@cyclonedx/cdxgen 11.11.0 → 12.0.0

package/README.md

@@ -50,6 +50,12 @@ Sections include:
 
 ## Usage
 
+## For Contributors / Developers
+```shell
+pnpm install
+pnpm dlx cdxgen
+```
+
 ## Installing
 
 ```shell
@@ -339,6 +345,8 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 - Ruby (Gemfile.lock)
 - Rust (Cargo.lock)
 
+
+
 ## Plugins
 
 cdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.
@@ -347,6 +355,17 @@ cdxgen could be extended with external binary plugins to support more SBOM use c
 sudo npm install -g @cyclonedx/cdxgen-plugins-bin
 ```
 
+
+## Plugins (pnpm)
+
+`cdxgen` can be extended with external binary plugins to support more SBOM use cases.  
+These are now installed as optional dependencies and can be used without a global install.
+
+```shell
+pnpm dlx @cyclonedx/cdxgen-plugins-bin
+```
+
+
 ## Docker / OCI container support
 
 `docker` type is automatically detected based on the presence of values such as `sha256` or `docker.io` prefix etc in the path.
@@ -428,6 +447,18 @@ npm install -g @cyclonedx/cdxgen
 cdx-verify -i bom.json --public-key public.key
 ```
 
+
+### Verifying the signature (pnpm)
+
+Use the bundled `cdx-verify` command, which supports verifying a single signature added at the BOM level.
+
+You can run it directly using pnpm (no global install needed):
+
+```shell
+pnpm dlx @cyclonedx/cdxgen cdx-verify -i bom.json --public-key public.key
+```
+
+
 ### Custom verification tool (Node.js example)
 
 There are many [libraries][jwt-libraries] available to validate JSON Web Tokens. Below is a javascript example.
@@ -539,6 +570,18 @@ corepack pnpm add -g --allow-build @appthreat/sqlite3 https://github.com/Cyclone
 cdxgen --help
 ```
 
+
+### Testing main branch (No Global Install)
+
+To quickly test the latest main branch without installing globally, you can use `pnpm` in a local or temporary environment.
+
+```shell
+corepack enable
+pnpm install --prefer-offline
+pnpm dlx cdxgen --help
+```
+
+
 ## Sponsors
 
 <div style="display: flex; align-items: center; gap: 20px;">

package/bin/dependencies.js

@@ -0,0 +1,122 @@
+#!/usr/bin/env node
+
+import { readFileSync } from "node:fs";
+
+import { parse as yaml } from "yaml";
+
+const pkgJson = JSON.parse(readFileSync("./package.json", "utf8"));
+const pnpmLockYaml = yaml(readFileSync("./pnpm-lock.yaml", "utf8"));
+
+const installedPackages = [];
+
+const incorrectNpmOverridesVersions = [];
+const incorrectPnpmOverridesVersions = [];
+const missingNpmOverrides = [];
+const missingPnpmOverrides = [];
+
+const obsoleteNpmOverrides = [];
+const obsoletePnpmOverrides = [];
+
+for (const _package in pnpmLockYaml.snapshots) {
+  const indexOfSeparator = _package.split("(")[0].lastIndexOf("@");
+  const packageName = _package.substring(0, indexOfSeparator);
+  const packageVersion = _package.substring(indexOfSeparator + 1);
+  if (!installedPackages.includes(packageName)) {
+    installedPackages.push(packageName);
+    checkOverride(packageName, packageVersion);
+  }
+  for (const dependency in pnpmLockYaml.snapshots[_package].dependencies) {
+    if (!installedPackages.includes(dependency)) {
+      installedPackages.push(dependency);
+      checkOverride(
+        dependency,
+        pnpmLockYaml.snapshots[_package].dependencies[dependency],
+      );
+    }
+  }
+  for (const dependency in pnpmLockYaml.snapshots[_package]
+    .optionalDependencies) {
+    if (!installedPackages.includes(dependency)) {
+      installedPackages.push(dependency);
+      checkOverride(
+        dependency,
+        pnpmLockYaml.snapshots[_package].optionalDependencies[dependency],
+      );
+    }
+  }
+}
+for (const override in pkgJson.overrides) {
+  checkObsolescence(override, obsoleteNpmOverrides);
+}
+for (const override in pkgJson.pnpm.overrides) {
+  checkObsolescence(override, obsoletePnpmOverrides);
+}
+
+export function checkDependencies() {
+  return (
+    incorrectNpmOverridesVersions.length +
+    incorrectPnpmOverridesVersions.length +
+    missingNpmOverrides.length +
+    missingPnpmOverrides.length +
+    obsoleteNpmOverrides.length +
+    obsoletePnpmOverrides.length
+  );
+}
+
+function checkOverride(packageName, packageVersion) {
+  packageVersion = packageVersion.split("(")[0];
+  if (packageVersion.includes("@")) {
+    packageVersion = `npm:${packageVersion}`;
+  }
+  if (!Object.hasOwn(pkgJson.overrides, packageName)) {
+    missingNpmOverrides.push(`  "${packageName}": "${packageVersion}"`);
+  } else if (pkgJson.overrides[packageName] !== packageVersion) {
+    incorrectNpmOverridesVersions.push(
+      ` - ${packageName} (${pkgJson.overrides[packageName]} instead of ${packageVersion})`,
+    );
+  }
+  if (!Object.hasOwn(pkgJson.pnpm.overrides, packageName)) {
+    missingPnpmOverrides.push(`  "${packageName}": "${packageVersion}"`);
+  } else if (pkgJson.pnpm.overrides[packageName] !== packageVersion) {
+    incorrectPnpmOverridesVersions.push(
+      ` - ${packageName} (${pkgJson.pnpm.overrides[packageName]} instead of ${packageVersion})`,
+    );
+  }
+}
+
+function checkObsolescence(override, obsoletionArray) {
+  if (!installedPackages.includes(override)) {
+    obsoletionArray.push(override);
+  }
+}
+
+if (missingNpmOverrides.length) {
+  console.log("The following dependencies are not in the 'overrides'-block:");
+  console.log(missingNpmOverrides.join(",\n"));
+}
+if (incorrectNpmOverridesVersions.length) {
+  console.log(
+    "The following dependencies have a different version in the 'overrides'-block:",
+  );
+  console.log(incorrectNpmOverridesVersions.join("\n"));
+}
+if (missingPnpmOverrides.length) {
+  console.log(
+    "The following dependencies are not in the 'pnpm.overrides'-block:",
+  );
+  console.log(missingPnpmOverrides.join(",\n"));
+}
+if (incorrectPnpmOverridesVersions.length) {
+  console.log(
+    "The following dependencies have a different version in the 'pnpm.overrides'-block:",
+  );
+  console.log(incorrectPnpmOverridesVersions.join("\n"));
+}
+if (obsoleteNpmOverrides.length) {
+  console.log("The following entries in 'overrides' are not used:");
+  console.log(obsoleteNpmOverrides.join("\n"));
+}
+if (obsoletePnpmOverrides.length) {
+  console.log("The following entries in 'pnpm.overrides' are not used:");
+  console.log(obsoletePnpmOverrides.join("\n"));
+}

package/data/pypi-pkg-aliases.json

@@ -563,6 +563,7 @@
   "curator": "elasticsearch-curator",
   "curl": "pycurl",
   "cv2": "opencv-python",
+  "cyclonedx": "cyclonedx-python-lib",
   "daemon": "python-daemon",
   "dare": "dare",
   "database-locks": "django-database-locks",
@@ -1064,6 +1065,8 @@
   "slugify": "unicode-slugify",
   "smarkets": "smk-python-sdk",
   "snappy": "ctypes-snappy",
+  "snsql": "smartnoise-sql",
+  "snsynth": "smartnoise-synth",
   "social-core": "social-auth-core",
   "social-django": "social-auth-app-django",
   "socketio": "python-socketio",

package/lib/cli/index.js

@@ -1721,9 +1721,8 @@ export async function createJavaBom(path, options) {
         result?.status !== 0 ||
         result?.error
       ) {
-        const tempDir = mkdtempSync(join(getTmpDir(), "cdxmvn-"));
-        const tempMvnTree = join(tempDir, "mvn-tree.txt");
-        const tempMvnParentTree = join(tempDir, "mvn-parent-tree.txt");
+        const tempMvnTree = join("target", "cdxgen-mvn-tree.txt");
+        const tempMvnParentTree = join("target", "cdxgen-mvn-parent-tree.txt");
         let mvnTreeArgs = ["dependency:tree", `-DoutputFile=${tempMvnTree}`];
         let addArgs = "";
         if (process.env.MVN_ARGS) {
@@ -1828,7 +1827,7 @@ export async function createJavaBom(path, options) {
               );
             } else {
               console.log(
-                "1. Java version requirement: cdxgen container image bundles Java 24 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
+                "1. Java version requirement: cdxgen container image bundles Java 24 with maven 3.9 which might be incompatible. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v12`.",
               );
             }
             console.log(
@@ -1889,7 +1888,9 @@ export async function createJavaBom(path, options) {
                 );
               }
             }
-            unlinkSync(tempMvnTree);
+            if (!DEBUG_MODE) {
+              unlinkSync(tempMvnTree);
+            }
           }
         }
       }
@@ -2972,7 +2973,7 @@ export async function createNodejsBom(path, options) {
         if (DEBUG_MODE && result.stdout) {
           if (result.stdout.includes("EBADENGINE Unsupported engine")) {
             console.log(
-              "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v11` container image, which bundles node.js 20. The current version of node.js is incompatible for this project.",
+              "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v12` container image, which bundles node.js 20. The current version of node.js is incompatible for this project.",
             );
             console.log(
               "Alternatively, run cdxgen with the custom node with version types. Eg: `-t node20`",
@@ -3002,12 +3003,12 @@ export async function createNodejsBom(path, options) {
                 );
               } else {
                 console.log(
-                  "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v11` container image, which bundles node.js 20. The default image bundles node >= 23, which might be incompatible.",
+                  "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v12` container image, which bundles node.js 20. The default image bundles node >= 23, which might be incompatible.",
                 );
               }
             } else {
               console.log(
-                "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v11` container image with --platform=linux/amd64, which bundles node.js 20.",
+                "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-node20:v12` container image with --platform=linux/amd64, which bundles node.js 20.",
               );
             }
           }
@@ -6670,7 +6671,7 @@ export async function createCsharpBom(path, options) {
             "This project requires a specific version of dotnet sdk to be installed. The cdxgen container image bundles dotnet SDK 8.0, which might be incompatible.",
           );
           console.log(
-            "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11` or `ghcr.io/cyclonedx/cdxgen-debian-dotnet8:v11` container images.",
+            "TIP: Try using the custom `ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v12` or `ghcr.io/cyclonedx/cdxgen-debian-dotnet8:v12` container images.",
           );
         } else if (
           result?.stderr?.includes("is not found on source") ||
@@ -6701,7 +6702,7 @@ export async function createCsharpBom(path, options) {
           );
           if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
             console.log(
-              "Alternatively, try using the custom `ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11` container image, which bundles nuget (mono) and a range of dotnet SDKs.",
+              "Alternatively, try using the custom `ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v12` container image, which bundles nuget (mono) and a range of dotnet SDKs.",
             );
           }
         }
@@ -6797,7 +6798,7 @@ export async function createCsharpBom(path, options) {
         "3. If the project uses the legacy .Net Framework 4.6/4.7/4.8, it might require execution on Windows.",
       );
       console.log(
-        "Alternatively, try using the custom `ghcr.io/cyclonedx/cdxgen-dotnet:v11` container image, which bundles a range of dotnet SDKs.",
+        "Alternatively, try using the custom `ghcr.io/cyclonedx/cdxgen-dotnet:v12` container image, which bundles a range of dotnet SDKs.",
       );
       options.failOnError && process.exit(1);
     }

package/lib/helpers/dependencies.poku.js

@@ -0,0 +1,11 @@
+import { assert, it } from "poku";
+
+import { checkDependencies } from "../../bin/dependencies.js";
+
+it("checks dependency overrides in package.json vs installed in pnpm-lock.yaml", async () => {
+  assert.equal(
+    checkDependencies(),
+    0,
+    "There shouldn't have been dependency discrepancies",
+  );
+});

package/lib/helpers/envcontext.js

@@ -782,7 +782,7 @@ export function installRubyVersion(rubyVersion, filePath) {
     process.env?.CDXGEN_IN_CONTAINER !== "true"
   ) {
     console.log(
-      `Installing Ruby version ${rubyVersion} requires specific development libraries. Consider using the custom container image "ghcr.io/cyclonedx/cdxgen-debian-ruby26:v11" instead.`,
+      `Installing Ruby version ${rubyVersion} requires specific development libraries. Consider using the custom container image "ghcr.io/cyclonedx/cdxgen-debian-ruby26:v12" instead.`,
     );
     console.log("The below install step is likely to fail.");
   }

package/lib/helpers/utils.js

@@ -35,6 +35,7 @@ import { parseEDNString } from "edn-data";
 import { globSync } from "glob";
 import got from "got";
 import iconv from "iconv-lite";
+import Keyv from "keyv";
 import StreamZip from "node-stream-zip";
 import { PackageURL } from "packageurl-js";
 import propertiesReader from "properties-reader";
@@ -672,7 +673,9 @@ export function isPackageManagerAllowed(name, conflictingManagers, options) {
 }
 
 // HTTP cache
-const gotHttpCache = new Map();
+const gotHttpCache = new Keyv();
+// Don't complain when there's lots of parallel requests
+gotHttpCache.setMaxListeners(10000);
 
 function isCacheDisabled() {
   return (
@@ -3805,8 +3808,21 @@ export async function parseMinJs(minJsFile) {
           if (tmpB && tmpB.length > 1) {
             // Fix #223 - lowercase parsed package name
             const name = tmpB[0].replace(/ /g, "-").trim().toLowerCase();
+            if (name === "@license" || name === "license") {
+              return;
+            }
+            if (name.startsWith("@") && !name.includes("/")) {
+              return;
+            }
             if (
-              ["copyright", "author", "licensed"].includes(name.toLowerCase())
+              [
+                "copyright",
+                "author",
+                "licensed",
+                "minified",
+                "vendor",
+                "build",
+              ].includes(name.toLowerCase())
             ) {
               return;
             }
@@ -4792,7 +4808,7 @@ export function executeParallelGradleProperties(
           "1. Check if the correct version of java and gradle are installed and available in PATH. For example, some project might require Java 11 with gradle 7.\n cdxgen container image bundles Java 23 with gradle 8 which might be incompatible.",
         );
         console.log(
-          "2. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v11`.",
+          "2. Try running cdxgen with the custom JDK11-based image `ghcr.io/cyclonedx/cdxgen-java11:v12`.",
         );
         if (result.stderr?.includes("not get unknown property")) {
           console.log(
@@ -12107,7 +12123,7 @@ export function convertOSQueryResults(
   return pkgList;
 }
 
-function purlFromUrlString(type, repoUrl, version) {
+export function purlFromUrlString(type, repoUrl, version) {
   let namespace = "";
   let name;
   if (repoUrl?.startsWith("http")) {
@@ -12136,7 +12152,10 @@ function purlFromUrlString(type, repoUrl, version) {
     namespace = `${hostname}/${urlpath}`;
   } else if (repoUrl?.startsWith("/")) {
     const parts = repoUrl.split("/");
-    name = parts[parts.length - 1];
+    name = parts[parts.length - 1] || "unknown";
+    if (type === "swift") {
+      namespace = "local";
+    }
   } else {
     if (DEBUG_MODE) {
       console.warn("unsupported repo url for swift type");
@@ -14929,7 +14948,7 @@ export async function getPipFrozenTree(
             }
           }
           console.warn(
-            "This project does not support python with version types. Use an appropriate container image such as `ghcr.io/appthreat/cdxgen-python39:v11` or `ghcr.io/appthreat/cdxgen-python311:v11` and invoke cdxgen with `-t python` instead.\n",
+            "This project does not support python with version types. Use an appropriate container image such as `ghcr.io/appthreat/cdxgen-python39:v12` or `ghcr.io/appthreat/cdxgen-python311:v12` and invoke cdxgen with `-t python` instead.\n",
           );
         } else if (
           result?.stderr?.includes(
@@ -14937,7 +14956,7 @@ export async function getPipFrozenTree(
           )
         ) {
           console.log(
-            "Installing build dependencies has failed. Use an appropriate container image such as `ghcr.io/appthreat/cdxgen-python39:v11` or `ghcr.io/appthreat/cdxgen-python311:v11` and invoke cdxgen with `-t python` instead.",
+            "Installing build dependencies has failed. Use an appropriate container image such as `ghcr.io/appthreat/cdxgen-python39:v12` or `ghcr.io/appthreat/cdxgen-python311:v12` and invoke cdxgen with `-t python` instead.",
           );
           if (
             result?.stderr?.includes(
@@ -14995,7 +15014,7 @@ export async function getPipFrozenTree(
                 "1. Try invoking cdxgen with a specific python version type. Example: `-t python36` or `-t python39`",
               );
               console.log(
-                "2. Alternatively, try using the custom container images `ghcr.io/cyclonedx/cdxgen-python39:v11` or `ghcr.io/cyclonedx/cdxgen-python311:v11`, which bundles a range of build tools and development libraries.",
+                "2. Alternatively, try using the custom container images `ghcr.io/cyclonedx/cdxgen-python39:v12` or `ghcr.io/cyclonedx/cdxgen-python311:v12`, which bundles a range of build tools and development libraries.",
               );
             } else if (
               process.env?.PIP_INSTALL_ARGS?.includes("--python-version")

package/lib/helpers/utils.poku.js

@@ -1,5 +1,5 @@
 import { Buffer } from "node:buffer";
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import path from "node:path";
 
 import { PackageURL } from "packageurl-js";
@@ -75,6 +75,7 @@ import {
   parseMakeDFile,
   parseMavenTree,
   parseMillDependency,
+  parseMinJs,
   parseMixLockData,
   parseNodeShrinkwrap,
   parseNupkg,
@@ -105,6 +106,7 @@ import {
   parseSwiftResolved,
   parseYarnLock,
   pnpmMetadata,
+  purlFromUrlString,
   readZipEntry,
   splitOutputByGradleProjects,
   toGemModuleNames,
@@ -2095,7 +2097,7 @@ it("get crates metadata", async () => {
     homepage: { url: "https://github.com/iqlusioninc/abscissa/" },
     properties: [
       { name: "cdx:cargo:crate_id", value: "207912" },
-      { name: "cdx:cargo:latest_version", value: "0.8.2" },
+      { name: "cdx:cargo:latest_version", value: "0.9.0" },
       {
         name: "cdx:cargo:features",
         value:
@@ -2471,12 +2473,12 @@ it("parse mix lock data", () => {
 it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
-  assert.deepStrictEqual(dep_list.length, 9);
+  assert.deepStrictEqual(dep_list.length, 7);
   assert.deepStrictEqual(dep_list[0], {
     group: "actions",
     name: "checkout",
-    version: "5.0.0",
-    purl: "pkg:github/actions/checkout@5.0.0?commit=08c6903cd8c0fde910a37f88322edcfb5dd907a8",
+    version: "6.0.0",
+    purl: "pkg:github/actions/checkout@6.0.0?commit=1af3b93b6815bc44a9784bd300feb67ff0d1eeb3",
     properties: [
       {
         name: "SrcFile",
@@ -3941,11 +3943,6 @@ it("parsePnpmLock", async () => {
     parsedList.pkgList.filter((pkg) => !pkg.scope).length,
     3,
   );
-  parsedList = await parsePnpmLock("./pnpm-lock.yaml");
-  assert.deepStrictEqual(parsedList.pkgList.length, 355);
-  assert.deepStrictEqual(parsedList.dependenciesList.length, 355);
-  assert.ok(parsedList.pkgList[0]);
-  assert.ok(parsedList.dependenciesList[0]);
   parsedList = await parsePnpmLock(
     "./test/data/pnpm_locks/bytemd-pnpm-lock.yaml",
   );
@@ -6956,6 +6953,13 @@ it("parse swift deps files", () => {
   });
 });
 
+it("assigns default namespace for local swift paths (#2781)", () => {
+  const purl = purlFromUrlString("swift", "/Users/arsh/project", "1.0.0");
+  assert.equal(purl.namespace, "local");
+  assert.equal(purl.name, "project");
+  assert.equal(purl.version, "1.0.0");
+});
+
 it("pypi version solver tests", () => {
   const versionsList = [
     "1.0.0",
@@ -7916,3 +7920,35 @@ testCases.forEach(([url, expected], index) => {
 });
 // biome-ignore-end lint/suspicious/noTemplateCurlyInString: This is a unit test
 // biome-ignore-end lint/style/useTemplate: This is a unit test
+it("ignores license banners in minified js (#2717)", async () => {
+  const file = "temp.min.js";
+
+  const content = `/*! @license DOMPurify 3.2.7 */
+(function(){console.log("test")})();
+`;
+
+  writeFileSync(file, content);
+
+  const result = await parseMinJs(file);
+
+  assert.ok(Array.isArray(result));
+  assert.equal(result.length, 0);
+
+  if (existsSync(file)) unlinkSync(file);
+});
+
+it("parses valid minified js with real package name (#2717)", async () => {
+  const file = "temp.min.js";
+  const content = `/*! jquery 3.6.0 */
+(function(){console.log("test")})();`;
+
+  writeFileSync(file, content);
+
+  const result = await parseMinJs(file);
+
+  assert.equal(result.length, 1);
+  assert.equal(result[0].name, "jquery");
+  assert.equal(result[0].version, "3.6.0");
+
+  if (existsSync(file)) unlinkSync(file);
+});

package/lib/third-party/arborist/lib/node.js

@@ -34,7 +34,6 @@ import util from "node:util";
 import nameFromFolder from "@npmcli/name-from-folder";
 import getPaths from "bin-links";
 import npa from "npm-package-arg";
-import log from "proc-log";
 import rpj from "read-package-json-fast";
 import semver from "semver";
 import { walkUp } from "walk-up-path";
@@ -1444,8 +1443,6 @@ class Node {
       }
       return false;
     }
-    // This is an error condition. We can only get here if the new override set is in conflict with the existing.
-    log.silly("Conflicting override sets", this.name);
   }
 
   deleteEdgeIn(edge) {

package/lib/third-party/arborist/lib/override-set.js

@@ -1,5 +1,4 @@
 import npa from "npm-package-arg";
-import log from "proc-log";
 import semver from "semver";
 
 class OverrideSet {
@@ -206,9 +205,6 @@ class OverrideSet {
         return first;
       }
     }
-
-    // The override sets are incomparable. Neither one contains the other.
-    log.silly("Conflicting override sets", first, second);
   }
 
   static doOverrideSetsConflict(first, second) {

package/lib/third-party/arborist/lib/place-dep.js

@@ -8,7 +8,6 @@
 // a result.
 
 import localeCompare from "@isaacs/string-locale-compare";
-import { redact } from "@npmcli/redact";
 import log from "proc-log";
 
 import CanPlaceDep, { CONFLICT, KEEP } from "./can-place-dep.js";
@@ -183,15 +182,6 @@ class PlaceDep {
 
     const { target } = this.canPlace;
 
-    log.silly(
-      "placeDep",
-      target.location || "ROOT",
-      `${this.dep.name}@${this.dep.version}`,
-      this.canPlace.description,
-      `for: ${this.edge.from.package._id || this.edge.from.location}`,
-      `want: ${redact(this.edge.spec || "*")}`,
-    );
-
     const placementType =
       this.canPlace.canPlace === CONFLICT
         ? this.canPlace.canPlaceSelf

package/lib/third-party/arborist/lib/query-selector-all.js

@@ -12,13 +12,11 @@ class Results {
   #initialItems;
   #inventory;
   #results = new Map();
-  #targetNode;
 
   constructor(opts) {
     this.#currentAstSelector = opts.rootAstNode.nodes[0];
     this.#inventory = opts.inventory;
     this.#initialItems = opts.initialItems;
-    this.#targetNode = opts.targetNode;
 
     this.currentResults = this.#initialItems;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.11.0",
+  "version": "12.0.0",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -98,12 +98,12 @@
     "types/",
     "index.cjs"
   ],
-  "lint-staged": {
-    "*": "biome check --fix --no-errors-on-unmatched"
-  },
   "overrides": {
-    "@appthreat/atom": "2.4.2",
+    "@appthreat/atom": "2.3.0",
+    "@appthreat/atom-common": "1.0.11",
+    "@appthreat/atom-parsetools": "1.0.11",
     "@appthreat/cdx-proto": "1.1.4",
+    "@appthreat/sqlite3": "6.0.9",
     "@babel/code-frame": "7.27.1",
     "@babel/generator": "7.28.5",
     "@babel/helper-globals": "7.28.0",
@@ -113,107 +113,324 @@
     "@babel/template": "7.27.2",
     "@babel/traverse": "7.28.5",
     "@babel/types": "7.28.5",
-    "@biomejs/biome": "2.3.0",
-    "@bufbuild/protobuf": "2.10.0",
-    "@cyclonedx/cdxgen-plugins-bin": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-arm": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-ppc64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-windows-arm64": "1.7.0",
+    "@biomejs/biome": "2.3.7",
+    "@biomejs/cli-darwin-arm64": "2.3.7",
+    "@biomejs/cli-darwin-x64": "2.3.7",
+    "@biomejs/cli-linux-arm64": "2.3.7",
+    "@biomejs/cli-linux-arm64-musl": "2.3.7",
+    "@biomejs/cli-linux-x64": "2.3.7",
+    "@biomejs/cli-linux-x64-musl": "2.3.7",
+    "@biomejs/cli-win32-arm64": "2.3.7",
+    "@biomejs/cli-win32-x64": "2.3.7",
+    "@bufbuild/protobuf": "2.10.1",
+    "@cyclonedx/cdxgen-plugins-bin": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-arm": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-ppc64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-windows-arm64": "1.8.0",
     "@iarna/toml": "2.2.5",
+    "@isaacs/balanced-match": "4.0.1",
+    "@isaacs/brace-expansion": "5.0.0",
+    "@isaacs/fs-minipass": "4.0.1",
     "@isaacs/string-locale-compare": "1.1.0",
+    "@jridgewell/gen-mapping": "0.3.13",
+    "@jridgewell/resolve-uri": "3.1.2",
+    "@jridgewell/sourcemap-codec": "1.5.5",
+    "@jridgewell/trace-mapping": "0.3.31",
+    "@keyv/serialize": "1.1.1",
     "@npmcli/agent": "4.0.0",
     "@npmcli/fs": "5.0.0",
-    "@npmcli/installed-package-contents": "4.0.0",
-    "@npmcli/map-workspaces": "5.0.1",
+    "@npmcli/git": "7.0.1",
+    "@npmcli/map-workspaces": "5.0.3",
     "@npmcli/name-from-folder": "4.0.0",
-    "@npmcli/package-json": "7.0.1",
+    "@npmcli/package-json": "7.0.4",
+    "@npmcli/promise-spawn": "9.0.1",
     "@npmcli/query": "5.0.0",
-    "@npmcli/redact": "4.0.0",
+    "@sec-ant/readable-stream": "0.6.0",
+    "@sindresorhus/is": "7.1.1",
+    "@types/debug": "4.1.12",
+    "@types/http-cache-semantics": "4.0.4",
+    "@types/ms": "2.1.0",
+    "@types/node": "24.10.1",
+    "@types/validator": "13.15.10",
     "abbrev": "4.0.0",
+    "agent-base": "7.1.4",
     "ajv": "8.17.1",
     "ajv-formats": "3.0.1",
+    "ansi-regex": "6.2.2",
+    "ansi-styles": "6.2.3",
+    "b4a": "1.7.3",
+    "bare-events": "2.8.2",
+    "bare-fs": "4.5.1",
+    "bare-os": "3.6.2",
+    "bare-path": "3.0.0",
+    "bare-stream": "2.7.0",
+    "bare-url": "2.3.2",
     "bin-links": "6.0.0",
+    "bindings": "1.5.0",
     "body-parser": "2.2.0",
-    "cacache": "20.0.0",
+    "boolbase": "1.0.0",
+    "boolean": "3.2.0",
+    "buffer-equal-constant-time": "1.0.1",
+    "byte-counter": "0.1.0",
+    "bytes": "3.1.2",
+    "cacache": "20.0.3",
+    "cacheable-lookup": "7.0.0",
+    "cacheable-request": "13.0.15",
+    "call-bind-apply-helpers": "1.0.2",
+    "call-bound": "1.0.4",
     "cheerio": "1.1.2",
+    "cheerio-select": "2.1.0",
     "chownr": "3.0.0",
+    "cliui": "9.0.1",
+    "cmd-shim": "8.0.0",
     "common-ancestor-path": "1.0.1",
+    "compressible": "2.0.18",
     "compression": "1.8.1",
     "connect": "3.7.0",
-    "debug": "4.4.1",
-    "decompress-response": "7.0.0",
+    "content-type": "1.0.5",
+    "css-select": "6.0.0",
+    "css-what": "7.0.0",
+    "cssesc": "3.0.0",
+    "debug": "4.4.3",
+    "decompress-response": "10.0.0",
+    "deep-extend": "0.6.0",
+    "define-data-property": "1.1.4",
+    "define-properties": "1.2.1",
+    "depd": "2.0.0",
+    "detect-libc": "2.1.2",
+    "detect-node": "2.1.0",
+    "dom-serializer": "2.0.0",
+    "domelementtype": "2.3.0",
+    "domhandler": "5.0.3",
+    "domutils": "3.2.2",
+    "dottie": "2.0.6",
+    "dunder-proto": "1.0.1",
+    "ecdsa-sig-formatter": "1.0.11",
     "edn-data": "1.1.2",
+    "ee-first": "1.1.1",
+    "encodeurl": "2.0.0",
     "encoding": "0.1.13",
-    "escape-string-regexp": "4.0.0",
-    "glob": "11.0.3",
+    "encoding-sniffer": "0.2.1",
+    "end-of-stream": "1.4.5",
+    "entities": "7.0.0",
+    "env-paths": "3.0.0",
+    "err-code": "3.0.1",
+    "es-define-property": "1.0.1",
+    "es-errors": "1.3.0",
+    "es-object-atoms": "1.1.1",
+    "es6-error": "4.1.1",
+    "escalade": "3.2.0",
+    "escape-html": "1.0.3",
+    "escape-string-regexp": "5.0.0",
+    "events-universal": "1.0.1",
+    "expand-template": "2.0.3",
+    "exponential-backoff": "3.1.3",
+    "fast-deep-equal": "3.1.3",
+    "fast-fifo": "1.3.2",
+    "fast-uri": "3.1.0",
+    "fdir": "6.5.0",
+    "file-uri-to-path": "2.0.0",
+    "finalhandler": "2.1.0",
+    "form-data-encoder": "4.1.0",
+    "fs-minipass": "3.0.3",
+    "function-bind": "1.1.2",
+    "get-caller-file": "2.0.5",
+    "get-east-asian-width": "1.4.0",
+    "get-intrinsic": "1.3.0",
+    "get-proto": "1.0.1",
+    "get-stream": "9.0.1",
+    "github-from-package": "0.0.0",
+    "glob": "13.0.0",
     "global-agent": "3.0.0",
-    "got": "14.6.0",
+    "globalthis": "1.0.4",
+    "gopd": "1.2.0",
+    "got": "14.6.5",
+    "graceful-fs": "4.2.11",
+    "has-property-descriptors": "1.0.2",
+    "has-symbols": "1.1.0",
+    "hasown": "2.0.2",
     "hosted-git-info": "9.0.2",
+    "htmlparser2": "10.0.0",
+    "http-cache-semantics": "4.2.0",
+    "http-errors": "2.0.1",
+    "http-proxy-agent": "7.0.2",
+    "http2-wrapper": "2.2.1",
+    "https-proxy-agent": "7.0.6",
     "iconv-lite": "0.7.0",
+    "imurmurhash": "0.1.4",
+    "inflection": "3.0.2",
+    "inherits": "2.0.4",
     "ini": "6.0.0",
+    "ip-address": "10.1.0",
+    "is-fullwidth-code-point": "5.1.0",
     "is-stream": "4.0.1",
     "isexe": "3.1.1",
+    "js-tokens": "9.0.1",
+    "jsesc": "3.1.0",
     "json-parse-even-better-errors": "5.0.0",
+    "json-schema-traverse": "1.0.0",
     "json-stringify-nice": "1.1.4",
+    "json-stringify-safe": "5.0.1",
     "jsonata": "2.1.0",
+    "just-diff": "6.0.2",
+    "just-diff-apply": "5.5.0",
     "jwa": "2.0.1",
     "jws": "4.0.0",
+    "keyv": "5.5.4",
+    "lodash": "4.17.21",
+    "lodash.truncate": "4.4.2",
+    "lowercase-keys": "3.0.0",
     "lru-cache": "11.2.2",
-    "make-fetch-happen": "15.0.2",
-    "minimatch": "10.0.3",
+    "make-fetch-happen": "15.0.3",
+    "matcher": "6.0.0",
+    "math-intrinsics": "1.1.0",
+    "media-typer": "1.1.0",
+    "mime-db": "1.54.0",
+    "mime-types": "3.0.2",
+    "mimic-response": "4.0.0",
+    "minimatch": "10.1.1",
+    "minimist": "1.2.8",
+    "minipass": "7.1.2",
+    "minipass-collect": "2.0.1",
+    "minipass-fetch": "5.0.0",
+    "minipass-flush": "1.0.5",
+    "minipass-pipeline": "1.2.4",
+    "minipass-sized": "1.0.3",
     "minizlib": "3.1.0",
     "mkdirp": "3.0.1",
+    "mkdirp-classic": "0.5.3",
+    "moment": "2.30.1",
+    "moment-timezone": "0.6.0",
     "ms": "2.1.3",
-    "negotiator": "0.6.4",
-    "node-gyp": "11.5.0",
+    "napi-build-utils": "2.0.0",
+    "negotiator": "1.0.0",
+    "node-abi": "3.85.0",
+    "node-addon-api": "8.5.0",
+    "node-gyp": "12.1.0",
     "node-stream-zip": "1.15.0",
     "nopt": "9.0.0",
+    "normalize-url": "8.1.0",
     "npm-install-checks": "8.0.0",
     "npm-normalize-package-bin": "5.0.0",
-    "npm-package-arg": "13.0.1",
+    "npm-package-arg": "13.0.2",
     "npm-pick-manifest": "11.0.3",
+    "nth-check": "2.1.1",
+    "object-inspect": "1.13.4",
+    "object-keys": "1.1.1",
     "on-finished": "2.4.1",
+    "on-headers": "1.1.0",
+    "once": "1.4.0",
+    "p-cancelable": "4.0.1",
+    "p-map": "7.0.4",
     "packageurl-js": "1.0.2",
     "parse-conflict-json": "5.0.1",
+    "parse5": "8.0.0",
+    "parse5-htmlparser2-tree-adapter": "8.0.0",
+    "parse5-parser-stream": "8.0.0",
+    "parseurl": "1.3.3",
+    "path-scurry": "2.0.1",
+    "pg-connection-string": "2.9.1",
+    "picocolors": "1.1.1",
+    "picomatch": "4.0.3",
     "poku": "3.0.2",
-    "prettify-xml": "1.2.0",
+    "postcss-selector-parser": "7.1.0",
+    "prebuild-install": "7.1.3",
     "proc-log": "6.0.0",
     "proggy": "4.0.0",
-    "promise-all-reject-late": "1.0.1",
-    "promise-call-limit": "3.0.2",
+    "promise-retry": "2.0.1",
     "properties-reader": "2.3.0",
+    "pump": "3.0.3",
+    "qs": "6.14.0",
+    "quick-lru": "5.1.1",
+    "raw-body": "3.0.2",
+    "rc": "1.2.8",
+    "read-cmd-shim": "6.0.0",
     "read-package-json-fast": "5.0.0",
+    "require-from-string": "2.0.2",
+    "resolve-alpn": "1.2.1",
     "responselike": "4.0.2",
+    "retry": "0.13.1",
+    "retry-as-promised": "7.1.1",
+    "roarr": "2.15.4",
+    "safe-buffer": "5.2.1",
+    "safer-buffer": "2.1.2",
+    "sax": "1.4.3",
     "semver": "7.7.3",
+    "semver-compare": "1.0.0",
     "sequelize": "6.37.7",
+    "sequelize-pool": "8.0.1",
+    "serialize-error": "12.0.0",
+    "setprototypeof": "1.2.0",
+    "side-channel": "1.1.0",
+    "side-channel-list": "1.0.0",
+    "side-channel-map": "1.0.1",
+    "side-channel-weakmap": "1.0.2",
     "signal-exit": "4.1.0",
+    "simple-concat": "1.0.1",
+    "simple-get": "4.0.1",
+    "slice-ansi": "7.1.2",
+    "smart-buffer": "4.2.0",
+    "socks": "2.8.7",
+    "socks-proxy-agent": "8.0.5",
+    "spdx-correct": "3.2.0",
+    "spdx-exceptions": "2.5.0",
+    "spdx-expression-parse": "4.0.0",
+    "spdx-license-ids": "3.0.22",
     "sprintf-js": "1.1.3",
     "sqlite3": "npm:@appthreat/sqlite3@6.0.9",
     "ssri": "13.0.0",
     "statuses": "2.0.2",
-    "strip-json-comments": "3.1.1",
+    "streamx": "2.23.0",
+    "string-width": "8.1.0",
+    "strip-ansi": "7.1.2",
+    "strip-json-comments": "5.0.3",
     "table": "6.9.0",
-    "tar": "7.5.1",
+    "tagged-tag": "1.0.0",
+    "tar": "7.5.2",
+    "tar-fs": "3.1.1",
+    "tar-stream": "3.1.7",
+    "text-decoder": "1.2.3",
+    "tinyglobby": "0.2.15",
+    "toidentifier": "1.0.1",
+    "toposort-class": "1.0.1",
     "treeverse": "3.0.0",
-    "type-fest": "4.41.0",
+    "tunnel-agent": "0.6.0",
+    "type-fest": "5.2.0",
+    "type-is": "2.0.1",
     "typescript": "5.9.3",
+    "undici": "7.16.0",
+    "undici-types": "7.16.0",
     "unique-filename": "5.0.0",
     "unique-slug": "6.0.0",
-    "uuid": "11.1.0",
+    "unpipe": "1.0.0",
+    "util-deprecate": "1.0.2",
+    "utils-merge": "1.0.1",
+    "uuid": "13.0.0",
+    "validate-npm-package-license": "3.0.4",
+    "validate-npm-package-name": "7.0.0",
+    "validator": "13.15.23",
+    "vary": "1.1.2",
     "walk-up-path": "4.0.0",
-    "which": "5.0.0",
+    "whatwg-encoding": "3.1.1",
+    "whatwg-mimetype": "4.0.0",
+    "which": "6.0.0",
+    "wkx": "0.5.0",
+    "wrap-ansi": "9.0.2",
+    "wrappy": "1.0.2",
     "write-file-atomic": "7.0.0",
     "xml-js": "1.6.11",
+    "y18n": "5.0.8",
     "yallist": "5.0.0",
     "yaml": "2.8.1",
-    "yargs": "17.7.2",
+    "yargs": "18.0.0",
+    "yargs-parser": "22.0.0",
     "yoctocolors": "2.1.2"
   },
   "dependencies": {
@@ -222,73 +439,63 @@
     "@iarna/toml": "2.2.5",
     "@isaacs/string-locale-compare": "1.1.0",
     "@npmcli/fs": "5.0.0",
-    "@npmcli/installed-package-contents": "4.0.0",
-    "@npmcli/map-workspaces": "5.0.1",
+    "@npmcli/map-workspaces": "5.0.3",
     "@npmcli/name-from-folder": "4.0.0",
-    "@npmcli/package-json": "7.0.1",
+    "@npmcli/package-json": "7.0.4",
     "@npmcli/query": "5.0.0",
-    "@npmcli/redact": "4.0.0",
     "ajv": "8.17.1",
     "ajv-formats": "3.0.1",
     "bin-links": "6.0.0",
     "cheerio": "1.1.2",
     "common-ancestor-path": "1.0.1",
     "edn-data": "1.1.2",
-    "encoding": "0.1.13",
-    "glob": "11.0.3",
+    "glob": "13.0.0",
     "global-agent": "3.0.0",
-    "got": "14.6.0",
-    "hosted-git-info": "9.0.2",
+    "got": "14.6.5",
     "iconv-lite": "0.7.0",
     "json-stringify-nice": "1.1.4",
     "jws": "4.0.0",
-    "minimatch": "10.0.3",
+    "keyv": "5.5.4",
     "node-stream-zip": "1.15.0",
-    "npm-install-checks": "8.0.0",
-    "npm-normalize-package-bin": "5.0.0",
-    "npm-package-arg": "13.0.1",
-    "npm-pick-manifest": "11.0.3",
+    "npm-package-arg": "13.0.2",
     "packageurl-js": "1.0.2",
     "parse-conflict-json": "5.0.1",
-    "prettify-xml": "1.2.0",
     "proc-log": "6.0.0",
     "proggy": "4.0.0",
-    "promise-all-reject-late": "1.0.1",
-    "promise-call-limit": "3.0.2",
     "properties-reader": "2.3.0",
     "read-package-json-fast": "5.0.0",
     "semver": "7.7.3",
     "ssri": "13.0.0",
     "table": "6.9.0",
-    "tar": "7.5.1",
+    "tar": "7.5.2",
     "treeverse": "3.0.0",
-    "uuid": "11.1.0",
+    "uuid": "13.0.0",
     "walk-up-path": "4.0.0",
     "xml-js": "1.6.11",
     "yaml": "2.8.1",
-    "yargs": "17.7.2",
+    "yargs": "18.0.0",
     "yoctocolors": "2.1.2"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.3.0",
+    "@biomejs/biome": "2.3.7",
     "poku": "3.0.2",
     "typescript": "5.9.3"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.4.2",
+    "@appthreat/atom": "2.3.0",
     "@appthreat/cdx-proto": "1.1.4",
-    "@bufbuild/protobuf": "2.10.0",
-    "@cyclonedx/cdxgen-plugins-bin": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-arm": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linux-ppc64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-arm64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "1.7.0",
-    "@cyclonedx/cdxgen-plugins-bin-windows-arm64": "1.7.0",
+    "@bufbuild/protobuf": "2.10.1",
+    "@cyclonedx/cdxgen-plugins-bin": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-darwin-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-arm": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linux-ppc64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-linuxmusl-arm64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-windows-amd64": "1.8.0",
+    "@cyclonedx/cdxgen-plugins-bin-windows-arm64": "1.8.0",
     "body-parser": "2.2.0",
     "compression": "1.8.1",
     "connect": "3.7.0",
@@ -297,29 +504,30 @@
     "sqlite3": "npm:@appthreat/sqlite3@6.0.9"
   },
   "engines": {
-    "node": ">=20",
+    "node": "^20 || ^22 || ^24",
     "pnpm": ">=10"
   },
   "devEngines": {
     "runtime": [
       {
         "name": "node",
-        "version": "24.10.0",
+        "version": ">=24",
         "onFail": "ignore"
       },
       {
         "name": "bun",
-        "version": "1.3.1",
+        "version": "1.3.3",
         "onFail": "ignore"
       },
       {
         "name": "deno",
-        "version": "2.5.4",
+        "version": "2.5.6",
         "onFail": "ignore"
       }
     ]
   },
   "scripts": {
+    "dependencies": "node bin/dependencies.js",
     "gen-types": "npx -p typescript tsc",
     "install:frozen": "pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy",
     "install:prod": "pnpm install --config.strict-dep-builds=true --frozen-lockfile --package-import-method copy --prod",