@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/README.md

@@ -1,4 +1,5 @@
 [![SBOM](https://img.shields.io/badge/SBOM-with_%E2%9D%A4%EF%B8%8F_by_cdxgen-FF753D)](https://github.com/cdxgen/cdxgen)
+[![AI-DECLARATION: pair](https://img.shields.io/badge/䷼%20AI--DECLARATION-pair-ffedd5?labelColor=ffedd5)](./AI-DECLARATION.md)
 [![JSR][badge-jsr]][jsr-cdxgen]
 [![NPM][badge-npm]][npmjs-cdxgen]
 [![GitHub Releases][badge-github-releases]][github-releases]
@@ -11,7 +12,7 @@
 
 <img src="./docs/_media/cdxgen.png" width="200" height="auto" />
 
-cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.7.
+cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create, validate, sign, and verify [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.5 - 1.7.
 
 Supported BOM formats:
 
@@ -31,8 +32,8 @@ Most SBOM tools are like simple barcode scanners. For easy applications, they ca
 - _Explainability:_ Don't list, but explain with evidence.
 - _Precision:_ Try using multiple techniques to improve precision, even if it takes extra time.
 - _Personas:_ Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.
-- _Lifecycle:_ Support BOM generation for various product lifecycles.
 - _Machine Learning:_ Optimize the generated data for Machine Learning (ML) purposes by considering the various model properties.
+- _Safety:_ Execute external build tools and handle untrusted inputs defensively, with hardened defaults and a [secure mode](docs/PERMISSIONS.md) for sensitive environments.
 
 ## Documentation
 
@@ -47,6 +48,8 @@ Sections include:
 - [Environment Variables][docs-env-vars]
 - [Advanced Usage][docs-advanced-usage]
 - [Permissions][docs-permissions]
+- [Security Policy](SECURITY.md)
+- [Threat Model](docs/THREAT_MODEL.md)
 - [Support (Enterprise & Community)][docs-support]
 
 ## Usage
@@ -104,7 +107,7 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)
 
 ```ts
-import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.1.0";
+import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^12.2.1";
 ```
 
 ## Getting Help
@@ -136,7 +139,10 @@ Options:
       --project-tag               Dependency track project tag. Multiple values allowed.                         [array]
       --project-id                Dependency track project id. Either provide the id or the project name and version tog
                                   ether                                                                         [string]
-      --parent-project-id         Dependency track parent project id                                            [string]
+      --parent-project-id         Dependency track parent project id. You must provide the id or both
+                                  parent project name and parent project version.                               [string]
+      --parent-project-name       Dependency track parent project name                                          [string]
+      --parent-project-version    Dependency track parent project version                                       [string]
       --required-only             Include only the packages with required scope on the SBOM. Would set compositions.aggr
                                   egate to incomplete unless --no-auto-compositions is passed.                 [boolean]
       --fail-on-error             Fail if any dependency extractor fails.                                      [boolean]
@@ -153,8 +159,8 @@ Options:
       --validate                  Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to
                                    disable.                                                    [boolean] [default: true]
       --evidence                  Generate SBOM with evidence for supported languages.        [boolean] [default: false]
-      --spec-version              CycloneDX Specification version to use. Defaults to 1.6
-                                                                   [number] [choices: 1.4, 1.5, 1.6, 1.7] [default: 1.6]
+      --spec-version              CycloneDX Specification version to use. Defaults to 1.7
+                                                                   [number] [choices: 1.4, 1.5, 1.6, 1.7] [default: 1.7]
       --filter                    Filter components containing this word in purl or component.properties.value. Multiple
                                    values allowed.                                                               [array]
       --only                      Include components only containing this word in purl. Useful to generate BOM with firs
@@ -217,11 +223,11 @@ To recursively generate a single BOM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
-The default specification used by cdxgen is 1.6. To generate BOM for a different specification version, such as 1.5 or 1.4, pass the version number using the `--spec-version` argument.
+The default specification used by cdxgen is 1.7. To generate BOM for a different specification version, such as 1.5 or 1.6, pass the version number using the `--spec-version` argument.
 
 ```shell
-# 1.5 is supported by most tools
-cdxgen -r -o bom.json --spec-version 1.5
+# 1.6 is supported by most tools
+cdxgen -r -o bom.json --spec-version 1.6
 ```
 
 To generate SBOM for C or Python, ensure Java >= 21 is installed.
@@ -418,60 +424,65 @@ cbom -t java
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 
+---
+
 ## BOM signing
 
-cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.
+cdxgen features a best-in-class, native **JSON Signature Format (JSF)** implementation for BOM signing, providing robust authenticity and non-repudiation capabilities. Unlike basic signing tools, our implementation fully supports granular signatures (signing individual components, services, and annotations), parallel Multi-Signatures (`signers`), and sequential Signature Chains (`chain`).
+
+To enable automatic signing during BOM generation, set the following environment variables:
+
+- `SBOM_SIGN_ALGORITHM`: JSF Algorithm. Examples: `RS512`, `ES256`, `Ed25519`, `HS256`
+- `SBOM_SIGN_PRIVATE_KEY`: Location of the private key (PEM format)
+- `SBOM_SIGN_PUBLIC_KEY`: Optional. Location of the public key
+- `SBOM_SIGN_MODE`: Optional. Signature mode (`replace`, `signers`, `chain`). Default is `replace`.
+
+To quickly generate test public/private key pairs and sign your first BOM, you can run cdxgen with the `--generate-key-and-sign` argument.
 
-- SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
-- SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key
-- SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key
+### Advanced Signing with `cdx-sign`
+
+For complex supply chain orchestration, use the bundled `cdx-sign` CLI. This tool allows multiple entities (e.g., a Builder and an Auditor) to co-sign an existing BOM without modifying its original data.
+
+```shell
+# Append a parallel multi-signature (Auditor co-signing)
+# Note: Granular component signing is disabled to preserve the Builder's original signature payload.
+cdx-sign -i bom.json -k auditor_private.pem -a ES256 --key-id "auditor-qa" --mode signers --no-sign-components
+```
 
-To generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io][jwt-homepage] is a known site that could be used for such signature validation.
+### Validating CycloneDX BOMs
 
-![SBOM signing](./docs/_media/sbom-sign.jpg)
+Use the bundled `cdx-validate` command to validate CycloneDX BOMs against **structural**, **deep**, and **compliance** checks. Refer to this [document](./docs/CDX_VALIDATE.md) for usage.
 
 ### Verifying the signature
 
-Use the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.
+Use the bundled `cdx-verify` command to validate BOM signatures. By default, `cdx-verify` performs a **strict deep verification**, meaning it mathematically validates the top-level BOM signature _and_ the signatures of every nested component, service, and annotation against the provided public key. Refer to this [lesson](./docs/LESSON6.md) for the usage of sign and verify commands.
 
 ```shell
 npm install -g @cyclonedx/cdxgen
+
+# Perform strict deep verification (default)
 cdx-verify -i bom.json --public-key public.key
+
+# Verify ONLY the top-level root signature (useful for verifying a multi-signer who didn't sign nested components)
+cdx-verify -i bom.json --public-key auditor_public.key --no-deep
 ```
 
 ### Verifying the signature (pnpm)
 
-Use the bundled `cdx-verify` command, which supports verifying a single signature added at the BOM level.
-
-You can run it directly using pnpm (no global install needed):
+You can run the verification tools directly using pnpm (no global install needed):
 
 ```shell
 pnpm dlx @cyclonedx/cdxgen cdx-verify -i bom.json --public-key public.key
 ```
 
-### Custom verification tool (Node.js example)
+You can also use pnpm to invoke the signing tool:
 
-There are many [libraries][jwt-libraries] available to validate JSON Web Tokens. Below is a javascript example.
-
-```js
-# npm install jws
-const jws = require("jws");
-const fs = require("fs");
-// Location of the SBOM json file
-const bomJsonFile = "bom.json";
-// Location of the public key
-const publicKeyFile = "public.key";
-const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
-// Retrieve the signature
-const bomSignature = bomJson.signature.value;
-const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, fs.readFileSync(publicKeyFile, "utf8"));
-if (validationResult) {
-  console.log("Signature is valid!");
-} else {
-  console.log("SBOM signature is invalid :(");
-}
+```shell
+pnpm dlx @cyclonedx/cdxgen cdx-sign -i bom.json -k private.key
 ```
 
+---
+
 ## Automatic usage detection
 
 For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
@@ -568,7 +579,7 @@ Use `pnpm add -g` command to quickly test the main branch.
 ```shell
 corepack pnpm bin -g
 corepack pnpm setup
-corepack pnpm add -g --allow-build @appthreat/sqlite3 https://github.com/cdxgen/cdxgen
+corepack pnpm add -g https://github.com/cdxgen/cdxgen
 cdxgen --help
 ```
 

package/bin/cdxgen.js

@@ -7,13 +7,14 @@ import https from "node:https";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
 
-import jws from "jws";
 import { parse as _load } from "yaml";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 
 import { createBom, submitBom } from "../lib/cli/index.js";
+import { signBom, verifyBom } from "../lib/helpers/bomSigner.js";
 import {
+  displaySelfThreatModel,
   printCallStack,
   printDependencyTree,
   printFormulation,
@@ -26,7 +27,6 @@ import {
 } from "../lib/helpers/display.js";
 import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
-  ATOM_DB,
   commandsExecuted,
   DEBUG_MODE,
   getTmpDir,
@@ -39,11 +39,12 @@ import {
   remoteHostsAccessed,
   retrieveCdxgenVersion,
   safeExistsSync,
+  toCamel,
 } from "../lib/helpers/utils.js";
-import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
-import { auditEnvironment } from "../lib/stages/pregen/env-audit.js";
+import { auditEnvironment } from "../lib/stages/pregen/envAudit.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
+import { validateBom } from "../lib/validator/bomValidator.js";
 
 // Support for config files
 const configPaths = [
@@ -64,6 +65,18 @@ for (const configPattern of configPaths) {
     } else {
       config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
     }
+    if (isSecureMode || DEBUG_MODE) {
+      console.log(`Config file '${configPath}' loaded successfully.`);
+    }
+    const sensitiveOptions = ["server-url", "include-formulation"];
+    for (const opt of sensitiveOptions) {
+      if (config[opt] !== undefined || config[toCamel(opt)] !== undefined) {
+        const foundKey = config[opt] !== undefined ? opt : toCamel(opt);
+        console.warn(
+          `SECURE MODE: Config file sets '${foundKey}'. Verify this is intentional.`,
+        );
+      }
+    }
   } catch (_e) {
     console.log("Invalid config file", configPath);
   }
@@ -76,6 +89,9 @@ const args = _yargs
   .parserConfiguration({
     "greedy-arrays": false,
     "short-option-groups": false,
+    "dot-notation": false,
+    "parse-numbers": true,
+    "boolean-negation": true,
   })
   .option("output", {
     alias: "o",
@@ -120,6 +136,7 @@ const args = _yargs
   })
   .option("server-url", {
     description: "Dependency track url. Eg: https://deptrack.cyclonedx.io",
+    type: "string",
   })
   .option("skip-dt-tls-check", {
     type: "boolean",
@@ -128,6 +145,7 @@ const args = _yargs
   })
   .option("api-key", {
     description: "Dependency track api key",
+    type: "string",
   })
   .option("project-group", {
     description: "Dependency track project group",
@@ -153,6 +171,24 @@ const args = _yargs
     description: "Dependency track parent project id",
     type: "string",
   })
+  .option("parent-project-name", {
+    description: "Dependency track parent project name",
+    type: "string",
+  })
+  .option("parent-project-version", {
+    description: "Dependency track parent project version",
+    type: "string",
+  })
+  .option("auto-create", {
+    description: "Dependency track autoCreate value for BOM uploads",
+    type: "boolean",
+    hidden: true,
+  })
+  .option("is-latest", {
+    description: "Dependency track isLatest value for BOM uploads",
+    type: "boolean",
+    hidden: true,
+  })
   .option("required-only", {
     type: "boolean",
     description:
@@ -180,10 +216,12 @@ const args = _yargs
   .option("server-host", {
     description: "Listen address",
     default: "127.0.0.1",
+    type: "string",
   })
   .option("server-port", {
     description: "Listen port",
-    default: "9090",
+    default: 9090,
+    type: "number",
   })
   .option("install-deps", {
     type: "boolean",
@@ -229,8 +267,8 @@ const args = _yargs
     hidden: true,
   })
   .option("spec-version", {
-    description: "CycloneDX Specification version to use. Defaults to 1.6",
-    default: 1.6,
+    description: "CycloneDX Specification version to use. Defaults to 1.7",
+    default: 1.7,
     type: "number",
     choices: [1.4, 1.5, 1.6, 1.7],
   })
@@ -355,6 +393,46 @@ const args = _yargs
     default: "CLEAR",
     hidden: true,
   })
+  .option("env-audit", {
+    type: "boolean",
+    description:
+      "Display a pre-generation environment and configuration security assessment",
+    default: false,
+    hidden: true,
+  })
+  .option("bom-audit", {
+    type: "boolean",
+    description: "Perform post-generation security audit of BOM data",
+    default: false,
+    hidden: true,
+  })
+  .option("bom-audit-rules-dir", {
+    description:
+      "Directory containing additional YAML audit rules (merged with built-in)",
+    type: "string",
+    hidden: true,
+  })
+  .option("bom-audit-categories", {
+    description:
+      "Comma-separated list of rule categories to enable (default: all)",
+    type: "string",
+    hidden: true,
+  })
+  .option("bom-audit-min-severity", {
+    description:
+      "Minimum severity to report: low, medium, or high (default: low)",
+    type: "string",
+    choices: ["low", "medium", "high"],
+    default: "low",
+    hidden: true,
+  })
+  .option("bom-audit-fail-severity", {
+    description: "Severity threshold for secure mode failure (default: high)",
+    type: "string",
+    choices: ["high", "medium", "low"],
+    default: "high",
+    hidden: true,
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("type")
   .array("excludeType")
@@ -520,7 +598,7 @@ if (["cbom", "saasbom"].includes(process.argv[1])) {
     }
   }
   options.evidence = true;
-  options.specVersion = 1.6;
+  options.specVersion = 1.7;
   options.deep = true;
 }
 if (process.argv[1].includes("cdxgen-secure")) {
@@ -534,16 +612,29 @@ if (process.argv[1].includes("cdxgen-secure")) {
   process.env.CDXGEN_SECURE_MODE = true;
 }
 if (options.standard) {
-  options.specVersion = 1.6;
+  options.specVersion = 1.7;
 }
 if (options.includeFormulation) {
-  thoughtLog(
-    "Wait, the user wants to include formulation information. Let's warn about accidentally disclosing sensitive data via the BOM files.",
-  );
-  console.log(
-    "NOTE: Formulation section could include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution.\n",
-  );
+  if (options.serverUrl) {
+    thoughtLog(
+      "Wait, the user specified a server URL and wants to include formulation data. Let's warn about accidentally disclosing sensitive data to a remote server.",
+    );
+    console.warn(
+      `\x1b[1;35mWARNING: The formulation section may include sensitive data such as emails and secrets. This data will be submitted to '${options.serverUrl}' automatically.\x1b[0m`,
+    );
+    if (isSecureMode) {
+      process.exit(1);
+    }
+  } else {
+    thoughtLog(
+      "Wait, the user wants to include formulation data. Let's warn about accidentally disclosing sensitive data via the generated BOM.",
+    );
+    console.log(
+      "NOTE: The formulation section may include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution or LLM training.\n",
+    );
+  }
 }
+
 /**
  * Method to apply advanced options such as profile and lifecycles
  *
@@ -560,11 +651,13 @@ const applyAdvancedOptions = (options) => {
   switch (options.profile) {
     case "appsec":
       options.deep = true;
+      options.bomAudit = true;
       break;
     case "research":
       options.deep = true;
       options.evidence = true;
       options.includeCrypto = true;
+      options.bomAudit = true;
       process.env.CDX_MAVEN_INCLUDE_TEST_SCOPE = "true";
       process.env.ASTGEN_IGNORE_DIRS = "";
       process.env.ASTGEN_IGNORE_FILE_PATTERN = "";
@@ -575,10 +668,12 @@ const applyAdvancedOptions = (options) => {
       } else {
         options.projectType = ["os"];
       }
+      options.bomAudit = true;
       break;
     case "threat-modeling":
       options.deep = true;
       options.evidence = true;
+      options.bomAudit = true;
       break;
     case "license-compliance":
       process.env.FETCH_LICENSE = "true";
@@ -589,6 +684,7 @@ const applyAdvancedOptions = (options) => {
       options.evidence = false;
       options.includeCrypto = false;
       options.installDeps = false;
+      options.bomAudit = false;
       break;
     case "machine-learning":
     case "ml":
@@ -605,6 +701,7 @@ const applyAdvancedOptions = (options) => {
       options.evidence = true;
       options.includeCrypto = true;
       options.installDeps = !isSecureMode;
+      options.bomAudit = true;
       break;
     default:
       break;
@@ -640,7 +737,7 @@ const applyAdvancedOptions = (options) => {
         ].includes(options.projectType[0])
       ) {
         console.log(
-          "PREVIEW: post-build lifecycle SBOM generation is supported only for android, dotnet, go, and Rust projects. Please specify the type using the -t argument.",
+          "PREVIEW: post-build lifecycle SBOM generation is supported only for limited project types.",
         );
         process.exit(1);
       }
@@ -670,10 +767,23 @@ const applyAdvancedOptions = (options) => {
       "I must avoid any package installations and focus solely on the available artefacts, such as lock files.",
     );
   }
+  if (options.bomAudit) {
+    if (!options.includeFormulation) {
+      console.log(
+        "NOTE: Automatically collecting formulation information. The section may include sensitive data such as emails and secrets.\nPlease review the generated SBOM before distribution or LLM training.\n",
+      );
+    }
+    options.includeFormulation = true;
+  }
   return options;
 };
 applyAdvancedOptions(options);
 
+const envAuditFindings = auditEnvironment();
+if (options.envAudit) {
+  displaySelfThreatModel(filePath, config, options, envAuditFindings);
+}
+
 /**
  * Check for node >= 20 permissions
  *
@@ -786,22 +896,6 @@ const checkPermissions = (filePath, options) => {
         return false;
       }
     }
-    if (!process.permission.has("fs.write", process.env.ATOM_DB || ATOM_DB)) {
-      console.log(
-        `SECURE MODE: FileSystemWrite permission is required to create the output slices file. Please invoke cdxgen with the argument --allow-fs-write="${process.env.ATOM_DB || ATOM_DB}"`,
-      );
-      return false;
-    }
-    console.log(
-      "TIP: Invoke cdxgen with `--allow-addons` to allow the use of sqlite3 native addon. This addon is required for evidence mode.",
-    );
-  } else {
-    if (process.permission.has("fs.write", process.env.ATOM_DB || ATOM_DB)) {
-      console.log(
-        `SECURE MODE: FileSystemWrite permission is not required for the directory "${process.env.ATOM_DB || ATOM_DB}" in non-evidence mode. Consider removing the argument --allow-fs-write="${process.env.ATOM_DB || ATOM_DB}".`,
-      );
-      return false;
-    }
   }
   if (!process.permission.has("fs.write", getTmpDir())) {
     console.log(
@@ -843,12 +937,15 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
   printSponsorBanner(options);
   // Our quest to audit and check the SBOM generation environment to prevent our users from getting exploited
   // during SBOM generation.
-  const envWarnings = auditEnvironment();
-  if (envWarnings?.length) {
-    for (const w of envWarnings) {
-      console.log(`SECURE MODE: ${w}`);
+  if (envAuditFindings?.length) {
+    for (const f of envAuditFindings) {
+      console.log(`SECURE MODE: ${f.variable}: ${f.message}`);
     }
-    if (isSecureMode) {
+    // Only abort in secure mode for high or critical findings; low/medium are informational.
+    if (
+      isSecureMode &&
+      envAuditFindings.some((f) => ["high", "critical"].includes(f.severity))
+    ) {
       process.exit(1);
     }
   }
@@ -873,7 +970,38 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     );
   }
   // Add extra metadata and annotations with post processing
-  bomNSData = postProcess(bomNSData, options);
+  bomNSData = postProcess(bomNSData, options, filePath);
+  if (options.bomAudit && bomNSData?.bomJson) {
+    const {
+      auditBom,
+      formatAnnotations,
+      formatConsoleOutput,
+      hasCriticalFindings,
+    } = await import("../lib/stages/postgen/auditBom.js");
+    thoughtLog("Let's run security audit...");
+    const postAuditFindings = await auditBom(bomNSData.bomJson, options);
+    if (postAuditFindings.length) {
+      formatConsoleOutput(postAuditFindings);
+    } else if (DEBUG_MODE) {
+      console.log("BOM audit: No findings");
+    }
+    if (postAuditFindings.length && options.specVersion >= 1.4) {
+      bomNSData.bomJson.annotations = [
+        ...(bomNSData.bomJson.annotations || []),
+        ...formatAnnotations(postAuditFindings, bomNSData.bomJson),
+      ];
+      thoughtLog(
+        `Embedded ${postAuditFindings.length} audit findings as CycloneDX annotations`,
+      );
+    }
+    if (isSecureMode && hasCriticalFindings(postAuditFindings, options)) {
+      console.error("\nSecure mode: Critical audit findings detected.");
+      console.error(
+        "Review findings above or adjust --bom-audit-fail-severity to proceed.",
+      );
+      process.exit(1);
+    }
+  }
   if (
     options.output &&
     (typeof options.output === "string" || options.output instanceof String)
@@ -972,71 +1100,41 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
           }
         }
         try {
-          // Sign the individual components
-          // Let's leave the services unsigned for now since it might require additional cleansing
           const bomJsonUnsignedObj = JSON.parse(jsonPayload);
-          for (const comp of bomJsonUnsignedObj.components) {
-            const compSignature = jws.sign({
-              header: { alg },
-              payload: comp,
-              privateKey: privateKeyToUse,
-            });
-            const compSignatureBlock = {
-              algorithm: alg,
-              value: compSignature,
-            };
-            if (jwkPublicKey) {
-              compSignatureBlock.publicKey = jwkPublicKey;
-            }
-            comp.signature = compSignatureBlock;
-          }
-          const signature = jws.sign({
-            header: { alg },
-            payload: JSON.stringify(bomJsonUnsignedObj, null, 2),
+          const signOptions = {
             privateKey: privateKeyToUse,
-          });
-          if (signature) {
-            const signatureBlock = {
-              algorithm: alg,
-              value: signature,
-            };
-            if (jwkPublicKey) {
-              signatureBlock.publicKey = jwkPublicKey;
-            }
-            bomJsonUnsignedObj.signature = signatureBlock;
-            fs.writeFileSync(
-              jsonFile,
-              JSON.stringify(
-                bomJsonUnsignedObj,
-                null,
-                options.jsonPretty ? 2 : null,
-              ),
-            );
-            thoughtLog(`Signing the BOM file "${jsonFile}".`);
-            if (publicKeyFile) {
-              // Verifying this signature
-              const signatureVerification = jws.verify(
-                signature,
+            algorithm: alg,
+            publicKeyJwk: jwkPublicKey,
+            mode: process.env.SBOM_SIGN_MODE || "replace",
+            signComponents: true,
+            signServices: true,
+            signAnnotations: true,
+          };
+          thoughtLog(`Signing the BOM file "${jsonFile}".`);
+          const signedBom = signBom(bomJsonUnsignedObj, signOptions);
+          fs.writeFileSync(
+            jsonFile,
+            JSON.stringify(signedBom, null, options.jsonPretty ? 2 : null),
+          );
+          if (publicKeyFile) {
+            const publicKeyStr = fs.readFileSync(publicKeyFile, "utf8");
+            const signatureVerification = verifyBom(signedBom, publicKeyStr);
+            if (signatureVerification) {
+              console.log(
+                "SBOM signature is verifiable natively with the public key and the algorithm",
+                publicKeyFile,
                 alg,
-                fs.readFileSync(publicKeyFile, "utf8"),
               );
-              if (signatureVerification) {
-                console.log(
-                  "SBOM signature is verifiable with the public key and the algorithm",
-                  publicKeyFile,
-                  alg,
-                );
-              } else {
-                console.log("SBOM signature verification was unsuccessful");
-                console.log(
-                  "Check if the public key was exported in PEM format",
-                );
-              }
+            } else {
+              console.log("SBOM signature verification was unsuccessful");
+              console.log("Check if the public key was exported in PEM format");
             }
           }
         } catch (ex) {
-          console.log("SBOM signing was unsuccessful", ex);
-          console.log("Check if the private key was exported in PEM format");
+          console.log("SBOM signing was unsuccessful:", ex.message);
+          console.log(
+            "Check if the private key was exported in PEM format and the algorithm is JSF-compliant.",
+          );
         }
       }
     }
@@ -1068,7 +1166,6 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       input: options.output,
       output: options.evinseOutput,
       language: options.projectType,
-      dbPath: process.env.ATOM_DB || ATOM_DB,
       skipMavenCollector: false,
       force: false,
       withReachables: options.deep,