@cyclonedx/cdxgen 11.1.7 → 11.1.9

package/README.md

@@ -84,7 +84,7 @@ deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryIn
 
 You can also use the cdxgen container image with node, deno, or bun runtime versions.
 
-The default version uses Node.js 22
+The default version uses Node.js 23
 
 ```bash
 docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json
@@ -516,7 +516,7 @@ Before raising a PR, please run the following commands.
 
 ```bash
 corepack enable pnpm
-pnpm install
+pnpm install --config.strict-dep-builds=true
 # Generate types using jsdoc syntax
 pnpm run gen-types
 # Run biomejs formatter and linter with auto fix

package/bin/cdxgen.js

@@ -21,6 +21,7 @@ import {
   printSummary,
   printTable,
 } from "../lib/helpers/display.js";
+import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
   dirNameStr,
@@ -397,6 +398,7 @@ if (!args.projectName) {
     args.projectName = basename(resolve(filePath));
   }
 }
+thoughtLog(`Let's try to generate a CycloneDX BOM for the path '${filePath}'`);
 if (
   filePath.includes(" ") ||
   filePath.includes("\r") ||
@@ -412,6 +414,9 @@ if (
 // Support for obom/cbom aliases
 if (process.argv[1].includes("obom") && !args.type) {
   args.type = "os";
+  thoughtLog(
+    "Ok, the user wants to generate an Operations Bill-of-Materials (OBOM).",
+  );
 }
 
 /**
@@ -428,14 +433,28 @@ const options = Object.assign({}, args, {
       ? resolve(join(filePath, args.output))
       : args.output,
 });
-
+// Filter duplicate types. Eg: -t gradle -t gradle
+if (options.projectType && Array.isArray(options.projectType)) {
+  options.projectType = Array.from(new Set(options.projectType));
+}
+if (!options.projectType) {
+  thoughtLog(
+    "Ok, the user wants me to identify all the project types and generate a consolidated BOM document.",
+  );
+}
 if (process.argv[1].includes("cbom")) {
+  thoughtLog(
+    "Ok, the user wants to generate Cryptographic Bill-of-Materials (CBOM).",
+  );
   options.includeCrypto = true;
   options.evidence = true;
   options.specVersion = 1.6;
   options.deep = true;
 }
 if (process.argv[1].includes("cdxgen-secure")) {
+  thoughtLog(
+    "Ok, the user wants cdxgen to run in secure mode by default. Let's try and use the permissions api.",
+  );
   console.log(
     "NOTE: Secure mode only restricts cdxgen from performing certain activities such as package installation. It does not provide security guarantees in the presence of malicious code.",
   );
@@ -446,6 +465,9 @@ if (options.standard) {
   options.specVersion = 1.6;
 }
 if (options.includeFormulation) {
+  thoughtLog(
+    "Wait, the user wants to include formulation information. Let's warn about accidentally disclosing sensitive data via the BOM files.",
+  );
   console.log(
     "NOTE: Formulation section could include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution.\n",
   );
@@ -456,6 +478,13 @@ if (options.includeFormulation) {
  * @param {object} options CLI options
  */
 const applyAdvancedOptions = (options) => {
+  if (options?.profile !== "generic") {
+    thoughtLog(`BOM profile to use is '${options.profile}'.`);
+  } else {
+    thoughtLog(
+      "The user hasn't specified a profile. Should I suggest one to optimize the BOM for a specific use case or persona 🤔?",
+    );
+  }
   switch (options.profile) {
     case "appsec":
       options.deep = true;
@@ -508,6 +537,11 @@ const applyAdvancedOptions = (options) => {
     default:
       break;
   }
+  if (options.lifecycle) {
+    thoughtLog(
+      `BOM must be generated for the lifecycle '${options.lifecycle}'.`,
+    );
+  }
   switch (options.lifecycle) {
     case "pre-build":
       options.installDeps = false;
@@ -728,7 +762,9 @@ const checkPermissions = (filePath, options) => {
     options.usagesSlicesFile = `${options.projectName}-usages.json`;
   }
   prepareEnv(filePath, options);
+  thoughtLog("Getting ready to generate the BOM ⚡️.");
   let bomNSData = (await createBom(filePath, options)) || {};
+  thoughtLog("Tweaking the generated BOM data. Nearly there.");
   // Add extra metadata and annotations with post processing
   bomNSData = postProcess(bomNSData, options);
   if (
@@ -748,6 +784,13 @@ const checkPermissions = (filePath, options) => {
       } else {
         jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
         fs.writeFileSync(jsonFile, jsonPayload);
+        if (jsonFile.endsWith("bom.json")) {
+          thoughtLog(
+            `Let's save the file to "${jsonFile}". Should I suggest the '.cdx.json' file extension for better semantics?`,
+          );
+        } else {
+          thoughtLog(`Let's save the file to "${jsonFile}".`);
+        }
       }
       if (
         jsonPayload &&
@@ -843,6 +886,7 @@ const checkPermissions = (filePath, options) => {
               jsonFile,
               JSON.stringify(bomJsonUnsignedObj, null, null),
             );
+            thoughtLog(`Signing the BOM file "${jsonFile}".`);
             if (publicKeyFile) {
               // Verifying this signature
               const signatureVerification = jws.verify(
@@ -929,10 +973,13 @@ const checkPermissions = (filePath, options) => {
   }
   // Perform automatic validation
   if (options.validate) {
+    thoughtLog("Wait, let's check the generated BOM file for any issues.");
     if (!validateBom(bomNSData.bomJson)) {
       process.exit(1);
     }
+    thoughtLog("BOM file looks valid. Thank you for using cdxgen!");
   }
+  thoughtEnd();
   // Automatically submit the bom data
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {

package/lib/cli/index.js

@@ -30,6 +30,8 @@ import {
   gitTreeHashes,
   listFiles,
 } from "../helpers/envcontext.js";
+import { thoughtLog } from "../helpers/logger.js";
+
 import {
   CARGO_CMD,
   CLJ_CMD,
@@ -1344,11 +1346,22 @@ export async function createJavaBom(path, options) {
     `${options.multiProject ? "**/" : ""}pom.xml`,
     options,
   );
+  // gradle
+  const gradleFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}build.gradle*`,
+    options,
+  );
   let bomJsonFiles = [];
   if (
     pomFiles?.length &&
     isPackageManagerAllowed("maven", ["bazel", "sbt", "gradle"], options)
   ) {
+    if (gradleFiles.length) {
+      thoughtLog(
+        `Is this a Gradle project? I recommend invoking cdxgen with the "-t gradle" option if you're encountering build errors.`,
+      );
+    }
     if (!isQuarkus) {
       // Quarkus projects require special treatment. To detect quarkus, we parse the first 3 maven file to look for a hit
       for (const pf of pomFiles.slice(0, 3)) {
@@ -1367,6 +1380,9 @@ export async function createJavaBom(path, options) {
     let result = undefined;
     let mvnArgs;
     if (isQuarkus) {
+      thoughtLog(
+        "This appears to be a quarkus project. Let's use the right maven plugin.",
+      );
       // disable analytics. See: https://quarkus.io/usage/
       mvnArgs = [
         "-fn",
@@ -1438,6 +1454,7 @@ export async function createJavaBom(path, options) {
       }
       // Use the cyclonedx maven plugin if there is no preference for maven deps tree
       if (!useMavenDepsTree) {
+        thoughtLog("The user wants me to use the cyclonedx-maven plugin.");
         console.log(
           `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
           basePath,
@@ -1488,6 +1505,9 @@ export async function createJavaBom(path, options) {
         // For the first pom alone, we need to execute first in non-recursive mode to capture
         // the parent component. Then, we execute all of them in recursive mode
         if (f === firstPom) {
+          thoughtLog(
+            "What is the parent component here? Let's use maven command to find out.",
+          );
           result = spawnSync(
             "mvn",
             ["dependency:tree", "-N", `-DoutputFile=${tempMvnParentTree}`],
@@ -1510,10 +1530,22 @@ export async function createJavaBom(path, options) {
               tmpParentComponent.type = "application";
               parentComponent = tmpParentComponent;
               parentComponent.components = [];
+              if (parentComponent.name) {
+                thoughtLog(
+                  `Parent component is called ${parentComponent.name}!`,
+                );
+              }
             }
           }
         }
-        console.log(`Executing 'mvn ${mvnTreeArgs.join(" ")}' in ${basePath}`);
+        thoughtLog(
+          `**MAVEN**: Let's use Maven to collect packages from ${basePath}.`,
+        );
+        if (DEBUG_MODE) {
+          console.log(
+            `Executing 'mvn ${mvnTreeArgs.join(" ")}' in ${basePath}`,
+          );
+        }
         // Prefer the built-in maven
         result = spawnSync(
           PREFER_MAVEN_DEPS_TREE ? "mvn" : mavenCmd,
@@ -1577,6 +1609,9 @@ export async function createJavaBom(path, options) {
           console.log(
             "\nFalling back to parsing pom.xml files. Only direct dependencies would get included!",
           );
+          thoughtLog(
+            "**MAVEN**: There appear to be build errors, so the SBOM will be incomplete.",
+          );
           const dlist = parsePom(f);
           if (dlist?.length) {
             pkgList = pkgList.concat(dlist);
@@ -1693,19 +1728,17 @@ export async function createJavaBom(path, options) {
       }
     }
     if (possible_misses) {
-      if (!DEBUG_MODE) {
+      if (gradleFiles.length) {
+        console.log(
+          "Is this a gradle project? Try running cdxgen with `-t gradle`.",
+        );
+      } else if (!DEBUG_MODE) {
         console.warn(
           "Multiple errors occurred while building this project with maven. The SBOM is therefore incomplete!",
         );
       }
     }
   }
-  // gradle
-  const gradleFiles = getAllFiles(
-    path,
-    `${options.multiProject ? "**/" : ""}build.gradle*`,
-    options,
-  );
   const allProjects = [];
   const allProjectsAddedPurls = [];
   const rootDependsOn = new Set();
@@ -1923,9 +1956,14 @@ export async function createJavaBom(path, options) {
         "from this gradle project. De-duping this list ...",
       );
     } else {
-      console.log(
-        "No packages found. Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot any gradle related errors.",
+      thoughtLog(
+        "**GRADLE:** SBOM is incomplete. I recommend troubleshooting the issue to improve the BOM precision.",
       );
+      if (!DEBUG_MODE) {
+        console.log(
+          "No packages found. Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot any gradle related errors.",
+        );
+      }
       options.failOnError && process.exit(1);
     }
     // Should we attempt to resolve class names
@@ -3317,6 +3355,9 @@ export async function createPythonBom(path, options) {
           }
           // Fallback to parsing manually
           if (!pkgList.length || !frozen) {
+            thoughtLog(
+              `Manually parsing ${f}. The result would include only direct dependencies.`,
+            );
             if (DEBUG_MODE) {
               console.log(
                 `Manually parsing ${f}. The result would include only direct dependencies.`,
@@ -4005,10 +4046,12 @@ export async function createRustBom(path, options) {
     }
   }
   // After running cargo check, .d files would get created
-  const makeDFiles = getAllFiles(path, "target/**/*.d", options);
   let pkgFilesMap = {};
-  for (const dfile of makeDFiles) {
-    pkgFilesMap = { ...pkgFilesMap, ...parseMakeDFile(dfile) };
+  if (options.deep || ["build", "post-build"].includes(options.lifecycle)) {
+    const makeDFiles = getAllFiles(path, "target/**/*.d", options);
+    for (const dfile of makeDFiles) {
+      pkgFilesMap = { ...pkgFilesMap, ...parseMakeDFile(dfile) };
+    }
   }
   const cargoLockFiles = getAllFiles(
     path,
@@ -6205,7 +6248,16 @@ export async function createMultiXBom(pathList, options) {
     );
     if (DEBUG_MODE) {
       console.log(
-        `Found ${osPackages.length} OS packages at ${options.allLayersExplodedDir}`,
+        `**OS**: Found ${osPackages.length} OS packages at ${options.allLayersExplodedDir}`,
+      );
+    }
+    if (osPackages.length) {
+      thoughtLog(
+        `I found ${osPackages.length} OS packages at ${options.allLayersExplodedDir}`,
+      );
+    } else {
+      thoughtLog(
+        `I couldn't find any OS packages at ${options.allLayersExplodedDir}. Perhaps the binary plugin wasn't available, or the architecture is unsupported.`,
       );
     }
     if (allTypes?.length) {
@@ -6230,6 +6282,11 @@ export async function createMultiXBom(pathList, options) {
       if (DEBUG_MODE) {
         console.log(`Found ${bomData.bomJson.components.length} OS components`);
       }
+      if (bomData.bomJson.components.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} OS packages 😎.`,
+        );
+      }
       components = components.concat(bomData.bomJson.components);
     }
   }
@@ -6237,10 +6294,19 @@ export async function createMultiXBom(pathList, options) {
     if (DEBUG_MODE) {
       console.log("Scanning", path);
     }
+    if (pathList.length > 2) {
+      thoughtLog(`Let's thoroughly check the path ${path}.`);
+    }
     // Node.js
     if (hasAnyProjectType(["oci", "js"], options)) {
+      thoughtLog(
+        "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
+      );
       bomData = await createNodejsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} npm packages at ${path}`,
@@ -6268,8 +6334,14 @@ export async function createMultiXBom(pathList, options) {
     }
     // Java
     if (hasAnyProjectType(["oci", "java"], options)) {
+      thoughtLog(
+        "**JAVA**: Looking for Java projects (e.g., Maven, Gradle, SBT). I hope all configurations—from Java version to individual build settings—are correctly aligned.",
+      );
       bomData = await createJavaBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} java packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} java packages at ${path}`,
@@ -6291,6 +6363,9 @@ export async function createMultiXBom(pathList, options) {
         if (bomData.parentComponent.components?.length) {
           let bomSubComponents = bomData.parentComponent.components;
           if (["true", "1"].includes(process.env.GRADLE_RESOLVE_FROM_NODE)) {
+            thoughtLog(
+              "Wait, the user wants me to resolve gradle projects from npm.",
+            );
             const allRefs = components.map((c) => c["bom-ref"]);
             const duplicateComponents = bomSubComponents.filter((c) =>
               allRefs.includes(c["bom-ref"]),
@@ -6309,8 +6384,19 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "py"], options)) {
+      thoughtLog(
+        "**PYTHON**: Looking for Python projects with package managers such as pip, poetry, uv, etc. Wish me good luck!",
+      );
+      if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+        thoughtLog(
+          "I'm running in a non-container environment. Let's hope the correct build tools are available ✌️.",
+        );
+      }
       bomData = await createPythonBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} python packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} python packages at ${path}`,
@@ -6330,8 +6416,12 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "go"], options)) {
+      thoughtLog(
+        "**GO**: Looking for go projects. I need to be cautious about purl namespaces and potential failures with the 'go list' command.",
+      );
       bomData = await createGoBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(`I found ${bomData.bomJson.components.length} go packages.`);
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} go packages at ${path}`,
@@ -6351,8 +6441,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "rust"], options)) {
+      thoughtLog(
+        "**RUST**: Let's search for Cargo/Rust projects. Should I warn the user that we don't support Cargo 'features' and native dependencies, which may lead to both false positives and false negatives? 🤔?",
+      );
       bomData = await createRustBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} rust packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} rust packages at ${path}`,
@@ -6379,8 +6475,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "php"], options)) {
+      thoughtLog(
+        "**PHP**: About to search for Composer-based projects. I hope lock files are available; otherwise, the 'composer install' command might fail for various reasons.",
+      );
       bomData = createPHPBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} php packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} php packages at ${path}`,
@@ -6407,8 +6509,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "ruby"], options)) {
+      thoughtLog(
+        "**RUBY**: Are there any Ruby projects in this path? There's only one way to know.",
+      );
       bomData = await createRubyBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `We got ${bomData.bomJson.components.length} ruby packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} ruby packages at ${path}`,
@@ -6436,8 +6544,12 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "csharp"], options)) {
+      thoughtLog("**CSHARP**: What about csharp and fsharp projects?");
       bomData = await createCsharpBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `There are ${bomData.bomJson.components.length} csharp packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} csharp packages at ${path}`,
@@ -6464,8 +6576,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "dart"], options)) {
+      thoughtLog(
+        "**DART**: Looking for Dart projects. These are rare ones. Should I inform the user that they can pass the types argument via the command-line to speed things up?",
+      );
       bomData = await createDartBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} pub packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} pub packages at ${path}`,
@@ -6485,8 +6603,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "haskell"], options)) {
+      thoughtLog(
+        "**HASKELL**: Looking for Haskell projects. They're rarely encountered.",
+      );
       bomData = createHaskellBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} hackage packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} hackage packages at ${path}`,
@@ -6506,8 +6630,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "elixir"], options)) {
+      thoughtLog(
+        "**ELIXIR**: Looking for Elixir projects—they're quite rare as well.",
+      );
       bomData = createElixirBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} mix packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} mix packages at ${path}`,
@@ -6527,8 +6657,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "c"], options)) {
+      thoughtLog(
+        "**C/C++**: Looking for C/C++ projects. Should I warn the user that the generated SBOM might have low accuracy and contain errors?",
+      );
       bomData = createCppBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} cpp packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} cpp packages at ${path}`,
@@ -6548,8 +6684,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "clojure"], options)) {
+      thoughtLog(
+        "**CLOJURE**: Looking for Clojure projects. Should I warn the user that the purl namespace 'clojars' isn't widely supported by tools like Dependency-Track?",
+      );
       bomData = createClojureBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} clojure packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} clojure packages at ${path}`,
@@ -6569,8 +6711,12 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "github"], options)) {
+      thoughtLog("**GITHUB**: Looking for any github packages and workflows.");
       bomData = createGitHubBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} github action packages as well. Should I convert these to formulation instead 🤔`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} GitHub action packages at ${path}`,
@@ -6590,8 +6736,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "cloudbuild"], options)) {
+      thoughtLog(
+        "**CLOUDBUILD**: Let's check for CloudBuild configuration files that include package dependencies.",
+      );
       bomData = createCloudBuildBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} cloudbuild packages.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} CloudBuild configuration at ${path}`,
@@ -6611,8 +6763,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "swift"], options)) {
+      thoughtLog(
+        "**SWIFT**: Now checking for Swift projects. We don't support CocoaPods, Objective-C, or pure Xcode projects, so the SBOM will be incomplete.",
+      );
       bomData = await createSwiftBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} swift packages here.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} Swift packages at ${path}`,
@@ -6632,8 +6790,14 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "jar", "war", "ear"], options)) {
+      thoughtLog(
+        "**JAR**: Let's check for any bundled jar/war/ear files to improve the SBOM accuracy.",
+      );
       bomData = await createJarBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} jar packages as well.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} jar packages at ${path}`,
@@ -6654,8 +6818,14 @@ export async function createMultiXBom(pathList, options) {
     }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
+      thoughtLog(
+        "**CBOM**: Wait, the user wants me to look for cryptographic assets. Let's check thoroughly.",
+      );
       bomData = await createCryptoCertsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
+        thoughtLog(
+          `I found ${bomData.bomJson.components.length} crypto assets.`,
+        );
         if (DEBUG_MODE) {
           console.log(
             `Found ${bomData.bomJson.components.length} crypto assets at ${path}`,
@@ -6693,6 +6863,7 @@ export async function createMultiXBom(pathList, options) {
   }
   // Retain the components of parent component
   if (parentSubComponents.length) {
+    thoughtLog("**METADATA**: Tweaking the parent component hierarchy.");
     if (!parentComponent || !Object.keys(parentComponent).length) {
       parentComponent = parentSubComponents[0];
     }
@@ -6724,7 +6895,10 @@ export async function createMultiXBom(pathList, options) {
       parentDependencies["dependsOn"] = [];
     }
     for (const parentSub of parentSubComponents) {
-      parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
+      // Issue: 1622. We might have already captured this parent component dependency
+      if (!parentDependencies["dependsOn"].includes(parentSub["bom-ref"])) {
+        parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
+      }
     }
   }
   // some cleanup, but not complete
@@ -7193,9 +7367,17 @@ export async function createBom(path, options) {
     projectType = ["java"];
   }
   if (projectType.length > 1) {
+    thoughtLog(
+      `The user has specified multiple project types: projectType.join(", "). Let's focus on the types one at a time.`,
+    );
     console.log("Generate BOM for project types:", projectType.join(", "));
     return await createMultiXBom(path, options);
   }
+  if (projectType.length === 1) {
+    thoughtLog(
+      `The user wants me to focus on a single type, '${projectType}'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?`,
+    );
+  }
   // Use the project type alias to return any singular BOM
   if (PROJECT_TYPE_ALIASES["java"].includes(projectType[0])) {
     return await createJavaBom(path, options);