@cyclonedx/cdxgen 12.1.2 → 12.1.4

package/lib/helpers/utils.js

@@ -48,6 +48,7 @@ import {
   satisfies,
   valid,
 } from "semver";
+import { v4 as uuidv4 } from "uuid";
 import { xml2js } from "xml-js";
 import { parse as _load } from "yaml";
 
@@ -160,6 +161,20 @@ export function safeSpawnSync(command, args, options) {
   if (!options.timeout) {
     options.timeout = TIMEOUT_MS;
   }
+  // Check for -S for python invocations in secure mode
+  if (command.includes("python") && (!args?.length || args[0] !== "-S")) {
+    if (isSecureMode) {
+      console.warn(
+        "\x1b[1;35mNotice: Running python command without '-S' argument. This is a bug in cdxgen. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
+      );
+    } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
+      console.log("Running python command without '-S' argument.");
+    } else {
+      console.warn(
+        "\x1b[1;35mNotice: Running python command without '-S' argument. Only run cdxgen in trusted directories to prevent auto-executing local scripts.\x1b[0m",
+      );
+    }
+  }
   traceLog("spawn", { command, args, ...options });
   commandsExecuted.add(command);
   // Fix for DEP0190 warning
@@ -1033,18 +1048,10 @@ export function getKnownLicense(licenseUrl, pkg) {
             return { id: akLic.license, name: akLic.licenseName };
           }
         }
-        if (
-          akLic.urlIncludes &&
-          licenseUrl &&
-          licenseUrl.includes(akLic.urlIncludes)
-        ) {
+        if (akLic.urlIncludes && licenseUrl?.includes(akLic.urlIncludes)) {
           return { id: akLic.license, name: akLic.licenseName };
         }
-        if (
-          akLic.urlEndswith &&
-          licenseUrl &&
-          licenseUrl.endsWith(akLic.urlEndswith)
-        ) {
+        if (akLic.urlEndswith && licenseUrl?.endsWith(akLic.urlEndswith)) {
           return { id: akLic.license, name: akLic.licenseName };
         }
       }
@@ -1265,7 +1272,7 @@ export async function parsePkgJson(pkgJsonFile, simple = false) {
       // continue regardless of error
     }
   }
-  if (!simple && shouldFetchLicense() && pkgList && pkgList.length) {
+  if (!simple && shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parsePkgJson`,
@@ -1455,6 +1462,40 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
           value: "true",
         });
       }
+      // Detect version spoofing by comparing the version in the lockfile with the version in package.json
+      if (node.path && safeExistsSync(join(node.path, "package.json"))) {
+        try {
+          const diskPkgStr = readFileSync(
+            join(node.path, "package.json"),
+            "utf8",
+          );
+          const diskPkg = JSON.parse(diskPkgStr);
+          if (!diskPkg.name || diskPkg.name !== node.packageName) {
+            console.warn(
+              `\x1b[1;35mWARNING: Package name spoofing detected for ${node.packageName}! Lockfile says ${node.packageName}, but disk says ${diskPkg.name}.\x1b[0m`,
+            );
+            if (diskPkg.name) {
+              pkg.properties.push({
+                name: "cdx:npm:nameMismatchError",
+                value: `${diskPkg.name} used instead of ${node.packageName}`,
+              });
+            }
+          }
+          if (!diskPkg.version || diskPkg.version !== node.version) {
+            console.warn(
+              `\x1b[1;35mWARNING: Package version spoofing detected for ${node.packageName}! Lockfile says ${node.version}, but disk says ${diskPkg.version}.\x1b[0m`,
+            );
+            if (diskPkg.version) {
+              pkg.properties.push({
+                name: "cdx:npm:versionMismatchError",
+                value: `${diskPkg.version} used instead of ${node.version}`,
+              });
+            }
+          }
+        } catch (_err) {
+          // ignore
+        }
+      }
       if (node?.inBundle) {
         pkg.properties.push({
           name: "cdx:npm:inBundle",
@@ -1786,7 +1827,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     options,
   ));
 
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parsePkgLock`,
@@ -2419,7 +2460,7 @@ export async function parseYarnLock(
     }
   }
 
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parseYarnLock`,
@@ -2496,7 +2537,7 @@ export async function parseNodeShrinkwrap(swFile) {
       }
     }
   }
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`,
@@ -3698,7 +3739,7 @@ export async function parsePnpmLock(
     pkgList = await pnpmMetadata(pkgList, pnpmLock);
   }
 
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`,
@@ -3759,7 +3800,7 @@ export async function parseBowerJson(bowerJsonFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parseBowerJson`,
@@ -3857,7 +3898,7 @@ export async function parseMinJs(minJsFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList && pkgList.length) {
+  if (shouldFetchLicense() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
         `About to fetch license information for ${pkgList.length} packages in parseMinJs`,
@@ -6132,6 +6173,9 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     ).toString();
     pkg.purl = purlString;
     pkg["bom-ref"] = decodeURIComponent(purlString);
+    if (parentComponent && pkg["bom-ref"] === parentComponent["bom-ref"]) {
+      continue;
+    }
     pkg.evidence = {
       identity: {
         field: "purl",
@@ -6387,6 +6431,9 @@ export async function parseReqFile(reqFile, fetchDepsInfo = false) {
   return await parseReqData(reqFile, null, fetchDepsInfo);
 }
 
+const LICENSE_ID_COMMENTS_PATTERN =
+  /^(Apache-2\.0|MIT|ISC|GPL-|LGPL-|BSD-[23]-Clause)/i;
+
 /**
  * Method to parse requirements.txt file. Must only be used internally.
  *
@@ -6434,6 +6481,12 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
     if (!l || l.startsWith("#") || l.startsWith("-")) {
       continue;
     }
+    let comment = null;
+    const commentMatch = l.match(/\s+#(.*)$/);
+    if (commentMatch) {
+      comment = commentMatch[1].trim();
+      l = l.substring(0, commentMatch.index).trim();
+    }
     const properties = reqFile
       ? [
           {
@@ -6482,6 +6535,21 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         scope: compScope,
         evidence,
       };
+      if (comment) {
+        apkg.licenses = comment
+          .split("/")
+          .map((c) => {
+            const licenseObj = {};
+            const cId = c.trim();
+            if (cId.match(LICENSE_ID_COMMENTS_PATTERN)) {
+              licenseObj.id = cId;
+            } else {
+              return undefined;
+            }
+            return { license: licenseObj };
+          })
+          .filter((l) => l !== undefined);
+      }
       if (extras && extras.length > 0) {
         properties.push({
           name: "cdx:pypi:extras",
@@ -6533,6 +6601,21 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         scope: compScope,
         evidence,
       };
+      if (comment) {
+        apkg.licenses = comment
+          .split("/")
+          .map((c) => {
+            const licenseObj = {};
+            const cId = c.trim();
+            if (cId.match(LICENSE_ID_COMMENTS_PATTERN)) {
+              licenseObj.id = cId;
+            } else {
+              return undefined;
+            }
+            return { license: licenseObj };
+          })
+          .filter((l) => l !== undefined);
+      }
       if (versionSpecifiers && !versionSpecifiers.startsWith("==")) {
         properties.push({
           name: "cdx:pypi:versionSpecifiers",
@@ -9877,82 +9960,250 @@ export function parseGitHubWorkflowData(f) {
     return pkgList;
   }
   const lines = ghwData.split("\n");
+  // workflow-related values
+  const workflowName = yamlObj.name || path.basename(f, path.extname(f));
+  const workflowTriggers = yamlObj.on || yamlObj.true;
+  const workflowPermissions = yamlObj.permissions || {};
+  let hasWritePermissions = analyzePermissions(workflowPermissions);
+  // GitHub of course supports strings such as "write-all" to make it easy to create supply-chain attacks.
+  if (
+    (typeof workflowPermissions === "string" ||
+      workflowPermissions instanceof String) &&
+    workflowPermissions.includes("write")
+  ) {
+    hasWritePermissions = true;
+  }
+  const workflowConcurrency = yamlObj.concurrency || {};
+  const _workflowEnv = yamlObj.env || {};
+  const hasIdTokenWrite = workflowPermissions?.["id-token"] === "write";
   for (const jobName of Object.keys(yamlObj.jobs)) {
-    if (yamlObj.jobs[jobName].steps) {
-      for (const step of yamlObj.jobs[jobName].steps) {
-        if (step.uses) {
-          const tmpA = step.uses.split("@");
-          if (tmpA.length !== 2) {
-            continue;
+    const job = yamlObj.jobs[jobName];
+    if (!job.steps) {
+      continue;
+    }
+    // job-related values
+    const jobRunner = job["runs-on"] || "unknown";
+    const jobEnvironment = job.environment?.name || job.environment || "";
+    const jobTimeout = job["timeout-minutes"] || null;
+    const jobPermissions = job.permissions || {};
+    const jobServices = job.services ? Object.keys(job.services) : [];
+    let jobNeeds = job.needs || [];
+    if (!Array.isArray(jobNeeds)) {
+      jobNeeds = [jobNeeds];
+    }
+    const _jobIf = job.if || "";
+    const _jobStrategy = job.strategy ? JSON.stringify(job.strategy) : "";
+    const jobHasWritePermissions = analyzePermissions(jobPermissions);
+    for (const step of job.steps) {
+      if (step.uses) {
+        const tmpA = step.uses.split("@");
+        if (tmpA.length !== 2) {
+          continue;
+        }
+        const groupName = tmpA[0];
+        let name = groupName;
+        let group = "";
+        const tagOrCommit = tmpA[1];
+        let version = tagOrCommit;
+        const tmpB = groupName.split("/");
+        if (tmpB.length >= 2) {
+          name = tmpB.pop();
+          group = tmpB.join("/");
+        } else if (tmpB.length === 1) {
+          name = tmpB[0];
+          group = "";
+        }
+        const versionPinningType = getVersionPinningType(tagOrCommit);
+        const isShaPinned = versionPinningType === "sha";
+        const _isTagPinned = versionPinningType === "tag";
+        const _isBranchRef = versionPinningType === "branch";
+        let lineNum = -1;
+        const stepLineMatch = ghwData.indexOf(step.uses);
+        if (stepLineMatch >= 0) {
+          lineNum = ghwData.substring(0, stepLineMatch).split("\n").length - 1;
+        }
+        if (lineNum >= 0 && lines[lineNum]) {
+          const line = lines[lineNum];
+          const commentMatch = line.match(/#\s*v?([0-9]+(?:\.[0-9]+)*)/);
+          if (commentMatch?.[1]) {
+            version = commentMatch[1];
           }
-          const groupName = tmpA[0];
-          let name = groupName;
-          let group = "";
-          const tagOrCommit = tmpA[1];
-          let version = tagOrCommit;
-          const tmpB = groupName.split("/");
-          if (tmpB.length >= 2) {
-            name = tmpB.pop();
-            group = tmpB.join("/");
-          } else if (tmpB.length === 1) {
-            name = tmpB[0];
-            group = "";
+        }
+        const key = `${group}-${name}-${version}`;
+        let confidence = 0.6;
+        if (!keys_cache[key] && name && version) {
+          keys_cache[key] = key;
+          let fullName = name;
+          if (group.length) {
+            fullName = `${group}/${name}`;
           }
-          let lineNum = -1;
-          const stepLineMatch = ghwData.indexOf(step.uses);
-          if (stepLineMatch >= 0) {
-            lineNum =
-              ghwData.substring(0, stepLineMatch).split("\n").length - 1;
+          let purl = `pkg:github/${fullName}@${version}`;
+          if (tagOrCommit && version !== tagOrCommit) {
+            const qualifierDesc = tagOrCommit.startsWith("v")
+              ? "tag"
+              : "commit";
+            purl = `${purl}?${qualifierDesc}=${tagOrCommit}`;
+            confidence = 0.7;
           }
-          if (lineNum >= 0 && lines[lineNum]) {
-            const line = lines[lineNum];
-            const commentMatch = line.match(/#\s*v?([0-9]+(?:\.[0-9]+)*)/);
-            if (commentMatch?.[1]) {
-              version = commentMatch[1];
-            }
+          const properties = [
+            { name: "SrcFile", value: f },
+            { name: "cdx:github:workflow:name", value: workflowName },
+            { name: "cdx:github:job:name", value: jobName },
+            {
+              name: "cdx:github:job:runner",
+              value: Array.isArray(jobRunner) ? jobRunner.join(",") : jobRunner,
+            },
+            { name: "cdx:github:action:uses", value: step.uses },
+            {
+              name: "cdx:github:action:versionPinningType",
+              value: versionPinningType,
+            },
+            {
+              name: "cdx:github:action:isShaPinned",
+              value: isShaPinned.toString(),
+            },
+          ];
+          if (step.name) {
+            properties.push({ name: "cdx:github:step:name", value: step.name });
           }
-          const key = `${group}-${name}-${version}`;
-          let confidence = 0.6;
-          if (!keys_cache[key] && name && version) {
-            keys_cache[key] = key;
-            let fullName = name;
-            if (group.length) {
-              fullName = `${group}/${name}`;
-            }
-            let purl = `pkg:github/${fullName}@${version}`;
-            if (tagOrCommit && version !== tagOrCommit) {
-              const qualifierDesc = tagOrCommit.startsWith("v")
-                ? "tag"
-                : "commit";
-              purl = `${purl}?${qualifierDesc}=${tagOrCommit}`;
-              confidence = 0.7;
-            }
-            const properties = [
-              {
-                name: "SrcFile",
-                value: f,
+          if (step.if) {
+            properties.push({
+              name: "cdx:github:step:condition",
+              value: step.if,
+            });
+          }
+          if (step["continue-on-error"]) {
+            properties.push({
+              name: "cdx:github:step:continueOnError",
+              value: "true",
+            });
+          }
+          if (step.timeout) {
+            properties.push({
+              name: "cdx:github:step:timeout",
+              value: step.timeout.toString(),
+            });
+          }
+          if (jobEnvironment) {
+            properties.push({
+              name: "cdx:github:job:environment",
+              value: jobEnvironment,
+            });
+          }
+          if (jobTimeout) {
+            properties.push({
+              name: "cdx:github:job:timeoutMinutes",
+              value: jobTimeout.toString(),
+            });
+          }
+          if (jobHasWritePermissions) {
+            properties.push({
+              name: "cdx:github:job:hasWritePermissions",
+              value: "true",
+            });
+          }
+          if (jobServices.length > 0) {
+            properties.push({
+              name: "cdx:github:job:services",
+              value: jobServices.join(","),
+            });
+          }
+          if (jobNeeds.length > 0) {
+            properties.push({
+              name: "cdx:github:job:needs",
+              value: jobNeeds.join(","),
+            });
+          }
+          if (hasWritePermissions) {
+            properties.push({
+              name: "cdx:github:workflow:hasWritePermissions",
+              value: "true",
+            });
+          }
+          if (hasIdTokenWrite) {
+            properties.push({
+              name: "cdx:github:workflow:hasIdTokenWrite",
+              value: "true",
+            });
+          }
+          if (workflowConcurrency?.group) {
+            properties.push({
+              name: "cdx:github:workflow:concurrencyGroup",
+              value: workflowConcurrency.group,
+            });
+          }
+          if (group?.startsWith("github/") || group === "actions") {
+            properties.push({ name: "cdx:actions:isOfficial", value: "true" });
+          }
+          if (group?.startsWith("github/")) {
+            properties.push({ name: "cdx:actions:isVerified", value: "true" });
+          }
+          if (workflowTriggers) {
+            const triggers =
+              typeof workflowTriggers === "string"
+                ? workflowTriggers
+                : Object.keys(workflowTriggers).join(",");
+            properties.push({
+              name: "cdx:github:workflow:triggers",
+              value: triggers,
+            });
+          }
+          pkgList.push({
+            group,
+            name,
+            version,
+            purl,
+            properties,
+            evidence: {
+              identity: {
+                field: "purl",
+                confidence,
+                methods: [
+                  {
+                    technique: "source-code-analysis",
+                    confidence,
+                    value: f,
+                  },
+                ],
               },
-            ];
-            if (group?.startsWith("github/") || group === "actions") {
-              properties.push({
-                name: "cdx:actions:isOfficial",
-                value: "true",
-              });
-            }
+            },
+          });
+        }
+      }
+      if (step.run) {
+        const runLineNum = ghwData.indexOf(step.run);
+        const runLine =
+          runLineNum >= 0
+            ? ghwData.substring(0, runLineNum).split("\n").length
+            : -1;
+        const pkgCommands = extractPackageManagerCommands(step.run);
+        for (const pkgCmd of pkgCommands) {
+          const key = `run-${pkgCmd.name}-${pkgCmd.version || "latest"}`;
+          if (!keys_cache[key]) {
+            keys_cache[key] = key;
             pkgList.push({
-              group,
-              name,
-              version,
-              purl,
-              properties,
+              group: "",
+              name: pkgCmd.name,
+              version: pkgCmd.version || undefined,
+              scope: "excluded",
+              "bom-ref": uuidv4(),
+              description: key,
+              properties: [
+                { name: "SrcFile", value: f },
+                { name: "cdx:github:workflow:name", value: workflowName },
+                { name: "cdx:github:job:name", value: jobName },
+                { name: "cdx:github:step:type", value: "run" },
+                { name: "cdx:github:step:command", value: pkgCmd.command },
+                { name: "cdx:github:run:line", value: runLine.toString() },
+              ],
               evidence: {
                 identity: {
                   field: "purl",
-                  confidence,
+                  confidence: 0.5,
                   methods: [
                     {
                       technique: "source-code-analysis",
-                      confidence,
+                      confidence: 0.5,
                       value: f,
                     },
                   ],
@@ -9967,6 +10218,103 @@ export function parseGitHubWorkflowData(f) {
   return pkgList;
 }
 
+/**
+ * Analyze permissions for write access.
+ *
+ * Refer to https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions
+ */
+function analyzePermissions(permissions) {
+  if (!permissions || typeof permissions !== "object") {
+    return false;
+  }
+  const writePermissions = [
+    "actions",
+    "artifact-metadata",
+    "attestations",
+    "checks",
+    "contents",
+    "deployments",
+    "id-token",
+    "models",
+    "discussions",
+    "packages",
+    "pages",
+    "actions",
+    "deployments",
+    "issues",
+    "pull-requests",
+    "security-events",
+    "statuses",
+  ];
+  for (const perm of writePermissions) {
+    if (permissions[perm] === "write") {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Determine version pinning type for security assessment
+ */
+function getVersionPinningType(versionRef) {
+  if (!versionRef) {
+    return "unknown";
+  }
+  if (/^[a-f0-9]{40}$/.test(versionRef)) {
+    return "sha";
+  }
+  if (/^[a-f0-9]{7,}$/.test(versionRef)) {
+    return "sha";
+  }
+  if (
+    versionRef === "main" ||
+    versionRef === "master" ||
+    versionRef.includes("/")
+  ) {
+    return "branch";
+  }
+  return "tag";
+}
+
+/**
+ * Extract package manager commands from run steps
+ */
+function extractPackageManagerCommands(runScript) {
+  const commands = [];
+  if (!runScript) {
+    return commands;
+  }
+  const patterns = [
+    { regex: /npm\s+(install|i|ci)\s+([^&\n|;]+)/g, name: "npm", type: "npm" },
+    {
+      regex: /yarn\s+(add|install)\s+([^&\n|;]+)/g,
+      name: "yarn",
+      type: "yarn",
+    },
+    { regex: /pip\s+(install)\s+([^&\n|;]+)/g, name: "pip", type: "pip" },
+    { regex: /pip3\s+(install)\s+([^&\n|;]+)/g, name: "pip3", type: "pip" },
+    { regex: /gem\s+(install)\s+([^&\n|;]+)/g, name: "gem", type: "gem" },
+    { regex: /go\s+(get|install)\s+([^&\n|;]+)/g, name: "go", type: "go" },
+    {
+      regex: /cargo\s+(install|add)\s+([^&\n|;]+)/g,
+      name: "cargo",
+      type: "cargo",
+    },
+  ];
+  for (const pattern of patterns) {
+    let match;
+    while ((match = pattern.regex.exec(runScript)) !== null) {
+      commands.push({
+        name: pattern.name,
+        command: match[0],
+        version: null,
+      });
+    }
+  }
+  return commands;
+}
+
 export function parseCloudBuildData(cbwData) {
   const pkgList = [];
   const keys_cache = {};
@@ -10833,6 +11181,9 @@ export function parseCsPkgData(pkgData, pkgFile) {
 export function getPropertyGroupTextNodes(propsFiles) {
   const matches = {};
   for (const f of propsFiles) {
+    if (!f) {
+      continue;
+    }
     let projects;
     try {
       const data = readFileSync(f, { encoding: "utf-8" });
@@ -11623,9 +11974,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
               assetData.dependencies[aversion][adep].resolved;
           } else if (
             aversion.includes("/") &&
-            assetData.dependencies[aversionNoRuntime] &&
-            assetData.dependencies[aversionNoRuntime][adep] &&
-            assetData.dependencies[aversionNoRuntime][adep].resolved
+            assetData.dependencies[aversionNoRuntime]?.[adep]?.resolved
           ) {
             adepResolvedVersion =
               assetData.dependencies[aversionNoRuntime][adep].resolved;
@@ -12695,7 +13044,7 @@ export async function collectMvnDependencies(
   }
 
   // Clean up
-  if (cleanup && tempDir && tempDir.startsWith(tmpdir()) && rmSync) {
+  if (cleanup && tempDir?.startsWith(tmpdir()) && rmSync) {
     rmSync(tempDir, { recursive: true, force: true });
   }
   return jarNSMapping;
@@ -15056,7 +15405,11 @@ export async function getPipFrozenTree(
     thoughtLog(
       "Let me create a new virtual environment for installing the packages with pip.",
     );
-    result = safeSpawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
+    const venvCreationArgs = ["-m", "venv", tempVenvDir];
+    if (isSecureMode) {
+      venvCreationArgs.unshift("-S");
+    }
+    result = safeSpawnSync(PYTHON_CMD, venvCreationArgs, {
       shell: isWin,
     });
     if (result.status !== 0 || result.error) {
@@ -15107,12 +15460,18 @@ export async function getPipFrozenTree(
         "true",
         "--local",
       ];
+      if (isSecureMode) {
+        poetryConfigArgs.unshift("-S");
+      }
       result = safeSpawnSync(PYTHON_CMD, poetryConfigArgs, {
         cwd: basePath,
         shell: isWin,
       });
       thoughtLog("Performing poetry install");
       let poetryInstallArgs = ["-m", "poetry", "install", "-n", "--no-root"];
+      if (isSecureMode) {
+        poetryInstallArgs.unshift("-S");
+      }
       // Attempt to perform poetry install
       result = safeSpawnSync(PYTHON_CMD, poetryInstallArgs, {
         cwd: basePath,
@@ -15189,6 +15548,9 @@ export async function getPipFrozenTree(
         "install",
         "--disable-pip-version-check",
       ];
+      if (isSecureMode) {
+        pipInstallArgs.unshift("-S");
+      }
       // Requirements.txt could be called with any name so best to check for not setup.py and not pyproject.toml
       if (
         !reqOrSetupFile.endsWith("setup.py") &&
@@ -15509,7 +15871,11 @@ export function getPipTreeForPackages(
   };
   if (!process.env.VIRTUAL_ENV && !process.env.CONDA_PREFIX) {
     // Create a virtual environment
-    result = safeSpawnSync(PYTHON_CMD, ["-m", "venv", tempVenvDir], {
+    const venvCreationArgs = ["-m", "venv", tempVenvDir];
+    if (isSecureMode) {
+      venvCreationArgs.unshift("-S");
+    }
+    result = safeSpawnSync(PYTHON_CMD, venvCreationArgs, {
       shell: isWin,
     });
     if (result.status !== 0 || result.error) {
@@ -15532,6 +15898,9 @@ export function getPipTreeForPackages(
   }
   const python_cmd_for_tree = get_python_command_from_env(env);
   let pipInstallArgs = ["-m", "pip", "install", "--disable-pip-version-check"];
+  if (isSecureMode) {
+    pipInstallArgs.unshift("-S");
+  }
   // Support for passing additional arguments to pip
   // Eg: --python-version 3.10 --ignore-requires-python --no-warn-conflicts
   if (process?.env?.PIP_INSTALL_ARGS) {
@@ -15713,6 +16082,7 @@ export async function addEvidenceForImports(
     const aliases = group?.length
       ? [name, `${group}/${name}`, `@${group}/${name}`]
       : [name];
+    let isImported = false;
     for (const alias of aliases) {
       const all_includes = impPkgs.filter(
         (find_pkg) =>
@@ -15761,6 +16131,7 @@ export async function addEvidenceForImports(
       }
       // Identify all the imported modules of a component
       if (impPkgs.includes(alias) || all_includes.length) {
+        isImported = true;
         let importedModules = new Set();
         pkg.scope = "required";
         for (const subevidence of all_includes) {
@@ -15798,6 +16169,11 @@ export async function addEvidenceForImports(
         }
         break;
       }
+      if (impPkgs?.length > 0 && !isImported && DEBUG_MODE) {
+        console.debug(
+          `\x1b[1;35mNotice: Package ${pkg.name} has no usage in code. Check if it is needed.\x1b[0m`,
+        );
+      }
       // Capture metadata such as description from local node_modules in deep mode
       if (deep && !pkg.description && pkg.properties) {
         let localNodeModulesPath;