@cyclonedx/cdxgen 11.3.2 → 11.4.1

package/data/spdx.schema.json

@@ -1,7 +1,7 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "http://cyclonedx.org/schema/spdx.schema.json",
-  "$comment": "v1.0-3.24.0",
+  "$comment": "v1.0-3.26.0",
   "type": "string",
   "enum": [
     "0BSD",
@@ -35,6 +35,7 @@
     "ANTLR-PD",
     "ANTLR-PD-fallback",
     "any-OSI",
+    "any-OSI-perl-modules",
     "Apache-1.0",
     "Apache-1.1",
     "Apache-2.0",
@@ -64,6 +65,7 @@
     "blessing",
     "BlueOak-1.0.0",
     "Boehm-GC",
+    "Boehm-GC-without-fee",
     "Borceux",
     "Brian-Gladman-2-Clause",
     "Brian-Gladman-3-Clause",
@@ -165,6 +167,8 @@
     "CC-BY-SA-3.0-IGO",
     "CC-BY-SA-4.0",
     "CC-PDDC",
+    "CC-PDM-1.0",
+    "CC-SA-1.0",
     "CC0-1.0",
     "CDDL-1.0",
     "CDDL-1.1",
@@ -215,6 +219,9 @@
     "DL-DE-BY-2.0",
     "DL-DE-ZERO-2.0",
     "DOC",
+    "DocBook-Schema",
+    "DocBook-Stylesheet",
+    "DocBook-XML",
     "Dotseqn",
     "DRL-1.0",
     "DRL-1.1",
@@ -256,6 +263,7 @@
     "fwlw",
     "GCR-docs",
     "GD",
+    "generic-xts",
     "GFDL-1.1",
     "GFDL-1.1-invariants-only",
     "GFDL-1.1-invariants-or-later",
@@ -308,6 +316,7 @@
     "Gutmann",
     "HaskellReport",
     "hdparm",
+    "HIDAPI",
     "Hippocratic-2.1",
     "HP-1986",
     "HP-1989",
@@ -326,6 +335,7 @@
     "HPND-Markus-Kuhn",
     "HPND-merchantability-variant",
     "HPND-MIT-disclaimer",
+    "HPND-Netrek",
     "HPND-Pbmplus",
     "HPND-sell-MIT-disclaimer-xserver",
     "HPND-sell-regexpr",
@@ -345,6 +355,7 @@
     "Imlib2",
     "Info-ZIP",
     "Inner-Net-2.0",
+    "InnoSetup",
     "Intel",
     "Intel-ACPI",
     "Interbase-1.0",
@@ -413,10 +424,12 @@
     "McPhee-slideshow",
     "metamail",
     "Minpack",
+    "MIPS",
     "MirOS",
     "MIT",
     "MIT-0",
     "MIT-advertising",
+    "MIT-Click",
     "MIT-CMU",
     "MIT-enna",
     "MIT-feh",
@@ -557,6 +570,7 @@
     "RSA-MD",
     "RSCPL",
     "Ruby",
+    "Ruby-pty",
     "SAX-PD",
     "SAX-PD-2.0",
     "Saxpath",
@@ -564,6 +578,7 @@
     "SchemeReport",
     "Sendmail",
     "Sendmail-8.23",
+    "Sendmail-Open-Source-1.1",
     "SGI-B-1.0",
     "SGI-B-1.1",
     "SGI-B-2.0",
@@ -576,6 +591,7 @@
     "SISSL-1.2",
     "SL",
     "Sleepycat",
+    "SMAIL-GPL",
     "SMLNJ",
     "SMPPL",
     "SNIA",
@@ -604,16 +620,19 @@
     "TCP-wrappers",
     "TermReadKey",
     "TGPPL-1.0",
+    "ThirdEye",
     "threeparttable",
     "TMate",
     "TORQUE-1.1",
     "TOSL",
     "TPDL",
     "TPL-1.0",
+    "TrustedQSL",
     "TTWL",
     "TTYP0",
     "TU-Berlin-1.0",
     "TU-Berlin-2.0",
+    "Ubuntu-font-1.0",
     "UCAR",
     "UCL-1.0",
     "ulem",
@@ -637,9 +656,11 @@
     "Widget-Workshop",
     "Wsuipa",
     "WTFPL",
+    "wwl",
     "wxWindows",
     "X11",
     "X11-distribute-modifications-variant",
+    "X11-swapped",
     "Xdebug-1.03",
     "Xerox",
     "Xfig",
@@ -674,11 +695,13 @@
     "Bison-exception-1.24",
     "Bison-exception-2.2",
     "Bootloader-exception",
+    "CGAL-linking-exception",
     "Classpath-exception-2.0",
     "CLISP-exception-2.0",
     "cryptsetup-OpenSSL-exception",
     "DigiRule-FOSS-exception",
     "eCos-exception-2.0",
+    "erlang-otp-linking-exception",
     "Fawkes-Runtime-exception",
     "FLTK-exception",
     "fmt-exception",
@@ -692,13 +715,16 @@
     "GNOME-examples-exception",
     "GNU-compiler-exception",
     "gnu-javamail-exception",
+    "GPL-3.0-389-ds-base-exception",
     "GPL-3.0-interface-exception",
     "GPL-3.0-linking-exception",
     "GPL-3.0-linking-source-exception",
     "GPL-CC-1.0",
     "GStreamer-exception-2005",
     "GStreamer-exception-2008",
+    "harbour-exception",
     "i2p-gpl-java-exception",
+    "Independent-modules-exception",
     "KiCad-libraries-exception",
     "LGPL-3.0-linking-exception",
     "libpri-OpenH323-exception",
@@ -708,6 +734,7 @@
     "LLVM-exception",
     "LZMA-exception",
     "mif-exception",
+    "mxml-exception",
     "Nokia-Qt-exception-1.1",
     "OCaml-LGPL-linking-exception",
     "OCCT-exception-1.0",
@@ -719,6 +746,7 @@
     "Qt-GPL-exception-1.0",
     "Qt-LGPL-exception-1.1",
     "Qwt-exception-1.0",
+    "romic-exception",
     "RRDtool-FLOSS-exception-2.0",
     "SANE-exception",
     "SHL-2.0",

package/lib/cli/index.js

@@ -1,5 +1,4 @@
 import { Buffer } from "node:buffer";
-import { spawnSync } from "node:child_process";
 import {
   constants,
   accessSync,
@@ -163,6 +162,7 @@ import {
   recomputeScope,
   safeExistsSync,
   safeMkdirSync,
+  safeSpawnSync,
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
@@ -588,6 +588,10 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
   if (lifecycles) {
     metadata.lifecycles = lifecycles;
   }
+  // TLP classification
+  if (options.specVersion >= 1.7 && options?.tlpClassification) {
+    metadata.distribution = options.tlpClassification;
+  }
   if (parentComponent && Object.keys(parentComponent).length) {
     if (parentComponent) {
       cleanParentComponent(parentComponent);
@@ -1435,7 +1439,7 @@ export async function createJarBom(path, options) {
       rmSync(tempDir, { recursive: true, force: true });
     }
   }
-  pkgList = pkgList.concat(convertJarNSToPackages(nsMapping));
+  pkgList = pkgList.concat(await convertJarNSToPackages(nsMapping));
   return buildBomNSData(options, pkgList, "maven", {
     src: path,
     parentComponent,
@@ -1614,8 +1618,8 @@ export async function createJavaBom(path, options) {
       }
       // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
       // so we need to run the plugin with the correct version
-      if (options.specVersion === 1.4) {
-        mvnArgs = mvnArgs.concat("-DschemaVersion=1.4");
+      if (options.specVersion) {
+        mvnArgs = mvnArgs.concat(`-DschemaVersion=${options.specVersion}`);
       }
     }
     const firstPom = pomFiles.length ? pomFiles[0] : undefined;
@@ -1660,7 +1664,7 @@ export async function createJavaBom(path, options) {
           `Executing '${mavenCmd} ${mvnArgs.join(" ")}' in`,
           basePath,
         );
-        result = spawnSync(mavenCmd, mvnArgs, {
+        result = safeSpawnSync(mavenCmd, mvnArgs, {
           cwd: basePath,
           shell: true,
           encoding: "utf-8",
@@ -1709,7 +1713,7 @@ export async function createJavaBom(path, options) {
           thoughtLog(
             "What is the parent component here? Let's use maven command to find out.",
           );
-          result = spawnSync(
+          result = safeSpawnSync(
             "mvn",
             ["dependency:tree", "-N", `-DoutputFile=${tempMvnParentTree}`],
             {
@@ -1748,7 +1752,7 @@ export async function createJavaBom(path, options) {
           );
         }
         // Prefer the built-in maven
-        result = spawnSync(
+        result = safeSpawnSync(
           PREFER_MAVEN_DEPS_TREE ? "mvn" : mavenCmd,
           mvnTreeArgs,
           {
@@ -2147,7 +2151,7 @@ export async function createJavaBom(path, options) {
       thoughtLog(
         `Let's invoke '${basename(gradleCmd)}' with the arguments '${gradleArg.join(" ").substring(0, 100)} ...'.`,
       );
-      const sresult = spawnSync(gradleCmd, gradleArg, {
+      const sresult = safeSpawnSync(gradleCmd, gradleArg, {
         cwd: gradleRootPath,
         encoding: "utf-8",
         shell: isWin,
@@ -2232,7 +2236,7 @@ export async function createJavaBom(path, options) {
       if (DEBUG_MODE) {
         console.log("Stopping gradle daemon...");
       }
-      const sresult = spawnSync(gradleCmd, ["--stop"], {
+      const sresult = safeSpawnSync(gradleCmd, ["--stop"], {
         cwd: gradleRootPath,
         encoding: "utf-8",
         shell: isWin,
@@ -2293,7 +2297,7 @@ export async function createJavaBom(path, options) {
         bArgs = ["--bazelrc=.bazelrc", "build", bazelTarget];
       }
       console.log("Executing", BAZEL_CMD, bArgs.join(" "), "in", basePath);
-      let result = spawnSync(BAZEL_CMD, bArgs, {
+      let result = safeSpawnSync(BAZEL_CMD, bArgs, {
         cwd: basePath,
         shell: true,
         encoding: "utf-8",
@@ -2331,7 +2335,7 @@ export async function createJavaBom(path, options) {
           bazelParser = parseBazelSkyframe;
         }
         console.log("Executing", BAZEL_CMD, `${query.join(" ")} in`, basePath);
-        result = spawnSync(BAZEL_CMD, query, {
+        result = safeSpawnSync(BAZEL_CMD, query, {
           cwd: basePath,
           encoding: "utf-8",
           timeout: TIMEOUT_MS,
@@ -2509,7 +2513,7 @@ export async function createJavaBom(path, options) {
           tempSbtgDir,
         );
         // Note that the command has to be invoked with `shell: true` to properly execut sbt
-        const result = spawnSync(SBT_CMD, sbtArgs, {
+        const result = safeSpawnSync(SBT_CMD, sbtArgs, {
           cwd: basePath,
           shell: true,
           encoding: "utf-8",
@@ -2628,7 +2632,7 @@ export async function createJavaBom(path, options) {
     if (DEBUG_MODE) {
       console.log("Executing", millCmd, millArgs.join(" "), "in", millRootPath);
     }
-    let sresult = spawnSync(millCmd, millArgs, {
+    let sresult = safeSpawnSync(millCmd, millArgs, {
       cwd: millRootPath,
       encoding: "utf-8",
       shell: isWin,
@@ -2651,7 +2655,7 @@ export async function createJavaBom(path, options) {
         millRootPath,
       );
     }
-    sresult = spawnSync(millCmd, millResolveArgs, {
+    sresult = safeSpawnSync(millCmd, millResolveArgs, {
       cwd: millRootPath,
       encoding: "utf-8",
       shell: isWin,
@@ -2717,7 +2721,7 @@ export async function createJavaBom(path, options) {
       if (DEBUG_MODE) {
         console.log("Shutting down mill server...");
       }
-      const sresult = spawnSync(millCmd, ["shutdown"], {
+      const sresult = safeSpawnSync(millCmd, ["shutdown"], {
         cwd: millRootPath,
         encoding: "utf-8",
         shell: isWin,
@@ -2943,7 +2947,7 @@ export async function createNodejsBom(path, options) {
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
       );
-      const result = spawnSync(pkgMgr, installArgs, {
+      const result = safeSpawnSync(pkgMgr, installArgs, {
         cwd: basePath,
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
@@ -3140,6 +3144,10 @@ export async function createNodejsBom(path, options) {
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
+      const pnpmHooks = join(basePath, ".pnpmfile.cjs");
+      if (safeExistsSync(pnpmHooks)) {
+        thoughtLog("Wait, this pnpm project uses install hooks.");
+      }
       if (!Object.keys(parentComponent).length) {
         if (safeExistsSync(packageJsonF)) {
           const pcs = await parsePkgJson(packageJsonF, true);
@@ -3270,7 +3278,7 @@ export async function createNodejsBom(path, options) {
     // Do rush install if we don't have node_modules directory
     if (!safeExistsSync(nmDir)) {
       console.log("Executing 'rush install --no-link'", path);
-      const result = spawnSync(
+      const result = safeSpawnSync(
         "rush",
         ["install", "--no-link", "--bypass-policy"],
         {
@@ -3806,7 +3814,7 @@ export async function createPythonBom(path, options) {
   if (requirementsMode || pipenvMode) {
     if (pipenvMode) {
       // TODO: Support for nested directories
-      spawnSync("pipenv", ["install"], { cwd: path, encoding: "utf-8" });
+      safeSpawnSync("pipenv", ["install"], { cwd: path, encoding: "utf-8" });
       const piplockFile = join(path, "Pipfile.lock");
       if (safeExistsSync(piplockFile)) {
         const lockData = JSON.parse(readFileSync(piplockFile));
@@ -4033,7 +4041,7 @@ export async function createPythonBom(path, options) {
       tempDir,
       parentComponent,
     );
-    if (DEBUG_MODE && newPkgMap.failedPkgList.length) {
+    if (DEBUG_MODE && newPkgMap?.failedPkgList?.length) {
       if (newPkgMap.failedPkgList.length < pkgList.length) {
         console.log(
           `${newPkgMap.failedPkgList.length} packages failed to install.`,
@@ -4148,7 +4156,7 @@ export async function createGoBom(path, options) {
       if (DEBUG_MODE) {
         console.log(`go mod why -m -vendor ${pkgFullName}`);
       }
-      const mresult = spawnSync(
+      const mresult = safeSpawnSync(
         "go",
         ["mod", "why", "-m", "-vendor", pkgFullName],
         {
@@ -4250,7 +4258,7 @@ export async function createGoBom(path, options) {
         if (DEBUG_MODE) {
           console.log("Executing go list -deps in", basePath);
         }
-        let result = spawnSync(
+        let result = safeSpawnSync(
           "go",
           [
             "list",
@@ -4298,7 +4306,7 @@ export async function createGoBom(path, options) {
             console.log("Executing go mod graph in", basePath);
           }
           // Next we use the go mod graph command to construct the dependency tree
-          result = spawnSync("go", ["mod", "graph"], {
+          result = safeSpawnSync("go", ["mod", "graph"], {
             cwd: basePath,
             encoding: "utf-8",
             timeout: TIMEOUT_MS,
@@ -4351,7 +4359,7 @@ export async function createGoBom(path, options) {
             console.log("Executing go mod graph in", basePath);
           }
           // Next we use the go mod graph command to construct the dependency tree
-          result = spawnSync("go", ["mod", "graph"], {
+          result = safeSpawnSync("go", ["mod", "graph"], {
             cwd: basePath,
             encoding: "utf-8",
             timeout: TIMEOUT_MS,
@@ -4541,7 +4549,7 @@ export async function createRustBom(path, options) {
           basePath,
         );
       }
-      const cargoInstallResult = spawnSync(CARGO_CMD, cargoArgs, {
+      const cargoInstallResult = safeSpawnSync(CARGO_CMD, cargoArgs, {
         cwd: basePath,
         encoding: "utf-8",
         shell: isWin,
@@ -4907,7 +4915,7 @@ export function createClojureBom(path, options) {
       }
       const basePath = dirname(f);
       console.log("Executing", LEIN_CMD, LEIN_ARGS.join(" "), "in", basePath);
-      const result = spawnSync(LEIN_CMD, LEIN_ARGS, {
+      const result = safeSpawnSync(LEIN_CMD, LEIN_ARGS, {
         cwd: basePath,
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
@@ -4956,7 +4964,7 @@ export function createClojureBom(path, options) {
     for (const f of ednFiles) {
       const basePath = dirname(f);
       console.log("Executing", CLJ_CMD, CLJ_ARGS.join(" "), "in", basePath);
-      const result = spawnSync(CLJ_CMD, CLJ_ARGS, {
+      const result = safeSpawnSync(CLJ_CMD, CLJ_ARGS, {
         cwd: basePath,
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
@@ -5339,7 +5347,7 @@ export async function createSwiftBom(path, options) {
           `Executing '${swiftCommand} ${packageArgs.join(" ")}' in ${basePath}. Please wait ...`,
         );
       }
-      const result = spawnSync(swiftCommand, packageArgs, {
+      const result = safeSpawnSync(swiftCommand, packageArgs, {
         cwd: basePath,
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
@@ -5923,7 +5931,7 @@ export function createPHPBom(path, options) {
     if (DEBUG_MODE) {
       console.log("About to invoke composer --version");
     }
-    const versionResult = spawnSync("composer", ["--version"], {
+    const versionResult = safeSpawnSync("composer", ["--version"], {
       encoding: "utf-8",
     });
     if (versionResult.status !== 0 || versionResult.error) {
@@ -5956,7 +5964,7 @@ export function createPHPBom(path, options) {
         console.log("Executing 'composer install' in", basePath);
         args = ["install", "--ignore-platform-reqs"];
       }
-      const result = spawnSync("composer", args, {
+      const result = safeSpawnSync("composer", args, {
         cwd: basePath,
         encoding: "utf-8",
       });
@@ -6108,7 +6116,7 @@ export async function createRubyBom(path, options) {
     for (const f of gemFiles) {
       const basePath = dirname(f);
       console.log("Executing 'bundle install' in", basePath);
-      const result = spawnSync("bundle", ["install"], {
+      const result = safeSpawnSync("bundle", ["install"], {
         cwd: basePath,
         encoding: "utf-8",
       });
@@ -6368,7 +6376,7 @@ export async function createCsharpBom(path, options) {
           `Executing '${buildCmd} ${buildArgs.join(" ")}' in ${basePath}`,
         );
       }
-      const result = spawnSync(buildCmd, buildArgs, {
+      const result = safeSpawnSync(buildCmd, buildArgs, {
         cwd: path,
         encoding: "utf-8",
         env: { ...process.env, DOTNET_ROLL_FORWARD: "Major" },

package/lib/evinser/evinser.js

@@ -286,7 +286,11 @@ export async function createSlice(
   if (sliceType === "usages") {
     // Generate OpenAPI specification for endpoints. Needs atom-tools pypi package to be installed.
     args.push("--extract-endpoints");
-    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+    if (
+      process.env?.CDXGEN_IN_CONTAINER !== "true" &&
+      !process.env?.DEVENV_NIX &&
+      !process.env?.NIX_STORE
+    ) {
       console.log(
         "Use an official cdxgen container image to improve the precision of endpoints detection (for SaaSBOM).",
       );

package/lib/helpers/envcontext.js

@@ -1,5 +1,4 @@
 import { Buffer } from "node:buffer";
-import { spawnSync } from "node:child_process";
 import { arch, homedir } from "node:os";
 import { delimiter, dirname, join } from "node:path";
 import process from "node:process";
@@ -23,6 +22,7 @@ import {
   isMac,
   isWin,
   safeExistsSync,
+  safeSpawnSync,
 } from "./utils.js";
 
 export const GIT_COMMAND = process.env.GIT_CMD || "git";
@@ -35,7 +35,7 @@ export const SDKMAN_JAVA_TOOL_ALIASES = {
   java21: process.env.JAVA21_TOOL || "21.0.7-tem",
   java22: process.env.JAVA22_TOOL || "22.0.2-tem",
   java23: process.env.JAVA23_TOOL || "23.0.2-tem",
-  java24: process.env.JAVA24_TOOL || "24-tem",
+  java24: process.env.JAVA24_TOOL || "24.0.1-tem",
 };
 
 /**
@@ -399,7 +399,7 @@ const getCommandOutput = (cmd, dir, args) => {
   if (DEBUG_MODE) {
     console.log(`Executing ${commandToUse} ${args.join(" ")} in ${dir}`);
   }
-  const result = spawnSync(commandToUse, args, {
+  const result = safeSpawnSync(commandToUse, args, {
     cwd: dir,
     encoding: "utf-8",
     shell: isWin,
@@ -440,7 +440,7 @@ export function isSdkmanAvailable() {
  * Method to check if nvm is available.
  */
 export function isNvmAvailable() {
-  const result = spawnSync(
+  const result = safeSpawnSync(
     process.env.SHELL || "bash",
     ["-i", "-c", process.env.NVM_CMD || "nvm"],
     {
@@ -502,7 +502,7 @@ export function installSdkmanTool(toolType, toolName) {
       installDir = join(process.env.SDKMAN_CANDIDATES_DIR, toolType);
     }
     console.log("About to install", toolType, toolName, installDir);
-    result = spawnSync(
+    result = safeSpawnSync(
       process.env.SHELL || "bash",
       [
         "-i",
@@ -597,7 +597,7 @@ export function installSdkmanTool(toolType, toolName) {
  * @returns {String} path of nvm if present, otherwise false
  */
 export function getNvmToolDirectory(toolName) {
-  const resultWhichNode = spawnSync(
+  const resultWhichNode = safeSpawnSync(
     process.env.SHELL || "bash",
     ["-i", "-c", `"nvm which ${toolName}"`],
     {
@@ -632,7 +632,7 @@ export function getOrInstallNvmTool(toolVersion) {
   const nvmNodePath = getNvmToolDirectory(toolVersion);
   if (!nvmNodePath) {
     // nvm couldn't directly use toolName so maybe needs to be installed
-    const resultInstall = spawnSync(
+    const resultInstall = safeSpawnSync(
       process.env.SHELL || "bash",
       ["-i", "-c", `"nvm install ${toolVersion}"`],
       {
@@ -678,7 +678,7 @@ function getSdkmanToolFullname(toolName) {
  * @returns {Boolean} true if rbenv is available. false otherwise.
  */
 export function isRbenvAvailable() {
-  let result = spawnSync(
+  let result = safeSpawnSync(
     process.env.SHELL || "bash",
     ["-i", "-c", process.env.RBENV_CMD || "rbenv", "--version"],
     {
@@ -688,7 +688,7 @@ export function isRbenvAvailable() {
     },
   );
   if (result.status !== 0) {
-    result = spawnSync(process.env.RBENV_CMD || "rbenv", ["--version"], {
+    result = safeSpawnSync(process.env.RBENV_CMD || "rbenv", ["--version"], {
       shell: isWin,
       encoding: "utf-8",
     });
@@ -732,7 +732,7 @@ export function bundleInstallWithDocker(rubyVersion, cdxgenGemHome, filePath) {
     "install",
   ];
   console.log(`Performing bundle install with: ${ociCmd} ${ociArgs.join(" ")}`);
-  const result = spawnSync(ociCmd, ociArgs, {
+  const result = safeSpawnSync(ociCmd, ociArgs, {
     encoding: "utf-8",
     shell: isWin,
     timeout: TIMEOUT_MS,
@@ -765,7 +765,7 @@ export function installRubyVersion(rubyVersion, filePath) {
   }
   const fullToolBinDir = rubyVersionDir(rubyVersion);
   if (safeExistsSync(fullToolBinDir)) {
-    const result = spawnSync(
+    const result = safeSpawnSync(
       process.env.RBENV_CMD || "rbenv",
       ["local", rubyVersion],
       {
@@ -809,7 +809,7 @@ export function installRubyVersion(rubyVersion, filePath) {
       `To speed up this step, use bind mounts. Example: "--mount type=bind,src=/tmp/rbenv,dst=/root/.rbenv/versions/${rubyVersion}"`,
     );
   }
-  const result = spawnSync(
+  const result = safeSpawnSync(
     process.env.RBENV_CMD || "rbenv",
     ["install", rubyVersion],
     {
@@ -879,7 +879,7 @@ export function installRubyBundler(rubyVersion, bundlerVersion) {
         );
       }
     }
-    const result = spawnSync(join(fullToolBinDir, "gem"), gemInstallArgs, {
+    const result = safeSpawnSync(join(fullToolBinDir, "gem"), gemInstallArgs, {
       encoding: "utf-8",
       shell: isWin,
       timeout: TIMEOUT_MS,
@@ -946,7 +946,7 @@ export function performBundleInstall(
   console.log(
     `Invoking ${bundleCommand} ${installArgs.join(" ")} from ${basePath} with GEM_HOME ${cdxgenGemHome}. Please wait ...`,
   );
-  let result = spawnSync(bundleCommand, installArgs, {
+  let result = safeSpawnSync(bundleCommand, installArgs, {
     encoding: "utf-8",
     shell: isWin,
     timeout: TIMEOUT_MS,
@@ -1003,7 +1003,7 @@ export function performBundleInstall(
         );
       }
       console.log(`${bundleCommand} ${updateArgs.join(" ")}`);
-      result = spawnSync(bundleCommand, updateArgs, {
+      result = safeSpawnSync(bundleCommand, updateArgs, {
         encoding: "utf-8",
         shell: isWin,
         timeout: TIMEOUT_MS,
@@ -1048,7 +1048,7 @@ export function performBundleInstall(
       }
       if (process.env?.CDXGEN_IN_CONTAINER === "true") {
         console.log(
-          "TIP: Create your own container image by using an existing Ruby base image from here: https://github.com/CycloneDX/cdxgen/tree/master/ci/base-images/debian",
+          "TIP: Create your own container image by using an existing Ruby base image from here: https://github.com/CycloneDX/cdxgen/tree/master/ci/images/debian",
         );
       }
     }