@cyclonedx/cdxgen 11.1.9 → 11.2.0

package/bin/cdxgen.js

@@ -579,13 +579,25 @@ const applyAdvancedOptions = (options) => {
       break;
   }
   // When the user specifies source-code-analysis as a technique, then enable deep and evidence mode.
-  if (
-    options?.technique &&
-    Array.isArray(options.technique) &&
-    options?.technique?.includes("source-code-analysis")
-  ) {
-    options.deep = true;
-    options.evidence = true;
+  if (options?.technique && Array.isArray(options.technique)) {
+    if (options?.technique?.includes("source-code-analysis")) {
+      options.deep = true;
+      options.evidence = true;
+    }
+    if (options.technique.length === 1) {
+      thoughtLog(
+        `Wait, the user wants me to use only the following technique: '${options.technique.join(", ")}'.`,
+      );
+    } else {
+      thoughtLog(
+        `Alright, I will use only the following techniques: '${options.technique.join(", ")}' for the final BOM.`,
+      );
+    }
+  }
+  if (!options.installDeps) {
+    thoughtLog(
+      "I must avoid any package installations and focus solely on the available artefacts, such as lock files.",
+    );
   }
   return options;
 };
@@ -764,7 +776,11 @@ const checkPermissions = (filePath, options) => {
   prepareEnv(filePath, options);
   thoughtLog("Getting ready to generate the BOM ⚡️.");
   let bomNSData = (await createBom(filePath, options)) || {};
-  thoughtLog("Tweaking the generated BOM data. Nearly there.");
+  if (bomNSData?.bomJson) {
+    thoughtLog(
+      "Tweaking the generated BOM data with useful annotations and properties.",
+    );
+  }
   // Add extra metadata and annotations with post processing
   bomNSData = postProcess(bomNSData, options);
   if (
@@ -972,7 +988,7 @@ const checkPermissions = (filePath, options) => {
     }
   }
   // Perform automatic validation
-  if (options.validate) {
+  if (options.validate && bomNSData?.bomJson) {
     thoughtLog("Wait, let's check the generated BOM file for any issues.");
     if (!validateBom(bomNSData.bomJson)) {
       process.exit(1);

package/bin/repl.js

@@ -137,6 +137,19 @@ cdxgenRepl.defineCommand("import", {
     this.displayPrompt();
   },
 });
+cdxgenRepl.defineCommand("summary", {
+  help: "summarize an existing BOM",
+  action() {
+    if (sbom) {
+      printSummary(sbom);
+    } else {
+      console.log(
+        "⚠ No BOM is loaded. Use .import command to import an existing BOM",
+      );
+    }
+    this.displayPrompt();
+  },
+});
 cdxgenRepl.defineCommand("exit", {
   help: "exit",
   action() {
@@ -162,13 +175,13 @@ cdxgenRepl.defineCommand("search", {
     if (sbom) {
       if (searchStr) {
         try {
-          const originalSearchString = searchStr;
-          let dependenciesSearchStr = searchStr;
-          if (!searchStr.includes("~>")) {
-            dependenciesSearchStr = `dependencies[ref ~> /${searchStr}/i or dependsOn ~> /${searchStr}/i or provides ~> /${searchStr}/i]`;
-            searchStr = `components[group ~> /${searchStr}/i or name ~> /${searchStr}/i or description ~> /${searchStr}/i or publisher ~> /${searchStr}/i or purl ~> /${searchStr}/i or tags ~> /${searchStr}/i]`;
+          let fixedSearchStr = searchStr.replaceAll("/", "\\/");
+          let dependenciesSearchStr = fixedSearchStr;
+          if (!fixedSearchStr.includes("~>")) {
+            dependenciesSearchStr = `dependencies[ref ~> /${fixedSearchStr}/i or dependsOn ~> /${fixedSearchStr}/i or provides ~> /${fixedSearchStr}/i]`;
+            fixedSearchStr = `components[group ~> /${fixedSearchStr}/i or name ~> /${fixedSearchStr}/i or description ~> /${fixedSearchStr}/i or publisher ~> /${fixedSearchStr}/i or purl ~> /${fixedSearchStr}/i or tags ~> /${fixedSearchStr}/i]`;
           }
-          const expression = jsonata(searchStr);
+          const expression = jsonata(fixedSearchStr);
           let components = await expression.evaluate(sbom);
           const dexpression = jsonata(dependenciesSearchStr);
           let dependencies = await dexpression.evaluate(sbom);
@@ -181,16 +194,12 @@ cdxgenRepl.defineCommand("search", {
           if (!components) {
             console.log("No results found!");
           } else {
-            printTable(
-              { components, dependencies },
-              undefined,
-              originalSearchString,
-            );
+            printTable({ components, dependencies }, undefined, searchStr);
             if (dependencies?.length) {
               printDependencyTree(
                 { components, dependencies },
                 "dependsOn",
-                originalSearchString,
+                searchStr,
               );
             }
           }

package/lib/cli/index.js

@@ -32,6 +32,7 @@ import {
 } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
 
+import { analyzeBuildSettings } from "../helpers/package_specific/gradleutils.js";
 import {
   CARGO_CMD,
   CLJ_CMD,
@@ -80,6 +81,7 @@ import {
   hasAnyProjectType,
   includeMavenTestScope,
   isFeatureEnabled,
+  isMac,
   isPackageManagerAllowed,
   isPartialTree,
   isSecureMode,
@@ -1627,6 +1629,13 @@ export async function createJavaBom(path, options) {
             tmpParentComponent.type = "application";
             if (dlist?.length) {
               pkgList = pkgList.concat(dlist);
+              if (dlist.length > 1) {
+                thoughtLog(`Obtained ${dlist.length} components from maven.`);
+              } else {
+                thoughtLog(
+                  `"Received very few components from the maven dependency tree command for ${basePath}."`,
+                );
+              }
             }
             // Retain the parent hierarchy
             if (!Object.keys(parentComponent).length) {
@@ -1635,12 +1644,18 @@ export async function createJavaBom(path, options) {
             } else {
               parentComponent.components.push(tmpParentComponent);
             }
-            if (parsedList.dependenciesList && parsedList.dependenciesList) {
+            if (parsedList.dependenciesList) {
               dependencies = mergeDependencies(
                 dependencies,
                 parsedList.dependenciesList,
                 tmpParentComponent,
               );
+            } else {
+              if (dlist?.length) {
+                thoughtLog(
+                  `Hmm, I didn't find any dependencies after executing '${basename(mavenCmd)}'. However, I did get ${dlist.length} components, which is confusing.`,
+                );
+              }
             }
             unlinkSync(tempMvnTree);
           }
@@ -1755,6 +1770,11 @@ export async function createJavaBom(path, options) {
   ) {
     gradleRootPath = dirname(gradleFiles[0]);
   }
+  if (safeExistsSync(join(gradleRootPath, "gradle.properties"))) {
+    thoughtLog(
+      "Hmm, there is a gradle.properties file. Do we need any private modules or custom JVM arguments for this project 🤔?",
+    );
+  }
   // Execute gradle properties
   if (
     gradleFiles?.length &&
@@ -1763,10 +1783,47 @@ export async function createJavaBom(path, options) {
     let rootProjects = [null];
     let allProjectsStr = [];
     let rootGradleModule = {};
+    let includedProjectsFound = false;
     if (process.env.GRADLE_INCLUDED_BUILDS) {
-      rootProjects = rootProjects.concat(
-        process.env.GRADLE_INCLUDED_BUILDS.split(","),
+      // Automatically add the colon prefix
+      const includedBuilds = process.env.GRADLE_INCLUDED_BUILDS.split(",").map(
+        (b) => (!b.startsWith(":") ? `:${b}` : b),
+      );
+      rootProjects = rootProjects.concat(includedBuilds);
+      includedProjectsFound = true;
+    } else {
+      // Automatically detect included builds
+      // Only from the root path for now
+      for (const abuildFile of [
+        join(gradleRootPath, "build.gradle"),
+        join(gradleRootPath, "build.gradle.kts"),
+        join(gradleRootPath, "settings.gradle"),
+        join(gradleRootPath, "settings.gradle.kts"),
+      ]) {
+        if (!safeExistsSync(abuildFile)) {
+          continue;
+        }
+        const buildSettings = analyzeBuildSettings(abuildFile);
+        if (buildSettings?.includedBuilds?.length) {
+          for (const aib of buildSettings.includedBuilds) {
+            if (!rootProjects.includes(aib)) {
+              rootProjects.push(aib);
+              includedProjectsFound = true;
+            }
+          }
+          break;
+        }
+      }
+    }
+    if (includedProjectsFound) {
+      thoughtLog(
+        `Wait, this gradle project uses composite builds. I must carefully process these ${rootProjects.length} projects including the root.`,
       );
+      if (DEBUG_MODE) {
+        console.log(
+          `Additional root projects: ${rootProjects.join(" ").trim()}.`,
+        );
+      }
     }
     const parallelPropTaskOut = executeParallelGradleProperties(
       gradleRootPath,
@@ -1787,14 +1844,14 @@ export async function createJavaBom(path, options) {
         gradleModules.set(key, rootComponent);
         if (!rootProjects.includes(key)) {
           if (rootGradleModule.name) {
-            console.error(
-              "Found more than 1 root-components! Maybe you made a mistake in the name of an included-build module?",
-            );
-            throw new Error(
-              "Found more than 1 root-components! Maybe you made a mistake in the name of an included-build module?",
-            );
+            if (DEBUG_MODE) {
+              console.log(
+                `Received new root component: ${rootComponent.name} with key ${key}. Please verify the value used for included builds. Using the name ${rootGradleModule.name}.`,
+              );
+            }
+          } else {
+            rootGradleModule = rootComponent;
           }
-          rootGradleModule = rootComponent;
         } else if (!allProjectsAddedPurls.includes(rootComponent["purl"])) {
           allProjects.push(rootComponent);
           rootDependsOn.add(rootComponent["bom-ref"]);
@@ -1809,7 +1866,11 @@ export async function createJavaBom(path, options) {
       const modulesToSkip = process.env.GRADLE_SKIP_MODULES
         ? process.env.GRADLE_SKIP_MODULES.split(",")
         : [];
-
+      if (modulesToSkip.length) {
+        thoughtLog(
+          `Good news. I know there are ${allProjectsStr.length} gradle modules at ${gradleRootPath}. I must skip ${modulesToSkip.length} out of these.`,
+        );
+      }
       const parallelPropTaskOut = executeParallelGradleProperties(
         gradleRootPath,
         allProjectsStr.filter((module) => !modulesToSkip.includes(module)),
@@ -1886,12 +1947,17 @@ export async function createJavaBom(path, options) {
         ? process.env.GRADLE_ARGS_DEPENDENCIES.split(" ")
         : [],
     );
-    console.log(
-      "Executing",
-      gradleCmd,
-      gradleArguments.join(" "),
-      "in",
-      gradleRootPath,
+    if (DEBUG_MODE) {
+      console.log(
+        "Executing",
+        gradleCmd,
+        `${gradleArguments.join(" ").substring(0, 150)} ...`,
+        "in",
+        gradleRootPath,
+      );
+    }
+    thoughtLog(
+      `Let's invoke '${basename(gradleCmd)}' with the arguments '${gradleArguments.join(" ").substring(0, 100)} ...'.`,
     );
     const sresult = spawnSync(gradleCmd, gradleArguments, {
       cwd: gradleRootPath,
@@ -1899,7 +1965,6 @@ export async function createJavaBom(path, options) {
       timeout: TIMEOUT_MS,
       maxBuffer: MAX_BUFFER,
     });
-
     if (sresult.status !== 0 || sresult.error) {
       if (options.failOnError || DEBUG_MODE) {
         console.error(sresult.stdout, sresult.stderr);
@@ -1920,22 +1985,20 @@ export async function createJavaBom(path, options) {
           gradleRootPath,
         );
         const dlist = parsedList.pkgList;
-        if (parsedList.dependenciesList && parsedList.dependenciesList) {
+        if (parsedList.dependenciesList) {
           dependencies = mergeDependencies(
             dependencies,
             parsedList.dependenciesList,
             parentComponent,
           );
-        }
-        if (dlist?.length) {
-          if (DEBUG_MODE) {
-            console.log(
-              "Found",
-              dlist.length,
-              "packages in gradle project",
-              key,
+        } else {
+          if (dlist?.length) {
+            thoughtLog(
+              `Hmm, I didn't find any dependencies after executing '${basename(gradleCmd)}' for the project ${key}. However, I did get ${dlist.length} components, which is confusing.`,
             );
           }
+        }
+        if (dlist?.length) {
           pkgList = pkgList.concat(dlist);
         }
       }
@@ -1950,11 +2013,12 @@ export async function createJavaBom(path, options) {
           );
         }
       }
-      console.log(
-        "Obtained",
-        pkgList.length,
-        "from this gradle project. De-duping this list ...",
+      thoughtLog(
+        `Obtained ${pkgList.length} components by executing the '${basename(gradleCmd)}' command.`,
       );
+      if (DEBUG_MODE) {
+        console.log("Obtained", pkgList.length, "from this gradle project.");
+      }
     } else {
       thoughtLog(
         "**GRADLE:** SBOM is incomplete. I recommend troubleshooting the issue to improve the BOM precision.",
@@ -2405,19 +2469,18 @@ export async function createNodejsBom(path, options) {
     `${options.multiProject ? "**/" : ""}package.json`,
     options,
   );
-  const yarnLockFile = getAllFiles(path, "yarn.lock", options);
-  const pnpmLockFile = getAllFiles(path, "pnpm-lock.yaml", options);
   const npmInstallCount = Number.parseInt(process.env.NPM_INSTALL_COUNT) || 2;
   // Automatic npm install logic.
   // Only perform npm install for smaller projects (< 2 package.json) without the correct number of lock files
   if (
     (pkgJsonLockFiles?.length === 0 ||
       pkgJsonLockFiles?.length < pkgJsonFiles?.length) &&
-    yarnLockFile?.length === 0 &&
-    pnpmLockFile?.length === 0 &&
+    yarnLockFiles?.length === 0 &&
+    pnpmLockFiles?.length === 0 &&
     pkgJsonFiles?.length <= npmInstallCount &&
     options.installDeps
   ) {
+    let anyInstallSuccess = false;
     for (const apkgJson of pkgJsonFiles) {
       let pkgMgr = "npm";
       const supPkgMgrs = ["npm", "yarn", "yarnpkg", "pnpm", "pnpx"];
@@ -2427,8 +2490,21 @@ export async function createNodejsBom(path, options) {
       if (mgrData) {
         mgr = mgrData.split("@")[0];
       }
-      if (supPkgMgrs.includes(mgr)) {
+      // Try harder to identify the correct package manager
+      if (options?.projectType?.includes("npm")) {
+        pkgMgr = "npm";
+      } else if (supPkgMgrs.includes(mgr)) {
         pkgMgr = mgr;
+      } else if (pkgData?.engines?.yarn) {
+        pkgMgr = "yarn";
+      } else if (
+        isPackageManagerAllowed("yarn", ["npm", "pnpm", "rush"], options)
+      ) {
+        pkgMgr = "yarn";
+      } else if (
+        isPackageManagerAllowed("pnpm", ["npm", "yarn", "rush"], options)
+      ) {
+        pkgMgr = "pnpm";
       }
       let installCommand = "install";
       if (pkgMgr === "npm" && isSecureMode && pkgJsonLockFiles?.length > 0) {
@@ -2463,6 +2539,16 @@ export async function createNodejsBom(path, options) {
           installArgs.push("--package-lock");
         }
       }
+      if (pkgMgr === "npm" && yarnLockFiles.length) {
+        thoughtLog(
+          `Wait, there are ${yarnLockFiles.length} yarn.lock files in this project; however, I'm about to invoke the '${pkgMgr} ${installArgs[0]}' command.`,
+        );
+      }
+      if (pkgMgr !== "npm") {
+        thoughtLog(
+          `**PACKAGE MANAGER**: Let's run the '${pkgMgr}' command with the arguments '${installArgs.join(" ")}' to generate the needed lock files.`,
+        );
+      }
       console.log(
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
@@ -2477,6 +2563,9 @@ export async function createNodejsBom(path, options) {
         console.error(
           `${pkgMgr} install has failed. Generated SBOM will be empty or with a lower precision.`,
         );
+        thoughtLog(
+          "It looks like the install command has failed. I'm considering some troubleshooting ideas.",
+        );
         if (DEBUG_MODE && result.stdout) {
           if (result.stdout.includes("EBADENGINE Unsupported engine")) {
             console.log(
@@ -2523,6 +2612,8 @@ export async function createNodejsBom(path, options) {
           console.log(result.stderr);
         }
         options.failOnError && process.exit(1);
+      } else {
+        anyInstallSuccess = true;
       }
     }
     pkgLockFiles = getAllFiles(
@@ -2540,6 +2631,16 @@ export async function createNodejsBom(path, options) {
       `${options.multiProject ? "**/" : ""}yarn.lock`,
       options,
     );
+    if (
+      anyInstallSuccess &&
+      !pkgLockFiles.length &&
+      !pnpmLockFiles.length &&
+      !yarnLockFiles.length
+    ) {
+      thoughtLog(
+        `Despite a successful installation step, I didn't find any lock files. Perhaps they're being created elsewhere, such as in the root directory. I am currently checking the directory at ${path}.`,
+      );
+    }
   }
   if (
     pnpmLockFiles?.length &&
@@ -2977,6 +3078,17 @@ export async function createNodejsBom(path, options) {
       }
     }
   }
+  if (!pkgList.length && (yarnLockFiles.length || pkgLockFiles.length)) {
+    if (options.projectType.length) {
+      thoughtLog(
+        `Despite seeing some lock files, I didn't find any components in this Node.js project. Is there an issue with the project type '${options.projectType.join(", ")}' used 🤔? I recommend trying again with a different type.`,
+      );
+    } else {
+      thoughtLog(
+        "Despite seeing some lock files, I didn't find any components in this Node.js project. Feels like a bug.",
+      );
+    }
+  }
   // Retain the components of parent component
   if (parentSubComponents.length) {
     parentComponent.components = parentSubComponents;
@@ -4774,6 +4886,7 @@ export async function createSwiftBom(path, options) {
   let dependencies = [];
   let parentComponent = {};
   const completedPath = [];
+  let packageArgsMessageShown = false;
   if (pkgResolvedFiles.length) {
     for (const f of pkgResolvedFiles) {
       if (!parentComponent || !Object.keys(parentComponent).length) {
@@ -4787,6 +4900,9 @@ export async function createSwiftBom(path, options) {
         pkgList = pkgList.concat(dlist);
       }
     }
+    thoughtLog(
+      `It looks like we have ${pkgResolvedFiles.length} Package.resolved files, which is good. To compute the dependency tree, let's try using the swift package command 📦.`,
+    );
   }
   if (swiftFiles.length) {
     for (const f of swiftFiles) {
@@ -4795,7 +4911,25 @@ export async function createSwiftBom(path, options) {
         continue;
       }
       let treeData = undefined;
-      let packageArgs = ["package", "show-dependencies", "--format", "json"];
+      let packageArgs = ["package"];
+      // Additional arguments to pass to the swift package command.
+      // Example: --swift-sdks-path <swift-sdks-path> --jobs <jobs>
+      if (process.env.SWIFT_PACKAGE_ARGS) {
+        packageArgs = packageArgs.concat(
+          process.env.SWIFT_PACKAGE_ARGS.split(" "),
+        );
+        if (!packageArgsMessageShown) {
+          thoughtLog(
+            `Wait, let's use the additional arguments '${process.env.SWIFT_PACKAGE_ARGS}' for the swift package command.`,
+          );
+          packageArgsMessageShown = true;
+        }
+      }
+      packageArgs = packageArgs.concat([
+        "show-dependencies",
+        "--format",
+        "json",
+      ]);
       let swiftCommand = SWIFT_CMD;
       if (swiftCommand.startsWith("xcrun")) {
         swiftCommand = "xcrun";
@@ -4803,8 +4937,7 @@ export async function createSwiftBom(path, options) {
       }
       if (DEBUG_MODE) {
         console.log(
-          `Executing '${swiftCommand} ${packageArgs.join(" ")}' in`,
-          basePath,
+          `Executing '${swiftCommand} ${packageArgs.join(" ")}' in ${basePath}. Please wait ...`,
         );
       }
       const result = spawnSync(swiftCommand, packageArgs, {
@@ -4813,15 +4946,29 @@ export async function createSwiftBom(path, options) {
         timeout: TIMEOUT_MS,
         maxBuffer: MAX_BUFFER,
       });
-      if (result.status === 0 && result.stdout) {
+      if (result.stdout) {
         completedPath.push(basePath);
         treeData = Buffer.from(result.stdout).toString();
         const retData = parseSwiftJsonTree(treeData, f);
-        if (retData.pkgList?.length) {
-          parentComponent = retData.pkgList.splice(0, 1)[0];
-          parentComponent.type = "application";
-          pkgList = pkgList.concat(retData.pkgList);
+        if (retData.rootList?.length) {
+          if (!Object.keys(parentComponent).length) {
+            parentComponent = retData.rootList[0];
+            if (retData.rootList.length > 1) {
+              if (!parentComponent.components) {
+                parentComponent.components = [];
+              }
+              for (const p of retData.rootList.splice(0, 1)) {
+                parentComponent.components.push(p);
+              }
+            }
+          } else {
+            if (!parentComponent.components) {
+              parentComponent.components = [];
+            }
+            parentComponent.components.concat(retData.rootList);
+          }
         }
+        pkgList = pkgList.concat(retData.pkgList);
         if (retData.dependenciesList) {
           dependencies = mergeDependencies(
             dependencies,
@@ -4829,11 +4976,25 @@ export async function createSwiftBom(path, options) {
             parentComponent,
           );
         }
-      } else {
-        if (DEBUG_MODE) {
+      }
+      if (result.status !== 0 || result.error) {
+        if (result?.stderr?.includes("Source files for target")) {
+          console.log(
+            "The Sources directory is missing. Please run cdxgen from the directory that contains the complete source code.",
+          );
+          thoughtLog(
+            `It looks like the 'Sources' directory is missing, so we are missing the components and dependencies for '${basename(basePath)}'.`,
+          );
+        } else if (process.env.CDXGEN_IN_CONTAINER !== "true") {
           console.log(
-            "Please install swift from https://www.swift.org/download/ or use the cdxgen container image",
+            "Consider using the cdxgen container image (`ghcr.io/cyclonedx/cdxgen`), which includes Swift and additional build tools.",
           );
+          if (!isMac) {
+            console.log("Alternatively, try building this project from a Mac.");
+            thoughtLog(
+              "I'm wondering if the results might be better on a Mac 🤔.",
+            );
+          }
         }
         console.error(result.stderr);
         options.failOnError && process.exit(1);
@@ -7259,6 +7420,7 @@ export async function createBom(path, options) {
       console.log(
         `OS BOM generation has failed due to problems with exporting the image ${path}`,
       );
+      options.failOnError && process.exit(1);
       return {};
     }
     isContainerMode = true;
@@ -7277,6 +7439,14 @@ export async function createBom(path, options) {
     if (exportData) {
       isContainerMode = true;
     } else {
+      // Fail early for oci types
+      if (hasAnyProjectType(["oci"], options, false)) {
+        console.log(
+          `OCI BOM generation has failed due to problems with exporting the image ${path}.`,
+        );
+        options.failOnError && process.exit(1);
+        return {};
+      }
       if (DEBUG_MODE) {
         console.log(path, "doesn't appear to be a valid container image.");
       }
@@ -7368,15 +7538,21 @@ export async function createBom(path, options) {
   }
   if (projectType.length > 1) {
     thoughtLog(
-      `The user has specified multiple project types: projectType.join(", "). Let's focus on the types one at a time.`,
+      `The user has specified multiple project types: ${projectType.join(", ")}. Let's focus on the types one at a time.`,
     );
     console.log("Generate BOM for project types:", projectType.join(", "));
     return await createMultiXBom(path, options);
   }
   if (projectType.length === 1) {
-    thoughtLog(
-      `The user wants me to focus on a single type, '${projectType}'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?`,
-    );
+    if (hasAnyProjectType(["oci"], options, false)) {
+      thoughtLog(
+        "Okay, we're generating an SBOM for the OCI type. We'll need a compatible tool like Docker, Podman, or Nerdctl, along with the binary plugins.",
+      );
+    } else {
+      thoughtLog(
+        `The user wants me to focus on a single type, '${projectType}'. Could there be an issue with auto-detection, or might they use another tool like cyclonedx-cli to merge all the generated BOMs later?`,
+      );
+    }
   }
   // Use the project type alias to return any singular BOM
   if (PROJECT_TYPE_ALIASES["java"].includes(projectType[0])) {

package/lib/evinser/evinser.js

@@ -228,7 +228,7 @@ export async function createSlice(
   // Handle language with version types
   if (language.startsWith("ruby")) {
     language = "ruby";
-  } else if (language.startsWith("java")) {
+  } else if (language.startsWith("java") && language !== "javascript") {
     language = "java";
   } else if (language.startsWith("node")) {
     language = "js";

package/lib/helpers/display.js

@@ -465,8 +465,10 @@ export function printSummary(bomJson) {
   let bomPkgNamespaces = [];
   // Print any annotations found
   const annotations = bomJson?.annotations || [];
-  for (const annot of annotations) {
-    message = `${message}\n${annot.text}`;
+  if (annotations.length) {
+    for (const annot of annotations) {
+      message = `${message}\n${annot.text}`;
+    }
   }
   const tools = bomJson?.metadata?.tools?.components;
   if (tools) {

package/lib/helpers/logger.js

@@ -6,7 +6,8 @@ import colors from "yoctocolors";
 // Enable think mode
 export const THINK_MODE =
   process.env.CDXGEN_THOUGHT_LOG ||
-  ["true", "1"].includes(process.env.CDXGEN_THINK_MODE);
+  ["true", "1"].includes(process.env.CDXGEN_THINK_MODE) ||
+  process.env.CDXGEN_DEBUG_MODE === "verbose";
 
 const output = process.env.CDXGEN_THOUGHT_LOG
   ? fs.createWriteStream(process.env.CDXGEN_THOUGHT_LOG)