@cyclonedx/cdxgen 10.7.0 → 10.8.0

package/README.md

@@ -7,7 +7,6 @@
 [![SWH][badge-swh]][swh-cdxgen]
 [![Libraries.io dependency status][badge-libraries]][librariesio]
 
-
 # CycloneDX Generator (cdxgen)
 
 ![cdxgen logo](./docs/_media/cdxgen.png)
@@ -51,16 +50,6 @@ Sections include:
 - [Permissions][docs-permissions]
 - [Support (Enterprise & Community)][docs-support]
 
-### Automatic usage detection
-
-For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
-
-This attribute can be later used for various purposes. For example, [dep-scan][depscan-github] uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
-
-With the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
-
-For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
-
 ## Usage
 
 ## Installing
@@ -110,88 +99,68 @@ import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";
 ## Getting Help
 
 ```text
-$ cdxgen -h
+cdxgen [command]
+
+Commands:
+  cdxgen completion  Generate bash/zsh completion
+
 Options:
-  -o, --output                 Output file. Default bom.json
-                                                           [default: "bom.json"]
-  -t, --type                   Project type. Please refer to https://cyclonedx.g
-                               ithub.io/cdxgen/#/PROJECT_TYPES for supported lan
-                               guages/platforms.
-  -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
-                                true. Pass --no-recurse to disable.
-                                                       [boolean] [default: true]
-  -p, --print                  Print the SBOM as a table with tree.    [boolean]
-  -c, --resolve-class          Resolve class names for packages. jars only for n
-                               ow.                                     [boolean]
-      --deep                   Perform deep searches for components. Useful whil
-                               e scanning C/C++ apps, live OS and oci images.
-                                                                       [boolean]
-      --server-url             Dependency track url. Eg: https://deptrack.cyclon
-                               edx.io
+  -o, --output                 Output file. Default bom.json                                       [default: "bom.json"]
+  -t, --type                   Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supp
+                               orted languages/platforms.                                                        [array]
+      --exclude-type           Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TY
+                               PES for supported languages/platforms.
+  -r, --recurse                Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable.
+                                                                                               [boolean] [default: true]
+  -p, --print                  Print the SBOM as a table with tree.                                            [boolean]
+  -c, --resolve-class          Resolve class names for packages. jars only for now.                            [boolean]
+      --deep                   Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci i
+                               mages.                                                                          [boolean]
+      --server-url             Dependency track url. Eg: https://deptrack.cyclonedx.io
       --api-key                Dependency track api key
       --project-group          Dependency track project group
-      --project-name           Dependency track project name. Default use the di
-                               rectory name
-      --project-version        Dependency track project version
-                                                          [string] [default: ""]
-      --project-id             Dependency track project id. Either provide the i
-                               d or the project name and version together
-                                                                        [string]
-      --parent-project-id      Dependency track parent project id       [string]
-      --required-only          Include only the packages with required scope on
-                               the SBOM. Would set compositions.aggregate to inc
-                               omplete unless --no-auto-compositions is passed.
-                                                                       [boolean]
-      --fail-on-error          Fail if any dependency extractor fails. [boolean]
-      --no-babel               Do not use babel to perform usage analysis for Ja
-                               vaScript/TypeScript projects.           [boolean]
-      --generate-key-and-sign  Generate an RSA public/private key pair and then
-                               sign the generated SBOM using JSON Web Signatures
-                               .                                       [boolean]
-      --server                 Run cdxgen as a server                  [boolean]
-      --server-host            Listen address             [default: "127.0.0.1"]
-      --server-port            Listen port                     [default: "9090"]
-      --install-deps           Install dependencies automatically for some proje
-                               cts. Defaults to true but disabled for containers
-                                and oci scans. Use --no-install-deps to disable
-                               this feature.           [boolean] [default: true]
-      --validate               Validate the generated SBOM using json schema. De
-                               faults to true. Pass --no-validate to disable.
-                                                       [boolean] [default: true]
-      --evidence               Generate SBOM with evidence for supported languag
-                               es.                    [boolean] [default: false]
-      --spec-version           CycloneDX Specification version to use. Defaults
-                               to 1.5                    [number] [default: 1.5]
-      --filter                 Filter components containing this word in purl or
-                                component.properties.value. Multiple values allo
-                               wed.                                      [array]
-      --only                   Include components only containing this word in p
-                               url. Useful to generate BOM with first party comp
-                               onents alone. Multiple values allowed.    [array]
-      --author                 The person(s) who created the BOM. Set this value
-                                if you're intending the modify the BOM and claim
-                                authorship.[array] [default: "OWASP Foundation"]
-      --profile                BOM profile to use for generation. Default generi
-                               c.
-  [choices: "appsec", "research", "operational", "threat-modeling", "license-com
-                                       pliance", "generic"] [default: "generic"]
-      --exclude                Additional glob pattern(s) to ignore      [array]
-      --include-formulation    Generate formulation section using git metadata.
-                                                      [boolean] [default: false]
-      --include-crypto         Include crypto libraries found under formulation.
-                                                      [boolean] [default: false]
-      --standard               The list of standards which may consist of regula
-                               tions, industry or organizational-specific standa
-                               rds, maturity models, best practices, or any othe
-                               r requirements which can be evaluated against or
-                               attested to.
-  [array] [choices: "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "
-                     pcissc-secure-slc-1.1", "scvs-1.0.0", "ssaf-DRAFT-2023-11"]
-      --auto-compositions      Automatically set compositions when the BOM was f
-                               iltered. Defaults to true
-                                                       [boolean] [default: true]
-  -h, --help                   Show help                               [boolean]
-  -v, --version                Show version number                     [boolean]
+      --project-name           Dependency track project name. Default use the directory name
+      --project-version        Dependency track project version                                   [string] [default: ""]
+      --project-id             Dependency track project id. Either provide the id or the project name and version togeth
+                               er                                                                               [string]
+      --parent-project-id      Dependency track parent project id                                               [string]
+      --required-only          Include only the packages with required scope on the SBOM. Would set compositions.aggrega
+                               te to incomplete unless --no-auto-compositions is passed.                       [boolean]
+      --fail-on-error          Fail if any dependency extractor fails.                                         [boolean]
+      --no-babel               Do not use babel to perform usage analysis for JavaScript/TypeScript projects.  [boolean]
+      --generate-key-and-sign  Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web S
+                               ignatures.                                                                      [boolean]
+      --server                 Run cdxgen as a server                                                          [boolean]
+      --server-host            Listen address                                                     [default: "127.0.0.1"]
+      --server-port            Listen port                                                             [default: "9090"]
+      --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+      --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
+                               sable.                                                          [boolean] [default: true]
+      --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
+      --spec-version           CycloneDX Specification version to use. Defaults to 1.5           [number] [default: 1.5]
+      --filter                 Filter components containing this word in purl or component.properties.value. Multiple va
+                               lues allowed.                                                                     [array]
+      --only                   Include components only containing this word in purl. Useful to generate BOM with first p
+                               arty components alone. Multiple values allowed.                                   [array]
+      --author                 The person(s) who created the BOM. Set this value if you're intending the modify the BOM
+                               and claim authorship.                               [array] [default: "OWASP Foundation"]
+      --profile                BOM profile to use for generation. Default generic.
+  [choices: "appsec", "research", "operational", "threat-modeling", "license-compliance", "generic"] [default: "generic"
+                                                                                                                       ]
+      --exclude                Additional glob pattern(s) to ignore                                              [array]
+      --include-formulation    Generate formulation section with git metadata and build tools. Defaults to true. Invoke
+                               with --no-include-formulation to disable.                       [boolean] [default: true]
+      --include-crypto         Include crypto libraries found under formulation.              [boolean] [default: false]
+      --standard               The list of standards which may consist of regulations, industry or organizational-specif
+                               ic standards, maturity models, best practices, or any other requirements which can be eva
+                               luated against or attested to.
+  [array] [choices: "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scvs-1.0.0", "s
+                                                                                                     saf-DRAFT-2023-11"]
+      --auto-compositions      Automatically set compositions when the BOM was filtered. Defaults to true
+                                                                                               [boolean] [default: true]
+  -h, --help                   Show help                                                                       [boolean]
+  -v, --version                Show version number                                                             [boolean]
 ```
 
 All boolean arguments accept `--no` prefix to toggle the behavior.
@@ -473,6 +442,16 @@ if (validationResult) {
 }
 ```
 
+## Automatic usage detection
+
+For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
+
+This attribute can be later used for various purposes. For example, [dep-scan][depscan-github] uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.
+
+With the argument `--required-only`, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.
+
+For go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).
+
 ## Automatic services detection
 
 cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBOM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.

package/bin/cdxgen.js

@@ -17,6 +17,7 @@ import {
   printReachables,
   printServices,
   printSponsorBanner,
+  printSummary,
   printTable,
 } from "../display.js";
 import { createBom, submitBom } from "../index.js";
@@ -55,6 +56,10 @@ import { hideBin } from "yargs/helpers";
 
 const args = yargs(hideBin(process.argv))
   .env("CDXGEN")
+  .parserConfiguration({
+    "greedy-arrays": false,
+    "short-option-groups": false,
+  })
   .option("output", {
     alias: "o",
     description: "Output file. Default bom.json",
@@ -63,7 +68,6 @@ const args = yargs(hideBin(process.argv))
   .option("evinse-output", {
     description:
       "Create bom with evidence as a separate file. Default bom.json",
-    default: "bom.json",
     hidden: true,
   })
   .option("type", {
@@ -71,6 +75,10 @@ const args = yargs(hideBin(process.argv))
     description:
       "Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
   })
+  .option("exclude-type", {
+    description:
+      "Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supported languages/platforms.",
+  })
   .option("recurse", {
     alias: "r",
     type: "boolean",
@@ -238,8 +246,9 @@ const args = yargs(hideBin(process.argv))
   })
   .option("include-formulation", {
     type: "boolean",
-    default: false,
-    description: "Generate formulation section using git metadata.",
+    default: true,
+    description:
+      "Generate formulation section with git metadata and build tools. Defaults to true. Invoke with --no-include-formulation to disable.",
   })
   .option("include-crypto", {
     type: "boolean",
@@ -262,10 +271,13 @@ const args = yargs(hideBin(process.argv))
   .option("no-banner", {
     type: "boolean",
     default: false,
+    hidden: true,
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
   .completion("completion", "Generate bash/zsh completion")
+  .array("type")
+  .array("excludeType")
   .array("filter")
   .array("only")
   .array("author")
@@ -279,6 +291,10 @@ const args = yargs(hideBin(process.argv))
   })
   .example([
     ["$0 -t java .", "Generate a Java SBOM for the current directory"],
+    [
+      "$0 -t java -t js .",
+      "Generate a SBOM for Java and JavaScript in the current directory",
+    ],
     ["$0 --server", "Run cdxgen as a server"],
   ])
   .epilogue("for documentation, visit https://cyclonedx.github.io/cdxgen")
@@ -369,7 +385,11 @@ const applyAdvancedOptions = (options) => {
       process.env.ASTGEN_IGNORE_FILE_PATTERN = "";
       break;
     case "operational":
-      options.projectType = options.projectType || "os";
+      if (options?.projectType) {
+        options.projectType.push("os");
+      } else {
+        options.projectType = ["os"];
+      }
       break;
     case "threat-modeling":
       options.deep = true;
@@ -388,6 +408,8 @@ const applyAdvancedOptions = (options) => {
     case "post-build":
       if (
         !options.projectType ||
+        (Array.isArray(options.projectType) &&
+          options.projectType.length > 1) ||
         ![
           "csharp",
           "dotnet",
@@ -403,7 +425,7 @@ const applyAdvancedOptions = (options) => {
           "rust",
           "rust-lang",
           "cargo",
-        ].includes(options.projectType)
+        ].includes(options.projectType[0])
       ) {
         console.log(
           "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, go, and Rust projects. Please specify the type using the -t argument.",
@@ -473,14 +495,8 @@ const checkPermissions = (filePath) => {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
   let bomNSData = (await createBom(filePath, options)) || {};
-  if (
-    options.requiredOnly ||
-    options["filter"] ||
-    options["only"] ||
-    options.standard
-  ) {
-    bomNSData = postProcess(bomNSData, options);
-  }
+  // Add extra metadata and annotations with post processing
+  bomNSData = postProcess(bomNSData, options);
   if (
     options.output &&
     (typeof options.output === "string" || options.output instanceof String)
@@ -496,15 +512,7 @@ const checkPermissions = (filePath) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(
-          bomNSData.bomJson,
-          null,
-          options.deep ||
-            ["os", "docker", "universal"].includes(options.projectType) ||
-            process.env.CI
-            ? null
-            : 2,
-        );
+        jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
         fs.writeFileSync(jsonFile, jsonPayload);
       }
       if (
@@ -643,12 +651,17 @@ const checkPermissions = (filePath) => {
   }
   // Evidence generation
   if (options.evidence || options.includeCrypto) {
+    // Set the evinse output file to be the same as output file
+    if (!options.evinseOutput) {
+      options.evinseOutput = options.output;
+    }
     const evinserModule = await import("../evinser.js");
+    options.projectType = options.projectType || ["java"];
     const evinseOptions = {
       _: args._,
       input: options.output,
       output: options.evinseOutput,
-      language: options.projectType || "java",
+      language: options.projectType,
       dbPath: process.env.ATOM_DB || ATOM_DB,
       skipMavenCollector: false,
       force: false,
@@ -699,6 +712,7 @@ const checkPermissions = (filePath) => {
     protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
   }
   if (options.print && bomNSData.bomJson && bomNSData.bomJson.components) {
+    printSummary(bomNSData.bomJson);
     printDependencyTree(bomNSData.bomJson);
     printTable(bomNSData.bomJson);
     // CBOM related print

package/bin/repl.js

@@ -13,6 +13,7 @@ import {
   printOSTable,
   printOccurrences,
   printServices,
+  printSummary,
   printTable,
   printVulnerabilities,
 } from "../display.js";
@@ -67,6 +68,7 @@ export const importSbom = (sbomOrPath) => {
         bomType = "VDR";
       }
       console.log(`✅ ${bomType} imported successfully from ${sbomOrPath}`);
+      printSummary(sbom);
     } catch (e) {
       console.log(`⚠ Unable to import the BOM from ${sbomOrPath} due to ${e}`);
     }
@@ -161,9 +163,15 @@ cdxgenRepl.defineCommand("search", {
             searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i]`;
           }
           const expression = jsonata(searchStr);
-          const components = await expression.evaluate(sbom);
+          let components = await expression.evaluate(sbom);
           const dexpression = jsonata(dependenciesSearchStr);
-          const dependencies = await dexpression.evaluate(sbom);
+          let dependencies = await dexpression.evaluate(sbom);
+          if (components && !Array.isArray(components)) {
+            components = [components];
+          }
+          if (dependencies && !Array.isArray(dependencies)) {
+            dependencies = [dependencies];
+          }
           if (!components) {
             console.log("No results found!");
           } else {

package/binary.js

@@ -249,6 +249,7 @@ const OS_DISTRO_ALIAS = {
   "debian-13.5": "trixie",
   "debian-12": "bookworm",
   "debian-12.5": "bookworm",
+  "debian-12.6": "bookworm",
   "debian-11": "bullseye",
   "debian-11.5": "bullseye",
   "debian-10": "buster",

package/data/lic-mapping.json

@@ -17,9 +17,7 @@
       "Apache Public License 2.0",
       "Apache Software License - Version 2.0",
       "The Apache License, Version 2.0",
-      "BSD or Apache License, Version 2.0",
       "Apache Software License",
-      "Apache-2.0 OR MIT",
       "Apache2.0",
       "apache-2-0",
       "APL2",
@@ -241,7 +239,8 @@
       "GNU General Public License v2.0 or later",
       "GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version",
       "GNU GPLv2 or any later version",
-      "GPLv2+"
+      "GPLv2+",
+      "GNU General Public License v2 or later (GPLv2+)"
     ]
   },
   {
@@ -287,6 +286,10 @@
       "GNU Affero General Public License v3.0"
     ]
   },
+  {
+    "exp": "MIT-0",
+    "names": ["MIT No Attribution License (MIT-0)", "MIT No Attribution"]
+  },
   {
     "exp": "MIT",
     "names": [

package/display.js

@@ -405,3 +405,35 @@ export function printSponsorBanner(options) {
     console.log(table(data, config));
   }
 }
+
+export const printSummary = (bomJson) => {
+  const config = {
+    header: {
+      alignment: "center",
+      content: "BOM summary",
+    },
+  };
+  const metadataProperties = bomJson?.metadata?.properties;
+  if (!metadataProperties) {
+    return;
+  }
+  let bomPkgTypes = [];
+  let bomPkgNamespaces = [];
+  for (const aprop of metadataProperties) {
+    if (aprop.name === "cdx:bom:componentTypes") {
+      bomPkgTypes = aprop?.value.split("\\n");
+    }
+    if (aprop.name === "cdx:bom:componentNamespaces") {
+      bomPkgNamespaces = aprop?.value.split("\\n");
+    }
+  }
+  if (!bomPkgTypes.length && !bomPkgNamespaces.length) {
+    return;
+  }
+  let message = `** Package Types (${bomPkgTypes.length}) **\n${bomPkgTypes.join("\n")}`;
+  if (bomPkgNamespaces.length) {
+    message = `${message}\n\n** Namespaces (${bomPkgNamespaces.length}) **\n${bomPkgNamespaces.join("\n")}`;
+  }
+  const data = [[message]];
+  console.log(table(data, config));
+};

package/docker.js

@@ -37,6 +37,7 @@ let isDockerRootless = false;
 let isContainerd = !!process.env.CONTAINERD_ADDRESS;
 const WIN_LOCAL_TLS = "http://localhost:2375";
 let isWinLocalTLS = false;
+let isNerdctl = undefined;
 
 if (
   !process.env.DOCKER_HOST &&
@@ -49,6 +50,56 @@ if (
   isContainerd = true;
 }
 
+/**
+ * Detect if Rancher desktop is running on a mac.
+ */
+export function detectRancherDesktop() {
+  // Detect Rancher desktop and nerdctl on a mac
+  if (_platform() === "darwin") {
+    const limaHome = join(
+      homedir(),
+      "Library",
+      "Application Support",
+      "rancher-desktop",
+      "lima",
+    );
+    const limactl = join(
+      "/Applications",
+      "Rancher Desktop.app",
+      "Contents",
+      "Resources",
+      "resources",
+      "darwin",
+      "lima",
+      "bin",
+      "limactl",
+    );
+    // Is Rancher Desktop running
+    if (existsSync(limactl) || existsSync(limaHome)) {
+      const result = spawnSync("rdctl", ["list-settings"], {
+        encoding: "utf-8",
+      });
+      if (result.status !== 0 || result.error) {
+        if (
+          isNerdctl === undefined &&
+          result.stderr?.includes("connection refused")
+        ) {
+          console.warn(
+            "Ensure Rancher Desktop is running prior to invoking cdxgen. To start from the command line, type the command 'rdctl start'",
+          );
+          isNerdctl = false;
+        }
+      } else {
+        if (DEBUG_MODE) {
+          console.log("Rancher Desktop found!");
+        }
+        isNerdctl = true;
+      }
+    }
+  }
+  return isNerdctl;
+}
+
 // Cache the registry auth keys
 const registry_auth_keys = {};
 
@@ -288,7 +339,7 @@ const getDefaultOptions = (forRegistry) => {
 };
 
 export const getConnection = async (options, forRegistry) => {
-  if (isContainerd) {
+  if (isContainerd || isNerdctl) {
     return undefined;
   }
   if (!dockerConn) {
@@ -368,10 +419,15 @@ export const getConnection = async (options, forRegistry) => {
               "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on.",
               opts,
             );
-          } else if (_platform() === "darwin") {
-            console.warn(
-              "Ensure Podman Desktop (open-source) or Docker for Desktop (May require subscription) is running.",
-            );
+          } else if (_platform() === "darwin" && !isNerdctl) {
+            if (detectRancherDesktop()) {
+              return undefined;
+            }
+            if (isNerdctl === undefined) {
+              console.warn(
+                "Ensure Podman Desktop (open-source) or Docker for Desktop (May require subscription) is running.",
+              );
+            }
           } else {
             console.warn(
               "Ensure docker/podman service or Docker for Desktop is running.",
@@ -497,11 +553,14 @@ export const parseImageName = (fullImageName) => {
 };
 
 /**
- * Prefer cli on windows or when using tcp/ssh based host.
+ * Prefer cli on windows, nerdctl on mac, or when using tcp/ssh based host.
  *
  * @returns boolean true if we should use the cli. false otherwise
  */
 const needsCliFallback = () => {
+  if (_platform() === "darwin" && detectRancherDesktop()) {
+    return true;
+  }
   return (
     isWin ||
     (process.env.DOCKER_HOST &&
@@ -532,7 +591,10 @@ export const getImage = async (fullImageName) => {
     return undefined;
   }
   if (needsCliFallback()) {
-    const dockerCmd = process.env.DOCKER_CMD || "docker";
+    let dockerCmd = process.env.DOCKER_CMD || "docker";
+    if (!process.env.DOCKER_CMD && detectRancherDesktop()) {
+      dockerCmd = "nerdctl";
+    }
     let result = spawnSync(dockerCmd, ["pull", fullImageName], {
       encoding: "utf-8",
     });
@@ -956,14 +1018,18 @@ export const exportImage = async (fullImageName) => {
   let manifestFile = join(tempDir, "manifest.json");
   // Windows containers use index.json
   const manifestIndexFile = join(tempDir, "index.json");
-  // On Windows, fallback to invoking cli
+  // On Windows or on mac with Rancher Desktop, fallback to invoking cli
   if (needsCliFallback()) {
     const imageTarFile = join(tempDir, "image.tar");
+    let dockerCmd = process.env.DOCKER_CMD || "docker";
+    if (!process.env.DOCKER_CMD && detectRancherDesktop()) {
+      dockerCmd = "nerdctl";
+    }
     console.log(
-      `About to export image ${fullImageName} to ${imageTarFile} using docker cli`,
+      `About to export image ${fullImageName} to ${imageTarFile} using ${dockerCmd} cli`,
     );
     const result = spawnSync(
-      "docker",
+      dockerCmd,
       ["save", "-o", imageTarFile, fullImageName],
       {
         encoding: "utf-8",

package/evinser.js

@@ -202,7 +202,7 @@ export const createAndStoreSlice = async (
 };
 
 export const createSlice = (
-  purlOrLanguage,
+  purlOrLanguages,
   filePath,
   sliceType = "usages",
   options = {},
@@ -215,9 +215,12 @@ export const createSlice = (
       filePath,
     )}. Please wait ...`,
   );
-  const language = purlOrLanguage.startsWith("pkg:")
-    ? purlToLanguage(purlOrLanguage, filePath)
-    : purlOrLanguage;
+  const firstLanguage = Array.isArray(purlOrLanguages)
+    ? purlOrLanguages[0]
+    : purlOrLanguages;
+  const language = firstLanguage.startsWith("pkg:")
+    ? purlToLanguage(firstLanguage, filePath)
+    : firstLanguage;
   if (!language) {
     return undefined;
   }