@cyclonedx/cdxgen 11.4.3 → 11.5.0

package/lib/helpers/utils.js

@@ -507,6 +507,7 @@ export const PROJECT_TYPE_ALIASES = {
   oci: ["docker", "oci", "container", "podman"],
   cocoa: ["cocoa", "cocoapods", "objective-c", "swift", "ios"],
   scala: ["scala", "scala3", "sbt", "mill"],
+  nix: ["nix", "nixos", "flake"],
 };
 
 // Package manager aliases
@@ -580,8 +581,11 @@ export function hasAnyProjectType(projectTypes, options, defaultStatus = true) {
   const allProjectTypes = [...projectTypes];
   // Convert the project types into base types
   const baseProjectTypes = [];
-  // Support for arbitray versioned ruby type
-  if (projectTypes.filter((p) => p.startsWith("ruby")).length) {
+  // Support for arbitrary versioned ruby type
+  if (
+    options.projectType?.length &&
+    projectTypes.filter((p) => p.startsWith("ruby")).length
+  ) {
     baseProjectTypes.push("ruby");
   }
   const baseExcludeTypes = [];
@@ -692,6 +696,7 @@ export const cdxgenAgent = got.extend({
   retry: {
     limit: 0,
   },
+  followRedirect: !isSecureMode,
   hooks: {
     beforeRequest: [
       (options) => {
@@ -725,6 +730,8 @@ export const cdxgenAgent = got.extend({
  * @param {string} dirPath Root directory for search
  * @param {string} pattern Glob pattern (eg: *.gradle)
  * @param {Object} options CLI options
+ *
+ * @returns {Array[string]} List of matched files
  */
 export function getAllFiles(dirPath, pattern, options = {}) {
   let ignoreList = [
@@ -737,7 +744,7 @@ export function getAllFiles(dirPath, pattern, options = {}) {
     "**/coverage/**",
   ];
   // Only ignore node_modules if the caller is not looking for package.json
-  if (!pattern.includes("package.json")) {
+  if (!pattern.includes("package.json") && !options.includeNodeModulesDir) {
     ignoreList.push("**/node_modules/**");
   }
   // ignore docs only for non-lock file lookups
@@ -752,7 +759,27 @@ export function getAllFiles(dirPath, pattern, options = {}) {
   if (options?.exclude && Array.isArray(options.exclude)) {
     ignoreList = ignoreList.concat(options.exclude);
   }
-  return getAllFilesWithIgnore(dirPath, pattern, ignoreList);
+  const includeDot = pattern.startsWith(".") || options.includeNodeModulesDir;
+  const defaultHits = getAllFilesWithIgnore(
+    dirPath,
+    pattern,
+    includeDot,
+    ignoreList,
+  );
+  // Support for specifying the pattern via options
+  if (options?.include?.length) {
+    const includeOnlyHits = getAllFilesWithIgnore(
+      dirPath,
+      options.include,
+      includeDot,
+      ignoreList,
+    );
+    if (!includeOnlyHits.length) {
+      return [];
+    }
+    return defaultHits.filter((f) => includeOnlyHits.includes(f));
+  }
+  return defaultHits;
 }
 
 /**
@@ -760,16 +787,24 @@ export function getAllFiles(dirPath, pattern, options = {}) {
  *
  * @param {string} dirPath Root directory for search
  * @param {string} pattern Glob pattern (eg: *.gradle)
+ * @param {Boolean} includeDot whether hidden files can be included.
  * @param {Array} ignoreList Directory patterns to ignore
+ *
+ * @returns {Array[string]} List of matched files
  */
-export function getAllFilesWithIgnore(dirPath, pattern, ignoreList) {
+export function getAllFilesWithIgnore(
+  dirPath,
+  pattern,
+  includeDot,
+  ignoreList,
+) {
   try {
     const files = globSync(pattern, {
       cwd: dirPath,
       absolute: true,
       nocase: true,
       nodir: true,
-      dot: pattern.startsWith("."),
+      dot: includeDot,
       follow: false,
       ignore: ignoreList,
     });
@@ -2285,6 +2320,164 @@ export function parsePnpmWorkspace(workspaceFile) {
   };
 }
 
+/**
+ * Helper function to find a package path in pnpm node_modules structure
+ *
+ * @param {string} baseDir Base directory containing node_modules
+ * @param {string} packageName Package name (with or without scope)
+ * @param {string} version Package version
+ * @returns {string|null} Path to the package directory or null if not found
+ */
+export function findPnpmPackagePath(baseDir, packageName, version) {
+  if (!baseDir || !packageName) {
+    return null;
+  }
+
+  const nodeModulesDir = join(baseDir, "node_modules");
+  if (!safeExistsSync(nodeModulesDir)) {
+    return null;
+  }
+
+  // Try direct node_modules lookup first (for symlinked packages)
+  const directPath = join(nodeModulesDir, packageName);
+  if (
+    safeExistsSync(directPath) &&
+    safeExistsSync(join(directPath, "package.json"))
+  ) {
+    return directPath;
+  }
+
+  // Try pnpm's .pnpm directory structure
+  const pnpmDir = join(nodeModulesDir, ".pnpm");
+  if (safeExistsSync(pnpmDir)) {
+    // pnpm stores packages as {name}@{version} in .pnpm directory
+    const encodedName = packageName.replace("/", "%2f");
+    let pnpmPackagePath;
+
+    // Try different formats that pnpm might use
+    const possiblePaths = [
+      join(pnpmDir, `${encodedName}@${version}`, "node_modules", packageName),
+      join(pnpmDir, `${packageName}@${version}`, "node_modules", packageName),
+      join(pnpmDir, `${encodedName}@${version}`),
+      join(pnpmDir, `${packageName}@${version}`),
+    ];
+
+    for (const possiblePath of possiblePaths) {
+      if (
+        safeExistsSync(possiblePath) &&
+        safeExistsSync(join(possiblePath, "package.json"))
+      ) {
+        pnpmPackagePath = possiblePath;
+        break;
+      }
+    }
+
+    if (pnpmPackagePath) {
+      return pnpmPackagePath;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * pnpm packages with metadata from local node_modules
+ *
+ * @param {Array} pkgList Package list to enhance
+ * @param {string} lockFilePath Path to the pnpm-lock.yaml file
+ * @returns {Array} Enhanced package list
+ */
+export async function pnpmMetadata(pkgList, lockFilePath) {
+  if (!pkgList || !pkgList.length || !lockFilePath) {
+    return pkgList;
+  }
+
+  const baseDir = dirname(lockFilePath);
+  const nodeModulesDir = join(baseDir, "node_modules");
+
+  // Only proceed if node_modules exists
+  if (!safeExistsSync(nodeModulesDir)) {
+    return pkgList;
+  }
+
+  if (DEBUG_MODE) {
+    console.log(
+      `Metadata for ${pkgList.length} pnpm packages using local node_modules at ${nodeModulesDir}`,
+    );
+  }
+
+  let enhancedCount = 0;
+  for (const pkg of pkgList) {
+    // Skip if package already has complete metadata
+    if (pkg.description && pkg.author && pkg.license) {
+      continue;
+    }
+
+    // Find the package path in node_modules
+    const packagePath = findPnpmPackagePath(baseDir, pkg.name, pkg.version);
+    if (!packagePath) {
+      continue;
+    }
+
+    const packageJsonPath = join(packagePath, "package.json");
+    if (!safeExistsSync(packageJsonPath)) {
+      continue;
+    }
+
+    try {
+      // Parse the local package.json to get metadata
+      const localPkgList = await parsePkgJson(packageJsonPath, true);
+      if (localPkgList && localPkgList.length === 1) {
+        const localMetadata = localPkgList[0];
+        if (localMetadata && Object.keys(localMetadata).length) {
+          if (!pkg.description && localMetadata.description) {
+            pkg.description = localMetadata.description;
+          }
+          if (!pkg.author && localMetadata.author) {
+            pkg.author = localMetadata.author;
+          }
+          if (!pkg.license && localMetadata.license) {
+            pkg.license = localMetadata.license;
+          }
+          if (!pkg.homepage && localMetadata.homepage) {
+            pkg.homepage = localMetadata.homepage;
+          }
+          if (!pkg.repository && localMetadata.repository) {
+            pkg.repository = localMetadata.repository;
+          }
+
+          // Add a property to track that we enhanced from local node_modules
+          if (!pkg.properties) {
+            pkg.properties = [];
+          }
+          pkg.properties.push({
+            name: "LocalNodeModulesPath",
+            value: packagePath,
+          });
+
+          enhancedCount++;
+        }
+      }
+    } catch (error) {
+      // Silently ignore parsing errors for individual packages
+      if (DEBUG_MODE) {
+        console.log(
+          `Failed to parse package.json at ${packageJsonPath}:`,
+          error.message,
+        );
+      }
+    }
+  }
+
+  if (DEBUG_MODE && enhancedCount > 0) {
+    console.log(
+      `Enhanced metadata for ${enhancedCount} packages from local node_modules`,
+    );
+  }
+
+  return pkgList;
+}
+
 /**
  * Parse nodejs pnpm lock file
  *
@@ -2646,6 +2839,21 @@ export async function parsePnpmLock(
         packages[fullName]?.resolution ||
         snapshots[fullName]?.resolution;
       const integrity = resolution?.integrity;
+      const cpu =
+        packages[pkgKeys[k]]?.cpu ||
+        snapshots[pkgKeys[k]]?.cpu ||
+        packages[fullName]?.cpu ||
+        snapshots[fullName]?.cpu;
+      const os =
+        packages[pkgKeys[k]]?.os ||
+        snapshots[pkgKeys[k]]?.os ||
+        packages[fullName]?.os ||
+        snapshots[fullName]?.os;
+      const libc =
+        packages[pkgKeys[k]]?.libc ||
+        snapshots[pkgKeys[k]]?.libc ||
+        packages[fullName]?.libc ||
+        snapshots[fullName]?.libc;
       // In lock file version 9, dependencies is under snapshots
       const deps =
         packages[pkgKeys[k]]?.dependencies ||
@@ -2849,7 +3057,7 @@ export async function parsePnpmLock(
               value: pnpmLock,
             },
           ];
-          if (hasBin) {
+          if (hasBin || os || cpu || libc) {
             properties.push({
               name: "cdx:npm:has_binary",
               value: `${hasBin}`,
@@ -2861,6 +3069,14 @@ export async function parsePnpmLock(
               value: deprecatedMessage,
             });
           }
+          const binary_metadata = { os, cpu, libc };
+          Object.entries(binary_metadata).forEach(([key, value]) => {
+            if (!value) return;
+            properties.push({
+              name: `cdx:pnpm:${key}`,
+              value: Array.isArray(value) ? value.join(", ") : value,
+            });
+          });
           if (srcFilesMap[decodeURIComponent(purlString)]) {
             for (const sf of srcFilesMap[decodeURIComponent(purlString)]) {
               properties.push({
@@ -3075,6 +3291,12 @@ export async function parsePnpmLock(
       });
     }
   }
+
+  // Enhance metadata from local node_modules if available
+  if (pkgList?.length) {
+    pkgList = await pnpmMetadata(pkgList, pnpmLock);
+  }
+
   if (shouldFetchLicense() && pkgList && pkgList.length) {
     if (DEBUG_MODE) {
       console.log(
@@ -4725,13 +4947,19 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
         p.name = p.name.split("[")[0];
       }
       let res;
+      let url_addition;
+      if (p.version?.trim().length) {
+        url_addition = `${p.name}/${p.version.trim()}/json`;
+      } else {
+        url_addition = `${p.name}/json`;
+      }
       try {
-        res = await cdxgenAgent.get(`${PYPI_URL + p.name}/json`, {
+        res = await cdxgenAgent.get(`${PYPI_URL + url_addition}`, {
           responseType: "json",
         });
       } catch (_err) {
         // retry by prefixing django- to the package name
-        res = await cdxgenAgent.get(`${PYPI_URL}django-${p.name}/json`, {
+        res = await cdxgenAgent.get(`${PYPI_URL}django-${url_addition}`, {
           responseType: "json",
         });
         p.name = `django-${p.name}`;
@@ -4774,6 +5002,12 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
           p.license.push(licenseId);
         }
       }
+      if (body.info.license_expression) {
+        const licenseId = findLicenseId(body.info.license_expression);
+        if (licenseId && !p.license.includes(licenseId)) {
+          p.license.push(licenseId);
+        }
+      }
       if (body.info.home_page) {
         if (body.info.home_page.includes("git")) {
           p.repository = { url: body.info.home_page };
@@ -5611,20 +5845,66 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
 }
 
 /**
- * Method to parse requirements.txt data. This must be replaced with atom parsedeps.
+ * Method to parse requirements.txt file. This must be replaced with atom parsedeps.
  *
- * @param {Object} reqData Requirements.txt data
+ * @param {String} reqFile Requirements.txt file
  * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
+ *
+ * @returns {Promise[Array<Object>]} List of direct dependencies from the requirements file
  */
-export async function parseReqFile(reqData, fetchDepsInfo) {
+export async function parseReqFile(reqFile, fetchDepsInfo = false) {
+  return await parseReqData(reqFile, null, fetchDepsInfo);
+}
+
+/**
+ * Method to parse requirements.txt file. Must only be used internally.
+ *
+ * @param {String} reqFile Requirements.txt file
+ * @param {Object} reqData Requirements.txt data for internal invocations from setup.py file etc.
+ *
+ * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
+ *
+ * @returns {Promise[Array<Object>]} List of direct dependencies from the requirements file
+ */
+async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
   const pkgList = [];
   let compScope;
+  if (!reqFile && !reqData) {
+    console.warn(
+      "Either the requirements file or the data needs to be provided for parsing.",
+    );
+    return pkgList;
+  }
+  reqData = reqData || readFileSync(reqFile, { encoding: "utf-8" });
+  const evidence = reqFile
+    ? {
+        identity: {
+          field: "purl",
+          confidence: 0.5,
+          methods: [
+            {
+              technique: "manifest-analysis",
+              confidence: 0.5,
+              value: reqFile,
+            },
+          ],
+        },
+      }
+    : undefined;
   reqData
     .replace(/\r/g, "")
     .replace(/ [\\]\n/g, "")
     .replace(/ {4}/g, " ")
     .split("\n")
     .forEach((l) => {
+      const properties = reqFile
+        ? [
+            {
+              name: "SrcFile",
+              value: reqFile,
+            },
+          ]
+        : [];
       l = l.trim();
       let markers;
       if (l.includes(" ; ")) {
@@ -5659,11 +5939,11 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
             const name = tmpA[0].trim().replace(";", "");
             const versionSpecifiers = l.replace(name, "");
             if (!PYTHON_STD_MODULES.includes(name)) {
-              const properties = [];
               const apkg = {
                 name,
                 version: versionStr,
                 scope: compScope,
+                evidence,
               };
               if (
                 versionSpecifiers?.length > 0 &&
@@ -5695,7 +5975,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
               name,
               version: undefined,
               scope: compScope,
+              evidence,
               properties: [
+                ...properties,
                 {
                   name: "cdx:pypi:versionSpecifiers",
                   value: versionSpecifiers?.length
@@ -5718,7 +6000,9 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
                 name,
                 version: undefined,
                 scope: compScope,
+                evidence,
                 properties: [
+                  ...properties,
                   {
                     name: "cdx:pypi:versionSpecifiers",
                     value: versionSpecifiers?.length
@@ -5743,6 +6027,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
                 name,
                 version: undefined,
                 scope: compScope,
+                evidence,
                 properties: [
                   {
                     name: "cdx:pypi:versionSpecifiers",
@@ -5761,6 +6046,7 @@ export async function parseReqFile(reqData, fetchDepsInfo) {
                 name,
                 version: null,
                 scope: compScope,
+                evidence,
                 properties: [
                   {
                     name: "cdx:pypi:versionSpecifiers",
@@ -5884,7 +6170,7 @@ export async function parseSetupPyFile(setupPyData) {
       lines = lines.concat(tmpA);
     }
   });
-  return await parseReqFile(lines.join("\n"), false);
+  return await parseReqData(null, lines.join("\n"), false);
 }
 
 /**
@@ -7323,6 +7609,7 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
       pkg?.version?.includes("File.") ||
       pkg?.version?.includes("::")
     ) {
+      const origVersion = pkg.version;
       pkg.version = undefined;
       // Can we find the version from the directory name?
       if (gemspecFile) {
@@ -7333,10 +7620,17 @@ export async function parseGemspecData(gemspecData, gemspecFile) {
         }
       }
       if (!versionHackMatch && !pkg.version) {
-        console.log(
-          "Unable to identify the package version by parsing the file",
-          gemspecFile,
-        );
+        if (origVersion?.toLowerCase().includes("version")) {
+          if (DEBUG_MODE) {
+            console.log(
+              `Unable to identify the version for '${pkg.name}' from the string '${origVersion}'. Spec file: ${gemspecFile}`,
+            );
+          }
+        } else {
+          console.log(
+            `Unable to identify the version for '${pkg.name}'. Spec file: ${gemspecFile}`,
+          );
+        }
       }
     }
     for (const aprop of ["authors", "licenses"]) {
@@ -9236,15 +9530,35 @@ export function parseConanLockData(conanLockData) {
   if (!conanLockData) {
     return pkgList;
   }
-  const graphLock = JSON.parse(conanLockData);
-  if (!graphLock || !graphLock.graph_lock || !graphLock.graph_lock.nodes) {
+  const lockFile = JSON.parse(conanLockData);
+  if (
+    (!lockFile || !lockFile.graph_lock || !lockFile.graph_lock.nodes) &&
+    !lockFile.requires
+  ) {
     return pkgList;
   }
-  const nodes = graphLock.graph_lock.nodes;
-  for (const nk of Object.keys(nodes)) {
-    if (nodes[nk].ref) {
+  if (lockFile.graph_lock?.nodes) {
+    const depends = lockFile.graph_lock.nodes;
+    for (const nk of Object.keys(depends)) {
+      if (depends[nk].ref) {
+        const [purl, name, version] =
+          mapConanPkgRefToPurlStringAndNameAndVersion(depends[nk].ref);
+        if (purl !== null) {
+          pkgList.push({
+            name,
+            version,
+            purl,
+            "bom-ref": decodeURIComponent(purl),
+          });
+        }
+      }
+    }
+  } else if (lockFile.requires) {
+    const depends = lockFile.requires;
+    for (const nk of Object.keys(depends)) {
+      depends[nk] = depends[nk].split("%").shift();
       const [purl, name, version] = mapConanPkgRefToPurlStringAndNameAndVersion(
-        nodes[nk].ref,
+        depends[nk],
       );
       if (purl !== null) {
         pkgList.push({
@@ -9397,6 +9711,218 @@ export async function parseNupkg(nupkgFile) {
   return parseNuspecData(nupkgFile, nuspecData);
 }
 
+/**
+ * Method to parse flake.nix files
+ *
+ * @param {String} flakeNixFile flake.nix file to parse
+ * @returns {Object} Object containing package information
+ */
+export function parseFlakeNix(flakeNixFile) {
+  const pkgList = [];
+  const dependencies = [];
+
+  if (!existsSync(flakeNixFile)) {
+    return { pkgList, dependencies };
+  }
+
+  try {
+    const flakeContent = readFileSync(flakeNixFile, "utf-8");
+
+    // Extract inputs from flake.nix using regex
+    const inputsRegex = /inputs\s*=\s*\{[^}]*\}/g;
+    let match;
+    while ((match = inputsRegex.exec(flakeContent)) !== null) {
+      const inputBlock = match[0];
+
+      // Match different input patterns including nested inputs
+      const inputPatterns = [
+        /([a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)*)\.url\s*=\s*"([^"]+)"/g,
+        /([a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)*)\s*=\s*\{\s*url\s*=\s*"([^"]+)"[^}]*\}/gs,
+      ];
+
+      const addedPackages = new Set();
+
+      for (const pattern of inputPatterns) {
+        let subMatch;
+        pattern.lastIndex = 0;
+        while ((subMatch = pattern.exec(inputBlock)) !== null) {
+          const name = subMatch[1];
+          const url = subMatch[2] || subMatch[3];
+
+          if (name && url && !addedPackages.has(name)) {
+            addedPackages.add(name);
+            const pkg = {
+              name: name,
+              version: "latest",
+              description: `Nix flake input: ${name}`,
+              scope: "required",
+              properties: [
+                {
+                  name: "SrcFile",
+                  value: flakeNixFile,
+                },
+                {
+                  name: "cdx:nix:input_url",
+                  value: url,
+                },
+              ],
+              evidence: {
+                identity: {
+                  field: "purl",
+                  confidence: 0.8,
+                  methods: [
+                    {
+                      technique: "manifest-analysis",
+                      confidence: 0.8,
+                      value: flakeNixFile,
+                    },
+                  ],
+                },
+              },
+            };
+
+            pkg.purl = generateNixPurl(name, "latest");
+            pkg["bom-ref"] = pkg.purl;
+
+            pkgList.push(pkg);
+          }
+        }
+      }
+    }
+  } catch (error) {
+    console.warn(`Failed to parse ${flakeNixFile}: ${error.message}`);
+  }
+
+  return { pkgList, dependencies };
+}
+
+/**
+ * Method to parse flake.lock files
+ *
+ * @param {String} flakeLockFile flake.lock file to parse
+ * @returns {Object} Object containing locked dependency information
+ */
+export function parseFlakeLock(flakeLockFile) {
+  const pkgList = [];
+  const dependencies = [];
+
+  if (!existsSync(flakeLockFile)) {
+    return { pkgList, dependencies };
+  }
+
+  try {
+    const lockContent = readFileSync(flakeLockFile, "utf-8");
+    const lockData = JSON.parse(lockContent);
+
+    if (lockData.nodes) {
+      for (const [nodeName, nodeData] of Object.entries(lockData.nodes)) {
+        if (nodeName === "root" || !nodeData.locked) continue;
+
+        const locked = nodeData.locked;
+
+        let version = "latest";
+        if (locked.rev) {
+          version = locked.rev.substring(0, 7);
+        } else if (locked.ref) {
+          version = locked.ref;
+        }
+
+        const pkg = {
+          name: nodeName,
+          version: version,
+          description: `Nix flake dependency: ${nodeName}`,
+          scope: "required",
+          properties: [
+            {
+              name: "SrcFile",
+              value: flakeLockFile,
+            },
+          ],
+          evidence: {
+            identity: {
+              field: "purl",
+              confidence: 1.0,
+              methods: [
+                {
+                  technique: "manifest-analysis",
+                  confidence: 1.0,
+                  value: flakeLockFile,
+                },
+              ],
+            },
+          },
+        };
+
+        if (locked.narHash) {
+          pkg.properties.push({
+            name: "cdx:nix:nar_hash",
+            value: locked.narHash,
+          });
+        }
+
+        if (locked.lastModified) {
+          pkg.properties.push({
+            name: "cdx:nix:last_modified",
+            value: locked.lastModified.toString(),
+          });
+        }
+
+        if (locked.rev) {
+          pkg.properties.push({
+            name: "cdx:nix:revision",
+            value: locked.rev,
+          });
+        }
+
+        if (locked.ref) {
+          pkg.properties.push({
+            name: "cdx:nix:ref",
+            value: locked.ref,
+          });
+        }
+
+        pkg.purl = generateNixPurl(nodeName, version);
+        pkg["bom-ref"] = pkg.purl;
+
+        pkgList.push(pkg);
+      }
+
+      // Generate dependency relationships from root inputs
+      if (lockData.nodes?.root?.inputs) {
+        const rootInputs = Object.keys(lockData.nodes.root.inputs);
+        if (rootInputs.length > 0) {
+          dependencies.push({
+            ref: "pkg:nix/flake@latest",
+            dependsOn: rootInputs
+              .map(
+                (input) =>
+                  pkgList.find((pkg) => pkg.name === input)?.["bom-ref"],
+              )
+              .filter(Boolean),
+          });
+        }
+      }
+    }
+  } catch (error) {
+    console.warn(`Failed to parse ${flakeLockFile}: ${error.message}`);
+  }
+
+  return { pkgList, dependencies };
+}
+
+/**
+ * Generate a Nix PURL from input information
+ *
+ * @param {String} name Package name
+ * @param {String} version Package version
+ * @returns {String} PURL string
+ */
+function generateNixPurl(name, version) {
+  // For now, use a generic nix PURL type
+  // In the future, this could be more sophisticated based on the source type
+  return `pkg:nix/${name}@${version}`;
+}
+
 /**
  * Method to parse .nuspec files
  *
@@ -9816,7 +10342,7 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
           continue;
         }
         pkg.name = pref.Include;
-        pkg.version = pref.Version;
+        pkg.version = pref.Version || pkgNameVersions[pkg.name];
         pkg.purl = `pkg:nuget/${pkg.name}@${pkg.version}`;
         pkg["bom-ref"] = pkg.purl;
         if (projFile) {
@@ -9853,9 +10379,11 @@ export function parseCsProjData(csProjData, projFile, pkgNameVersions = {}) {
         pkg.name = incParts[0];
         pkg.properties = [];
         if (incParts.length > 1 && incParts[1].includes("Version")) {
-          pkg.version = incParts[1].replace("Version=", "").trim();
+          pkg.version =
+            incParts[1].replace("Version=", "").trim() ||
+            pkgNameVersions[pkg.name];
         }
-        const version = pkg.version || pkgNameVersions[pkg.name];
+        const version = pkg.version;
         if (version) {
           pkg.purl = `pkg:nuget/${pkg.name}@${version}`;
         } else {
@@ -9999,25 +10527,27 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
     return { pkgList, dependenciesList };
   }
   csProjData = JSON.parse(csProjData);
-  const purlString = new PackageURL(
-    "nuget",
-    "",
-    csProjData.project.restore.projectName,
-    csProjData.project.version || "latest",
-    null,
-    null,
-  ).toString();
-  rootPkg = {
-    group: "",
-    name: csProjData.project.restore.projectName,
-    version: csProjData.project.version || "latest",
-    type: "application",
-    purl: purlString,
-    "bom-ref": decodeURIComponent(purlString),
-  };
-  pkgList.push(rootPkg);
+  let purlString;
+  if (csProjData.project?.restore?.projectName) {
+    purlString = new PackageURL(
+      "nuget",
+      "",
+      csProjData.project?.restore?.projectName,
+      csProjData.project.version || "latest",
+      null,
+      null,
+    ).toString();
+    rootPkg = {
+      group: "",
+      name: csProjData.project.restore.projectName,
+      version: csProjData.project.version || "latest",
+      type: "application",
+      purl: purlString,
+      "bom-ref": decodeURIComponent(purlString),
+    };
+    pkgList.push(rootPkg);
+  }
   const rootPkgDeps = new Set();
-
   // create root pkg deps
   if (csProjData.targets && csProjData.projectFileDependencyGroups) {
     for (const frameworkTarget in csProjData.projectFileDependencyGroups) {
@@ -10074,11 +10604,12 @@ export function parseCsProjAssetsData(csProjData, assetsJsonFile) {
         rootPkgDeps.add(dpurl);
       }
     }
-
-    dependenciesList.push({
-      ref: purlString,
-      dependsOn: Array.from(rootPkgDeps).sort(),
-    });
+    if (purlString && rootPkgDeps.size) {
+      dependenciesList.push({
+        ref: purlString,
+        dependsOn: Array.from(rootPkgDeps).sort(),
+      });
+    }
   }
 
   if (csProjData.libraries && csProjData.targets) {
@@ -10453,7 +10984,10 @@ export function parseComposerJson(composerJsonFile) {
   const composerData = JSON.parse(
     readFileSync(composerJsonFile, { encoding: "utf-8" }),
   );
-  const rootRequires = composerData.require;
+  const rootRequires = {
+    ...composerData.require,
+    ...composerData["require-dev"],
+  };
   const pkgName = composerData.name;
   if (pkgName) {
     moduleParent.group = dirname(pkgName);
@@ -11321,7 +11855,7 @@ export async function collectMvnDependencies(
     copyArgs = copyArgs.concat(addArgs);
   }
   if (basePath && basePath !== MAVEN_CACHE_DIR) {
-    console.log(`Executing '${mavenCmd} ${copyArgs.join(" ")}' in ${basePath}`);
+    console.log(`Executing '${mavenCmd} in ${basePath}`);
     const result = safeSpawnSync(mavenCmd, copyArgs, {
       cwd: basePath,
       encoding: "utf-8",
@@ -13304,7 +13838,7 @@ export function executeAtom(src, args, extra_env = {}) {
     }
   }
   if (DEBUG_MODE) {
-    console.log("Executing", ATOM_BIN, args.join(" "));
+    console.log("Executing", ATOM_BIN);
   }
   const env = {
     ...process.env,
@@ -13606,9 +14140,9 @@ export function createUVLock(basePath, options) {
  * @param {string} tempVenvDir Temp venv dir
  * @param {Object} parentComponent Parent component
  *
- * @returns List of packages from the virtual env
+ * @returns {Object} List of packages from the virtual env
  */
-export function getPipFrozenTree(
+export async function getPipFrozenTree(
   basePath,
   reqOrSetupFile,
   tempVenvDir,
@@ -13623,6 +14157,20 @@ export function getPipFrozenTree(
   const env = {
     ...process.env,
   };
+
+  // FIX: Create a set of explicit dependencies from requirements.txt to identify root packages.
+  const explicitDeps = new Set();
+  if (reqOrSetupFile?.endsWith(".txt") && safeExistsSync(reqOrSetupFile)) {
+    // We only need the package names, so we pass `false` to avoid fetching full metadata.
+    const tempPkgList = await parseReqFile(reqOrSetupFile, null, false);
+    for (const pkg of tempPkgList) {
+      if (pkg.name) {
+        // Normalize the name (lowercase, hyphenated) for accurate lookups.
+        explicitDeps.add(pkg.name.replace(/_/g, "-").toLowerCase());
+      }
+    }
+  }
+
   /**
    * Let's start with an attempt to create a new temporary virtual environment in case we aren't in one
    *
@@ -13804,7 +14352,7 @@ export function getPipFrozenTree(
         `**PIP**: Trying pip install using the arguments ${pipInstallArgs.join(" ")}`,
       );
       if (DEBUG_MODE) {
-        console.log("Executing", python_cmd_for_tree, pipInstallArgs.join(" "));
+        console.log("Executing", python_cmd_for_tree);
       }
       // Attempt to perform pip install
       result = safeSpawnSync(python_cmd_for_tree, pipInstallArgs, {
@@ -13883,7 +14431,6 @@ export function getPipFrozenTree(
             console.info(
               "\nEXPERIMENTAL: Invoke cdxgen with '--feature-flags safe-pip-install' to recover a partial dependency tree for projects with build errors.\n",
             );
-            console.log("args used:", pipInstallArgs);
             if (result.stderr) {
               console.log(result.stderr);
             }
@@ -14034,12 +14581,14 @@ export function getPipFrozenTree(
       };
       if (scope !== "excluded") {
         pkgList.push(apkg);
-        rootList.push({
-          name,
-          version,
-          purl: purlString,
-          "bom-ref": decodeURIComponent(purlString),
-        });
+        if (explicitDeps.size === 0 || explicitDeps.has(name)) {
+          rootList.push({
+            name,
+            version,
+            purl: purlString,
+            "bom-ref": decodeURIComponent(purlString),
+          });
+        }
         flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t);
       } else {
         formulationList.push(apkg);
@@ -15829,3 +16378,154 @@ function collectAllLdConfs(basePath, ldConf, allLdConfDirs, libPaths) {
     }
   }
 }
+
+/**
+ * Get information about the runtime.
+ *
+ * @returns {Object} Object containing the name and version of the runtime
+ */
+export function getRuntimeInformation() {
+  const runtimeInfo = {};
+
+  if (typeof globalThis.Deno !== "undefined" && globalThis.Deno.version?.deno) {
+    runtimeInfo.runtime = "Deno";
+    runtimeInfo.version = globalThis.Deno.version.deno;
+  } else if (typeof globalThis.Bun !== "undefined" && globalThis.Bun.version) {
+    runtimeInfo.runtime = "Bun";
+    runtimeInfo.version = globalThis.Bun.version;
+  } else if (
+    typeof globalThis.process !== "undefined" &&
+    globalThis.process.versions?.node
+  ) {
+    runtimeInfo.runtime = "Node.js";
+    runtimeInfo.version = globalThis.process.versions.node;
+    const report = process.report.getReport();
+    const nodeSourceUrl = report?.header?.release?.sourceUrl;
+    // Collect the bundled components in node.js
+    if (report?.header?.componentVersions) {
+      const nodeBundledComponents = [];
+      for (const [name, version] of Object.entries(
+        report.header.componentVersions,
+      )) {
+        if (name === "node") {
+          continue;
+        }
+        const apkg = {
+          name,
+          version,
+          description: `Bundled with Node.js ${runtimeInfo.version}`,
+          type: "library",
+          scope: "excluded",
+          purl: `pkg:generic/${name}@${version}`,
+          "bom-ref": `pkg:generic/${name}@${version}`,
+        };
+        if (nodeSourceUrl) {
+          apkg.externalReferences = [
+            {
+              url: nodeSourceUrl,
+              type: "source-distribution",
+              comment: "Node.js release url",
+            },
+          ];
+        }
+        nodeBundledComponents.push(apkg);
+      }
+      if (nodeBundledComponents.length) {
+        runtimeInfo.components = nodeBundledComponents;
+      }
+    }
+    if (report.sharedObjects) {
+      const osSharedObjects = [];
+      for (const aso of report.sharedObjects) {
+        const name = basename(aso);
+        if (name === "node") {
+          continue;
+        }
+        const apkg = {
+          name,
+          type: "library",
+          scope: "excluded",
+          purl: `pkg:generic/${name}#${aso}`,
+          "bom-ref": `pkg:generic/${name}`,
+        };
+        osSharedObjects.push(apkg);
+      }
+      if (osSharedObjects.length) {
+        runtimeInfo.components = osSharedObjects;
+      }
+    }
+  } else {
+    runtimeInfo.runtime = "Unknown";
+    runtimeInfo.version = "N/A";
+  }
+
+  return runtimeInfo;
+}
+
+/**
+ * Checks for dangerous Unicode characters that could enable homograph attacks
+ *
+ * @param {string} str String to check
+ * @returns {boolean} true if dangerous Unicode is found
+ */
+// biome-ignore-start lint/suspicious/noControlCharactersInRegex: validation
+export function hasDangerousUnicode(str) {
+  // Check for bidirectional control characters
+  const bidiChars = /[\u202A-\u202E\u2066-\u2069]/;
+  if (bidiChars.test(str)) {
+    return true;
+  }
+
+  // Check for zero-width characters that could be used for obfuscation
+  const zeroWidthChars = /[\u200B-\u200D\uFEFF]/;
+  if (zeroWidthChars.test(str)) {
+    return true;
+  }
+
+  // Check for control characters (except common ones like \n, \r, \t)
+  const controlChars = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/;
+  if (controlChars.test(str)) {
+    return true;
+  }
+
+  return false;
+}
+// biome-ignore-end lint/suspicious/noControlCharactersInRegex: validation
+
+/**
+ * Validates that a root is a legitimate Windows drive letter format
+ *
+ * @param {string} root Root to validate
+ * @returns {boolean} true if valid drive format
+ */
+export function isValidDriveRoot(root) {
+  // Must be at most 3 characters: letter, colon, backslash
+  if (root.length > 3) {
+    return false;
+  }
+
+  // Check each character individually to prevent Unicode lookalikes
+  const driveLetter = root.charAt(0);
+  const colon = root.charAt(1);
+  const backslash = root.charAt(2);
+
+  // Drive letter must be ASCII A-Z or a-z
+  const charCode = driveLetter.charCodeAt(0);
+  const isAsciiLetter =
+    (charCode >= 65 && charCode <= 90) || (charCode >= 97 && charCode <= 122);
+  if (!isAsciiLetter) {
+    return false;
+  }
+
+  // Colon must be exactly ASCII colon (0x3A)
+  if (colon.charCodeAt(0) !== 0x3a) {
+    return false;
+  }
+
+  // Backslash (optional) must be exactly ASCII backslash (0x5C)
+  if (backslash && backslash.charCodeAt(0) !== 0x5c) {
+    return false;
+  }
+
+  return true;
+}