Secure mode - part 2 (#1614)

Secure mode no child

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

.github/workflows/repotests.yml

@@ -739,6 +739,14 @@ jobs:
           mkdir -p "~/.rbenv/plugins"
           git clone https://github.com/rbenv/ruby-build.git --depth=1 "~/.rbenv/plugins/ruby-build"
         if: runner.os != 'Windows'
+      - name: repotests - no exec
+        run: |
+          bin/cdxgen.js -p -t pnpm ${GITHUB_WORKSPACE} --no-recurse -o ${GITHUB_WORKSPACE}/bomresults/bom-self.json --fail-on-error
+        shell: bash
+        env:
+          NODE_OPTIONS: "--permission --allow-fs-read=${{ runner.temp }}/cdxgen-repotests/* --allow-fs-read=${{ github.workspace }}/* --allow-fs-write=${{ github.workspace }}/bomresults/bom-self.json --trace-warnings"
+          CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-repotests
+          JAVA_HOME: ""
       - name: repotests
         run: |
           bin/cdxgen.js -p -t java ${GITHUB_WORKSPACE}/repotests/java-sec-code -o ${GITHUB_WORKSPACE}/bomresults/bom-java-sec-code-1.json --fail-on-error

bin/cdxgen.js

@@ -28,6 +28,7 @@ import {
   isMac,
   isSecureMode,
   isWin,
+  safeExistsSync,
 } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
@@ -579,7 +580,9 @@ const checkPermissions = (filePath, options) => {
       console.log(
         "\x1b[1;35mSecure mode requires permission-related arguments. These can be passed as CLI arguments directly to the node runtime or set the NODE_OPTIONS environment variable as shown below.\x1b[0m",
       );
-      const nodeOptionsVal = `--permission --allow-fs-read="${getTmpDir()}/*" --allow-fs-write="${getTmpDir()}/*" --allow-fs-read="${fullFilePath}/*" --allow-fs-write="${options.output}" --allow-child-process`;
+      const childProcessArgs =
+        options?.lifecycle !== "pre-build" ? " --allow-child-process" : "";
+      const nodeOptionsVal = `--permission --allow-fs-read="${getTmpDir()}/*" --allow-fs-write="${getTmpDir()}/*" --allow-fs-read="${fullFilePath}/*" --allow-fs-write="${options.output}"${childProcessArgs}`;
       console.log(
         `${isWin ? "$env:" : "export "}NODE_OPTIONS='${nodeOptionsVal}'`,
       );
@@ -680,11 +683,11 @@ const checkPermissions = (filePath, options) => {
   }
   if (!process.permission.has("fs.write", getTmpDir())) {
     console.log(
-      `FileSystemWrite permission may be required to the TEMP directory. Please invoke cdxgen with the argument --allow-fs-write="${join(getTmpDir(), "*")}"`,
+      `FileSystemWrite permission may be required for the TEMP directory. Please invoke cdxgen with the argument --allow-fs-write="${join(getTmpDir(), "*")}" in case of any crashes.`,
     );
     if (isMac) {
       console.log(
-        "TIP: macOS doesn't use `/tmp` prefix for TEMP directories. Use the argument shown above.",
+        "TIP: macOS doesn't use the `/tmp` prefix for TEMP directories. Use the argument shown above.",
       );
     }
   }
@@ -752,7 +755,7 @@ const checkPermissions = (filePath, options) => {
           (process.env.SBOM_SIGN_ALGORITHM &&
             process.env.SBOM_SIGN_ALGORITHM !== "none" &&
             process.env.SBOM_SIGN_PRIVATE_KEY &&
-            fs.existsSync(process.env.SBOM_SIGN_PRIVATE_KEY)))
+            safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)))
       ) {
         let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
         if (alg.includes("none")) {
@@ -794,7 +797,7 @@ const checkPermissions = (filePath, options) => {
           );
           if (
             process.env.SBOM_SIGN_PUBLIC_KEY &&
-            fs.existsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
+            safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
           ) {
             jwkPublicKey = crypto
               .createPublicKey(

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.1.6",
+  "version": "11.1.7",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "lib": ["deno.window"],
@@ -68,7 +68,7 @@
     "packageurl-js": "npm:packageurl-js@1.0.2",
     "prettify-xml": "npm:prettify-xml@^1.2.0",
     "properties-reader": "npm:properties-reader@^2.3.0",
-    "semver": "npm:semver@^7.6.3",
+    "semver": "npm:semver@^7.7.0",
     "ssri": "npm:ssri@^12.0.0",
     "table": "npm:table@^6.9.0",
     "tar": "npm:tar@^7.4.3",

docs/PERMISSIONS.md

@@ -38,6 +38,27 @@ Use the custom container image `ghcr.io/cyclonedx/cdxgen-secure` which comes con
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-secure cdxgen -r /app -o /app/bom.json -t java
 ```
 
+### Identifying NODE_OPTIONS
+
+Run cdxgen with the environment variable `CDXGEN_SECURE_MODE=true` to obtain a suggested value for the `NODE_OPTIONS` environment variable.
+
+Example:
+
+```text
+cdxgen -t pnpm --no-recurse -o bom.json $(pwd) --exclude "**/__fixtures__/**" --lifecycle pre-build
+
+Secure mode requires permission-related arguments. These can be passed as CLI arguments directly to the node runtime or set the NODE_OPTIONS environment variable as shown below.
+export NODE_OPTIONS='--permission --allow-fs-read="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-write="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-read="/Volumes/Work/sandbox/pnpm/*" --allow-fs-write="/Volumes/Work/sandbox/pnpm/bom.json"'
+```
+
+## Controlling the permissions for external commands
+
+Use the environment variable `CDXGEN_NODE_OPTIONS` to control the permissions for the external node-based commands such as npm, atom, and yarn etc.
+
+```shell
+export CDXGEN_NODE_OPTIONS="--permission --allow-fs-read<more restricted directories> --allow-fs-write=/foo/usages.slices.json"
+```
+
 ## GitHub Action Workflow sample
 
 Our repotests include a working configuration to enable secure mode in GitHub Action Workflows. Below is a snippet.

jsr.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.1.6",
+  "version": "11.1.7",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [