@cyclonedx/cdxgen 12.1.4 → 12.2.0

package/lib/cli/index.js

@@ -2,9 +2,9 @@ import { Buffer } from "node:buffer";
 import {
   accessSync,
   constants,
-  existsSync,
   lstatSync,
   mkdtempSync,
+  readdirSync,
   readFileSync,
   rmSync,
   statSync,
@@ -25,14 +25,8 @@ import { parse as loadYaml } from "yaml";
 
 import { findJSImportsExports } from "../helpers/analyzer.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
-import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
-import {
-  collectEnvInfo,
-  getBranch,
-  getOriginUrl,
-  gitTreeHashes,
-  listFiles,
-} from "../helpers/envcontext.js";
+import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
+import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
 import {
   addEvidenceForDotnet,
@@ -175,6 +169,14 @@ import {
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
+import {
+  cleanupTempDir,
+  collectInstalledExtensions,
+  discoverIdeExtensionDirs,
+  extractVsixToTempDir,
+  parseVsixFile,
+  VSCODE_EXTENSION_PURL_TYPE,
+} from "../helpers/vsixutils.js";
 import {
   executeOsQuery,
   getBinaryBom,
@@ -188,6 +190,7 @@ import {
   getPkgPathList,
   parseImageName,
 } from "../managers/docker.js";
+import { DEFAULT_NPMRC_BLOCKLIST, parseNpmrc } from "../parsers/npmrc.js";
 
 const dirName = dirNameStr;
 
@@ -436,160 +439,6 @@ const addLifecyclesSection = (options) => {
   return lifecycles;
 };
 
-/**
- * Method to generate the formulation section based on git metadata
- *
- * @param {Object} options
- * @param {Object} context Context
- * @returns {Array} formulation array
- */
-const addFormulationSection = (options, context) => {
-  const formulation = [];
-  const provides = [];
-  const gitBranch = getBranch();
-  const originUrl = getOriginUrl();
-  const gitFiles = listFiles();
-  const treeHashes = gitTreeHashes();
-  let parentOmniborId;
-  let treeOmniborId;
-  let components = [];
-  const aformulation = {};
-  // Reuse any existing formulation components
-  // See: PR #1172
-  if (context?.formulationList?.length) {
-    components = components.concat(trimComponents(context.formulationList));
-  }
-  if (options.specVersion >= 1.6 && Object.keys(treeHashes).length === 2) {
-    parentOmniborId = `gitoid:blob:sha1:${treeHashes.parent}`;
-    treeOmniborId = `gitoid:blob:sha1:${treeHashes.tree}`;
-    components.push({
-      type: "file",
-      name: "git-parent",
-      description: "Git Parent Node.",
-      "bom-ref": parentOmniborId,
-      omniborId: [parentOmniborId],
-      swhid: [`swh:1:rev:${treeHashes.parent}`],
-    });
-    components.push({
-      type: "file",
-      name: "git-tree",
-      description: "Git Tree Node.",
-      "bom-ref": treeOmniborId,
-      omniborId: [treeOmniborId],
-      swhid: [`swh:1:rev:${treeHashes.tree}`],
-    });
-    provides.push({
-      ref: parentOmniborId,
-      provides: [treeOmniborId],
-    });
-  }
-  // Collect git related components
-  if (gitBranch && gitFiles) {
-    const gitFileComponents = gitFiles.map((f) =>
-      options.specVersion >= 1.6
-        ? {
-            type: "file",
-            name: f.name,
-            version: f.hash,
-            omniborId: [f.omniborId],
-            swhid: [f.swhid],
-          }
-        : {
-            type: "file",
-            name: f.name,
-            version: f.hash,
-          },
-    );
-    components = components.concat(gitFileComponents);
-    // Complete the Artifact Dependency Graph
-    if (options.specVersion >= 1.6 && treeOmniborId) {
-      provides.push({
-        ref: treeOmniborId,
-        provides: gitFiles.map((f) => f.ref),
-      });
-    }
-  }
-  // Collect build environment details
-  const infoComponents = collectEnvInfo(options.path);
-  if (infoComponents?.length) {
-    components = components.concat(infoComponents);
-  }
-  // Should we include the OS crypto libraries
-  if (options.includeCrypto) {
-    const cryptoLibs = collectOSCryptoLibs(options);
-    if (cryptoLibs?.length) {
-      components = components.concat(cryptoLibs);
-    }
-  }
-  aformulation["bom-ref"] = uuidv4();
-  aformulation.components = trimComponents(components);
-  let environmentVars = gitBranch?.length
-    ? [{ name: "GIT_BRANCH", value: gitBranch }]
-    : [];
-  const envPrefixes = [
-    "GIT",
-    "ANDROID",
-    "DENO",
-    "DOTNET",
-    "JAVA_",
-    "SDKMAN",
-    "CARGO",
-    "CONDA",
-    "RUST",
-    "GEM_",
-    "SCALA_",
-    "MAVEN_",
-    "GRADLE_",
-    "NODE_",
-  ];
-  const envBlocklist = [
-    "key",
-    "token",
-    "pass",
-    "secret",
-    "user",
-    "email",
-    "auth",
-    "session",
-    "proxy",
-    "cred",
-  ];
-
-  for (const aevar of Object.keys(process.env)) {
-    const lower = aevar.toLowerCase();
-    const value = process.env[aevar] ?? "";
-    if (
-      envPrefixes.some((p) => aevar.startsWith(p)) &&
-      !envBlocklist.some((b) => lower.includes(b)) &&
-      !envBlocklist.some((b) => value.includes(b)) &&
-      value.length
-    ) {
-      environmentVars.push({
-        name: aevar,
-        value,
-      });
-    }
-  }
-  if (!environmentVars.length) {
-    environmentVars = undefined;
-  }
-  let sourceInput;
-  if (environmentVars) {
-    sourceInput = { environmentVars };
-  }
-  const sourceWorkflow = {
-    "bom-ref": uuidv4(),
-    uid: uuidv4(),
-    taskTypes: originUrl ? ["build", "clone"] : ["build"],
-  };
-  if (sourceInput) {
-    sourceWorkflow.inputs = [sourceInput];
-  }
-  aformulation.workflows = [sourceWorkflow];
-  formulation.push(aformulation);
-  return { formulation, provides };
-};
-
 /**
  * Function to create metadata block
  *
@@ -998,6 +847,7 @@ function addExternalReferences(opkg) {
  * @param {Object} allImports All imports
  * @param {Object} pkg Package object
  * @param {string} ptype Package type
+ * @returns {Object[]} Array of component objects
  */
 export function listComponents(options, allImports, pkg, ptype = "npm") {
   const compMap = {};
@@ -1065,6 +915,15 @@ function addComponent(
       purl = undefined;
       purlString = undefined;
     }
+    // Some applications like github workflow steps and commands do not have purl
+    if (
+      pkg.purl === undefined &&
+      !pkg?.["bom-ref"]?.startsWith("pkg:") &&
+      pkg?.type === "application"
+    ) {
+      purl = undefined;
+      purlString = undefined;
+    }
     const description = pkg.description || undefined;
     let compScope = pkg.scope;
     if (allImports) {
@@ -1104,7 +963,12 @@ function addComponent(
       component.data = pkg.data || undefined;
     }
     component["type"] = determinePackageType(pkg);
-    component["bom-ref"] = decodeURIComponent(purlString);
+    if (purlString) {
+      component["bom-ref"] = decodeURIComponent(purlString);
+    } else if (pkg["bom-ref"]) {
+      component["bom-ref"] = pkg["bom-ref"];
+    }
+
     if (
       component.externalReferences === undefined ||
       component.externalReferences.length === 0
@@ -1134,6 +998,18 @@ function addComponent(
       }
       delete component.authors;
     }
+    // Downgrade from 1.7
+    if (options.specVersion < 1.7) {
+      if (component.isExternal) {
+        delete component.isExternal;
+      }
+      if (component.versionRange) {
+        console.warn(
+          `Version Range is not supported in ${options.specVersion} specifications. Please run cdxgen with --spec-version 1.7`,
+        );
+        delete component.versionRange;
+      }
+    }
     // Retain any tags
     if (
       options.specVersion >= 1.6 &&
@@ -1153,12 +1029,10 @@ function addComponent(
     if (pkg.components) {
       component.components = pkg.components;
     }
+    const compMapKey = component.purl || component["bom-ref"];
     // Issue: 1353. We need to keep merging the properties
-    if (compMap[component.purl]) {
-      const mergedComponents = trimComponents([
-        compMap[component.purl],
-        component,
-      ]);
+    if (compMap[compMapKey]) {
+      const mergedComponents = trimComponents([compMap[compMapKey], component]);
       if (mergedComponents?.length === 1) {
         component = mergedComponents[0];
       }
@@ -1194,7 +1068,7 @@ function addComponent(
         component.evidence.identity = pkg.evidence.identity[0];
       }
     }
-    compMap[component.purl] = component;
+    compMap[compMapKey] = component;
   }
   if (pkg.dependencies) {
     Object.keys(pkg.dependencies)
@@ -1385,17 +1259,15 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
       components,
       dependencies,
     };
-    const formulationData =
-      options.includeFormulation && options.specVersion >= 1.5
-        ? addFormulationSection(options, context)
-        : undefined;
-    if (formulationData) {
-      jsonTpl.formulation = formulationData.formulation;
-    }
     bomNSData.bomJson = jsonTpl;
     bomNSData.nsMapping = nsMapping;
     bomNSData.dependencies = dependencies;
     bomNSData.parentComponent = parentComponent;
+    // Carry language-specific formulation data (e.g. Pixi) so that
+    // postProcess can merge it when building the final formulation section.
+    if (context?.formulationList?.length) {
+      bomNSData.formulationList = context.formulationList;
+    }
   }
   return bomNSData;
 };
@@ -1487,6 +1359,7 @@ export async function createJarBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object|undefined} BOM object
  */
 export function createAndroidBom(path, options) {
   return createBinaryBom(path, options);
@@ -1497,6 +1370,7 @@ export function createAndroidBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object|undefined} BOM object
  */
 export function createBinaryBom(path, options) {
   const tempDir = mkdtempSync(join(getTmpDir(), "blint-tmp-"));
@@ -1520,6 +1394,7 @@ export function createBinaryBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createJavaBom(path, options) {
   let jarNSMapping = {};
@@ -2767,6 +2642,7 @@ export async function createJavaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createNodejsBom(path, options) {
   let pkgList = [];
@@ -2879,6 +2755,7 @@ export async function createNodejsBom(path, options) {
   );
   const npmInstallCount =
     Number.parseInt(process.env.NPM_INSTALL_COUNT, 10) || 2;
+  let anyInstallSuccess = false;
   // Automatic npm install logic.
   // Only perform npm install for smaller projects (< 2 package.json) without the correct number of lock files
   if (
@@ -2889,7 +2766,6 @@ export async function createNodejsBom(path, options) {
     pkgJsonFiles?.length <= npmInstallCount &&
     options.installDeps
   ) {
-    let anyInstallSuccess = false;
     for (const apkgJson of pkgJsonFiles) {
       let pkgMgr = "npm";
       const supPkgMgrs = ["npm", "yarn", "yarnpkg", "pnpm", "pnpx"];
@@ -2938,17 +2814,50 @@ export async function createNodejsBom(path, options) {
         if (pkgMgr === "pnpm") {
           installArgs.push("--ignore-pnpmfile");
         }
-        if (pkgMgr === "npm" && !installArgs.includes("--no-audit")) {
-          installArgs.push("--no-audit");
+        if (pkgMgr === "npm") {
+          for (const c of ["--no-audit", "--no-bin-links"]) {
+            if (!installArgs.includes(c)) {
+              installArgs.push(c);
+            }
+          }
+          installArgs.push(`--git=${GIT_COMMAND}`);
         }
       }
+      if (
+        pkgMgr === "npm" &&
+        isSecureMode &&
+        !installArgs.join(" ").includes("--allow-git")
+      ) {
+        console.log(
+          "Consider passing '--allow-git=none' via the environment variable NPM_INSTALL_ARGS to prevent any git dependencies from being fetched and installed via npm.",
+        );
+      }
       const basePath = dirname(apkgJson);
+      let npmrcData;
+      if (safeExistsSync(join(basePath, ".npmrc"))) {
+        thoughtLog(
+          "Wait, there is a .npmrc file here! I'm going to check if it has anything malicious.",
+        );
+        npmrcData = readFileSync(join(basePath, ".npmrc"), "utf-8");
+        const npmrcObj = parseNpmrc(npmrcData);
+        for (const [key, value] of Object.entries(npmrcObj)) {
+          const baseKey = key.replace(/^(?:\/\/[^/]+\/|@[^:]+:)/, "");
+          if (
+            DEFAULT_NPMRC_BLOCKLIST.has(baseKey) ||
+            DEFAULT_NPMRC_BLOCKLIST.has(key)
+          ) {
+            console.warn(
+              `\x1b[1;35mSECURE MODE: Dangerous configuration ${key}=${value} detected in .npmrc! Verify if this is a trusted project. Remove this setting or any other problematic configurations to proceed.\x1b[0m`,
+            );
+            process.exit(1);
+          }
+        }
+      }
       // juice-shop mode
       // Projects such as juice-shop prevent lockfile creations using .npmrc files
       // Plus, they might require specific npm install args such as --legacy-peer-deps that could lead to strange node_modules structure
       // To keep life simple, let's look for any .npmrc file that has package-lock=false to toggle before npm install
-      if (pkgMgr === "npm" && safeExistsSync(join(basePath, ".npmrc"))) {
-        const npmrcData = readFileSync(join(basePath, ".npmrc"));
+      if (pkgMgr === "npm") {
         if (
           npmrcData?.includes("package-lock=false") &&
           !installArgs.includes("--package-lock")
@@ -2966,6 +2875,9 @@ export async function createNodejsBom(path, options) {
           `**PACKAGE MANAGER**: Let's run the '${pkgMgr}' command with the arguments '${installArgs.join(" ")}' to generate the needed lock files.`,
         );
       }
+      console.warn(
+        "\x1b[1;35mNotice: Generating an SBOM without a lockfile is risky and non-deterministic. Consider generating and committing the lockfile to your repository to ensure reproducible builds and SBOMs.\x1b[0m",
+      );
       console.log(
         `Executing '${pkgMgr} ${installArgs.join(" ")}' in`,
         basePath,
@@ -3165,8 +3077,9 @@ export async function createNodejsBom(path, options) {
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
-      const pnpmHooks = join(basePath, ".pnpmfile.cjs");
-      if (safeExistsSync(pnpmHooks)) {
+      const pnpmCjsHooks = join(basePath, ".pnpmfile.cjs");
+      const pnpmMjsHooks = join(basePath, ".pnpmfile.mjs");
+      if (safeExistsSync(pnpmMjsHooks) || safeExistsSync(pnpmCjsHooks)) {
         thoughtLog("Wait, this pnpm project uses install hooks.");
       }
       if (!Object.keys(parentComponent).length) {
@@ -3239,6 +3152,11 @@ export async function createNodejsBom(path, options) {
     pkgLockFiles?.length &&
     isPackageManagerAllowed("npm", ["pnpm", "yarn"], options)
   ) {
+    if (anyInstallSuccess) {
+      thoughtLog(
+        `I have ${pkgLockFiles.length} package-lock.json file(s) now after a successful npm install.`,
+      );
+    }
     manifestFiles = manifestFiles.concat(pkgLockFiles);
     for (const f of pkgLockFiles) {
       if (DEBUG_MODE) {
@@ -3644,6 +3562,7 @@ export async function createNodejsBom(path, options) {
  *
  * @param {String} path
  * @param {Object} options
+ * @returns {Object | null} BOM object, or `null` when `pixi.lock` is absent and `options.installDeps` is false
  */
 export function createPixiBom(path, options) {
   const allImports = {};
@@ -3722,6 +3641,7 @@ export function createPixiBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createPythonBom(path, options) {
   let allImports = {};
@@ -3848,7 +3768,6 @@ export async function createPythonBom(path, options) {
         console.log(`Parsing ${f}`);
       }
       let retMap = await parsePyLockData(lockData, f);
-      // Should we exit for workspace errors
       if (retMap?.workspaceWarningShown) {
         options.failOnError && process.exit(1);
       }
@@ -3856,7 +3775,6 @@ export async function createPythonBom(path, options) {
         pkgList = pkgList.concat(retMap.pkgList);
         pkgList = trimComponents(pkgList);
       }
-      // Retain the parent hierarchy
       if (retMap?.parentComponent?.components?.length) {
         if (!parentComponent.components) {
           parentComponent.components = [];
@@ -3872,36 +3790,81 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-      // Retrieve the tree using virtualenv in deep mode and as a fallback
-      // This is a slow operation
       if ((options.deep || !dependencies.length) && !f.endsWith("uv.lock")) {
-        retMap = await getPipFrozenTree(basePath, f, tempDir, parentComponent);
-        if (retMap.pkgList?.length) {
-          pkgList = pkgList.concat(retMap.pkgList);
-        }
-        if (retMap.formulationList?.length) {
-          formulationList = formulationList.concat(retMap.formulationList);
-        }
-        if (retMap.dependenciesList) {
-          dependencies = mergeDependencies(
-            dependencies,
-            retMap.dependenciesList,
+        if (options.installDeps) {
+          retMap = await getPipFrozenTree(
+            basePath,
+            f,
+            tempDir,
             parentComponent,
           );
+          if (retMap.pkgList?.length) pkgList = pkgList.concat(retMap.pkgList);
+          if (retMap.formulationList?.length)
+            formulationList = formulationList.concat(retMap.formulationList);
+          if (retMap.dependenciesList)
+            dependencies = mergeDependencies(
+              dependencies,
+              retMap.dependenciesList,
+              parentComponent,
+            );
+          if (retMap.rootList) {
+            const parentDependsOn = new Set();
+            for (const p of retMap.rootList)
+              parentDependsOn.add(
+                `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+              );
+            dependencies.splice(0, 0, {
+              ref: parentComponent["bom-ref"],
+              dependsOn: [...parentDependsOn].sort(),
+            });
+          }
+        } else {
+          let exportedReqs = "";
+          if (f.endsWith("poetry.lock")) {
+            thoughtLog(
+              "Using poetry export as a safe, static alternative to pip install.",
+            );
+            const expCmd = safeSpawnSync(
+              "poetry",
+              ["export", "-f", "requirements.txt"],
+              { cwd: basePath, shell: false },
+            );
+            if (expCmd.status === 0 && expCmd.stdout)
+              exportedReqs = expCmd.stdout.toString();
+          } else if (f.endsWith("pdm.lock")) {
+            thoughtLog(
+              "Using pdm export as a safe, static alternative to pip install.",
+            );
+            const expCmd = safeSpawnSync(
+              "pdm",
+              ["export", "-f", "requirements"],
+              { cwd: basePath, shell: false },
+            );
+            if (expCmd.status === 0 && expCmd.stdout)
+              exportedReqs = expCmd.stdout.toString();
+          }
+          if (exportedReqs) {
+            const tmpReqFile = join(
+              tempDir,
+              `exported-${basename(basePath)}-reqs.txt`,
+            );
+            writeFileSync(tmpReqFile, exportedReqs);
+            const dlist = await parseReqFile(tmpReqFile, false);
+            if (dlist?.length) {
+              pkgList = pkgList.concat(dlist);
+              const parentDependsOn = new Set();
+              for (const p of dlist)
+                parentDependsOn.add(
+                  `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+                );
+              dependencies.splice(0, 0, {
+                ref: parentComponent["bom-ref"],
+                dependsOn: [...parentDependsOn].sort(),
+              });
+            }
+          }
         }
       }
-      if (retMap.rootList) {
-        const parentDependsOn = new Set();
-        // Complete the dependency tree by making parent component depend on the first level
-        for (const p of retMap.rootList) {
-          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
-        }
-        const pdependencies = {
-          ref: parentComponent["bom-ref"],
-          dependsOn: [...parentDependsOn].sort(),
-        };
-        dependencies.splice(0, 0, pdependencies);
-      }
     }
     options.parentComponent = parentComponent;
   } // poetryMode
@@ -3919,7 +3882,7 @@ export async function createPythonBom(path, options) {
     for (const wf of whlFiles) {
       const mData = await readZipEntry(wf, "METADATA");
       if (mData) {
-        const dlist = parseBdistMetadata(undefined, mData);
+        const dlist = parseBdistMetadata(join(wf, "METADATA"), mData);
         if (dlist?.length) {
           pkgList = pkgList.concat(dlist);
         }
@@ -4001,29 +3964,29 @@ export async function createPythonBom(path, options) {
         for (const f of reqFiles) {
           const basePath = dirname(f);
           if (options.installDeps) {
-            const pkgMap = await getPipFrozenTree(
+            const rpkgMap = await getPipFrozenTree(
               basePath,
               f,
               tempDir,
               parentComponent,
             );
-            if (pkgMap.pkgList?.length) {
-              pkgList = pkgList.concat(pkgMap.pkgList);
+            if (rpkgMap.pkgList?.length) {
+              pkgList = pkgList.concat(rpkgMap.pkgList);
               pkgList = trimComponents(pkgList);
             }
-            if (pkgMap.formulationList?.length) {
-              formulationList = formulationList.concat(pkgMap.formulationList);
+            if (rpkgMap.formulationList?.length) {
+              formulationList = formulationList.concat(rpkgMap.formulationList);
               formulationList = trimComponents(formulationList);
             }
-            if (pkgMap.dependenciesList) {
+            if (rpkgMap.dependenciesList) {
               dependencies = mergeDependencies(
                 dependencies,
-                pkgMap.dependenciesList,
+                rpkgMap.dependenciesList,
                 parentComponent,
               );
             }
             // Add the root packages from this file to the parent's dependencies
-            for (const p of pkgMap.rootList) {
+            for (const p of rpkgMap.rootList) {
               if (
                 parentComponent &&
                 p.name === parentComponent.name &&
@@ -4046,12 +4009,42 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-
+      if (pkgMap) {
+        // Complete the dependency tree by making parent component depend on the first level
+        for (const p of pkgMap.rootList) {
+          if (
+            parentComponent &&
+            p.name === parentComponent.name &&
+            (p.version === parentComponent.version || p.version === "latest")
+          ) {
+            continue;
+          }
+          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
+        }
+        if (pkgMap?.pkgList?.length) {
+          pkgList = pkgList.concat(pkgMap.pkgList);
+        }
+        if (pkgMap?.formulationList?.length) {
+          formulationList = formulationList.concat(pkgMap.formulationList);
+        }
+        if (pkgMap?.dependenciesList) {
+          dependencies = mergeDependencies(
+            dependencies,
+            pkgMap.dependenciesList,
+            parentComponent,
+          );
+        }
+      }
       // ATOM parsedeps block
       // Atom parsedeps slices can be used to identify packages that are not declared in manifests
       // Since it is a slow operation, we only use it as a fallback or in deep mode
       // This change was made in 10.9.2 release onwards
       if (options.deep || !pkgList.length) {
+        if (!pkgList.length) {
+          thoughtLog(
+            "I couldn't find any components yet. Let's try static analysis with atom parsedeps command.",
+          );
+        }
         const retMap = await getPyModules(path, pkgList, options);
         // We need to patch the existing package list to add ImportedModules for evinse to work
         if (retMap.modList?.length) {
@@ -4100,32 +4093,6 @@ export async function createPythonBom(path, options) {
         }
       }
       // ATOM parsedeps block
-      if (pkgMap) {
-        // Complete the dependency tree by making parent component depend on the first level
-        for (const p of pkgMap.rootList) {
-          if (
-            parentComponent &&
-            p.name === parentComponent.name &&
-            (p.version === parentComponent.version || p.version === "latest")
-          ) {
-            continue;
-          }
-          parentDependsOn.add(`pkg:pypi/${p.name.toLowerCase()}@${p.version}`);
-        }
-        if (pkgMap?.pkgList?.length) {
-          pkgList = pkgList.concat(pkgMap.pkgList);
-        }
-        if (pkgMap?.formulationList?.length) {
-          formulationList = formulationList.concat(pkgMap.formulationList);
-        }
-        if (pkgMap?.dependenciesList) {
-          dependencies = mergeDependencies(
-            dependencies,
-            pkgMap.dependenciesList,
-            parentComponent,
-          );
-        }
-      }
       let parentPresent = false;
       for (const d of dependencies) {
         if (d.ref === parentComponent["bom-ref"]) {
@@ -4144,7 +4111,6 @@ export async function createPythonBom(path, options) {
       }
     }
   }
-
   // Final fallback is to manually parse setup.py if we still
   // have an empty list
   if (!pkgList.length && setupPyMode) {
@@ -4217,6 +4183,7 @@ export async function createPythonBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object | undefined>} Promise resolving to a BOM object or `undefined`
  */
 export async function createGoBom(path, options) {
   let pkgList = [];
@@ -4643,6 +4610,7 @@ export async function createGoBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to a BOM object or undefined
  */
 export async function createRustBom(path, options) {
   let pkgList = [];
@@ -4782,6 +4750,7 @@ export async function createRustBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createDartBom(path, options) {
   const pubFiles = getAllFiles(
@@ -4853,6 +4822,7 @@ export async function createDartBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createCppBom(path, options) {
   let parentComponent;
@@ -5064,6 +5034,7 @@ export function createCppBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createClojureBom(path, options) {
   const ednFiles = getAllFiles(
@@ -5181,6 +5152,7 @@ export function createClojureBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createHaskellBom(path, options) {
   const cabalFiles = getAllFiles(
@@ -5213,6 +5185,7 @@ export function createHaskellBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createElixirBom(path, options) {
   const mixFiles = getAllFiles(
@@ -5245,6 +5218,7 @@ export function createElixirBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createGitHubBom(path, options) {
   const ghactionFiles = getAllFiles(
@@ -5276,6 +5250,7 @@ export function createGitHubBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createCloudBuildBom(path, options) {
   const cbFiles = getAllFiles(path, "cloudbuild.yml", options);
@@ -5304,6 +5279,7 @@ export function createCloudBuildBom(path, options) {
  *
  * @param {string} _path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export function createOSBom(_path, options) {
   console.warn(
@@ -5362,6 +5338,7 @@ export function createOSBom(_path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createJenkinsBom(path, options) {
   let pkgList = [];
@@ -5411,6 +5388,7 @@ export async function createJenkinsBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createHelmBom(path, options) {
   let pkgList = [];
@@ -5443,6 +5421,7 @@ export function createHelmBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createSwiftBom(path, options) {
   const swiftFiles = getAllFiles(
@@ -5587,6 +5566,7 @@ export async function createSwiftBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object | undefined>} Promise resolving to a BOM object, or `undefined` when no Podfiles are found
  */
 export async function createCocoaBom(path, options) {
   const cocoaFiles = getAllFiles(
@@ -5603,7 +5583,7 @@ export async function createCocoaBom(path, options) {
   for (const podFile of cocoaFiles) {
     const projectPath = dirname(podFile);
     const lockFile = `${podFile}.lock`;
-    if (!existsSync(lockFile) || options.deep) {
+    if (!safeExistsSync(lockFile) || options.deep) {
       if (options.installDeps) {
         executePodCommand(["install"], projectPath, options);
       } else {
@@ -5741,6 +5721,7 @@ export async function createCocoaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createNixBom(path, options) {
   let pkgList = [];
@@ -5863,6 +5844,7 @@ export async function createNixBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createCaxaBom(path, options) {
   let pkgList = [];
@@ -5914,6 +5896,7 @@ export async function createCaxaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createContainerSpecLikeBom(path, options) {
   let services = [];
@@ -6242,6 +6225,7 @@ export async function createContainerSpecLikeBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createPHPBom(path, options) {
   let dependencies = [];
@@ -6349,7 +6333,7 @@ export function createPHPBom(path, options) {
         // Track all the modules in a mono-repo
         if (!Object.keys(parentComponent).length) {
           parentComponent = { ...moduleParent };
-        } else {
+        } else if (moduleParent?.["bom-ref"]) {
           parentComponent.components = parentComponent.components || [];
           parentComponent.components.push(moduleParent);
         }
@@ -6365,7 +6349,9 @@ export function createPHPBom(path, options) {
           dependencies.splice(0, 0, {
             ref: moduleParent["bom-ref"],
             dependsOn: [
-              ...new Set(retMap.rootList.map((p) => p["bom-ref"])),
+              ...new Set(
+                retMap.rootList.map((p) => p["bom-ref"]).filter(Boolean),
+              ),
             ].sort(),
           });
         }
@@ -6378,9 +6364,9 @@ export function createPHPBom(path, options) {
     }
     // Complete the root dependency tree
     if (parentComponent?.components?.length) {
-      const parentDependsOn = parentComponent.components.map(
-        (d) => d["bom-ref"],
-      );
+      const parentDependsOn = parentComponent.components
+        .map((d) => d["bom-ref"])
+        .filter(Boolean);
       dependencies = mergeDependencies(
         [{ ref: parentComponent["bom-ref"], dependsOn: parentDependsOn }],
         dependencies,
@@ -6402,6 +6388,7 @@ export function createPHPBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createRubyBom(path, options) {
   // We can look for gem files within node_modules directory
@@ -6655,6 +6642,7 @@ export async function createRubyBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to BOM object
  */
 export async function createCsharpBom(path, options) {
   let manifestFiles = [];
@@ -7090,11 +7078,202 @@ export async function createCsharpBom(path, options) {
   });
 }
 
+/**
+ * Function to create BOM for VS Code / IDE extensions.
+ * Supports two modes:
+ * 1. Directory scan: Discovers `.vsix` files and installed extension directories
+ * 2. IDE discovery: Automatically finds extensions installed by known IDEs
+ *
+ * @param {string} path to the project or directory to scan
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createVscodeExtensionBom(path, options) {
+  let pkgList = [];
+  let dependencies = [];
+  const tempDirs = [];
+
+  // Mode 1: Scan for .vsix files in the given directory, or treat the input
+  // path as a single .vsix file.
+  let vsixFiles = [];
+  if (path.endsWith(".vsix")) {
+    vsixFiles = [resolve(path)];
+  } else {
+    vsixFiles = getAllFiles(
+      path,
+      `${options.multiProject ? "**/" : ""}*.vsix`,
+      options,
+    );
+  }
+  if (vsixFiles.length) {
+    if (DEBUG_MODE) {
+      console.log(`Found ${vsixFiles.length} .vsix file(s) to parse`);
+    }
+    for (const f of vsixFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      // Get the extension component metadata
+      const component = await parseVsixFile(f);
+      if (component) {
+        pkgList.push(component);
+      }
+      // Extract the vsix to a temp dir and run deep analysis
+      const extractedDir = await extractVsixToTempDir(f);
+      if (extractedDir) {
+        tempDirs.push(extractedDir);
+        const deepResult = await analyzeExtensionDir(extractedDir, options);
+        if (deepResult.pkgList.length) {
+          pkgList = pkgList.concat(deepResult.pkgList);
+        }
+        if (deepResult.dependencies.length) {
+          dependencies = mergeDependencies(
+            dependencies,
+            deepResult.dependencies,
+          );
+        }
+      }
+    }
+  }
+
+  // Mode 2: Auto-discover extensions from known IDE locations
+  if (options.deep || options.projectType?.includes("ide-extensions")) {
+    const ideDirs = discoverIdeExtensionDirs();
+    if (ideDirs.length) {
+      if (DEBUG_MODE) {
+        console.log(
+          `Discovered IDE extension directories: ${ideDirs.map((d) => `${d.name}: ${d.dir}`).join(", ")}`,
+        );
+      }
+      const ideExtensions = collectInstalledExtensions(ideDirs);
+      if (ideExtensions.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${ideExtensions.length} IDE extension(s) from ${ideDirs.length} IDE location(s)`,
+          );
+        }
+        pkgList = pkgList.concat(ideExtensions);
+        // Deep analysis for IDE extension directories
+        for (const ideDir of ideDirs) {
+          await analyzeInstalledExtensionDirs(
+            ideDir.dir,
+            options,
+            pkgList,
+            dependencies,
+          );
+        }
+      }
+    }
+  }
+
+  // Clean up temp directories from vsix extraction
+  for (const td of tempDirs) {
+    cleanupTempDir(td);
+  }
+  pkgList = trimComponents(pkgList);
+  return buildBomNSData(options, pkgList, VSCODE_EXTENSION_PURL_TYPE, {
+    src: path,
+    filename: vsixFiles.join(", "),
+    nsMapping: {},
+    dependencies,
+  });
+}
+
+/**
+ * Analyze an extracted extension directory for bundled dependencies.
+ * Looks for npm lock files, node_modules, package.json files, minified JS,
+ * and runs the babel-based analyzer on the source.
+ *
+ * @param {string} extDir Path to the extracted extension directory
+ * @param {Object} options CLI options
+ * @returns {Promise<{pkgList: Object[], dependencies: Object[]}>}
+ */
+async function analyzeExtensionDir(extDir, options) {
+  const pkgList = [];
+  let dependencies = [];
+  // Check if the extension directory contains node.js project artifacts
+  const hasPackageJson = safeExistsSync(join(extDir, "package.json"));
+  const hasNodeModules = safeExistsSync(join(extDir, "node_modules"));
+  const hasLockFile =
+    safeExistsSync(join(extDir, "package-lock.json")) ||
+    safeExistsSync(join(extDir, "yarn.lock")) ||
+    safeExistsSync(join(extDir, "pnpm-lock.yaml"));
+
+  // If there are lock files or node_modules, run the full Node.js BOM generator
+  if (hasPackageJson && (hasLockFile || hasNodeModules)) {
+    if (DEBUG_MODE) {
+      console.log(
+        `Running Node.js BOM analysis on extension directory: ${extDir}`,
+      );
+    }
+    const nodeBomOptions = {
+      ...options,
+      path: extDir,
+      multiProject: true,
+      installDeps: false,
+      noBabel: false,
+      projectType: ["js"],
+    };
+    const bomData = await createNodejsBom(extDir, nodeBomOptions);
+    if (bomData?.bomJson?.components?.length) {
+      for (const comp of bomData.bomJson.components) {
+        pkgList.push(comp);
+      }
+    }
+    if (bomData?.bomJson?.dependencies?.length) {
+      dependencies = mergeDependencies(
+        dependencies,
+        bomData.bomJson.dependencies,
+      );
+    }
+    return { pkgList, dependencies };
+  }
+  return { pkgList, dependencies };
+}
+
+/**
+ * Run deep analysis on installed extension subdirectories within a parent
+ * extensions directory. Each subdirectory represents an installed extension.
+ *
+ * @param {string} extensionsDir Parent directory containing extension subdirs
+ * @param {Object} options CLI options
+ * @param {Object[]} pkgList Mutable array to push discovered components into
+ * @param {Object[]} dependencies Mutable array to merge dependencies into
+ */
+async function analyzeInstalledExtensionDirs(
+  extensionsDir,
+  options,
+  pkgList,
+  dependencies,
+) {
+  let entries;
+  try {
+    entries = readdirSync(extensionsDir, { withFileTypes: true });
+  } catch (_e) {
+    return;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory() || entry.name.startsWith(".")) {
+      continue;
+    }
+    const extDir = join(extensionsDir, entry.name);
+    const deepResult = await analyzeExtensionDir(extDir, options);
+    if (deepResult.pkgList.length) {
+      pkgList.push(...deepResult.pkgList);
+    }
+    if (deepResult.dependencies.length) {
+      const merged = mergeDependencies(dependencies, deepResult.dependencies);
+      dependencies.splice(0, dependencies.length, ...merged);
+    }
+  }
+}
+
 /**
  * Function to create bom object for cryptographic certificate files
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createCryptoCertsBom(path, options) {
   const pkgList = [];
@@ -7131,191 +7310,6 @@ export async function createCryptoCertsBom(path, options) {
   };
 }
 
-export function mergeDependencies(
-  dependencies,
-  newDependencies,
-  parentComponent = {},
-) {
-  if (!parentComponent && DEBUG_MODE) {
-    console.log(
-      "Unable to determine parent component. Dependencies will be flattened.",
-    );
-  }
-  let providesFound = false;
-  const deps_map = {};
-  const provides_map = {};
-  const parentRef = parentComponent?.["bom-ref"]
-    ? parentComponent["bom-ref"]
-    : undefined;
-  const combinedDeps = dependencies.concat(newDependencies || []);
-  for (const adep of combinedDeps) {
-    if (!deps_map[adep.ref]) {
-      deps_map[adep.ref] = new Set();
-    }
-    if (!provides_map[adep.ref]) {
-      provides_map[adep.ref] = new Set();
-    }
-    if (adep["dependsOn"]) {
-      for (const eachDepends of adep["dependsOn"]) {
-        if (parentRef && eachDepends) {
-          if (eachDepends.toLowerCase() !== parentRef.toLowerCase()) {
-            deps_map[adep.ref].add(eachDepends);
-          }
-        } else {
-          deps_map[adep.ref].add(eachDepends);
-        }
-      }
-    }
-    if (adep["provides"]) {
-      providesFound = true;
-      for (const eachProvides of adep["provides"]) {
-        if (
-          parentRef &&
-          eachProvides.toLowerCase() !== parentRef.toLowerCase()
-        ) {
-          provides_map[adep.ref].add(eachProvides);
-        }
-      }
-    }
-  }
-  const retlist = [];
-  for (const akey of Object.keys(deps_map)) {
-    if (providesFound) {
-      retlist.push({
-        ref: akey,
-        dependsOn: Array.from(deps_map[akey]).sort(),
-        provides: Array.from(provides_map[akey]).sort(),
-      });
-    } else {
-      retlist.push({
-        ref: akey,
-        dependsOn: Array.from(deps_map[akey]).sort(),
-      });
-    }
-  }
-  return retlist;
-}
-
-/**
- * Trim duplicate components by retaining all the properties
- *
- * @param {Array} components Components
- *
- * @returns {Array} Filtered components
- */
-export function trimComponents(components) {
-  const keyCache = {};
-  const filteredComponents = [];
-  for (const comp of components) {
-    const key = (
-      comp.purl ||
-      comp["bom-ref"] ||
-      comp.name + comp.version
-    ).toLowerCase();
-    if (!keyCache[key]) {
-      keyCache[key] = comp;
-    } else {
-      const existingComponent = keyCache[key];
-      // We need to retain any properties that differ
-      if (comp.properties) {
-        if (existingComponent.properties) {
-          for (const newprop of comp.properties) {
-            if (
-              !existingComponent.properties.find(
-                (prop) =>
-                  prop.name === newprop.name && prop.value === newprop.value,
-              )
-            ) {
-              existingComponent.properties.push(newprop);
-            }
-          }
-        } else {
-          existingComponent.properties = comp.properties;
-        }
-      }
-      // Retain all component.evidence.identity
-      if (comp?.evidence?.identity) {
-        if (!existingComponent.evidence) {
-          existingComponent.evidence = { identity: [] };
-        } else if (!existingComponent?.evidence?.identity) {
-          existingComponent.evidence.identity = [];
-        } else if (
-          existingComponent?.evidence?.identity &&
-          !Array.isArray(existingComponent.evidence.identity)
-        ) {
-          existingComponent.evidence.identity = [
-            existingComponent.evidence.identity,
-          ];
-        }
-        // comp.evidence.identity can be an array or object
-        // Merge the evidence.identity based on methods or objects
-        const isIdentityArray = Array.isArray(comp.evidence.identity);
-        const identities = isIdentityArray
-          ? comp.evidence.identity
-          : [comp.evidence.identity];
-        for (const aident of identities) {
-          let methodBasedMerge = false;
-          if (aident?.methods?.length) {
-            for (const amethod of aident.methods) {
-              for (const existIdent of existingComponent.evidence.identity) {
-                if (existIdent.field === aident.field) {
-                  if (!existIdent.methods) {
-                    existIdent.methods = [];
-                  }
-                  let isDup = false;
-                  for (const emethod of existIdent.methods) {
-                    if (emethod?.value === amethod?.value) {
-                      isDup = true;
-                      break;
-                    }
-                  }
-                  if (!isDup) {
-                    existIdent.methods.push(amethod);
-                  }
-                  methodBasedMerge = true;
-                }
-              }
-            }
-          }
-          if (!methodBasedMerge && aident.field && aident.confidence) {
-            existingComponent.evidence.identity.push(aident);
-          }
-        }
-        if (!isIdentityArray) {
-          const firstIdentity = existingComponent.evidence.identity[0];
-          let identConfidence = firstIdentity?.confidence;
-          // We need to set the confidence to the max of all confidences
-          if (firstIdentity?.methods?.length > 1) {
-            for (const aidentMethod of firstIdentity.methods) {
-              if (
-                aidentMethod?.confidence &&
-                aidentMethod.confidence > identConfidence
-              ) {
-                identConfidence = aidentMethod.confidence;
-              }
-            }
-          }
-          firstIdentity.confidence = identConfidence;
-          existingComponent.evidence = {
-            identity: firstIdentity,
-          };
-        }
-      }
-      // If the component is required in any of the child projects, then make it required
-      if (
-        existingComponent?.scope !== "required" &&
-        comp?.scope === "required"
-      ) {
-        existingComponent.scope = "required";
-      }
-    }
-  }
-  for (const akey of Object.keys(keyCache)) {
-    filteredComponents.push(keyCache[akey]);
-  }
-  return filteredComponents;
-}
-
 /**
  * Dedupe components
  *
@@ -7372,11 +7366,13 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
  *
  * @param {string[]} pathList list of to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createMultiXBom(pathList, options) {
   let components = [];
   let dependencies = [];
   let bomData;
+  let formulationList = [];
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
   options.createMultiXBom = true;
@@ -7587,6 +7583,9 @@ export async function createMultiXBom(pathList, options) {
           parentSubComponents.push(bomData.parentComponent);
         }
       }
+      if (bomData?.formulationList?.length) {
+        formulationList = formulationList.concat(bomData.formulationList);
+      }
     }
     if (hasAnyProjectType(["oci", "go"], options)) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8079,6 +8078,27 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["vscode-extension"], options)) {
+      bomData = await createVscodeExtensionBom(path, options);
+      if (bomData?.bomJson?.components?.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${bomData.bomJson.components.length} VS Code extension(s) at ${path}`,
+          );
+        }
+        components = components.concat(bomData.bomJson.components);
+        dependencies = mergeDependencies(
+          dependencies,
+          bomData.bomJson.dependencies,
+        );
+        if (
+          bomData.parentComponent &&
+          Object.keys(bomData.parentComponent).length
+        ) {
+          parentSubComponents.push(bomData.parentComponent);
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8177,7 +8197,16 @@ export async function createMultiXBom(pathList, options) {
       }
     }
   }
-  return dedupeBom(options, components, parentComponent, dependencies);
+  const multiResult = dedupeBom(
+    options,
+    components,
+    parentComponent,
+    dependencies,
+  );
+  if (formulationList.length) {
+    multiResult.formulationList = formulationList;
+  }
+  return multiResult;
 }
 
 /**
@@ -8185,6 +8214,7 @@ export async function createMultiXBom(pathList, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to BOM object, or undefined if path is not readable
  */
 export async function createXBom(path, options) {
   try {
@@ -8423,6 +8453,16 @@ export async function createXBom(path, options) {
     return await createJenkinsBom(path, options);
   }
 
+  // VS Code extensions (.vsix files)
+  const vsixFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}*.vsix`,
+    options,
+  );
+  if (vsixFiles.length) {
+    return await createVscodeExtensionBom(path, options);
+  }
+
   // Helm charts
   const chartFiles = getAllFiles(
     path,
@@ -8530,6 +8570,7 @@ export async function createXBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createBom(path, options) {
   let { projectType } = options;
@@ -8774,6 +8815,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["caxa"].includes(projectType[0])) {
     return await createCaxaBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["vscode-extension"].includes(projectType[0])) {
+    return await createVscodeExtensionBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);