 @@
     "test": "run-p --aggregate-output -lc test:*",
     "test:node": "c8 mocha -p",
     "test:web": "node -e 'console.log(\"TODO: write web test\")'",
+    "test:lint": "tsc --noEmit",
     "test:standard": "eslint .",
     "api-doc": "run-p --aggregate-output -lc api-doc:*",
     "api-doc:node": "typedoc --options typedoc.node.json",

src/factories/fromNodePackageJson.node.ts

@@ -100,12 +100,17 @@ export class ExternalReferenceFactory {
   }
 }
 
-const npmDefaultRegistryMatcher = /^https?:\/\/registry\.npmjs\.org/
+/**
+ * The default repository is `https://registry.npmjs.org`.
+ * @see {@link https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm}
+ */
+const npmDefaultRepositoryMatcher = /^https?:\/\/registry\.npmjs\.org(:?\/|$)/
 
 /**
  * Node-specific PackageUrlFactory.
+ * @see {@link https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm}
  */
-export class PackageUrlFactory extends PlainPackageUrlFactory {
+export class PackageUrlFactory extends PlainPackageUrlFactory<'npm'> {
   override makeFromComponent (component: Component, sort: boolean = false): PackageURL | undefined {
     const purl = super.makeFromComponent(component, sort)
     return purl === undefined
@@ -132,7 +137,7 @@ export class PackageUrlFactory extends PlainPackageUrlFactory {
     const downloadUrl = qualifiers.get(PackageUrlQualifierNames.DownloadURL)
     if (downloadUrl !== undefined) {
       qualifiers.delete(PackageUrlQualifierNames.VcsUrl)
-      if (npmDefaultRegistryMatcher.test(downloadUrl)) {
+      if (npmDefaultRepositoryMatcher.test(downloadUrl)) {
         qualifiers.delete(PackageUrlQualifierNames.DownloadURL)
       }
     }

src/factories/packageUrl.ts

@@ -23,14 +23,14 @@ import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { Component } from '../models/component'
 
-export class PackageUrlFactory {
-  readonly #type: PackageURL['type']
+export class PackageUrlFactory<PurlType extends PackageURL['type']> {
+  readonly #type: PurlType
 
-  constructor (type: PackageUrlFactory['type']) {
+  constructor (type: PurlType) {
     this.#type = type
   }
 
-  get type (): PackageURL['type'] {
+  get type (): PurlType {
     return this.#type
   }
 

tests/unit/Factories.FromNodePackageJson.PackageUrlFactory.js

@@ -0,0 +1,85 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+const assert = require('assert')
+const { suite, test } = require('mocha')
+
+const {
+  Factories: { FromNodePackageJson: { PackageUrlFactory } },
+  Enums: { ComponentType, ExternalReferenceType },
+  Models: { Component, ExternalReference, ExternalReferenceRepository }
+} = require('../../')
+
+suite('Factories.FromNodePackageJson.PackageUrlFactory', () => {
+  suite('makeFromComponent()', () => {
+    test('plain', () => {
+      const component = new Component(ComponentType.Library, 'testing')
+      const purlFac = new PackageUrlFactory('npm')
+      const actual = purlFac.makeFromComponent(component)
+      assert.deepEqual(actual, 'TODO')
+    })
+
+    test('strips default repo', () => {
+      // see https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm
+      const component = new Component(ComponentType.Library, 'testing', {
+        externalReferences: new ExternalReferenceRepository([
+          new ExternalReference(
+            'https://registry.npmjs.org/@cyclonedx/cyclonedx-library/-/cyclonedx-library-1.0.0-beta.2.tgz',
+            ExternalReferenceType.Distribution
+          )
+        ])
+      })
+      const purlFac = new PackageUrlFactory('npm')
+      const actual = purlFac.makeFromComponent(component)
+      assert.deepEqual(actual, {
+        type: 'npm',
+        name: 'testing',
+        namespace: undefined,
+        version: undefined,
+        qualifiers: undefined,
+        subpath: undefined
+      })
+    })
+
+    test('dont strip BA repo', () => {
+      // regression test for https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1073
+      const component = new Component(ComponentType.Library, 'testing', {
+        externalReferences: new ExternalReferenceRepository([
+          new ExternalReference(
+            'https://registry.npmjs.org.badactor.net/@cyclonedx/cyclonedx-library/-/cyclonedx-library-1.0.0-beta.2.tgz',
+            ExternalReferenceType.Distribution
+          )
+        ])
+      })
+      const purlFac = new PackageUrlFactory('npm')
+      const actual = purlFac.makeFromComponent(component)
+      assert.deepEqual(actual,
+        {
+          type: 'npm',
+          name: 'testing',
+          namespace: undefined,
+          version: undefined,
+          qualifiers: {
+            download_url: 'https://registry.npmjs.org.badactor.net/@cyclonedx/cyclonedx-library/-/cyclonedx-library-1.0.0-beta.2.tgz'
+          },
+          subpath: undefined
+        })
+    })
+  })
+})

tests/unit/Factories.PackageUrlFactory.spec.js

@@ -26,7 +26,7 @@ const {
 
 const { randomString } = require('../_helpers/stringFunctions')
 
-suite('Builders.FromNodePackageJson.ToolBuilder', () => {
+suite('Factories.PackageUrlFactory', () => {
   test('construct', () => {
     const type = randomString(5)
 

tsconfig.json

@@ -104,6 +104,7 @@
   },
   "exclude": [
     "node_modules",
-    "**/*.spec.ts", "**/*.test.ts"
+    "tests", "**/*.spec.ts", "**/*.test.ts",
+    "examples"
   ]
 }