@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/cli/index.js

@@ -2,9 +2,9 @@ import { Buffer } from "node:buffer";
 import {
   accessSync,
   constants,
-  existsSync,
   lstatSync,
   mkdtempSync,
+  readdirSync,
   readFileSync,
   rmSync,
   statSync,
@@ -19,22 +19,19 @@ import got from "got";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
 import { parse } from "ssri";
-import { table } from "table";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
 import { findJSImportsExports } from "../helpers/analyzer.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
-import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
-import {
-  collectEnvInfo,
-  GIT_COMMAND,
-  getBranch,
-  getOriginUrl,
-  gitTreeHashes,
-  listFiles,
-} from "../helpers/envcontext.js";
+import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
+import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
+import {
+  buildDependencyTrackBomPayload,
+  getDependencyTrackBomUrl,
+} from "../helpers/remote/dependency-track.js";
+import { table } from "../helpers/table.js";
 import {
   addEvidenceForDotnet,
   addEvidenceForImports,
@@ -176,6 +173,14 @@ import {
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
+import {
+  cleanupTempDir,
+  collectInstalledExtensions,
+  discoverIdeExtensionDirs,
+  extractVsixToTempDir,
+  parseVsixFile,
+  VSCODE_EXTENSION_PURL_TYPE,
+} from "../helpers/vsixutils.js";
 import {
   executeOsQuery,
   getBinaryBom,
@@ -438,160 +443,6 @@ const addLifecyclesSection = (options) => {
   return lifecycles;
 };
 
-/**
- * Method to generate the formulation section based on git metadata
- *
- * @param {Object} options
- * @param {Object} context Context
- * @returns {Array} formulation array
- */
-const addFormulationSection = (options, context) => {
-  const formulation = [];
-  const provides = [];
-  const gitBranch = getBranch();
-  const originUrl = getOriginUrl();
-  const gitFiles = listFiles();
-  const treeHashes = gitTreeHashes();
-  let parentOmniborId;
-  let treeOmniborId;
-  let components = [];
-  const aformulation = {};
-  // Reuse any existing formulation components
-  // See: PR #1172
-  if (context?.formulationList?.length) {
-    components = components.concat(trimComponents(context.formulationList));
-  }
-  if (options.specVersion >= 1.6 && Object.keys(treeHashes).length === 2) {
-    parentOmniborId = `gitoid:blob:sha1:${treeHashes.parent}`;
-    treeOmniborId = `gitoid:blob:sha1:${treeHashes.tree}`;
-    components.push({
-      type: "file",
-      name: "git-parent",
-      description: "Git Parent Node.",
-      "bom-ref": parentOmniborId,
-      omniborId: [parentOmniborId],
-      swhid: [`swh:1:rev:${treeHashes.parent}`],
-    });
-    components.push({
-      type: "file",
-      name: "git-tree",
-      description: "Git Tree Node.",
-      "bom-ref": treeOmniborId,
-      omniborId: [treeOmniborId],
-      swhid: [`swh:1:rev:${treeHashes.tree}`],
-    });
-    provides.push({
-      ref: parentOmniborId,
-      provides: [treeOmniborId],
-    });
-  }
-  // Collect git related components
-  if (gitBranch && gitFiles) {
-    const gitFileComponents = gitFiles.map((f) =>
-      options.specVersion >= 1.6
-        ? {
-            type: "file",
-            name: f.name,
-            version: f.hash,
-            omniborId: [f.omniborId],
-            swhid: [f.swhid],
-          }
-        : {
-            type: "file",
-            name: f.name,
-            version: f.hash,
-          },
-    );
-    components = components.concat(gitFileComponents);
-    // Complete the Artifact Dependency Graph
-    if (options.specVersion >= 1.6 && treeOmniborId) {
-      provides.push({
-        ref: treeOmniborId,
-        provides: gitFiles.map((f) => f.ref),
-      });
-    }
-  }
-  // Collect build environment details
-  const infoComponents = collectEnvInfo(options.path);
-  if (infoComponents?.length) {
-    components = components.concat(infoComponents);
-  }
-  // Should we include the OS crypto libraries
-  if (options.includeCrypto) {
-    const cryptoLibs = collectOSCryptoLibs(options);
-    if (cryptoLibs?.length) {
-      components = components.concat(cryptoLibs);
-    }
-  }
-  aformulation["bom-ref"] = uuidv4();
-  aformulation.components = trimComponents(components);
-  let environmentVars = gitBranch?.length
-    ? [{ name: "GIT_BRANCH", value: gitBranch }]
-    : [];
-  const envPrefixes = [
-    "GIT",
-    "ANDROID",
-    "DENO",
-    "DOTNET",
-    "JAVA_",
-    "SDKMAN",
-    "CARGO",
-    "CONDA",
-    "RUST",
-    "GEM_",
-    "SCALA_",
-    "MAVEN_",
-    "GRADLE_",
-    "NODE_",
-  ];
-  const envBlocklist = [
-    "key",
-    "token",
-    "pass",
-    "secret",
-    "user",
-    "email",
-    "auth",
-    "session",
-    "proxy",
-    "cred",
-  ];
-
-  for (const aevar of Object.keys(process.env)) {
-    const lower = aevar.toLowerCase();
-    const value = process.env[aevar] ?? "";
-    if (
-      envPrefixes.some((p) => aevar.startsWith(p)) &&
-      !envBlocklist.some((b) => lower.includes(b)) &&
-      !envBlocklist.some((b) => value.includes(b)) &&
-      value.length
-    ) {
-      environmentVars.push({
-        name: aevar,
-        value,
-      });
-    }
-  }
-  if (!environmentVars.length) {
-    environmentVars = undefined;
-  }
-  let sourceInput;
-  if (environmentVars) {
-    sourceInput = { environmentVars };
-  }
-  const sourceWorkflow = {
-    "bom-ref": uuidv4(),
-    uid: uuidv4(),
-    taskTypes: originUrl ? ["build", "clone"] : ["build"],
-  };
-  if (sourceInput) {
-    sourceWorkflow.inputs = [sourceInput];
-  }
-  aformulation.workflows = [sourceWorkflow];
-  formulation.push(aformulation);
-  return { formulation, provides };
-};
-
 /**
  * Function to create metadata block
  *
@@ -1000,6 +851,7 @@ function addExternalReferences(opkg) {
  * @param {Object} allImports All imports
  * @param {Object} pkg Package object
  * @param {string} ptype Package type
+ * @returns {Object[]} Array of component objects
  */
 export function listComponents(options, allImports, pkg, ptype = "npm") {
   const compMap = {};
@@ -1067,6 +919,15 @@ function addComponent(
       purl = undefined;
       purlString = undefined;
     }
+    // Some applications like github workflow steps and commands do not have purl
+    if (
+      pkg.purl === undefined &&
+      !pkg?.["bom-ref"]?.startsWith("pkg:") &&
+      pkg?.type === "application"
+    ) {
+      purl = undefined;
+      purlString = undefined;
+    }
     const description = pkg.description || undefined;
     let compScope = pkg.scope;
     if (allImports) {
@@ -1106,7 +967,12 @@ function addComponent(
       component.data = pkg.data || undefined;
     }
     component["type"] = determinePackageType(pkg);
-    component["bom-ref"] = decodeURIComponent(purlString);
+    if (purlString) {
+      component["bom-ref"] = decodeURIComponent(purlString);
+    } else if (pkg["bom-ref"]) {
+      component["bom-ref"] = pkg["bom-ref"];
+    }
+
     if (
       component.externalReferences === undefined ||
       component.externalReferences.length === 0
@@ -1136,6 +1002,18 @@ function addComponent(
       }
       delete component.authors;
     }
+    // Downgrade from 1.7
+    if (options.specVersion < 1.7) {
+      if (component.isExternal) {
+        delete component.isExternal;
+      }
+      if (component.versionRange) {
+        console.warn(
+          `Version Range is not supported in ${options.specVersion} specifications. Please run cdxgen with --spec-version 1.7`,
+        );
+        delete component.versionRange;
+      }
+    }
     // Retain any tags
     if (
       options.specVersion >= 1.6 &&
@@ -1155,12 +1033,10 @@ function addComponent(
     if (pkg.components) {
       component.components = pkg.components;
     }
+    const compMapKey = component.purl || component["bom-ref"];
     // Issue: 1353. We need to keep merging the properties
-    if (compMap[component.purl]) {
-      const mergedComponents = trimComponents([
-        compMap[component.purl],
-        component,
-      ]);
+    if (compMap[compMapKey]) {
+      const mergedComponents = trimComponents([compMap[compMapKey], component]);
       if (mergedComponents?.length === 1) {
         component = mergedComponents[0];
       }
@@ -1196,7 +1072,7 @@ function addComponent(
         component.evidence.identity = pkg.evidence.identity[0];
       }
     }
-    compMap[component.purl] = component;
+    compMap[compMapKey] = component;
   }
   if (pkg.dependencies) {
     Object.keys(pkg.dependencies)
@@ -1380,24 +1256,22 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     // CycloneDX Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || "1.5"}`,
+      specVersion: `${options.specVersion || "1.7"}`,
       serialNumber: serialNum,
       version: 1,
       metadata: metadata,
       components,
       dependencies,
     };
-    const formulationData =
-      options.includeFormulation && options.specVersion >= 1.5
-        ? addFormulationSection(options, context)
-        : undefined;
-    if (formulationData) {
-      jsonTpl.formulation = formulationData.formulation;
-    }
     bomNSData.bomJson = jsonTpl;
     bomNSData.nsMapping = nsMapping;
     bomNSData.dependencies = dependencies;
     bomNSData.parentComponent = parentComponent;
+    // Carry language-specific formulation data (e.g. Pixi) so that
+    // postProcess can merge it when building the final formulation section.
+    if (context?.formulationList?.length) {
+      bomNSData.formulationList = context.formulationList;
+    }
   }
   return bomNSData;
 };
@@ -1489,6 +1363,7 @@ export async function createJarBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object|undefined} BOM object
  */
 export function createAndroidBom(path, options) {
   return createBinaryBom(path, options);
@@ -1499,6 +1374,7 @@ export function createAndroidBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object|undefined} BOM object
  */
 export function createBinaryBom(path, options) {
   const tempDir = mkdtempSync(join(getTmpDir(), "blint-tmp-"));
@@ -1522,6 +1398,7 @@ export function createBinaryBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createJavaBom(path, options) {
   let jarNSMapping = {};
@@ -1617,6 +1494,8 @@ export async function createJavaBom(path, options) {
     }
     let result;
     let mvnArgs;
+    // FIXME: How do we motivate everyone to upgrade to 1.7?
+    const toolsSpecVersion = 1.6;
     if (isQuarkus) {
       thoughtLog(
         "This appears to be a Quarkus project. Let's use the right Maven plugin.",
@@ -1627,12 +1506,14 @@ export async function createJavaBom(path, options) {
         "quarkus:dependency-sbom",
         "-Dquarkus.analytics.disabled=true",
       ];
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
         mvnArgs = mvnArgs.concat(
-          `-Dquarkus.dependency.sbom.schema-version=${options.specVersion}`,
+          `-Dquarkus.dependency.sbom.schema-version=${toolsSpecVersion}`,
         );
       }
     } else {
+      // FIXME: The last maven plugin release was on November 28th, 2024.
+      // Should we fork this repo and maintain it ourselves?
       const cdxMavenPlugin =
         process.env.CDX_MAVEN_PLUGIN ||
         "org.cyclonedx:cyclonedx-maven-plugin:2.9.1";
@@ -1654,9 +1535,11 @@ export async function createJavaBom(path, options) {
         const addArgs = process.env.MVN_ARGS.split(" ");
         mvnArgs = mvnArgs.concat(addArgs);
       }
-      // specVersion 1.4 doesn't support externalReferences.type=disribution-intake
+      // specVersion 1.4 doesn't support externalReferences.type=distribution-intake
       // so we need to run the plugin with the correct version
-      if (options.specVersion) {
+      if (options.specVersion >= 1.6) {
+        mvnArgs = mvnArgs.concat(`-DschemaVersion=${toolsSpecVersion}`);
+      } else if (options.specVersion > 1.4) {
         mvnArgs = mvnArgs.concat(`-DschemaVersion=${options.specVersion}`);
       }
     }
@@ -2769,6 +2652,7 @@ export async function createJavaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createNodejsBom(path, options) {
   let pkgList = [];
@@ -2849,6 +2733,21 @@ export async function createNodejsBom(path, options) {
     `${options.multiProject ? "**/" : ""}bower.json`,
     options,
   );
+  if (DEBUG_MODE) {
+    const wasmFiles = getAllFiles(
+      path,
+      `${options.multiProject ? "**/" : ""}*.wasm`,
+      {
+        ...options,
+        includeNodeModulesDir: true,
+      },
+    );
+    if (wasmFiles?.length) {
+      console.log(
+        `Found ${wasmFiles.length} wasm files in this project. cdxgen will make a best attempt to identify the exports and imports from these files.`,
+      );
+    }
+  }
   // Parse min js files
   if (minJsFiles?.length) {
     manifestFiles = manifestFiles.concat(minJsFiles);
@@ -3203,8 +3102,9 @@ export async function createNodejsBom(path, options) {
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
-      const pnpmHooks = join(basePath, ".pnpmfile.cjs");
-      if (safeExistsSync(pnpmHooks)) {
+      const pnpmCjsHooks = join(basePath, ".pnpmfile.cjs");
+      const pnpmMjsHooks = join(basePath, ".pnpmfile.mjs");
+      if (safeExistsSync(pnpmMjsHooks) || safeExistsSync(pnpmCjsHooks)) {
         thoughtLog("Wait, this pnpm project uses install hooks.");
       }
       if (!Object.keys(parentComponent).length) {
@@ -3367,6 +3267,7 @@ export async function createNodejsBom(path, options) {
     const pnpmLock = join(path, "common", "config", "rush", "pnpm-lock.yaml");
     if (safeExistsSync(swFile)) {
       let pkgList = await parseNodeShrinkwrap(swFile);
+      pkgList = addWasmComponentsFromImports(pkgList, allImports);
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
           pkgList,
@@ -3383,9 +3284,13 @@ export async function createNodejsBom(path, options) {
     }
     if (safeExistsSync(pnpmLock)) {
       const pnpmLockObj = await parsePnpmLock(pnpmLock);
+      let pkgList = addWasmComponentsFromImports(
+        pnpmLockObj.pkgList,
+        allImports,
+      );
       if (allImports && Object.keys(allImports).length) {
         pkgList = await addEvidenceForImports(
-          pnpmLockObj.pkgList,
+          pkgList,
           allImports,
           allExports,
           options.deep,
@@ -3662,6 +3567,7 @@ export async function createNodejsBom(path, options) {
     options.parentComponent = parentComponent;
   }
   if (allImports && Object.keys(allImports).length) {
+    pkgList = addWasmComponentsFromImports(pkgList, allImports);
     pkgList = await addEvidenceForImports(
       pkgList,
       allImports,
@@ -3677,6 +3583,84 @@ export async function createNodejsBom(path, options) {
   });
 }
 
+const WASM_IMPORT_PATTERN = /\.wasm([?#].*)?$/i;
+
+/**
+ * Adds generic wasm components from discovered source imports.
+ *
+ * @param {Array<Object>} pkgList Node.js package list
+ * @param {Object} allImports analyzer imports map
+ * @returns {Array<Object>} pkgList enriched with wasm components
+ */
+const addWasmComponentsFromImports = (pkgList, allImports) => {
+  if (!allImports || !Object.keys(allImports).length) {
+    return pkgList;
+  }
+  const existingPurls = new Set();
+  for (const pkg of pkgList) {
+    if (pkg?.purl) {
+      existingPurls.add(pkg.purl);
+    }
+  }
+  for (const [importPath, occurrences] of Object.entries(allImports)) {
+    if (!WASM_IMPORT_PATTERN.test(importPath)) {
+      continue;
+    }
+    const cleanImportPath = importPath.replace(/[?#].*$/, "");
+    const normalizedImportPath = cleanImportPath
+      .replace(/\\/g, "/")
+      .replace(/^\.\//, "");
+    const wasmComponentName = normalizedImportPath || cleanImportPath;
+    const wasmFileName = basename(cleanImportPath);
+    if (!allImports[wasmComponentName]) {
+      allImports[wasmComponentName] = new Set();
+    }
+    for (const occurrence of occurrences) {
+      allImports[wasmComponentName].add(occurrence);
+    }
+    const wasmPurl = new PackageURL(
+      "generic",
+      "",
+      wasmFileName,
+      "",
+      normalizedImportPath ? { path: normalizedImportPath } : undefined,
+      undefined,
+    ).toString();
+    if (existingPurls.has(wasmPurl)) {
+      continue;
+    }
+    const firstOccurrence = Array.from(occurrences)[0];
+    const srcFile = firstOccurrence?.importedAs || importPath;
+    pkgList.push({
+      name: wasmComponentName,
+      type: "library",
+      purl: wasmPurl,
+      "bom-ref": wasmPurl,
+      properties: [
+        {
+          name: "SrcFile",
+          value: srcFile,
+        },
+      ],
+      evidence: {
+        identity: {
+          field: "purl",
+          confidence: 0.3,
+          methods: [
+            {
+              technique: "filename",
+              confidence: 0.3,
+              value: srcFile,
+            },
+          ],
+        },
+      },
+    });
+    existingPurls.add(wasmPurl);
+  }
+  return pkgList;
+};
+
 /**
  * Function to create bom string for Projects that use Pixi package manager.
  * createPixiBom is based on createPythonBom.
@@ -3687,6 +3671,7 @@ export async function createNodejsBom(path, options) {
  *
  * @param {String} path
  * @param {Object} options
+ * @returns {Object | null} BOM object, or `null` when `pixi.lock` is absent and `options.installDeps` is false
  */
 export function createPixiBom(path, options) {
   const allImports = {};
@@ -3765,6 +3750,7 @@ export function createPixiBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createPythonBom(path, options) {
   let allImports = {};
@@ -4306,6 +4292,7 @@ export async function createPythonBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object | undefined>} Promise resolving to a BOM object or `undefined`
  */
 export async function createGoBom(path, options) {
   let pkgList = [];
@@ -4732,6 +4719,7 @@ export async function createGoBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to a BOM object or undefined
  */
 export async function createRustBom(path, options) {
   let pkgList = [];
@@ -4871,6 +4859,7 @@ export async function createRustBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createDartBom(path, options) {
   const pubFiles = getAllFiles(
@@ -4942,6 +4931,7 @@ export async function createDartBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createCppBom(path, options) {
   let parentComponent;
@@ -5153,6 +5143,7 @@ export function createCppBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createClojureBom(path, options) {
   const ednFiles = getAllFiles(
@@ -5270,6 +5261,7 @@ export function createClojureBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createHaskellBom(path, options) {
   const cabalFiles = getAllFiles(
@@ -5302,6 +5294,7 @@ export function createHaskellBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createElixirBom(path, options) {
   const mixFiles = getAllFiles(
@@ -5334,6 +5327,7 @@ export function createElixirBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createGitHubBom(path, options) {
   const ghactionFiles = getAllFiles(
@@ -5365,6 +5359,7 @@ export function createGitHubBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createCloudBuildBom(path, options) {
   const cbFiles = getAllFiles(path, "cloudbuild.yml", options);
@@ -5393,6 +5388,7 @@ export function createCloudBuildBom(path, options) {
  *
  * @param {string} _path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export function createOSBom(_path, options) {
   console.warn(
@@ -5451,6 +5447,7 @@ export function createOSBom(_path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createJenkinsBom(path, options) {
   let pkgList = [];
@@ -5500,6 +5497,7 @@ export async function createJenkinsBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createHelmBom(path, options) {
   let pkgList = [];
@@ -5532,6 +5530,7 @@ export function createHelmBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createSwiftBom(path, options) {
   const swiftFiles = getAllFiles(
@@ -5676,6 +5675,7 @@ export async function createSwiftBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object | undefined>} Promise resolving to a BOM object, or `undefined` when no Podfiles are found
  */
 export async function createCocoaBom(path, options) {
   const cocoaFiles = getAllFiles(
@@ -5692,7 +5692,7 @@ export async function createCocoaBom(path, options) {
   for (const podFile of cocoaFiles) {
     const projectPath = dirname(podFile);
     const lockFile = `${podFile}.lock`;
-    if (!existsSync(lockFile) || options.deep) {
+    if (!safeExistsSync(lockFile) || options.deep) {
       if (options.installDeps) {
         executePodCommand(["install"], projectPath, options);
       } else {
@@ -5830,6 +5830,7 @@ export async function createCocoaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createNixBom(path, options) {
   let pkgList = [];
@@ -5952,6 +5953,7 @@ export async function createNixBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createCaxaBom(path, options) {
   let pkgList = [];
@@ -6003,6 +6005,7 @@ export async function createCaxaBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createContainerSpecLikeBom(path, options) {
   let services = [];
@@ -6331,6 +6334,7 @@ export async function createContainerSpecLikeBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Object} BOM object
  */
 export function createPHPBom(path, options) {
   let dependencies = [];
@@ -6438,7 +6442,7 @@ export function createPHPBom(path, options) {
         // Track all the modules in a mono-repo
         if (!Object.keys(parentComponent).length) {
           parentComponent = { ...moduleParent };
-        } else {
+        } else if (moduleParent?.["bom-ref"]) {
           parentComponent.components = parentComponent.components || [];
           parentComponent.components.push(moduleParent);
         }
@@ -6454,7 +6458,9 @@ export function createPHPBom(path, options) {
           dependencies.splice(0, 0, {
             ref: moduleParent["bom-ref"],
             dependsOn: [
-              ...new Set(retMap.rootList.map((p) => p["bom-ref"])),
+              ...new Set(
+                retMap.rootList.map((p) => p["bom-ref"]).filter(Boolean),
+              ),
             ].sort(),
           });
         }
@@ -6467,9 +6473,9 @@ export function createPHPBom(path, options) {
     }
     // Complete the root dependency tree
     if (parentComponent?.components?.length) {
-      const parentDependsOn = parentComponent.components.map(
-        (d) => d["bom-ref"],
-      );
+      const parentDependsOn = parentComponent.components
+        .map((d) => d["bom-ref"])
+        .filter(Boolean);
       dependencies = mergeDependencies(
         [{ ref: parentComponent["bom-ref"], dependsOn: parentDependsOn }],
         dependencies,
@@ -6491,6 +6497,7 @@ export function createPHPBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createRubyBom(path, options) {
   // We can look for gem files within node_modules directory
@@ -6744,6 +6751,7 @@ export async function createRubyBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to BOM object
  */
 export async function createCsharpBom(path, options) {
   let manifestFiles = [];
@@ -7179,11 +7187,202 @@ export async function createCsharpBom(path, options) {
   });
 }
 
+/**
+ * Function to create BOM for VS Code / IDE extensions.
+ * Supports two modes:
+ * 1. Directory scan: Discovers `.vsix` files and installed extension directories
+ * 2. IDE discovery: Automatically finds extensions installed by known IDEs
+ *
+ * @param {string} path to the project or directory to scan
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createVscodeExtensionBom(path, options) {
+  let pkgList = [];
+  let dependencies = [];
+  const tempDirs = [];
+
+  // Mode 1: Scan for .vsix files in the given directory, or treat the input
+  // path as a single .vsix file.
+  let vsixFiles = [];
+  if (path.endsWith(".vsix")) {
+    vsixFiles = [resolve(path)];
+  } else {
+    vsixFiles = getAllFiles(
+      path,
+      `${options.multiProject ? "**/" : ""}*.vsix`,
+      options,
+    );
+  }
+  if (vsixFiles.length) {
+    if (DEBUG_MODE) {
+      console.log(`Found ${vsixFiles.length} .vsix file(s) to parse`);
+    }
+    for (const f of vsixFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      // Get the extension component metadata
+      const component = await parseVsixFile(f);
+      if (component) {
+        pkgList.push(component);
+      }
+      // Extract the vsix to a temp dir and run deep analysis
+      const extractedDir = await extractVsixToTempDir(f);
+      if (extractedDir) {
+        tempDirs.push(extractedDir);
+        const deepResult = await analyzeExtensionDir(extractedDir, options);
+        if (deepResult.pkgList.length) {
+          pkgList = pkgList.concat(deepResult.pkgList);
+        }
+        if (deepResult.dependencies.length) {
+          dependencies = mergeDependencies(
+            dependencies,
+            deepResult.dependencies,
+          );
+        }
+      }
+    }
+  }
+
+  // Mode 2: Auto-discover extensions from known IDE locations
+  if (options.deep || options.projectType?.includes("ide-extensions")) {
+    const ideDirs = discoverIdeExtensionDirs();
+    if (ideDirs.length) {
+      if (DEBUG_MODE) {
+        console.log(
+          `Discovered IDE extension directories: ${ideDirs.map((d) => `${d.name}: ${d.dir}`).join(", ")}`,
+        );
+      }
+      const ideExtensions = collectInstalledExtensions(ideDirs);
+      if (ideExtensions.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${ideExtensions.length} IDE extension(s) from ${ideDirs.length} IDE location(s)`,
+          );
+        }
+        pkgList = pkgList.concat(ideExtensions);
+        // Deep analysis for IDE extension directories
+        for (const ideDir of ideDirs) {
+          await analyzeInstalledExtensionDirs(
+            ideDir.dir,
+            options,
+            pkgList,
+            dependencies,
+          );
+        }
+      }
+    }
+  }
+
+  // Clean up temp directories from vsix extraction
+  for (const td of tempDirs) {
+    cleanupTempDir(td);
+  }
+  pkgList = trimComponents(pkgList);
+  return buildBomNSData(options, pkgList, VSCODE_EXTENSION_PURL_TYPE, {
+    src: path,
+    filename: vsixFiles.join(", "),
+    nsMapping: {},
+    dependencies,
+  });
+}
+
+/**
+ * Analyze an extracted extension directory for bundled dependencies.
+ * Looks for npm lock files, node_modules, package.json files, minified JS,
+ * and runs the babel-based analyzer on the source.
+ *
+ * @param {string} extDir Path to the extracted extension directory
+ * @param {Object} options CLI options
+ * @returns {Promise<{pkgList: Object[], dependencies: Object[]}>}
+ */
+async function analyzeExtensionDir(extDir, options) {
+  const pkgList = [];
+  let dependencies = [];
+  // Check if the extension directory contains node.js project artifacts
+  const hasPackageJson = safeExistsSync(join(extDir, "package.json"));
+  const hasNodeModules = safeExistsSync(join(extDir, "node_modules"));
+  const hasLockFile =
+    safeExistsSync(join(extDir, "package-lock.json")) ||
+    safeExistsSync(join(extDir, "yarn.lock")) ||
+    safeExistsSync(join(extDir, "pnpm-lock.yaml"));
+
+  // If there are lock files or node_modules, run the full Node.js BOM generator
+  if (hasPackageJson && (hasLockFile || hasNodeModules)) {
+    if (DEBUG_MODE) {
+      console.log(
+        `Running Node.js BOM analysis on extension directory: ${extDir}`,
+      );
+    }
+    const nodeBomOptions = {
+      ...options,
+      path: extDir,
+      multiProject: true,
+      installDeps: false,
+      noBabel: false,
+      projectType: ["js"],
+    };
+    const bomData = await createNodejsBom(extDir, nodeBomOptions);
+    if (bomData?.bomJson?.components?.length) {
+      for (const comp of bomData.bomJson.components) {
+        pkgList.push(comp);
+      }
+    }
+    if (bomData?.bomJson?.dependencies?.length) {
+      dependencies = mergeDependencies(
+        dependencies,
+        bomData.bomJson.dependencies,
+      );
+    }
+    return { pkgList, dependencies };
+  }
+  return { pkgList, dependencies };
+}
+
+/**
+ * Run deep analysis on installed extension subdirectories within a parent
+ * extensions directory. Each subdirectory represents an installed extension.
+ *
+ * @param {string} extensionsDir Parent directory containing extension subdirs
+ * @param {Object} options CLI options
+ * @param {Object[]} pkgList Mutable array to push discovered components into
+ * @param {Object[]} dependencies Mutable array to merge dependencies into
+ */
+async function analyzeInstalledExtensionDirs(
+  extensionsDir,
+  options,
+  pkgList,
+  dependencies,
+) {
+  let entries;
+  try {
+    entries = readdirSync(extensionsDir, { withFileTypes: true });
+  } catch (_e) {
+    return;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory() || entry.name.startsWith(".")) {
+      continue;
+    }
+    const extDir = join(extensionsDir, entry.name);
+    const deepResult = await analyzeExtensionDir(extDir, options);
+    if (deepResult.pkgList.length) {
+      pkgList.push(...deepResult.pkgList);
+    }
+    if (deepResult.dependencies.length) {
+      const merged = mergeDependencies(dependencies, deepResult.dependencies);
+      dependencies.splice(0, dependencies.length, ...merged);
+    }
+  }
+}
+
 /**
  * Function to create bom object for cryptographic certificate files
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createCryptoCertsBom(path, options) {
   const pkgList = [];
@@ -7220,191 +7419,6 @@ export async function createCryptoCertsBom(path, options) {
   };
 }
 
-export function mergeDependencies(
-  dependencies,
-  newDependencies,
-  parentComponent = {},
-) {
-  if (!parentComponent && DEBUG_MODE) {
-    console.log(
-      "Unable to determine parent component. Dependencies will be flattened.",
-    );
-  }
-  let providesFound = false;
-  const deps_map = {};
-  const provides_map = {};
-  const parentRef = parentComponent?.["bom-ref"]
-    ? parentComponent["bom-ref"]
-    : undefined;
-  const combinedDeps = dependencies.concat(newDependencies || []);
-  for (const adep of combinedDeps) {
-    if (!deps_map[adep.ref]) {
-      deps_map[adep.ref] = new Set();
-    }
-    if (!provides_map[adep.ref]) {
-      provides_map[adep.ref] = new Set();
-    }
-    if (adep["dependsOn"]) {
-      for (const eachDepends of adep["dependsOn"]) {
-        if (parentRef && eachDepends) {
-          if (eachDepends.toLowerCase() !== parentRef.toLowerCase()) {
-            deps_map[adep.ref].add(eachDepends);
-          }
-        } else {
-          deps_map[adep.ref].add(eachDepends);
-        }
-      }
-    }
-    if (adep["provides"]) {
-      providesFound = true;
-      for (const eachProvides of adep["provides"]) {
-        if (
-          parentRef &&
-          eachProvides.toLowerCase() !== parentRef.toLowerCase()
-        ) {
-          provides_map[adep.ref].add(eachProvides);
-        }
-      }
-    }
-  }
-  const retlist = [];
-  for (const akey of Object.keys(deps_map)) {
-    if (providesFound) {
-      retlist.push({
-        ref: akey,
-        dependsOn: Array.from(deps_map[akey]).sort(),
-        provides: Array.from(provides_map[akey]).sort(),
-      });
-    } else {
-      retlist.push({
-        ref: akey,
-        dependsOn: Array.from(deps_map[akey]).sort(),
-      });
-    }
-  }
-  return retlist;
-}
-
-/**
- * Trim duplicate components by retaining all the properties
- *
- * @param {Array} components Components
- *
- * @returns {Array} Filtered components
- */
-export function trimComponents(components) {
-  const keyCache = {};
-  const filteredComponents = [];
-  for (const comp of components) {
-    const key = (
-      comp.purl ||
-      comp["bom-ref"] ||
-      comp.name + comp.version
-    ).toLowerCase();
-    if (!keyCache[key]) {
-      keyCache[key] = comp;
-    } else {
-      const existingComponent = keyCache[key];
-      // We need to retain any properties that differ
-      if (comp.properties) {
-        if (existingComponent.properties) {
-          for (const newprop of comp.properties) {
-            if (
-              !existingComponent.properties.find(
-                (prop) =>
-                  prop.name === newprop.name && prop.value === newprop.value,
-              )
-            ) {
-              existingComponent.properties.push(newprop);
-            }
-          }
-        } else {
-          existingComponent.properties = comp.properties;
-        }
-      }
-      // Retain all component.evidence.identity
-      if (comp?.evidence?.identity) {
-        if (!existingComponent.evidence) {
-          existingComponent.evidence = { identity: [] };
-        } else if (!existingComponent?.evidence?.identity) {
-          existingComponent.evidence.identity = [];
-        } else if (
-          existingComponent?.evidence?.identity &&
-          !Array.isArray(existingComponent.evidence.identity)
-        ) {
-          existingComponent.evidence.identity = [
-            existingComponent.evidence.identity,
-          ];
-        }
-        // comp.evidence.identity can be an array or object
-        // Merge the evidence.identity based on methods or objects
-        const isIdentityArray = Array.isArray(comp.evidence.identity);
-        const identities = isIdentityArray
-          ? comp.evidence.identity
-          : [comp.evidence.identity];
-        for (const aident of identities) {
-          let methodBasedMerge = false;
-          if (aident?.methods?.length) {
-            for (const amethod of aident.methods) {
-              for (const existIdent of existingComponent.evidence.identity) {
-                if (existIdent.field === aident.field) {
-                  if (!existIdent.methods) {
-                    existIdent.methods = [];
-                  }
-                  let isDup = false;
-                  for (const emethod of existIdent.methods) {
-                    if (emethod?.value === amethod?.value) {
-                      isDup = true;
-                      break;
-                    }
-                  }
-                  if (!isDup) {
-                    existIdent.methods.push(amethod);
-                  }
-                  methodBasedMerge = true;
-                }
-              }
-            }
-          }
-          if (!methodBasedMerge && aident.field && aident.confidence) {
-            existingComponent.evidence.identity.push(aident);
-          }
-        }
-        if (!isIdentityArray) {
-          const firstIdentity = existingComponent.evidence.identity[0];
-          let identConfidence = firstIdentity?.confidence;
-          // We need to set the confidence to the max of all confidences
-          if (firstIdentity?.methods?.length > 1) {
-            for (const aidentMethod of firstIdentity.methods) {
-              if (
-                aidentMethod?.confidence &&
-                aidentMethod.confidence > identConfidence
-              ) {
-                identConfidence = aidentMethod.confidence;
-              }
-            }
-          }
-          firstIdentity.confidence = identConfidence;
-          existingComponent.evidence = {
-            identity: firstIdentity,
-          };
-        }
-      }
-      // If the component is required in any of the child projects, then make it required
-      if (
-        existingComponent?.scope !== "required" &&
-        comp?.scope === "required"
-      ) {
-        existingComponent.scope = "required";
-      }
-    }
-  }
-  for (const akey of Object.keys(keyCache)) {
-    filteredComponents.push(keyCache[akey]);
-  }
-  return filteredComponents;
-}
-
 /**
  * Dedupe components
  *
@@ -7445,7 +7459,7 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     components,
     bomJson: {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || 1.5}`,
+      specVersion: `${options.specVersion || 1.7}`,
       serialNumber: serialNum,
       version: 1,
       metadata: addMetadata(parentComponent, options, {}),
@@ -7461,11 +7475,13 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
  *
  * @param {string[]} pathList list of to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createMultiXBom(pathList, options) {
   let components = [];
   let dependencies = [];
   let bomData;
+  let formulationList = [];
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
   options.createMultiXBom = true;
@@ -7676,6 +7692,9 @@ export async function createMultiXBom(pathList, options) {
           parentSubComponents.push(bomData.parentComponent);
         }
       }
+      if (bomData?.formulationList?.length) {
+        formulationList = formulationList.concat(bomData.formulationList);
+      }
     }
     if (hasAnyProjectType(["oci", "go"], options)) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8168,6 +8187,27 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["vscode-extension"], options)) {
+      bomData = await createVscodeExtensionBom(path, options);
+      if (bomData?.bomJson?.components?.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${bomData.bomJson.components.length} VS Code extension(s) at ${path}`,
+          );
+        }
+        components = components.concat(bomData.bomJson.components);
+        dependencies = mergeDependencies(
+          dependencies,
+          bomData.bomJson.dependencies,
+        );
+        if (
+          bomData.parentComponent &&
+          Object.keys(bomData.parentComponent).length
+        ) {
+          parentSubComponents.push(bomData.parentComponent);
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8266,7 +8306,16 @@ export async function createMultiXBom(pathList, options) {
       }
     }
   }
-  return dedupeBom(options, components, parentComponent, dependencies);
+  const multiResult = dedupeBom(
+    options,
+    components,
+    parentComponent,
+    dependencies,
+  );
+  if (formulationList.length) {
+    multiResult.formulationList = formulationList;
+  }
+  return multiResult;
 }
 
 /**
@@ -8274,6 +8323,7 @@ export async function createMultiXBom(pathList, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object|undefined>} Promise resolving to BOM object, or undefined if path is not readable
  */
 export async function createXBom(path, options) {
   try {
@@ -8512,6 +8562,16 @@ export async function createXBom(path, options) {
     return await createJenkinsBom(path, options);
   }
 
+  // VS Code extensions (.vsix files)
+  const vsixFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}*.vsix`,
+    options,
+  );
+  if (vsixFiles.length) {
+    return await createVscodeExtensionBom(path, options);
+  }
+
   // Helm charts
   const chartFiles = getAllFiles(
     path,
@@ -8619,6 +8679,7 @@ export async function createXBom(path, options) {
  *
  * @param {string} path to the project
  * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
  */
 export async function createBom(path, options) {
   let { projectType } = options;
@@ -8863,6 +8924,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["caxa"].includes(projectType[0])) {
     return await createCaxaBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["vscode-extension"].includes(projectType[0])) {
+    return await createVscodeExtensionBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);
@@ -8901,66 +8965,22 @@ export async function createBom(path, options) {
  * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
-  const serverUrl = `${args.serverUrl.replace(/\/$/, "")}/api/v1/bom`;
-  let encodedBomContents = Buffer.from(JSON.stringify(bomContents)).toString(
-    "base64",
-  );
-  if (encodedBomContents.startsWith("77u/")) {
-    encodedBomContents = encodedBomContents.substring(4);
-  }
-  const bomPayload = {
-    autoCreate: "true",
-    bom: encodedBomContents,
-  };
-  const projectVersion = args.projectVersion || "main";
-  if (
-    typeof args.projectId !== "undefined" ||
-    (typeof args.projectName !== "undefined" &&
-      typeof projectVersion !== "undefined")
-  ) {
-    if (typeof args.projectId !== "undefined") {
-      bomPayload.project = args.projectId;
-    }
-    if (typeof args.projectName !== "undefined") {
-      bomPayload.projectName = args.projectName;
-    }
-    if (typeof projectVersion !== "undefined") {
-      bomPayload.projectVersion = projectVersion;
-    }
-  } else {
+  const serverUrl = getDependencyTrackBomUrl(args.serverUrl);
+  const bomPayload = buildDependencyTrackBomPayload(args, bomContents);
+  if (!bomPayload) {
     console.log(
-      "projectId, projectName and projectVersion, or all three must be provided.",
+      "Invalid Dependency-Track submission arguments. Provide projectId or projectName (projectVersion defaults to main) and specify parent project either by UUID or by parent project name + version.",
     );
     args.failOnError && process.exit(1);
     return;
   }
-  if (
-    typeof args.parentProjectId !== "undefined" ||
-    typeof args.parentUUID !== "undefined"
-  ) {
-    bomPayload.parentUUID = args.parentProjectId || args.parentUUID;
-  }
-  // Add project tags if provided
-  // see https://docs.dependencytrack.org/2024/10/01/v4.12.0/
-  // corresponding API usage documentation can be found on the
-  // API docs site of your instance, see
-  // https://docs.dependencytrack.org/integrations/rest-api/
-  // or public instance see https://yoursky.blue/documentation/rest-api
-  if (typeof args.projectTag !== "undefined") {
-    // If args.projectTag is not an array, convert it to an array
-    // Attention, array items should be of form { name: "tagName " }
-    // see https://yoursky.blue/documentation/rest-api#tag/bom/operation/UploadBomBase64Encoded
-    bomPayload.projectTags = (
-      Array.isArray(args.projectTag) ? args.projectTag : [args.projectTag]
-    ).map((tag) => ({ name: tag }));
-  }
   if (DEBUG_MODE) {
     console.log(
       "Submitting BOM to",
       serverUrl,
       "params",
       args.projectName,
-      projectVersion,
+      bomPayload.projectVersion,
     );
   }
   try {