@cyclonedx/cdxgen 11.2.0 → 11.2.2

package/lib/helpers/utils.js

@@ -1,6 +1,6 @@
 import { Buffer } from "node:buffer";
 import { spawnSync } from "node:child_process";
-import { createHash } from "node:crypto";
+import { createHash, randomUUID } from "node:crypto";
 import {
   constants,
   chmodSync,
@@ -175,6 +175,16 @@ export let metadata_cache = {};
 // Speed up lookup namespaces for a given jar
 const jarNSMapping_cache = {};
 
+// Temporary files written by cdxgen, will be removed on exit
+const temporaryFiles = new Set();
+process.on("exit", () =>
+  temporaryFiles.forEach((tempFile) => {
+    if (existsSync(tempFile)) {
+      unlinkSync(tempFile);
+    }
+  }),
+);
+
 // Whether test scope shall be included for java/maven projects; default, if unset shall be 'true'
 export const includeMavenTestScope =
   !process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE ||
@@ -410,6 +420,14 @@ export const PROJECT_TYPE_ALIASES = {
     "dotnet-framework48",
     "vb",
     "fsharp",
+    "twincat",
+    "csproj",
+    "tsproj",
+    "vbproj",
+    "sln",
+    "fsproj",
+    "plcproj",
+    "hmiproj",
   ],
   dart: ["dart", "flutter", "pub"],
   haskell: ["haskell", "hackage", "cabal"],
@@ -448,6 +466,7 @@ export const PROJECT_TYPE_ALIASES = {
   ],
   binary: ["binary", "blint"],
   oci: ["docker", "oci", "container", "podman"],
+  cocoa: ["cocoa", "cocoapods", "objective-c", "swift", "ios"],
 };
 
 // Package manager aliases
@@ -595,12 +614,21 @@ export function isPackageManagerAllowed(name, conflictingManagers, options) {
 // HTTP cache
 const gotHttpCache = new Map();
 
+function isCacheDisabled() {
+  return (
+    process.env.CDXGEN_NO_CACHE &&
+    ["true", "1"].includes(process.env.CDXGEN_NO_CACHE)
+  );
+}
+
+const cache = isCacheDisabled() ? undefined : gotHttpCache;
+
 // Custom user-agent for cdxgen
 export const cdxgenAgent = got.extend({
   headers: {
     "user-agent": `@CycloneDX/cdxgen ${_version}`,
   },
-  cache: gotHttpCache,
+  cache,
   retry: {
     limit: 0,
   },
@@ -1638,7 +1666,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
 }
 
 /**
- * Given a lock file this method would return an Object with the identiy as the key and parsed name and value
+ * Given a lock file this method would return an Object with the identity as the key and parsed name and value
  * eg: "@actions/core@^1.2.6", "@actions/core@^1.6.0":
  *        version "1.6.0"
  * would result in two entries
@@ -1650,7 +1678,7 @@ export function yarnLockToIdentMap(lockData) {
   let currentIdents = [];
   lockData.split("\n").forEach((l) => {
     l = l.replace("\r", "");
-    if (l === "\n" || l.startsWith("#")) {
+    if (l === "\n" || !l.length || l.startsWith("#")) {
       return;
     }
     // "@actions/core@^1.2.6", "@actions/core@^1.6.0":
@@ -1707,14 +1735,22 @@ export function yarnLockToIdentMap(lockData) {
 function _parseYarnLine(l) {
   let name = "";
   let group = "";
-  const prefixAtSymbol = l.startsWith("@");
+  let prefixAtSymbol = l.startsWith("@");
   const tmpA = l.split("@");
   // ignore possible leading empty strings
   if (tmpA[0] === "") {
     tmpA.shift();
   }
+  let fullName;
   if (tmpA.length >= 2) {
-    const fullName = tmpA[0];
+    if (tmpA.length === 4) {
+      if (tmpA[1] === "npm:") {
+        prefixAtSymbol = true;
+      }
+      fullName = tmpA[2];
+    } else {
+      fullName = tmpA[0];
+    }
     if (fullName.indexOf("/") > -1) {
       const parts = fullName.split("/");
       group = (prefixAtSymbol ? "@" : "") + parts[0];
@@ -1891,16 +1927,26 @@ export async function parseYarnLock(yarnLockFile) {
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
-          let range = tmpA[1].replace(/["']/g, "");
+          let dgroupnameToUse = dgroupname;
+          const range = tmpA[1].replace(/["']/g, "");
+          let versionRange = range;
           // Deal with range with npm: prefix such as npm:string-width@^4.2.0, npm:@types/ioredis@^4.28.10
           if (range.startsWith("npm:")) {
-            range = range.split("@").splice(-1)[0];
+            versionRange = range.split("@").splice(-1)[0];
+            dgroupnameToUse = range
+              .replace("npm:", "")
+              .replace(`@${versionRange}`, "");
           }
-          const resolvedVersion = identMap[`${dgroupname}|${range}`];
+          const resolvedVersion =
+            identMap[`${dgroupname}|${versionRange}`] ||
+            identMap[`${dgroupnameToUse}|${versionRange}`];
+          // Handle case where the dependency name is really an alias.
+          // Eg: legacy-swc-helpers "npm:@swc/helpers@=0.4.14". Here the dgroupname=@swc/helpers
+
           const depPurlString = new PackageURL(
             "npm",
             null,
-            dgroupname,
+            dgroupnameToUse,
             resolvedVersion,
             null,
             null,
@@ -4152,7 +4198,10 @@ export async function getMvnMetadata(
     }
     const group = p.group || "";
     // If the package already has key metadata skip querying maven
-    if (group && p.name && p.version && !shouldFetchLicense() && !force) {
+    if (
+      !p.version ||
+      (group && p.name && p.version && !shouldFetchLicense() && !force)
+    ) {
       cdepList.push(p);
       continue;
     }
@@ -6932,8 +6981,11 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
         if (["name", "version"].includes(aprop)) {
           value = value.replace(/["']/g, "");
         }
-        pkg[aprop] = value;
-        return;
+        // Do not set name=name or version=version
+        if (value !== aprop) {
+          pkg[aprop] = value;
+          break;
+        }
       }
     }
     // Handle common problems
@@ -7598,11 +7650,11 @@ export async function parseCargoTomlData(
       pkg.evidence = {
         identity: {
           field: "purl",
-          confidence: 0.5,
+          confidence: pkg.version ? 0.5 : 0,
           methods: [
             {
               technique: "manifest-analysis",
-              confidence: 0.5,
+              confidence: pkg.version ? 0.5 : 0,
               value: cargoTomlFile,
             },
           ],
@@ -9228,7 +9280,10 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
   let gacVersionWarningShown = false;
   // First make up a parentcomponent name based on the .csproj file name
   if (projFile) {
-    parentComponent.name = basename(projFile).replaceAll(".csproj", "");
+    parentComponent.name = basename(projFile).replaceAll(
+      /.(cs|fs|vb|ts|plc|hmi)proj$/g,
+      "",
+    );
   }
   // Collect details about the parent component
   if (project?.PropertyGroup?.length) {
@@ -9240,6 +9295,13 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
         Array.isArray(apg.AssemblyName[0]._)
       ) {
         parentComponent.name = apg.AssemblyName[0]._[0];
+      } else if (
+        apg?.Name &&
+        Array.isArray(apg.Name) &&
+        apg.Name[0]._ &&
+        Array.isArray(apg.Name[0]._)
+      ) {
+        parentComponent.name = apg.Name[0]._[0];
       }
       if (
         apg?.ProductVersion &&
@@ -9248,6 +9310,20 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
         Array.isArray(apg.ProductVersion[0]._)
       ) {
         parentComponent.version = apg.ProductVersion[0]._[0];
+      } else if (
+        apg?.ProgramVersion &&
+        Array.isArray(apg.ProgramVersion) &&
+        apg.ProgramVersion[0]._ &&
+        Array.isArray(apg.ProgramVersion[0]._)
+      ) {
+        parentComponent.version = apg.ProgramVersion[0]._[0];
+      } else if (
+        apg?.HmiVersion &&
+        Array.isArray(apg.HmiVersion) &&
+        apg.HmiVersion[0]._ &&
+        Array.isArray(apg.HmiVersion[0]._)
+      ) {
+        parentComponent.version = apg.HmiVersion[0]._[0];
       }
       if (
         apg?.OutputType &&
@@ -9328,6 +9404,17 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
           });
         }
       }
+      if (
+        apg?.AzureFunctionsVersion &&
+        Array.isArray(apg.AzureFunctionsVersion) &&
+        apg.AzureFunctionsVersion[0]._ &&
+        Array.isArray(apg.AzureFunctionsVersion[0]._)
+      ) {
+        parentComponent.properties.push({
+          name: "cdx:dotnet:azure_functions_version",
+          value: apg.AzureFunctionsVersion[0]._[0],
+        });
+      }
       if (
         apg?.Description &&
         Array.isArray(apg.Description) &&
@@ -9476,11 +9563,13 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
       }
     }
   }
-  if (
-    parentComponent &&
-    Object.keys(parentComponent).length &&
-    parentComponent.purl
-  ) {
+  // If the parent still lacks a purl, add one based on the name and version
+  if (parentComponent && !parentComponent.purl && parentComponent.name) {
+    parentComponent.purl = `pkg:nuget/${parentComponent.name}@${
+      parentComponent.version || "latest"
+    }`;
+  }
+  if (parentComponent?.purl) {
     parentComponent["bom-ref"] = parentComponent.purl;
   }
   let dependencies = [];
@@ -11431,9 +11520,10 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
             }
           }
         }
+        let jarMetadata;
         if ((!group || !name || !version) && safeExistsSync(manifestFile)) {
           confidence = 0.8;
-          const jarMetadata = parseJarManifest(
+          jarMetadata = parseJarManifest(
             readFileSync(manifestFile, {
               encoding: "utf-8",
             }),
@@ -11506,7 +11596,10 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
           // if group is empty use name as group
           group = group === "." ? name : group || name;
         }
-        if (name && version) {
+        if (name) {
+          if (!version) {
+            confidence = 0;
+          }
           const apkg = {
             group: group ? encodeForPurl(group) : "",
             name: name ? encodeForPurl(name) : "",
@@ -11535,7 +11628,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
             properties: [
               {
                 name: "SrcFile",
-                value: jarname,
+                value: jf,
               },
             ],
           };
@@ -11895,6 +11988,607 @@ export function splitOutputByGradleProjects(rawOutput, relevantTasks) {
   return outputSplitBySubprojects;
 }
 
+/**
+ * Parse the contents of a 'Podfile.lock'
+ *
+ * @param {Object} podfileLock The content of the podfile.lock as an Object
+ * @param {String} projectPath The path to the project root
+ * @returns {Map} Map of all dependencies with their direct dependencies
+ */
+export async function parsePodfileLock(podfileLock, projectPath) {
+  const dependencies = new Map();
+  for (const pod of podfileLock["PODS"]) {
+    const dependency = {};
+    if (pod.constructor === Object) {
+      for (const key in pod) {
+        dependency.metadata = parseCocoaDependency(key);
+        const subDependencies = new Set();
+        for (const subPod of pod[key]) {
+          subDependencies.add(parseCocoaDependency(subPod, false));
+        }
+        dependency.dependencies = Array.from(subDependencies);
+      }
+    } else {
+      dependency.metadata = parseCocoaDependency(pod);
+    }
+    const podName = dependency.metadata.name.includes("/")
+      ? dependency.metadata.name.substring(
+          0,
+          dependency.metadata.name.indexOf("/"),
+        )
+      : dependency.metadata.name;
+    if (podfileLock["EXTERNAL SOURCES"]?.[podName]) {
+      const externalPod = podfileLock["EXTERNAL SOURCES"][podName];
+      if (externalPod[":podspec"]) {
+        const podspecLocation = resolve(projectPath, externalPod[":podspec"]);
+        dependency.metadata.properties = [
+          {
+            name: "cdx:pods:projectDir",
+            value: dirname(podspecLocation),
+          },
+          {
+            name: "cdx:pods:podspecLocation",
+            value: podspecLocation,
+          },
+        ];
+      } else {
+        const projectLocation = resolve(projectPath, externalPod[":path"]);
+        dependency.metadata.properties = [
+          {
+            name: "cdx:pods:projectDir",
+            value: projectLocation,
+          },
+        ];
+        let podspec = join(projectLocation, `${podName}.podspec`);
+        if (!existsSync(podspec)) {
+          podspec = `${podspec}.json`;
+        }
+        if (existsSync(podspec)) {
+          dependency.metadata.properties.push({
+            name: "cdx:pods:podspecLocation",
+            value: podspec,
+          });
+        }
+      }
+    }
+    dependencies.set(dependency.metadata.name, dependency);
+  }
+  if (!["false", "0"].includes(process.env.COCOA_MERGE_SUBSPECS)) {
+    for (const subspecComponentName of [...dependencies.keys()].filter((name) =>
+      name.includes("/"),
+    )) {
+      const subspecComponent = dependencies.get(subspecComponentName);
+      const mainComponentName = subspecComponentName.split("/")[0];
+      let mainComponent = dependencies.get(mainComponentName);
+      if (!mainComponent) {
+        mainComponent = {
+          metadata: {
+            name: mainComponentName,
+            version: subspecComponent.metadata.version,
+          },
+        };
+        dependencies.set(mainComponentName, mainComponent);
+      }
+      if (subspecComponent.dependencies) {
+        if (mainComponent.dependencies) {
+          mainComponent.dependencies = [
+            ...mainComponent.dependencies,
+            ...subspecComponent.dependencies,
+          ];
+        } else {
+          mainComponent.dependencies = subspecComponent.dependencies;
+        }
+      }
+      mainComponent.metadata.properties = [
+        ...(mainComponent.metadata.properties
+          ? mainComponent.metadata.properties
+          : []),
+        {
+          name: "cdx:pods:Subspec",
+          value: subspecComponentName.substring(
+            subspecComponentName.indexOf("/") + 1,
+          ),
+        },
+        ...(subspecComponent.metadata.propertie
+          ? subspecComponent.metadata.properties
+          : []),
+      ];
+      dependencies.delete(subspecComponentName);
+    }
+    for (const [dependencyName, dependency] of dependencies) {
+      if (dependency.dependencies) {
+        dependency.dependencies.forEach(
+          (dep) => (dep.name = dep.name.split("/")[0]),
+        );
+        dependency.dependencies = [
+          ...new Map(
+            dependency.dependencies
+              .filter((dep) => dep.name !== dependencyName)
+              .map((dep) => [dep.name, dep]),
+          ).values(),
+        ];
+        if (dependency.dependencies.length === 0) {
+          delete dependency.dependencies;
+        }
+      }
+    }
+  }
+  return dependencies;
+}
+
+/**
+ * Parse all targets and their direct dependencies from the 'Podfile'
+ *
+ * @param {Object} target A JSON-object representing a target
+ * @param {Map} allDependencies The map containing all parsed direct dependencies for a target
+ * @param {String} [prefix=undefined] Prefix to add to the targets name
+ */
+export function parsePodfileTargets(
+  target,
+  allDependencies,
+  prefix = undefined,
+) {
+  const targetName = (prefix ? `${prefix}/` : "") + target.name;
+  const targetDependencies = new Set(
+    prefix && allDependencies.has(prefix)
+      ? allDependencies.get(prefix)
+      : targetName !== "Pods"
+        ? allDependencies.get("Pods")
+        : [],
+  );
+  if (target["dependencies"]) {
+    for (const targetDependency of target["dependencies"]) {
+      if (targetDependency.constructor === Object) {
+        targetDependencies.add(Object.keys(targetDependency)[0]);
+      } else {
+        targetDependencies.add(targetDependency);
+      }
+    }
+  }
+  allDependencies.set(targetName, Array.from(targetDependencies));
+  if (target.children) {
+    const childPrefix = targetName === "Pods" ? undefined : targetName;
+    for (const childTarget of target.children) {
+      parsePodfileTargets(childTarget, allDependencies, childPrefix);
+    }
+  }
+}
+
+/**
+ * Parse a single line representing a dependency
+ *
+ * @param {String} dependencyLine The line that should be parsed as a dependency
+ * @param {boolean} [parseVersion=true] Include parsing the version of the dependency
+ * @returns {Object} Object representing a dependency
+ */
+export function parseCocoaDependency(dependencyLine, parseVersion = true) {
+  const dependencyData = dependencyLine.split(" (");
+  const dependency = { name: dependencyData[0] };
+  if (parseVersion) {
+    dependency.version = dependencyData[1].substring(
+      0,
+      dependencyData[1].length - 1,
+    );
+  }
+  return dependency;
+}
+
+/**
+ * Execute the 'pod'-command with parameters
+ *
+ * @param {String[]} parameters The parameters for the command
+ * @param {String} path The path where the command should be executed
+ * @param {Object} options CLI options
+ * @returns {Object} The result of running the command
+ */
+export function executePodCommand(parameters, path, options) {
+  if (DEBUG_MODE) {
+    if (path) {
+      console.log("Executing pod", parameters.join(" "), "in", path);
+    } else {
+      console.log("Executing pod", parameters.join(" "));
+    }
+  }
+  const result = spawnSync(process.env.POD_CMD || "pod", parameters, {
+    cwd: path,
+    encoding: "utf-8",
+    shell: isWin,
+    maxBuffer: MAX_BUFFER,
+  });
+  if (result.status !== 0 || result.error) {
+    if (result?.stderr?.includes("Unable to find a pod")) {
+      console.log(
+        "Try again by running 'pod install' before invoking 'cdxgen'.",
+      );
+    }
+    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+      console.log(
+        "Consider using the cdxgen container image (`ghcr.io/cyclonedx/cdxgen`), which includes cocoapods and additional build tools.",
+      );
+    } else if (!DEBUG_MODE) {
+      console.log(
+        "Something went wrong when trying to execute cocoapods -- Set the environment variable 'CDXGEN_DEBUG_MODE=debug' to troubleshoot cocoapods related errors",
+      );
+    }
+    if (options.failOnError || DEBUG_MODE) {
+      if (result.stdout) {
+        console.log(result.stdout);
+      }
+      if (result.stderr) {
+        console.log(result.stderr);
+      }
+      options.failOnError && process.exit(1);
+    }
+  }
+  return result;
+}
+
+/**
+ * Method that handles object creation for cocoa pods.
+ *
+ * @param {Object} dependency The dependency that is to be transformed into an SBOM object
+ * @param {Object} options CLI options
+ * @param {String} [type="library"] The type of Object to create
+ * @returns {Object} An object representing the pod in SBOM-format
+ */
+export async function buildObjectForCocoaPod(
+  dependency,
+  options,
+  type = "library",
+) {
+  let component;
+  if (
+    !["false", "0"].includes(process.env.COCOA_RESOLVE_FROM_NODE) &&
+    dependency.properties?.find(({ name }) => name === "cdx:pods:projectDir")
+  ) {
+    let tmpDir = dependency.properties.find(
+      ({ name }) => name === "cdx:pods:projectDir",
+    ).value;
+    const exclusionDirs = process.env.COCOA_RESOLVE_FROM_NODE_EXCLUSION_DIRS
+      ? process.env.COCOA_RESOLVE_FROM_NODE_EXCLUSION_DIRS.split(",")
+      : [];
+    if (
+      tmpDir &&
+      !exclusionDirs.some((dir) =>
+        `${tmpDir.replaceAll("\\", "/")}/`.includes(
+          `/${dir.replaceAll("\\", "/")}/`.replaceAll("//", "/"),
+        ),
+      ) &&
+      tmpDir.indexOf("node_modules") !== -1
+    ) {
+      do {
+        const npmPackages = await parsePkgJson(join(tmpDir, "package.json"));
+        if (npmPackages.length === 1) {
+          component = npmPackages[0];
+          component.type = "library";
+          component.properties = component.properties.concat(
+            {
+              name: "cdx:pods:PodName",
+              value: dependency.name,
+            },
+            dependency.properties,
+          );
+          tmpDir = undefined;
+        } else {
+          tmpDir = dirname(tmpDir);
+        }
+      } while (tmpDir && tmpDir.indexOf("node_modules") !== -1);
+    }
+  }
+  if (!component) {
+    let name = dependency.name;
+    let subspec = null;
+    const locationOfSubspec = dependency.name.indexOf("/");
+    if (locationOfSubspec !== -1) {
+      name = dependency.name.substring(0, locationOfSubspec);
+      subspec = dependency.name.substring(locationOfSubspec + 1);
+    }
+    component = {
+      ...dependency,
+      type,
+    };
+    if (subspec) {
+      if (!component.properties) {
+        component.properties = [];
+      }
+      component.properties.push({
+        name: "cdx:pods:Subspec",
+        value: subspec,
+      });
+    }
+    const purl = new PackageURL(
+      "cocoapods",
+      "",
+      name,
+      component.version,
+      null,
+      subspec,
+    ).toString();
+    component["purl"] = purl;
+    component["bom-ref"] = decodeURIComponent(purl);
+    if (options && !["false", "0"].includes(process.env.COCOA_FULL_SCAN)) {
+      fullScanCocoaPod(dependency, component, options);
+    }
+  }
+  return component;
+}
+
+function fullScanCocoaPod(dependency, component, options) {
+  let result;
+  if (
+    component.properties?.find(({ name }) => name === "cdx:pods:projectDir")
+  ) {
+    if (
+      component.properties.find(
+        ({ name }) => name === "cdx:pods:podspecLocation",
+      )
+    ) {
+      let podspecLocation = component.properties.find(
+        ({ name }) => name === "cdx:pods:podspecLocation",
+      ).value;
+      component.properties.push({
+        name: "SrcFile",
+        value: podspecLocation,
+      });
+      let replacements;
+      if (
+        podspecLocation.endsWith(".podspec") &&
+        process.env.COCOA_PODSPEC_REPLACEMENTS
+      ) {
+        replacements = process.env.COCOA_PODSPEC_REPLACEMENTS.split(";");
+      } else if (
+        podspecLocation.endsWith(".json") &&
+        process.env.COCOA_PODSPEC_JSON_REPLACEMENTS
+      ) {
+        replacements = process.env.COCOA_PODSPEC_JSON_REPLACEMENTS.split(";");
+      }
+      if (replacements) {
+        let podspecContent = readFileSync(podspecLocation, "utf-8");
+        for (const replacement of replacements) {
+          const replacementPair = replacement.split("=");
+          let match = replacementPair[0].replaceAll("<NEWLINE>", "\n");
+          if (match.startsWith("/") && match.endsWith("/")) {
+            match = new RegExp(match.substring(1, match.length - 1), "g");
+          }
+          const repl = replacementPair[1].replaceAll("<NEWLINE>", "\n");
+          podspecContent = podspecContent.replaceAll(match, repl);
+        }
+        podspecLocation = join(
+          dirname(podspecLocation),
+          `${randomUUID()}.${podspecLocation.substring(podspecLocation.lastIndexOf(".") + 1)}`,
+        );
+        writeFileSync(podspecLocation, podspecContent);
+        temporaryFiles.add(podspecLocation);
+      }
+      result = executePodCommand(
+        ["ipc", "spec", "--silent", podspecLocation],
+        undefined,
+        options,
+      );
+    } else {
+      console.warn(
+        `Unable to do a full scan of local pod '${dependency.name}', because either its podspec doesn't exist, or it wasn't found with the currently implemented algorithms.\nIf you think this is an error, please file an issue on GitHub!`,
+      );
+      return;
+    }
+  } else {
+    let dependencyName = dependency.name;
+    if (dependencyName.includes("/")) {
+      dependencyName = dependencyName.substring(0, dependencyName.indexOf("/"));
+    }
+    const srcFileProperty = {
+      name: "SrcFile",
+      value: executePodCommand(
+        ["spec", "which", dependencyName, `--version=${dependency.version}`],
+        undefined,
+        options,
+      ).stdout.trim(),
+    };
+    if (component.properties) {
+      component.properties.push(srcFileProperty);
+    } else {
+      component.properties = [srcFileProperty];
+    }
+    result = executePodCommand(
+      ["spec", "cat", dependencyName, `--version=${dependency.version}`],
+      undefined,
+      options,
+    );
+  }
+  const podspecText = result.stdout;
+  let podspec;
+  try {
+    podspec = JSON.parse(
+      podspecText.substring(
+        podspecText.indexOf("{"),
+        podspecText.lastIndexOf("}") + 1,
+      ),
+    );
+  } catch (e) {
+    return;
+  }
+  const externalRefs = [];
+  if (podspec.authors) {
+    component.authors = [];
+    if (podspec.authors.constructor === Object) {
+      Object.entries(podspec.authors).forEach(([name, email]) =>
+        component.authors.push({ name, email }),
+      );
+    } else if (podspec.authors.constructor === Array) {
+      podspec.authors.forEach((name) => component.authors.push({ name }));
+    } else {
+      component.authors.push({ name: podspec.authors });
+    }
+  }
+  if (podspec.description) {
+    component.description = podspec.description;
+  } else if (podspec.summary) {
+    component.description = podspec.summary;
+  }
+  if (podspec.documentation_url) {
+    externalRefs.push({
+      type: "documentation",
+      url: podspec.documentation_url,
+    });
+  } else if (podspec.readme) {
+    externalRefs.push({
+      type: "documentation",
+      url: podspec.readme,
+    });
+  }
+  if (podspec.homepage) {
+    externalRefs.push({
+      type: "website",
+      url: podspec.homepage,
+    });
+  }
+  if (podspec.license) {
+    if (podspec.license.constructor === Object) {
+      if (podspec.license.type === "Copyright") {
+        component.copyright = podspec.license.text;
+      } else {
+        component.licenses = [{ license: {} }];
+        if (spdxLicenses.includes(podspec.license.type)) {
+          component.licenses[0].license.id = podspec.license.type;
+        } else {
+          component.licenses[0].license.name = podspec.license.type;
+        }
+        const licenseText = [];
+        if (podspec.license.text) {
+          if (podspec.license.text.startsWith("http")) {
+            component.licenses[0].license.url = podspec.license.text;
+          } else {
+            licenseText.push(podspec.license.text);
+          }
+        }
+        if (podspec.license.file) {
+          if (podspec.license.file.startsWith("http")) {
+            if (component.licenses[0].license.url) {
+              if (licenseText.length !== 0) {
+                licenseText.push("");
+              }
+              licenseText.push(
+                `See also: ${component.licenses[0].license.url}`,
+              );
+            }
+            component.licenses[0].license.url = podspec.license.file;
+          } else {
+            if (licenseText.length !== 0) {
+              licenseText.push("");
+            }
+            licenseText.push(`See license in file '${podspec.license.file}'`);
+          }
+        }
+        if (licenseText.length !== 0) {
+          component.licenses[0].license.text = {
+            content: licenseText.join("\n"),
+          };
+        }
+      }
+    } else {
+      if (spdxLicenses.includes(podspec.license)) {
+        component.licenses = [{ license: { id: podspec.license } }];
+      } else {
+        component.licenses = [{ license: { name: podspec.license } }];
+      }
+    }
+  }
+  if (podspec.social_media_url) {
+    externalRefs.push({
+      type: "social",
+      url: podspec.social_media_url,
+    });
+  }
+  if (podspec.source) {
+    const comment = [];
+    if (podspec.source.http) {
+      const sourceDistro = {
+        type: "source-distribution",
+        url: podspec.source.http,
+      };
+      const hashes = [];
+      if (podspec.source.http.sha1) {
+        hashes.push({
+          alg: "SHA-1",
+          content: podspec.source.http.sha1,
+        });
+      }
+      if (podspec.source.http.sha256) {
+        hashes.push({
+          alg: "SHA-256",
+          content: podspec.source.http.sha256,
+        });
+      }
+      if (hashes.length !== 0) {
+        sourceDistro.hashes = hashes;
+      }
+      if (podspec.source.flatten) {
+        comment.push(`Flatten: ${podspec.source.flatten}`);
+      }
+      if (podspec.source.type) {
+        comment.push(`Type: ${podspec.source.type}`);
+      }
+      if (podspec.source.headers) {
+        comment.push(`Headers: ${podspec.source.headers}`);
+      }
+      if (comment.length !== 0) {
+        sourceDistro.comment = comment.join("\n");
+      }
+      externalRefs.push(sourceDistro);
+    } else {
+      let url;
+      if (podspec.source.git) {
+        url = podspec.source.git;
+        comment.push("Type: git");
+        if (podspec.source.branch) {
+          comment.push(`Branch: ${podspec.source.branch}`);
+        }
+        if (podspec.source.commit) {
+          comment.push(`Commit: ${podspec.source.commit}`);
+        }
+        if (podspec.source.tag) {
+          comment.push(`Tag: ${podspec.source.tag}`);
+        }
+        if (podspec.source.submodules) {
+          comment.push(`Submodules: ${podspec.source.submodules}`);
+        }
+      } else if (podspec.source.hg) {
+        url = podspec.source.hg;
+        comment.push("Type: hg");
+        if (podspec.source.revision) {
+          comment.push(`Revision: ${podspec.source.revision}`);
+        }
+      } else if (podspec.source.svn) {
+        url = podspec.source.svn;
+        comment.push("Type: svn");
+        if (podspec.source.folder) {
+          comment.push(`Folder: ${podspec.source.folder}`);
+        }
+        if (podspec.source.revision) {
+          comment.push(`Revision: ${podspec.source.revision}`);
+        }
+        if (podspec.source.tag) {
+          comment.push(`Tag: ${podspec.source.tag}`);
+        }
+      }
+      if (url) {
+        externalRefs.push({
+          type: "vcs",
+          url: url,
+          comment: comment.join("\n"),
+        });
+      } else {
+        console.warn(
+          `${dependency.name} has property 'source' defined, but it does not contain a URL -- ignoring...`,
+        );
+      }
+    }
+  }
+  if (externalRefs.length !== 0) {
+    component.externalReferences = externalRefs;
+  }
+}
+
 /**
  * Method that handles object creation for gradle modules.
  *
@@ -11904,8 +12598,11 @@ export function splitOutputByGradleProjects(rawOutput, relevantTasks) {
  */
 export async function buildObjectForGradleModule(name, metadata) {
   let component;
-  if (["true", "1"].includes(process.env.GRADLE_RESOLVE_FROM_NODE)) {
-    let tmpDir = metadata.properties.find(
+  if (
+    !["false", "0"].includes(process.env.GRADLE_RESOLVE_FROM_NODE) &&
+    metadata.properties?.find(({ name }) => name === "projectDir")
+  ) {
+    let tmpDir = metadata.properties?.find(
       ({ name }) => name === "projectDir",
     ).value;
     if (tmpDir.indexOf("node_modules") !== -1) {
@@ -14183,6 +14880,9 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
   }
   const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"));
   if (slicesData && Object.keys(slicesData)) {
+    thoughtLog(
+      "Let's thoroughly inspect the dependency slice to identify where and how the components are used.",
+    );
     if (slicesData.Dependencies) {
       for (const adep of slicesData.Dependencies) {
         // Case 1: Dependencies slice has the .dll file
@@ -14274,6 +14974,10 @@ export function addEvidenceForDotnet(pkgList, slicesFile) {
         });
       }
     }
+  } else if (slicesData?.Dependencies || slicesData?.MethodCalls) {
+    thoughtLog(
+      "I didn't find any occurrence evidence or detailed imported modules, even though there is good dependency slice data from dosai. This is surprising.",
+    );
   }
   return pkgList;
 }
@@ -14408,3 +15112,168 @@ export function recomputeScope(pkgList, dependencies) {
   }
   return pkgList;
 }
+
+/**
+ * Function to parse a list of environment variables to identify the paths containing executable binaries
+ *
+ * @param envValues {Array[String]} Environment variables list
+ * @returns {Array[String]} Binary Paths identified from the environment variables
+ */
+export function extractPathEnv(envValues) {
+  if (!envValues) {
+    return [];
+  }
+  let binPaths = new Set();
+  const shellVariables = {};
+  // Let's focus only on linux container images for now
+  for (const env of envValues) {
+    if (env.startsWith("PATH=")) {
+      binPaths = new Set(env.replace("PATH=", "").split(":"));
+    } else {
+      const tmpA = env.split("=");
+      if (tmpA.length === 2) {
+        shellVariables[`$${tmpA[0]}`] = tmpA[1];
+        shellVariables[`\${${tmpA[0]}}`] = tmpA[1];
+      }
+    }
+  }
+  binPaths = Array.from(binPaths);
+  const expandedBinPaths = [];
+  for (let apath of binPaths) {
+    // Filter empty paths
+    if (!apath.length) {
+      continue;
+    }
+    if (apath.includes("$")) {
+      for (const k of Object.keys(shellVariables)) {
+        apath = apath.replace(k, shellVariables[k]);
+      }
+    }
+    // We're here, but not all paths got substituted
+    // Let's ignore them for now instead of risking substitution based on host values.
+    // Eg: ${GITHUB_TOKEN} could get expanded with the values from the host
+    if (apath.length && !apath.includes("$")) {
+      expandedBinPaths.push(apath);
+    }
+  }
+  return expandedBinPaths;
+}
+
+/**
+ * Collect all executable files from the given list of binary paths
+ *
+ * @param basePath Base directory
+ * @param binPaths {Array[String]} Paths containing potential binaries
+ * @return {Array[String]} List of executables
+ */
+export function collectExecutables(basePath, binPaths) {
+  if (!binPaths) {
+    return [];
+  }
+  let executables = [];
+  const ignoreList = [
+    "**/*.{h,c,cpp,hpp,man,txt,md,htm,html,jar,ear,war,zip,tar,egg,keepme,gitignore,json,js,py,pyc}",
+    "[",
+  ];
+  for (const apath of binPaths) {
+    try {
+      const files = globSync(`**${apath}/*`, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: true,
+        ignore: ignoreList,
+      });
+      executables = executables.concat(files);
+    } catch (err) {
+      // ignore
+    }
+  }
+  return Array.from(new Set(executables)).sort();
+}
+
+/**
+ * Collect all shared library files from the given list of paths
+ *
+ * @param basePath Base directory
+ * @param libPaths {Array[String]} Paths containing potential libraries
+ * @param ldConf {String} Config file used by ldconfig to locate additional paths
+ * @param ldConfDirPattern {String} Config directory that can contain more .conf files for ldconfig
+ *
+ * @return {Array[String]} List of executables
+ */
+export function collectSharedLibs(
+  basePath,
+  libPaths,
+  ldConf,
+  ldConfDirPattern,
+) {
+  if (!libPaths) {
+    return [];
+  }
+  let sharedLibs = [];
+  const ignoreList = [
+    "**/*.{h,c,cpp,hpp,man,txt,md,htm,html,jar,ear,war,zip,tar,egg,keepme,gitignore,json,js,py,pyc}",
+  ];
+  const allLdConfDirs = ldConfDirPattern ? [ldConfDirPattern] : [];
+  collectAllLdConfs(basePath, ldConf, allLdConfDirs, libPaths);
+  if (allLdConfDirs.length) {
+    for (const aldconfPattern of allLdConfDirs) {
+      const confFiles = globSync(aldconfPattern, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: false,
+      });
+      for (const moreConf of confFiles) {
+        collectAllLdConfs(basePath, moreConf, allLdConfDirs, libPaths);
+      }
+    }
+  }
+  for (const apath of Array.from(new Set(libPaths))) {
+    try {
+      const files = globSync(`**${apath}/*.{so,so.*,a,lib,dll}`, {
+        cwd: basePath,
+        absolute: false,
+        nocase: true,
+        nodir: true,
+        dot: true,
+        follow: true,
+        ignore: ignoreList,
+      });
+      sharedLibs = sharedLibs.concat(files);
+    } catch (err) {
+      // ignore
+    }
+  }
+  return Array.from(new Set(sharedLibs)).sort();
+}
+
+function collectAllLdConfs(basePath, ldConf, allLdConfDirs, libPaths) {
+  if (ldConf && existsSync(join(basePath, ldConf))) {
+    const ldConfData = readFileSync(join(basePath, ldConf), "utf-8");
+    for (let line of ldConfData.split("\n")) {
+      line = line.replace("\r", "").trim();
+      if (!line.length || line.startsWith("#")) {
+        continue;
+      }
+      if (line.startsWith("include ")) {
+        let apattern = line.replace("include ", "");
+        if (!apattern.includes("*")) {
+          apattern = `${apattern}/*.conf`;
+        }
+        if (!allLdConfDirs.includes(apattern)) {
+          allLdConfDirs.push(apattern);
+        }
+      } else if (line.startsWith("/")) {
+        if (!libPaths.includes(line)) {
+          libPaths.push(line);
+        }
+      }
+    }
+  }
+}